ieee80211_crypto_tkip.c revision 1.13
1 /*- 2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. The name of the author may not be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * Alternatively, this software may be distributed under the terms of the 17 * GNU General Public License ("GPL") version 2 as published by the Free 18 * Software Foundation. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifdef __FreeBSD__ 34 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_crypto_tkip.c,v 1.10 2005/08/08 18:46:35 sam Exp $"); 35 #endif 36 #ifdef __NetBSD__ 37 __KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto_tkip.c,v 1.13 2018/01/17 17:41:38 maxv Exp $"); 38 #endif 39 40 /* 41 * IEEE 802.11i TKIP crypto support. 42 * 43 * Part of this module is derived from similar code in the Host 44 * AP driver. The code is used with the consent of the author and 45 * its license is included below. 46 */ 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/endian.h> 53 54 #include <sys/socket.h> 55 56 #include <net/if.h> 57 #include <net/if_ether.h> 58 #include <net/if_media.h> 59 60 #include <net80211/ieee80211_var.h> 61 62 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 63 static void tkip_detach(struct ieee80211_key *); 64 static int tkip_setkey(struct ieee80211_key *); 65 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, u_int8_t keyid); 66 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 67 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 68 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 69 70 const struct ieee80211_cipher ieee80211_cipher_tkip = { 71 .ic_name = "TKIP", 72 .ic_cipher = IEEE80211_CIPHER_TKIP, 73 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 74 IEEE80211_WEP_EXTIVLEN, 75 .ic_trailer = IEEE80211_WEP_CRCLEN, 76 .ic_miclen = IEEE80211_WEP_MICLEN, 77 .ic_attach = tkip_attach, 78 .ic_detach = tkip_detach, 79 .ic_setkey = tkip_setkey, 80 .ic_encap = tkip_encap, 81 .ic_decap = tkip_decap, 82 .ic_enmic = tkip_enmic, 83 .ic_demic = tkip_demic, 84 }; 85 86 #define tkip ieee80211_cipher_tkip 87 88 typedef uint8_t u8; 89 typedef uint16_t u16; 90 typedef uint32_t __u32; 91 typedef uint32_t u32; 92 93 struct tkip_ctx { 94 struct ieee80211com *tc_ic; /* for diagnostics */ 95 96 u16 tx_ttak[5]; 97 int tx_phase1_done; 98 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 99 100 u16 rx_ttak[5]; 101 int rx_phase1_done; 102 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 103 uint64_t rx_rsc; /* held until MIC verified */ 104 }; 105 106 static void michael_mic(struct tkip_ctx *, const u8 *key, 107 struct mbuf *m, u_int off, size_t data_len, 108 u8 mic[IEEE80211_WEP_MICLEN]); 109 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 110 struct mbuf *, int hdr_len); 111 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 112 struct mbuf *, int hdr_len); 113 114 static void * 115 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 116 { 117 struct tkip_ctx *ctx; 118 119 ctx = malloc(sizeof(struct tkip_ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 120 if (ctx == NULL) { 121 ic->ic_stats.is_crypto_nomem++; 122 return NULL; 123 } 124 125 ctx->tc_ic = ic; 126 return ctx; 127 } 128 129 static void 130 tkip_detach(struct ieee80211_key *k) 131 { 132 struct tkip_ctx *ctx = k->wk_private; 133 134 free(ctx, M_DEVBUF); 135 } 136 137 static int 138 tkip_setkey(struct ieee80211_key *k) 139 { 140 struct tkip_ctx *ctx = k->wk_private; 141 142 if (k->wk_keylen != (128/NBBY)) { 143 (void) ctx; /* XXX */ 144 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 145 "%s: Invalid key length %u, expecting %u\n", 146 __func__, k->wk_keylen, 128/NBBY); 147 return 0; 148 } 149 k->wk_keytsc = 1; /* TSC starts at 1 */ 150 return 1; 151 } 152 153 /* 154 * Add privacy headers and do any s/w encryption required. 155 */ 156 static int 157 tkip_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid) 158 { 159 struct tkip_ctx *ctx = k->wk_private; 160 struct ieee80211com *ic = ctx->tc_ic; 161 u_int8_t *ivp; 162 int hdrlen; 163 164 /* 165 * Handle TKIP counter measures requirement. 