From 8ec18a5b508f5d9dbf1a771e5f6107d042446493 Mon Sep 17 00:00:00 2001 From: Joshua Oreman Date: Fri, 7 Aug 2009 23:03:40 -0700 Subject: [PATCH] [wpa] Add general support for WPA-protected 802.11 networks Modified-by: Marty Connor Signed-off-by: Marty Connor --- src/include/gpxe/errfile.h | 1 + src/include/gpxe/wpa.h | 503 +++++++++++++++++++ src/net/80211/wpa.c | 973 +++++++++++++++++++++++++++++++++++++ 3 files changed, 1477 insertions(+) create mode 100644 src/include/gpxe/wpa.h create mode 100644 src/net/80211/wpa.c diff --git a/src/include/gpxe/errfile.h b/src/include/gpxe/errfile.h index f68b9b7b..e55af1c1 100644 --- a/src/include/gpxe/errfile.h +++ b/src/include/gpxe/errfile.h @@ -161,6 +161,7 @@ FILE_LICENCE ( GPL2_OR_LATER ); #define ERRFILE_sec80211 ( ERRFILE_NET | 0x00230000 ) #define ERRFILE_wep ( ERRFILE_NET | 0x00240000 ) #define ERRFILE_eapol ( ERRFILE_NET | 0x00250000 ) +#define ERRFILE_wpa ( ERRFILE_NET | 0x00260000 ) #define ERRFILE_image ( ERRFILE_IMAGE | 0x00000000 ) #define ERRFILE_elf ( ERRFILE_IMAGE | 0x00010000 ) diff --git a/src/include/gpxe/wpa.h b/src/include/gpxe/wpa.h new file mode 100644 index 00000000..a7f19d71 --- /dev/null +++ b/src/include/gpxe/wpa.h @@ -0,0 +1,503 @@ +/* + * Copyright (c) 2009 Joshua Oreman . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#ifndef _GPXE_WPA_H +#define _GPXE_WPA_H + +#include +#include + +FILE_LICENCE ( GPL2_OR_LATER ); + +/** @file + * + * Common definitions for all types of WPA-protected networks. + */ + + +/** EAPOL-Key type field for modern 802.11i/RSN WPA packets */ +#define EAPOL_KEY_TYPE_RSN 2 + +/** Old EAPOL-Key type field used by WPA1 hardware before 802.11i ratified */ +#define EAPOL_KEY_TYPE_WPA 254 + + +/** + * @defgroup eapol_key_info EAPOL-Key Info field bits + * @{ + */ + +/** Key descriptor version, indicating WPA or WPA2 */ +#define EAPOL_KEY_INFO_VERSION 0x0007 + +/** Key type bit, indicating pairwise or group */ +#define EAPOL_KEY_INFO_TYPE 0x0008 + +/** Key install bit; set on message 3 except when legacy hacks are used */ +#define EAPOL_KEY_INFO_INSTALL 0x0040 + +/** Key ACK bit; set when a response is required, on all messages except #4 */ +#define EAPOL_KEY_INFO_KEY_ACK 0x0080 + +/** Key MIC bit; set when the MIC field is valid, on messages 3 and 4 */ +#define EAPOL_KEY_INFO_KEY_MIC 0x0100 + +/** Secure bit; set when both sides have both keys, on messages 3 and 4 */ +#define EAPOL_KEY_INFO_SECURE 0x0200 + +/** Error bit; set on a MIC failure for TKIP */ +#define EAPOL_KEY_INFO_ERROR 0x0400 + +/** Request bit; set when authentication is initiated by the Peer (unusual) */ +#define EAPOL_KEY_INFO_REQUEST 0x0800 + +/** Key Encrypted bit; set when the Key Data field is encrypted */ +#define EAPOL_KEY_INFO_KEY_ENC 0x1000 + +/** SMC Message bit; set when this frame is part of an IBSS SMK handshake */ +#define EAPOL_KEY_INFO_SMC_MESS 0x2000 + + +/** Key descriptor version field value for WPA (TKIP) */ +#define EAPOL_KEY_VERSION_WPA 1 + +/** Key descriptor version field value for WPA2 (CCMP) */ +#define EAPOL_KEY_VERSION_WPA2 2 + +/** Key type field value for a PTK (pairwise) key handshake */ +#define EAPOL_KEY_TYPE_PTK 0x0008 + +/** Key type field value for a GTK (group) key handshake */ +#define EAPOL_KEY_TYPE_GTK 0x0000 + +/** @} */ + + + +/** An EAPOL-Key packet. + * + * These are used for the WPA 4-Way Handshake, whether or not prior + * authentication has been performed using EAP. + * + * On LANs, an eapol_key_pkt is always encapsulated in the data field + * of an eapol_frame, with the frame's type code set to EAPOL_TYPE_KEY. + * + * Unlike 802.11 frame headers, the fields in this structure are + * stored in big-endian! + */ +struct eapol_key_pkt +{ + /** One of the EAPOL_KEY_TYPE_* defines. */ + u8 type; + + /** Bitfield of key characteristics, network byte order */ + u16 info; + + /** Length of encryption key to be used, network byte order + * + * This is 16 for CCMP, 32 for TKIP, and 5 or 13 for WEP. + */ + u16 keysize; + + /** Monotonically increasing value for EAPOL-Key conversations + * + * In another classic demonstration of overengineering, this + * 8-byte value will rarely be anything above 1. It's stored + * in network byte order. + */ + u64 replay; + + /** Nonce value + * + * This is the authenticator's ANonce in frame 1, the peer's + * SNonce in frame 2, and 0 in frames 3 and 4. + */ + u8 nonce[32]; + + /** Initialization vector + * + * This contains the IV used with the Key Encryption Key, or 0 + * if the key is unencrypted or encrypted using an algorithm + * that does not require an IV. + */ + u8 iv[16]; + + /** Receive sequence counter for GTK + * + * This is used to synchronize the client's replay counter for + * ordinary data packets. The first six bytes contain PN0 + * through PN5 for CCMP mode, or TSC0 through TSC5 for TKIP + * mode. The last two bytes are zero. + */ + u8 rsc[8]; + + /** Reserved bytes */ + u8 _reserved[8]; + + /** Message integrity code over the entire EAPOL frame + * + * This is calculated using HMAC-MD5 when the key descriptor + * version