1 /* 2 * Copyright (c) 2009 Joshua Oreman <oremanj (at) rwcr.net>. 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU General Public License as 6 * published by the Free Software Foundation; either version 2 of the 7 * License, or any later version. 8 * 9 * This program is distributed in the hope that it will be useful, but 10 * WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 * General Public License for more details. 13 * 14 * You should have received a copy of the GNU General Public License 15 * along with this program; if not, write to the Free Software 16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 17 */ 18 19 FILE_LICENCE ( GPL2_OR_LATER ); 20 21 #include <gpxe/net80211.h> 22 #include <gpxe/sec80211.h> 23 #include <gpxe/wpa.h> 24 #include <gpxe/eapol.h> 25 #include <gpxe/crypto.h> 26 #include <gpxe/arc4.h> 27 #include <gpxe/crc32.h> 28 #include <gpxe/sha1.h> 29 #include <gpxe/hmac.h> 30 #include <gpxe/list.h> 31 #include <gpxe/ethernet.h> 32 #include <stdlib.h> 33 #include <string.h> 34 #include <errno.h> 35 36 /** @file 37 * 38 * Handler for the aspects of WPA handshaking that are independent of 39 * 802.1X/PSK or TKIP/CCMP; this mostly involves the 4-Way Handshake. 40 */ 41 42 /** List of WPA contexts in active use. */ 43 struct list_head wpa_contexts = LIST_HEAD_INIT ( wpa_contexts ); 44 45 46 /** 47 * Return an error code and deauthenticate 48 * 49 * @v ctx WPA common context 50 * @v rc Return status code 51 * @ret rc The passed return status code 52 */ 53 static int wpa_fail ( struct wpa_common_ctx *ctx, int rc ) 54 { 55 net80211_deauthenticate ( ctx->dev, rc ); 56 return rc; 57 } 58 59 60 /** 61 * Find a cryptosystem handler structure from a crypto ID 62 * 63 * @v crypt Cryptosystem ID 64 * @ret crypto Cryptosystem handler structure 65 * 66 * If support for @a crypt is not compiled in to gPXE, or if @a crypt 67 * is NET80211_CRYPT_UNKNOWN, returns @c NULL. 68 */ 69 static struct net80211_crypto * 70 wpa_find_cryptosystem ( enum net80211_crypto_alg crypt ) 71 { 72 struct net80211_crypto *crypto; 73 74 for_each_table_entry ( crypto, NET80211_CRYPTOS ) { 75 if ( crypto->algorithm == crypt ) 76 return crypto; 77 } 78 79 return NULL; 80 } 81 82 83 /** 84 * Find WPA key integrity and encryption handler from key version field 85 * 86 * @v ver Version bits of EAPOL-Key info field 87 * @ret kie Key integrity and encryption handler 88 */ 89 struct wpa_kie * wpa_find_kie ( int version ) 90 { 91 struct wpa_kie *kie; 92 93 for_each_table_entry ( kie, WPA_KIES ) { 94 if ( kie->version == version ) 95 return kie; 96 } 97 98 return NULL; 99 } 100 101 102 /** 103 * Construct RSN or WPA information element 104 * 105 * @v dev 802.11 device 106 * @ret ie_ret RSN or WPA information element 107 * @ret rc Return status code 108 * 109 * This function allocates, fills, and returns a RSN or WPA 110 * information element suitable for including in an association 111 * request frame to the network identified by @c dev->associating. 112 * If it is impossible to construct an information element consistent 113 * with gPXE's capabilities that is compatible with that network, or 114 * if none should be sent because that network's beacon included no 115 * security information, returns an error indication and leaves 116 * @a ie_ret unchanged. 