00001 /* 00002 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>. 00003 * 00004 * This program is free software; you can redistribute it and/or 00005 * modify it under the terms of the GNU General Public License as 00006 * published by the Free Software Foundation; either version 2 of the 00007 * License, or any later version. 00008 * 00009 * This program is distributed in the hope that it will be useful, but 00010 * WITHOUT ANY WARRANTY; without even the implied warranty of 00011 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 00012 * General Public License for more details. 00013 * 00014 * You should have received a copy of the GNU General Public License 00015 * along with this program; if not, write to the Free Software 00016 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 00017 */ 00018 00019 #ifndef _GPXE_WPA_H 00020 #define _GPXE_WPA_H 00021 00022 #include <gpxe/ieee80211.h> 00023 #include <gpxe/list.h> 00024 00025 FILE_LICENCE ( GPL2_OR_LATER ); 00026 00027 /** @file 00028 * 00029 * Common definitions for all types of WPA-protected networks. 00030 */ 00031 00032 00033 /** EAPOL-Key type field for modern 802.11i/RSN WPA packets */ 00034 #define EAPOL_KEY_TYPE_RSN 2 00035 00036 /** Old EAPOL-Key type field used by WPA1 hardware before 802.11i ratified */ 00037 #define EAPOL_KEY_TYPE_WPA 254 00038 00039 00040 /** 00041 * @defgroup eapol_key_info EAPOL-Key Info field bits 00042 * @{ 00043 */ 00044 00045 /** Key descriptor version, indicating WPA or WPA2 */ 00046 #define EAPOL_KEY_INFO_VERSION 0x0007 00047 00048 /** Key type bit, indicating pairwise or group */ 00049 #define EAPOL_KEY_INFO_TYPE 0x0008 00050 00051 /** Key install bit; set on message 3 except when legacy hacks are used */ 00052 #define EAPOL_KEY_INFO_INSTALL 0x0040 00053 00054 /** Key ACK bit; set when a response is required, on all messages except #4 */ 00055 #define EAPOL_KEY_INFO_KEY_ACK 0x0080 00056 00057 /** Key MIC bit; set when the MIC field is valid, on messages 3 and 4 */ 00058 #define EAPOL_KEY_INFO_KEY_MIC 0x0100 00059 00060 /** Secure bit; set when both sides have both keys, on messages 3 and 4 */ 00061 #define EAPOL_KEY_INFO_SECURE 0x0200 00062 00063 /** Error bit; set on a MIC failure for TKIP */ 00064 #define EAPOL_KEY_INFO_ERROR 0x0400 00065 00066 /** Request bit; set when authentication is initiated by the Peer (unusual) */ 00067 #define EAPOL_KEY_INFO_REQUEST 0x0800 00068 00069 /** Key Encrypted bit; set when the Key Data field is encrypted */ 00070 #define EAPOL_KEY_INFO_KEY_ENC 0x1000 00071 00072 /** SMC Message bit; set when this frame is part of an IBSS SMK handshake */ 00073 #define EAPOL_KEY_INFO_SMC_MESS 0x2000 00074 00075 00076 /** Key descriptor version field value for WPA (TKIP) */ 00077 #define EAPOL_KEY_VERSION_WPA 1 00078 00079 /** Key descriptor version field value for WPA2 (CCMP) */ 00080 #define EAPOL_KEY_VERSION_WPA2 2 00081 00082 /** Key type field value for a PTK (pairwise) key handshake */ 00083 #define EAPOL_KEY_TYPE_PTK 0x0008 00084 00085 /** Key type field value for a GTK (group) key handshake */ 00086 #define EAPOL_KEY_TYPE_GTK 0x0000 00087 00088 /** @} */ 00089 00090 00091 00092 /** An EAPOL-Key packet. 00093 * 00094 * These are used for the WPA 4-Way Handshake, whether or not prior 00095 * authentication has been performed using EAP. 00096 * 00097 * On LANs, an eapol_key_pkt is always encapsulated in the data field 00098 * of an eapol_frame, with the frame's type code set to EAPOL_TYPE_KEY. 00099 * 00100 * Unlike 802.11 frame headers, the fields in this structure are 00101 * stored in big-endian! 00102 */ 00103 struct eapol_key_pkt 00104 { 00105 /** One of the EAPOL_KEY_TYPE_* defines. */ 00106 u8 type; 00107 00108 /** Bitfield of key characteristics, network byte order */ 00109 u16 info; 00110 00111 /** Length of encryption key to be used, network byte order 00112 * 00113 * This is 16 for CCMP, 32 for TKIP, and 5 or 13 for WEP. 00114 */ 00115 u16 keysize; 00116 00117 /** Monotonically increasing value for EAPOL-Key conversations 00118 * 00119 * In another classic demonstration of overengineering, this 00120 * 8-byte value will rarely be anything above 1. It's stored 00121 * in network byte order. 