field in @a info is 1, and HMAC-SHA1 ignoring the + * last 4 bytes of the hash when the version field in @a info + * is 2. + */ + u8 mic[16]; + + /** Length of the @a data field in bytes, network byte order */ + u16 datalen; + + /** Key data + * + * This is formatted as a series of 802.11 information + * elements, with cryptographic data encapsulated using a + * "vendor-specific IE" code and an IEEE-specified OUI. + */ + u8 data[0]; +} __attribute__ (( packed )); + + +/** WPA handshaking state */ +enum wpa_state { + /** Waiting for PMK to be set */ + WPA_WAITING = 0, + + /** Ready for 4-Way Handshake */ + WPA_READY, + + /** Performing 4-Way Handshake */ + WPA_WORKING, + + /** 4-Way Handshake succeeded */ + WPA_SUCCESS, + + /** 4-Way Handshake failed */ + WPA_FAILURE, +}; + +/** Bitfield indicating a selection of WPA transient keys */ +enum wpa_keymask { + /** Pairwise transient key */ + WPA_PTK = 1, + + /** Group transient key */ + WPA_GTK = 2, +}; + + +/** Length of a nonce */ +#define WPA_NONCE_LEN 32 + +/** Length of a TKIP main key */ +#define WPA_TKIP_KEY_LEN 16 + +/** Length of a TKIP MIC key */ +#define WPA_TKIP_MIC_KEY_LEN 8 + +/** Length of a CCMP key */ +#define WPA_CCMP_KEY_LEN 16 + +/** Length of an EAPOL Key Confirmation Key */ +#define WPA_KCK_LEN 16 + +/** Length of an EAPOL Key Encryption Key */ +#define WPA_KEK_LEN 16 + +/** Usual length of a Pairwise Master Key */ +#define WPA_PMK_LEN 32 + +/** Length of a PMKID */ +#define WPA_PMKID_LEN 16 + + +/** Structure of the Temporal Key for TKIP encryption */ +struct tkip_tk +{ + /** Main key: input to TKIP Phase 1 and Phase 2 key mixing functions */ + u8 key[WPA_TKIP_KEY_LEN]; + + /** Michael MIC keys */ + struct { + /** MIC key for packets from the AP */ + u8 rx[WPA_TKIP_MIC_KEY_LEN]; + + /** MIC key for packets to the AP */ + u8 tx[WPA_TKIP_MIC_KEY_LEN]; + } __attribute__ (( packed )) mic; +} __attribute__ (( packed )); + +/** Structure of a generic Temporal Key */ +union wpa_tk +{ + /** CCMP key */ + u8 ccmp[WPA_CCMP_KEY_LEN]; + + /** TKIP keys */ + struct tkip_tk tkip; +}; + +/** Structure of the Pairwise Transient Key */ +struct wpa_ptk +{ + /** EAPOL-Key Key Confirmation Key (KCK) */ + u8 kck[WPA_KCK_LEN]; + + /** EAPOL-Key Key Encryption Key (KEK) */ + u8 kek[WPA_KEK_LEN]; + + /** Temporal key */ + union wpa_tk tk; +} __attribute__ (( packed )); + +/** Structure of the Group Transient Key */ +struct wpa_gtk +{ + /** Temporal key */ + union wpa_tk tk; +} __attribute__ (( packed )); + + +/** Common context for WPA security handshaking + * + * Any implementor of a particular handshaking type (e.g. PSK or EAP) + * must include this structure at the very beginning of their private + * data context structure, to allow the EAPOL-Key handling code to + * work. When the preliminary authentication is done, it is necessary + * to call wpa_start(), passing the PMK (derived from PSK or EAP MSK) + * as an argument. The handshaker can use its @a step function to + * monitor @a state in this wpa_ctx structure for success or + * failure. On success, the keys will be available in @a ptk and @a + * gtk according to the state of the @a valid bitmask. + * + * After an initial success, the parent handshaker does not need to + * concern itself with rekeying; the WPA common code takes care of + * that. + */ +struct wpa_common_ctx +{ + /** 802.11 device we are authenticating for */ + struct net80211_device *dev; + + /** The Pairwise Master Key to use in handshaking + * + * This is set either by running the PBKDF2 algorithm on a + * passphrase with the SSID as salt to generate a pre-shared + * key, or by copying the first 32 bytes of the EAP Master + * Session Key in 802.1X-served authentication. + */ + u8 pmk[WPA_PMK_LEN]; + + /** Length of the Pairwise Master Key + * + * This is always 32 except with one EAP method which only + * gives 16 bytes. + */ + int pmk_len; + + /** State of EAPOL-Key handshaking */ + enum wpa_state state; + + /** Replay counter for this association + * + * This stores the replay counter value for the most recent + * packet we've accepted. It is initially initialised to ~0 to + * show we'll accept anything. + */ + u64 replay; + + /** Mask of valid keys after authentication success + * + * If the PTK is not valid, the GTK should be used for both + * unicast and multicast decryption; if the GTK is not valid, + * multicast packets cannot be decrypted. + */ + enum wpa_keymask valid; + + /** The cipher to use for unicast RX and all TX */ + enum net80211_crypto_alg crypt; + + /** The cipher to use for broadcast and multicast RX */ + enum net80211_crypto_alg gcrypt; + + /** The Pairwise Transient Key derived from the handshake */ + struct wpa_ptk ptk; + + /** The Group Transient Key derived from the handshake */ + struct wpa_gtk gtk; + + /** Authenticator-provided nonce */ + u8 Anonce[WPA_NONCE_LEN]; + + /** Supplicant-generated nonce (that's us) */ + u8 Snonce[WPA_NONCE_LEN]; + + /** Whether we should refrain from generating another SNonce */ + int have_Snonce; + + /** Data in WPA or RSN IE from AP's