117 * 118 * The returned IE will be of the same type (RSN or WPA) as was 119 * included in the beacon for the network it is destined for. 120 */ 121 int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie_ret ) 122 { 123 u8 *rsn, *rsn_end; 124 int is_rsn; 125 u32 group_cipher; 126 enum net80211_crypto_alg gcrypt; 127 int ie_len; 128 u8 *iep; 129 struct ieee80211_ie_rsn *ie; 130 struct ieee80211_frame *hdr; 131 struct ieee80211_beacon *beacon; 132 133 if ( ! dev->associating ) { 134 DBG ( "WPA: Can't make RSN IE for a non-associating device\n" ); 135 return -EINVAL; 136 } 137 138 hdr = dev->associating->beacon->data; 139 beacon = ( struct ieee80211_beacon * ) hdr->data; 140 rsn = sec80211_find_rsn ( beacon->info_element, 141 dev->associating->beacon->tail, &is_rsn, 142 &rsn_end ); 143 if ( ! rsn ) { 144 DBG ( "WPA: Can't make RSN IE when we didn't get one\n" ); 145 return -EINVAL; 146 } 147 148 rsn += 2; /* skip version */ 149 group_cipher = *( u32 * ) rsn; 150 gcrypt = sec80211_rsn_get_net80211_crypt ( group_cipher ); 151 152 if ( ! wpa_find_cryptosystem ( gcrypt ) || 153 ! wpa_find_cryptosystem ( dev->associating->crypto ) ) { 154 DBG ( "WPA: No support for (GC:%d, PC:%d)\n", 155 gcrypt, dev->associating->crypto ); 156 return -ENOTSUP; 157 } 158 159 /* Everything looks good - make our IE. */ 160 161 /* WPA IEs need 4 more bytes for the OUI+type */ 162 ie_len = ieee80211_rsn_size ( 1, 1, 0, is_rsn ) + ( 4 * ! is_rsn ); 163 iep = malloc ( ie_len ); 164 if ( ! iep ) 165 return -ENOMEM; 166 167 *ie_ret = ( union ieee80211_ie * ) iep; 168 169 /* Store ID and length bytes. */ 170 *iep++ = ( is_rsn ? IEEE80211_IE_RSN : IEEE80211_IE_VENDOR ); 171 *iep++ = ie_len - 2; 172 173 /* Store OUI+type for WPA IEs. */ 174 if ( ! is_rsn ) { 175 *( u32 * ) iep = IEEE80211_WPA_OUI_VEN; 176 iep += 4; 177 } 178 179 /* If this is a WPA IE, the id and len bytes in the 180 ieee80211_ie_rsn structure will not be valid, but by doing 181 the cast we can fill all the other fields much more 182 readily. */ 183 184 ie = ( struct ieee80211_ie_rsn * ) ( iep - 2 ); 185 ie->version = IEEE80211_RSN_VERSION; 186 ie->group_cipher = group_cipher; 187 ie->pairwise_count = 1; 188 ie->pairwise_cipher[0] = 189 sec80211_rsn_get_crypto_desc ( dev->associating->crypto, 190 is_rsn ); 191 ie->akm_count = 1; 192 ie->akm_list[0] = 193 sec80211_rsn_get_akm_desc ( dev->associating->handshaking, 194 is_rsn ); 195 if ( is_rsn ) { 196 ie->rsn_capab = 0; 197 ie->pmkid_count = 0; 198 } 199 200 return 0; 201 } 202 203 204 /** 205 * Set up generic WPA support to handle 4-Way Handshake 206 * 207 * @v dev 802.11 device 208 * @v ctx WPA common context 209 * @v pmk Pairwise Master Key to use for session 210 * @v pmk_len Length of PMK, almost always 32 211 * @ret rc Return status code 212 */ 213 int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx, 214 const void *pmk, size_t pmk_len ) 215 { 216 struct io_buffer *iob; 217 struct ieee80211_frame *hdr; 218 struct ieee80211_beacon *beacon; 219 u8 *ap_rsn_ie = NULL, *ap_rsn_ie_end; 220 221 if ( ! dev->rsn_ie || ! dev->associating ) 222 return -EINVAL; 223 224 ctx->dev = dev; 225 memcpy ( ctx->pmk, pmk, ctx->pmk_len = pmk_len ); 226 ctx->state = WPA_READY; 227 ctx->replay = ~0ULL; 228 229 iob = dev->associating->beacon; 230 hdr = iob->data; 231 beacon = ( struct ieee80211_beacon * ) hdr->data; 232 ap_rsn_ie = sec80211_find_rsn ( beacon->info_element, iob->tail, 233 &ctx->ap_rsn_is_rsn, &ap_rsn_ie_end ); 234 if ( ap_rsn_ie ) { 235 ctx->ap_rsn_ie = malloc ( ap_rsn_ie_end - ap_rsn_ie ); 236 if ( ! ctx->ap_rsn_ie ) 237 return -ENOMEM; 238 memcpy ( ctx->ap_rsn_ie, ap_rsn_ie, ap_rsn_ie_end - ap_rsn_ie ); 239 ctx->ap_rsn_ie_len = ap_rsn_ie_end - ap_rsn_ie; 240 } else { 241 return -ENOENT; 242 } 243 244 ctx->crypt = dev->associating->crypto; 245 ctx->gcrypt = NET80211_CRYPT_UNKNOWN; 246 247 list_add_tail ( &ctx->list, &wpa_contexts ); 248 return 0; 249 } 250 251 252 /** 253 * Disable handling