ieee80211_crypto_tkip.c revision 1.3
1 /*- 2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. The name of the author may not be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * Alternatively, this software may be distributed under the terms of the 17 * GNU General Public License ("GPL") version 2 as published by the Free 18 * Software Foundation. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifdef __FreeBSD__ 34 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_crypto_tkip.c,v 1.9 2005/06/10 16:11:24 sam Exp $"); 35 #endif 36 #ifdef __NetBSD__ 37 __KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto_tkip.c,v 1.3 2005/07/26 22:52:48 dyoung Exp $"); 38 #endif 39 40 /* 41 * IEEE 802.11i TKIP crypto support. 42 * 43 * Part of this module is derived from similar code in the Host 44 * AP driver. The code is used with the consent of the author and 45 * it's license is included below. 46 */ 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/mbuf.h> 50 #include <sys/malloc.h> 51 #include <sys/kernel.h> 52 #include <sys/endian.h> 53 54 #include <sys/socket.h> 55 56 #include <net/if.h> 57 #include <net/if_media.h> 58 59 #include <net80211/ieee80211_var.h> 60 61 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 62 static void tkip_detach(struct ieee80211_key *); 63 static int tkip_setkey(struct ieee80211_key *); 64 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, u_int8_t keyid); 65 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 66 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 67 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 68 69 const struct ieee80211_cipher ieee80211_cipher_tkip = { 70 .ic_name = "TKIP", 71 .ic_cipher = IEEE80211_CIPHER_TKIP, 72 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 73 IEEE80211_WEP_EXTIVLEN, 74 .ic_trailer = IEEE80211_WEP_CRCLEN, 75 .ic_miclen = IEEE80211_WEP_MICLEN, 76 .ic_attach = tkip_attach, 77 .ic_detach = tkip_detach, 78 .ic_setkey = tkip_setkey, 79 .ic_encap = tkip_encap, 80 .ic_decap = tkip_decap, 81 .ic_enmic = tkip_enmic, 82 .ic_demic = tkip_demic, 83 }; 84 85 #define tkip ieee80211_cipher_tkip 86 87 typedef uint8_t u8; 88 typedef uint16_t u16; 89 typedef uint32_t __u32; 90 typedef uint32_t u32; 91 92 struct tkip_ctx { 93 struct ieee80211com *tc_ic; /* for diagnostics */ 94 95 u16 tx_ttak[5]; 96 int tx_phase1_done; 97 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 98 99 u16 rx_ttak[5]; 100 int rx_phase1_done; 101 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 102 uint64_t rx_rsc; /* held until MIC verified */ 103 }; 104 105 static void michael_mic(struct tkip_ctx *, const u8 *key, 106 struct mbuf *m, u_int off, size_t data_len, 107 u8 mic[IEEE80211_WEP_MICLEN]); 108 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 109 struct mbuf *, int hdr_len); 110 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 111 struct mbuf *, int hdr_len); 112 113 static void * 114 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 115 { 116 struct tkip_ctx *ctx; 117 118 MALLOC(ctx, struct tkip_ctx *, sizeof(struct tkip_ctx), 119 M_DEVBUF, M_NOWAIT | M_ZERO); 120 if (ctx == NULL) { 121 ic->ic_stats.is_crypto_nomem++; 122 return NULL; 123 } 124 125 ctx->tc_ic = ic; 126 return ctx; 127 } 128 129 static void 130 tkip_detach(struct ieee80211_key *k) 131 { 132 struct tkip_ctx *ctx = k->wk_private; 133 134 FREE(ctx, M_DEVBUF); 135 } 136 137 static int 138 tkip_setkey(struct ieee80211_key *k) 139 { 140 struct tkip_ctx *ctx = k->wk_private; 141 142 if (k->wk_keylen != (128/NBBY)) { 143 (void) ctx; /* XXX */ 144 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 145 "%s: Invalid key length %u, expecting %u\n", 146 __func__, k->wk_keylen, 128/NBBY); 147 return 0; 148 } 149 k->wk_keytsc = 1; /* TSC starts at 1 */ 150 return 1; 151 } 152 153 /* 154 * Add privacy headers and do any s/w encryption required. 155 */ 156 static int 157 tkip_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid) 158 { 159 struct tkip_ctx *ctx = k->wk_private; 160 struct ieee80211com *ic = ctx->tc_ic; 161 u_int8_t *ivp; 162 int hdrlen; 163 164 /* 165 * Handle TKIP counter measures requirement. 166 */ 167 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 168 #ifdef IEEE80211_DEBUG 169 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 170 #endif 171 172 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 173 "[%s] Discard frame due to countermeasures (%s)\n", 174 ether_sprintf(wh->i_addr2), __func__); 175 ic->ic_stats.is_crypto_tkipcm++; 176 return 0; 177 } 178 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 179 180 /* 181 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 182 */ 183 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 184 if (m == NULL) 185 return 0; 186 ivp = mtod(m, u_int8_t *); 187 memmove(ivp, ivp + tkip.ic_header, hdrlen); 188 ivp += hdrlen; 189 190 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 191 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 192 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 193 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 194 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 195 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 196 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 197 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 198 199 /* 200 * Finally, do software encrypt if neeed. 