wpa.c RSN IE mismatched !!!!!!!!!!

Live forum: http://rt2x00.serialmonkey.com/viewtopic.php?t=4890

TomDeMan

15-07-2008 15:04:15

Still haven't set up my Linux box with the RaLink device yet (so I haven't tested what I'm about to say), but I saw some reports of "IE mismatched". The reason is probably this:

static VOID ParseKeyData(IN PRTMP_ADAPTER pAd, IN PUCHAR pKeyData, IN UCHAR KeyDataLen)
{
    PKDE_ENCAP pKDE = NULL;
    PNDIS_802_11_KEY pGroupKey = NULL;
    PUCHAR pMyKeyData = pKeyData;
    UCHAR KeyDataLength = KeyDataLen;
    UCHAR GTKLEN;
    INT i;
    ULONG Idx;

    PUCHAR pVIE = NULL;
    UCHAR Len;
    PEID_STRUCT pEid;

    if ((Idx = BssTableSearch(&pAd->ScanTab, pAd->PortCfg.Bssid,
                              pAd->PortCfg.Channel)) == BSS_NOT_FOUND) {
        DBGPRINT(RT_DEBUG_ERROR, "%s, Can't find BSS\n", __FUNCTION__);
        return;
    }

    pVIE = pAd->ScanTab.BssEntry[Idx].VarIEs;
    Len = (UCHAR) pAd->ScanTab.BssEntry[Idx].VarIELen;
    while (Len > 0) {
        pEid = (PEID_STRUCT) pVIE;
        if (pEid->Eid != IE_RSN) {
            pVIE += (pEid->Len + 2);
            Len -= (pEid->Len + 2);
            continue;
        }

        if (memcmp(pKeyData, pEid->Octet, pEid->Len) != 0) {
            DBGPRINT(RT_DEBUG_ERROR, " RSN IE mismatched !!!!!!!!!! \n");
        } else {
            DBGPRINT(RT_DEBUG_TRACE, " RSN IE matched !!!!!!!!!! \n");
        }


I think it could be memcmp(pKeyData+2, pEid->Octet, pEid->Len), because pEid->Octet already skips Eid and Len (each 1 byte), and pKeyData comes from Wpa2PairMsg3Action() making the GTK:

// Decrypt AES GTK
AES_GTK_KEY_UNWRAP(&pAd->PortCfg.PTK[16], KEYDATA,
                   pMsg3->KeyDesc.KeyDataLen[1],
                   pMsg3->KeyDesc.KeyData);

and a bit further on, after checking the IE in ParseKeyData, there's this:

if ((*pKeyData == WPARSNIE) && (*(pKeyData + 1) != 0)
    && (KeyDataLength >= (2 + *(pKeyData + 1)))) {
    pMyKeyData = pKeyData + *(pKeyData + 1) + 2;
    KeyDataLength -= (2 + *(pKeyData + 1));
    DBGPRINT_RAW(RT_DEBUG_TRACE,
                 "WPA RSN IE length %d contained in Msg3 = \n",
                 (2 + *(pKeyData + 1)));
}
if ((*pMyKeyData == WPA2RSNIE) && (*(pMyKeyData + 1) != 0)
    && (KeyDataLength >= (2 + *(pMyKeyData + 1)))) {
    pMyKeyData += (*(pMyKeyData + 1) + 2);
    KeyDataLength -= (2 + *(pMyKeyData + 1));
    DBGPRINT_RAW(RT_DEBUG_TRACE,
                 "WPA2 RSN IE length %d contained in Msg3 = \n",
                 (2 + *(pMyKeyData + 1)));
}


so it's at least possible that pKeyData starts with WPA2RSNIE (but I'm not sure if this is always so), in which case IE mismatch will appear with a valid IE.
It's just a warning of course but still.

So should it always be +2 in memcmp, or should it be checked if it starts with the Eid? I'm guessing always +2, but I need some advice here from someone knowing more about this than me (Vern?).

Vern

18-07-2008 16:00:05

The code is walking through a list of variable-length Information Elements. You can download a copy of the IEEE 802.11-2007 standard here. Section 7 contains a discussion of IEs.
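A worked version of the comparison the two posts above discuss, added here as an example; it is not code from the rt2x00 driver or from either poster. It walks a constructed beacon IE list the way the ParseKeyData loop does (EID, Len, body, as in section 7 of IEEE 802.11-2007), builds constructed Msg3 key data in the layout the driver unwraps (RSN IE, then a GTK KDE, then the 0xdd 0x00 pad), and compares the RSN IE two ways: with the posted memcmp at offset 0 and at TomDeMan's +2, and by locating the RSN IE header on both sides and comparing whole elements with a length check. The RSN IE, SSID and GTK bytes are constructed sample data, and the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_RSN 0x30 /* RSN information element ID (48), IEEE 802.11-2007 7.3.2 */

/* Constructed RSN IE for WPA2-PSK/CCMP: 2-byte header (EID, Len) and a 20-byte body. */
static const uint8_t rsn_ie_psk_ccmp[22] = {
    0x30, 0x14, 0x01, 0x00,             /* EID, Len 20, version 1 */
    0x00, 0x0f, 0xac, 0x04,             /* group cipher suite: CCMP */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, /* one pairwise suite: CCMP (suite type is byte 13) */
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, /* one AKM suite: PSK */
    0x00, 0x00 };                       /* RSN capabilities */
/* Constructed beacon IE list as it would sit in BssEntry.VarIEs: SSID "test", rates, RSN IE. */
static const uint8_t beacon_ies[33] = {
    0x00, 0x04, 't', 'e', 's', 't', 0x01, 0x03, 0x02, 0x04, 0x0b,
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00 };
/* Constructed GTK KDE: EID 0xdd, Len 22, OUI 00-0f-ac, type 1, key id 1, reserved, 16-byte key. */
static const uint8_t gtk_kde[24] = {
    0xdd, 0x16, 0x00, 0x0f, 0xac, 0x01, 0x01, 0x00,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* not a real key */
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };

/* Walk a list of IEs (EID, Len, body) and return the RSN IE header, with the full element
 * length in *ie_len. Stops on a truncated element instead of reading past the buffer. */
static const uint8_t *find_rsn_ie(const uint8_t *ies, size_t len, size_t *ie_len)
{
    for (size_t off = 0; off + 2 <= len; off += 2 + ies[off + 1]) {
        size_t elen = ies[off + 1];
        if (off + 2 + elen > len)
            return NULL;
        if (ies[off] == IE_RSN) {
            *ie_len = 2 + elen;
            return ies + off;
        }
    }
    return NULL;
}

/* Msg3 key data as it looks after AES key unwrap: RSN IE, GTK KDE, then 0xdd 0x00... padding
 * up to a multiple of 8. Returns the length, or 0 if `out` is too small. */
static size_t build_msg3_keydata(uint8_t *out, size_t cap, const uint8_t *rsn_ie, size_t rsn_len)
{
    size_t n = rsn_len + sizeof gtk_kde;
    if (cap < n + 8)
        return 0;
    memcpy(out, rsn_ie, rsn_len);
    memcpy(out + rsn_len, gtk_kde, sizeof gtk_kde);
    if (n % 8)
        for (out[n++] = 0xdd; n % 8; n++)
            out[n] = 0x00;
    return n;
}

/* Locate the RSN IE on both sides and compare whole elements, header included.
 * 1 = match, 0 = mismatch, -1 = no complete RSN IE on one side. */
int rsn_ie_matches(const uint8_t *keydata, size_t keydata_len, const uint8_t *var_ies, size_t var_ies_len)
{
    size_t kd_len, bss_len;
    const uint8_t *kd = find_rsn_ie(keydata, keydata_len, &kd_len);
    const uint8_t *bss = find_rsn_ie(var_ies, var_ies_len, &bss_len);
    if (!kd || !bss)
        return -1;
    return kd_len == bss_len && memcmp(kd, bss, kd_len) == 0;
}

/* The posted comparison, memcmp(pKeyData + skip, pEid->Octet, pEid->Len): skip 0 is the driver
 * as posted, skip 2 is the proposed fix. The driver takes the length from pEid->Len alone;
 * here keydata_len is checked before the memcmp can run past the end of the key data. */
int rsn_ie_matches_driver_style(const uint8_t *keydata, size_t keydata_len,
                                const uint8_t *var_ies, size_t var_ies_len, size_t skip)
{
    size_t bss_len;
    const uint8_t *bss = find_rsn_ie(var_ies, var_ies_len, &bss_len);
    if (!bss || keydata_len < skip + (bss_len - 2))
        return -1;
    return memcmp(keydata + skip, bss + 2, bss_len - 2) == 0;
}

/* Build Msg3 from `rsn_ie` and compare against the first `scan_len` bytes of beacon_ies;
 * skip < 0 selects the whole-element compare, otherwise the posted memcmp with that skip. */
int check_msg3(const uint8_t *rsn_ie, size_t rsn_len, size_t scan_len, int skip)
{
    uint8_t kd[64];
    size_t n = build_msg3_keydata(kd, sizeof kd, rsn_ie, rsn_len);
    if (!n)
        return -2;
    return skip < 0 ? rsn_ie_matches(kd, n, beacon_ies, scan_len)
                    : rsn_ie_matches_driver_style(kd, n, beacon_ies, scan_len, (size_t)skip);
}

/* Msg3 whose RSN IE pairwise suite was changed from CCMP (4) to TKIP (2): must not match. */
int check_tampered_msg3(void)
{
    uint8_t ie[22];
    memcpy(ie, rsn_ie_psk_ccmp, sizeof ie);
    ie[13] = 0x02;
    return check_msg3(ie, sizeof ie, sizeof beacon_ies, -1);
}

int main(void)
{
    printf("whole element, valid Msg3:     %d\n", check_msg3(rsn_ie_psk_ccmp, 22, 33, -1));
    printf("posted memcmp, valid Msg3:     %d\n", check_msg3(rsn_ie_psk_ccmp, 22, 33, 0));
    printf("memcmp with +2, valid Msg3:    %d\n", check_msg3(rsn_ie_psk_ccmp, 22, 33, 2));
    printf("whole element, tampered Msg3:  %d\n", check_tampered_msg3());
    printf("scan entry cut inside RSN IE:  %d\n", check_msg3(rsn_ie_psk_ccmp, 22, 20, -1));
    return 0;
}
```

Two things the example shows that the snippets alone do not. With key data that starts with the RSN IE, the posted memcmp at offset 0 compares the EID byte 0x30 against the first body byte and reports a mismatch on perfectly valid data, while the +2 form matches; that is the effect TomDeMan describes, and the +2 form only works as long as the key data really does begin with the RSN IE, which is why the whole-element compare locates the header on both sides instead of assuming an offset. Separately, the posted memcmp takes its length from pEid->Len without checking it against KeyDataLen, so the example checks the lengths on both sides before comparing.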

TomDeMan

18-07-2008 16:08:21

Ah, OK that's a newer spec than the one I had.
But still, could it be that pKeyData and pEid->Octet are compared wrongly (sometimes)? Viewing my data, I seem to need to compare with pKeyData+2 there to get it matched...

TomDeMan

14-08-2008 14:03:43

Moved this to the other thread where I posted code changes to wpa.c

viewtopic.php?f=7&t=4892