gpxe/src/include/gpxe/wpa.h - platform/external/syslinux - Git at Google

 /*
  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation; either version 2 of the
  * License, or any later version.
  *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  */

 #ifndef _GPXE_WPA_H
 #define _GPXE_WPA_H

 #include <gpxe/ieee80211.h>
 #include <gpxe/list.h>

 FILE_LICENCE ( GPL2_OR_LATER );

 /** @file
  *
  * Common definitions for all types of WPA-protected networks.
  */


 /** EAPOL-Key type field for modern 802.11i/RSN WPA packets */
 #define EAPOL_KEY_TYPE_RSN	2

 /** Old EAPOL-Key type field used by WPA1 hardware before 802.11i ratified */
 #define EAPOL_KEY_TYPE_WPA	254


 /**
  * @defgroup eapol_key_info EAPOL-Key Info field bits
  * @{
  */

 /** Key descriptor version, indicating WPA or WPA2 */
 #define EAPOL_KEY_INFO_VERSION	0x0007

 /** Key type bit, indicating pairwise or group */
 #define EAPOL_KEY_INFO_TYPE	0x0008

 /** Key install bit; set on message 3 except when legacy hacks are used */
 #define EAPOL_KEY_INFO_INSTALL	0x0040

 /** Key ACK bit; set when a response is required, on all messages except #4 */
 #define EAPOL_KEY_INFO_KEY_ACK	0x0080

 /** Key MIC bit; set when the MIC field is valid, on messages 3 and 4 */
 #define EAPOL_KEY_INFO_KEY_MIC	0x0100

 /** Secure bit; set when both sides have both keys, on messages 3 and 4 */
 #define EAPOL_KEY_INFO_SECURE	0x0200

 /** Error bit; set on a MIC failure for TKIP */
 #define EAPOL_KEY_INFO_ERROR	0x0400

 /** Request bit; set when authentication is initiated by the Peer (unusual) */
 #define EAPOL_KEY_INFO_REQUEST	0x0800

 /** Key Encrypted bit; set when the Key Data field is encrypted */
 #define EAPOL_KEY_INFO_KEY_ENC	0x1000

 /** SMC Message bit; set when this frame is part of an IBSS SMK handshake */
 #define EAPOL_KEY_INFO_SMC_MESS	0x2000


 /** Key descriptor version field value for WPA (TKIP) */
 #define EAPOL_KEY_VERSION_WPA	1

 /** Key descriptor version field value for WPA2 (CCMP) */
 #define EAPOL_KEY_VERSION_WPA2	2

 /** Key type field value for a PTK (pairwise) key handshake */
 #define EAPOL_KEY_TYPE_PTK	0x0008

 /** Key type field value for a GTK (group) key handshake */
 #define EAPOL_KEY_TYPE_GTK	0x0000

 /** @} */


 /** An EAPOL-Key packet.
  *
  * These are used for the WPA 4-Way Handshake, whether or not prior
  * authentication has been performed using EAP.
  *
  * On LANs, an eapol_key_pkt is always encapsulated in the data field
  * of an eapol_frame, with the frame's type code set to EAPOL_TYPE_KEY.
  *
  * Unlike 802.11 frame headers, the fields in this structure are
  * stored in big-endian!
  */
 struct eapol_key_pkt
 {
 	/** One of the EAPOL_KEY_TYPE_* defines. */
 	u8 type;

 	/** Bitfield of key characteristics, network byte order */
 	u16 info;

 	/** Length of encryption key to be used, network byte order
 	 *
 	 * This is 16 for CCMP, 32 for TKIP, and 5 or 13 for WEP.
 	 */
 	u16 keysize;

 	/** Monotonically increasing value for EAPOL-Key conversations
 	 *
 	 * In another classic demonstration of overengineering, this
 	 * 8-byte value will rarely be anything above 1. It's stored
 	 * in network byte order.
 	 */
 	u64 replay;

 	/** Nonce value
 	 *
 	 * This is the authenticator's ANonce in frame 1, the peer's
 	 * SNonce in frame 2, and 0 in frames 3 and 4.
 	 */
 	u8 nonce[32];

