You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

wpa.c 25KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915
  1. /*
  2. * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. */
  19. FILE_LICENCE ( GPL2_OR_LATER );
  20. #include <ipxe/net80211.h>
  21. #include <ipxe/sec80211.h>
  22. #include <ipxe/wpa.h>
  23. #include <ipxe/eapol.h>
  24. #include <ipxe/crypto.h>
  25. #include <ipxe/arc4.h>
  26. #include <ipxe/crc32.h>
  27. #include <ipxe/sha1.h>
  28. #include <ipxe/hmac.h>
  29. #include <ipxe/list.h>
  30. #include <ipxe/ethernet.h>
  31. #include <ipxe/rbg.h>
  32. #include <stdlib.h>
  33. #include <string.h>
  34. #include <errno.h>
  35. #include <byteswap.h>
  36. /** @file
  37. *
  38. * Handler for the aspects of WPA handshaking that are independent of
  39. * 802.1X/PSK or TKIP/CCMP; this mostly involves the 4-Way Handshake.
  40. */
  41. /** List of WPA contexts in active use. */
  42. struct list_head wpa_contexts = LIST_HEAD_INIT ( wpa_contexts );
  43. /**
  44. * Return an error code and deauthenticate
  45. *
  46. * @v ctx WPA common context
  47. * @v rc Return status code
  48. * @ret rc The passed return status code
  49. */
  50. static int wpa_fail ( struct wpa_common_ctx *ctx, int rc )
  51. {
  52. net80211_deauthenticate ( ctx->dev, rc );
  53. return rc;
  54. }
  55. /**
  56. * Find a cryptosystem handler structure from a crypto ID
  57. *
  58. * @v crypt Cryptosystem ID
  59. * @ret crypto Cryptosystem handler structure
  60. *
  61. * If support for @a crypt is not compiled in to iPXE, or if @a crypt
  62. * is NET80211_CRYPT_UNKNOWN, returns @c NULL.
  63. */
  64. static struct net80211_crypto *
  65. wpa_find_cryptosystem ( enum net80211_crypto_alg crypt )
  66. {
  67. struct net80211_crypto *crypto;
  68. for_each_table_entry ( crypto, NET80211_CRYPTOS ) {
  69. if ( crypto->algorithm == crypt )
  70. return crypto;
  71. }
  72. return NULL;
  73. }
  74. /**
  75. * Find WPA key integrity and encryption handler from key version field
  76. *
  77. * @v ver Version bits of EAPOL-Key info field
  78. * @ret kie Key integrity and encryption handler
  79. */
  80. struct wpa_kie * wpa_find_kie ( int version )
  81. {
  82. struct wpa_kie *kie;
  83. for_each_table_entry ( kie, WPA_KIES ) {
  84. if ( kie->version == version )
  85. return kie;
  86. }
  87. return NULL;
  88. }
  89. /**
  90. * Construct RSN or WPA information element
  91. *
  92. * @v dev 802.11 device
  93. * @ret ie_ret RSN or WPA information element
  94. * @ret rc Return status code
  95. *
  96. * This function allocates, fills, and returns a RSN or WPA
  97. * information element suitable for including in an association
  98. * request frame to the network identified by @c dev->associating.
  99. * If it is impossible to construct an information element consistent
  100. * with iPXE's capabilities that is compatible with that network, or
  101. * if none should be sent because that network's beacon included no
  102. * security information, returns an error indication and leaves
  103. * @a ie_ret unchanged.
  104. *
  105. * The returned IE will be of the same type (RSN or WPA) as was
  106. * included in the beacon for the network it is destined for.
