wpasupplicant and WEP

Erich Titl erich.titl at think.ch
Sun Jan 4 17:54:27 EST 2015

Hi Jouni

On 04.01.2015 at 17:20, Jouni Malinen wrote:
> On Sun, Jan 04, 2015 at 03:15:48PM +0100, Erich Titl wrote:
>> Indeed it does, I configured wlan using
>> iw wlan0 connect scoobly keys 0:1234567890123
> What do you have as an AP here? 

TP-LINK WR1043ND and stock firmware. Android and Windoze work fine.

> Are you absolutely sure it configures that
> WEP key in the same way as the client does (i.e., as a 104-bit
> "1234567890123" rather than as some kind of failed attempt at parsing
> that as a hexstring for 40-bit 0x1234567890)? When testing something as
> basic as first initial connection, I'd use a key that cannot be parsed
> both as a hexstring for a binary key and ASCII text. Does the AP have
> only this single WEP key configured or could it potentially use another
> WEP key for transmission?

A single WEP key, index 0 and the keylength is tested on this AP.
How can a WEP key allow association without being correct?

>> AP# iw dev wlan0 link
>> Connected to f8:1a:67:56:42:96 (on wlan0)
>>         SSID: scoobly
>>         freq: 2427
> This is expected regardless of whether the keys match or not.


>> and the link showed the same characteristics, dhcp requests are sent,
>> but incoming dhcp packets are dropped somewhere.
> And you are sure that the DHCP requests do actually show up behind the
> AP?

It does show up for sure on the dhcp server, which is a virtual machine
on a wire.

> I can only state that this works for me with mac80211_hwsim. I don't
> care enough about WEP to start testing with other drivers. If you can
> produce a wireless capture file showing the frames, it would be
> straightforward to confirm where the problem is.

As I am writing this, a test is running, I changed the key to something
which could not be represented as HEX.

On the dhcpserver I can observe incoming packets from my wlan0 adapter

AP# /etc/init.d/wpasupplicant stop
Stopping wpa_supplicant.
stopped wpa_supplicant (pid 4400)
AP# ifup wlan0
Starting wpa_supplicant.
Successfully initialized wpa_supplicant
dhcpcd[4453]: version 5.2.11 starting
dhcpcd[4453]: wlan0: waiting for carrier

This is interesting
[ 1691.246142] b43 ssb0:0 wlan0: failed to set key 0

dhcpcd[4453]: wlan0: carrier acquired
dhcpcd[4453]: wlan0: rebinding lease of
dhcpcd[4453]: wlan0: broadcasting for a lease
dhcpcd[4453]: timed out

Despite the above error I can see a packet coming in on the dhcp server

bash-4.2# tcpdump -i eth0 port 68
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:53:50.961295 IP > BOOTP/DHCP,
Request from 00:1a:2b:5f:61:11 (oui Unknown), length 320
22:53:51.102836 IP luna.think.ch.bootps >
BOOTP/DHCP, Reply, length 300
22:53:54.379430 IP > BOOTP/DHCP,
Request from 00:1a:2b:5f:61:11 (oui Unknown), length 320
22:53:54.469454 IP luna.think.ch.bootps >
BOOTP/DHCP, Reply, length 300
22:54:00.972796 IP > BOOTP/DHCP,
Request from 00:1a:2b:5f:61:11 (oui Unknown), length 314
22:54:00.973766 IP luna.think.ch.bootps >
BOOTP/DHCP, Reply, length 300
22:54:04.388712 IP > BOOTP/DHCP,
Request from 00:1a:2b:5f:61:11 (oui Unknown), length 314
22:54:04.389668 IP luna.think.ch.bootps >
BOOTP/DHCP, Reply, length 300
22:54:11.944634 IP > BOOTP/DHCP,
Request from 00:1a:2b:5f:61:11 (oui Unknown), length 314
22:54:11.945717 IP luna.think.ch.bootps >
BOOTP/DHCP, Reply, length 300

and this packet matches the mac address of the adapter used for wlan0

AP# ip link sh dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
mode DORMANT group default qlen 1000
    link/ether 00:1a:2b:5f:61:11 brd ff:ff:ff:ff:ff:ff

There is no wired connection to this piece of hardware, so I am pretty
certain the packet was sent wirelessly.

Here is the status of the adapter

AP# wpa_cli status
Selected interface 'wlan0'

AP# wpa_cli scan_results
Selected interface 'wlan0'
bssid / frequency / signal level / flags / ssid
f8:1a:67:56:42:96       2427    -69     [WEP][ESS]      scoobly

This matches the mac address of the AP and it is the only AP with that ssid.

iw list shows

wiphy phy0
        max # scan SSIDs: 4
        max scan IEs length: 2285 bytes
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports RSN-IBSS.
        Supported Ciphers:
                * WEP40 (00-0f-ac:1)
                * WEP104 (00-0f-ac:5)
                * TKIP (00-0f-ac:2)
                * CCMP (00-0f-ac:4)

iw dev wlan0 scan shows

BSS f8:1a:67:56:42:96(on wlan0) -- associated
        TSF: 1670178002 usec (0d, 00:27:50)
        freq: 2427
        beacon interval: 100 TUs
        capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
        signal: -75.00 dBm
        last seen: 97 ms ago
        Information elements from Probe Response frame:
        SSID: scoobly
        Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
        DS Parameter set: channel 4
        ERP: <no flags>
        Extended supported rates: 24.0 36.0 48.0 54.0
        WMM:     * Parameter version 1
                 * u-APSD
                 * BE: CW 15-1023, AIFSN 3
                 * BK: CW 15-1023, AIFSN 7
                 * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                 * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
        WPS:     * Version: 1.0
                 * Wi-Fi Protected Setup State: 2 (Configured)
                 * Response Type: 3 (AP)
                 * UUID: 00000000-0000-1000-0000-f81a67564296
                 * Manufacturer: TP-LINK
                 * Model: TL-WR1043ND
                 * Model Number: 1.0
                 * Serial Number: 1.0
                 * Primary Device Type: 6-0050f204-1
                 * Device name: Wireless Router TL-WR1043ND
                 * Config methods: Ethernet, Label, PBC
                 * RF Bands: 0x1

AP# iw wlan0 connect scoobly keys 0:abcdefghijklm
AP# [ 4237.636645] b43 ssb0:0 wlan0: failed to set key 0

The same error as in wpasupplicant, as you assumed.

I have a wireshark trace of the connection attempt. If you think it is
worth having a look I can send it off-list. Is there a way to see all
frames with wireshark?
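
Added example, not part of the original message and not code from iw or wpa_supplicant: a small audit of the key-format ambiguity raised in the quoted reply, run over the two keys used in this thread. The strict length rules are the conventional WEP ones (5 or 13 ASCII characters, 10 or 26 hex digits); the lenient hex-truncating parser and all function names are assumptions made for illustration.

```python
import string

# Conventional WEP key encodings: 40-bit = 5 bytes, 104-bit = 13 bytes.
ASCII_LENGTHS = {5: 40, 13: 104}
HEX_LENGTHS = {10: 40, 26: 104}
HEX_DIGITS = set(string.hexdigits)


def strict_readings(key):
    """Readings under strict length rules (5/13 ASCII chars, 10/26 hex digits)."""
    out = []
    if len(key) in ASCII_LENGTHS and key.isascii():
        out.append(("ascii", ASCII_LENGTHS[len(key)], key.encode("ascii")))
    if len(key) in HEX_LENGTHS and set(key) <= HEX_DIGITS:
        out.append(("hex", HEX_LENGTHS[len(key)], bytes.fromhex(key)))
    return out


def lenient_hex_readings(key):
    """Hypothetical lenient parser (assumption): takes the leading run of hex
    digits and silently truncates it to the longest valid hexstring length."""
    run = 0
    while run < len(key) and key[run] in HEX_DIGITS:
        run += 1
    for n in sorted(HEX_LENGTHS, reverse=True):
        if run >= n:
            if len(key) != n:  # an exact-length hexstring is already a strict reading
                return [("hex-truncated", HEX_LENGTHS[n], bytes.fromhex(key[:n]))]
            break
    return []


def audit_key(key):
    """Collect every reading; the key is ambiguous if they yield different bytes."""
    readings = strict_readings(key) + lenient_hex_readings(key)
    distinct = {raw for _, _, raw in readings}
    return {"key": key, "readings": readings, "ambiguous": len(distinct) > 1}


if __name__ == "__main__":
    # The two keys that appear in this thread.
    for k in ("1234567890123", "abcdefghijklm"):
        result = audit_key(k)
        print(k, "AMBIGUOUS" if result["ambiguous"] else "unambiguous")
        for kind, bits, raw in result["readings"]:
            print(f"  {kind:14s} {bits:3d}-bit  {raw.hex()}")
```

Under the strict rules the ASCII and hex lengths never overlap, so a mismatch of this kind can only come from one side parsing more leniently than the other.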


