1 /*
2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20 FILE_LICENCE ( GPL2_OR_LATER );
21
22 #include <ipxe/net80211.h>
23 #include <ipxe/sec80211.h>
24 #include <ipxe/wpa.h>
25 #include <ipxe/eapol.h>
26 #include <ipxe/crypto.h>
27 #include <ipxe/arc4.h>
28 #include <ipxe/crc32.h>
29 #include <ipxe/sha1.h>
30 #include <ipxe/hmac.h>
31 #include <ipxe/list.h>
32 #include <ipxe/ethernet.h>
33 #include <ipxe/rbg.h>
34 #include <stdlib.h>
35 #include <string.h>
36 #include <errno.h>
37 #include <byteswap.h>
38
39 /** @file
40 *
41 * Handler for the aspects of WPA handshaking that are independent of
42 * 802.1X/PSK or TKIP/CCMP; this mostly involves the 4-Way Handshake.
43 */
44
45 /** List of WPA contexts in active use. */
46 struct list_head wpa_contexts = LIST_HEAD_INIT ( wpa_contexts );
47
48
49 /**
50 * Return an error code and deauthenticate
51 *
52 * @v ctx WPA common context
53 * @v rc Return status code
54 * @ret rc The passed return status code
55 */
wpa_fail(struct wpa_common_ctx * ctx,int rc)56 static int wpa_fail ( struct wpa_common_ctx *ctx, int rc )
57 {
58 net80211_deauthenticate ( ctx->dev, rc );
59 return rc;
60 }
61
62
63 /**
64 * Find a cryptosystem handler structure from a crypto ID
65 *
66 * @v crypt Cryptosystem ID
67 * @ret crypto Cryptosystem handler structure
68 *
69 * If support for @a crypt is not compiled in to iPXE, or if @a crypt
70 * is NET80211_CRYPT_UNKNOWN, returns @c NULL.
71 */
72 static struct net80211_crypto *
wpa_find_cryptosystem(enum net80211_crypto_alg crypt)73 wpa_find_cryptosystem ( enum net80211_crypto_alg crypt )
74 {
75 struct net80211_crypto *crypto;
76
77 for_each_table_entry ( crypto, NET80211_CRYPTOS ) {
78 if ( crypto->algorithm == crypt )
79 return crypto;
80 }
81
82 return NULL;
83 }
84
85
86 /**
87 * Find WPA key integrity and encryption handler from key version field
88 *
89 * @v ver Version bits of EAPOL-Key info field
90 * @ret kie Key integrity and encryption handler
91 */
wpa_find_kie(int version)92 struct wpa_kie * wpa_find_kie ( int version )
93 {
94 struct wpa_kie *kie;
95
96 for_each_table_entry ( kie, WPA_KIES ) {
97 if ( kie->version == version )
98 return kie;
99 }
100
101 return NULL;
102 }
103
104
105 /**
106 * Construct RSN or WPA information element
107 *
108 * @v dev 802.11 device
109 * @ret ie_ret RSN or WPA information element
110 * @ret rc Return status code
111 *
112 * This function allocates, fills, and returns a RSN or WPA
113 * information element suitable for including in an association
114 * request frame to the network identified by @c dev->associating.
115 * If it is impossible to construct an information element consistent
116 * with iPXE's capabilities that is compatible with that network, or
117 * if none should be sent because that network's beacon included no
118 * security information, returns an error indication and leaves
119 * @a ie_ret unchanged.
120 *
121 * The returned IE will be of the same type (RSN or WPA) as was
122 * included in the beacon for the network it is destined for.
