Context Navigation

source: bootcd/isolinux/syslinux-6.03/gpxe/src/net/80211/wpa.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 26.3 KB

Rev	Line
[e16e8f2]	1	/*
	2	* Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
	3	*
	4	* This program is free software; you can redistribute it and/or
	5	* modify it under the terms of the GNU General Public License as
	6	* published by the Free Software Foundation; either version 2 of the
	7	* License, or any later version.
	8	*
	9	* This program is distributed in the hope that it will be useful, but
	10	* WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	12	* General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, write to the Free Software
	16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	17	*/
	18
	19	FILE_LICENCE ( GPL2_OR_LATER );
	20
	21	#include <gpxe/net80211.h>
	22	#include <gpxe/sec80211.h>
	23	#include <gpxe/wpa.h>
	24	#include <gpxe/eapol.h>
	25	#include <gpxe/crypto.h>
	26	#include <gpxe/arc4.h>
	27	#include <gpxe/crc32.h>
	28	#include <gpxe/sha1.h>
	29	#include <gpxe/hmac.h>
	30	#include <gpxe/list.h>
	31	#include <gpxe/ethernet.h>
	32	#include <stdlib.h>
	33	#include <string.h>
	34	#include <errno.h>
	35
	36	/** @file
	37	*
	38	* Handler for the aspects of WPA handshaking that are independent of
	39	* 802.1X/PSK or TKIP/CCMP; this mostly involves the 4-Way Handshake.
	40	*/
	41
	42	/** List of WPA contexts in active use. */
	43	struct list_head wpa_contexts = LIST_HEAD_INIT ( wpa_contexts );
	44
	45
	46	/**
	47	* Return an error code and deauthenticate
	48	*
	49	* @v ctx WPA common context
	50	* @v rc Return status code
	51	* @ret rc The passed return status code
	52	*/
	53	static int wpa_fail ( struct wpa_common_ctx *ctx, int rc )
	54	{
	55	net80211_deauthenticate ( ctx->dev, rc );
	56	return rc;
	57	}
	58
	59
	60	/**
	61	* Find a cryptosystem handler structure from a crypto ID
	62	*
	63	* @v crypt Cryptosystem ID
	64	* @ret crypto Cryptosystem handler structure
	65	*
	66	* If support for @a crypt is not compiled in to gPXE, or if @a crypt
	67	* is NET80211_CRYPT_UNKNOWN, returns @c NULL.
	68	*/
	69	static struct net80211_crypto *
	70	wpa_find_cryptosystem ( enum net80211_crypto_alg crypt )
	71	{
	72	struct net80211_crypto *crypto;
	73
	74	for_each_table_entry ( crypto, NET80211_CRYPTOS ) {
	75	if ( crypto->algorithm == crypt )
	76	return crypto;
	77	}
	78
	79	return NULL;
	80	}
	81
	82
	83	/**
	84	* Find WPA key integrity and encryption handler from key version field
	85	*
	86	* @v ver Version bits of EAPOL-Key info field
	87	* @ret kie Key integrity and encryption handler
	88	*/
	89	struct wpa_kie * wpa_find_kie ( int version )
	90	{
	91	struct wpa_kie *kie;
	92
	93	for_each_table_entry ( kie, WPA_KIES ) {
	94	if ( kie->version == version )
	95	return kie;
	96	}
	97
	98	return NULL;
	99	}
	100
	101
	102	/**
	103	* Construct RSN or WPA information element
	104	*
	105	* @v dev 802.11 device
	106	* @ret ie_ret RSN or WPA information element
	107	* @ret rc Return status code
	108	*
	109	* This function allocates, fills, and returns a RSN or WPA
	110	* information element suitable for including in an association
	111	* request frame to the network identified by @c dev->associating.
	112	* If it is impossible to construct an information element consistent
	113	* with gPXE's capabilities that is compatible with that network, or
	114	* if none should be sent because that network's beacon included no
	115	* security information, returns an error indication and leaves
	116	* @a ie_ret unchanged.
	117	*
	118	* The returned IE will be of the same type (RSN or WPA) as was
	119	* included in the beacon for the network it is destined for.