beacon frame */ + void *ap_rsn_ie; + + /** Length of @a ap_rsn_ie */ + int ap_rsn_ie_len; + + /** Whether @a ap_rsn_ie is an RSN IE (as opposed to old WPA) */ + int ap_rsn_is_rsn; + + /** List entry */ + struct list_head list; +}; + + +/** WPA handshake key integrity and encryption handler + * + * Note that due to the structure of the 4-Way Handshake we never + * actually need to encrypt key data, only decrypt it. + */ +struct wpa_kie { + /** Value of version bits in EAPOL-Key info field for which to use + * + * This should be one of the @c EAPOL_KEY_VERSION_* constants. + */ + int version; + + /** Calculate MIC over message + * + * @v kck Key Confirmation Key, 16 bytes + * @v msg Message to calculate MIC over + * @v len Number of bytes to calculate MIC over + * @ret mic Calculated MIC, 16 bytes long + * + * The @a mic return may point within @a msg, so it must not + * be filled until the calculation has been performed. + */ + void ( * mic ) ( const void *kck, const void *msg, size_t len, + void *mic ); + + /** Decrypt key data + * + * @v kek Key Encryption Key, 16 bytes + * @v iv Initialisation vector for encryption, 16 bytes + * @v msg Message to decrypt (Key Data field) + * @v len Length of message + * @ret msg Decrypted message in place of original + * @ret len Updated to reflect encrypted length + * @ret rc Return status code + * + * The decrypted message is written over the encrypted one. + */ + int ( * decrypt ) ( const void *kek, const void *iv, void *msg, + u16 *len ); +}; + +#define WPA_KIES __table ( struct wpa_kie, "wpa_kies" ) +#define __wpa_kie __table_entry ( WPA_KIES, 01 ) + + + +/** + * @defgroup wpa_kde Key descriptor element types + * @{ + */ + +/** Payload structure of the GTK-encapsulating KDE + * + * This does not include the IE type, length, or OUI bytes, which are + * generic to all KDEs. + */ +struct wpa_kde_gtk_encap +{ + /** Key ID and TX bit */ + u8 id; + + /** Reserved byte */ + u8 _rsvd; + + /** Encapsulated group transient key */ + struct wpa_gtk gtk; +} __attribute__ (( packed )); + +/** Mask for Key ID in wpa_kde_gtk::id field */ +#define WPA_GTK_KID 0x03 + +/** Mask for Tx bit in wpa_kde_gtk::id field */ +#define WPA_GTK_TXBIT 0x04 + + +/** KDE type for an encapsulated Group Transient Key (requires encryption) */ +#define WPA_KDE_GTK _MKOUI ( 0x00, 0x0F, 0xAC, 0x01 ) + +/** KDE type for a MAC address */ +#define WPA_KDE_MAC _MKOUI ( 0x00, 0x0F, 0xAC, 0x03 ) + +/** KDE type for a PMKID */ +#define WPA_KDE_PMKID _MKOUI ( 0x00, 0x0F, 0xAC, 0x04 ) + +/** KDE type for a nonce */ +#define WPA_KDE_NONCE _MKOUI ( 0x00, 0x0F, 0xAC, 0x06 ) + +/** KDE type for a lifetime value */ +#define WPA_KDE_LIFETIME _MKOUI ( 0x00, 0x0F, 0xAC, 0x07 ) + + +/** Any key descriptor element type + * + * KDEs follow the 802.11 information element format of a type byte + * (in this case "vendor-specific", with the requisite OUI+subtype + * after length) and a length byte whose value does not include the + * length of the type and length bytes. + */ +struct wpa_kde +{ + /** Information element type: always 0xDD (IEEE80211_IE_VENDOR) */ + u8 ie_type; + + /** Length, not including ie_type and length fields */ + u8 len; + + /** OUI + type byte */ + u32 oui_type; + + /** Payload data */ + union { + /** For GTK-type KDEs, encapsulated GTK */ + struct wpa_kde_gtk_encap gtk_encap; + + /** For MAC-type KDEs, the MAC address */ + u8 mac[ETH_ALEN]; + + /** For PMKID-type KDEs, the PMKID */ + u8 pmkid[WPA_PMKID_LEN]; + + /** For Nonce-type KDEs, the nonce */ + u8 nonce[WPA_NONCE_LEN]; + + /** For Lifetime-type KDEs, the lifetime in seconds + * + * This is in network byte order! + */ + u32 lifetime; + }; +} __attribute__ (( packed )); + +/** @} */ + +int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie ); +int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx, + const void *pmk, size_t pmk_len ); +void wpa_stop ( struct net80211_device *dev ); + +#endif /* _GPXE_WPA_H */ diff --git a/src/net/80211/wpa.c b/src/net/80211/wpa.c new file mode 100644 index 00000000..9bac8fe7 --- /dev/null +++ b/src/net/80211/wpa.c @@ -0,0 +1,973 @@ +/* + * Copyright (c) 2009 Joshua Oreman . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +FILE_LICENCE ( GPL2_OR_LATER ); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** @file + * + * Handler for the aspects of WPA handshaking that are independent of + * 802.1X/PSK or TKIP/CCMP; this mostly involves the 4-Way Handshake. + */ + +/** List of WPA contexts in active use. */ +struct list_head wpa_contexts = LIST_HEAD_INIT ( wpa_contexts ); + + +/** + * Return an error code and deauthenticate + * + * @v ctx WPA common context + * @v rc Return status code + * @ret rc The passed return status code + */ +static int wpa_fail ( struct wpa_common_ctx *ctx, int rc ) +{ + net80211_deauthenticate ( ctx->dev, rc ); + return rc; +} + + +/** + * Find a cryptosystem handler structure from a crypto ID + * + * @v crypt Cryptosystem ID + * @ret crypto Cryptosystem handler structure + * + * If support for @a crypt is not compiled in to gPXE, or if @a crypt + * is NET80211_CRYPT_UNKNOWN, returns @c NULL. + */ +static struct net80211_crypto * +wpa_find_cryptosystem ( enum net80211_crypto_alg crypt ) +{ + struct net80211_crypto *crypto; + + for_each_table_entry ( crypto, NET80211_CRYPTOS ) { + if ( crypto->algorithm == crypt ) + return crypto; + } + + return NULL; +} + + +/** + * Find WPA key integrity and encryption handler from key version field + * + * @v ver Version bits of EAPOL-Key info field + * @ret kie Key integrity and encryption handler + */ +struct wpa_kie * wpa_find_kie ( int version ) +{ + struct wpa_kie *kie; + + for_each_table_entry ( kie, WPA_KIES ) { + if ( kie->version == version ) + return kie; + } + + return NULL; +} + + +/** + * Construct RSN or WPA information element + * + * @v dev 802.11 device + * @ret ie_ret RSN or WPA information element + * @ret rc Return status code + * + * This function allocates, fills, and returns a RSN or WPA + * information element suitable for including in an association + * request frame to the network identified by @c dev->associating. + * If it is impossible to construct an information element consistent + * with gPXE's capabilities that is compatible with that network, or + * if none should be sent because that network's beacon included no + * security information, returns an error indication and leaves + * @a ie_ret unchanged. + * + * The returned IE will be of the same type (RSN or WPA) as was + * included in the beacon for the network it is destined for. + */ +int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie_ret ) +{ + u8 *rsn, *rsn_end; + int is_rsn; + u32 group_cipher; + enum net80211_crypto_alg gcrypt; + int ie_len; + u8 *iep; + struct ieee80211_ie_rsn *ie; + struct ieee80211_frame *hdr; + struct ieee80211_beacon *beacon; + + if ( ! dev->associating ) { + DBG ( "WPA: Can't make RSN IE for a non-associating device\n" ); + return -EINVAL; + } + + hdr = dev->associating->beacon->data; + beacon = ( struct ieee80211_beacon * ) hdr->data; + rsn = sec80211_find_rsn ( beacon->info_element, + dev->associating->beacon->tail, &is_rsn, + &rsn_end ); + if ( ! rsn ) { + DBG ( "WPA: Can't make RSN IE when we didn't get one\n" ); + return -EINVAL; + } + + rsn += 2; /* skip version */ + group_cipher = *( u32 * ) rsn; + gcrypt = sec80211_rsn_get_net80211_crypt ( group_cipher ); + + if ( ! wpa_find_cryptosystem ( gcrypt ) || + ! wpa_find_cryptosystem ( dev->associating->crypto ) ) { + DBG ( "WPA: No support for (GC:%d, PC:%d)\n", + gcrypt, dev->associating->crypto ); + return -ENOTSUP; + } + + /* Everything looks good - make our IE. */ + + /* WPA IEs need 4 more bytes for the OUI+type */ + ie_len = ieee80211_rsn_size ( 1, 1, 0, is_rsn ) + ( 4 * ! is_rsn ); + iep = malloc ( ie_len ); + if ( ! iep ) + return -ENOMEM; + + *ie_ret = ( union ieee80211_ie * ) iep; + + /* Store ID and length bytes. */ + *iep++ = ( is_rsn ? IEEE80211_IE_RSN : IEEE80211_IE_VENDOR ); + *iep++ = ie_len - 2; + + /* Store OUI+type for WPA IEs. */ + if ( ! is_rsn ) { + *( u32 * ) iep = IEEE80211_WPA_OUI_VEN; + iep += 4; + } + + /* If this is a WPA IE, the id and len bytes in the + ieee80211_ie_rsn structure will not be valid, but by doing + the cast we can fill all the other fields much more + readily. */ + + ie = ( struct ieee80211_ie_rsn * ) ( iep - 2 ); + ie->version = IEEE80211_RSN_VERSION; + ie->group_cipher = group_cipher; + ie->pairwise_count = 1; + ie->pairwise_cipher[0] = + sec80211_rsn_get_crypto_desc ( dev->associating->crypto, + is_rsn ); + ie->akm_count = 1; + ie->akm_list[0] = + sec80211_rsn_get_akm_desc ( dev->associating->handshaking, + is_rsn ); + if ( is_rsn ) { + ie->rsn_capab = 0; + ie->pmkid_count = 0; + } + + return 0; +} + + +/** + * Set up generic WPA support to handle 4-Way Handshake + * + * @v dev 802.11 device + * @v ctx WPA common context + * @v pmk Pairwise Master Key to use for session + * @v pmk_len Length of PMK, almost always 32 + * @ret rc Return status code + */ +int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx, + const void *pmk, size_t pmk_len ) +{ + struct io_buffer *iob; + struct ieee80211_frame *hdr; + struct ieee80211_beacon *beacon; + u8 *ap_rsn_ie = NULL, *ap_rsn_ie_end; + + if ( ! dev->rsn_ie || ! dev->associating ) + return -EINVAL; + + ctx->dev = dev; + memcpy ( ctx->pmk, pmk, ctx->pmk_len = pmk_len ); + ctx->state = WPA_READY; + ctx->replay = ~0ULL; + + iob = dev->associating->beacon; + hdr = iob->data; + beacon = ( struct ieee80211_beacon * ) hdr->data; + ap_rsn_ie = sec80211_find_rsn ( beacon->info_element, iob->tail, + &ctx->ap_rsn_is_rsn, &ap_rsn_ie_end ); + if ( ap_rsn_ie ) { + ctx->ap_rsn_ie = malloc ( ap_rsn_ie_end - ap_rsn_ie ); + if ( ! ctx->ap_rsn_ie ) + return -ENOMEM; + memcpy ( ctx->ap_rsn_ie, ap_rsn_ie, ap_rsn_ie_end - ap_rsn_ie ); + ctx->ap_rsn_ie_len = ap_rsn_ie_end - ap_rsn_ie; + } else { + return -ENOENT; + } + + ctx->crypt = dev->associating->crypto; + ctx->gcrypt = NET80211_CRYPT_UNKNOWN; + + list_add_tail ( &ctx->list, &wpa_contexts ); + return 0; +} + + +/** + * Disable handling of received WPA handshake frames + * + * @v