  107. */
  108. int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie_ret )
  109. {
  110. u8 *rsn, *rsn_end;
  111. int is_rsn;
  112. u32 group_cipher;
  113. enum net80211_crypto_alg gcrypt;
  114. int ie_len;
  115. u8 *iep;
  116. struct ieee80211_ie_rsn *ie;
  117. struct ieee80211_frame *hdr;
  118. struct ieee80211_beacon *beacon;
  119. if ( ! dev->associating ) {
  120. DBG ( "WPA: Can't make RSN IE for a non-associating device\n" );
  121. return -EINVAL;
  122. }
  123. hdr = dev->associating->beacon->data;
  124. beacon = ( struct ieee80211_beacon * ) hdr->data;
  125. rsn = sec80211_find_rsn ( beacon->info_element,
  126. dev->associating->beacon->tail, &is_rsn,
  127. &rsn_end );
  128. if ( ! rsn ) {
  129. DBG ( "WPA: Can't make RSN IE when we didn't get one\n" );
  130. return -EINVAL;
  131. }
  132. rsn += 2; /* skip version */
  133. group_cipher = *( u32 * ) rsn;
  134. gcrypt = sec80211_rsn_get_net80211_crypt ( group_cipher );
  135. if ( ! wpa_find_cryptosystem ( gcrypt ) ||
  136. ! wpa_find_cryptosystem ( dev->associating->crypto ) ) {
  137. DBG ( "WPA: No support for (GC:%d, PC:%d)\n",
  138. gcrypt, dev->associating->crypto );
  139. return -ENOTSUP;
  140. }
  141. /* Everything looks good - make our IE. */
  142. /* WPA IEs need 4 more bytes for the OUI+type */
  143. ie_len = ieee80211_rsn_size ( 1, 1, 0, is_rsn ) + ( 4 * ! is_rsn );
  144. iep = malloc ( ie_len );
  145. if ( ! iep )
  146. return -ENOMEM;
  147. *ie_ret = ( union ieee80211_ie * ) iep;
  148. /* Store ID and length bytes. */
  149. *iep++ = ( is_rsn ? IEEE80211_IE_RSN : IEEE80211_IE_VENDOR );
  150. *iep++ = ie_len - 2;
  151. /* Store OUI+type for WPA IEs. */
  152. if ( ! is_rsn ) {
  153. *( u32 * ) iep = IEEE80211_WPA_OUI_VEN;
  154. iep += 4;
  155. }
  156. /* If this is a WPA IE, the id and len bytes in the
  157. ieee80211_ie_rsn structure will not be valid, but by doing
  158. the cast we can fill all the other fields much more
  159. readily. */
  160. ie = ( struct ieee80211_ie_rsn * ) ( iep - 2 );
  161. ie->version = IEEE80211_RSN_VERSION;
  162. ie->group_cipher = group_cipher;
  163. ie->pairwise_count = 1;
  164. ie->pairwise_cipher[0] =
  165. sec80211_rsn_get_crypto_desc ( dev->associating->crypto,
  166. is_rsn );
  167. ie->akm_count = 1;
  168. ie->akm_list[0] =
  169. sec80211_rsn_get_akm_desc ( dev->associating->handshaking,
  170. is_rsn );
  171. if ( is_rsn ) {
  172. ie->rsn_capab = 0;
  173. ie->pmkid_count = 0;
  174. }
  175. return 0;
  176. }
  177. /**
  178. * Set up generic WPA support to handle 4-Way Handshake
  179. *
  180. * @v dev 802.11 device
  181. * @v ctx WPA common context
  182. * @v pmk Pairwise Master Key to use for session
  183. * @v pmk_len Length of PMK, almost always 32
  184. * @ret rc Return status code
  185. */
  186. int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx,
  187. const void *pmk, size_t pmk_len )
  188. {
  189. struct io_buffer *iob;
  190. struct ieee80211_frame *hdr;
  191. struct ieee80211_beacon *beacon;
  192. u8 *ap_rsn_ie = NULL, *ap_rsn_ie_end;
  193. if ( ! dev->rsn_ie || ! dev->associating )
  194. return -EINVAL;
  195. ctx->dev = dev;
  196. memcpy ( ctx->pmk, pmk, ctx->pmk_len = pmk_len );
  197. ctx->state = WPA_READY;
  198. ctx->replay = ~0ULL;
  199. iob = dev->associating->beacon;
  200. hdr = iob->data;
  201. beacon = ( struct ieee80211_beacon * ) hdr->data;
  202. ap_rsn_ie = sec80211_find_rsn ( beacon->info_element, iob->tail,
  203. &ctx->ap_rsn_is_rsn, &ap_rsn_ie_end );
  204. if ( ap_rsn_ie ) {
  205. ctx->ap_rsn_ie = malloc ( ap_rsn_ie_end - ap_rsn_ie );
  206. if ( ! ctx->ap_rsn_ie )
  207. return -ENOMEM;
