Re: Progress on WEP in HostAP mode?

From: Benedikt 'Hunz' Heinz (
Date: 2002-02-22 07:08:42 UTC

Howard Leaky wrote:
> >From: "Benedikt 'Hunz' Heinz" <>
> ...
> >another thing is that i currently only encrypt data packets since i don't
> >know whether the payload of mgmt frames should also be encrypted... -
> >anyone who knows that? (maybe i should just have a look in the 802.11b
> >specs...)
> Someone on the BAWUG mailing list just confirmed that management frames are
> always in the clear. See
> It sounds like you're really close. Let me know if you want me to take a
> look at your encryption code.

The ICV works now.
I've looked up the management-frame stuff in the 802.11b specs: the only management frame that has to be encrypted is the authentication response if shared-key auth is used. I guess that's why the firmware can't do WEP in HostAP mode. But I figured out another problem:
I set the HFA384X_WEPFLAGS_HOSTENCRYPT and HFA384X_WEPFLAGS_HOSTDECRYPT flags when hostwep mode is enabled. Then in the rx path I check whether the frame is encrypted and decrypt it if possible; if it is not encrypted and privacy is open, no decrypting is done but the frame is accepted; if privacy is restricted and the frame is not encrypted, I drop it. That reception works fine (although currently only one rx key is supported; if everything works I'll include support for more).
The problem is sending encrypted frames:
If hostwep is enabled and keylen>0, I set the IS_WEP flag in the FC and add 8 (IV+ICV) to the datalen of the 802.11 header and to the 802.3 len. Then I encrypt it including the SNAP header (yeah, I encrypt them both at the same time, not each one separately) and send the result with the real len including IV and ICV (as a complete frame) to the BAP. Encryption works correctly, as does the ICV calculation; I sniffed that with tcpdump on a correctly keyed Lucent card.
If WEP is disabled or the keylen is zero, the frame including SNAP is sent directly (I send them as one frame to the BAP here too), IS_WEP is not set in the FC, and the 802.11 datalen, the 802.3 len and the len for the BAP are without the added 8 bytes of IV+ICV.
And here is the problem: if hostwep is enabled but no key is set, so cleartext is transferred, it works. But if the data is encrypted and can be correctly decrypted by the Lucent, the SNAP header won't be removed (it's still there in the tcpdump dump, but if I encrypt with a Lucent or in non-AP mode with the card firmware it isn't). But I didn't add the SNAP header twice! I can't see where the problem is :( I verified the encrypted and unencrypted data via printk's before sending it to the BAP and it looks good :(
I don't have a second Prism to check the difference via monitor mode, but I'll be at a digital-TV developer meeting this weekend and there are some guys with Prism2's, so I'll debug it there.

A working version with hostwep (optimized WEP en/decrypt + multiple rx keys) should be done by Monday. I'll let ya know.

till then!


Benedikt 'Hunz' Heinz <>
ICQ #9138850
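The framing the post describes on the transmit side (encrypt the LLC/SNAP header and payload as one unit, prepend the IV, append the ICV, 8 bytes of overhead) and on the receive side (drop a frame whose ICV does not verify) in working C. This is an added example for this archive page, not code from the post or from the HostAP driver; the function names, the 40-bit key, the IV and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WEP_IV_LEN  4   /* 3-byte IV + 1 byte whose top two bits are the key ID */
#define WEP_ICV_LEN 4   /* CRC-32 over the plaintext, sent little-endian */

/* CRC-32 (IEEE 802.3 polynomial, reflected, init/final 0xFFFFFFFF), the WEP ICV. */
static uint32_t wep_crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* RC4 keystream generator; WEP seeds it with IV || key. */
struct rc4 { uint8_t s[256]; uint8_t i, j; };

static void rc4_init(struct rc4 *r, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) r->s[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + r->s[n] + key[n % keylen]);
        uint8_t t = r->s[n]; r->s[n] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

static void rc4_crypt(struct rc4 *r, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        r->i = (uint8_t)(r->i + 1);
        r->j = (uint8_t)(r->j + r->s[r->i]);
        uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
        buf[n] ^= r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
    }
}

/* Transmit side: out = IV(3) || keyid<<6 || RC4(plain || ICV).
 * 'plain' is the LLC/SNAP header plus payload, encrypted as one unit.
 * Returns inlen + 8 (the 8 bytes the post adds to the lengths), or 0 on bad input. */
size_t wep_encrypt(const uint8_t *key, size_t keylen, const uint8_t iv[3],
                   uint8_t keyid, const uint8_t *plain, size_t inlen,
                   uint8_t *out, size_t outcap)
{
    if ((keylen != 5 && keylen != 13) || keyid > 3 ||
        outcap < inlen + WEP_IV_LEN + WEP_ICV_LEN)
        return 0;
    uint8_t seed[3 + 13];
    memcpy(seed, iv, 3);
    memcpy(seed + 3, key, keylen);

    memcpy(out, iv, 3);
    out[3] = (uint8_t)(keyid << 6);
    memcpy(out + WEP_IV_LEN, plain, inlen);
    uint32_t icv = wep_crc32(plain, inlen);
    uint8_t *p = out + WEP_IV_LEN + inlen;
    p[0] = (uint8_t)icv; p[1] = (uint8_t)(icv >> 8);
    p[2] = (uint8_t)(icv >> 16); p[3] = (uint8_t)(icv >> 24);

    struct rc4 r;
    rc4_init(&r, seed, 3 + keylen);
    rc4_crypt(&r, out + WEP_IV_LEN, inlen + WEP_ICV_LEN);   /* data and ICV in one pass */
    return inlen + WEP_IV_LEN + WEP_ICV_LEN;
}

/* Receive side: strip IV, decrypt, verify ICV. Returns the plaintext length
 * (LLC/SNAP + payload), or 0 when the ICV fails and the frame must be dropped. */
size_t wep_decrypt(const uint8_t *key, size_t keylen, const uint8_t *frame,
                   size_t flen, uint8_t *out, size_t outcap)
{
    if ((keylen != 5 && keylen != 13) || flen < WEP_IV_LEN + WEP_ICV_LEN ||
        outcap < flen - WEP_IV_LEN - WEP_ICV_LEN)
        return 0;
    size_t plen = flen - WEP_IV_LEN - WEP_ICV_LEN;
    uint8_t seed[3 + 13], icv[4];
    memcpy(seed, frame, 3);             /* IV is sent in the clear */
    memcpy(seed + 3, key, keylen);

    struct rc4 r;
    rc4_init(&r, seed, 3 + keylen);
    memcpy(out, frame + WEP_IV_LEN, plen);
    rc4_crypt(&r, out, plen);
    memcpy(icv, frame + WEP_IV_LEN + plen, 4);
    rc4_crypt(&r, icv, 4);              /* keystream continues into the ICV */
    uint32_t got = (uint32_t)icv[0] | (uint32_t)icv[1] << 8 |
                   (uint32_t)icv[2] << 16 | (uint32_t)icv[3] << 24;
    return got == wep_crc32(out, plen) ? plen : 0;
}

/* Round trip over a constructed frame; returns 1 if every check passes. */
int wep_selftest(void)
{
    /* Constructed inputs: 40-bit key, IV, LLC/SNAP header for IP, short payload. */
    const uint8_t key[5]  = { 0x4b, 0x65, 0x79, 0x21, 0x21 };
    const uint8_t iv[3]   = { 0x01, 0x02, 0x03 };
    const uint8_t plain[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,
                              'h', 'e', 'l', 'l', 'o' };
    uint8_t frame[64], back[64];

    size_t flen = wep_encrypt(key, sizeof key, iv, 2, plain, sizeof plain, frame, sizeof frame);
    if (flen != sizeof plain + 8) return 0;
    if (memcmp(frame, iv, 3) != 0 || frame[3] != (2 << 6)) return 0;
    if (memcmp(frame + 4, plain, sizeof plain) == 0) return 0;   /* must be enciphered */
    if (wep_decrypt(key, sizeof key, frame, flen, back, sizeof back) != sizeof plain) return 0;
    if (memcmp(back, plain, sizeof plain) != 0) return 0;

    /* A wrong key or a flipped ciphertext byte must fail the ICV check. */
    const uint8_t badkey[5] = { 0x4b, 0x65, 0x79, 0x21, 0x22 };
    if (wep_decrypt(badkey, sizeof badkey, frame, flen, back, sizeof back) != 0) return 0;
    frame[4 + 8] ^= 0x01;
    if (wep_decrypt(key, sizeof key, frame, flen, back, sizeof back) != 0) return 0;

    /* Only 40- and 104-bit keys are valid WEP keys. */
    if (wep_encrypt(key, 7, iv, 0, plain, sizeof plain, frame, sizeof frame) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("wep selftest: %s\n", wep_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The 8 bytes of overhead the post adds to the 802.11 and 802.3 lengths are the 4-byte IV field (3 IV bytes plus the key-ID byte) and the 4-byte ICV; the ICV is a plain CRC-32 and the RC4 seed is IV || key, so this shows the frame format the driver has to produce, not a design anyone should reuse for confidentiality.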

This archive was generated by hypermail 2.1.4.