00122 */ 00123 u64 replay; 00124 00125 /** Nonce value 00126 * 00127 * This is the authenticator's ANonce in frame 1, the peer's 00128 * SNonce in frame 2, and 0 in frames 3 and 4. 00129 */ 00130 u8 nonce[32]; 00131 00132 /** Initialization vector 00133 * 00134 * This contains the IV used with the Key Encryption Key, or 0 00135 * if the key is unencrypted or encrypted using an algorithm 00136 * that does not require an IV. 00137 */ 00138 u8 iv[16]; 00139 00140 /** Receive sequence counter for GTK 00141 * 00142 * This is used to synchronize the client's replay counter for 00143 * ordinary data packets. The first six bytes contain PN0 00144 * through PN5 for CCMP mode, or TSC0 through TSC5 for TKIP 00145 * mode. The last two bytes are zero. 00146 */ 00147 u8 rsc[8]; 00148 00149 /** Reserved bytes */ 00150 u8 _reserved[8]; 00151 00152 /** Message integrity code over the entire EAPOL frame 00153 * 00154 * This is calculated using HMAC-MD5 when the key descriptor 00155 * version field in @a info is 1, and HMAC-SHA1 ignoring the 00156 * last 4 bytes of the hash when the version field in @a info 00157 * is 2. 00158 */ 00159 u8 mic[16]; 00160 00161 /** Length of the @a data field in bytes, network byte order */ 00162 u16 datalen; 00163 00164 /** Key data 00165 * 00166 * This is formatted as a series of 802.11 information 00167 * elements, with cryptographic data encapsulated using a 00168 * "vendor-specific IE" code and an IEEE-specified OUI. 00169 */ 00170 u8 data[0]; 00171 } __attribute__ (( packed )); 00172 00173 00174 /** WPA handshaking state */ 00175 enum wpa_state { 00176 /** Waiting for PMK to be set */ 00177 WPA_WAITING = 0, 00178 00179 /** Ready for 4-Way Handshake */ 00180 WPA_READY, 00181 00182 /** Performing 4-Way Handshake */ 00183 WPA_WORKING, 00184 00185 /** 4-Way Handshake succeeded */ 00186 WPA_SUCCESS, 00187 00188 /** 4-Way Handshake failed */ 00189 WPA_FAILURE, 00190 }; 00191 00192 /** Bitfield indicating a selection of WPA transient keys */ 00193 enum wpa_keymask { 00194 /** Pairwise transient key */ 00195 WPA_PTK = 1, 00196 00197 /** Group transient key */ 00198 WPA_GTK = 2, 00199 }; 00200 00201 00202 /** Length of a nonce */ 00203 #define WPA_NONCE_LEN 32 00204 00205 /** Length of a TKIP main key */ 00206 #define WPA_TKIP_KEY_LEN 16 00207 00208 /** Length of a TKIP MIC key */ 00209 #define WPA_TKIP_MIC_KEY_LEN 8 00210 00211 /** Length of a CCMP key */ 00212 #define WPA_CCMP_KEY_LEN 16 00213 00214 /** Length of an EAPOL Key Confirmation Key */ 00215 #define WPA_KCK_LEN 16 00216 00217 /** Length of an EAPOL Key Encryption Key */ 00218 #define WPA_KEK_LEN 16 00219 00220 /** Usual length of a Pairwise Master Key */ 00221 #define WPA_PMK_LEN 32 00222 00223 /** Length of a PMKID */ 00224 #define WPA_PMKID_LEN 16 00225 00226 00227 /** Structure of the Temporal Key for TKIP encryption */ 00228 struct tkip_tk 00229 { 00230 /** Main key: input to TKIP Phase 1 and Phase 2 key mixing functions */ 00231 u8 key[WPA_TKIP_KEY_LEN]; 00232 00233 /** Michael MIC keys */ 00234 struct { 00235 /** MIC key for packets from the AP */ 00236 u8 rx[WPA_TKIP_MIC_KEY_LEN]; 00237 00238 /** MIC key for packets to the AP */ 00239 u8 tx[WPA_TKIP_MIC_KEY_LEN]; 00240 } __attribute__ (( packed )) mic; 00241 } __attribute__ (( packed )); 00242 00243 /** Structure of a generic Temporal Key */ 00244 union wpa_tk 00245 { 00246 /** CCMP key */ 00247 u8 ccmp[WPA_CCMP_KEY_LEN]; 00248 00249 /** TKIP keys */ 00250 struct tkip_tk tkip; 00251 }; 00252 00253 /** Structure of the Pairwise Transient Key */ 00254 struct wpa_ptk 00255 { 00256 /** EAPOL-Key Key Confirmation Key (KCK) */ 00257 u8 