of received WPA handshake frames 254 * 255 * @v dev 802.11 device 256 */ 257 void wpa_stop ( struct net80211_device *dev ) 258 { 259 struct wpa_common_ctx *ctx, *tmp; 260 261 list_for_each_entry_safe ( ctx, tmp, &wpa_contexts, list ) { 262 if ( ctx->dev == dev ) { 263 free ( ctx->ap_rsn_ie ); 264 ctx->ap_rsn_ie = NULL; 265 list_del ( &ctx->list ); 266 } 267 } 268 } 269 270 271 /** 272 * Check PMKID consistency 273 * 274 * @v ctx WPA common context 275 * @v pmkid PMKID to check against (16 bytes long) 276 * @ret rc Zero if they match, or a negative error code if not 277 */ 278 int wpa_check_pmkid ( struct wpa_common_ctx *ctx, const u8 *pmkid ) 279 { 280 u8 sha1_ctx[SHA1_CTX_SIZE]; 281 u8 my_pmkid[SHA1_SIZE]; 282 u8 pmk[ctx->pmk_len]; 283 size_t pmk_len; 284 struct { 285 char name[8]; 286 u8 aa[ETH_ALEN]; 287 u8 spa[ETH_ALEN]; 288 } __attribute__ (( packed )) pmkid_data; 289 290 memcpy ( pmk, ctx->pmk, ctx->pmk_len ); 291 pmk_len = ctx->pmk_len; 292 293 memcpy ( pmkid_data.name, "PMK Name", 8 ); 294 memcpy ( pmkid_data.aa, ctx->dev->bssid, ETH_ALEN ); 295 memcpy ( pmkid_data.spa, ctx->dev->netdev->ll_addr, ETH_ALEN ); 296 297 hmac_init ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len ); 298 hmac_update ( &sha1_algorithm, sha1_ctx, &pmkid_data, 299 sizeof ( pmkid_data ) ); 300 hmac_final ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len, my_pmkid ); 301 302 if ( memcmp ( my_pmkid, pmkid, WPA_PMKID_LEN ) != 0 ) 303 return -EACCES; 304 305 return 0; 306 } 307 308 309 /** 310 * Derive pairwise transient key 311 * 312 * @v ctx WPA common context 313 */ 314 static void wpa_derive_ptk ( struct wpa_common_ctx *ctx ) 315 { 316 struct { 317 u8 mac1[ETH_ALEN]; 318 u8 mac2[ETH_ALEN]; 319 u8 nonce1[WPA_NONCE_LEN]; 320 u8 nonce2[WPA_NONCE_LEN]; 321 } __attribute__ (( packed )) ptk_data; 322 323 /* The addresses and nonces are stored in numerical order (!) */ 324 325 if ( memcmp ( ctx->dev->netdev->ll_addr, ctx->dev->bssid, 326 ETH_ALEN ) < 0 ) { 327 memcpy ( ptk_data.mac1, ctx->dev->netdev->ll_addr, ETH_ALEN ); 328 memcpy ( ptk_data.mac2, ctx->dev->bssid, ETH_ALEN ); 329 } else { 330 memcpy ( ptk_data.mac1, ctx->dev->bssid, ETH_ALEN ); 331 memcpy ( ptk_data.mac2, ctx->dev->netdev->ll_addr, ETH_ALEN ); 332 } 333 334 if ( memcmp ( ctx->Anonce, ctx->Snonce, WPA_NONCE_LEN ) < 0 ) { 335 memcpy ( ptk_data.nonce1, ctx->Anonce, WPA_NONCE_LEN ); 336 memcpy ( ptk_data.nonce2, ctx->Snonce, WPA_NONCE_LEN ); 337 } else { 338 memcpy ( ptk_data.nonce1, ctx->Snonce, WPA_NONCE_LEN ); 339 memcpy ( ptk_data.nonce2, ctx->Anonce, WPA_NONCE_LEN ); 340 } 341 342 DBGC2 ( ctx, "WPA %p A1 %s, A2 %s\n", ctx, eth_ntoa ( ptk_data.mac1 ), 343 eth_ntoa ( ptk_data.mac2 ) ); 344 DBGC2 ( ctx, "WPA %p Nonce1, Nonce2:\n", ctx ); 345 DBGC2_HD ( ctx, ptk_data.nonce1, WPA_NONCE_LEN ); 346 DBGC2_HD ( ctx, ptk_data.nonce2, WPA_NONCE_LEN ); 347 348 prf_sha1 ( ctx->pmk, ctx->pmk_len, 349 "Pairwise key expansion", 350 &ptk_data, sizeof ( ptk_data ), 351 &ctx->ptk, sizeof ( ctx->ptk ) ); 352 353 DBGC2 ( ctx, "WPA %p PTK:\n", ctx ); 354 DBGC2_HD ( ctx, &ctx->ptk, sizeof ( ctx->ptk ) ); 355 } 356 357 358 /** 359 * Install pairwise transient key 360 * 361 * @v ctx WPA common context 362 * @v len Key length (16 for CCMP, 32 for TKIP) 363 * @ret rc Return status code 364 */ 365 static inline int wpa_install_ptk ( struct wpa_common_ctx *ctx, int len ) 366 { 367 DBGC ( ctx, "WPA %p: installing %d-byte pairwise transient key\n", 368 ctx, len ); 369 DBGC2_HD ( ctx, &ctx->ptk.tk, len ); 370 371 return sec80211_install ( &ctx->dev->crypto, ctx->crypt, 372 &ctx->ptk.tk, len, NULL ); 373 } 374 375 /** 376 * Install