  208. memcpy ( ctx->ap_rsn_ie, ap_rsn_ie, ap_rsn_ie_end - ap_rsn_ie );
  209. ctx->ap_rsn_ie_len = ap_rsn_ie_end - ap_rsn_ie;
  210. } else {
  211. return -ENOENT;
  212. }
  213. ctx->crypt = dev->associating->crypto;
  214. ctx->gcrypt = NET80211_CRYPT_UNKNOWN;
  215. list_add_tail ( &ctx->list, &wpa_contexts );
  216. return 0;
  217. }
  218. /**
  219. * Disable handling of received WPA handshake frames
  220. *
  221. * @v dev 802.11 device
  222. */
  223. void wpa_stop ( struct net80211_device *dev )
  224. {
  225. struct wpa_common_ctx *ctx, *tmp;
  226. list_for_each_entry_safe ( ctx, tmp, &wpa_contexts, list ) {
  227. if ( ctx->dev == dev ) {
  228. free ( ctx->ap_rsn_ie );
  229. ctx->ap_rsn_ie = NULL;
  230. list_del ( &ctx->list );
  231. }
  232. }
  233. }
  234. /**
  235. * Derive pairwise transient key
  236. *
  237. * @v ctx WPA common context
  238. */
  239. static void wpa_derive_ptk ( struct wpa_common_ctx *ctx )
  240. {
  241. struct {
  242. u8 mac1[ETH_ALEN];
  243. u8 mac2[ETH_ALEN];
  244. u8 nonce1[WPA_NONCE_LEN];
  245. u8 nonce2[WPA_NONCE_LEN];
  246. } __attribute__ (( packed )) ptk_data;
  247. /* The addresses and nonces are stored in numerical order (!) */
  248. if ( memcmp ( ctx->dev->netdev->ll_addr, ctx->dev->bssid,
  249. ETH_ALEN ) < 0 ) {
  250. memcpy ( ptk_data.mac1, ctx->dev->netdev->ll_addr, ETH_ALEN );
  251. memcpy ( ptk_data.mac2, ctx->dev->bssid, ETH_ALEN );
  252. } else {
  253. memcpy ( ptk_data.mac1, ctx->dev->bssid, ETH_ALEN );
  254. memcpy ( ptk_data.mac2, ctx->dev->netdev->ll_addr, ETH_ALEN );
  255. }
  256. if ( memcmp ( ctx->Anonce, ctx->Snonce, WPA_NONCE_LEN ) < 0 ) {
  257. memcpy ( ptk_data.nonce1, ctx->Anonce, WPA_NONCE_LEN );
  258. memcpy ( ptk_data.nonce2, ctx->Snonce, WPA_NONCE_LEN );
  259. } else {
  260. memcpy ( ptk_data.nonce1, ctx->Snonce, WPA_NONCE_LEN );
  261. memcpy ( ptk_data.nonce2, ctx->Anonce, WPA_NONCE_LEN );
  262. }
  263. DBGC2 ( ctx, "WPA %p A1 %s, A2 %s\n", ctx, eth_ntoa ( ptk_data.mac1 ),
  264. eth_ntoa ( ptk_data.mac2 ) );
  265. DBGC2 ( ctx, "WPA %p Nonce1, Nonce2:\n", ctx );
  266. DBGC2_HD ( ctx, ptk_data.nonce1, WPA_NONCE_LEN );
  267. DBGC2_HD ( ctx, ptk_data.nonce2, WPA_NONCE_LEN );
  268. prf_sha1 ( ctx->pmk, ctx->pmk_len,
  269. "Pairwise key expansion",
  270. &ptk_data, sizeof ( ptk_data ),
  271. &ctx->ptk, sizeof ( ctx->ptk ) );
  272. DBGC2 ( ctx, "WPA %p PTK:\n", ctx );
  273. DBGC2_HD ( ctx, &ctx->ptk, sizeof ( ctx->ptk ) );
  274. }
  275. /**
  276. * Install pairwise transient key
  277. *
  278. * @v ctx WPA common context
  279. * @v len Key length (16 for CCMP, 32 for TKIP)
  280. * @ret rc Return status code
  281. */
  282. static inline int wpa_install_ptk ( struct wpa_common_ctx *ctx, int len )
  283. {
  284. DBGC ( ctx, "WPA %p: installing %d-byte pairwise transient key\n",
  285. ctx, len );
  286. DBGC2_HD ( ctx, &ctx->ptk.tk, len );
  287. return sec80211_install ( &ctx->dev->crypto, ctx->crypt,
  288. &ctx->ptk.tk, len, NULL );
  289. }
  290. /**
  291. * Install group transient key
  292. *
  293. * @v ctx WPA common context
  294. * @v len Key length (16 for CCMP, 32 for TKIP)
  295. * @v rsc Receive sequence counter field in EAPOL-Key packet
  296. * @ret rc Return status code
  297. */
  298. static inline int wpa_install_gtk ( struct wpa_common_ctx *ctx, int len,
  299. const void *rsc )
  300. {
  301. DBGC ( ctx, "WPA %p: installing %d-byte group transient key\n",
  302. ctx, len );
  303. DBGC2_HD ( ctx, &ctx->gtk.tk, len );
  304. return sec80211_install ( &ctx->dev->gcrypto, ctx->gcrypt,
  305. &ctx->gtk.tk, len, rsc );
  306. }
  307. /**
  308. * Search for group transient key, and install it if found
  309. *
  310. * @v ctx WPA common context