	120	*/
	121	int wpa_make_rsn_ie ( struct net80211_device dev, union ieee80211_ie *ie_ret )
	122	{
	123	u8 rsn, rsn_end;
	124	int is_rsn;
	125	u32 group_cipher;
	126	enum net80211_crypto_alg gcrypt;
	127	int ie_len;
	128	u8 *iep;
	129	struct ieee80211_ie_rsn *ie;
	130	struct ieee80211_frame *hdr;
	131	struct ieee80211_beacon *beacon;
	132
	133	if ( ! dev->associating ) {
	134	DBG ( "WPA: Can't make RSN IE for a non-associating device\n" );
	135	return -EINVAL;
	136	}
	137
	138	hdr = dev->associating->beacon->data;
	139	beacon = ( struct ieee80211_beacon * ) hdr->data;
	140	rsn = sec80211_find_rsn ( beacon->info_element,
	141	dev->associating->beacon->tail, &is_rsn,
	142	&rsn_end );
	143	if ( ! rsn ) {
	144	DBG ( "WPA: Can't make RSN IE when we didn't get one\n" );
	145	return -EINVAL;
	146	}
	147
	148	rsn += 2; /* skip version */
	149	group_cipher = ( u32 ) rsn;
	150	gcrypt = sec80211_rsn_get_net80211_crypt ( group_cipher );
	151
	152	if ( ! wpa_find_cryptosystem ( gcrypt ) \|\|
	153	! wpa_find_cryptosystem ( dev->associating->crypto ) ) {
	154	DBG ( "WPA: No support for (GC:%d, PC:%d)\n",
	155	gcrypt, dev->associating->crypto );
	156	return -ENOTSUP;
	157	}
	158
	159	/* Everything looks good - make our IE. */
	160
	161	/* WPA IEs need 4 more bytes for the OUI+type */
	162	ie_len = ieee80211_rsn_size ( 1, 1, 0, is_rsn ) + ( 4 * ! is_rsn );
	163	iep = malloc ( ie_len );
	164	if ( ! iep )
	165	return -ENOMEM;
	166
	167	ie_ret = ( union ieee80211_ie ) iep;
	168
	169	/* Store ID and length bytes. */
	170	*iep++ = ( is_rsn ? IEEE80211_IE_RSN : IEEE80211_IE_VENDOR );
	171	*iep++ = ie_len - 2;
	172
	173	/* Store OUI+type for WPA IEs. */
	174	if ( ! is_rsn ) {
	175	( u32 ) iep = IEEE80211_WPA_OUI_VEN;
	176	iep += 4;
	177	}
	178
	179	/* If this is a WPA IE, the id and len bytes in the
	180	ieee80211_ie_rsn structure will not be valid, but by doing
	181	the cast we can fill all the other fields much more
	182	readily. */
	183
	184	ie = ( struct ieee80211_ie_rsn * ) ( iep - 2 );
	185	ie->version = IEEE80211_RSN_VERSION;
	186	ie->group_cipher = group_cipher;
	187	ie->pairwise_count = 1;
	188	ie->pairwise_cipher[0] =
	189	sec80211_rsn_get_crypto_desc ( dev->associating->crypto,
	190	is_rsn );
	191	ie->akm_count = 1;
	192	ie->akm_list[0] =
	193	sec80211_rsn_get_akm_desc ( dev->associating->handshaking,
	194	is_rsn );
	195	if ( is_rsn ) {
	196	ie->rsn_capab = 0;
	197	ie->pmkid_count = 0;
	198	}
	199
	200	return 0;
	201	}
	202
	203
	204	/**
	205	* Set up generic WPA support to handle 4-Way Handshake
	206	*
	207	* @v dev 802.11 device
	208	* @v ctx WPA common context
	209	* @v pmk Pairwise Master Key to use for session
	210	* @v pmk_len Length of PMK, almost always 32
	211	* @ret rc Return status code
	212	*/
	213	int wpa_start ( struct net80211_device dev, struct wpa_common_ctx ctx,
	214	const void *pmk, size_t pmk_len )
	215	{
	216	struct io_buffer *iob;
	217	struct ieee80211_frame *hdr;
	218	struct ieee80211_beacon *beacon;
	219	u8 ap_rsn_ie = NULL, ap_rsn_ie_end;
	220
	221	if ( ! dev->rsn_ie \|\| ! dev->associating )
	222	return -EINVAL;
	223
	224	ctx->dev = dev;
	225	memcpy ( ctx->pmk, pmk, ctx->pmk_len = pmk_len );
	226	ctx->state = WPA_READY;
	227	ctx->replay = ~0ULL;
	228
	229	iob = dev->associating->beacon;
	230	hdr = iob->data;
	231	beacon = ( struct ieee80211_beacon * ) hdr->data;
	232	ap_rsn_ie = sec80211_find_rsn ( beacon->info_element, iob->tail,
	233	&ctx->ap_rsn_is_rsn, &ap_rsn_ie_end );
	234	if ( ap_rsn_ie ) {
	235	ctx->ap_rsn_ie = malloc ( ap_rsn_ie_end - ap_rsn_ie );
	236	if ( ! ctx->ap_rsn_ie )
	237	return -ENOMEM;