dev 802.11 device + */ +void wpa_stop ( struct net80211_device *dev ) +{ + struct wpa_common_ctx *ctx, *tmp; + + list_for_each_entry_safe ( ctx, tmp, &wpa_contexts, list ) { + if ( ctx->dev == dev ) { + free ( ctx->ap_rsn_ie ); + ctx->ap_rsn_ie = NULL; + list_del ( &ctx->list ); + } + } +} + + +/** + * Check PMKID consistency + * + * @v ctx WPA common context + * @v pmkid PMKID to check against (16 bytes long) + * @ret rc Zero if they match, or a negative error code if not + */ +int wpa_check_pmkid ( struct wpa_common_ctx *ctx, const u8 *pmkid ) +{ + u8 sha1_ctx[SHA1_CTX_SIZE]; + u8 my_pmkid[SHA1_SIZE]; + u8 pmk[ctx->pmk_len]; + size_t pmk_len; + struct { + char name[8]; + u8 aa[ETH_ALEN]; + u8 spa[ETH_ALEN]; + } __attribute__ (( packed )) pmkid_data; + + memcpy ( pmk, ctx->pmk, ctx->pmk_len ); + pmk_len = ctx->pmk_len; + + memcpy ( pmkid_data.name, "PMK Name", 8 ); + memcpy ( pmkid_data.aa, ctx->dev->bssid, ETH_ALEN ); + memcpy ( pmkid_data.spa, ctx->dev->netdev->ll_addr, ETH_ALEN ); + + hmac_init ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len ); + hmac_update ( &sha1_algorithm, sha1_ctx, &pmkid_data, + sizeof ( pmkid_data ) ); + hmac_final ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len, my_pmkid ); + + if ( memcmp ( my_pmkid, pmkid, WPA_PMKID_LEN ) != 0 ) + return -EACCES; + + return 0; +} + + +/** + * Derive pairwise transient key + * + * @v ctx WPA common context + */ +static void wpa_derive_ptk ( struct wpa_common_ctx *ctx ) +{ + struct { + u8 mac1[ETH_ALEN]; + u8 mac2[ETH_ALEN]; + u8 nonce1[WPA_NONCE_LEN]; + u8 nonce2[WPA_NONCE_LEN]; + } __attribute__ (( packed )) ptk_data; + + /* The addresses and nonces are stored in numerical order (!) */ + + if ( memcmp ( ctx->dev->netdev->ll_addr, ctx->dev->bssid, + ETH_ALEN ) < 0 ) { + memcpy ( ptk_data.mac1, ctx->dev->netdev->ll_addr, ETH_ALEN ); + memcpy ( ptk_data.mac2, ctx->dev->bssid, ETH_ALEN ); + } else { + memcpy ( ptk_data.mac1, ctx->dev->bssid, ETH_ALEN ); + memcpy ( ptk_data.mac2, ctx->dev->netdev->ll_addr, ETH_ALEN ); + } + + if ( memcmp ( ctx->Anonce, ctx->Snonce, WPA_NONCE_LEN ) < 0 ) { + memcpy ( ptk_data.nonce1, ctx->Anonce, WPA_NONCE_LEN ); + memcpy ( ptk_data.nonce2, ctx->Snonce, WPA_NONCE_LEN ); + } else { + memcpy ( ptk_data.nonce1, ctx->Snonce, WPA_NONCE_LEN ); + memcpy ( ptk_data.nonce2, ctx->Anonce, WPA_NONCE_LEN ); + } + + DBGC2 ( ctx, "WPA %p A1 %s, A2 %s\n", ctx, eth_ntoa ( ptk_data.mac1 ), + eth_ntoa ( ptk_data.mac2 ) ); + DBGC2 ( ctx, "WPA %p Nonce1, Nonce2:\n", ctx ); + DBGC2_HD ( ctx, ptk_data.nonce1, WPA_NONCE_LEN ); + DBGC2_HD ( ctx, ptk_data.nonce2, WPA_NONCE_LEN ); + + prf_sha1 ( ctx->pmk, ctx->pmk_len, + "Pairwise key expansion", + &ptk_data, sizeof ( ptk_data ), + &ctx->ptk, sizeof ( ctx->ptk ) ); + + DBGC2 ( ctx, "WPA %p PTK:\n", ctx ); + DBGC2_HD ( ctx, &ctx->ptk, sizeof ( ctx->ptk ) ); +} + + +/** + * Install pairwise transient key + * + * @v ctx WPA common context + * @v len Key length (16 for CCMP, 32 for TKIP) + * @ret rc Return status code + */ +static inline int wpa_install_ptk ( struct wpa_common_ctx *ctx, int len ) +{ + DBGC ( ctx, "WPA %p: installing %d-byte pairwise transient key\n", + ctx, len ); + DBGC2_HD ( ctx, &ctx->ptk.tk, len ); + + return sec80211_install ( &ctx->dev->crypto, ctx->crypt, + &ctx->ptk.tk, len, NULL ); +} + +/** + * Install group transient key + * + * @v ctx WPA common context + * @v len Key length (16 for CCMP, 32 for TKIP) + * @v rsc Receive sequence counter field in EAPOL-Key packet + * @ret rc Return status code + */ +static inline int wpa_install_gtk ( struct wpa_common_ctx *ctx, int len, + const void *rsc ) +{ + DBGC ( ctx, "WPA %p: installing %d-byte group transient key\n", + ctx, len ); + DBGC2_HD ( ctx, &ctx->gtk.tk, len ); + + return sec80211_install ( &ctx->dev->gcrypto, ctx->gcrypt, + &ctx->gtk.tk, len, rsc ); +} + +/** + * Search for group transient key, and install it if found + * + * @v ctx WPA common context + * @v ie Pointer to first IE in key data field + * @v ie_end Pointer to first byte not in key data field + * @v rsc Receive sequence counter field in EAPOL-Key packet + * @ret rc Return status code + */ +static int wpa_maybe_install_gtk ( struct wpa_common_ctx *ctx, + union ieee80211_ie *ie, void *ie_end, + const void *rsc ) +{ + struct wpa_kde *kde; + + if ( ! ieee80211_ie_bound ( ie, ie_end ) ) + return -ENOENT; + + while ( ie ) { + if ( ie->id == IEEE80211_IE_VENDOR && + ie->vendor.oui == WPA_KDE_GTK ) + break; + + ie = ieee80211_next_ie ( ie, ie_end ); + } + + if ( ! ie ) + return -ENOENT; + + if ( ie->len - 6u > sizeof ( ctx->gtk.tk ) ) { + DBGC ( ctx, "WPA %p: GTK KDE is too long (%d bytes, max %d)\n", + ctx, ie->len - 4, sizeof ( ctx->gtk.tk ) ); + return -EINVAL; + } + + /* XXX We ignore key ID for now. */ + kde = ( struct wpa_kde * ) ie; + memcpy ( &ctx->gtk.tk, &kde->gtk_encap.gtk, kde->len - 6 ); + + return wpa_install_gtk ( ctx, kde->len - 6, rsc ); +} + + +/** + * Allocate I/O buffer for construction of outgoing EAPOL-Key frame + * + * @v kdlen Maximum number of bytes in the Key Data field + * @ret iob