Thread: [Ndiswrapper-general] Re: Problem setting keys with ndiswrapper after authentication?
Status: Beta
Brought to you by:
pgiri
From: Jouni M. <jkm...@cc...> - 2004-11-28 05:31:09
Attachments:
ndiswrapper_wpa_wep_key_setup.patch
|
ndiswrapper-general cc'ed; please, apply the attached patch to ndiswrapper CVS. On Fri, Nov 26, 2004 at 10:16:21AM +0100, Romano Giannetti wrote: > Well. I have ndiswrapper installed (last version, 0.12rc3), with a realtek > ndis5 driver version 173. > First of all, I set essid manually (no way to obtain this in scan mode, so I > disabled it) and "up" the interface OK, although support for scanning for specific SSID with ndiswrapper when using wpa_supplicant should be added at some point.. Unfortunately, this seems to be somewhat complex task with NDIS and multiple possible authentication modes. > [root@rukbat wifi]# iwconfig wlan0 mode managed essid upco_wlan key 0 open > [root@rukbat wifi]# iwconfig wlan0 && ifconfig wlan0 > wlan0 IEEE 802.11b ESSID:"upco_wlan" > Mode:Managed Frequency:2.427GHz Access Point: 00:11:5C:77:82:40 OK, so association works when done manually. I tested this with wpa_supplicant doing scanning and it actually failed. ndiswrapper ended up configuring the driver to reject APs that were using encryption.. I fixed wpa_supplicant to set cipher suite to WEP-104 when using IEEE 802.1X (available in the current Host AP CVS snapshot) and this seemed to have fixed the association part. > EAPOL: Decrypted(RC4) key - hexdump(len=13): 13 ab d7 39 ef 08 e0 bc 63 a7 d1 a8 b9 > EAPOL: Setting dynamic WEP key: broadcast keyidx 0 len 13 > key data: key_idx=0 set_tx=0 > trying to set key... > result of iw_set_ext, RESULT -1 > > ***** HERE is the fault!!! Indeed. There's a bug in the way the current ndiswrapper handles WEP keys from wpa_supplicant. wpa_set_key() tries to convert the WPA key set structure into normal wireless extensions WEP configuration, but does it incorrectly. The key is already in binary form, so no hex2bin conversion is needed. In addition, key index needs +1 to match the wireless extensions. The attached patch to the current ndiswrapper CVS version fixes these problems. With this patch and the current CVS version of wpa_supplicant, I was able to complete IEEE 802.1X (non-WPA) authentication and use the encrypted data connection (both unicast and multicast worked). -- Jouni Malinen PGP id EFC895FA |
From: Romano G. <ro...@de...> - 2004-11-29 11:19:25
|
Warning: crossposted to hostap and ndiswrapper mailing list. On Sat, Nov 27, 2004 at 08:55:36PM -0800, Jouni Malinen wrote: > ndiswrapper-general cc'ed; please, apply the attached patch to > ndiswrapper CVS. Thank you for the answer. I had no time to try it (my laptop is at home now), but I will report back as soon as possible. Just one question: I downloaded ndiswrapper 0.12 and --- although via a completely different patch --- the iwndis.c file is quite changed. Should I use this version? Is the bug fixed in a different way? > > > [root@rukbat wifi]# iwconfig wlan0 mode managed essid upco_wlan key 0 open > > [root@rukbat wifi]# iwconfig wlan0 && ifconfig wlan0 > > wlan0 IEEE 802.11b ESSID:"upco_wlan" > > Mode:Managed Frequency:2.427GHz Access Point: 00:11:5C:77:82:40 > > OK, so association works when done manually. I tested this with > wpa_supplicant doing scanning and it actually failed. ndiswrapper ended > up configuring the driver to reject APs that were using encryption.. I > fixed wpa_supplicant to set cipher suite to WEP-104 when using IEEE > 802.1X (available in the current Host AP CVS snapshot) and this seemed > to have fixed the association part. Do you mean the CVS snapshot "stable" or "development"? > The attached patch to the current ndiswrapper CVS version fixes these > problems. With this patch and the current CVS version of wpa_supplicant, > I was able to complete IEEE 802.1X (non-WPA) authentication and use the > encrypted data connection (both unicast and multicast worked). I will try it later tonight or tomorrow and report. Thanks. Romano -- Romano Giannetti - Univ. Pontificia Comillas (Madrid, Spain) Electronic Engineer - phone +34 915 422 800 ext 2416 fax +34 915 596 569 |