	238	memcpy ( ctx->ap_rsn_ie, ap_rsn_ie, ap_rsn_ie_end - ap_rsn_ie );
	239	ctx->ap_rsn_ie_len = ap_rsn_ie_end - ap_rsn_ie;
	240	} else {
	241	return -ENOENT;
	242	}
	243
	244	ctx->crypt = dev->associating->crypto;
	245	ctx->gcrypt = NET80211_CRYPT_UNKNOWN;
	246
	247	list_add_tail ( &ctx->list, &wpa_contexts );
	248	return 0;
	249	}
	250
	251
	252	/**
	253	* Disable handling of received WPA handshake frames
	254	*
	255	* @v dev 802.11 device
	256	*/
	257	void wpa_stop ( struct net80211_device *dev )
	258	{
	259	struct wpa_common_ctx ctx, tmp;
	260
	261	list_for_each_entry_safe ( ctx, tmp, &wpa_contexts, list ) {
	262	if ( ctx->dev == dev ) {
	263	free ( ctx->ap_rsn_ie );
	264	ctx->ap_rsn_ie = NULL;
	265	list_del ( &ctx->list );
	266	}
	267	}
	268	}
	269
	270
	271	/**
	272	* Check PMKID consistency
	273	*
	274	* @v ctx WPA common context
	275	* @v pmkid PMKID to check against (16 bytes long)
	276	* @ret rc Zero if they match, or a negative error code if not
	277	*/
	278	int wpa_check_pmkid ( struct wpa_common_ctx ctx, const u8 pmkid )
	279	{
	280	u8 sha1_ctx[SHA1_CTX_SIZE];
	281	u8 my_pmkid[SHA1_SIZE];
	282	u8 pmk[ctx->pmk_len];
	283	size_t pmk_len;
	284	struct {
	285	char name[8];
	286	u8 aa[ETH_ALEN];
	287	u8 spa[ETH_ALEN];
	288	} __attribute__ (( packed )) pmkid_data;
	289
	290	memcpy ( pmk, ctx->pmk, ctx->pmk_len );
	291	pmk_len = ctx->pmk_len;
	292
	293	memcpy ( pmkid_data.name, "PMK Name", 8 );
	294	memcpy ( pmkid_data.aa, ctx->dev->bssid, ETH_ALEN );
	295	memcpy ( pmkid_data.spa, ctx->dev->netdev->ll_addr, ETH_ALEN );
	296
	297	hmac_init ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len );
	298	hmac_update ( &sha1_algorithm, sha1_ctx, &pmkid_data,
	299	sizeof ( pmkid_data ) );
	300	hmac_final ( &sha1_algorithm, sha1_ctx, pmk, &pmk_len, my_pmkid );
	301
	302	if ( memcmp ( my_pmkid, pmkid, WPA_PMKID_LEN ) != 0 )
	303	return -EACCES;
	304
	305	return 0;
	306	}
	307
	308
	309	/**
	310	* Derive pairwise transient key
	311	*
	312	* @v ctx WPA common context
	313	*/
	314	static void wpa_derive_ptk ( struct wpa_common_ctx *ctx )
	315	{
	316	struct {
	317	u8 mac1[ETH_ALEN];
	318	u8 mac2[ETH_ALEN];
	319	u8 nonce1[WPA_NONCE_LEN];
	320	u8 nonce2[WPA_NONCE_LEN];
	321	} __attribute__ (( packed )) ptk_data;
	322
	323	/* The addresses and nonces are stored in numerical order (!) */
	324
	325	if ( memcmp ( ctx->dev->netdev->ll_addr, ctx->dev->bssid,
	326	ETH_ALEN ) < 0 ) {
	327	memcpy ( ptk_data.mac1, ctx->dev->netdev->ll_addr, ETH_ALEN );
	328	memcpy ( ptk_data.mac2, ctx->dev->bssid, ETH_ALEN );
	329	} else {
	330	memcpy ( ptk_data.mac1, ctx->dev->bssid, ETH_ALEN );
	331	memcpy ( ptk_data.mac2, ctx->dev->netdev->ll_addr, ETH_ALEN );
	332	}
	333
	334	if ( memcmp ( ctx->Anonce, ctx->Snonce, WPA_NONCE_LEN ) < 0 ) {
	335	memcpy ( ptk_data.nonce1, ctx->Anonce, WPA_NONCE_LEN );
	336	memcpy ( ptk_data.nonce2, ctx->Snonce, WPA_NONCE_LEN );
	337	} else {
	338	memcpy ( ptk_data.nonce1, ctx->Snonce, WPA_NONCE_LEN );
	339	memcpy ( ptk_data.nonce2, ctx->Anonce, WPA_NONCE_LEN );
	340	}
	341
	342	DBGC2 ( ctx, "WPA %p A1 %s, A2 %s\n", ctx, eth_ntoa ( ptk_data.mac1 ),
	343	eth_ntoa ( ptk_data.mac2 ) );
	344	DBGC2 ( ctx, "WPA %p Nonce1, Nonce2:\n", ctx );
	345	DBGC2_HD ( ctx, ptk_data.nonce1, WPA_NONCE_LEN );
	346	DBGC2_HD ( ctx, ptk_data.nonce2, WPA_NONCE_LEN );
	347
	348	prf_sha1 ( ctx->pmk, ctx->pmk_len,
	349	"Pairwise key expansion",
	350	&ptk_data, sizeof ( ptk_data ),
	351	&ctx->ptk, sizeof ( ctx->ptk ) );
	352
	353	DBGC2 ( ctx, "WPA %p PTK:\n", ctx );
	354	DBGC2_HD ( ctx, &ctx->ptk, sizeof ( ctx->ptk ) );
	355	}
	356
	357