123 */
wpa_make_rsn_ie(struct net80211_device * dev,union ieee80211_ie ** ie_ret)124 int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie_ret )
125 {
126 u8 *rsn, *rsn_end;
127 int is_rsn;
128 u32 group_cipher;
129 enum net80211_crypto_alg gcrypt;
130 int ie_len;
131 u8 *iep;
132 struct ieee80211_ie_rsn *ie;
133 struct ieee80211_frame *hdr;
134 struct ieee80211_beacon *beacon;
135
136 if ( ! dev->associating ) {
137 DBG ( "WPA: Can't make RSN IE for a non-associating device\n" );
138 return -EINVAL;
139 }
140
141 hdr = dev->associating->beacon->data;
142 beacon = ( struct ieee80211_beacon * ) hdr->data;
143 rsn = sec80211_find_rsn ( beacon->info_element,
144 dev->associating->beacon->tail, &is_rsn,
145 &rsn_end );
146 if ( ! rsn ) {
147 DBG ( "WPA: Can't make RSN IE when we didn't get one\n" );
148 return -EINVAL;
149 }
150
151 rsn += 2; /* skip version */
152 group_cipher = *( u32 * ) rsn;
153 gcrypt = sec80211_rsn_get_net80211_crypt ( group_cipher );
154
155 if ( ! wpa_find_cryptosystem ( gcrypt ) ||
156 ! wpa_find_cryptosystem ( dev->associating->crypto ) ) {
157 DBG ( "WPA: No support for (GC:%d, PC:%d)\n",
158 gcrypt, dev->associating->crypto );
159 return -ENOTSUP;
160 }
161
162 /* Everything looks good - make our IE. */
163
164 /* WPA IEs need 4 more bytes for the OUI+type */
165 ie_len = ieee80211_rsn_size ( 1, 1, 0, is_rsn ) + ( 4 * ! is_rsn );
166 iep = malloc ( ie_len );
167 if ( ! iep )
168 return -ENOMEM;
169
170 *ie_ret = ( union ieee80211_ie * ) iep;
171
172 /* Store ID and length bytes. */
173 *iep++ = ( is_rsn ? IEEE80211_IE_RSN : IEEE80211_IE_VENDOR );
174 *iep++ = ie_len - 2;
175
176 /* Store OUI+type for WPA IEs. */
177 if ( ! is_rsn ) {
178 *( u32 * ) iep = IEEE80211_WPA_OUI_VEN;
179 iep += 4;
180 }
181
182 /* If this is a WPA IE, the id and len bytes in the
183 ieee80211_ie_rsn structure will not be valid, but by doing
184 the cast we can fill all the other fields much more
185 readily. */
186
187 ie = ( struct ieee80211_ie_rsn * ) ( iep - 2 );
188 ie->version = IEEE80211_RSN_VERSION;
189 ie->group_cipher = group_cipher;
190 ie->pairwise_count = 1;
191 ie->pairwise_cipher[0] =
192 sec80211_rsn_get_crypto_desc ( dev->associating->crypto,
193 is_rsn );
194 ie->akm_count = 1;
195 ie->akm_list[0] =
196 sec80211_rsn_get_akm_desc ( dev->associating->handshaking,
197 is_rsn );
198 if ( is_rsn ) {
199 ie->rsn_capab = 0;
200 ie->pmkid_count = 0;
201 }
202
203 return 0;
204 }
205
206
207 /**
208 * Set up generic WPA support to handle 4-Way Handshake
209 *
210 * @v dev 802.11 device
211 * @v ctx WPA common context
212 * @v pmk Pairwise Master Key to use for session
213 * @v pmk_len Length of PMK, almost always 32
214 * @ret rc Return status code
215 */
wpa_start(struct net80211_device * dev,struct wpa_common_ctx * ctx,const void * pmk,size_t pmk_len)216 int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx,
217 const void *pmk, size_t pmk_len )
218 {
219 struct io_buffer *iob;
220 struct ieee80211_frame *hdr;
221 struct ieee80211_beacon *beacon;
222 u8 *ap_rsn_ie = NULL, *ap_rsn_ie_end;
223
224 if ( ! dev->rsn_ie || ! dev->associating )
225 return -EINVAL;
226
227 ctx->dev = dev;
228 memcpy ( ctx->pmk, pmk, ctx->pmk_len = pmk_len );
229 ctx->state = WPA_READY;
230 ctx->replay = ~0ULL;
231
232 iob = dev->associating->beacon;
233 hdr = iob->data;
234 beacon = ( struct ieee80211_beacon * ) hdr->data;
235 ap_rsn_ie = sec80211_find_rsn ( beacon->info_element, iob->tail,
236 &ctx->ap_rsn_is_rsn, &ap_rsn_ie_end );
237 if ( ap_rsn_ie ) {
238 ctx->ap_rsn_ie = malloc ( ap_rsn_ie_end - ap_rsn_ie );
239 if ( ! ctx->ap_rsn_ie )
240 return -ENOMEM;
241 memcpy ( ctx->ap_rsn_ie, ap_rsn_ie, ap_rsn_ie_end - ap_rsn_ie );