From: Romano G. <ro...@up...> - 2004-11-29 11:23:58
|
Warning: crossposted to hostap and ndiswrapper mailing list. On Sat, Nov 27, 2004 at 08:55:36PM -0800, Jouni Malinen wrote: > ndiswrapper-general cc'ed; please, apply the attached patch to > ndiswrapper CVS. Thank you for the answer. I had no time to try it (my laptop is at home now), but I will report back as soon as possible. Just one question: I downloaded ndiswrapper 0.12 and --- although via a completely different patch --- the iwndis.c file is quite changed. Should I use this version? Is the bug fixed in a different way? > > > [root@rukbat wifi]# iwconfig wlan0 mode managed essid upco_wlan key 0 open > > [root@rukbat wifi]# iwconfig wlan0 && ifconfig wlan0 > > wlan0 IEEE 802.11b ESSID:"upco_wlan" > > Mode:Managed Frequency:2.427GHz Access Point: 00:11:5C:77:82:40 > > OK, so association works when done manually. I tested this with > wpa_supplicant doing scanning and it actually failed. ndiswrapper ended > up configuring the driver to reject APs that were using encryption.. I > fixed wpa_supplicant to set cipher suite to WEP-104 when using IEEE > 802.1X (available in the current Host AP CVS snapshot) and this seemed > to have fixed the association part. Do you mean the CVS snapshot "stable" or "development"? > The attached patch to the current ndiswrapper CVS version fixes these > problems. With this patch and the current CVS version of wpa_supplicant, > I was able to complete IEEE 802.1X (non-WPA) authentication and use the > encrypted data connection (both unicast and multicast worked). I will try it later tonight or tomorrow and report. Thanks. Romano -- Romano Giannetti - Univ. Pontificia Comillas (Madrid, Spain) Electronic Engineer - phone +34 915 422 800 ext 2416 fax +34 915 596 569 |
From: Romano G. <ro...@up...> - 2004-11-29 17:47:52
|
On Mon, Nov 29, 2004 at 08:45:35AM -0500, Giridhar Pemmasani wrote: > > Please try current cvs of ndiswrapper. It already has fixes that Jouni > sent earlier - you don't need to change iw_ndis.c. Hi. I tried the last ndiswrapper CVS 0.12@041129 with wpa_supplicant 0.2.5 as suggested here; I have to say that I had a partial success: one step more, but nevertheless the connection does not come up. A bit of debug output: as before, I do the manual association of the interface: [root@rukbat ndiswrapper]# iwconfig wlan0 mode managed essid upco_wlan key 0 open (By the way: sometime I have to repeat the above two or three time before having the essid association shown). [root@rukbat ndiswrapper]# iwconfig wlan0 && ifconfig wlan0 wlan0 IEEE 802.11b ESSID:"upco_wlan" Mode:Managed Frequency:2.442GHz Access Point: 00:11:5C:6B:90:E0 Bit Rate:11Mb/s Tx-Power:20 dBm Sensitivity=0/3 RTS thr:2432 B Fragment thr:2432 B Encryption key:off Power Management:off Link Quality:100/100 Signal level:-54 dBm Noise level:-256 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 wlan0 Link encap:Ethernet HWaddr 00:0B:9D:00:B2:6E UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1 RX packets:1 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:60 (60.0 b) TX bytes:0 (0.0 b) Interrupt:9 Memory:10800000-108000ff [root@rukbat ndiswrapper]# wpa_supplicant -Dndiswrapper -iwlan0 -c/etc/wpa_supplicant.conf -dd Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf' Reading configuration file '/etc/wpa_supplicant.conf' ctrl_interface='/var/run/wpa_supplicant' ctrl_interface_group=0 eapol_version=1 ap_scan=0 Line: 191 - start of a new network block SSID - hexdump_ascii(len=9): 75 70 63 6f 5f 77 6c 61 6e upco_wlan key_mgmt: 0x8 eap methods - hexdump(len=2): 19 00 identity - hexdump_ascii(len=16): 72 6f 6d 61 6e 6f 40 75 70 63 6f 6e 74 2e 65 73 ro...