	358	/**
	359	* Install pairwise transient key
	360	*
	361	* @v ctx WPA common context
	362	* @v len Key length (16 for CCMP, 32 for TKIP)
	363	* @ret rc Return status code
	364	*/
	365	static inline int wpa_install_ptk ( struct wpa_common_ctx *ctx, int len )
	366	{
	367	DBGC ( ctx, "WPA %p: installing %d-byte pairwise transient key\n",
	368	ctx, len );
	369	DBGC2_HD ( ctx, &ctx->ptk.tk, len );
	370
	371	return sec80211_install ( &ctx->dev->crypto, ctx->crypt,
	372	&ctx->ptk.tk, len, NULL );
	373	}
	374
	375	/**
	376	* Install group transient key
	377	*
	378	* @v ctx WPA common context
	379	* @v len Key length (16 for CCMP, 32 for TKIP)
	380	* @v rsc Receive sequence counter field in EAPOL-Key packet
	381	* @ret rc Return status code
	382	*/
	383	static inline int wpa_install_gtk ( struct wpa_common_ctx *ctx, int len,
	384	const void *rsc )
	385	{
	386	DBGC ( ctx, "WPA %p: installing %d-byte group transient key\n",
	387	ctx, len );
	388	DBGC2_HD ( ctx, &ctx->gtk.tk, len );
	389
	390	return sec80211_install ( &ctx->dev->gcrypto, ctx->gcrypt,
	391	&ctx->gtk.tk, len, rsc );
	392	}
	393
	394	/**
	395	* Search for group transient key, and install it if found
	396	*
	397	* @v ctx WPA common context
	398	* @v ie Pointer to first IE in key data field
	399	* @v ie_end Pointer to first byte not in key data field
	400	* @v rsc Receive sequence counter field in EAPOL-Key packet
	401	* @ret rc Return status code
	402	*/
	403	static int wpa_maybe_install_gtk ( struct wpa_common_ctx *ctx,
	404	union ieee80211_ie ie, void ie_end,
	405	const void *rsc )
	406	{
	407	struct wpa_kde *kde;
	408
	409	if ( ! ieee80211_ie_bound ( ie, ie_end ) )
	410	return -ENOENT;
	411
	412	while ( ie ) {
	413	if ( ie->id == IEEE80211_IE_VENDOR &&
	414	ie->vendor.oui == WPA_KDE_GTK )
	415	break;
	416
	417	ie = ieee80211_next_ie ( ie, ie_end );
	418	}
	419
	420	if ( ! ie )
	421	return -ENOENT;
	422
	423	if ( ie->len - 6u > sizeof ( ctx->gtk.tk ) ) {
	424	DBGC ( ctx, "WPA %p: GTK KDE is too long (%d bytes, max %d)\n",
	425	ctx, ie->len - 4, sizeof ( ctx->gtk.tk ) );
	426	return -EINVAL;
	427	}
	428
	429	/* XXX We ignore key ID for now. */
	430	kde = ( struct wpa_kde * ) ie;
	431	memcpy ( &ctx->gtk.tk, &kde->gtk_encap.gtk, kde->len - 6 );
	432
	433	return wpa_install_gtk ( ctx, kde->len - 6, rsc );
	434	}
	435
	436
	437	/**
	438	* Allocate I/O buffer for construction of outgoing EAPOL-Key frame
	439	*
	440	* @v kdlen Maximum number of bytes in the Key Data field
	441	* @ret iob Newly allocated I/O buffer
	442	*
	443	* The returned buffer will have space reserved for the link-layer and
	444	* EAPOL headers, and will have @c iob->tail pointing to the start of
	445	* the Key Data field. Thus, it is necessary to use iob_put() in
	446	* filling the Key Data.
	447	*/
	448	static struct io_buffer * wpa_alloc_frame ( int kdlen )
	449	{
	450	struct io_buffer *ret = alloc_iob ( sizeof ( struct eapol_key_pkt ) +
	451	kdlen + EAPOL_HDR_LEN +
	452	MAX_LL_HEADER_LEN );
	453	if ( ! ret )
	454	return NULL;
	455
	456	iob_reserve ( ret, MAX_LL_HEADER_LEN + EAPOL_HDR_LEN );
	457	memset ( iob_put ( ret, sizeof ( struct eapol_key_pkt ) ), 0,
	458	sizeof ( struct eapol_key_pkt ) );
	459
	460	return ret;
	461	}
	462
	463
	464	/**
	465	* Send EAPOL-Key packet
	466	*
	467	* @v iob I/O buffer, with sufficient headroom for headers
	468	* @v dev 802.11 device
	469	* @v kie Key integrity and encryption handler
	470	* @v is_rsn If TRUE, handshake uses new RSN format
	471	* @ret rc Return status code
	472	*
	473	* If a KIE is specified, the MIC will be filled in before transmission.