kck[WPA_KCK_LEN]; 00258 00259 /** EAPOL-Key Key Encryption Key (KEK) */ 00260 u8 kek[WPA_KEK_LEN]; 00261 00262 /** Temporal key */ 00263 union wpa_tk tk; 00264 } __attribute__ (( packed )); 00265 00266 /** Structure of the Group Transient Key */ 00267 struct wpa_gtk 00268 { 00269 /** Temporal key */ 00270 union wpa_tk tk; 00271 } __attribute__ (( packed )); 00272 00273 00274 /** Common context for WPA security handshaking 00275 * 00276 * Any implementor of a particular handshaking type (e.g. PSK or EAP) 00277 * must include this structure at the very beginning of their private 00278 * data context structure, to allow the EAPOL-Key handling code to 00279 * work. When the preliminary authentication is done, it is necessary 00280 * to call wpa_start(), passing the PMK (derived from PSK or EAP MSK) 00281 * as an argument. The handshaker can use its @a step function to 00282 * monitor @a state in this wpa_ctx structure for success or 00283 * failure. On success, the keys will be available in @a ptk and @a 00284 * gtk according to the state of the @a valid bitmask. 00285 * 00286 * After an initial success, the parent handshaker does not need to 00287 * concern itself with rekeying; the WPA common code takes care of 00288 * that. 00289 */ 00290 struct wpa_common_ctx 00291 { 00292 /** 802.11 device we are authenticating for */ 00293 struct net80211_device *dev; 00294 00295 /** The Pairwise Master Key to use in handshaking 00296 * 00297 * This is set either by running the PBKDF2 algorithm on a 00298 * passphrase with the SSID as salt to generate a pre-shared 00299 * key, or by copying the first 32 bytes of the EAP Master 00300 * Session Key in 802.1X-served authentication. 00301 */ 00302 u8 pmk[WPA_PMK_LEN]; 00303 00304 /** Length of the Pairwise Master Key 00305 * 00306 * This is always 32 except with one EAP method which only 00307 * gives 16 bytes. 00308 */ 00309 int pmk_len; 00310 00311 /** State of EAPOL-Key handshaking */ 00312 enum wpa_state state; 00313 00314 /** Replay counter for this association 00315 * 00316 * This stores the replay counter value for the most recent 00317 * packet we've accepted. It is initially initialised to ~0 to 00318 * show we'll accept anything. 00319 */ 00320 u64 replay; 00321 00322 /** Mask of valid keys after authentication success 00323 * 00324 * If the PTK is not valid, the GTK should be used for both 00325 * unicast and multicast decryption; if the GTK is not valid, 00326 * multicast packets cannot be decrypted. 00327 */ 00328 enum wpa_keymask valid; 00329 00330 /** The cipher to use for unicast RX and all TX */ 00331 enum net80211_crypto_alg crypt; 00332 00333 /** The cipher to use for broadcast and multicast RX */ 00334 enum net80211_crypto_alg gcrypt; 00335 00336 /** The Pairwise Transient Key derived from the handshake */ 00337 struct wpa_ptk ptk; 00338 00339 /** The Group Transient Key derived from the handshake */ 00340 struct wpa_gtk gtk; 00341 00342 /** Authenticator-provided nonce */ 00343 u8 Anonce[WPA_NONCE_LEN]; 00344 00345 /** Supplicant-generated nonce (that's us) */ 00346 u8 Snonce[WPA_NONCE_LEN]; 00347 00348 /** Whether we should refrain from generating another SNonce */ 00349 int have_Snonce; 00350 00351 /** Data in WPA or RSN IE from AP's beacon frame */ 00352 void *ap_rsn_ie; 00353 00354 /** Length of @a ap_rsn_ie */ 00355 int ap_rsn_ie_len; 00356 00357 /** Whether @a ap_rsn_ie is an RSN IE (as opposed to old WPA) */ 00358 int ap_rsn_is_rsn; 00359 00360 /** List entry */ 00361 struct list_head list; 00362 }; 00363 00364 00365 /** WPA handshake key integrity and encryption handler 00366 * 00367 * Note that due to the structure of the 4-Way Handshake we never 00368 * actually need to encrypt key data, only decrypt it. 00369 */ 00370 struct wpa_kie { 00371 /** Value of version bits in EAPOL-Key info field for which to use 00372 * 00373 * This should be one of the @c EAPOL_KEY_VERSION_* constants. 