group transient key 377 * 378 * @v ctx WPA common context 379 * @v len Key length (16 for CCMP, 32 for TKIP) 380 * @v rsc Receive sequence counter field in EAPOL-Key packet 381 * @ret rc Return status code 382 */ 383 static inline int wpa_install_gtk ( struct wpa_common_ctx *ctx, int len, 384 const void *rsc ) 385 { 386 DBGC ( ctx, "WPA %p: installing %d-byte group transient key\n", 387 ctx, len ); 388 DBGC2_HD ( ctx, &ctx->gtk.tk, len ); 389 390 return sec80211_install ( &ctx->dev->gcrypto, ctx->gcrypt, 391 &ctx->gtk.tk, len, rsc ); 392 } 393 394 /** 395 * Search for group transient key, and install it if found 396 * 397 * @v ctx WPA common context 398 * @v ie Pointer to first IE in key data field 399 * @v ie_end Pointer to first byte not in key data field 400 * @v rsc Receive sequence counter field in EAPOL-Key packet 401 * @ret rc Return status code 402 */ 403 static int wpa_maybe_install_gtk ( struct wpa_common_ctx *ctx, 404 union ieee80211_ie *ie, void *ie_end, 405 const void *rsc ) 406 { 407 struct wpa_kde *kde; 408 409 if ( ! ieee80211_ie_bound ( ie, ie_end ) ) 410 return -ENOENT; 411 412 while ( ie ) { 413 if ( ie->id == IEEE80211_IE_VENDOR && 414 ie->vendor.oui == WPA_KDE_GTK ) 415 break; 416 417 ie = ieee80211_next_ie ( ie, ie_end ); 418 } 419 420 if ( ! ie ) 421 return -ENOENT; 422 423 if ( ie->len - 6u > sizeof ( ctx->gtk.tk ) ) { 424 DBGC ( ctx, "WPA %p: GTK KDE is too long (%d bytes, max %d)\n", 425 ctx, ie->len - 4, sizeof ( ctx->gtk.tk ) ); 426 return -EINVAL; 427 } 428 429 /* XXX We ignore key ID for now. */ 430 kde = ( struct wpa_kde * ) ie; 431 memcpy ( &ctx->gtk.tk, &kde->gtk_encap.gtk, kde->len - 6 ); 432 433 return wpa_install_gtk ( ctx, kde->len - 6, rsc ); 434 } 435 436 437 /** 438 * Allocate I/O buffer for construction of outgoing EAPOL-Key frame 439 * 440 * @v kdlen Maximum number of bytes in the Key Data field 441 * @ret iob Newly allocated I/O buffer 442 * 443 * The returned buffer will have space reserved for the link-layer and 444 * EAPOL headers, and will have @c iob->tail pointing to the start of 445 * the Key Data field. Thus, it is necessary to use iob_put() in 446 * filling the Key Data. 447 */ 448 static struct io_buffer * wpa_alloc_frame ( int kdlen ) 449 { 450 struct io_buffer *ret = alloc_iob ( sizeof ( struct eapol_key_pkt ) + 451 kdlen + EAPOL_HDR_LEN + 452 MAX_LL_HEADER_LEN ); 453 if ( ! ret ) 454 return NULL; 455 456 iob_reserve ( ret, MAX_LL_HEADER_LEN + EAPOL_HDR_LEN ); 457 memset ( iob_put ( ret, sizeof ( struct eapol_key_pkt ) ), 0, 458 sizeof ( struct eapol_key_pkt ) ); 459 460 return ret; 461 } 462 463 464 /** 465 * Send EAPOL-Key packet 466 * 467 * @v iob I/O buffer, with sufficient headroom for headers 468 * @v dev 802.11 device 469 * @v kie Key integrity and encryption handler 470 * @v is_rsn If TRUE, handshake uses new RSN format 471 * @ret rc Return status code 472 * 473 * If a KIE is specified, the MIC will be filled in before transmission. 474 */ 475 static int wpa_send_eapol ( struct io_buffer *iob, struct wpa_common_ctx *ctx, 476 struct wpa_kie *kie ) 477 { 478 struct eapol_key_pkt *pkt = iob->data; 479 struct eapol_frame *eapol = iob_push ( iob, EAPOL_HDR_LEN ); 480 481 pkt->info = htons ( pkt->info ); 482 pkt->keysize = htons ( pkt->keysize ); 483 pkt->datalen = htons ( pkt->datalen ); 484 pkt->replay = cpu_to_be64 ( pkt->replay ); 485 eapol->version = EAPOL_THIS_VERSION; 486 eapol->type = EAPOL_TYPE_KEY; 487 eapol->length = htons ( iob->tail - iob->data - sizeof ( *eapol ) ); 488 489 memset ( pkt->mic, 0, sizeof ( pkt->mic ) ); 490 if ( kie ) 491 kie->mic ( &ctx->ptk.kck, eapol, EAPOL_HDR_LEN + 