Newly allocated I/O buffer + * + * The returned buffer will have space reserved for the link-layer and + * EAPOL headers, and will have @c iob->tail pointing to the start of + * the Key Data field. Thus, it is necessary to use iob_put() in + * filling the Key Data. + */ +static struct io_buffer * wpa_alloc_frame ( int kdlen ) +{ + struct io_buffer *ret = alloc_iob ( sizeof ( struct eapol_key_pkt ) + + kdlen + EAPOL_HDR_LEN + + MAX_LL_HEADER_LEN ); + if ( ! ret ) + return NULL; + + iob_reserve ( ret, MAX_LL_HEADER_LEN + EAPOL_HDR_LEN ); + memset ( iob_put ( ret, sizeof ( struct eapol_key_pkt ) ), 0, + sizeof ( struct eapol_key_pkt ) ); + + return ret; +} + + +/** + * Send EAPOL-Key packet + * + * @v iob I/O buffer, with sufficient headroom for headers + * @v dev 802.11 device + * @v kie Key integrity and encryption handler + * @v is_rsn If TRUE, handshake uses new RSN format + * @ret rc Return status code + * + * If a KIE is specified, the MIC will be filled in before transmission. + */ +static int wpa_send_eapol ( struct io_buffer *iob, struct wpa_common_ctx *ctx, + struct wpa_kie *kie ) +{ + struct eapol_key_pkt *pkt = iob->data; + struct eapol_frame *eapol = iob_push ( iob, EAPOL_HDR_LEN ); + + pkt->info = htons ( pkt->info ); + pkt->keysize = htons ( pkt->keysize ); + pkt->datalen = htons ( pkt->datalen ); + pkt->replay = cpu_to_be64 ( pkt->replay ); + eapol->version = EAPOL_THIS_VERSION; + eapol->type = EAPOL_TYPE_KEY; + eapol->length = htons ( iob->tail - iob->data - sizeof ( *eapol ) ); + + memset ( pkt->mic, 0, sizeof ( pkt->mic ) ); + if ( kie ) + kie->mic ( &ctx->ptk.kck, eapol, EAPOL_HDR_LEN + + sizeof ( *pkt ) + ntohs ( pkt->datalen ), + pkt->mic ); + + return net_tx ( iob, ctx->dev->netdev, &eapol_protocol, + ctx->dev->bssid ); +} + + +/** + * Send second frame in 4-Way Handshake + * + * @v ctx WPA common context + * @v pkt First frame, to which this is a reply + * @v is_rsn If TRUE, handshake uses new RSN format + * @v kie Key integrity and encryption handler + * @ret rc Return status code + */ +static int wpa_send_2_of_4 ( struct wpa_common_ctx *ctx, + struct eapol_key_pkt *pkt, int is_rsn, + struct wpa_kie *kie ) +{ + struct io_buffer *iob = wpa_alloc_frame ( ctx->dev->rsn_ie->len + 2 ); + struct eapol_key_pkt *npkt; + + if ( ! iob ) + return -ENOMEM; + + npkt = iob->data; + memcpy ( npkt, pkt, sizeof ( *pkt ) ); + npkt->info &= ~EAPOL_KEY_INFO_KEY_ACK; + npkt->info |= EAPOL_KEY_INFO_KEY_MIC; + if ( is_rsn ) + npkt->keysize = 0; + memcpy ( npkt->nonce, ctx->Snonce, sizeof ( npkt->nonce ) ); + npkt->datalen = ctx->dev->rsn_ie->len + 2; + memcpy ( iob_put ( iob, npkt->datalen ), ctx->dev->rsn_ie, + npkt->datalen ); + + DBGC ( ctx, "WPA %p: sending 2/4\n", ctx ); + + return wpa_send_eapol ( iob, ctx, kie ); +} + + +/** + * Handle receipt of first frame in 4-Way Handshake + * + * @v ctx WPA common context + * @v pkt EAPOL-Key packet + * @v is_rsn If TRUE, frame uses new RSN format + * @v kie Key integrity and encryption handler + * @ret rc Return status code + */ +static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx, + struct eapol_key_pkt *pkt, int is_rsn, + struct wpa_kie *kie ) +{ + int rc; + + if ( ctx->state == WPA_WAITING ) + return -EINVAL; + + ctx->state = WPA_WORKING; + memcpy ( ctx->Anonce, pkt->nonce, sizeof ( ctx->Anonce ) ); + if ( ! ctx->have_Snonce ) { + get_random_bytes ( ctx->Snonce, sizeof ( ctx->Snonce ) ); + ctx->have_Snonce = 1; + } + + if ( is_rsn && pkt->datalen ) { + union ieee80211_ie *ie = ( union ieee80211_ie * ) pkt->data; + void *ie_end = pkt->data + pkt->datalen; + + if ( ! ieee80211_ie_bound ( ie, ie_end ) ) { + DBGC ( ctx, "WPA %p: malformed PMKID KDE\n", ctx ); + return wpa_fail ( ctx, -EINVAL ); + } + + while ( ie ) { + if ( ie->id == IEEE80211_IE_VENDOR && + ie->vendor.oui == WPA_KDE_PMKID ) { + rc = wpa_check_pmkid ( ctx, ie->vendor.data ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p ALERT: PMKID " + "mismatch in 1/4\n", ctx ); + return wpa_fail ( ctx, rc ); + } + } + + ie = ieee80211_next_ie ( ie, ie_end ); + } + } + + DBGC ( ctx, "WPA %p: received 1/4, looks OK\n", ctx ); + + wpa_derive_ptk ( ctx ); + + return wpa_send_2_of_4 ( ctx, pkt, is_rsn, kie ); +} + + +/** + * Send fourth frame in 4-Way Handshake, or second in Group Key Handshake + * + * @v ctx WPA common context + * @v pkt EAPOL-Key packet for frame to which we're replying + * @v is_rsn If TRUE, frame uses new RSN format + * @v kie Key integrity and encryption handler + * @ret rc Return status code + */ +static int wpa_send_final ( struct wpa_common_ctx *ctx, + struct eapol_key_pkt *pkt, int is_rsn, + struct wpa_kie *kie ) +{ + struct io_buffer *iob = wpa_alloc_frame ( 0 ); + struct eapol_key_pkt *npkt; + + if ( ! iob ) + return -ENOMEM; + + npkt = iob->data; + memcpy ( npkt, pkt, sizeof ( *pkt ) ); + npkt->info &= ~( EAPOL_KEY_INFO_KEY_ACK | EAPOL_KEY_INFO_INSTALL | + EAPOL_KEY_INFO_KEY_ENC ); + if ( is_rsn ) + npkt->keysize = 0; + memset ( npkt->nonce, 0, sizeof ( npkt->nonce ) ); + memset ( npkt->iv, 0, sizeof ( npkt->iv ) ); + npkt->datalen = 0; + + if ( npkt->info & EAPOL_KEY_INFO_TYPE ) + DBGC ( ctx, "WPA %p: sending 4/4\n", ctx ); + else + DBGC ( ctx, "WPA %p: sending 2/2\n", ctx ); + + return wpa_send_eapol ( iob, ctx, kie ); + +} + + +/** + * Handle receipt of third frame in 4-Way Handshake + * + * @v ctx WPA common context + * @v pkt EAPOL-Key packet + * @v is_rsn If TRUE, frame uses new RSN format + * @v kie Key integrity and encryption handler + * @ret rc Return status code + */ +static int wpa_handle_3_of_4 ( struct wpa_common_ctx *ctx, + struct eapol_key_pkt *pkt, int is_rsn, + struct wpa_kie *kie ) +{ + int rc; + u8 *this_rsn, *this_rsn_end; + u8 *new_rsn, *new_rsn_end; + int this_is_rsn, new_is_rsn; + + if ( ctx->state == WPA_WAITING ) + return -EINVAL; + + ctx->state = WPA_WORKING; + + /* Check nonce */ + if ( memcmp ( ctx->Anonce, pkt->nonce, WPA_NONCE_LEN ) != 0 ) { + DBGC ( ctx, "WPA %p ALERT: nonce mismatch in 3/4\n", ctx ); + return wpa_fail ( ctx, -EACCES ); + } + + /* Check RSN IE */ + this_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) pkt->data, + pkt->data + pkt->datalen, + &this_is_rsn, &this_rsn_end ); + if ( this_rsn ) + new_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) + this_rsn_end, + pkt->data + pkt->datalen, + &new_is_rsn, &new_rsn_end ); + else + new_rsn = NULL; + + if ( ! ctx->ap_rsn_ie || ! this_rsn || + ctx->ap_rsn_ie_len != ( this_rsn_end - this_rsn ) || + ctx->ap_rsn_is_rsn != this_is_rsn || + memcmp ( ctx->ap_rsn_ie, this_rsn, ctx->ap_rsn_ie_len ) != 0 ) { + DBGC ( ctx, "WPA %p ALERT: RSN mismatch in 3/4\n", ctx ); + DBGC2 ( ctx, "WPA %p RSNs (in 3/4, in beacon):\n", ctx ); + DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn ); + DBGC2_HD ( ctx, ctx->ap_rsn_ie, ctx->ap_rsn_ie_len ); + return wpa_fail ( ctx, -EACCES ); + } + + /* Don't switch if they just supplied both styles of IE + simultaneously; we need two RSN IEs or two WPA IEs to + switch ciphers. They'll be immediately consecutive because + of ordering guarantees. */ + if ( new_rsn && this_is_rsn == new_is_rsn ) { + struct net80211_wlan *assoc = ctx->dev->associating; + DBGC ( ctx, "WPA %p: accommodating bait-and-switch tactics\n", + ctx ); + DBGC2 ( ctx, "WPA %p RSNs (in 3/4+beacon, new in 3/4):\n", + ctx ); + DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn ); + DBGC2_HD ( ctx, new_rsn, new_rsn_end - new_rsn ); + + if ( ( rc = sec80211_detect_ie ( new_is_rsn, new_rsn, + new_rsn_end, + &assoc->handshaking, + &assoc->crypto ) ) != 0 ) + DBGC ( ctx, "WPA %p: bait-and-switch invalid, staying " + "with original request\n", ctx ); + } else { + new_rsn = this_rsn; + new_is_rsn = this_is_rsn; + new_rsn_end = this_rsn_end; + } + + /* Grab group cryptosystem ID */ + ctx->gcrypt = sec80211_rsn_get_net80211_crypt ( *( u32 * ) + ( new_rsn + 2 ) ); + + /* Check for a GTK, if info field is encrypted */ + if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) { + rc = wpa_maybe_install_gtk ( ctx, + ( union ieee80211_ie * ) pkt->data, + pkt->data + pkt->datalen, + pkt->rsc ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p did not install GTK in 3/4: %s\n", + ctx, strerror ( rc ) ); + if ( rc != -ENOENT ) + return wpa_fail ( ctx, rc ); + } + } + + DBGC ( ctx, "WPA %p: received 3/4, looks OK\n", ctx ); + + /* Send final message */ + rc = wpa_send_final ( ctx, pkt, is_rsn, kie ); + if ( rc < 0 ) + return wpa_fail ( ctx, rc ); + + /* Install PTK */ + rc = wpa_install_ptk ( ctx, pkt->keysize ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p failed to install PTK: %s\n", ctx, + strerror ( rc ) ); + return wpa_fail ( ctx, rc ); + } + + /* Mark us as needing a new Snonce if we rekey */ + ctx->have_Snonce = 0; + + /* Done! */ + ctx->state = WPA_SUCCESS; + return 0; +} + + +/** + * Handle receipt of first frame in Group Key Handshake + * + * @v ctx WPA common context + * @v pkt EAPOL-Key packet + * @v is_rsn If TRUE, frame uses new RSN format + * @v kie Key integrity and encryption handler + * @ret rc Return status code + */ +static int wpa_handle_1_of_2 ( struct wpa_common_ctx *ctx, + struct eapol_key_pkt *pkt, int is_rsn, + struct wpa_kie *kie ) +{ + int rc; + + /* + * WPA and RSN do this completely differently. + * + * The idea of encoding the GTK (or PMKID, or various other + * things) into a KDE that looks like an information element + * is an RSN innovation; old WPA code never encapsulates + * things like that. If it looks like an info element, it + * really is (for the WPA IE check in frames 2/4 and 3/4). The + * "key data encrypted" bit in the info field is also specific + * to RSN. + * + * So from an old WPA host, 3/4 does not contain an + * encapsulated GTK. The first frame of the GK handshake + * contains it, encrypted, but without a KDE wrapper, and with + * the key ID field (which gPXE doesn't use) shoved away in + * the reserved bits in the info field, and the TxRx bit + * stealing the Install bit's spot. + */ + + if ( is_rsn && ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) ) { + rc = wpa_maybe_install_gtk ( ctx, + ( union ieee80211_ie * ) pkt->data, + pkt->data + pkt->datalen, + pkt->rsc ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p: failed to install GTK in 1/2: " + "%s\n", ctx, strerror ( rc ) ); + return wpa_fail ( ctx, rc ); + } + } else { + rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data, + &pkt->datalen ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p: failed to decrypt GTK: %s\n", + ctx, strerror ( rc ) ); + return rc; /* non-fatal */ + } + if ( pkt->datalen > sizeof ( ctx->gtk.tk ) ) { + DBGC ( ctx, "WPA %p: too much GTK data (%d > %d)\n", + ctx, pkt->datalen, sizeof ( ctx->gtk.tk ) ); + return wpa_fail ( ctx, -EINVAL ); + } + + memcpy ( &ctx->gtk.tk, pkt->data, pkt->datalen ); + wpa_install_gtk ( ctx, pkt->datalen, pkt->rsc ); + } + + DBGC ( ctx, "WPA %p: received 1/2, looks OK\n", ctx ); + + return wpa_send_final ( ctx, pkt, is_rsn, kie ); +} + + +/** + * Handle receipt of EAPOL-Key frame for WPA + * + * @v iob I/O buffer + * @v netdev Network device + * @v ll_source Source link-layer address + */ +static int eapol_key_rx ( struct io_buffer *iob, struct net_device *netdev, + const void *ll_source ) +{ + struct net80211_device *dev = net80211_get ( netdev ); + struct eapol_key_pkt *pkt = iob->data; + int is_rsn, found_ctx; + struct wpa_common_ctx *ctx; + int rc = 0; + struct wpa_kie *kie; + u8 their_mic[16], our_mic[16]; + + if ( pkt->type != EAPOL_KEY_TYPE_WPA && + pkt->type != EAPOL_KEY_TYPE_RSN ) { + DBG ( "EAPOL-Key: packet not of 802.11 type\n" ); + rc = -EINVAL; + goto drop; + } + + is_rsn = ( pkt->type == EAPOL_KEY_TYPE_RSN ); + + if ( ! dev ) { + DBG ( "EAPOL-Key: packet not from 802.11\n" ); + rc = -EINVAL; + goto drop; + } + + if ( memcmp ( dev->bssid, ll_source, ETH_ALEN ) != 0 ) { + DBG ( "EAPOL-Key: packet not from associated AP\n" ); + rc = -EINVAL; + goto drop; + } + + if ( ! ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_ACK ) ) { + DBG ( "EAPOL-Key: packet sent in wrong direction\n" ); + rc = -EINVAL; + goto drop; + } + + found_ctx = 0; + list_for_each_entry ( ctx, &wpa_contexts, list ) { + if ( ctx->dev == dev ) { + found_ctx = 1; + break; + } + } + + if ( ! found_ctx ) { + DBG ( "EAPOL-Key: no WPA context to handle packet for %p\n", + dev ); + rc = -ENOENT; + goto drop; + } + + if ( ( void * ) ( pkt + 1 ) + ntohs ( pkt->datalen ) > iob->tail ) { + DBGC ( ctx, "WPA %p: packet truncated (has %d extra bytes, " + "states %d)\n", ctx, iob->tail - ( void * ) ( pkt + 1 ), + ntohs ( pkt->datalen ) ); + rc = -EINVAL; + goto drop; + } + + /* Get a handle on key integrity/encryption handler */ + kie = wpa_find_kie ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION ); + if ( ! kie ) { + DBGC ( ctx, "WPA %p: no support for packet version %d\n", ctx, + ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION ); + rc = wpa_fail ( ctx, -ENOTSUP ); + goto drop; + } + + /* Check MIC */ + if ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_MIC ) { + memcpy ( their_mic, pkt->mic, sizeof ( pkt->mic ) ); + memset ( pkt->mic, 0, sizeof ( pkt->mic ) ); + kie->mic ( &ctx->ptk.kck, ( void * ) pkt - EAPOL_HDR_LEN, + EAPOL_HDR_LEN + sizeof ( *pkt ) + + ntohs ( pkt->datalen ), our_mic ); + DBGC2 ( ctx, "WPA %p MIC comparison (theirs, ours):\n", ctx ); + DBGC2_HD ( ctx, their_mic, 16 ); + DBGC2_HD ( ctx, our_mic, 16 ); + if ( memcmp ( their_mic, our_mic, sizeof ( pkt->mic ) ) != 0 ) { + DBGC ( ctx, "WPA %p: EAPOL MIC failure\n", ctx ); + goto drop; + } + } + + /* Fix byte order to local */ + pkt->info = ntohs ( pkt->info ); + pkt->keysize = ntohs ( pkt->keysize ); + pkt->datalen = ntohs ( pkt->datalen ); + pkt->replay = be64_to_cpu ( pkt->replay ); + + /* Check replay counter */ + if ( ctx->replay != ~0ULL && ctx->replay >= pkt->replay ) { + DBGC ( ctx, "WPA %p ALERT: Replay detected! " + "(%08x:%08x >= %08x:%08x)\n", ctx, + ( u32 ) ( ctx->replay >> 32 ), ( u32 ) ctx->replay, + ( u32 ) ( pkt->replay >> 32 ), ( u32 ) pkt->replay ); + rc = 0; /* ignore without error */ + goto drop; + } + ctx->replay = pkt->replay; + + /* Decrypt key data */ + if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) { + rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data, + &pkt->datalen ); + if ( rc < 0 ) { + DBGC ( ctx, "WPA %p: failed to decrypt packet: %s\n", + ctx, strerror ( rc ) ); + goto drop; + } + } + + /* Hand it off to appropriate handler */ + switch ( pkt->info & ( EAPOL_KEY_INFO_TYPE | + EAPOL_KEY_INFO_KEY_MIC ) ) { + case EAPOL_KEY_TYPE_PTK: + rc = wpa_handle_1_of_4 ( ctx, pkt, is_rsn, kie ); + break; + + case EAPOL_KEY_TYPE_PTK | EAPOL_KEY_INFO_KEY_MIC: + rc = wpa_handle_3_of_4 ( ctx, pkt, is_rsn, kie ); + break; + + case EAPOL_KEY_TYPE_GTK | EAPOL_KEY_INFO_KEY_MIC: + rc = wpa_handle_1_of_2 ( ctx, pkt, is_rsn, kie ); + break; + + default: + DBGC ( ctx, "WPA %p: Invalid combination of key flags %04x\n", + ctx, pkt->info ); + rc = -EINVAL; + break; + } + + drop: + free_iob ( iob ); + return rc; +} + +struct eapol_handler eapol_key_handler __eapol_handler = { + .type = EAPOL_TYPE_KEY, + .rx = eapol_key_rx, +}; + +/* WPA always needs EAPOL in order to be useful */ +REQUIRE_OBJECT ( eapol );