242 ctx->ap_rsn_ie_len = ap_rsn_ie_end - ap_rsn_ie;
243 } else {
244 return -ENOENT;
245 }
246
247 ctx->crypt = dev->associating->crypto;
248 ctx->gcrypt = NET80211_CRYPT_UNKNOWN;
249
250 list_add_tail ( &ctx->list, &wpa_contexts );
251 return 0;
252 }
253
254
255 /**
256 * Disable handling of received WPA handshake frames
257 *
258 * @v dev 802.11 device
259 */
wpa_stop(struct net80211_device * dev)260 void wpa_stop ( struct net80211_device *dev )
261 {
262 struct wpa_common_ctx *ctx, *tmp;
263
264 list_for_each_entry_safe ( ctx, tmp, &wpa_contexts, list ) {
265 if ( ctx->dev == dev ) {
266 free ( ctx->ap_rsn_ie );
267 ctx->ap_rsn_ie = NULL;
268 list_del ( &ctx->list );
269 }
270 }
271 }
272
273
274 /**
275 * Derive pairwise transient key
276 *
277 * @v ctx WPA common context
278 */
wpa_derive_ptk(struct wpa_common_ctx * ctx)279 static void wpa_derive_ptk ( struct wpa_common_ctx *ctx )
280 {
281 struct {
282 u8 mac1[ETH_ALEN];
283 u8 mac2[ETH_ALEN];
284 u8 nonce1[WPA_NONCE_LEN];
285 u8 nonce2[WPA_NONCE_LEN];
286 } __attribute__ (( packed )) ptk_data;
287
288 /* The addresses and nonces are stored in numerical order (!) */
289
290 if ( memcmp ( ctx->dev->netdev->ll_addr, ctx->dev->bssid,
291 ETH_ALEN ) < 0 ) {
292 memcpy ( ptk_data.mac1, ctx->dev->netdev->ll_addr, ETH_ALEN );
293 memcpy ( ptk_data.mac2, ctx->dev->bssid, ETH_ALEN );
294 } else {
295 memcpy ( ptk_data.mac1, ctx->dev->bssid, ETH_ALEN );
296 memcpy ( ptk_data.mac2, ctx->dev->netdev->ll_addr, ETH_ALEN );
297 }
298
299 if ( memcmp ( ctx->Anonce, ctx->Snonce, WPA_NONCE_LEN ) < 0 ) {
300 memcpy ( ptk_data.nonce1, ctx->Anonce, WPA_NONCE_LEN );
301 memcpy ( ptk_data.nonce2, ctx->Snonce, WPA_NONCE_LEN );
302 } else {
303 memcpy ( ptk_data.nonce1, ctx->Snonce, WPA_NONCE_LEN );
304 memcpy ( ptk_data.nonce2, ctx->Anonce, WPA_NONCE_LEN );
305 }
306
307 DBGC2 ( ctx, "WPA %p A1 %s", ctx, eth_ntoa ( ptk_data.mac1 ) );
308 DBGC2 ( ctx, ", A2 %s\n", eth_ntoa ( ptk_data.mac2 ) );
309
310 DBGC2 ( ctx, "WPA %p Nonce1, Nonce2:\n", ctx );
311 DBGC2_HD ( ctx, ptk_data.nonce1, WPA_NONCE_LEN );
312 DBGC2_HD ( ctx, ptk_data.nonce2, WPA_NONCE_LEN );
313
314 prf_sha1 ( ctx->pmk, ctx->pmk_len,
315 "Pairwise key expansion",
316 &ptk_data, sizeof ( ptk_data ),
317 &ctx->ptk, sizeof ( ctx->ptk ) );
318
319 DBGC2 ( ctx, "WPA %p PTK:\n", ctx );
320 DBGC2_HD ( ctx, &ctx->ptk, sizeof ( ctx->ptk ) );
321 }
322
323
324 /**
325 * Install pairwise transient key
326 *
327 * @v ctx WPA common context
328 * @v len Key length (16 for CCMP, 32 for TKIP)
329 * @ret rc Return status code
330 */
wpa_install_ptk(struct wpa_common_ctx * ctx,int len)331 static inline int wpa_install_ptk ( struct wpa_common_ctx *ctx, int len )
332 {
333 DBGC ( ctx, "WPA %p: installing %d-byte pairwise transient key\n",
334 ctx, len );
335 DBGC2_HD ( ctx, &ctx->ptk.tk, len );
336
337 return sec80211_install ( &ctx->dev->crypto, ctx->crypt,
338 &ctx->ptk.tk, len, NULL );
339 }
340
341 /**
342 * Install group transient key
343 *
344 * @v ctx WPA common context
345 * @v len Key length (16 for CCMP, 32 for TKIP)
346 * @v rsc Receive sequence counter field in EAPOL-Key packet
347 * @ret rc Return status code
348 */
wpa_install_gtk(struct wpa_common_ctx * ctx,int len,const void * rsc)349 static inline int wpa_install_gtk ( struct wpa_common_ctx *ctx, int len,
350 const void *rsc )
351 {
352 DBGC ( ctx, "WPA %p: installing %d-byte group transient key\n",
353 ctx, len );
354 DBGC2_HD ( ctx, &ctx->gtk.tk, len );
355
356 return sec80211_install ( &ctx->dev->gcrypto, ctx->gcrypt,
357 &ctx->gtk.tk, len, rsc );
358 }
359
360 /**
361 * Search for group transient key, and install it if found
362 *
363 * @v ctx WPA common context
364 * @v ie Pointer to first IE in key data field