 	/** Initialization vector
 	 *
 	 * This contains the IV used with the Key Encryption Key, or 0
 	 * if the key is unencrypted or encrypted using an algorithm
 	 * that does not require an IV.
 	 */
 	u8 iv[16];

 	/** Receive sequence counter for GTK
 	 *
 	 * This is used to synchronize the client's replay counter for
 	 * ordinary data packets. The first six bytes contain PN0
 	 * through PN5 for CCMP mode, or TSC0 through TSC5 for TKIP
 	 * mode. The last two bytes are zero.
 	 */
 	u8 rsc[8];

 	/** Reserved bytes */
 	u8 _reserved[8];

 	/** Message integrity code over the entire EAPOL frame
 	 *
 	 * This is calculated using HMAC-MD5 when the key descriptor
 	 * version field in @a info is 1, and HMAC-SHA1 ignoring the
 	 * last 4 bytes of the hash when the version field in @a info
 	 * is 2.
 	 */
 	u8 mic[16];

 	/** Length of the @a data field in bytes, network byte order */
 	u16 datalen;

 	/** Key data
 	 *
 	 * This is formatted as a series of 802.11 information
 	 * elements, with cryptographic data encapsulated using a
 	 * "vendor-specific IE" code and an IEEE-specified OUI.
 	 */
 	u8 data[0];
 } __attribute__ (( packed ));


 /** WPA handshaking state */
 enum wpa_state {
 	/** Waiting for PMK to be set */
 	WPA_WAITING = 0,

 	/** Ready for 4-Way Handshake */
 	WPA_READY,

 	/** Performing 4-Way Handshake */
 	WPA_WORKING,

 	/** 4-Way Handshake succeeded */
 	WPA_SUCCESS,

 	/** 4-Way Handshake failed */
 	WPA_FAILURE,
 };

 /** Bitfield indicating a selection of WPA transient keys */
 enum wpa_keymask {
 	/** Pairwise transient key */
 	WPA_PTK = 1,

 	/** Group transient key */
 	WPA_GTK = 2,
 };


 /** Length of a nonce */
 #define WPA_NONCE_LEN		32

 /** Length of a TKIP main key */
 #define WPA_TKIP_KEY_LEN	16

 /** Length of a TKIP MIC key */
 #define WPA_TKIP_MIC_KEY_LEN	8

 /** Length of a CCMP key */
 #define WPA_CCMP_KEY_LEN	16

 /** Length of an EAPOL Key Confirmation Key */
 #define WPA_KCK_LEN		16

 /** Length of an EAPOL Key Encryption Key */
 #define WPA_KEK_LEN		16

 /** Usual length of a Pairwise Master Key */
 #define WPA_PMK_LEN		32

 /** Length of a PMKID */
 #define WPA_PMKID_LEN		16


 /** Structure of the Temporal Key for TKIP encryption */
 struct tkip_tk
 {
 	/** Main key: input to TKIP Phase 1 and Phase 2 key mixing functions */
 	u8 key[WPA_TKIP_KEY_LEN];

 	/** Michael MIC keys */
 	struct {
 		/** MIC key for packets from the AP */
 		u8 rx[WPA_TKIP_MIC_KEY_LEN];

 		/** MIC key for packets to the AP */
 		u8 tx[WPA_TKIP_MIC_KEY_LEN];
 	} __attribute__ (( packed )) mic;
 } __attribute__ (( packed ));

 /** Structure of a generic Temporal Key */
 union wpa_tk
 {
 	/** CCMP key */
 	u8 ccmp[WPA_CCMP_KEY_LEN];

 	/** TKIP keys */
 	struct tkip_tk tkip;
 };

 /** Structure of the Pairwise Transient Key */
 struct wpa_ptk
 {
 	/** EAPOL-Key Key Confirmation Key (KCK) */
 	u8 kck[WPA_KCK_LEN];

