aboutsummaryrefslogtreecommitdiffstats
path: root/gpxe/src/include/gpxe/wpa.h
diff options
context:
space:
mode:
Diffstat (limited to 'gpxe/src/include/gpxe/wpa.h')
-rw-r--r--gpxe/src/include/gpxe/wpa.h503
1 files changed, 503 insertions, 0 deletions
diff --git a/gpxe/src/include/gpxe/wpa.h b/gpxe/src/include/gpxe/wpa.h
new file mode 100644
index 00000000..a7f19d71
--- /dev/null
+++ b/gpxe/src/include/gpxe/wpa.h
@@ -0,0 +1,503 @@
+/*
+ * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _GPXE_WPA_H
+#define _GPXE_WPA_H
+
+#include <gpxe/ieee80211.h>
+#include <gpxe/list.h>
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+/** @file
+ *
+ * Common definitions for all types of WPA-protected networks.
+ */
+
+
+/** EAPOL-Key type field for modern 802.11i/RSN WPA packets */
+#define EAPOL_KEY_TYPE_RSN 2
+
+/** Old EAPOL-Key type field used by WPA1 hardware before 802.11i ratified */
+#define EAPOL_KEY_TYPE_WPA 254
+
+
+/**
+ * @defgroup eapol_key_info EAPOL-Key Info field bits
+ * @{
+ */
+
+/** Key descriptor version, indicating WPA or WPA2 */
+#define EAPOL_KEY_INFO_VERSION 0x0007
+
+/** Key type bit, indicating pairwise or group */
+#define EAPOL_KEY_INFO_TYPE 0x0008
+
+/** Key install bit; set on message 3 except when legacy hacks are used */
+#define EAPOL_KEY_INFO_INSTALL 0x0040
+
+/** Key ACK bit; set when a response is required, on all messages except #4 */
+#define EAPOL_KEY_INFO_KEY_ACK 0x0080
+
+/** Key MIC bit; set when the MIC field is valid, on messages 3 and 4 */
+#define EAPOL_KEY_INFO_KEY_MIC 0x0100
+
+/** Secure bit; set when both sides have both keys, on messages 3 and 4 */
+#define EAPOL_KEY_INFO_SECURE 0x0200
+
+/** Error bit; set on a MIC failure for TKIP */
+#define EAPOL_KEY_INFO_ERROR 0x0400
+
+/** Request bit; set when authentication is initiated by the Peer (unusual) */
+#define EAPOL_KEY_INFO_REQUEST 0x0800
+
+/** Key Encrypted bit; set when the Key Data field is encrypted */
+#define EAPOL_KEY_INFO_KEY_ENC 0x1000
+
+/** SMC Message bit; set when this frame is part of an IBSS SMK handshake */
+#define EAPOL_KEY_INFO_SMC_MESS 0x2000
+
+
+/** Key descriptor version field value for WPA (TKIP) */
+#define EAPOL_KEY_VERSION_WPA 1
+
+/** Key descriptor version field value for WPA2 (CCMP) */
+#define EAPOL_KEY_VERSION_WPA2 2
+
+/** Key type field value for a PTK (pairwise) key handshake */
+#define EAPOL_KEY_TYPE_PTK 0x0008
+
+/** Key type field value for a GTK (group) key handshake */
+#define EAPOL_KEY_TYPE_GTK 0x0000
+
+/** @} */
+
+
+
+/** An EAPOL-Key packet.
+ *
+ * These are used for the WPA 4-Way Handshake, whether or not prior
+ * authentication has been performed using EAP.
+ *
+ * On LANs, an eapol_key_pkt is always encapsulated in the data field
+ * of an eapol_frame, with the frame's type code set to EAPOL_TYPE_KEY.
+ *
+ * Unlike 802.11 frame headers, the fields in this structure are
+ * stored in big-endian!
+ */
+struct eapol_key_pkt
+{
+ /** One of the EAPOL_KEY_TYPE_* defines. */
+ u8 type;
+
+ /** Bitfield of key characteristics, network byte order */
+ u16 info;
+
+ /** Length of encryption key to be used, network byte order
+ *
+ * This is 16 for CCMP, 32 for TKIP, and 5 or 13 for WEP.