492 sizeof ( *pkt ) + ntohs ( pkt->datalen ), 493 pkt->mic ); 494 495 return net_tx ( iob, ctx->dev->netdev, &eapol_protocol, 496 ctx->dev->bssid ); 497 } 498 499 500 /** 501 * Send second frame in 4-Way Handshake 502 * 503 * @v ctx WPA common context 504 * @v pkt First frame, to which this is a reply 505 * @v is_rsn If TRUE, handshake uses new RSN format 506 * @v kie Key integrity and encryption handler 507 * @ret rc Return status code 508 */ 509 static int wpa_send_2_of_4 ( struct wpa_common_ctx *ctx, 510 struct eapol_key_pkt *pkt, int is_rsn, 511 struct wpa_kie *kie ) 512 { 513 struct io_buffer *iob = wpa_alloc_frame ( ctx->dev->rsn_ie->len + 2 ); 514 struct eapol_key_pkt *npkt; 515 516 if ( ! iob ) 517 return -ENOMEM; 518 519 npkt = iob->data; 520 memcpy ( npkt, pkt, sizeof ( *pkt ) ); 521 npkt->info &= ~EAPOL_KEY_INFO_KEY_ACK; 522 npkt->info |= EAPOL_KEY_INFO_KEY_MIC; 523 if ( is_rsn ) 524 npkt->keysize = 0; 525 memcpy ( npkt->nonce, ctx->Snonce, sizeof ( npkt->nonce ) ); 526 npkt->datalen = ctx->dev->rsn_ie->len + 2; 527 memcpy ( iob_put ( iob, npkt->datalen ), ctx->dev->rsn_ie, 528 npkt->datalen ); 529 530 DBGC ( ctx, "WPA %p: sending 2/4\n", ctx ); 531 532 return wpa_send_eapol ( iob, ctx, kie ); 533 } 534 535 536 /** 537 * Handle receipt of first frame in 4-Way Handshake 538 * 539 * @v ctx WPA common context 540 * @v pkt EAPOL-Key packet 541 * @v is_rsn If TRUE, frame uses new RSN format 542 * @v kie Key integrity and encryption handler 543 * @ret rc Return status code 544 */ 545 static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx, 546 struct eapol_key_pkt *pkt, int is_rsn, 547 struct wpa_kie *kie ) 548 { 549 int rc; 550 551 if ( ctx->state == WPA_WAITING ) 552 return -EINVAL; 553 554 ctx->state = WPA_WORKING; 555 memcpy ( ctx->Anonce, pkt->nonce, sizeof ( ctx->Anonce ) ); 556 if ( ! ctx->have_Snonce ) { 557 get_random_bytes ( ctx->Snonce, sizeof ( ctx->Snonce ) ); 558 ctx->have_Snonce = 1; 559 } 560 561 if ( is_rsn && pkt->datalen ) { 562 union ieee80211_ie *ie = ( union ieee80211_ie * ) pkt->data; 563 void *ie_end = pkt->data + pkt->datalen; 564 565 if ( ! ieee80211_ie_bound ( ie, ie_end ) ) { 566 DBGC ( ctx, "WPA %p: malformed PMKID KDE\n", ctx ); 567 return wpa_fail ( ctx, -EINVAL ); 568 } 569 570 while ( ie ) { 571 if ( ie->id == IEEE80211_IE_VENDOR && 572 ie->vendor.oui == WPA_KDE_PMKID ) { 573 rc = wpa_check_pmkid ( ctx, ie->vendor.data ); 574 if ( rc < 0 ) { 575 DBGC ( ctx, "WPA %p ALERT: PMKID " 576 "mismatch in 1/4\n", ctx ); 577 return wpa_fail ( ctx, rc ); 578 } 579 } 580 581 ie = ieee80211_next_ie ( ie, ie_end ); 582 } 583 } 584 585 DBGC ( ctx, "WPA %p: received 1/4, looks OK\n", ctx ); 586 587 wpa_derive_ptk ( ctx ); 588 589 return wpa_send_2_of_4 ( ctx, pkt, is_rsn, kie ); 590 } 591 592 593 /** 594 * Send fourth frame in 4-Way Handshake, or second in Group Key Handshake 595 * 596 * @v ctx WPA common context 597 * @v pkt EAPOL-Key packet for frame to which we're replying 598 * @v is_rsn If TRUE, frame uses new RSN format 599 * @v kie Key integrity and encryption handler 600 * @ret rc Return status code 601 */ 602 static int wpa_send_final ( struct wpa_common_ctx *ctx, 603 struct eapol_key_pkt *pkt, int is_rsn, 604 struct wpa_kie *kie ) 605 { 606 struct io_buffer *iob = wpa_alloc_frame ( 0 ); 607 struct eapol_key_pkt *npkt; 608 609 if ( ! iob ) 610 return -ENOMEM; 611 612 npkt = iob->data; 613 memcpy ( npkt, pkt, sizeof ( *pkt ) ); 614 npkt->info &= ~( EAPOL_KEY_INFO_KEY_ACK | EAPOL_KEY_INFO_INSTALL | 615 EAPOL_KEY_INFO_KEY_ENC ); 616 if ( is_rsn ) 617 npkt->keysize = 0; 618 memset ( npkt->nonce, 0, sizeof ( npkt->nonce ) ); 