Wireshark-bugs: [Wireshark-bugs] [Bug 11994] Wifi 4-way handshake 4/4 is displayed as 2/4
Date: Mon, 11 Jan 2016 20:11:26 +0000

Comment # 4 on bug 11994 from
Not good, the STA (Client) in this capture is violating the spec, the nonce
should be zero. (see IEEE802.11-2012 11.6.6.5 4)

Unfortunately Windows is also violating the spec, by setting the secure bit for
#2 when re-keying.  So it looks like we can use neither now...

The good news is, that the current code only reports the packet wrong, it will
not affect anything else (like decrypting).

https://code.wireshark.org/review/#q,commit:cb3dd958a,n,z cleaned up two
different methods to differentiate between #2 and #4, moving everything to the
nonce.

The "correct" fix would probably be to introduce a state machine and check the
replay counter, which is non-trivial.

There are multiple workarounds, but the only one I would consider is using "Key
Data Length" instead. #2 must here have something >0, but unfortunately the
spec for #4 reads:
  Key Data Length = length of Key Data field in octets
  Key Data = "" required

So the spec is not really forbidding Key Data in #4 and we could have >0 length
within the spec (or that is my interpretation of the section).

All captures I have and this one here would work by checking Key Data Length,
so I guess I'll prepare a patch that as a quick fix in the next days and we
discuss that on gerrit.


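The comment above weighs three ways of telling message #2 from message #4 of the 4-way handshake (both are STA-to-AP, MIC set, Key Ack clear): the nonce (zero in #4 per spec, but not in the capture attached to the bug), the Secure bit (set in #4, but Windows also sets it in a rekey #2), and Key Data Length (>0 in #2, 0 in #4 in every capture the commenter has). The following is an added example, not Wireshark's dissector code and not from the bug reporter: it builds constructed EAPOL-Key bodies for the four cases discussed (a compliant #2, a compliant #4, a #4 with a non-zero nonce like the one in the capture, and a Windows-style rekey #2 with Secure set) and runs each heuristic over them so the failure mode of each rule is visible. The RSN IE bytes in the sample #2 key data, the replay counter values and the nonce are all constructed; the frame layout and Key Information bit positions are those of IEEE 802.11-2012 11.6.2.

```python
"""Classify 4-way handshake EAPOL-Key messages with the three heuristics
discussed in bug 11994 (nonce, Secure bit, Key Data Length).  Example code,
not Wireshark's; all sample frames are constructed."""
import struct

# Key Information bits, IEEE 802.11-2012 11.6.2 (bits 0-2 are the descriptor version)
KEY_INFO_VERSION_2 = 2          # HMAC-SHA1-128 MIC, AES key wrap
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_KEY_ACK = 1 << 7
KEY_INFO_KEY_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9

DESCRIPTOR_RSN = 2
# Fixed EAPOL-Key body: descriptor type, key info, key length, replay counter,
# nonce, EAPOL-Key IV, key RSC, reserved key ID, key MIC (16 bytes for
# descriptor versions 1 and 2), key data length.  Key Data follows (95 bytes fixed).
_FIXED = struct.Struct("!BHHQ32s16sQQ16sH")


def build_eapol_key(key_info, replay_counter, nonce, key_data=b""):
    """Assemble an EAPOL-Key body for testing; the MIC is left as zeros."""
    assert len(nonce) == 32
    return _FIXED.pack(DESCRIPTOR_RSN, key_info, 16, replay_counter, nonce,
                       bytes(16), 0, 0, bytes(16), len(key_data)) + key_data


def parse_eapol_key(body):
    """Parse the fixed part and Key Data; reject a truncated Key Data field."""
    (desc, key_info, key_len, replay, nonce, _iv, _rsc, _kid, mic,
     kd_len) = _FIXED.unpack_from(body)
    key_data = body[_FIXED.size:_FIXED.size + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("truncated Key Data")
    return {"descriptor": desc, "key_info": key_info, "key_length": key_len,
            "replay_counter": replay, "nonce": nonce, "mic": mic,
            "key_data_length": kd_len, "key_data": key_data}


# The three STA-to-AP rules from the bug discussion; each returns 2 or 4.
def by_nonce(f):
    """Spec: #4 carries an all-zero nonce (wrong on the capture in the bug)."""
    return 4 if f["nonce"] == bytes(32) else 2


def by_secure_bit(f):
    """#4 has Secure set (wrong for a Windows rekey #2, which sets it too)."""
    return 4 if f["key_info"] & KEY_INFO_SECURE else 2


def by_key_data_length(f):
    """#2 carries the RSN IE in Key Data, #4 normally carries nothing."""
    return 2 if f["key_data_length"] > 0 else 4


def message_number(f, sta_rule):
    """Map a parsed frame to 1..4; AP-to-STA messages need no heuristic."""
    ki = f["key_info"]
    if not ki & KEY_INFO_PAIRWISE:
        return None                      # group key handshake, not 4-way
    ack, mic = bool(ki & KEY_INFO_KEY_ACK), bool(ki & KEY_INFO_KEY_MIC)
    if ack and not mic:
        return 1
    if ack and mic:
        return 3
    if mic and not ack:
        return sta_rule(f)               # #2 or #4: the ambiguous pair
    return None


# Constructed samples.  SNONCE and the RSN IE are made-up but well-formed.
SNONCE = bytes(range(0x10, 0x30))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
SAMPLES = {
    "m2_ok": build_eapol_key(KEY_INFO_VERSION_2 | KEY_INFO_PAIRWISE | KEY_INFO_KEY_MIC,
                             1, SNONCE, RSN_IE),
    "m4_ok": build_eapol_key(KEY_INFO_VERSION_2 | KEY_INFO_PAIRWISE | KEY_INFO_KEY_MIC
                             | KEY_INFO_SECURE, 2, bytes(32)),
    # #4 with the SNonce repeated instead of zeros, as the STA in the bug's capture does
    "m4_bad_nonce": build_eapol_key(KEY_INFO_VERSION_2 | KEY_INFO_PAIRWISE | KEY_INFO_KEY_MIC
                                    | KEY_INFO_SECURE, 2, SNONCE),
    # rekey #2 with Secure already set, as the comment describes for Windows
    "m2_windows_rekey": build_eapol_key(KEY_INFO_VERSION_2 | KEY_INFO_PAIRWISE | KEY_INFO_KEY_MIC
                                        | KEY_INFO_SECURE, 5, SNONCE, RSN_IE),
}


def classify_samples():
    """Run every rule over every sample: {rule_name: {sample_name: msg_no}}."""
    rules = {"nonce": by_nonce, "secure_bit": by_secure_bit,
             "key_data_length": by_key_data_length}
    return {name: {s: message_number(parse_eapol_key(body), rule)
                   for s, body in SAMPLES.items()}
            for name, rule in rules.items()}


if __name__ == "__main__":
    for rule, results in classify_samples().items():
        print(f"{rule:16s}", results)
```

Running it shows the nonce rule labelling `m4_bad_nonce` as #2 (the bug as filed), the Secure-bit rule labelling `m2_windows_rekey` as #4 (the reason the earlier method was dropped), and the Key Data Length rule getting all four right, which is the quick fix the comment proposes; a #4 that legitimately carries Key Data, which the quoted spec text does not forbid, would still defeat that rule, and only a replay-counter state machine resolves that case.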