 	/** EAPOL-Key Key Encryption Key (KEK) */
 	u8 kek[WPA_KEK_LEN];

 	/** Temporal key */
 	union wpa_tk tk;
 } __attribute__ (( packed ));

 /** Structure of the Group Transient Key */
 struct wpa_gtk
 {
 	/** Temporal key */
 	union wpa_tk tk;
 } __attribute__ (( packed ));


 /** Common context for WPA security handshaking
  *
  * Any implementor of a particular handshaking type (e.g. PSK or EAP)
  * must include this structure at the very beginning of their private
  * data context structure, to allow the EAPOL-Key handling code to
  * work. When the preliminary authentication is done, it is necessary
  * to call wpa_start(), passing the PMK (derived from PSK or EAP MSK)
  * as an argument. The handshaker can use its @a step function to
  * monitor @a state in this wpa_ctx structure for success or
  * failure. On success, the keys will be available in @a ptk and @a
  * gtk according to the state of the @a valid bitmask.
  *
  * After an initial success, the parent handshaker does not need to
  * concern itself with rekeying; the WPA common code takes care of
  * that.
  */
 struct wpa_common_ctx
 {
 	/** 802.11 device we are authenticating for */
 	struct net80211_device *dev;

 	/** The Pairwise Master Key to use in handshaking
 	 *
 	 * This is set either by running the PBKDF2 algorithm on a
 	 * passphrase with the SSID as salt to generate a pre-shared
 	 * key, or by copying the first 32 bytes of the EAP Master
 	 * Session Key in 802.1X-served authentication.
 	 */
 	u8 pmk[WPA_PMK_LEN];

 	/** Length of the Pairwise Master Key
 	 *
 	 * This is always 32 except with one EAP method which only
 	 * gives 16 bytes.
 	 */
 	int pmk_len;

 	/** State of EAPOL-Key handshaking */
 	enum wpa_state state;

 	/** Replay counter for this association
 	 *
 	 * This stores the replay counter value for the most recent
 	 * packet we've accepted. It is initially initialised to ~0 to
 	 * show we'll accept anything.
 	 */
 	u64 replay;

 	/** Mask of valid keys after authentication success
 	 *
 	 * If the PTK is not valid, the GTK should be used for both
 	 * unicast and multicast decryption; if the GTK is not valid,
 	 * multicast packets cannot be decrypted.
 	 */
 	enum wpa_keymask valid;

 	/** The cipher to use for unicast RX and all TX */
 	enum net80211_crypto_alg crypt;

 	/** The cipher to use for broadcast and multicast RX */
 	enum net80211_crypto_alg gcrypt;

 	/** The Pairwise Transient Key derived from the handshake */
 	struct wpa_ptk ptk;

 	/** The Group Transient Key derived from the handshake */
 	struct wpa_gtk gtk;

 	/** Authenticator-provided nonce */
 	u8 Anonce[WPA_NONCE_LEN];

 	/** Supplicant-generated nonce (that's us) */
 	u8 Snonce[WPA_NONCE_LEN];

 	/** Whether we should refrain from generating another SNonce */
 	int have_Snonce;

 	/** Data in WPA or RSN IE from AP's beacon frame */
 	void *ap_rsn_ie;

 	/** Length of @a ap_rsn_ie */
 	int ap_rsn_ie_len;

 	/** Whether @a ap_rsn_ie is an RSN IE (as opposed to old WPA) */
 	int ap_rsn_is_rsn;

 	/** List entry */
 	struct list_head list;
 };


 /** WPA handshake key integrity and encryption handler
  *
  * Note that due to the structure of the 4-Way Handshake we never
  * actually need to encrypt key data, only decrypt it.
  */
 struct wpa_kie {
 	/** Value of version bits in EAPOL-Key info field for which to use
 	 *
 	 * This should be one of the @c EAPOL_KEY_VERSION_* constants.
 	 */
 	int version;