365 * @v ie_end Pointer to first byte not in key data field
366 * @v rsc Receive sequence counter field in EAPOL-Key packet
367 * @ret rc Return status code
368 */
wpa_maybe_install_gtk(struct wpa_common_ctx * ctx,union ieee80211_ie * ie,void * ie_end,const void * rsc)369 static int wpa_maybe_install_gtk ( struct wpa_common_ctx *ctx,
370 union ieee80211_ie *ie, void *ie_end,
371 const void *rsc )
372 {
373 struct wpa_kde *kde;
374
375 if ( ! ieee80211_ie_bound ( ie, ie_end ) )
376 return -ENOENT;
377
378 while ( ie ) {
379 if ( ie->id == IEEE80211_IE_VENDOR &&
380 ie->vendor.oui == WPA_KDE_GTK )
381 break;
382
383 ie = ieee80211_next_ie ( ie, ie_end );
384 }
385
386 if ( ! ie )
387 return -ENOENT;
388
389 if ( ie->len - 6u > sizeof ( ctx->gtk.tk ) ) {
390 DBGC ( ctx, "WPA %p: GTK KDE is too long (%d bytes, max %zd)\n",
391 ctx, ie->len - 4, sizeof ( ctx->gtk.tk ) );
392 return -EINVAL;
393 }
394
395 /* XXX We ignore key ID for now. */
396 kde = ( struct wpa_kde * ) ie;
397 memcpy ( &ctx->gtk.tk, &kde->gtk_encap.gtk, kde->len - 6 );
398
399 return wpa_install_gtk ( ctx, kde->len - 6, rsc );
400 }
401
402
403 /**
404 * Allocate I/O buffer for construction of outgoing EAPOL-Key frame
405 *
406 * @v kdlen Maximum number of bytes in the Key Data field
407 * @ret iob Newly allocated I/O buffer
408 *
409 * The returned buffer will have space reserved for the link-layer and
410 * EAPOL headers, and will have @c iob->tail pointing to the start of
411 * the Key Data field. Thus, it is necessary to use iob_put() in
412 * filling the Key Data.
413 */
wpa_alloc_frame(int kdlen)414 static struct io_buffer * wpa_alloc_frame ( int kdlen )
415 {
416 struct io_buffer *ret = alloc_iob ( sizeof ( struct eapol_key_pkt ) +
417 kdlen + EAPOL_HDR_LEN +
418 MAX_LL_HEADER_LEN );
419 if ( ! ret )
420 return NULL;
421
422 iob_reserve ( ret, MAX_LL_HEADER_LEN + EAPOL_HDR_LEN );
423 memset ( iob_put ( ret, sizeof ( struct eapol_key_pkt ) ), 0,
424 sizeof ( struct eapol_key_pkt ) );
425
426 return ret;
427 }
428
429
430 /**
431 * Send EAPOL-Key packet
432 *
433 * @v iob I/O buffer, with sufficient headroom for headers
434 * @v dev 802.11 device
435 * @v kie Key integrity and encryption handler
436 * @v is_rsn If TRUE, handshake uses new RSN format
437 * @ret rc Return status code
438 *
439 * If a KIE is specified, the MIC will be filled in before transmission.
440 */
wpa_send_eapol(struct io_buffer * iob,struct wpa_common_ctx * ctx,struct wpa_kie * kie)441 static int wpa_send_eapol ( struct io_buffer *iob, struct wpa_common_ctx *ctx,
442 struct wpa_kie *kie )
443 {
444 struct eapol_key_pkt *pkt = iob->data;
445 struct eapol_frame *eapol = iob_push ( iob, EAPOL_HDR_LEN );
446
447 pkt->info = htons ( pkt->info );
448 pkt->keysize = htons ( pkt->keysize );
449 pkt->datalen = htons ( pkt->datalen );
450 pkt->replay = cpu_to_be64 ( pkt->replay );
451 eapol->version = EAPOL_THIS_VERSION;
452 eapol->type = EAPOL_TYPE_KEY;
453 eapol->length = htons ( iob->tail - iob->data - sizeof ( *eapol ) );
454
455 memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
456 if ( kie )
457 kie->mic ( &ctx->ptk.kck, eapol, EAPOL_HDR_LEN +
458 sizeof ( *pkt ) + ntohs ( pkt->datalen ),
459 pkt->mic );
460
461 return net_tx ( iob, ctx->dev->netdev, &eapol_protocol,
462 ctx->dev->bssid, ctx->dev->netdev->ll_addr );
463 }
464
465
466 /**
467 * Send second frame in 4-Way Handshake
468 *
469 * @v ctx WPA common context
470 * @v pkt First frame, to which this is a reply
471 * @v is_rsn If TRUE, handshake uses new RSN format
472 * @v kie Key integrity and encryption handler
473 * @ret rc Return status code
474 */
wpa_send_2_of_4(struct wpa_common_ctx * ctx,struct eapol_key_pkt * pkt,int is_rsn,struct wpa_kie * kie)475 static int wpa_send_2_of_4 ( struct wpa_common_ctx *ctx,