	474	*/
	475	static int wpa_send_eapol ( struct io_buffer iob, struct wpa_common_ctx ctx,
	476	struct wpa_kie *kie )
	477	{
	478	struct eapol_key_pkt *pkt = iob->data;
	479	struct eapol_frame *eapol = iob_push ( iob, EAPOL_HDR_LEN );
	480
	481	pkt->info = htons ( pkt->info );
	482	pkt->keysize = htons ( pkt->keysize );
	483	pkt->datalen = htons ( pkt->datalen );
	484	pkt->replay = cpu_to_be64 ( pkt->replay );
	485	eapol->version = EAPOL_THIS_VERSION;
	486	eapol->type = EAPOL_TYPE_KEY;
	487	eapol->length = htons ( iob->tail - iob->data - sizeof ( *eapol ) );
	488
	489	memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
	490	if ( kie )
	491	kie->mic ( &ctx->ptk.kck, eapol, EAPOL_HDR_LEN +
	492	sizeof ( *pkt ) + ntohs ( pkt->datalen ),
	493	pkt->mic );
	494
	495	return net_tx ( iob, ctx->dev->netdev, &eapol_protocol,
	496	ctx->dev->bssid );
	497	}
	498
	499
	500	/**
	501	* Send second frame in 4-Way Handshake
	502	*
	503	* @v ctx WPA common context
	504	* @v pkt First frame, to which this is a reply
	505	* @v is_rsn If TRUE, handshake uses new RSN format
	506	* @v kie Key integrity and encryption handler
	507	* @ret rc Return status code
	508	*/
	509	static int wpa_send_2_of_4 ( struct wpa_common_ctx *ctx,
	510	struct eapol_key_pkt *pkt, int is_rsn,
	511	struct wpa_kie *kie )
	512	{
	513	struct io_buffer *iob = wpa_alloc_frame ( ctx->dev->rsn_ie->len + 2 );
	514	struct eapol_key_pkt *npkt;
	515
	516	if ( ! iob )
	517	return -ENOMEM;
	518
	519	npkt = iob->data;
	520	memcpy ( npkt, pkt, sizeof ( *pkt ) );
	521	npkt->info &= ~EAPOL_KEY_INFO_KEY_ACK;
	522	npkt->info \|= EAPOL_KEY_INFO_KEY_MIC;
	523	if ( is_rsn )
	524	npkt->keysize = 0;
	525	memcpy ( npkt->nonce, ctx->Snonce, sizeof ( npkt->nonce ) );
	526	npkt->datalen = ctx->dev->rsn_ie->len + 2;
	527	memcpy ( iob_put ( iob, npkt->datalen ), ctx->dev->rsn_ie,
	528	npkt->datalen );
	529
	530	DBGC ( ctx, "WPA %p: sending 2/4\n", ctx );
	531
	532	return wpa_send_eapol ( iob, ctx, kie );
	533	}
	534
	535
	536	/**
	537	* Handle receipt of first frame in 4-Way Handshake
	538	*
	539	* @v ctx WPA common context
	540	* @v pkt EAPOL-Key packet
	541	* @v is_rsn If TRUE, frame uses new RSN format
	542	* @v kie Key integrity and encryption handler
	543	* @ret rc Return status code
	544	*/
	545	static int wpa_handle_1_of_4 ( struct wpa_common_ctx *ctx,
	546	struct eapol_key_pkt *pkt, int is_rsn,
	547	struct wpa_kie *kie )
	548	{
	549	int rc;
	550
	551	if ( ctx->state == WPA_WAITING )
	552	return -EINVAL;
	553
	554	ctx->state = WPA_WORKING;
	555	memcpy ( ctx->Anonce, pkt->nonce, sizeof ( ctx->Anonce ) );
	556	if ( ! ctx->have_Snonce ) {
	557	get_random_bytes ( ctx->Snonce, sizeof ( ctx->Snonce ) );
	558	ctx->have_Snonce = 1;
	559	}
	560
	561	if ( is_rsn && pkt->datalen ) {
	562	union ieee80211_ie ie = ( union ieee80211_ie ) pkt->data;
	563	void *ie_end = pkt->data + pkt->datalen;
	564
	565	if ( ! ieee80211_ie_bound ( ie, ie_end ) ) {
	566	DBGC ( ctx, "WPA %p: malformed PMKID KDE\n", ctx );
	567	return wpa_fail ( ctx, -EINVAL );
	568	}
	569
	570	while ( ie ) {
	571	if ( ie->id == IEEE80211_IE_VENDOR &&
	572	ie->vendor.oui == WPA_KDE_PMKID ) {
	573	rc = wpa_check_pmkid ( ctx, ie->vendor.data );
	574	if ( rc < 0 ) {
	575	DBGC ( ctx, "WPA %p ALERT: PMKID "
	576	"mismatch in 1/4\n", ctx );
	577	return wpa_fail ( ctx, rc );
	578	}
	579	}
	580
	581	ie = ieee80211_next_ie ( ie, ie_end );
	582	}
	583	}
	584
	585	DBGC ( ctx, "WPA %p: received 1/4, looks OK\n", ctx );
	586
	587	wpa_derive_ptk ( ctx );
	588
	589	return wpa_send_2_of_4 ( ctx, pkt, is_rsn, kie );
	590	}
	591
	592
	593	/**
	594	* Send fourth frame in 4-Way Handshake, or second in Group Key Handshake
	595	*
	596	* @v ctx WPA common context
	597	* @v pkt EAPOL-Key packet for frame to which we're replying
	598	* @v is_rsn If TRUE, frame uses new RSN format
	599	* @v kie Key integrity and encryption handler
	600	* @ret rc Return status code
	601	*/
	602	static int wpa_send_final ( struct wpa_common_ctx *ctx,
	603	struct eapol_key_pkt *pkt, int is_rsn,
	604	struct wpa_kie *kie )
	605	{
	606	struct io_buffer *iob = wpa_alloc_frame ( 0 );
	607	struct eapol_key_pkt *npkt;
	608
	609	if ( ! iob )
	610	return -ENOMEM;
	611
	612	npkt = iob->data;
	613	memcpy ( npkt, pkt, sizeof ( *pkt ) );
	614	npkt->info &= ~( EAPOL_KEY_INFO_KEY_ACK \| EAPOL_KEY_INFO_INSTALL \|
	615	EAPOL_KEY_INFO_KEY_ENC );
	616	if ( is_rsn )
	617	npkt->keysize = 0;
	618	memset ( npkt->nonce, 0, sizeof ( npkt->nonce ) );
	619	memset ( npkt->iv, 0, sizeof ( npkt->iv ) );
	620	npkt->datalen = 0;
	621