 	/** Calculate MIC over message
 	 *
 	 * @v kck	Key Confirmation Key, 16 bytes
 	 * @v msg	Message to calculate MIC over
 	 * @v len	Number of bytes to calculate MIC over
 	 * @ret mic	Calculated MIC, 16 bytes long
 	 *
 	 * The @a mic return may point within @a msg, so it must not
 	 * be filled until the calculation has been performed.
 	 */
 	void ( * mic ) ( const void *kck, const void *msg, size_t len,
 			 void *mic );

 	/** Decrypt key data
 	 *
 	 * @v kek	Key Encryption Key, 16 bytes
 	 * @v iv	Initialisation vector for encryption, 16 bytes
 	 * @v msg	Message to decrypt (Key Data field)
 	 * @v len	Length of message
 	 * @ret msg	Decrypted message in place of original
 	 * @ret len	Updated to reflect encrypted length
 	 * @ret rc	Return status code
 	 *
 	 * The decrypted message is written over the encrypted one.
 	 */
 	int ( * decrypt ) ( const void *kek, const void *iv, void *msg,
 			    u16 *len );
 };

 #define WPA_KIES	__table ( struct wpa_kie, "wpa_kies" )
 #define __wpa_kie	__table_entry ( WPA_KIES, 01 )


 /**
  * @defgroup wpa_kde Key descriptor element types
  * @{
  */

 /** Payload structure of the GTK-encapsulating KDE
  *
  * This does not include the IE type, length, or OUI bytes, which are
  * generic to all KDEs.
  */
 struct wpa_kde_gtk_encap
 {
 	/** Key ID and TX bit */
 	u8 id;

 	/** Reserved byte */
 	u8 _rsvd;

 	/** Encapsulated group transient key */
 	struct wpa_gtk gtk;
 } __attribute__ (( packed ));

 /** Mask for Key ID in wpa_kde_gtk::id field */
 #define WPA_GTK_KID	0x03

 /** Mask for Tx bit in wpa_kde_gtk::id field */
 #define WPA_GTK_TXBIT	0x04


 /** KDE type for an encapsulated Group Transient Key (requires encryption) */
 #define WPA_KDE_GTK	_MKOUI ( 0x00, 0x0F, 0xAC, 0x01 )

 /** KDE type for a MAC address */
 #define WPA_KDE_MAC	_MKOUI ( 0x00, 0x0F, 0xAC, 0x03 )

 /** KDE type for a PMKID */
 #define WPA_KDE_PMKID	_MKOUI ( 0x00, 0x0F, 0xAC, 0x04 )

 /** KDE type for a nonce */
 #define WPA_KDE_NONCE	_MKOUI ( 0x00, 0x0F, 0xAC, 0x06 )

 /** KDE type for a lifetime value */
 #define WPA_KDE_LIFETIME _MKOUI ( 0x00, 0x0F, 0xAC, 0x07 )


 /** Any key descriptor element type
  *
  * KDEs follow the 802.11 information element format of a type byte
  * (in this case "vendor-specific", with the requisite OUI+subtype
  * after length) and a length byte whose value does not include the
  * length of the type and length bytes.
  */
 struct wpa_kde
 {
 	/** Information element type: always 0xDD (IEEE80211_IE_VENDOR) */
 	u8 ie_type;

 	/** Length, not including ie_type and length fields */
 	u8 len;

 	/** OUI + type byte */
 	u32 oui_type;

 	/** Payload data */
 	union {
 		/** For GTK-type KDEs, encapsulated GTK */
 		struct wpa_kde_gtk_encap gtk_encap;

 		/** For MAC-type KDEs, the MAC address */
 		u8 mac[ETH_ALEN];

 		/** For PMKID-type KDEs, the PMKID */
 		u8 pmkid[WPA_PMKID_LEN];

 		/** For Nonce-type KDEs, the nonce */
 		u8 nonce[WPA_NONCE_LEN];

 		/** For Lifetime-type KDEs, the lifetime in seconds
 		 *
 		 * This is in network byte order!
 		 */
 		u32 lifetime;
 	};
 } __attribute__ (( packed ));