00374 */ 00375 int version; 00376 00377 /** Calculate MIC over message 00378 * 00379 * @v kck Key Confirmation Key, 16 bytes 00380 * @v msg Message to calculate MIC over 00381 * @v len Number of bytes to calculate MIC over 00382 * @ret mic Calculated MIC, 16 bytes long 00383 * 00384 * The @a mic return may point within @a msg, so it must not 00385 * be filled until the calculation has been performed. 00386 */ 00387 void ( * mic ) ( const void *kck, const void *msg, size_t len, 00388 void *mic ); 00389 00390 /** Decrypt key data 00391 * 00392 * @v kek Key Encryption Key, 16 bytes 00393 * @v iv Initialisation vector for encryption, 16 bytes 00394 * @v msg Message to decrypt (Key Data field) 00395 * @v len Length of message 00396 * @ret msg Decrypted message in place of original 00397 * @ret len Updated to reflect encrypted length 00398 * @ret rc Return status code 00399 * 00400 * The decrypted message is written over the encrypted one. 00401 */ 00402 int ( * decrypt ) ( const void *kek, const void *iv, void *msg, 00403 u16 *len ); 00404 }; 00405 00406 #define WPA_KIES __table ( struct wpa_kie, "wpa_kies" ) 00407 #define __wpa_kie __table_entry ( WPA_KIES, 01 ) 00408 00409 00410 00411 /** 00412 * @defgroup wpa_kde Key descriptor element types 00413 * @{ 00414 */ 00415 00416 /** Payload structure of the GTK-encapsulating KDE 00417 * 00418 * This does not include the IE type, length, or OUI bytes, which are 00419 * generic to all KDEs. 00420 */ 00421 struct wpa_kde_gtk_encap 00422 { 00423 /** Key ID and TX bit */ 00424 u8 id; 00425 00426 /** Reserved byte */ 00427 u8 _rsvd; 00428 00429 /** Encapsulated group transient key */ 00430 struct wpa_gtk gtk; 00431 } __attribute__ (( packed )); 00432 00433 /** Mask for Key ID in wpa_kde_gtk::id field */ 00434 #define WPA_GTK_KID 0x03 00435 00436 /** Mask for Tx bit in wpa_kde_gtk::id field */ 00437 #define WPA_GTK_TXBIT 0x04 00438 00439 00440 /** KDE type for an encapsulated Group Transient Key (requires encryption) */ 00441 #define WPA_KDE_GTK _MKOUI ( 0x00, 0x0F, 0xAC, 0x01 ) 00442 00443 /** KDE type for a MAC address */ 00444 #define WPA_KDE_MAC _MKOUI ( 0x00, 0x0F, 0xAC, 0x03 ) 00445 00446 /** KDE type for a PMKID */ 00447 #define WPA_KDE_PMKID _MKOUI ( 0x00, 0x0F, 0xAC, 0x04 ) 00448 00449 /** KDE type for a nonce */ 00450 #define WPA_KDE_NONCE _MKOUI ( 0x00, 0x0F, 0xAC, 0x06 ) 00451 00452 /** KDE type for a lifetime value */ 00453 #define WPA_KDE_LIFETIME _MKOUI ( 0x00, 0x0F, 0xAC, 0x07 ) 00454 00455 00456 /** Any key descriptor element type 00457 * 00458 * KDEs follow the 802.11 information element format of a type byte 00459 * (in this case "vendor-specific", with the requisite OUI+subtype 00460 * after length) and a length byte whose value does not include the 00461 * length of the type and length bytes. 00462 */ 00463 struct wpa_kde 00464 { 00465 /** Information element type: always 0xDD (IEEE80211_IE_VENDOR) */ 00466 u8 ie_type; 00467 00468 /** Length, not including ie_type and length fields */ 00469 u8 len; 00470 00471 /** OUI + type byte */ 00472 u32 oui_type; 00473 00474 /** Payload data */ 00475 union { 00476 /** For GTK-type KDEs, encapsulated GTK */ 00477 struct wpa_kde_gtk_encap gtk_encap; 00478 00479 /** For MAC-type KDEs, the MAC address */ 00480 u8 mac[ETH_ALEN]; 00481 00482 /** For PMKID-type KDEs, the PMKID */ 00483 u8 pmkid[WPA_PMKID_LEN]; 00484 00485 /** For Nonce-type KDEs, the nonce */ 00486 u8 nonce[WPA_NONCE_LEN]; 00487 00488 /** For Lifetime-type KDEs, the lifetime in seconds 00489 * 00490 * This is in network byte order! 00491 */ 00492 u32 lifetime; 00493 }; 00494 } __attribute__ (( packed )); 00495 00496 /** @} */ 00497 00498 int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie ); 00499 int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx, 00500 const void *pmk, size_t pmk_len ); 00501 void wpa_stop ( struct net80211_device *dev ); 00502 00503 #endif /* _GPXE_WPA_H */
1.5.7.1