  311. * @v ie Pointer to first IE in key data field
  312. * @v ie_end Pointer to first byte not in key data field
  313. * @v rsc Receive sequence counter field in EAPOL-Key packet
  314. * @ret rc Return status code
  315. */
  316. static int wpa_maybe_install_gtk ( struct wpa_common_ctx *ctx,
  317. union ieee80211_ie *ie, void *ie_end,
  318. const void *rsc )
  319. {
  320. struct wpa_kde *kde;
  321. if ( ! ieee80211_ie_bound ( ie, ie_end ) )
  322. return -ENOENT;
  323. while ( ie ) {
  324. if ( ie->id == IEEE80211_IE_VENDOR &&
  325. ie->vendor.oui == WPA_KDE_GTK )
  326. break;
  327. ie = ieee80211_next_ie ( ie, ie_end );
  328. }
  329. if ( ! ie )
  330. return -ENOENT;
  331. if ( ie->len - 6u > sizeof ( ctx->gtk.tk ) ) {
  332. DBGC ( ctx, "WPA %p: GTK KDE is too long (%d bytes, max %zd)\n",
  333. ctx, ie->len - 4, sizeof ( ctx->gtk.tk ) );
  334. return -EINVAL;
  335. }
  336. /* XXX We ignore key ID for now. */
  337. kde = ( struct wpa_kde * ) ie;
  338. memcpy ( &ctx->gtk.tk, &kde->gtk_encap.gtk, kde->len - 6 );
  339. return wpa_install_gtk ( ctx, kde->len - 6, rsc );
  340. }
  341. /**
  342. * Allocate I/O buffer for construction of outgoing EAPOL-Key frame
  343. *
  344. * @v kdlen Maximum number of bytes in the Key Data field
  345. * @ret iob Newly allocated I/O buffer
  346. *
  347. * The returned buffer will have space reserved for the link-layer and
  348. * EAPOL headers, and will have @c iob->tail pointing to the start of
  349. * the Key Data field. Thus, it is necessary to use iob_put() in
  350. * filling the Key Data.
  351. */
  352. static struct io_buffer * wpa_alloc_frame ( int kdlen )
  353. {
  354. struct io_buffer *ret = alloc_iob ( sizeof ( struct eapol_key_pkt ) +
  355. kdlen + EAPOL_HDR_LEN +
  356. MAX_LL_HEADER_LEN );
  357. if ( ! ret )
  358. return NULL;
  359. iob_reserve ( ret, MAX_LL_HEADER_LEN + EAPOL_HDR_LEN );
  360. memset ( iob_put ( ret, sizeof ( struct eapol_key_pkt ) ), 0,
  361. sizeof ( struct eapol_key_pkt ) );
  362. return ret;
  363. }
  364. /**
  365. * Send EAPOL-Key packet
  366. *
  367. * @v iob I/O buffer, with sufficient headroom for headers
  368. * @v dev 802.11 device
  369. * @v kie Key integrity and encryption handler
  370. * @v is_rsn If TRUE, handshake uses new RSN format
  371. * @ret rc Return status code
  372. *
  373. * If a KIE is specified, the MIC will be filled in before transmission.
  374. */
  375. static int wpa_send_eapol ( struct io_buffer *iob, struct wpa_common_ctx *ctx,
  376. struct wpa_kie *kie )
  377. {
  378. struct eapol_key_pkt *pkt = iob->data;
  379. struct eapol_frame *eapol = iob_push ( iob, EAPOL_HDR_LEN );
  380. pkt->info = htons ( pkt->info );
  381. pkt->keysize = htons ( pkt->keysize );
  382. pkt->datalen = htons ( pkt->datalen );
  383. pkt->replay = cpu_to_be64 ( pkt->replay );
  384. eapol->version = EAPOL_THIS_VERSION;
  385. eapol->type = EAPOL_TYPE_KEY;
  386. eapol->length = htons ( iob->tail - iob->data - sizeof ( *eapol ) );
  387. memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
  388. if ( kie )
  389. kie->mic ( &ctx->ptk.kck, eapol, EAPOL_HDR_LEN +
  390. sizeof ( *pkt ) + ntohs ( pkt->datalen ),
  391. pkt->mic );
  392. return net_tx ( iob, ctx->dev->netdev, &eapol_protocol,
  393. ctx->dev->bssid, ctx->dev->netdev->ll_addr );
  394. }
  395. /**
  396. * Send second frame in 4-Way Handshake
  397. *
  398. * @v ctx WPA common context
  399. * @v pkt First frame, to which this is a reply
  400. * @v is_rsn If TRUE, handshake uses new RSN format
  401. * @v kie Key integrity and encryption handler
  402. * @ret rc Return status code
  403. */
  404. static int wpa_send_2_of_4 ( struct wpa_common_ctx *ctx,