 /** @} */

 int wpa_make_rsn_ie ( struct net80211_device *dev, union ieee80211_ie **ie );
 int wpa_start ( struct net80211_device *dev, struct wpa_common_ctx *ctx,
 		const void *pmk, size_t pmk_len );
 void wpa_stop ( struct net80211_device *dev );

 #endif /* _GPXE_WPA_H */
	/*
	* Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
	*
	* This program is free software; you can redistribute it and/or
	* modify it under the terms of the GNU General Public License as
	* published by the Free Software Foundation; either version 2 of the
	* License, or any later version.
	*
	* This program is distributed in the hope that it will be useful, but
	* WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, write to the Free Software
	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	*/

	#ifndef _GPXE_WPA_H
	#define _GPXE_WPA_H

	#include <gpxe/ieee80211.h>
	#include <gpxe/list.h>

	FILE_LICENCE ( GPL2_OR_LATER );

	/** @file
	*
	* Common definitions for all types of WPA-protected networks.
	*/


	/** EAPOL-Key type field for modern 802.11i/RSN WPA packets */
	#define EAPOL_KEY_TYPE_RSN 2

	/** Old EAPOL-Key type field used by WPA1 hardware before 802.11i ratified */
	#define EAPOL_KEY_TYPE_WPA 254


	/**
	* @defgroup eapol_key_info EAPOL-Key Info field bits
	* @{
	*/

	/** Key descriptor version, indicating WPA or WPA2 */
	#define EAPOL_KEY_INFO_VERSION 0x0007

	/** Key type bit, indicating pairwise or group */
	#define EAPOL_KEY_INFO_TYPE 0x0008

	/** Key install bit; set on message 3 except when legacy hacks are used */
	#define EAPOL_KEY_INFO_INSTALL 0x0040

	/** Key ACK bit; set when a response is required, on all messages except #4 */
	#define EAPOL_KEY_INFO_KEY_ACK 0x0080

	/** Key MIC bit; set when the MIC field is valid, on messages 3 and 4 */
	#define EAPOL_KEY_INFO_KEY_MIC 0x0100

	/** Secure bit; set when both sides have both keys, on messages 3 and 4 */
	#define EAPOL_KEY_INFO_SECURE 0x0200

	/** Error bit; set on a MIC failure for TKIP */
	#define EAPOL_KEY_INFO_ERROR 0x0400

	/** Request bit; set when authentication is initiated by the Peer (unusual) */
	#define EAPOL_KEY_INFO_REQUEST 0x0800

	/** Key Encrypted bit; set when the Key Data field is encrypted */
	#define EAPOL_KEY_INFO_KEY_ENC 0x1000

	/** SMC Message bit; set when this frame is part of an IBSS SMK handshake */
	#define EAPOL_KEY_INFO_SMC_MESS 0x2000


	/** Key descriptor version field value for WPA (TKIP) */
	#define EAPOL_KEY_VERSION_WPA 1

	/** Key descriptor version field value for WPA2 (CCMP) */
	#define EAPOL_KEY_VERSION_WPA2 2

	/** Key type field value for a PTK (pairwise) key handshake */
	#define EAPOL_KEY_TYPE_PTK 0x0008

	/** Key type field value for a GTK (group) key handshake */
	#define EAPOL_KEY_TYPE_GTK 0x0000

	/** @} */



	/** An EAPOL-Key packet.
	*
	* These are used for the WPA 4-Way Handshake, whether or not prior
	* authentication has been performed using EAP.
	*
	* On LANs, an eapol_key_pkt is always encapsulated in the data field
	* of an eapol_frame, with the frame's type code set to EAPOL_TYPE_KEY.
	*
	* Unlike 802.11 frame headers, the fields in this structure are
	* stored in big-endian!
	*/
	struct eapol_key_pkt
	{
	/** One of the EAPOL_KEY_TYPE_* defines. */
	u8 type;

	/** Bitfield of key characteristics, network byte order */
	u16 info;

	/** Length of encryption key to be used, network byte order
	*
	* This is 16 for CCMP, 32 for TKIP, and 5 or 13 for WEP.
	*/
	u16 keysize;