	622	if ( npkt->info & EAPOL_KEY_INFO_TYPE )
	623	DBGC ( ctx, "WPA %p: sending 4/4\n", ctx );
	624	else
	625	DBGC ( ctx, "WPA %p: sending 2/2\n", ctx );
	626
	627	return wpa_send_eapol ( iob, ctx, kie );
	628
	629	}
	630
	631
	632	/**
	633	* Handle receipt of third frame in 4-Way Handshake
	634	*
	635	* @v ctx WPA common context
	636	* @v pkt EAPOL-Key packet
	637	* @v is_rsn If TRUE, frame uses new RSN format
	638	* @v kie Key integrity and encryption handler
	639	* @ret rc Return status code
	640	*/
	641	static int wpa_handle_3_of_4 ( struct wpa_common_ctx *ctx,
	642	struct eapol_key_pkt *pkt, int is_rsn,
	643	struct wpa_kie *kie )
	644	{
	645	int rc;
	646	u8 this_rsn, this_rsn_end;
	647	u8 new_rsn, new_rsn_end;
	648	int this_is_rsn, new_is_rsn;
	649
	650	if ( ctx->state == WPA_WAITING )
	651	return -EINVAL;
	652
	653	ctx->state = WPA_WORKING;
	654
	655	/* Check nonce */
	656	if ( memcmp ( ctx->Anonce, pkt->nonce, WPA_NONCE_LEN ) != 0 ) {
	657	DBGC ( ctx, "WPA %p ALERT: nonce mismatch in 3/4\n", ctx );
	658	return wpa_fail ( ctx, -EACCES );
	659	}
	660
	661	/* Check RSN IE */
	662	this_rsn = sec80211_find_rsn ( ( union ieee80211_ie * ) pkt->data,
	663	pkt->data + pkt->datalen,
	664	&this_is_rsn, &this_rsn_end );
	665	if ( this_rsn )
	666	new_rsn = sec80211_find_rsn ( ( union ieee80211_ie * )
	667	this_rsn_end,
	668	pkt->data + pkt->datalen,
	669	&new_is_rsn, &new_rsn_end );
	670	else
	671	new_rsn = NULL;
	672
	673	if ( ! ctx->ap_rsn_ie \|\| ! this_rsn \|\|
	674	ctx->ap_rsn_ie_len != ( this_rsn_end - this_rsn ) \|\|
	675	ctx->ap_rsn_is_rsn != this_is_rsn \|\|
	676	memcmp ( ctx->ap_rsn_ie, this_rsn, ctx->ap_rsn_ie_len ) != 0 ) {
	677	DBGC ( ctx, "WPA %p ALERT: RSN mismatch in 3/4\n", ctx );
	678	DBGC2 ( ctx, "WPA %p RSNs (in 3/4, in beacon):\n", ctx );
	679	DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
	680	DBGC2_HD ( ctx, ctx->ap_rsn_ie, ctx->ap_rsn_ie_len );
	681	return wpa_fail ( ctx, -EACCES );
	682	}
	683
	684	/* Don't switch if they just supplied both styles of IE
	685	simultaneously; we need two RSN IEs or two WPA IEs to
	686	switch ciphers. They'll be immediately consecutive because
	687	of ordering guarantees. */
	688	if ( new_rsn && this_is_rsn == new_is_rsn ) {
	689	struct net80211_wlan *assoc = ctx->dev->associating;
	690	DBGC ( ctx, "WPA %p: accommodating bait-and-switch tactics\n",
	691	ctx );
	692	DBGC2 ( ctx, "WPA %p RSNs (in 3/4+beacon, new in 3/4):\n",
	693	ctx );
	694	DBGC2_HD ( ctx, this_rsn, this_rsn_end - this_rsn );
	695	DBGC2_HD ( ctx, new_rsn, new_rsn_end - new_rsn );
	696
	697	if ( ( rc = sec80211_detect_ie ( new_is_rsn, new_rsn,
	698	new_rsn_end,
	699	&assoc->handshaking,
	700	&assoc->crypto ) ) != 0 )
	701	DBGC ( ctx, "WPA %p: bait-and-switch invalid, staying "
	702	"with original request\n", ctx );
	703	} else {
	704	new_rsn = this_rsn;
	705	new_is_rsn = this_is_rsn;
	706	new_rsn_end = this_rsn_end;
	707	}
	708
	709	/* Grab group cryptosystem ID */
	710	ctx->gcrypt = sec80211_rsn_get_net80211_crypt ( ( u32 )
	711	( new_rsn + 2 ) );
	712
	713	/* Check for a GTK, if info field is encrypted */
	714	if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
	715	rc = wpa_maybe_install_gtk ( ctx,
	716	( union ieee80211_ie * ) pkt->data,
	717	pkt->data + pkt->datalen,
	718	pkt->rsc );
	719	if ( rc < 0 ) {
	720	DBGC ( ctx, "WPA %p did not install GTK in 3/4: %s\n",
	721	ctx, strerror ( rc ) );
	722	if ( rc != -ENOENT )
	723	return wpa_fail ( ctx, rc );
	724	}
	725	}
	726
	727	DBGC ( ctx, "WPA %p: received 3/4, looks OK\n", ctx );
	728
	729	/* Send final message */
	730	rc = wpa_send_final ( ctx, pkt, is_rsn, kie );
	731	if ( rc < 0 )
	732	return wpa_fail ( ctx, rc );
	733
	734	/* Install PTK */
	735	rc = wpa_install_ptk ( ctx, pkt->keysize );
	736	if ( rc < 0 ) {
	737	DBGC ( ctx, "WPA %p failed to install PTK: %s\n", ctx,
	738	strerror ( rc ) );
	739	return wpa_fail ( ctx, rc );
	740	}
	741
	742	/* Mark us as needing a new Snonce if we rekey */
	743	ctx->have_Snonce = 0;
	744
	745	/* Done! */
	746	ctx->state = WPA_SUCCESS;
	747	return 0;
	748	}
	749
	750
	751	/**
	752	* Handle receipt of first frame in Group Key Handshake
	753	*
	754	* @v ctx WPA common context
	755	* @v pkt EAPOL-Key packet
	756	* @v is_rsn If TRUE, frame uses new RSN format
	757	* @v kie Key integrity and encryption handler
	758	* @ret rc Return status code
	759	*/
	760	static int wpa_handle_1_of_2 ( struct wpa_common_ctx *ctx,
	761	struct eapol_key_pkt *pkt, int is_rsn,
	762	struct wpa_kie *kie )
	763	{
	764	int rc;
	765
	766	/*
	767	* WPA and RSN do this completely differently.