  405. struct eapol_key_pkt *pkt, int is_rsn,
  406. struct wpa_kie *kie )
  407. {
  408. struct io_buffer *iob = wpa_alloc_frame ( ctx->dev->rsn_ie->len + 2 );
  409. struct eapol_key_pkt *npkt;
  410. if ( ! iob )
  411. return -ENOMEM;
  412. npkt = iob->data;
  413. memcpy ( npkt, pkt, sizeof ( *pkt ) );
  414. npkt->info &= ~EAPOL_KEY_INFO_KEY_ACK;
  415. npkt->info |= EAPOL_KEY_INFO_KEY_MIC;
  416. if ( is_rsn )
  417. npkt->keysize = 0;
  418. memcpy ( npkt->nonce, ctx->Snonce, sizeof ( npkt->nonce ) );
  419. npkt->datalen = ctx->dev->rsn_ie->len + 2;
  420. memcpy ( iob_put ( iob, npkt->datalen ), ctx->dev->rsn_ie,
  421. npkt->datalen );
  422. DBGC ( ctx, "WPA %p: sending 2/4\n", ctx );
  423. return wpa_send_eapol ( iob, ctx, kie );
  424. }
  425. /**
  426. * Handle receipt of first frame in 4-Way Handshake
  427. *
  428. * @v ctx WPA common context
  429. * @v pkt EAPOL-Key packet
  430. * @v is_rsn If TRUE, frame uses new RSN format
  431. * @v kie Key integrity and encryption handler
  432. * @ret rc Return status code
  433. */
  434. static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx,
  435. struct eapol_key_pkt *pkt, int is_rsn,
  436. struct wpa_kie *kie )
  437. {
  438. if ( ctx->state == WPA_WAITING )
  439. return -EINVAL;
  440. ctx->state = WPA_WORKING;
  441. memcpy ( ctx->Anonce, pkt->nonce, sizeof ( ctx->Anonce ) );
  442. if ( ! ctx->have_Snonce ) {
  443. rbg_generate ( NULL, 0, 0, ctx->Snonce,
  444. sizeof ( ctx->Snonce ) );
  445. ctx->have_Snonce = 1;
  446. }
  447. DBGC ( ctx, "WPA %p: received 1/4, looks OK\n", ctx );
  448. wpa_derive_ptk ( ctx );
  449. return wpa_send_2_of_4 ( ctx, pkt, is_rsn, kie );
  450. }
  451. /**
  452. * Send fourth frame in 4-Way Handshake, or second in Group Key Handshake
  453. *
  454. * @v ctx WPA common context
  455. * @v pkt EAPOL-Key packet for frame to which we're replying
  456. * @v is_rsn If TRUE, frame uses new RSN format
  457. * @v kie Key integrity and encryption handler
  458. * @ret rc Return status code
  459. */
  460. static int wpa_send_final ( struct wpa_common_ctx *ctx,
  461. struct eapol_key_pkt *pkt, int is_rsn,
  462. struct wpa_kie *kie )
  463. {
  464. struct io_buffer *iob = wpa_alloc_frame ( 0 );
  465. struct eapol_key_pkt *npkt;
  466. if ( ! iob )
  467. return -ENOMEM;
  468. npkt = iob->data;
  469. memcpy ( npkt, pkt, sizeof ( *pkt ) );
  470. npkt->info &= ~( EAPOL_KEY_INFO_KEY_ACK | EAPOL_KEY_INFO_INSTALL |
  471. EAPOL_KEY_INFO_KEY_ENC );
  472. if ( is_rsn )
  473. npkt->keysize = 0;
  474. memset ( npkt->nonce, 0, sizeof ( npkt->nonce ) );
  475. memset ( npkt->iv, 0, sizeof ( npkt->iv ) );
  476. npkt->datalen = 0;
  477. if ( npkt->info & EAPOL_KEY_INFO_TYPE )
  478. DBGC ( ctx, "WPA %p: sending 4/4\n", ctx );
  479. else
  480. DBGC ( ctx, "WPA %p: sending 2/2\n", ctx );
  481. return wpa_send_eapol ( iob, ctx, kie );
  482. }
  483. /**
  484. * Handle receipt of third frame in 4-Way Handshake
  485. *
  486. * @v ctx WPA common context
  487. * @v pkt EAPOL-Key packet
  488. * @v is_rsn If TRUE, frame uses new RSN format
  489. * @v kie Key integrity and encryption handler
  490. * @ret rc Return status code
  491. */
  492. static int wpa_handle_3_of_4 ( struct wpa_common_ctx *ctx,
  493. struct eapol_key_pkt *pkt, int is_rsn,
  494. struct wpa_kie *kie )
  495. {
  496. int rc;
  497. u8 *this_rsn, *this_rsn_end;
  498. u8 *new_rsn, *new_rsn_end;
  499. int this_is_rsn, new_is_rsn;
  500. if ( ctx->state == WPA_WAITING )
  501. return -EINVAL;
  502. ctx->state = WPA_WORKING;
  503. /* Check nonce */
  504. if ( memcmp ( ctx->Anonce, pkt->nonce, WPA_NONCE_LEN ) != 0 ) {