@up... password - hexdump_ascii(len=9): ****password removed**** ...etc, like before. I remove all the output until the new problem... [...] EAP-PEAP: Phase 2 Request: type=26 EAP-PEAP: Phase 2 EAP packet EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Success message - hexdump(len=0): EAP-MSCHAPV2: Authentication succeeded EAP-PEAP: Encrypting Phase 2 data - hexdump(len=6): 02 f0 00 06 1a 03 ...ok? It seems that the identification succeeded. [...] EAPOL: Received EAPOL-Key frame EAPOL: KEY_RX entering state KEY_RECEIVE EAPOL: processKey EAPOL: RX IEEE 802.1X ver=1 type=3 len=57 EAPOL-Key: type=1 key_length=13 key_index=0x0 EAPOL: EAPOL-Key key signature verified EAPOL: Decrypted(RC4) key - hexdump(len=13): 13 ab d7 39 ef 08 e0 bc 63 a7 d1 a8 b9 EAPOL: Setting dynamic WEP key: broadcast keyidx 0 len 13 Bingo, now it works (and iwconfig shows the new key set). But now, when I try to start dhclient there is no answer, and wpa_supplicant says: WPA: EAPOL frame too short, len 61, expecting at least 99 EAPOL: Port Timers tick - authWhile=29 heldWhile=0 startWhen=29 idleWhile=59 EAPOL: Port Timers tick - authWhile=28 heldWhile=0 startWhen=28 idleWhile=58 EAPOL: Port Timers tick - authWhile=27 heldWhile=0 startWhen=27 idleWhile=57 EAPOL: Port Timers tick - authWhile=26 heldWhile=0 startWhen=26 idleWhile=56 EAPOL: Port Timers tick - authWhile=25 heldWhile=0 startWhen=25 idleWhile=55 EAPOL: Port Timers tick - authWhile=24 heldWhile=0 startWhen=24 idleWhile=54 EAPOL: Port Timers tick - authWhile=23 heldWhile=0 startWhen=23 idleWhile=53 EAPOL: Port Timers tick - authWhile=22 heldWhile=0 startWhen=22 idleWhile=52 EAPOL: Port Timers tick - authWhile=21 heldWhile=0 startWhen=21 idleWhile=51 Authentication with 00:11:5c:6b:90:e0 timed out. Setting scan request: 0 sec 0 usec Already associated with a configured network - generating associated event Association event - clear replay counter EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 Setting authentication timeout: 10 sec 0 usec EAPOL: Port Timers tick - authWhile=20 heldWhile=0 startWhen=20 idleWhile=50 EAPOL: Port Timers tick - authWhile=19 heldWhile=0 startWhen=19 idleWhile=49 EAPOL: Port Timers tick - authWhile=18 heldWhile=0 startWhen=18 idleWhile=48 EAPOL: Port Timers tick - authWhile=17 heldWhile=0 startWhen=17 idleWhile=47 EAPOL: Port Timers tick - authWhile=16 heldWhile=0 startWhen=16 idleWhile=46 EAPOL: Port Timers tick - authWhile=15 heldWhile=0 startWhen=15 idleWhile=45 EAPOL: Port Timers tick - authWhile=14 heldWhile=0 startWhen=14 idleWhile=44 EAPOL: Port Timers tick - authWhile=13 heldWhile=0 startWhen=13 idleWhile=43 EAPOL: Port Timers tick - authWhile=12 heldWhile=0 startWhen=12 idleWhile=42 EAPOL: Port Timers tick - authWhile=11 heldWhile=0 startWhen=11 idleWhile=41 Authentication with 00:11:5c:6b:90:e0 timed out. Setting scan request: 0 sec 0 usec Already associated with a configured network - generating associated event Association event - clear replay counter EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 Setting authentication timeout: 10 sec 0 usec EAPOL: Port Timers tick - authWhile=10 heldWhile=0 startWhen=10 idleWhile=40 EAPOL: Port Timers tick - authWhile=9 heldWhile=0 startWhen=9 idleWhile=39 EAPOL: Port Timers tick - authWhile=8 heldWhile=0 startWhen=8 idleWhile=38 EAPOL: Port Timers tick - authWhile=7 heldWhile=0 startWhen=7 idleWhile=37 EAPOL: Port Timers tick - authWhile=6 heldWhile=0 startWhen=6 idleWhile=36 EAPOL: Port Timers tick - authWhile=5 heldWhile=0 startWhen=5 idleWhile=35 EAPOL: Port Timers tick - authWhile=4 heldWhile=0 startWhen=4 idleWhile=34 EAPOL: Port Timers tick - authWhile=3 heldWhile=0 startWhen=3 idleWhile=33 RX EAPOL from 00:11:5c:6b:90:e0 RX EAPOL - hexdump(len=46): 01 00 00 05 01 01 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Setting authentication timeout: 10 sec 0 usec EAPOL: Received EAP-Packet frame WPA: EAPOL frame too short, len 46, expecting at least 99 EAPOL: Port Timers tick - authWhile=2 heldWhile=0 startWhen=2 idleWhile=32 EAPOL: Port Timers tick - authWhile=1 heldWhile=0 startWhen=1 idleWhile=31 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=30 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=29 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=28 