166 */ 167 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 168 #ifdef IEEE80211_DEBUG 169 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 170 #endif 171 172 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 173 "[%s] Discard frame due to countermeasures (%s)\n", 174 ether_sprintf(wh->i_addr2), __func__); 175 ic->ic_stats.is_crypto_tkipcm++; 176 return 0; 177 } 178 179 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 180 ivp = mtod(m, u_int8_t *) + hdrlen; 181 182 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 183 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 184 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 185 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 186 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 187 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 188 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 189 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 190 191 /* 192 * Finally, do software encrypt if neeed. 193 */ 194 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 195 if (!tkip_encrypt(ctx, k, m, hdrlen)) 196 return 0; 197 /* NB: tkip_encrypt handles wk_keytsc */ 198 } else 199 k->wk_keytsc++; 200 201 return 1; 202 } 203 204 /* 205 * Add MIC to the frame as needed. 206 */ 207 static int 208 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 209 { 210 struct tkip_ctx *ctx = k->wk_private; 211 212 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 213 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 214 struct ieee80211com *ic = ctx->tc_ic; 215 int hdrlen; 216 uint8_t mic[IEEE80211_WEP_MICLEN]; 217 218 ic->ic_stats.is_crypto_tkipenmic++; 219 220 hdrlen = ieee80211_hdrspace(ic, wh); 221 222 michael_mic(ctx, k->wk_txmic, 223 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 224 return m_append(m, tkip.ic_miclen, mic); 225 } 226 return 1; 227 } 228 229 static __inline uint64_t 230 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 231 { 232 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 233 uint16_t iv16 = (b4 << 0) | (b5 << 8); 234 return (((uint64_t)iv16) << 32) | iv32; 235 } 236 237 /* 238 * Validate and strip privacy headers (and trailer) for a 239 * received frame. If necessary, decrypt the frame using 240 * the specified key. 241 */ 242 static int 243 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 244 { 245 struct tkip_ctx *ctx = k->wk_private; 246 struct ieee80211com *ic = ctx->tc_ic; 247 struct ieee80211_frame *wh; 248 uint8_t *ivp; 249 250 /* 251 * Header should have extended IV and sequence number; 252 * verify the former and validate the latter. 253 */ 254 wh = mtod(m, struct ieee80211_frame *); 255 ivp = mtod(m, uint8_t *) + hdrlen; 256 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 257 /* 258 * No extended IV; discard frame. 259 */ 260 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 261 "[%s] missing ExtIV for TKIP cipher\n", 262 ether_sprintf(wh->i_addr2)); 263 ctx->tc_ic->ic_stats.is_rx_tkipformat++; 264 return 0; 265 } 266 /* 267 * Handle TKIP counter measures requirement. 268 */ 269 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 270 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 271 "[%s] discard frame due to countermeasures (%s)\n", 272 ether_sprintf(wh->i_addr2), __func__); 273 ic->ic_stats.is_crypto_tkipcm++; 274 return 0; 275 } 276 277 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 278 if (ctx->rx_rsc <= k->wk_keyrsc) { 279 /* 280 * Replay violation; notify upper layer. 281 */ 282 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc); 283 ctx->tc_ic->ic_stats.is_rx_tkipreplay++; 284 return 0; 285 } 286 /* 287 * NB: We can't update the rsc in the key until MIC is verified. 288 * 289 * We assume we are not preempted between doing the check above 290 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 291 * Otherwise we might process another packet and discard it as 292 * a replay. 293 */ 294 295 /* 296 * Check if the device handled the decrypt in hardware. 297 * If so we just strip the header; otherwise we need to 298 * handle the decrypt in software. 299 */ 300 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) && 301 !tkip_decrypt(ctx, k, m, hdrlen)) 302 return 0; 303 304 /* 305 * Copy up 802.11 header and strip crypto bits. 306 */ 307 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 308 m_adj(m, tkip.ic_header); 309 m_adj(m, -tkip.ic_trailer); 310 311 return 1; 312 } 313 314 /* 315 * Verify and strip MIC from the frame. 316 */ 317 static int 318 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 319 { 320 struct tkip_ctx *ctx = k->wk_private; 321 322 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 323 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 324 struct ieee80211com *ic = ctx->tc_ic; 325 int hdrlen = ieee80211_hdrspace(ic, wh); 326 u8 mic[IEEE80211_WEP_MICLEN]; 327 u8 mic0[IEEE80211_WEP_MICLEN]; 328 329 ic->ic_stats.is_crypto_tkipdemic++; 330 331 michael_mic(ctx, k->wk_rxmic, 332 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 333 mic); 334 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 335 tkip.ic_miclen, mic0); 336 if (memcmp(mic, mic0, tkip.ic_miclen)) { 337 /* NB: 802.11 layer handles statistic and debug msg */ 338 ieee80211_notify_michael_failure(ic, wh, 339 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 340 k->wk_rxkeyix : k->wk_keyix); 341 return 0; 342 } 343 } 344 /* 345 * Strip MIC from the tail. 346 */ 347 m_adj(m, -tkip.ic_miclen); 348 349 /* 350 * Ok to update rsc now that MIC has been verified. 