  505. DBGC ( ctx, "WPA %p ALERT: nonce mismatch in 3/4\n", ctx );
  506. return wpa_fail ( ctx, -EACCES );
  507. }
  508. /* Check RSN IE */
  509. this_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) pkt->data,
  510. pkt->data + pkt->datalen,
  511. &this_is_rsn, &this_rsn_end );
  512. if ( this_rsn )
  513. new_rsn = sec80211_find_rsn ( ( union ieee80211_ie * )
  514. this_rsn_end,
  515. pkt->data + pkt->datalen,
  516. &new_is_rsn, &new_rsn_end );
  517. else
  518. new_rsn = NULL;
  519. if ( ! ctx->ap_rsn_ie || ! this_rsn ||
  520. ctx->ap_rsn_ie_len != ( this_rsn_end - this_rsn ) ||
  521. ctx->ap_rsn_is_rsn != this_is_rsn ||
  522. memcmp ( ctx->ap_rsn_ie, this_rsn, ctx->ap_rsn_ie_len ) != 0 ) {
  523. DBGC ( ctx, "WPA %p ALERT: RSN mismatch in 3/4\n", ctx );
  524. DBGC2 ( ctx, "WPA %p RSNs (in 3/4, in beacon):\n", ctx );
  525. DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
  526. DBGC2_HD ( ctx, ctx->ap_rsn_ie, ctx->ap_rsn_ie_len );
  527. return wpa_fail ( ctx, -EACCES );
  528. }
  529. /* Don't switch if they just supplied both styles of IE
  530. simultaneously; we need two RSN IEs or two WPA IEs to
  531. switch ciphers. They'll be immediately consecutive because
  532. of ordering guarantees. */
  533. if ( new_rsn && this_is_rsn == new_is_rsn ) {
  534. struct net80211_wlan *assoc = ctx->dev->associating;
  535. DBGC ( ctx, "WPA %p: accommodating bait-and-switch tactics\n",
  536. ctx );
  537. DBGC2 ( ctx, "WPA %p RSNs (in 3/4+beacon, new in 3/4):\n",
  538. ctx );
  539. DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
  540. DBGC2_HD ( ctx, new_rsn, new_rsn_end - new_rsn );
  541. if ( ( rc = sec80211_detect_ie ( new_is_rsn, new_rsn,
  542. new_rsn_end,
  543. &assoc->handshaking,
  544. &assoc->crypto ) ) != 0 )
  545. DBGC ( ctx, "WPA %p: bait-and-switch invalid, staying "
  546. "with original request\n", ctx );
  547. } else {
  548. new_rsn = this_rsn;
  549. new_is_rsn = this_is_rsn;
  550. new_rsn_end = this_rsn_end;
  551. }
  552. /* Grab group cryptosystem ID */
  553. ctx->gcrypt = sec80211_rsn_get_net80211_crypt ( *( u32 * )
  554. ( new_rsn + 2 ) );
  555. /* Check for a GTK, if info field is encrypted */
  556. if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
  557. rc = wpa_maybe_install_gtk ( ctx,
  558. ( union ieee80211_ie * ) pkt->data,
  559. pkt->data + pkt->datalen,
  560. pkt->rsc );
  561. if ( rc < 0 ) {
  562. DBGC ( ctx, "WPA %p did not install GTK in 3/4: %s\n",
  563. ctx, strerror ( rc ) );
  564. if ( rc != -ENOENT )
  565. return wpa_fail ( ctx, rc );
  566. }
  567. }
  568. DBGC ( ctx, "WPA %p: received 3/4, looks OK\n", ctx );
  569. /* Send final message */
  570. rc = wpa_send_final ( ctx, pkt, is_rsn, kie );
  571. if ( rc < 0 )
  572. return wpa_fail ( ctx, rc );
  573. /* Install PTK */
  574. rc = wpa_install_ptk ( ctx, pkt->keysize );
  575. if ( rc < 0 ) {
  576. DBGC ( ctx, "WPA %p failed to install PTK: %s\n", ctx,
  577. strerror ( rc ) );
  578. return wpa_fail ( ctx, rc );
  579. }
  580. /* Mark us as needing a new Snonce if we rekey */
  581. ctx->have_Snonce = 0;
  582. /* Done! */
  583. ctx->state = WPA_SUCCESS;
  584. return 0;
  585. }
  586. /**
  587. * Handle receipt of first frame in Group Key Handshake
  588. *
  589. * @v ctx WPA common context
  590. * @v pkt EAPOL-Key packet
  591. * @v is_rsn If TRUE, frame uses new RSN format
  592. * @v kie Key integrity and encryption handler
  593. * @ret rc Return status code
  594. */
  595. static int wpa_handle_1_of_2 ( struct wpa_common_ctx *ctx,
  596. struct eapol_key_pkt *pkt, int is_rsn,
  597. struct wpa_kie *kie )
  598. {
  599. int rc;
  600. /*
  601. * WPA and RSN do this completely differently.