	768	*
	769	* The idea of encoding the GTK (or PMKID, or various other
	770	* things) into a KDE that looks like an information element
	771	* is an RSN innovation; old WPA code never encapsulates
	772	* things like that. If it looks like an info element, it
	773	* really is (for the WPA IE check in frames 2/4 and 3/4). The
	774	* "key data encrypted" bit in the info field is also specific
	775	* to RSN.
	776	*
	777	* So from an old WPA host, 3/4 does not contain an
	778	* encapsulated GTK. The first frame of the GK handshake
	779	* contains it, encrypted, but without a KDE wrapper, and with
	780	* the key ID field (which gPXE doesn't use) shoved away in
	781	* the reserved bits in the info field, and the TxRx bit
	782	* stealing the Install bit's spot.
	783	*/
	784
	785	if ( is_rsn && ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) ) {
	786	rc = wpa_maybe_install_gtk ( ctx,
	787	( union ieee80211_ie * ) pkt->data,
	788	pkt->data + pkt->datalen,
	789	pkt->rsc );
	790	if ( rc < 0 ) {
	791	DBGC ( ctx, "WPA %p: failed to install GTK in 1/2: "
	792	"%s\n", ctx, strerror ( rc ) );
	793	return wpa_fail ( ctx, rc );
	794	}
	795	} else {
	796	rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
	797	&pkt->datalen );
	798	if ( rc < 0 ) {
	799	DBGC ( ctx, "WPA %p: failed to decrypt GTK: %s\n",
	800	ctx, strerror ( rc ) );
	801	return rc; /* non-fatal */
	802	}
	803	if ( pkt->datalen > sizeof ( ctx->gtk.tk ) ) {
	804	DBGC ( ctx, "WPA %p: too much GTK data (%d > %d)\n",
	805	ctx, pkt->datalen, sizeof ( ctx->gtk.tk ) );
	806	return wpa_fail ( ctx, -EINVAL );
	807	}
	808
	809	memcpy ( &ctx->gtk.tk, pkt->data, pkt->datalen );
	810	wpa_install_gtk ( ctx, pkt->datalen, pkt->rsc );
	811	}
	812
	813	DBGC ( ctx, "WPA %p: received 1/2, looks OK\n", ctx );
	814
	815	return wpa_send_final ( ctx, pkt, is_rsn, kie );
	816	}
	817
	818
	819	/**
	820	* Handle receipt of EAPOL-Key frame for WPA
	821	*
	822	* @v iob I/O buffer
	823	* @v netdev Network device
	824	* @v ll_source Source link-layer address
	825	*/
	826	static int eapol_key_rx ( struct io_buffer iob, struct net_device netdev,
	827	const void *ll_source )
	828	{
	829	struct net80211_device *dev = net80211_get ( netdev );
	830	struct eapol_key_pkt *pkt = iob->data;
	831	int is_rsn, found_ctx;
	832	struct wpa_common_ctx *ctx;
	833	int rc = 0;
	834	struct wpa_kie *kie;
	835	u8 their_mic[16], our_mic[16];
	836
	837	if ( pkt->type != EAPOL_KEY_TYPE_WPA &&
	838	pkt->type != EAPOL_KEY_TYPE_RSN ) {
	839	DBG ( "EAPOL-Key: packet not of 802.11 type\n" );
	840	rc = -EINVAL;
	841	goto drop;
	842	}
	843
	844	is_rsn = ( pkt->type == EAPOL_KEY_TYPE_RSN );
	845
	846	if ( ! dev ) {
	847	DBG ( "EAPOL-Key: packet not from 802.11\n" );
	848	rc = -EINVAL;
	849	goto drop;
	850	}
	851
	852	if ( memcmp ( dev->bssid, ll_source, ETH_ALEN ) != 0 ) {
	853	DBG ( "EAPOL-Key: packet not from associated AP\n" );
	854	rc = -EINVAL;
	855	goto drop;
	856	}
	857
	858	if ( ! ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_ACK ) ) {
	859	DBG ( "EAPOL-Key: packet sent in wrong direction\n" );
	860	rc = -EINVAL;
	861	goto drop;
	862	}
	863
	864	found_ctx = 0;
	865	list_for_each_entry ( ctx, &wpa_contexts, list ) {
	866	if ( ctx->dev == dev ) {
	867	found_ctx = 1;
	868	break;
	869	}
	870	}
	871
	872	if ( ! found_ctx ) {