	/** Monotonically increasing value for EAPOL-Key conversations
	*
	* In another classic demonstration of overengineering, this
	* 8-byte value will rarely be anything above 1. It's stored
	* in network byte order.
	*/
	u64 replay;

	/** Nonce value
	*
	* This is the authenticator's ANonce in frame 1, the peer's
	* SNonce in frame 2, and 0 in frames 3 and 4.
	*/
	u8 nonce[32];

	/** Initialization vector
	*
	* This contains the IV used with the Key Encryption Key, or 0
	* if the key is unencrypted or encrypted using an algorithm
	* that does not require an IV.
	*/
	u8 iv[16];

	/** Receive sequence counter for GTK
	*
	* This is used to synchronize the client's replay counter for
	* ordinary data packets. The first six bytes contain PN0
	* through PN5 for CCMP mode, or TSC0 through TSC5 for TKIP
	* mode. The last two bytes are zero.
	*/
	u8 rsc[8];

	/** Reserved bytes */
	u8 _reserved[8];

	/** Message integrity code over the entire EAPOL frame
	*
	* This is calculated using HMAC-MD5 when the key descriptor
	* version field in @a info is 1, and HMAC-SHA1 ignoring the
	* last 4 bytes of the hash when the version field in @a info
	* is 2.
	*/
	u8 mic[16];

	/** Length of the @a data field in bytes, network byte order */
	u16 datalen;

	/** Key data
	*
	* This is formatted as a series of 802.11 information
	* elements, with cryptographic data encapsulated using a
	* "vendor-specific IE" code and an IEEE-specified OUI.
	*/
	u8 data[0];
	} __attribute__ (( packed ));


	/** WPA handshaking state */
	enum wpa_state {
	/** Waiting for PMK to be set */
	WPA_WAITING = 0,

	/** Ready for 4-Way Handshake */
	WPA_READY,

	/** Performing 4-Way Handshake */
	WPA_WORKING,

	/** 4-Way Handshake succeeded */
	WPA_SUCCESS,

	/** 4-Way Handshake failed */
	WPA_FAILURE,
	};

	/** Bitfield indicating a selection of WPA transient keys */
	enum wpa_keymask {
	/** Pairwise transient key */
	WPA_PTK = 1,

	/** Group transient key */
	WPA_GTK = 2,
	};


	/** Length of a nonce */
	#define WPA_NONCE_LEN 32

	/** Length of a TKIP main key */
	#define WPA_TKIP_KEY_LEN 16

	/** Length of a TKIP MIC key */
	#define WPA_TKIP_MIC_KEY_LEN 8

	/** Length of a CCMP key */
	#define WPA_CCMP_KEY_LEN 16

	/** Length of an EAPOL Key Confirmation Key */
	#define WPA_KCK_LEN 16

	/** Length of an EAPOL Key Encryption Key */
	#define WPA_KEK_LEN 16

	/** Usual length of a Pairwise Master Key */
	#define WPA_PMK_LEN 32

	/** Length of a PMKID */
	#define WPA_PMKID_LEN 16


	/** Structure of the Temporal Key for TKIP encryption */
	struct tkip_tk
	{
	/** Main key: input to TKIP Phase 1 and Phase 2 key mixing functions */
	u8 key[WPA_TKIP_KEY_LEN];

	/** Michael MIC keys */
	struct {
	/** MIC key for packets from the AP */
	u8 rx[WPA_TKIP_MIC_KEY_LEN];

	/** MIC key for packets to the AP */
	u8 tx[WPA_TKIP_MIC_KEY_LEN];
	} __attribute__ (( packed )) mic;
	} __attribute__ (( packed ));

	/** Structure of a generic Temporal Key */
	union wpa_tk
	{
	/** CCMP key */
	u8 ccmp[WPA_CCMP_KEY_LEN];

	/** TKIP keys */
	struct tkip_tk tkip;
	};