  602. *
  603. * The idea of encoding the GTK (or PMKID, or various other
  604. * things) into a KDE that looks like an information element
  605. * is an RSN innovation; old WPA code never encapsulates
  606. * things like that. If it looks like an info element, it
  607. * really is (for the WPA IE check in frames 2/4 and 3/4). The
  608. * "key data encrypted" bit in the info field is also specific
  609. * to RSN.
  610. *
  611. * So from an old WPA host, 3/4 does not contain an
  612. * encapsulated GTK. The first frame of the GK handshake
  613. * contains it, encrypted, but without a KDE wrapper, and with
  614. * the key ID field (which iPXE doesn't use) shoved away in
  615. * the reserved bits in the info field, and the TxRx bit
  616. * stealing the Install bit's spot.
  617. */
  618. if ( is_rsn && ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) ) {
  619. rc = wpa_maybe_install_gtk ( ctx,
  620. ( union ieee80211_ie * ) pkt->data,
  621. pkt->data + pkt->datalen,
  622. pkt->rsc );
  623. if ( rc < 0 ) {
  624. DBGC ( ctx, "WPA %p: failed to install GTK in 1/2: "
  625. "%s\n", ctx, strerror ( rc ) );
  626. return wpa_fail ( ctx, rc );
  627. }
  628. } else {
  629. rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
  630. &pkt->datalen );
  631. if ( rc < 0 ) {
  632. DBGC ( ctx, "WPA %p: failed to decrypt GTK: %s\n",
  633. ctx, strerror ( rc ) );
  634. return rc; /* non-fatal */
  635. }
  636. if ( pkt->datalen > sizeof ( ctx->gtk.tk ) ) {
  637. DBGC ( ctx, "WPA %p: too much GTK data (%d > %zd)\n",
  638. ctx, pkt->datalen, sizeof ( ctx->gtk.tk ) );
  639. return wpa_fail ( ctx, -EINVAL );
  640. }
  641. memcpy ( &ctx->gtk.tk, pkt->data, pkt->datalen );
  642. wpa_install_gtk ( ctx, pkt->datalen, pkt->rsc );
  643. }
  644. DBGC ( ctx, "WPA %p: received 1/2, looks OK\n", ctx );
  645. return wpa_send_final ( ctx, pkt, is_rsn, kie );
  646. }
  647. /**
  648. * Handle receipt of EAPOL-Key frame for WPA
  649. *
  650. * @v iob I/O buffer
  651. * @v netdev Network device
  652. * @v ll_dest Link-layer destination address
  653. * @v ll_source Source link-layer address
  654. */
  655. static int eapol_key_rx ( struct io_buffer *iob, struct net_device *netdev,
  656. const void *ll_dest __unused,
  657. const void *ll_source )
  658. {
  659. struct net80211_device *dev = net80211_get ( netdev );
  660. struct eapol_key_pkt *pkt = iob->data;
  661. int is_rsn, found_ctx;
  662. struct wpa_common_ctx *ctx;
  663. int rc = 0;
  664. struct wpa_kie *kie;
  665. u8 their_mic[16], our_mic[16];
  666. if ( pkt->type != EAPOL_KEY_TYPE_WPA &&
  667. pkt->type != EAPOL_KEY_TYPE_RSN ) {
  668. DBG ( "EAPOL-Key: packet not of 802.11 type\n" );
  669. rc = -EINVAL;
  670. goto drop;
  671. }
  672. is_rsn = ( pkt->type == EAPOL_KEY_TYPE_RSN );
  673. if ( ! dev ) {
  674. DBG ( "EAPOL-Key: packet not from 802.11\n" );
  675. rc = -EINVAL;
  676. goto drop;
  677. }
  678. if ( memcmp ( dev->bssid, ll_source, ETH_ALEN ) != 0 ) {
  679. DBG ( "EAPOL-Key: packet not from associated AP\n" );
  680. rc = -EINVAL;
  681. goto drop;
  682. }
  683. if ( ! ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_ACK ) ) {
  684. DBG ( "EAPOL-Key: packet sent in wrong direction\n" );
  685. rc = -EINVAL;
  686. goto drop;
  687. }
  688. found_ctx = 0;
  689. list_for_each_entry ( ctx, &wpa_contexts, list ) {
  690. if ( ctx->dev == dev ) {
  691. found_ctx = 1;
