I have added code into aircrack-ng.c from the latest sauce which writes the pke[] array to a file as so:

FILE *pkef;
                pkef=fopen("pke.txt", "a");
                for(j=0; j<nparallel; ++j)
                {
                        /* compute the pairwise transient key and the 
+frame MIC */

                        for (i = 0; i < 4; i++)
                        {
                                pke[99] = i;
                                HMAC(EVP_sha1(), pmk[j], 32, pke, 100,
+ ptk[j] + i * 20, NULL);
                                int kk = 0;
                                fprintf(pkef,"==> ");
                                for(kk = 0;kk<=99;kk++){
                                        fprintf(pkef, "%i ",pke[kk]);
                                }
                                fprintf(pkef,"\n---------------------\
+n");
                        }
[download]

After which I converted it to hex, and the output was exactly that which it should be: "Pairwise key expansion" . 0x00 . $mac1 . $mac2 . $nonce1 . $nonce2 . 0x00; # where $mac1 < $mac2 && $nonce1 < $nonce2. Now, I used this hex in Perl and tried hmac_sha1 and even PBKDF2 again, to no avail (using the pre-computed PMK as the key just like Aircrack-ng). I have tried 1 and 4096 passes, I know I am using CCMP-WPA2, I know what cowpatty and aircrack-ng produce, i have also tried reading the raw bytes directly from Net::Pcap but I cannot seem to get the correct first 128 bits of the PTK.. I bet it has to do with not being able to replicate that danged HMAC() C function properly. There's a description of it in the openSSL documentation as:

unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
               int key_len, const unsigned char *d, int n,
               unsigned char *md, unsigned int *md_len);
[download]

Could it simply not be possible? Thanks monks! :)