+ */
+ u16 keysize;
+
+ /** Monotonically increasing value for EAPOL-Key conversations
+ *
+ * In another classic demonstration of overengineering, this
+ * 8-byte value will rarely be anything above 1. It's stored
+ * in network byte order.
+ */
+ u64 replay;
+
+ /** Nonce value
+ *
+ * This is the authenticator's ANonce in frame 1, the peer's
+ * SNonce in frame 2, and 0 in frames 3 and 4.
+ */
+ u8 nonce[32];
+
+ /** Initialization vector
+ *
+ * This contains the IV used with the Key Encryption Key, or 0
+ * if the key is unencrypted or encrypted using an algorithm
+ * that does not require an IV.
+ */
+ u8 iv[16];
+
+ /** Receive sequence counter for GTK
+ *
+ * This is used to synchronize the client's replay counter for
+ * ordinary data packets. The first six bytes contain PN0
+ * through PN5 for CCMP mode, or TSC0 through TSC5 for TKIP
+ * mode. The last two bytes are zero.
+ */
+ u8 rsc[8];
+
+ /** Reserved bytes */
+ u8 _reserved[8];
+
+ /** Message integrity code over the entire EAPOL frame
+ *
+ * This is calculated using HMAC-MD5 when the key descriptor
+ * version field in @a info is 1, and HMAC-SHA1 ignoring the
+ * last 4 bytes of the hash when the version field in @a info
+ * is 2.
+ */
+ u8 mic[16];
+
+ /** Length of the @a data field in bytes, network byte order */
+ u16 datalen;
+
+ /** Key data
+ *
+ * This is formatted as a series of 802.11 information
+ * elements, with cryptographic data encapsulated using a
+ * "vendor-specific IE" code and an IEEE-specified OUI.
+ */
+ u8 data[0];
+} __attribute__ (( packed ));
+
+
+/** WPA handshaking state */
+enum wpa_state {
+ /** Waiting for PMK to be set */
+ WPA_WAITING = 0,
+
+ /** Ready for 4-Way Handshake */
+ WPA_READY,
+
+ /** Performing 4-Way Handshake */
+ WPA_WORKING,
+
+ /** 4-Way Handshake succeeded */
+ WPA_SUCCESS,
+
+ /** 4-Way Handshake failed */
+ WPA_FAILURE,
+};
+
+/** Bitfield indicating a selection of WPA transient keys */
+enum wpa_keymask {
+ /** Pairwise transient key */
+ WPA_PTK = 1,
+
+ /** Group transient key */
+ WPA_GTK = 2,
+};
+
+
+/** Length of a nonce */
+#define WPA_NONCE_LEN 32
+
+/** Length of a TKIP main key */
+#define WPA_TKIP_KEY_LEN 16
+
+/** Length of a TKIP MIC key */
+#define WPA_TKIP_MIC_KEY_LEN 8
+
+/** Length of a CCMP key */
+#define WPA_CCMP_KEY_LEN 16
+
+/** Length of an EAPOL Key Confirmation Key */
+#define WPA_KCK_LEN 16
+
+/** Length of an EAPOL Key Encryption Key */
+#define WPA_KEK_LEN 16
+
+/** Usual length of a Pairwise Master Key */
+#define WPA_PMK_LEN 32
+
+/** Length of a PMKID */
+#define WPA_PMKID_LEN 16
+
+
+/** Structure of the Temporal Key for TKIP encryption */
+struct tkip_tk
+{
+ /** Main key: input to TKIP Phase 1 and Phase 2 key mixing functions */
+ u8 key[WPA_TKIP_KEY_LEN];
+
+ /** Michael MIC keys */
+ struct {
+ /** MIC key for packets from the AP */
+ u8 rx[WPA_TKIP_MIC_KEY_LEN];
+
+ /** MIC key for packets to the AP */
+ u8 tx[WPA_TKIP_MIC_KEY_LEN];
+ } __attribute__ (( packed )) mic;
+} __attribute__ (( packed ));
+
+/** Structure of a generic Temporal Key */
+union wpa_tk
+{
+ /** CCMP key */
+ u8 ccmp[WPA_CCMP_KEY_LEN];
+
+ /** TKIP keys */
+ struct tkip_tk tkip;
+};
+
+/** Structure of the Pairwise Transient Key */
+struct wpa_ptk
+{
+ /** EAPOL-Key Key Confirmation Key (KCK) */
+ u8 kck[WPA_KCK_LEN];
+
+ /** EAPOL-Key Key Encryption Key (KEK) */
+ u8 kek[WPA_KEK_LEN];
+
+ /** Temporal key */
+ union wpa_tk tk;
+} __attribute__ (( packed ));
+
+/** Structure of the Group Transient Key */
+struct wpa_gtk
+{
+ /** Temporal key */
+ union wpa_tk tk;
+} __attribute__ (( packed ));
+
+
+/** Common context for WPA security handshaking
+ *
+ * Any implementor of a particular handshaking type (e.g. PSK or EAP)
+ * must include this structure at the very beginning of their private
+ * data context structure, to allow the EAPOL-Key handling code to
+ * work. When the preliminary authentication is done, it is necessary
+ * to call wpa_start(), passing the PMK (derived from PSK or EAP MSK)
+ * as an argument. The handshaker can use its @a step function to
+ * monitor @a state in this wpa_ctx structure for success or
+ * failure. On success, the keys will be available in @a ptk and @a
+ * gtk according to the state of the @a valid bitmask.