  692. break;
  693. }
  694. }
  695. if ( ! found_ctx ) {
  696. DBG ( "EAPOL-Key: no WPA context to handle packet for %p\n",
  697. dev );
  698. rc = -ENOENT;
  699. goto drop;
  700. }
  701. if ( ( void * ) ( pkt + 1 ) + ntohs ( pkt->datalen ) > iob->tail ) {
  702. DBGC ( ctx, "WPA %p: packet truncated (has %zd extra bytes, "
  703. "states %d)\n", ctx, iob->tail - ( void * ) ( pkt + 1 ),
  704. ntohs ( pkt->datalen ) );
  705. rc = -EINVAL;
  706. goto drop;
  707. }
  708. /* Get a handle on key integrity/encryption handler */
  709. kie = wpa_find_kie ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
  710. if ( ! kie ) {
  711. DBGC ( ctx, "WPA %p: no support for packet version %d\n", ctx,
  712. ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
  713. rc = wpa_fail ( ctx, -ENOTSUP );
  714. goto drop;
  715. }
  716. /* Check MIC */
  717. if ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_MIC ) {
  718. memcpy ( their_mic, pkt->mic, sizeof ( pkt->mic ) );
  719. memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
  720. kie->mic ( &ctx->ptk.kck, ( void * ) pkt - EAPOL_HDR_LEN,
  721. EAPOL_HDR_LEN + sizeof ( *pkt ) +
  722. ntohs ( pkt->datalen ), our_mic );
  723. DBGC2 ( ctx, "WPA %p MIC comparison (theirs, ours):\n", ctx );
  724. DBGC2_HD ( ctx, their_mic, 16 );
  725. DBGC2_HD ( ctx, our_mic, 16 );
  726. if ( memcmp ( their_mic, our_mic, sizeof ( pkt->mic ) ) != 0 ) {
  727. DBGC ( ctx, "WPA %p: EAPOL MIC failure\n", ctx );
  728. goto drop;
  729. }
  730. }
  731. /* Fix byte order to local */
  732. pkt->info = ntohs ( pkt->info );
  733. pkt->keysize = ntohs ( pkt->keysize );
  734. pkt->datalen = ntohs ( pkt->datalen );
  735. pkt->replay = be64_to_cpu ( pkt->replay );
  736. /* Check replay counter */
  737. if ( ctx->replay != ~0ULL && ctx->replay >= pkt->replay ) {
  738. DBGC ( ctx, "WPA %p ALERT: Replay detected! "
  739. "(%08x:%08x >= %08x:%08x)\n", ctx,
  740. ( u32 ) ( ctx->replay >> 32 ), ( u32 ) ctx->replay,
  741. ( u32 ) ( pkt->replay >> 32 ), ( u32 ) pkt->replay );
  742. rc = 0; /* ignore without error */
  743. goto drop;
  744. }
  745. ctx->replay = pkt->replay;
  746. /* Decrypt key data */
  747. if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
  748. rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
  749. &pkt->datalen );
  750. if ( rc < 0 ) {
  751. DBGC ( ctx, "WPA %p: failed to decrypt packet: %s\n",
  752. ctx, strerror ( rc ) );
  753. goto drop;
  754. }
  755. }
  756. /* Hand it off to appropriate handler */
  757. switch ( pkt->info & ( EAPOL_KEY_INFO_TYPE |
  758. EAPOL_KEY_INFO_KEY_MIC ) ) {
  759. case EAPOL_KEY_TYPE_PTK:
  760. rc = wpa_handle_1_of_4 ( ctx, pkt, is_rsn, kie );
  761. break;
  762. case EAPOL_KEY_TYPE_PTK | EAPOL_KEY_INFO_KEY_MIC:
  763. rc = wpa_handle_3_of_4 ( ctx, pkt, is_rsn, kie );
  764. break;
  765. case EAPOL_KEY_TYPE_GTK | EAPOL_KEY_INFO_KEY_MIC:
  766. rc = wpa_handle_1_of_2 ( ctx, pkt, is_rsn, kie );
  767. break;
  768. default:
  769. DBGC ( ctx, "WPA %p: Invalid combination of key flags %04x\n",
  770. ctx, pkt->info );
  771. rc = -EINVAL;
  772. break;
  773. }
  774. drop:
  775. free_iob ( iob );
  776. return rc;
  777. }
  778. struct eapol_handler eapol_key_handler __eapol_handler = {
  779. .type = EAPOL_TYPE_KEY,
  780. .rx = eapol_key_rx,
  781. };
  782. /* WPA always needs EAPOL in order to be useful */
  783. REQUIRE_OBJECT ( eapol );