619 memset ( npkt->iv, 0, sizeof ( npkt->iv ) ); 620 npkt->datalen = 0; 621 622 if ( npkt->info & EAPOL_KEY_INFO_TYPE ) 623 DBGC ( ctx, "WPA %p: sending 4/4\n", ctx ); 624 else 625 DBGC ( ctx, "WPA %p: sending 2/2\n", ctx ); 626 627 return wpa_send_eapol ( iob, ctx, kie ); 628 629 } 630 631 632 /** 633 * Handle receipt of third frame in 4-Way Handshake 634 * 635 * @v ctx WPA common context 636 * @v pkt EAPOL-Key packet 637 * @v is_rsn If TRUE, frame uses new RSN format 638 * @v kie Key integrity and encryption handler 639 * @ret rc Return status code 640 */ 641 static int wpa_handle_3_of_4 ( struct wpa_common_ctx *ctx, 642 struct eapol_key_pkt *pkt, int is_rsn, 643 struct wpa_kie *kie ) 644 { 645 int rc; 646 u8 *this_rsn, *this_rsn_end; 647 u8 *new_rsn, *new_rsn_end; 648 int this_is_rsn, new_is_rsn; 649 650 if ( ctx->state == WPA_WAITING ) 651 return -EINVAL; 652 653 ctx->state = WPA_WORKING; 654 655 /* Check nonce */ 656 if ( memcmp ( ctx->Anonce, pkt->nonce, WPA_NONCE_LEN ) != 0 ) { 657 DBGC ( ctx, "WPA %p ALERT: nonce mismatch in 3/4\n", ctx ); 658 return wpa_fail ( ctx, -EACCES ); 659 } 660 661 /* Check RSN IE */ 662 this_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) pkt->data, 663 pkt->data + pkt->datalen, 664 &this_is_rsn, &this_rsn_end ); 665 if ( this_rsn ) 666 new_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) 667 this_rsn_end, 668 pkt->data + pkt->datalen, 669 &new_is_rsn, &new_rsn_end ); 670 else 671 new_rsn = NULL; 672 673 if ( ! ctx->ap_rsn_ie || ! this_rsn || 674 ctx->ap_rsn_ie_len != ( this_rsn_end - this_rsn ) || 675 ctx->ap_rsn_is_rsn != this_is_rsn || 676 memcmp ( ctx->ap_rsn_ie, this_rsn, ctx->ap_rsn_ie_len ) != 0 ) { 677 DBGC ( ctx, "WPA %p ALERT: RSN mismatch in 3/4\n", ctx ); 678 DBGC2 ( ctx, "WPA %p RSNs (in 3/4, in beacon):\n", ctx ); 679 DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn ); 680 DBGC2_HD ( ctx, ctx->ap_rsn_ie, ctx->ap_rsn_ie_len ); 681 return wpa_fail ( ctx, -EACCES ); 682 } 683 684 /* Don't switch if they just supplied both styles of IE 685 simultaneously; we need two RSN IEs or two WPA IEs to 686 switch ciphers. They'll be immediately consecutive because 687 of ordering guarantees. */ 688 if ( new_rsn && this_is_rsn == new_is_rsn ) { 689 struct net80211_wlan *assoc = ctx->dev->associating; 690 DBGC ( ctx, "WPA %p: accommodating bait-and-switch tactics\n", 691 ctx ); 692 DBGC2 ( ctx, "WPA %p RSNs (in 3/4+beacon, new in 3/4):\n", 693 ctx ); 694 DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn ); 695 DBGC2_HD ( ctx, new_rsn, new_rsn_end - new_rsn ); 696 697 if ( ( rc = sec80211_detect_ie ( new_is_rsn, new_rsn, 698 new_rsn_end, 699 &assoc->handshaking, 700 &assoc->crypto ) ) != 0 ) 701 DBGC ( ctx, "WPA %p: bait-and-switch invalid, staying " 702 "with original request\n", ctx ); 703 } else { 704 new_rsn = this_rsn; 705 new_is_rsn = this_is_rsn; 706 new_rsn_end = this_rsn_end; 707 } 708 709 /* Grab group cryptosystem ID */ 710 ctx->gcrypt = sec80211_rsn_get_net80211_crypt ( *( u32 * ) 711 ( new_rsn + 2 ) ); 712 713 /* Check for a GTK, if info field is encrypted */ 714 if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) { 715 rc = wpa_maybe_install_gtk ( ctx, 716 ( union ieee80211_ie * ) pkt->data, 717 pkt->data + pkt->datalen, 718 pkt->rsc ); 719 if ( rc < 0 ) { 720 DBGC ( ctx, "WPA %p did not install GTK in 3/4: %s\n", 721 ctx, strerror ( rc ) ); 722 if ( rc != -ENOENT ) 723 return wpa_fail ( ctx, rc ); 724 } 725 } 726 727 DBGC ( ctx, "WPA %p: received 3/4, looks OK\n", ctx ); 728 729 /* Send final message */ 730 rc = wpa_send_final ( ctx, pkt, is_rsn, kie ); 731 if ( rc < 0 ) 732 return