351 */ 352 k->wk_keyrsc = ctx->rx_rsc; 353 354 return 1; 355 } 356 357 /* 358 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 359 * 360 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline (at) cc.hut.fi> 361 * 362 * This program is free software; you can redistribute it and/or modify 363 * it under the terms of the GNU General Public License version 2 as 364 * published by the Free Software Foundation. See README and COPYING for 365 * more details. 366 * 367 * Alternatively, this software may be distributed under the terms of BSD 368 * license. 369 */ 370 371 static const __u32 crc32_table[256] = { 372 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 373 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 374 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 375 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 376 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 377 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 378 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 379 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 380 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 381 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 382 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 383 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 384 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 385 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 386 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 387 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 388 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 389 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 390 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 391 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 392 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 393 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 394 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 395 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 396 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 397 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 398 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 399 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 400 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 401 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 402 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 403 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 404 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 405 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 406 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 407 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 408 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 409 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 410 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 411 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 412 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 413 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 414 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 415 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 416 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 417 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 418 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 419 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 420 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 421 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 422 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 423 0x2d02ef8dL 424 }; 425 426 static __inline u16 RotR1(u16 val) 427 { 428 return (val >> 1) | (val << 15); 429 } 430 431 static __inline u8 Lo8(u16 val) 432 { 433 return val & 0xff; 434 } 435 436 static __inline u8 Hi8(u16 val) 437 { 438 return val >> 8; 439 } 440 441 static __inline u16 Lo16(u32 val) 442 { 443 return val & 0xffff; 444 } 445 446 static __inline u16 Hi16(u32 val) 447 { 448 return val >> 16; 449 } 450 451 static __inline u16 Mk16(u8 hi, u8 lo) 452 { 453 return lo | (((u16) hi) << 8); 454 } 455 456 static __inline u16 Mk16_le(const u16 *v) 457 { 458 return le16toh(*v); 459 } 460 461 static const u16 Sbox[256] = { 462 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 463 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 464 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 465 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 466 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 467 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 468 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 469 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 470 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 471 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 472 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 473 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 474 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 475 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 476 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 477 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 478 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 479 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 480 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 481 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 482 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 483 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 484 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 485 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 486 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 487 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 488 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 489 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 490 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 491 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 492 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 493 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 494 }; 495 496 static __inline u16 _S_(u16 v) 497 { 498 u16 t = Sbox[Hi8(v)]; 499 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 500 } 501 502 #define PHASE1_LOOP_COUNT 8 503 504 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 505 { 506 int i, j; 507 508 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 509 TTAK[0] = Lo16(IV32); 510 TTAK[1] = Hi16(IV32); 511 TTAK[2] = Mk16(TA[1], TA[0]); 512 TTAK[3] = Mk16(TA[3], TA[2]); 513 TTAK[4] = Mk16(TA[5], TA[4]); 514 515 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 516 j = 2 * (i & 1); 517 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 518 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 519 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 520 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 521 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 522 } 523 } 524 525 #ifndef _BYTE_ORDER 526 #error "Don't know native byte order" 527 #endif 528 529 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 530 u16 IV16) 531 { 532 /* Make temporary area overlap WEP seed so that the final copy can be 533 * avoided on little endian hosts. */ 534 u16 *PPK = (u16 *) &WEPSeed[4]; 535 536 /* Step 1 - make copy of TTAK and bring in TSC */ 537 PPK[0] = TTAK[0]; 538 PPK[1] = TTAK[1]; 539 PPK[2] = TTAK[2]; 540 PPK[3] = TTAK[3]; 541 PPK[4] = TTAK[4]; 542 PPK[5] = TTAK[4] + IV16; 543 544 /* Step 2 - 96-bit bijective mixing using S-box */ 545 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 546 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 547 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 548 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 549 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 550 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 551 552 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 553 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 554 PPK[2] += RotR1(PPK[1]); 555 PPK[3] += RotR1(PPK[2]); 556 PPK[4] += RotR1(PPK[3]); 557 PPK[5] += RotR1(PPK[4]); 558 559 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 560 * WEPSeed[0..2] is transmitted as WEP IV */ 561 WEPSeed[0] = Hi8(IV16); 562 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 563 WEPSeed[2] = Lo8(IV16); 564 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 565 566 #if _BYTE_ORDER == _BIG_ENDIAN 567 { 568 int i; 569 for (i = 0; i < 6; i++) 570 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 571 } 572 #endif 573 } 574 575 static void 576 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 577 uint8_t icv[IEEE80211_WEP_CRCLEN]) 578 { 579 u32 i, j, k, crc; 580 size_t buflen; 581 u8 S[256]; 582 u8 *pos; 583 struct mbuf *m; 584 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 585 586 /* Setup RC4 state */ 587 for (i = 0; i < 256; i++) 588 S[i] = i; 589 j = 0; 590 for (i = 0; i < 256; i++) { 591 j = (j + S[i] + key[i & 0x0f]) & 0xff; 592 S_SWAP(i, j); 593 } 594 595 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 596 crc = ~0; 597 i = j = 0; 598 m = m0; 599 pos = mtod(m, uint8_t *) + off; 600 buflen = m->m_len - off; 601 for (;;) { 602 if (buflen > data_len) 603 buflen = data_len; 604 data_len -= buflen; 605 for (k = 0; k < buflen; k++) { 606 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 607 i = (i + 1) & 0xff; 608 j = (j + S[i]) & 0xff; 609 S_SWAP(i, j); 610 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 611 } 612 m = m->m_next; 613 if (m == NULL) { 614 IASSERT(data_len == 0, 615 ("out of buffers with data_len %zu\n", data_len)); 616 break; 617 } 618 pos = mtod(m, uint8_t *); 619 buflen = m->m_len; 620 } 621 crc = ~crc; 622 623 /* Append little-endian CRC32 and encrypt it to produce ICV */ 624 icv[0] = crc; 625 icv[1] = crc >> 8; 626 icv[2] = crc >> 16; 627 icv[3] = crc >> 24; 628 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 629 i = (i + 1) & 0xff; 630 j = (j + S[i]) & 0xff; 631 S_SWAP(i, j); 632 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 633 } 634 } 635 636 static int 637 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 638 { 639 u32 i, j, k, crc; 640 u8 S[256]; 641 u8 *pos, icv[4]; 642 size_t buflen; 643 644 /* Setup RC4 state */ 645 for (i = 0; i < 256; i++) 646 S[i] = i; 647 j = 0; 648 for (i = 0; i < 256; i++) { 649 j = (j + S[i] + key[i & 0x0f]) & 0xff; 650 S_SWAP(i, j); 651 } 652 653 /* Apply RC4 to data and compute CRC32 over decrypted data */ 654 crc = ~0; 655 i = j = 0; 656 pos = mtod(m, uint8_t *) + off; 657 buflen = m->m_len - off; 658 for (;;) { 659 if (buflen > data_len) 660 buflen = data_len; 661 data_len -= buflen; 662 for (k = 0; k < buflen; k++) { 663 i = (i + 1) & 0xff; 664 j = (j + S[i]) & 0xff; 665 S_SWAP(i, j); 666 *pos ^= S[(S[i] + S[j]) & 0xff]; 667 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 668 pos++; 669 } 670 m = m->m_next; 671 if (m == NULL) { 672 IASSERT(data_len == 0, 673 ("out of buffers with data_len %zu\n", data_len)); 674 break; 675 } 676 pos = mtod(m, uint8_t *); 677 buflen = m->m_len; 678 } 679 crc = ~crc; 680 681 /* Encrypt little-endian CRC32 and verify that it matches with the 682 * received ICV */ 683 icv[0] = crc; 684 icv[1] = crc >> 8; 685 icv[2] = crc >> 16; 686 icv[3] = crc >> 24; 687 for (k = 0; k < 4; k++) { 688 i = (i + 1) & 0xff; 689 j = (j + S[i]) & 0xff; 690 S_SWAP(i, j); 691 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 692 /* ICV mismatch - drop frame */ 693 return -1; 694 } 695 } 696 697 return 0; 698 } 699 700 701 static __inline u32 rotl(u32 val, int bits) 702 { 703 return (val << bits) | (val >> (32 - bits)); 704 } 705 706 707 static __inline u32 rotr(u32 val, int bits) 708 { 709 return (val >> bits) | (val << (32 - bits)); 710 } 711 712 713 static __inline u32 xswap(u32 val) 714 { 715 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 716 } 717 718 719 #define michael_block(l, r) \ 720 do { \ 721 r ^= rotl(l, 17); \ 722 l += r; \ 723 r ^= xswap(l); \ 724 l += r; \ 725 r ^= rotl(l, 3); \ 726 l += r; \ 727 r ^= rotr(l, 2); \ 728 l += r; \ 729 } while (0) 730 731 732 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 733 { 734 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 735 } 736 737 static __inline u32 get_le32(const u8 *p) 738 { 739 return get_le32_split(p[0], p[1], p[2], p[3]); 740 } 741 742 743 static __inline void put_le32(u8 *p, u32 v) 744 { 745 p[0] = v; 746 p[1] = v >> 8; 747 p[2] = v >> 16; 748 p[3] = v >> 24; 749 } 750 751 /* 752 * Craft pseudo header used to calculate the MIC. 753 */ 754 static void 755 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 756 { 757 const struct ieee80211_frame_addr4 *wh = 758 (const struct ieee80211_frame_addr4 *) wh0; 759 760 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 761 case IEEE80211_FC1_DIR_NODS: 762 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 763 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 764 break; 765 case IEEE80211_FC1_DIR_TODS: 766 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 767 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 768 break; 769 case IEEE80211_FC1_DIR_FROMDS: 770 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 771 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 772 break; 773 case IEEE80211_FC1_DIR_DSTODS: 774 