	873	DBG ( "EAPOL-Key: no WPA context to handle packet for %p\n",
	874	dev );
	875	rc = -ENOENT;
	876	goto drop;
	877	}
	878
	879	if ( ( void * ) ( pkt + 1 ) + ntohs ( pkt->datalen ) > iob->tail ) {
	880	DBGC ( ctx, "WPA %p: packet truncated (has %d extra bytes, "
	881	"states %d)\n", ctx, iob->tail - ( void * ) ( pkt + 1 ),
	882	ntohs ( pkt->datalen ) );
	883	rc = -EINVAL;
	884	goto drop;
	885	}
	886
	887	/* Get a handle on key integrity/encryption handler */
	888	kie = wpa_find_kie ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
	889	if ( ! kie ) {
	890	DBGC ( ctx, "WPA %p: no support for packet version %d\n", ctx,
	891	ntohs ( pkt->info ) & EAPOL_KEY_INFO_VERSION );
	892	rc = wpa_fail ( ctx, -ENOTSUP );
	893	goto drop;
	894	}
	895
	896	/* Check MIC */
	897	if ( ntohs ( pkt->info ) & EAPOL_KEY_INFO_KEY_MIC ) {
	898	memcpy ( their_mic, pkt->mic, sizeof ( pkt->mic ) );
	899	memset ( pkt->mic, 0, sizeof ( pkt->mic ) );
	900	kie->mic ( &ctx->ptk.kck, ( void * ) pkt - EAPOL_HDR_LEN,
	901	EAPOL_HDR_LEN + sizeof ( *pkt ) +
	902	ntohs ( pkt->datalen ), our_mic );
	903	DBGC2 ( ctx, "WPA %p MIC comparison (theirs, ours):\n", ctx );
	904	DBGC2_HD ( ctx, their_mic, 16 );
	905	DBGC2_HD ( ctx, our_mic, 16 );
	906	if ( memcmp ( their_mic, our_mic, sizeof ( pkt->mic ) ) != 0 ) {
	907	DBGC ( ctx, "WPA %p: EAPOL MIC failure\n", ctx );
	908	goto drop;
	909	}
	910	}
	911
	912	/* Fix byte order to local */
	913	pkt->info = ntohs ( pkt->info );
	914	pkt->keysize = ntohs ( pkt->keysize );
	915	pkt->datalen = ntohs ( pkt->datalen );
	916	pkt->replay = be64_to_cpu ( pkt->replay );
	917
	918	/* Check replay counter */
	919	if ( ctx->replay != ~0ULL && ctx->replay >= pkt->replay ) {
	920	DBGC ( ctx, "WPA %p ALERT: Replay detected! "
	921	"(%08x:%08x >= %08x:%08x)\n", ctx,
	922	( u32 ) ( ctx->replay >> 32 ), ( u32 ) ctx->replay,
	923	( u32 ) ( pkt->replay >> 32 ), ( u32 ) pkt->replay );
	924	rc = 0; /* ignore without error */
	925	goto drop;
	926	}
	927	ctx->replay = pkt->replay;
	928
	929	/* Decrypt key data */
	930	if ( pkt->info & EAPOL_KEY_INFO_KEY_ENC ) {
	931	rc = kie->decrypt ( &ctx->ptk.kek, pkt->iv, pkt->data,
	932	&pkt->datalen );
	933	if ( rc < 0 ) {
	934	DBGC ( ctx, "WPA %p: failed to decrypt packet: %s\n",
	935	ctx, strerror ( rc ) );
	936	goto drop;
	937	}
	938	}
	939
	940	/* Hand it off to appropriate handler */
	941	switch ( pkt->info & ( EAPOL_KEY_INFO_TYPE \|
	942	EAPOL_KEY_INFO_KEY_MIC ) ) {
	943	case EAPOL_KEY_TYPE_PTK:
	944	rc = wpa_handle_1_of_4 ( ctx, pkt, is_rsn, kie );
	945	break;
	946
	947	case EAPOL_KEY_TYPE_PTK \| EAPOL_KEY_INFO_KEY_MIC:
	948	rc = wpa_handle_3_of_4 ( ctx, pkt, is_rsn, kie );
	949	break;
	950
	951	case EAPOL_KEY_TYPE_GTK \| EAPOL_KEY_INFO_KEY_MIC:
	952	rc = wpa_handle_1_of_2 ( ctx, pkt, is_rsn, kie );
	953	break;
	954
	955	default:
	956	DBGC ( ctx, "WPA %p: Invalid combination of key flags %04x\n",
	957	ctx, pkt->info );
	958	rc = -EINVAL;
	959	break;
	960	}
	961
	962	drop:
	963	free_iob ( iob );
	964	return rc;
	965	}
	966
	967	struct eapol_handler eapol_key_handler __eapol_handler = {
	968	.type = EAPOL_TYPE_KEY,
	969	.rx = eapol_key_rx,
	970	};
	971
	972	/* WPA always needs EAPOL in order to be useful */
	973	REQUIRE_OBJECT ( eapol );

Note: See TracBrowser for help on using the repository browser.

Download in other formats: