I am a novice in macsec, and appreciate any help in understanding why macsec via wpa_supplicant on Ubuntu does not work with the Ruckus ICX7850-48FS switch.
This switch does have macsec option enabled and configured with pre-shared CAK and CKN
However, I cannot ping any device on my network when macsec is set in ICX and wpa_supplicant is running on Ubuntu.
Do I miss something in configuration?
Thank you
Here is what ip command shows:
$ ip -s macsec show
17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 00e102005f280001 on SA 0
stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
0 0 0 107 0 0 2832 0
stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
0 11 0 1218
0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
stats: OutPktsProtected OutPktsEncrypted
0 11
RXSC: 38453b3aa3730003, state on
stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid
InPktsNotUsingSA InPktsUnusedSA
0 0 0 0 0 0 0 0 0 0
0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
0 0 0 0 0
wpa_supplicant.config:
ctrl_interface=/var/run/wpa_supplicant eapol_version=3 ap_scan=0
#orig fast_reauth=1 fast_reauth=0 network={
key_mgmt=NONE
#key_mgmt=IEEE8021X
eapol_flags=0
macsec_policy=1
mka_cak=135bd758b0ee5c11c55ff6ab19fdb199
mka_ckn=96437a93ccf10d9dfe347846cce52c7d
mka_priority=100 }
I run wpa_supplicant in debug mode:
wpa_supplicant -dd -K -i eth0 -Dmacsec_linux -c
wpa_supplicant_ubuntu.conf
Wpa_cli status:
> status
bssid=01:80:c2:00:00:03
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=NONE
wpa_state=COMPLETED
ip_address=10.100.97.158
address=00:e1:02:00:5f:28
PAE KaY status=Active
Authenticated=No
Secured=Yes
Failed=No
Actor Priority=100
Key Server Priority=16
Is Key Server=No
Number of Keys Distributed=0
Number of Keys Received=1
MKA Hello Time=2000
actor_sci=00:e1:02:00:5f:28#1
key_server_sci=38:45:3b:3a:a3:73#3
participant_idx=0
ckn=96437a93ccf10d9dfe347846cce52c7d
mi=3dfae97ed11d9ba7013cef3d
mn=6
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
uuid=84d0be70-7d9a-5dba-b0ed-139b3414cf7d
Log of wpa_supplicant:
# ./startWpaSupplicantUbuntu.sh
wpa_supplicant v2.9
random: getrandom() support available
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf 'wpa_supplicant_ubuntu.conf' driver 'macsec_linux' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant_ubuntu.conf' -> '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
Reading configuration file '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
ctrl_interface='/var/run/wpa_supplicant'
eapol_version=3
ap_scan=0
fast_reauth=0
Line: 7 - start of a new network block
key_mgmt: 0x4
eapol_flags=0 (0x0)
macsec_policy=1 (0x1)
MKA-CAK - hexdump(len=16): [REMOVED]
MKA-CKN - hexdump(len=16): [REMOVED]
mka_priority=100 (0x64)
Priority group 0
id=0 ssid=''
driver_wired_init_common: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: 00:e1:02:00:5f:28
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eth0: WPS: UUID based on MAC address: 84d0be70-7d9a-5dba-b0ed-139b3414cf7d
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28#1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=ForceAuthorized
KaY: state machine removed
CP: state machine removed
macsec_drv_macsec_deinit
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28#1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
KaY: Create MKA (ifname=eth0 mode=PSK authenticator=No)
KaY: CKN - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: CAK - hexdump(len=16): [REMOVED]
KaY: Selected random MI: 3dfae97ed11d9ba7013cef3d
KaY: Create transmit SC - SCI: 00:e1:02:00:5f:28#1
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: eth0: create_transmit_sc -> 00:e1:02:00:5f:28::1 (conf_offset=0)
macsec_linux: eth0: create_transmit_sc: ifi=16 ifname=macsec0
macsec_linux: macsec0: try_commit controlled_port_enabled=0
macsec_linux: macsec0: try_commit protect_frames=1
macsec_linux: macsec0: try_commit encrypt=1
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
KaY: Derived KEK - hexdump(len=16): [REMOVED]
KaY: Derived ICK - hexdump(len=16): [REMOVED]
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
TDLS: Remove peers on association
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state S_FORCE_AUTH
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state IDLE
eth0: Cancelling authentication timeout
eth0: State: ASSOCIATED -> COMPLETED
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
eth0: Cancelling scan request
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 100
Key Server: 1
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 00:e1:02:00:5f:28#1
Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
Actor's Message Number: 1
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: ICV - hexdump(len=16): 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
KaY: Outgoing MKPDU - hexdump(len=82): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 40 01 64 e0 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
EAPOL: disable timer tick
l2_packet_receive: src=38:45:3b:3a:a3:73 len=92
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=92): 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=106
KaY: RX EAPOL-MKA - hexdump(len=106): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=88
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=88): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 16
Key Server: 1
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 38:45:3b:3a:a3:73#3
Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
Actor's Message Number: 1
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Potential peer created
MI: 6961e3c6b1dddcdbd81ce04f MN: 1 SCI: 00:00:00:00:00:00#0
Potential Peer List parameter set
Body Length: 16
Member Id: 3dfae97ed11d9ba7013cef3d Message Number: 1
KaY: My MI - received MN 1, most recently transmitted MN 1
KaY: i_in_peerlist=Yes is_in_live_peer=No
KaY: Create receive SC: SCI 38:45:3b:3a:a3:73#3
KaY: Move potential peer to live peer
MI: 6961e3c6b1dddcdbd81ce04f MN: 1 SCI: 38:45:3b:3a:a3:73#3
macsec_linux: macsec0: create_receive_sc -> 38:45:3b:3a:a3:73::3 (conf_offset=0 validation=2)
KaY: Peer 6961e3c6b1dddcdbd81ce04f was elected as the key server
CTRL_IFACE monitor attached /tmp/wpa_ctrl_133358-44\x00
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=3
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=5
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=84
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 100
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 00:e1:02:00:5f:28#1
Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
Actor's Message Number: 2
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
Body Length: 16
Member Id: 6961e3c6b1dddcdbd81ce04f Message Number: 1
KaY: ICV - hexdump(len=16): fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
KaY: Outgoing MKPDU - hexdump(len=102): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 54 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
l2_packet_receive: src=38:45:3b:3a:a3:73 len=168
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=168): 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=182
KaY: RX EAPOL-MKA - hexdump(len=182): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=164
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=164): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 16
Key Server: 1
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 38:45:3b:3a:a3:73#3
Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
Actor's Message Number: 2
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
Live Peer List parameter set
Body Length: 16
Member Id: 3dfae97ed11d9ba7013cef3d Message Number: 2
KaY: My MI - received MN 2, most recently transmitted MN 2
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
Latest Key AN....: 0
Latest Key Tx....: No
Latest Key Rx....: Yes
Old Key AN.......: 0
Old Key Tx.......: No
Old Key Rx.......: No
Plain Tx.........: No
Plain Rx.........: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: 6961e3c6b1dddcdbd81ce04f
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI: 000000000000000000000000
Old Key Number...: 0
Old Lowest PN....: 1
KaY: Latest key is invalid
Distributed SAK parameter set
Distributed AN........: 0
Confidentiality Offset: 1
Body Length...........: 28
Key Number............: 1
AES Key Wrap of SAK...: - hexdump(len=24): fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4
AES Key Unwrap of SAK.: - hexdump(len=16): [REMOVED]
CP: CP entering state SECURED
macsec_drv_set_current_cipher_suite -> 0080020001000001
macsec_drv_enable_protect_frames -> TRUE
macsec_linux: macsec0: try_commit protect_frames=1
macsec_drv_enable_encrypt -> TRUE
macsec_linux: macsec0: try_commit encrypt=1
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
CP: CP entering state RECEIVE
KaY: Create receive SA(an: 0 lowest_pn: 1) of SC
macsec_linux: macsec0: create_receive_sa -> 0 on 38:45:3b:3a:a3:73::3 (enable_receive=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
KaY: Create transmit SA(an: 0, next_pn: 1) of SC
macsec_linux: macsec0: create_transmit_sa -> 0 on 00:e1:02:00:5f:28::1 (enable_transmit=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
macsec_linux: macsec0: enable_receive_sa -> 0 on 38:45:3b:3a:a3:73::3
CP: CP entering state RECEIVING
CP: CP entering state READY
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 100
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 00:e1:02:00:5f:28#1
Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
Actor's Message Number: 3
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
Body Length: 16
Member Id: 6961e3c6b1dddcdbd81ce04f Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
Latest Key AN....: 0
Latest Key Tx....: No
Latest Key Rx....: Yes
Old Key AN.......: 0
Old Key Tx.......: No
Old Key Rx.......: No
Plain Tx.........: No
Plain Rx.........: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: 6961e3c6b1dddcdbd81ce04f
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI: 000000000000000000000000
Old Key Number...: 0
Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
CP: CP entering state TRANSMIT
macsec_drv_enable_controlled_port -> TRUE
macsec_linux: macsec0: try_commit controlled_port_enabled=1
macsec_linux: macsec0: enable_transmit_sa -> 0 on 00:e1:02:00:5f:28::1
macsec_linux: macsec0: try_commit encoding_sa=0
CP: CP entering state TRANSMITTING
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 100
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 00:e1:02:00:5f:28#1
Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
Actor's Message Number: 4
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
Body Length: 16
Member Id: 6961e3c6b1dddcdbd81ce04f Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN.......: 0
Old Key Tx.......: No
Old Key Rx.......: No
Plain Tx.........: No
Plain Rx.........: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: 6961e3c6b1dddcdbd81ce04f
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI: 000000000000000000000000
Old Key Number...: 0
Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
CP: CP entering state RETIRE
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 100
Key Server: 0
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 00:e1:02:00:5f:28#1
Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
Actor's Message Number: 5
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
Body Length: 16
Member Id: 6961e3c6b1dddcdbd81ce04f Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 2
MACsec SAK Use parameter set
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN.......: 0
Old Key Tx.......: No
Old Key Rx.......: No
Plain Tx.........: No
Plain Rx.........: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: 6961e3c6b1dddcdbd81ce04f
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI: 000000000000000000000000
Old Key Number...: 0
Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=150
KaY: RX EAPOL-MKA - hexdump(len=150): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=132
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=132): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
MKA Basic Parameter Set
MKA Version Identifier: 1
Key Server Priority: 16
Key Server: 1
MACsec Desired: 1
MACsec Capability: 2
Parameter set body length: 44
SCI: 38:45:3b:3a:a3:73#3
Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
Actor's Message Number: 3
Algorithm Agility: 0080c201
CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
Live Peer List parameter set
Body Length: 16
Member Id: 3dfae97ed11d9ba7013cef3d Message Number: 5
KaY: My MI - received MN 5, most recently transmitted MN 5
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN.......: 0
Old Key Tx.......: No
Old Key Rx.......: No
Plain Tx.........: No
Plain Rx.........: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: 6961e3c6b1dddcdbd81ce04f
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI: 000000000000000000000000
Old Key Number...: 0
Old Lowest PN....: 1
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 a5 fc ed db e1 b4 1a 61 d8 ec 73 3a ff 9e 54 e7
eth0: Ignored received EAPOL frame since no key management is configured
Here is macsec part of ICX configuration:
dot1x-mka-enable
mka-cfg-group test
key-server-priority 20
macsec cipher-suite gcm-aes-128
enable-mka ethernet 1/1/4
pre-shared-key 135bd758b0ee5c11c55ff6ab19fdb199 key-name 96437a93ccf10d9dfe347846cce52c7d
!
Your wpa_supplicant.config formatting looks odd in your question, but I'm guessing it works on your system based on the log output.
I think you should have a new macsec0 device which handles the encryption and decryption, and that should be the interface you use once MACsec is properly configured on eth0. eth0 traffic will not be usable unless the switch side MACsec configuration allows unencrypted traffic as well as encrypted.
Summary:
eth0 is unsecure traffic (if configured to allow unsecure traffic)
macsec0 is secure traffic
Related
We have a Google App Engine project that is setup to work over a custom domain on HTTPS (Using Google managed SSL certs). For most part it is working fine e.g. on Chrome and other modern browsers but NOT for some old TL1.0 clients where it is failing the handshake.
The problem seems with ghs.googlehosted.com GFE servers. AppEngine GFEs on appspot-preview.l.google.com work fine for these clients.
Here is an example log with openssl, connecting to api.my-project.com
$ openssl s_client -connect ghs.googlehosted.com:443 -msg
CONNECTED(00000005)
>>> TLS 1.2 Handshake [length 0139], ClientHello
01 00 01 35 03 03 82 73 d6 6c 32 b7 84 f3 30 57
8f 98 a7 6e e7 c2 f5 b8 be f4 29 55 41 25 35 ab
56 51 3c 1e b9 e3 00 00 98 cc 14 cc 13 cc 15 c0
30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00
6b 00 6a 00 39 00 38 ff 85 00 c4 00 c3 00 88 00
87 00 81 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00
9d 00 3d 00 35 00 c0 00 84 c0 2f c0 2b c0 27 c0
23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00
32 00 be 00 bd 00 45 00 44 c0 31 c0 2d c0 29 c0
25 c0 0e c0 04 00 9c 00 3c 00 2f 00 ba 00 41 c0
11 c0 07 c0 0c c0 02 00 05 00 04 c0 12 c0 08 00
16 00 13 c0 0d c0 03 00 0a 00 15 00 12 00 09 00
ff 01 00 00 74 00 0b 00 04 03 00 01 02 00 0a 00
3a 00 38 00 0e 00 0d 00 19 00 1c 00 0b 00 0c 00
1b 00 18 00 09 00 0a 00 1a 00 16 00 17 00 08 00
06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00
01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00
0d 00 26 00 24 06 01 06 02 06 03 ef ef 05 01 05
02 05 03 04 01 04 02 04 03 ee ee ed ed 03 01 03
02 03 03 02 01 02 02 02 03
140735490237384:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_lib.c:124:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
It works connecting to my-project.appspot.com
$ openssl s_client -connect appspot-preview.l.google.com:443
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.appspot-preview.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFNjCCBB6gAwIBAgIIf6MEypLTuRMwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODA0MTcxMzQ5NTFaFw0x
ODA3MTAxMjM5MDBaMG8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgSW5jMR4w
HAYDVQQDDBUqLmFwcHNwb3QtcHJldmlldy5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCmdyEZXoKJUUXkt0edaQhKSTWt+6EUBHa2OSGrk5uT9UZo
c2El7MMFl1aFhPzDJR3quZpFXdrGYoB5sVSPHDc33EKhWSG/+4YeYMi/fOiGC3x+
Tqesk+F8TME49MTDvSdOZVuYyVJkIYatTeVdfgW7IZ34bbGviazlf236DRfrhxsQ
HpZEaSXkziDbWCbnAvJSwpmxRX8bOmkncecfwOnS0g8O8is9hmMvFo1yBkvns3bm
5gNzA9JHuLvd6T9iW/rfZbi86oinv+cEUlqxQDesTzaWs399uJDf0Glshs9wr3jM
UzwPP36bulMEfdBak3B+eI+jCm+X7WQbp7aF3GxfAgMBAAGjggHvMIIB6zATBgNV
HSUEDDAKBggrBgEFBQcDATCBxQYDVR0RBIG9MIG6ghUqLmFwcHNwb3QtcHJldmll
dy5jb22CDSouYXBwc3BvdC5jb22CFSoudGhpbmt3aXRoZ29vZ2xlLmNvbYIQKi53
aXRoZ29vZ2xlLmNvbYIRKi53aXRoeW91dHViZS5jb22CE2FwcHNwb3QtcHJldmll
dy5jb22CC2FwcHNwb3QuY29tghN0aGlua3dpdGhnb29nbGUuY29tgg53aXRoZ29v
Z2xlLmNvbYIPd2l0aHlvdXR1YmUuY29tMGgGCCsGAQUFBwEBBFwwWjAtBggrBgEF
BQcwAoYhaHR0cDovL3BraS5nb29nL2dzcjIvR1RTR0lBRzMuY3J0MCkGCCsGAQUF
BzABhh1odHRwOi8vb2NzcC5wa2kuZ29vZy9HVFNHSUFHMzAdBgNVHQ4EFgQU1jst
cVQOljRrrXMTZa4vqe7cCiMwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBR3wrhQ
mmd2drEtwobQg6B+pn66SzAhBgNVHSAEGjAYMAwGCisGAQQB1nkCBQMwCAYGZ4EM
AQICMDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwucGtpLmdvb2cvR1RTR0lB
RzMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCFibJ0MNHYQk2x6jUHCsdmswo3HACq
nhGV0KXuG0kK6bmPAYYzNuIj6Ee+Dq1x9eFrhxiCu1fQsRKJ42xHTawUBEdhKgcz
wMDxkhRsd3rO1pF8LPTyT4XDACOH20UUxOzBY4yiIP6MU8oZxEGPP7Db2UnpKBJU
/ID1DyAHntoQru/5zNbKFlCfzFgpuTkXCtZlBrY33/V3V3umsOgwOz+isDNW4N+f
RrSpGynywJiHLXFSs/tOr0dFsebG2Dil2ZVDq5aRDhGMn7WKNe8IJvI3GMr6ZUiS
o7WzSPqRij1HOgJoNsL39luSwwOxWJ4znaDkjoewxFmWMqd/7F0lVf4m
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.appspot-preview.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
No client certificate CA names sent
---
SSL handshake has read 3166 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7C3AAFD46B8D8C8C95F336DEAFFEAB0950B61A01DE9CCD33BC1B4E00B8778ACA
Session-ID-ctx:
Master-Key: F796ECD4CA06D7B3FD8888F5B74AA70C22846CCD207AFA9BC3686AD53E3CBAEA7E2535B9051C0CE2EB96CBA80090CD14
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 00 cf 37 1b ad 9e 5d e3-33 ca 1f 1a 53 78 e0 1b ..7...].3...Sx..
0010 - 9a 7b fe 86 70 da 77 ee-b6 a4 2d 0e 5d 57 c4 b0 .{..p.w...-.]W..
0020 - 5e 3a f3 37 65 d1 bb c3-9f 47 0c e9 05 fc c0 6b ^:.7e....G.....k
0030 - 26 ed a2 27 dc 18 17 88-79 70 4f e4 92 a0 b7 fa &..'....ypO.....
0040 - b6 91 6e c0 7f c6 6e cc-35 81 02 5b 9d 4c 66 6f ..n...n.5..[.Lfo
0050 - 6e 5b d2 7e c5 8f bb 14-70 a8 dd 9b cb ff 50 07 n[.~....p.....P.
0060 - 0f 9c 86 f6 4a d3 bd c7-20 26 2a b6 c3 f7 52 1e ....J... &*...R.
0070 - ce 1d 8e 77 be 65 d6 41-44 c8 9a 30 31 29 66 93 ...w.e.AD..01)f.
0080 - 15 fc 76 f2 6a c5 68 92-23 96 d5 47 50 92 04 e0 ..v.j.h.#..GP...