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=27 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=26 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=25 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=24 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=23 Authentication with 00:11:5c:6b:90:e0 timed out. Setting scan request: 0 sec 0 usec Already associated with a configured network - generating associated event Association event - clear replay counter EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 Setting authentication timeout: 10 sec 0 usec EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=22 EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=0 idleWhile=21 Signal 2 received - terminating EAPOL: External notification - portEnabled=0 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 ...and no data pass thru the wlan0 interface. I do not know if it's my ignorance or what. I run dhclient -n -d wlan0 to avoid reconfiguration of the interface, but I tried various variations without success. Any hints? Thanks! Romano -- Romano Giannetti - Univ. Pontificia Comillas (Madrid, Spain) Electronic Engineer - phone +34 915 422 800 ext 2416 fax +34 915 596 569 |
From: Jouni M. <jkm...@cc...> - 2004-11-30 05:56:09
|
On Mon, Nov 29, 2004 at 06:47:40PM +0100, Romano Giannetti wrote: > Hi. I tried the last ndiswrapper CVS 0.12@041129 with wpa_supplicant 0.2.5 > [root@rukbat ndiswrapper]# wpa_supplicant -Dndiswrapper -iwlan0 -c/etc/wpa_supplicant.conf -dd > ...etc, like before. I remove all the output until the new problem... Please do not.. or at least make the full output available somewhere. > EAP-PEAP: Phase 2 Request: type=26 > EAP-PEAP: Phase 2 EAP packet > EAP-MSCHAPV2: Received success > EAP-MSCHAPV2: Success message - hexdump(len=0): > EAP-MSCHAPV2: Authentication succeeded > EAP-PEAP: Encrypting Phase 2 data - hexdump(len=6): 02 f0 00 06 1a 03 > > ...ok? It seems that the identification succeeded. No, this is not yet completed. PEAP requires additional success notification.. This was not included in this message, but I would assume it actually succeeded based on the following output. > [...] > EAPOL: Received EAPOL-Key frame > EAPOL: KEY_RX entering state KEY_RECEIVE > EAPOL: processKey > EAPOL: RX IEEE 802.1X ver=1 type=3 len=57 EAPOL-Key: type=1 key_length=13 key_index=0x0 > EAPOL: EAPOL-Key key signature verified > EAPOL: Decrypted(RC4) key - hexdump(len=13): 13 ab d7 39 ef 08 e0 bc 63 a7 d1 a8 b9 > EAPOL: Setting dynamic WEP key: broadcast keyidx 0 len 13 Again, getting more context would be useful, but I'm guessing here for now.. You received only one key (broadcast), but wpa_supplicant was configured to expect two keys (separate unicast key). Both cases are valid for IEEE 802.1X, but if you use only one key (this broadcast one), you will need to tell wpa_supplicant about this by setting eapol_flags=2 in the configuration file. > Bingo, now it works (and iwconfig shows the new key set). But now, when I > try to start dhclient there is no answer, and wpa_supplicant says: > > WPA: EAPOL frame too short, len 61, expecting at least 99 > EAPOL: Port Timers tick - authWhile=29 heldWhile=0 startWhen=29 idleWhile=59 > EAPOL: Port Timers tick - authWhile=28 heldWhile=0 startWhen=28 idleWhile=58 > EAPOL: Port Timers tick - authWhile=27 heldWhile=0 startWhen=27 idleWhile=57 > EAPOL: Port Timers tick - authWhile=26 heldWhile=0 startWhen=26 idleWhile=56 > EAPOL: Port Timers tick - authWhile=25 heldWhile=0 startWhen=25 idleWhile=55 > EAPOL: Port Timers tick - authWhile=24 heldWhile=0 startWhen=24 idleWhile=54 > EAPOL: Port Timers tick - authWhile=23 heldWhile=0 startWhen=23 idleWhile=53 > EAPOL: Port Timers tick - authWhile=22 heldWhile=0 startWhen=22 idleWhile=52 > EAPOL: Port Timers tick - authWhile=21 heldWhile=0 startWhen=21 idleWhile=51 > Authentication with 00:11:5c:6b:90:e0 timed out. wpa_supplicant did not receive the other expected key (unicast) and consequently timed out authentication. -- Jouni Malinen PGP id EFC895FA |