476 struct eapol_key_pkt *pkt, int is_rsn,
477 struct wpa_kie *kie )
478 {
479 struct io_buffer *iob = wpa_alloc_frame ( ctx->dev->rsn_ie->len + 2 );
480 struct eapol_key_pkt *npkt;
481
482 if ( ! iob )
483 return -ENOMEM;
484
485 npkt = iob->data;
486 memcpy ( npkt, pkt, sizeof ( *pkt ) );
487 npkt->info &= ~EAPOL_KEY_INFO_KEY_ACK;
488 npkt->info |= EAPOL_KEY_INFO_KEY_MIC;
489 if ( is_rsn )
490 npkt->keysize = 0;
491 memcpy ( npkt->nonce, ctx->Snonce, sizeof ( npkt->nonce ) );
492 npkt->datalen = ctx->dev->rsn_ie->len + 2;
493 memcpy ( iob_put ( iob, npkt->datalen ), ctx->dev->rsn_ie,
494 npkt->datalen );
495
496 DBGC ( ctx, "WPA %p: sending 2/4\n", ctx );
497
498 return wpa_send_eapol ( iob, ctx, kie );
499 }
500
501
502 /**
503 * Handle receipt of first frame in 4-Way Handshake
504 *
505 * @v ctx WPA common context
506 * @v pkt EAPOL-Key packet
507 * @v is_rsn If TRUE, frame uses new RSN format
508 * @v kie Key integrity and encryption handler
509 * @ret rc Return status code
510 */
wpa_handle_1_of_4(struct wpa_common_ctx * ctx,struct eapol_key_pkt * pkt,int is_rsn,struct wpa_kie * kie)511 static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx,
512 struct eapol_key_pkt *pkt, int is_rsn,
513 struct wpa_kie *kie )
514 {
515 if ( ctx->state == WPA_WAITING )
516 return -EINVAL;
517
518 ctx->state = WPA_WORKING;
519 memcpy ( ctx->Anonce, pkt->nonce, sizeof ( ctx->Anonce ) );
520 if ( ! ctx->have_Snonce ) {
521 rbg_generate ( NULL, 0, 0, ctx->Snonce,
522 sizeof ( ctx->Snonce ) );
523 ctx->have_Snonce = 1;
524 }
525
526 DBGC ( ctx, "WPA %p: received 1/4, looks OK\n", ctx );
527
528 wpa_derive_ptk ( ctx );
529
530 return wpa_send_2_of_4 ( ctx, pkt, is_rsn, kie );
531 }
532
533
534 /**
535 * Send fourth frame in 4-Way Handshake, or second in Group Key Handshake
536 *
537 * @v ctx WPA common context
538 * @v pkt EAPOL-Key packet for frame to which we're replying
539 * @v is_rsn If TRUE, frame uses new RSN format
540 * @v kie Key integrity and encryption handler
541 * @ret rc Return status code
542 */
wpa_send_final(struct wpa_common_ctx * ctx,struct eapol_key_pkt * pkt,int is_rsn,struct wpa_kie * kie)543 static int wpa_send_final ( struct wpa_common_ctx *ctx,
544 struct eapol_key_pkt *pkt, int is_rsn,
545 struct wpa_kie *kie )
546 {
547 struct io_buffer *iob = wpa_alloc_frame ( 0 );
548 struct eapol_key_pkt *npkt;
549
550 if ( ! iob )
551 return -ENOMEM;
552
553 npkt = iob->data;
554 memcpy ( npkt, pkt, sizeof ( *pkt ) );
555 npkt->info &= ~( EAPOL_KEY_INFO_KEY_ACK | EAPOL_KEY_INFO_INSTALL |
556 EAPOL_KEY_INFO_KEY_ENC );
557 if ( is_rsn )
558 npkt->keysize = 0;
559 memset ( npkt->nonce, 0, sizeof ( npkt->nonce ) );
560 memset ( npkt->iv, 0, sizeof ( npkt->iv ) );
561 npkt->datalen = 0;
562
563 if ( npkt->info & EAPOL_KEY_INFO_TYPE )
564 DBGC ( ctx, "WPA %p: sending 4/4\n", ctx );
565 else
566 DBGC ( ctx, "WPA %p: sending 2/2\n", ctx );
567
568 return wpa_send_eapol ( iob, ctx, kie );
569
570 }
571
572
573 /**
574 * Handle receipt of third frame in 4-Way Handshake
575 *
576 * @v ctx WPA common context
577 * @v pkt EAPOL-Key packet
578 * @v is_rsn If TRUE, frame uses new RSN format
579 * @v kie Key integrity and encryption handler
580 * @ret rc Return status code
581 */
wpa_handle_3_of_4(struct wpa_common_ctx * ctx,struct eapol_key_pkt * pkt,int is_rsn,struct wpa_kie * kie)582 static int wpa_handle_3_of_4 ( struct wpa_common_ctx *ctx,
583 struct eapol_key_pkt *pkt, int is_rsn,
584 struct wpa_kie *kie )
585 {
586 int rc;
587 u8 *this_rsn, *this_rsn_end;
588 u8 *new_rsn, *new_rsn_end;
589 int this_is_rsn, new_is_rsn;
590
591 if ( ctx->state == WPA_WAITING )
592 return -EINVAL;
593