	/** Structure of the Pairwise Transient Key */
	struct wpa_ptk
	{
	/** EAPOL-Key Key Confirmation Key (KCK) */
	u8 kck[WPA_KCK_LEN];

	/** EAPOL-Key Key Encryption Key (KEK) */
	u8 kek[WPA_KEK_LEN];

	/** Temporal key */
	union wpa_tk tk;
	} __attribute__ (( packed ));

	/** Structure of the Group Transient Key */
	struct wpa_gtk
	{
	/** Temporal key */
	union wpa_tk tk;
	} __attribute__ (( packed ));


	/** Common context for WPA security handshaking
	*
	* Any implementor of a particular handshaking type (e.g. PSK or EAP)
	* must include this structure at the very beginning of their private
	* data context structure, to allow the EAPOL-Key handling code to
	* work. When the preliminary authentication is done, it is necessary
	* to call wpa_start(), passing the PMK (derived from PSK or EAP MSK)
	* as an argument. The handshaker can use its @a step function to
	* monitor @a state in this wpa_ctx structure for success or
	* failure. On success, the keys will be available in @a ptk and @a
	* gtk according to the state of the @a valid bitmask.
	*
	* After an initial success, the parent handshaker does not need to
	* concern itself with rekeying; the WPA common code takes care of
	* that.
	*/
	struct wpa_common_ctx
	{
	/** 802.11 device we are authenticating for */
	struct net80211_device *dev;

	/** The Pairwise Master Key to use in handshaking
	*
	* This is set either by running the PBKDF2 algorithm on a
	* passphrase with the SSID as salt to generate a pre-shared
	* key, or by copying the first 32 bytes of the EAP Master
	* Session Key in 802.1X-served authentication.
	*/
	u8 pmk[WPA_PMK_LEN];

	/** Length of the Pairwise Master Key
	*
	* This is always 32 except with one EAP method which only
	* gives 16 bytes.
	*/
	int pmk_len;

	/** State of EAPOL-Key handshaking */
	enum wpa_state state;

	/** Replay counter for this association
	*
	* This stores the replay counter value for the most recent
	* packet we've accepted. It is initially initialised to ~0 to
	* show we'll accept anything.
	*/
	u64 replay;

	/** Mask of valid keys after authentication success
	*
	* If the PTK is not valid, the GTK should be used for both
	* unicast and multicast decryption; if the GTK is not valid,
	* multicast packets cannot be decrypted.
	*/
	enum wpa_keymask valid;

	/** The cipher to use for unicast RX and all TX */
	enum net80211_crypto_alg crypt;

	/** The cipher to use for broadcast and multicast RX */
	enum net80211_crypto_alg gcrypt;

	/** The Pairwise Transient Key derived from the handshake */
	struct wpa_ptk ptk;

	/** The Group Transient Key derived from the handshake */
	struct wpa_gtk gtk;

	/** Authenticator-provided nonce */
	u8 Anonce[WPA_NONCE_LEN];

	/** Supplicant-generated nonce (that's us) */
	u8 Snonce[WPA_NONCE_LEN];

	/** Whether we should refrain from generating another SNonce */
	int have_Snonce;

	/** Data in WPA or RSN IE from AP's beacon frame */
	void *ap_rsn_ie;

	/** Length of @a ap_rsn_ie */
	int ap_rsn_ie_len;

	/** Whether @a ap_rsn_ie is an RSN IE (as opposed to old WPA) */
	int ap_rsn_is_rsn;

	/** List entry */
	struct list_head list;
	};


	/** WPA handshake key integrity and encryption handler
	*
	* Note that due to the structure of the 4-Way Handshake we never
	* actually need to encrypt key data, only decrypt it.
	*/
	struct wpa_kie {
	/** Value of version bits in EAPOL-Key info field for which to use
	*
	* This should be one of the @c EAPOL_KEY_VERSION_* constants.
	*/
	int version;