wpa_fail ( ctx, rc ); 733 734 /* Install PTK */ 735 rc = wpa_install_ptk ( ctx, pkt->keysize ); 736 if ( rc < 0 ) { 737 DBGC ( ctx, "WPA %p failed to install PTK: %s\n", ctx, 738 strerror ( rc ) ); 739 return wpa_fail ( ctx, rc ); 740 } 741 742 /* Mark us as needing a new Snonce if we rekey */ 743 ctx->have_Snonce = 0; 744 745 /* Done! */ 746 ctx->state = WPA_SUCCESS; 747 return 0; 748 } 749 750 751 /** 752 * Handle receipt of first frame in Group Key Handshake 753 * 754 * @v ctx WPA common context 755 * @v pkt EAPOL-Key packet 756 * @v is_rsn If TRUE, frame uses new RSN format 757 * @v kie Key integrity and encryption handler 758 * @ret rc Return status code 759 */ 760 static int wpa_handle_1_of_2 ( struct wpa_common_ctx *ctx, 761 struct eapol_key_pkt *pkt, int is_rsn, 762 struct wpa_kie *kie ) 763 { 764 int rc; 765 766 /* 767 * WPA and RSN do this completely differently. 768 * 769 * The idea of encoding the GTK (or PMKID, or various other 770 * things) into a KDE that looks like an information element 771 * is an RSN innovation; old WPA code never encapsulates 772 * things like that. If it looks like an info element, it 773 * really is (for the WPA IE check in frames 2/4 and 3/4). The 774 * "key data encrypted" bit in the info field is also specific 775 * to RSN. 776 * 777 * So from an old WPA host, 3/4 does not contain an 778 * encapsulated GTK. The first frame of the GK handshake 779 * contains it, encrypted, but without a KDE wrapper, and with 780 * the key ID field (which gPXE doesn't use) shoved away in 781 * the reserved bits in the info field, and the TxRx bit 782 * stealing the Install bit's spot. 783 */ 784 785 if ( is_rsn && ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) ) { 786 rc = wpa_maybe_install_gtk ( ctx, 787 ( union ieee80211_ie * ) pkt->data, 788 pkt->data + pkt->datalen, 789 pkt->rsc ); 790 if ( rc < 0 ) { 791 DBGC ( ctx, "WPA %p: failed to install GTK in 1/2: " 792 "%s\n", ctx, strerror ( rc ) ); 793 return wpa_fail ( ctx, rc ); 794 } 795 } else { 796 rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data, 797 &pkt->datalen ); 798 if ( rc < 0 ) { 799 DBGC ( ctx, "WPA %p: failed to decrypt GTK: %s\n", 800 ctx, strerror ( rc ) ); 801 return rc; /* non-fatal */ 802 } 803 if ( pkt->datalen > sizeof ( ctx->gtk.tk ) ) { 804 DBGC ( ctx, "WPA %p: too much GTK data (%d > %d)\n", 805 ctx, pkt->datalen, sizeof ( ctx->gtk.tk ) ); 806 return wpa_fail ( ctx, -EINVAL ); 807 } 808 809 memcpy ( &ctx->gtk.tk, pkt->data, pkt->datalen ); 810 wpa_install_gtk ( ctx, pkt->datalen, pkt->rsc ); 811 } 812 813 DBGC ( ctx, "WPA %p: received 1/2, looks OK\n", ctx ); 814 815 return wpa_send_final ( ctx, pkt, is_rsn, kie ); 816 } 817 818 819 /** 820 * Handle receipt of EAPOL-Key frame for WPA 821 * 822 * @v iob I/O buffer 823 * @v netdev Network device 824 * @v ll_source Source link-layer address 825 */ 826 static int eapol_key_rx ( struct io_buffer *iob, struct net_device *netdev, 827 const void *ll_source ) 828 { 829 struct net80211_device *dev = net80211_get ( netdev ); 830 struct eapol_key_pkt *pkt = iob->data; 831 int is_rsn, found_ctx; 832 struct wpa_common_ctx *ctx; 833 int rc = 0; 834 struct wpa_kie *kie; 835 u8 their_mic[16], our_mic[16]; 836 837 if ( pkt->type != EAPOL_KEY_TYPE_WPA && 838 pkt->type != EAPOL_KEY_TYPE_RSN ) { 839 DBG ( "EAPOL-Key: packet not of 802.11 type\n" ); 840 rc = -EINVAL; 841 goto drop; 842 } 843 844 is_rsn = ( pkt->type == EAPOL_KEY_TYPE_RSN ); 845 846 if ( ! dev ) { 847 DBG ( "EAPOL-Key: packet not from 802.11\n" ); 848 rc = -EINVAL; 849 goto drop; 850 } 851 852 if ( memcmp ( dev->bssid, ll_source, ETH_ALEN ) != 0 ) { 853 DBG ( "EAPOL-Key: packet not from associated AP\n" ); 854 rc = -EINVAL; 855 goto drop; 856 } 857 858 if ( ! ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_ACK ) ) { 859 DBG ( "EAPOL-Key: packet sent in wrong direction\n" ); 860 rc = -EINVAL; 861 goto drop; 862 } 863 864 found_ctx = 0; 865 list_for_each_entry ( ctx, &wpa_contexts, list ) { 866 if ( ctx->dev == dev ) { 867 found_ctx = 1; 868 break; 869 } 870 } 871 872 if ( ! found_ctx ) { 873 DBG ( "EAPOL-Key: no WPA context to handle packet for %p\n", 874 dev ); 875 rc = -ENOENT; 876 goto drop; 877 } 878 879 if ( ( void * ) ( pkt + 1 ) + ntohs ( pkt->datalen ) > iob->tail ) { 880 DBGC ( ctx, "WPA %p: packet truncated (has %d extra bytes, " 881 "states %d)\n", ctx, iob->tail - ( void * ) ( pkt + 1 ), 882 ntohs ( pkt->datalen ) ); 883 rc = -EINVAL; 884 goto drop; 885 } 886 887 /* Get a handle on key integrity/encryption handler */ 888 kie = wpa_find_kie ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION ); 889 if ( ! kie ) { 890 DBGC ( ctx, "WPA %p: no support for packet version %d\n", ctx, 891 ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION ); 892 rc = wpa_fail ( ctx, -ENOTSUP ); 893 goto drop; 894 } 895 896 /* Check MIC */ 897 if ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_MIC ) { 898 memcpy ( their_mic, pkt->mic, sizeof ( pkt->mic ) ); 899 memset ( pkt->mic, 0, sizeof ( pkt->mic ) ); 900 kie->mic ( &ctx->ptk.kck, ( void * ) pkt - EAPOL_HDR_LEN, 901 EAPOL_HDR_LEN + sizeof ( *pkt ) + 902 ntohs ( pkt->datalen ), our_mic ); 903 DBGC2 ( ctx, "WPA %p MIC comparison (theirs, ours):\n", ctx ); 904 DBGC2_HD ( ctx, their_mic, 16 ); 905 DBGC2_HD ( ctx, our_mic, 16 ); 906 if ( memcmp ( their_mic, our_mic, sizeof ( pkt->mic ) ) != 0 ) { 907 DBGC ( ctx, "WPA %p: EAPOL MIC failure\n", ctx ); 908 goto drop; 909 } 910 } 911 912 /* Fix byte order to local */ 913 pkt->info = ntohs ( pkt->info ); 914 pkt->keysize = ntohs ( pkt->keysize ); 915 pkt->datalen = ntohs ( pkt->datalen ); 916 pkt->replay = be64_to_cpu ( pkt->replay ); 917 918 /* Check replay counter */ 919 if ( ctx->replay != ~0ULL && ctx->replay >= pkt->replay ) { 920 DBGC ( ctx, "WPA %p ALERT: Replay detected! " 921 "(%08x:%08x >= %08x:%08x)\n", ctx, 922 ( u32 ) ( ctx->replay >> 32 ), ( u32 ) ctx->replay, 923 ( u32 ) ( pkt->replay >> 32 ), ( u32 ) pkt->replay ); 924 rc = 0; /* ignore without error */ 925 goto drop; 926 } 927 ctx->replay = pkt->replay; 928 929 /* Decrypt key data */ 930 if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) { 931 rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data, 932 &pkt->datalen ); 933 if ( rc < 0 ) { 934 DBGC ( ctx, "WPA %p: failed to decrypt packet: %s\n", 935 ctx, strerror ( rc ) ); 936 goto drop; 937 } 938 } 939 940 /* Hand it off to appropriate handler */ 941 switch ( pkt->info & ( EAPOL_KEY_INFO_TYPE | 942 EAPOL_KEY_INFO_KEY_MIC ) ) { 943 case EAPOL_KEY_TYPE_PTK: 944 rc = wpa_handle_1_of_4 ( ctx, pkt, is_rsn, kie ); 945 break; 946 947 case EAPOL_KEY_TYPE_PTK | EAPOL_KEY_INFO_KEY_MIC: 948 rc = wpa_handle_3_of_4 ( ctx, pkt, is_rsn, kie ); 949 break; 950 951 case EAPOL_KEY_TYPE_GTK | EAPOL_KEY_INFO_KEY_MIC: 952 rc = wpa_handle_1_of_2 ( ctx, pkt, is_rsn, kie ); 953 break; 954 955 default: 956 DBGC ( ctx, "WPA %p: Invalid combination of key flags %04x\n", 957 ctx, pkt->info ); 958 rc = -EINVAL; 959 break; 960 } 961 962 drop: 963 free_iob ( iob ); 964 return rc; 965 } 966 967 struct eapol_handler eapol_key_handler __eapol_handler = { 968 .type = EAPOL_TYPE_KEY, 969 .rx = eapol_key_rx, 970 }; 971 972 /* WPA always needs EAPOL in order to be useful */ 973 REQUIRE_OBJECT ( eapol ); 974