Wireshark-bugs: [Wireshark-bugs] [Bug 11994] Wifi 4-way handshake 4/4 is displayed as2/4
Comment # 4
on bug 11994
from Alexander Wetzel
Not good, the STA (Client) in this capture is violating the spec, the nonce
should be zero. (see IEEE802.11-2012 11.6.6.5 4)
Unfortunately Windows is also violating the spec, by setting the secure bit for
#2 when re-keying. So it looks like we can use neither now...
The good news is, that the current code only reports the packet wrong, it will
not affect anything else (like decrypting).
https://code.wireshark.org/review/#q,commit:cb3dd958a,n,z cleaned up two
different methods to differentiate between #2 and #4, moving everything to the
nonce.
The "correct" fix would probably be to introduce a state machine and check the
replay counter and non-trivial.
There are multiple workarounds, but the only one I would consider is using "Key
Data Length" instead. #2 must here have something >0, but unfortunately the
speck for #4 reads:
Key Data Length = length of Key Data field in octets
Key Data = "" required
So the spec is not really forbidding Key Data in #4 and we could have >0 length
within the spec (or that is my interpretation of the section).
All captures I have and this one here would work by checking Key Data Length,
so I guess I'll prepare a patch that as a quick fix in the next days and we
discuss that on gerrit.
You are receiving this mail because:
- You are watching all bug changes.