594 ctx->state = WPA_WORKING;
595
596 /* Check nonce */
597 if ( memcmp ( ctx->Anonce, pkt->nonce, WPA_NONCE_LEN ) != 0 ) {
598 DBGC ( ctx, "WPA %p ALERT: nonce mismatch in 3/4\n", ctx );
599 return wpa_fail ( ctx, -EACCES );
600 }
601
602 /* Check RSN IE */
603 this_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) pkt->data,
604 pkt->data + pkt->datalen,
605 &this_is_rsn, &this_rsn_end );
606 if ( this_rsn )
607 new_rsn = sec80211_find_rsn ( ( union ieee80211_ie * )
608 this_rsn_end,
609 pkt->data + pkt->datalen,
610 &new_is_rsn, &new_rsn_end );
611 else
612 new_rsn = NULL;
613
614 if ( ! ctx->ap_rsn_ie || ! this_rsn ||
615 ctx->ap_rsn_ie_len != ( this_rsn_end - this_rsn ) ||
616 ctx->ap_rsn_is_rsn != this_is_rsn ||
617 memcmp ( ctx->ap_rsn_ie, this_rsn, ctx->ap_rsn_ie_len ) != 0 ) {
618 DBGC ( ctx, "WPA %p ALERT: RSN mismatch in 3/4\n", ctx );
619 DBGC2 ( ctx, "WPA %p RSNs (in 3/4, in beacon):\n", ctx );
620 DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
621 DBGC2_HD ( ctx, ctx->ap_rsn_ie, ctx->ap_rsn_ie_len );
622 return wpa_fail ( ctx, -EACCES );
623 }
624
625 /* Don't switch if they just supplied both styles of IE
626 simultaneously; we need two RSN IEs or two WPA IEs to
627 switch ciphers. They'll be immediately consecutive because
628 of ordering guarantees. */
629 if ( new_rsn && this_is_rsn == new_is_rsn ) {
630 struct net80211_wlan *assoc = ctx->dev->associating;
631 DBGC ( ctx, "WPA %p: accommodating bait-and-switch tactics\n",
632 ctx );
633 DBGC2 ( ctx, "WPA %p RSNs (in 3/4+beacon, new in 3/4):\n",
634 ctx );
635 DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
636 DBGC2_HD ( ctx, new_rsn, new_rsn_end - new_rsn );
637
638 if ( ( rc = sec80211_detect_ie ( new_is_rsn, new_rsn,
639 new_rsn_end,
640 &assoc->handshaking,
641 &assoc->crypto ) ) != 0 )
642 DBGC ( ctx, "WPA %p: bait-and-switch invalid, staying "
643 "with original request\n", ctx );
644 } else {
645 new_rsn = this_rsn;
646 new_is_rsn = this_is_rsn;
647 new_rsn_end = this_rsn_end;
648 }
649
650 /* Grab group cryptosystem ID */
651 ctx->gcrypt = sec80211_rsn_get_net80211_crypt ( *( u32 * )
652 ( new_rsn + 2 ) );
653
654 /* Check for a GTK, if info field is encrypted */
655 if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
656 rc = wpa_maybe_install_gtk ( ctx,
657 ( union ieee80211_ie * ) pkt->data,
658 pkt->data + pkt->datalen,
659 pkt->rsc );
660 if ( rc < 0 ) {
661 DBGC ( ctx, "WPA %p did not install GTK in 3/4: %s\n",
662 ctx, strerror ( rc ) );
663 if ( rc != -ENOENT )
664 return wpa_fail ( ctx, rc );
665 }
666 }
667
668 DBGC ( ctx, "WPA %p: received 3/4, looks OK\n", ctx );
669
670 /* Send final message */
671 rc = wpa_send_final ( ctx, pkt, is_rsn, kie );
672 if ( rc < 0 )
673 return wpa_fail ( ctx, rc );
674
675 /* Install PTK */
676 rc = wpa_install_ptk ( ctx, pkt->keysize );
677 if ( rc < 0 ) {
678 DBGC ( ctx, "WPA %p failed to install PTK: %s\n", ctx,
679 strerror ( rc ) );
680 return wpa_fail ( ctx, rc );
681 }
682
683 /* Mark us as needing a new Snonce if we rekey */
684 ctx->have_Snonce = 0;
685
686 /* Done! */
687 ctx->state = WPA_SUCCESS;
688 return 0;
689 }
690
691
692 /**
693 * Handle receipt of first frame in Group Key Handshake
694 *
695 * @v ctx WPA common context
696 * @v pkt EAPOL-Key packet
697 * @v is_rsn If TRUE, frame uses new RSN format
698 * @v kie Key integrity and encryption handler
699 * @ret rc Return status code
700 */
wpa_handle_1_of_2(struct wpa_common_ctx * ctx,struct eapol_key_pkt * pkt,int is_rsn,struct wpa_kie * kie)701 static int wpa_handle_1_of_2 ( struct wpa_common_ctx *ctx,
702 struct eapol_key_pkt *pkt, int is_rsn,
703 struct wpa_kie *kie )
704 {
705 int rc;
706
707 /*
708 * WPA and RSN do this completely differently.