	/** Calculate MIC over message
	*
	* @v kck Key Confirmation Key, 16 bytes
	* @v msg Message to calculate MIC over
	* @v len Number of bytes to calculate MIC over
	* @ret mic Calculated MIC, 16 bytes long
	*
	* The @a mic return may point within @a msg, so it must not
	* be filled until the calculation has been performed.
	*/
	void ( * mic ) ( const void kck, const void msg, size_t len,
	void *mic );

	/** Decrypt key data
	*
	* @v kek Key Encryption Key, 16 bytes
	* @v iv Initialisation vector for encryption, 16 bytes
	* @v msg Message to decrypt (Key Data field)
	* @v len Length of message
	* @ret msg Decrypted message in place of original
	* @ret len Updated to reflect encrypted length
	* @ret rc Return status code
	*
	* The decrypted message is written over the encrypted one.
	*/
	int ( * decrypt ) ( const void kek, const void iv, void *msg,
	u16 *len );
	};

	#define WPA_KIES __table ( struct wpa_kie, "wpa_kies" )
	#define __wpa_kie __table_entry ( WPA_KIES, 01 )



	/**
	* @defgroup wpa_kde Key descriptor element types
	* @{
	*/

	/** Payload structure of the GTK-encapsulating KDE
	*
	* This does not include the IE type, length, or OUI bytes, which are
	* generic to all KDEs.
	*/
	struct wpa_kde_gtk_encap
	{
	/** Key ID and TX bit */
	u8 id;

	/** Reserved byte */
	u8 _rsvd;

	/** Encapsulated group transient key */
	struct wpa_gtk gtk;
	} __attribute__ (( packed ));

	/** Mask for Key ID in wpa_kde_gtk::id field */
	#define WPA_GTK_KID 0x03

	/** Mask for Tx bit in wpa_kde_gtk::id field */
	#define WPA_GTK_TXBIT 0x04


	/** KDE type for an encapsulated Group Transient Key (requires encryption) */
	#define WPA_KDE_GTK _MKOUI ( 0x00, 0x0F, 0xAC, 0x01 )

	/** KDE type for a MAC address */
	#define WPA_KDE_MAC _MKOUI ( 0x00, 0x0F, 0xAC, 0x03 )

	/** KDE type for a PMKID */
	#define WPA_KDE_PMKID _MKOUI ( 0x00, 0x0F, 0xAC, 0x04 )

	/** KDE type for a nonce */
	#define WPA_KDE_NONCE _MKOUI ( 0x00, 0x0F, 0xAC, 0x06 )

	/** KDE type for a lifetime value */
	#define WPA_KDE_LIFETIME _MKOUI ( 0x00, 0x0F, 0xAC, 0x07 )


	/** Any key descriptor element type
	*
	* KDEs follow the 802.11 information element format of a type byte
	* (in this case "vendor-specific", with the requisite OUI+subtype
	* after length) and a length byte whose value does not include the
	* length of the type and length bytes.
	*/
	struct wpa_kde
	{
	/** Information element type: always 0xDD (IEEE80211_IE_VENDOR) */
	u8 ie_type;

	/** Length, not including ie_type and length fields */
	u8 len;

	/** OUI + type byte */
	u32 oui_type;

	/** Payload data */
	union {
	/** For GTK-type KDEs, encapsulated GTK */
	struct wpa_kde_gtk_encap gtk_encap;

	/** For MAC-type KDEs, the MAC address */
	u8 mac[ETH_ALEN];

	/** For PMKID-type KDEs, the PMKID */
	u8 pmkid[WPA_PMKID_LEN];

	/** For Nonce-type KDEs, the nonce */
	u8 nonce[WPA_NONCE_LEN];

	/** For Lifetime-type KDEs, the lifetime in seconds
	*
	* This is in network byte order!
	*/
	u32 lifetime;
	};
	} __attribute__ (( packed ));

	/** @} */

	int wpa_make_rsn_ie ( struct net80211_device dev, union ieee80211_ie *ie );
	int wpa_start ( struct net80211_device dev, struct wpa_common_ctx ctx,
	const void *pmk, size_t pmk_len );
	void wpa_stop ( struct net80211_device *dev );

	#endif /* _GPXE_WPA_H */