+ *
+ * After an initial success, the parent handshaker does not need to
+ * concern itself with rekeying; the WPA common code takes care of
+ * that.
+ */
+struct wpa_common_ctx
+{
+ /** 802.11 device we are authenticating for */
+ struct net80211_device *dev;
+
+ /** The Pairwise Master Key to use in handshaking
+ *
+ * This is set either by running the PBKDF2 algorithm on a
+ * passphrase with the SSID as salt to generate a pre-shared
+ * key, or by copying the first 32 bytes of the EAP Master
+ * Session Key in 802.1X-served authentication.
+ */
+ u8 pmk[WPA_PMK_LEN];
+
+ /** Length of the Pairwise Master Key
+ *
+ * This is always 32 except with one EAP method which only
+ * gives 16 bytes.
+ */
+ int pmk_len;
+
+ /** State of EAPOL-Key handshaking */
+ enum wpa_state state;
+
+ /** Replay counter for this association
+ *
+ * This stores the replay counter value for the most recent
+ * packet we've accepted. It is initially initialised to ~0 to
+ * show we'll accept anything.
+ */
+ u64 replay;
+
+ /** Mask of valid keys after authentication success
+ *
+ * If the PTK is not valid, the GTK should be used for both
+ * unicast and multicast decryption; if the GTK is not valid,
+ * multicast packets cannot be decrypted.
+ */
+ enum wpa_keymask valid;
+
+ /** The cipher to use for unicast RX and all TX */
+ enum net80211_crypto_alg crypt;
+
+ /** The cipher to use for broadcast and multicast RX */
+ enum net80211_crypto_alg gcrypt;
+
+ /** The Pairwise Transient Key derived from the handshake */
+ struct wpa_ptk ptk;
+
+ /** The Group Transient Key derived from the handshake */
+ struct wpa_gtk gtk;
+
+ /** Authenticator-provided nonce */
+ u8 Anonce[WPA_NONCE_LEN];
+
+ /** Supplicant-generated nonce (that's us) */
+ u8 Snonce[WPA_NONCE_LEN];
+
+ /** Whether we should refrain from generating another SNonce */
+ int have_Snonce;
+
+ /** Data in WPA or RSN IE from AP's beacon frame */
+ void *ap_rsn_ie;
+
+ /** Length of @a ap_rsn_ie */
+ int ap_rsn_ie_len;
+
+ /** Whether @a ap_rsn_ie is an RSN IE (as opposed to old WPA) */
+ int ap_rsn_is_rsn;
+
+ /** List entry */
+ struct list_head list;
+};
+
+
+/** WPA handshake key integrity and encryption handler
+ *
+ * Note that due to the structure of the 4-Way Handshake we never
+ * actually need to encrypt key data, only decrypt it.
+ */
+struct wpa_kie {
+ /** Value of version bits in EAPOL-Key info field for which to use
+ *
+ * This should be one of the @c EAPOL_KEY_VERSION_* constants.