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 775 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 776 break; 777 } 778 779 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 780 const struct ieee80211_qosframe *qwh = 781 (const struct ieee80211_qosframe *) wh; 782 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 783 } else 784 hdr[12] = 0; 785 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 786 } 787 788 static void 789 michael_mic(struct tkip_ctx *ctx, const u8 *key, 790 struct mbuf *m, u_int off, size_t data_len, 791 u8 mic[IEEE80211_WEP_MICLEN]) 792 { 793 uint8_t hdr[16]; 794 u32 l, r; 795 const uint8_t *data; 796 u_int space; 797 uint8_t spill[4]; 798 int nspill = 0; 799 800 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 801 802 l = get_le32(key); 803 r = get_le32(key + 4); 804 805 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 806 l ^= get_le32(hdr); 807 michael_block(l, r); 808 l ^= get_le32(&hdr[4]); 809 michael_block(l, r); 810 l ^= get_le32(&hdr[8]); 811 michael_block(l, r); 812 l ^= get_le32(&hdr[12]); 813 michael_block(l, r); 814 815 /* first buffer has special handling */ 816 data = mtod(m, const uint8_t *) + off; 817 space = m->m_len - off; 818 for (;;) { 819 if (space > data_len) 820 space = data_len; 821 if (nspill) { 822 int n = min(4 - nspill, space); 823 memcpy(spill + nspill, data, n); 824 nspill += n; 825 data += n; 826 space -= n; 827 data_len -= n; 828 if (nspill == 4) { 829 l ^= get_le32(spill); 830 michael_block(l, r); 831 nspill = 0; 832 } else 833 goto next; 834 } 835 /* collect 32-bit blocks from current buffer */ 836 while (space >= sizeof(uint32_t)) { 837 l ^= get_le32(data); 838 michael_block(l, r); 839 data += sizeof(uint32_t); 840 space -= sizeof(uint32_t); 841 data_len -= sizeof(uint32_t); 842 } 843 if (space) { 844 memcpy(spill, data, space); 845 nspill = space; 846 data_len -= space; 847 } 848 next: 849 if (!data_len) 850 break; 851 m = m->m_next; 852 KASSERT(m); 853 /* 854 * Setup for next buffer. 855 */ 856 data = mtod(m, const uint8_t *); 857 space = m->m_len; 858 } 859 /* Last block and padding (0x5a, 4..7 x 0) */ 860 spill[nspill++] = 0x5a; 861 for (; nspill < 4; nspill++) 862 spill[nspill] = 0; 863 l ^= get_le32(spill); 864 michael_block(l, r); 865 /* l ^= 0; */ 866 michael_block(l, r); 867 868 put_le32(mic, l); 869 put_le32(mic + 4, r); 870 } 871 872 static int 873 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 874 struct mbuf *m, int hdrlen) 875 { 876 struct ieee80211_frame *wh; 877 uint8_t icv[IEEE80211_WEP_CRCLEN]; 878 879 ctx->tc_ic->ic_stats.is_crypto_tkip++; 880 881 wh = mtod(m, struct ieee80211_frame *); 882 if (!ctx->tx_phase1_done) { 883 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 884 (u32)(key->wk_keytsc >> 16)); 885 ctx->tx_phase1_done = 1; 886 } 887 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 888 (u16) key->wk_keytsc); 889 890 wep_encrypt(ctx->tx_rc4key, 891 m, hdrlen + tkip.ic_header, 892 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 893 icv); 894 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 895 896 key->wk_keytsc++; 897 if ((u16)(key->wk_keytsc) == 0) 898 ctx->tx_phase1_done = 0; 899 return 1; 900 } 901 902 static int 903 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 904 struct mbuf *m, int hdrlen) 905 { 906 struct ieee80211_frame *wh; 907 u32 iv32; 908 u16 iv16; 909 910 ctx->tc_ic->ic_stats.is_crypto_tkip++; 911 912 wh = mtod(m, struct ieee80211_frame *); 913 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 914 iv16 = (u16) ctx->rx_rsc; 915 iv32 = (u32) (ctx->rx_rsc >> 16); 916 917 if (iv32 != (u32)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 918 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 919 wh->i_addr2, iv32); 920 ctx->rx_phase1_done = 1; 921 } 922 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 923 924 /* NB: m is unstripped; deduct headers + ICV to get payload */ 925 if (wep_decrypt(ctx->rx_rc4key, 926 m, hdrlen + tkip.ic_header, 927 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 928 if (iv32 != (u32)(key->wk_keyrsc >> 16)) { 929 /* Previously cached Phase1 result was already lost, so 930 * it needs to be recalculated for the next packet. */ 931 ctx->rx_phase1_done = 0; 932 } 933 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 934 "[%s] TKIP ICV mismatch on decrypt\n", 935 ether_sprintf(wh->i_addr2)); 936 ctx->tc_ic->ic_stats.is_rx_tkipicv++; 937 return 0; 938 } 939 return 1; 940 } 941 942 IEEE80211_CRYPTO_SETUP(tkip_register) 943 { 944 ieee80211_crypto_register(&tkip); 945 } 946
Indexes created Wed Sep 24 02:09:48 GMT 2025