709 *
710 * The idea of encoding the GTK (or PMKID, or various other
711 * things) into a KDE that looks like an information element
712 * is an RSN innovation; old WPA code never encapsulates
713 * things like that. If it looks like an info element, it
714 * really is (for the WPA IE check in frames 2/4 and 3/4). The
715 * "key data encrypted" bit in the info field is also specific
716 * to RSN.
717 *
718 * So from an old WPA host, 3/4 does not contain an
719 * encapsulated GTK. The first frame of the GK handshake
720 * contains it, encrypted, but without a KDE wrapper, and with
721 * the key ID field (which iPXE doesn't use) shoved away in
722 * the reserved bits in the info field, and the TxRx bit
723 * stealing the Install bit's spot.
724 */
725
726 if ( is_rsn && ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) ) {
727 rc = wpa_maybe_install_gtk ( ctx,
728 ( union ieee80211_ie * ) pkt->data,
729 pkt->data + pkt->datalen,
730 pkt->rsc );
731 if ( rc < 0 ) {
732 DBGC ( ctx, "WPA %p: failed to install GTK in 1/2: "
733 "%s\n", ctx, strerror ( rc ) );
734 return wpa_fail ( ctx, rc );
735 }
736 } else {
737 rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
738 &pkt->datalen );
739 if ( rc < 0 ) {
740 DBGC ( ctx, "WPA %p: failed to decrypt GTK: %s\n",
741 ctx, strerror ( rc ) );
742 return rc; /* non-fatal */
743 }
744 if ( pkt->datalen > sizeof ( ctx->gtk.tk ) ) {
745 DBGC ( ctx, "WPA %p: too much GTK data (%d > %zd)\n",
746 ctx, pkt->datalen, sizeof ( ctx->gtk.tk ) );
747 return wpa_fail ( ctx, -EINVAL );
748 }
749
750 memcpy ( &ctx->gtk.tk, pkt->data, pkt->datalen );
751 wpa_install_gtk ( ctx, pkt->datalen, pkt->rsc );
752 }
753
754 DBGC ( ctx, "WPA %p: received 1/2, looks OK\n", ctx );
755
756 return wpa_send_final ( ctx, pkt, is_rsn, kie );
757 }
758
759
760 /**
761 * Handle receipt of EAPOL-Key frame for WPA
762 *
763 * @v iob I/O buffer
764 * @v netdev Network device
765 * @v ll_dest Link-layer destination address
766 * @v ll_source Source link-layer address
767 */
eapol_key_rx(struct io_buffer * iob,struct net_device * netdev,const void * ll_dest __unused,const void * ll_source)768 static int eapol_key_rx ( struct io_buffer *iob, struct net_device *netdev,
769 const void *ll_dest __unused,
770 const void *ll_source )
771 {
772 struct net80211_device *dev = net80211_get ( netdev );
773 struct eapol_key_pkt *pkt = iob->data;
774 int is_rsn, found_ctx;
775 struct wpa_common_ctx *ctx;
776 int rc = 0;
777 struct wpa_kie *kie;
778 u8 their_mic[16], our_mic[16];
779
780 if ( pkt->type != EAPOL_KEY_TYPE_WPA &&
781 pkt->type != EAPOL_KEY_TYPE_RSN ) {
782 DBG ( "EAPOL-Key: packet not of 802.11 type\n" );
783 rc = -EINVAL;
784 goto drop;
785 }
786
787 is_rsn = ( pkt->type == EAPOL_KEY_TYPE_RSN );
788
789 if ( ! dev ) {
790 DBG ( "EAPOL-Key: packet not from 802.11\n" );
791 rc = -EINVAL;
792 goto drop;
793 }
794
795 if ( memcmp ( dev->bssid, ll_source, ETH_ALEN ) != 0 ) {
796 DBG ( "EAPOL-Key: packet not from associated AP\n" );
797 rc = -EINVAL;
798 goto drop;
799 }
800
801 if ( ! ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_ACK ) ) {
802 DBG ( "EAPOL-Key: packet sent in wrong direction\n" );
803 rc = -EINVAL;
804 goto drop;
805 }
806
807 found_ctx = 0;
808 list_for_each_entry ( ctx, &wpa_contexts, list ) {