+ */
+ int version;
+
+ /** Calculate MIC over message
+ *
+ * @v kck Key Confirmation Key, 16 bytes
+ * @v msg Message to calculate MIC over
+ * @v len Number of bytes to calculate MIC over
+ * @ret mic Calculated MIC, 16 bytes long
+ *
+ * The @a mic return may point within @a msg, so it must not
+ * be filled until the calculation has been performed.
+ */
+ void ( * mic ) ( const void *kck, const void *msg, size_t len,
+ void *mic );
+
+ /** Decrypt key data
+ *
+ * @v kek Key Encryption Key, 16 bytes
+ * @v iv Initialisation vector for encryption, 16 bytes
+ * @v msg Message to decrypt (Key Data field)
+ * @v len Length of message
+ * @ret msg Decrypted message in place of original
+ * @ret len Updated to reflect encrypted length
+ * @ret rc Return status code
+ *
+ * The decrypted message is written over the encrypted one.
+ */
+ int ( * decrypt ) ( const void *kek, const void *iv, void *msg,
+ u16 *len );
+};
+
+#define WPA_KIES __table ( struct wpa_kie, "wpa_kies" )
+#define __wpa_kie __table_entry ( WPA_KIES, 01 )
+
+
+
+/**
+ * @defgroup wpa_kde Key descriptor element types
+ * @{
+ */
+
+/** Payload structure of the GTK-encapsulating KDE
+ *
+ * This does not include the IE type, length, or OUI bytes, which are
+ * generic to all KDEs.
+ */
+struct wpa_kde_gtk_encap
+{
+ /** Key ID and TX bit */
+ u8 id;
+
+ /** Reserved byte */
+ u8 _rsvd;
+
+ /** Encapsulated group transient key */
+ struct wpa_gtk gtk;
+} __attribute__ (( packed ));
+
+/** Mask for Key ID in wpa_kde_gtk::id field */
+#define WPA_GTK_KID 0x03
+
+/** Mask for Tx bit in wpa_kde_gtk::id field */
+#define WPA_GTK_TXBIT 0x04
+
+
+/** KDE type for an encapsulated Group Transient Key (requires encryption) */
+#define WPA_KDE_GTK _MKOUI ( 0x00, 0x0F, 0xAC, 0x01 )
+
+/** KDE type for a MAC address */
+#define WPA_KDE_MAC _MKOUI ( 0x00, 0x0F, 0xAC, 0x03 )
+
+/** KDE type for a PMKID */
+#define WPA_KDE_PMKID _MKOUI ( 0x00, 0x0F, 0xAC, 0x04 )
+
+/** KDE type for a nonce */
+#define WPA_KDE_NONCE _MKOUI ( 0x00, 0x0F, 0xAC, 0x06 )
+
+/** KDE type for a lifetime value */
+#define WPA_KDE_LIFETIME _MKOUI ( 0x00, 0x0F, 0xAC, 0x07 )
+
+
+/** Any key descriptor element type
+ *
+ * KDEs follow the 802.11 information element format of a type byte
+ * (in this case "vendor-specific", with the requisite OUI+subtype
+ * after length) and a length byte whose value does not include the
+ * length of the type and length bytes.
+ */
+struct wpa_kde
+{
+ /** Information element type: always 0xDD (IEEE80211_IE_VENDOR) */
+ u8 ie_type;
+
+ /** Length, not including ie_type and length fields */
+ u8 len;
+
+ /** OUI + type byte */
+ u32 oui_type;
+
+ /** Payload data */
+ union {
+ /** For GTK-type KDEs, encapsulated GTK */
+ struct wpa_kde_gtk_encap gtk_encap;
+
+ /** For MAC-type KDEs, the MAC address */
+ u8 mac[ETH_ALEN];
+
+ /** For PMKID-type KDEs, the PMKID */
+ u8 pmkid[WPA_PMKID_LEN];
+
+ /** For Nonce-type KDEs, the nonce */
+ u8 nonce[WPA_NONCE_LEN];
+
+ /** For Lifetime-type KDEs, the lifetime in seconds
+ *
+ * This is in network byte order!
+ */
+ u32 lifetime;
+ };
+} __attribute__ (( packed ));
+
+/** @} */
+
+int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie );
+int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx,
+ const void *pmk, size_t pmk_len );
+void wpa_stop ( struct net80211_device *dev );
+
+#endif /* _GPXE_WPA_H */