0090 - 6a de d4 77 b7 bb 02 cf-fd fe 75 71 13 2c c7 34 j..w......uq.,.4
00a0 - 47 48 f3 fa a2 fc ef 7d-7a bd b9 94 8e 40 06 c6 GH.....}z....#..
00b0 - a3 55 56 ec af 29 77 27-7f 40 98 4e ef 0b dc 54 .UV..)w'.#.N...T
00c0 - 6d 8f d1 93 8f 96 2d c2-79 42 1f 4a 7b f4 d6 d9 m.....-.yB.J{...
00d0 - e7 f0 d1 5a 83 ...Z.
Start Time: 1526935566
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
I'm demuxing one program stream file and I can't figure out what one PES packet is carrying. (see picture below).
Stream ID is 0xE0, so it is a video stream. Since I'm reading a program stream file, it is the only video stream. As you can see, the packet length is 0x9C, the next byte 0x80 tells us that first two bits are '10', as expected and PES_scrambling_control, PES_priority, data_alignment_indicator, copyright and original_or_copy are all 0 (not set). The next byte 0x09 tells us that we have DSM_trick_mode_flag and PES_extension_flag set. The next byte 0x78 is PES header length. If we skip PES header, we will be at the first byte in the framed area containing 33 bytes. It begins with 00 37 B0... These 33 bytes should be skipped when demuxing, but I can't figure out why. Any comment or suggestion is very welcome.
PES packet picture
PES packet hex values as text:
00 00 01 e0 00 9c 80 09 78 00 52 40 09 ac 00 3f
40 00 22 00 d7 c0 00 e2 00 da 20 04 8a 00 62 60
02 36 00 46 10 0e a1 00 28 50 01 b9 00 d9 d0 09
cd 00 67 30 0f a3 00 44 b0 04 6b 00 8f b0 0d e7
00 64 f0 00 57 00 41 70 09 d7 00 a7 70 0d 5f 00
73 f0 0c 40 80 f8 88 00 b0 80 23 88 06 68 80 38
88 0b a8 80 be 08 07 b0 80 b3 f0 0a 10 80 67 70
08 90 80 b6 70 03 10 80 7f b0 09 00 80 f1 b0 0f
2f 00 37 b0 09 77 00 a4 70 0e 37 00 ca 70 07 47
00 b1 b0 03 33 00 3e 30 06 bd 00 77 50 05 2d 00
15 50
I have an OTI Copni device and I need to install a .cap file to this Copni device. So I have JCOP tools with Eclipse and I try to upload and install. It then gives this the indicated error. I presume this is happening because of a failed authentication.
cm> /term "winscard:4|SCM Microsystems Inc. SDI011G Contactless Reader 0"
--Opening terminal
> /card -a a000000003000000 -c com.ibm.jc.CardManager
resetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B 88 80 01 00 73 C8 40 00 00 90 00 62 ;....s.#....b
ATR: T=0, T=1, Hist=0073C84000009000
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00 ..............
(21592 usec)
<= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 oe...........Y.e
01 FF 9F 6E 06 47 91 20 17 3F 00 73 4A 06 07 2A ...n.G. .?.sJ..*
86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B .H..k.`...*.H..k
02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 ....c...*.H..k.d
0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 ...*.H..k...e...
2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 +...Hd...f...+..
04 01 2A 02 6E 01 02 90 00 ..*.n....
Status: No Error
cm> set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
cm> init-update 255
=> 80 50 00 00 08 C2 3F 4B C4 BE B6 E5 58 00 .P....?K....X.
(43622 usec)
<= 00 00 32 98 00 09 30 97 06 25 01 02 00 10 68 6C ..2...0..%....hl
E3 CA 2C 2B 4D 2C 4B 0D 0E 62 5F 8C 90 00 ..,+M,K..b_...
Status: No Error
cm> ext-auth plain
=> 84 82 00 00 10 EB FC 66 BC FA 30 91 58 5B 51 FA .......f..0.X[Q.
0C 46 D7 43 C9 .F.C.
(12557 usec)
<= 69 85 i.
Status: Conditions of use not satisfied
jcshell: Error code: 6985 (Conditions of use not satisfied)
jcshell: Wrong response APDU: 6985
Unexpected error; aborting execution
Can someone tell me how to upload a .cap file to this device?
Try ext-auth mac instead, the smart card is probably in the state OP_SECURE, which means that at minimal command MAC is required.
As JCOP tools is not publicly available nor open source, I'd suggest you try a publicly available piece of software instead:
https://github.com/martinpaljak/GlobalPlatform#globalplatform-from-openkms
(as the name of the github repository implies this is self-promotion)
During SSL 3.0 handshaking server responses with the following serverhello message
16 03 00 00 51 02 00
00 4d 03 00 4f a1 c1
eb e3 fb 00 a9 c8 25
25 48 6f 89 27 ec bb
80 f3 8c 5d db f7 6c
94 56 d8 34 7a b5 9d
02 20 54 ab 20 ea 05
a6 38 6f ee 55 40 ae
af e2 5d ae 2a 4d c1
c6 f4 09 a7 08 b1 c5
49 39 87 82 d3 f7 00
39 00 00 05 ff 01 00
01 00
I understand this response as follows:
Content-type: 22 (Handshake protocol)
Version: 3.0
Length: a1 (81 bytes)
Content-type: 02 (ServerHello)
Length: 4d (77 bytes)
Version: 3.0
Random: 4f a1 c1 eb e3 fb 00 a9
c8 25 25 48 6f 89 27 ec
bb 80 f3 8c 5d db f7 6c
94 56 d8 34 7a b5 9d 02
SessionID Length: 20 (32 bytes)
SessionID: 54 ab 20 ea 05 a6 38 6f
ee 55 40 ae af e2 5d ae
2a 4d c1 c6 f4 09 a7 08
b1 c5 49 39 87 82 d3 f7
Cipher Suite: 00 39
Compression method: 00
But i can't understand how the last 7 bytes should be interpreted: 00 05 ff 01 00 01 00
That would be the renegotiation_info extension, as defined in RFC 5746:
o If this is the initial handshake for a connection, then the
"renegotiated_connection" field is of zero length in both the
ClientHello and the ServerHello. Thus, the entire encoding of the
extension is ff 01 00 01 00. The first two octets represent the
extension type, the third and fourth octets the length of the
extension itself, and the final octet the zero length byte for the
"renegotiated_connection" field.
I capture packets sent/received by Win Xp machine when connecting to SQL Server 2005 Express using TLS encryption.
Server and Client exchange Hello messages
Server and Client send ChangeCipherSpec message
Then Server and Client server send strange message that is not described in TLS protocol
What is the message?
Server side capture:
16 **SSL Handshake**
03 01
00 4a
02 ServerHello
00 00 46
03 01
4b dd 68 59 GMT
33 13 37 98 10 5d 57 9d ff 71 70 dc d6 6f 9e 2c Random[00..13]
cb 96 c0 2e b3 2f 9b 74 67 05 cc 96 Random[14..27]
20 72 26 00 00 0f db 7f d9 b0 51 c2 4f cd 81 4c Session ID
3f e3 d2 d1 da 55 c0 fe 9b 56 b7 6f 70 86 fe bb Session ID
54 Session ID
00 04 Cipher Suite
00 Compression
14 03 01 00 01 01 **ChangeCipherSpec**
16 03 01 ???? Finished ???
00 20 d0 da cc c4 36 11 43 ff 22 25 8a e1 38 2b ???? ???
71 ce f3 59 9e 35 b0 be b2 4b 1d c5 21 21 ce 41 ???? ???
8e 24
16 03 01
00 20 d0 da cc c4 36 11 43 ff 22 25 8a e1 38 2b
71 ce f3 59 9e 35 b0 be b2 4b 1d c5 21 21 ce 41
8e 24
This message is already encrypted, therefore to see
14 03 01 00 00 0c
it needs to be decrypted first