809 if ( ctx->dev == dev ) {
810 found_ctx = 1;
811 break;
812 }
813 }
814
815 if ( ! found_ctx ) {
816 DBG ( "EAPOL-Key: no WPA context to handle packet for %p\n",
817 dev );
818 rc = -ENOENT;
819 goto drop;
820 }
821
822 if ( ( void * ) ( pkt + 1 ) + ntohs ( pkt->datalen ) > iob->tail ) {
823 DBGC ( ctx, "WPA %p: packet truncated (has %zd extra bytes, "
824 "states %d)\n", ctx, iob->tail - ( void * ) ( pkt + 1 ),
825 ntohs ( pkt->datalen ) );
826 rc = -EINVAL;
827 goto drop;
828 }
829
830 /* Get a handle on key integrity/encryption handler */
831 kie = wpa_find_kie ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
832 if ( ! kie ) {
833 DBGC ( ctx, "WPA %p: no support for packet version %d\n", ctx,
834 ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
835 rc = wpa_fail ( ctx, -ENOTSUP );
836 goto drop;
837 }
838
839 /* Check MIC */
840 if ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_MIC ) {
841 memcpy ( their_mic, pkt->mic, sizeof ( pkt->mic ) );
842 memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
843 kie->mic ( &ctx->ptk.kck, ( void * ) pkt - EAPOL_HDR_LEN,
844 EAPOL_HDR_LEN + sizeof ( *pkt ) +
845 ntohs ( pkt->datalen ), our_mic );
846 DBGC2 ( ctx, "WPA %p MIC comparison (theirs, ours):\n", ctx );
847 DBGC2_HD ( ctx, their_mic, 16 );
848 DBGC2_HD ( ctx, our_mic, 16 );
849 if ( memcmp ( their_mic, our_mic, sizeof ( pkt->mic ) ) != 0 ) {
850 DBGC ( ctx, "WPA %p: EAPOL MIC failure\n", ctx );
851 goto drop;
852 }
853 }
854
855 /* Fix byte order to local */
856 pkt->info = ntohs ( pkt->info );
857 pkt->keysize = ntohs ( pkt->keysize );
858 pkt->datalen = ntohs ( pkt->datalen );
859 pkt->replay = be64_to_cpu ( pkt->replay );
860
861 /* Check replay counter */
862 if ( ctx->replay != ~0ULL && ctx->replay >= pkt->replay ) {
863 DBGC ( ctx, "WPA %p ALERT: Replay detected! "
864 "(%08x:%08x >= %08x:%08x)\n", ctx,
865 ( u32 ) ( ctx->replay >> 32 ), ( u32 ) ctx->replay,
866 ( u32 ) ( pkt->replay >> 32 ), ( u32 ) pkt->replay );
867 rc = 0; /* ignore without error */
868 goto drop;
869 }
870 ctx->replay = pkt->replay;
871
872 /* Decrypt key data */
873 if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
874 rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
875 &pkt->datalen );
876 if ( rc < 0 ) {
877 DBGC ( ctx, "WPA %p: failed to decrypt packet: %s\n",
878 ctx, strerror ( rc ) );
879 goto drop;
880 }
881 }
882
883 /* Hand it off to appropriate handler */
884 switch ( pkt->info & ( EAPOL_KEY_INFO_TYPE |
885 EAPOL_KEY_INFO_KEY_MIC ) ) {
886 case EAPOL_KEY_TYPE_PTK:
887 rc = wpa_handle_1_of_4 ( ctx, pkt, is_rsn, kie );
888 break;
889
890 case EAPOL_KEY_TYPE_PTK | EAPOL_KEY_INFO_KEY_MIC:
891 rc = wpa_handle_3_of_4 ( ctx, pkt, is_rsn, kie );
892 break;
893
894 case EAPOL_KEY_TYPE_GTK | EAPOL_KEY_INFO_KEY_MIC:
895 rc = wpa_handle_1_of_2 ( ctx, pkt, is_rsn, kie );
896 break;
897
898 default:
899 DBGC ( ctx, "WPA %p: Invalid combination of key flags %04x\n",
900 ctx, pkt->info );
901 rc = -EINVAL;
902 break;
903 }
904
905 drop:
906 free_iob ( iob );
907 return rc;
908 }
909
910 struct eapol_handler eapol_key_handler __eapol_handler = {
911 .type = EAPOL_TYPE_KEY,
912 .rx = eapol_key_rx,
913 };
914
915 /* WPA always needs EAPOL in order to be useful */
916 REQUIRING_SYMBOL ( eapol_key_handler );
917 REQUIRE_OBJECT ( eapol );
918