201 */ 202 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 203 if (!tkip_encrypt(ctx, k, m, hdrlen)) 204 return 0; 205 /* NB: tkip_encrypt handles wk_keytsc */ 206 } else 207 k->wk_keytsc++; 208 209 return 1; 210 } 211 212 /* 213 * Add MIC to the frame as needed. 214 */ 215 static int 216 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 217 { 218 struct tkip_ctx *ctx = k->wk_private; 219 220 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 221 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 222 struct ieee80211com *ic = ctx->tc_ic; 223 int hdrlen; 224 uint8_t mic[IEEE80211_WEP_MICLEN]; 225 226 ic->ic_stats.is_crypto_tkipenmic++; 227 228 hdrlen = ieee80211_hdrspace(ic, wh); 229 230 michael_mic(ctx, k->wk_txmic, 231 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 232 return m_append(m, tkip.ic_miclen, mic); 233 } 234 return 1; 235 } 236 237 static __inline uint64_t 238 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 239 { 240 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 241 uint16_t iv16 = (b4 << 0) | (b5 << 8); 242 return (((uint64_t)iv16) << 32) | iv32; 243 } 244 245 /* 246 * Validate and strip privacy headers (and trailer) for a 247 * received frame. If necessary, decrypt the frame using 248 * the specified key. 249 */ 250 static int 251 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 252 { 253 struct tkip_ctx *ctx = k->wk_private; 254 struct ieee80211com *ic = ctx->tc_ic; 255 struct ieee80211_frame *wh; 256 uint8_t *ivp; 257 258 /* 259 * Header should have extended IV and sequence number; 260 * verify the former and validate the latter. 261 */ 262 wh = mtod(m, struct ieee80211_frame *); 263 ivp = mtod(m, uint8_t *) + hdrlen; 264 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 265 /* 266 * No extended IV; discard frame. 267 */ 268 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 269 "[%s] missing ExtIV for TKIP cipher\n", 270 ether_sprintf(wh->i_addr2)); 271 ctx->tc_ic->ic_stats.is_rx_tkipformat++; 272 return 0; 273 } 274 /* 275 * Handle TKIP counter measures requirement. 276 */ 277 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 278 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 279 "[%s] discard frame due to countermeasures (%s)\n", 280 ether_sprintf(wh->i_addr2), __func__); 281 ic->ic_stats.is_crypto_tkipcm++; 282 return 0; 283 } 284 285 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 286 if (ctx->rx_rsc <= k->wk_keyrsc) { 287 /* 288 * Replay violation; notify upper layer. 289 */ 290 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc); 291 ctx->tc_ic->ic_stats.is_rx_tkipreplay++; 292 return 0; 293 } 294 /* 295 * NB: We can't update the rsc in the key until MIC is verified. 296 * 297 * We assume we are not preempted between doing the check above 298 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 299 * Otherwise we might process another packet and discard it as 300 * a replay. 301 */ 302 303 /* 304 * Check if the device handled the decrypt in hardware. 305 * If so we just strip the header; otherwise we need to 306 * handle the decrypt in software. 307 */ 308 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) && 309 !tkip_decrypt(ctx, k, m, hdrlen)) 310 return 0; 311 312 /* 313 * Copy up 802.11 header and strip crypto bits. 314 */ 315 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 316 m_adj(m, tkip.ic_header); 317 m_adj(m, -tkip.ic_trailer); 318 319 return 1; 320 } 321 322 /* 323 * Verify and strip MIC from the frame. 324 */ 325 static int 326 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 327 { 328 struct tkip_ctx *ctx = k->wk_private; 329 330 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 331 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 332 struct ieee80211com *ic = ctx->tc_ic; 333 int hdrlen = ieee80211_hdrspace(ic, wh); 334 u8 mic[IEEE80211_WEP_MICLEN]; 335 u8 mic0[IEEE80211_WEP_MICLEN]; 336 337 ic->ic_stats.is_crypto_tkipdemic++; 338 339 michael_mic(ctx, k->wk_rxmic, 340 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 341 mic); 342 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 343 tkip.ic_miclen, mic0); 344 if (memcmp(mic, mic0, tkip.ic_miclen)) { 345 /* NB: 802.11 layer handles statistic and debug msg */ 346 ieee80211_notify_michael_failure(ic, wh, k->wk_keyix); 347 return 0; 348 } 349 } 350 /* 351 * Strip MIC from the tail. 352 */ 353 m_adj(m, -tkip.ic_miclen); 354 355 /* 356 * Ok to update rsc now that MIC has been verified. 357 */ 358 k->wk_keyrsc = ctx->rx_rsc; 359 360 return 1; 361 } 362 363 /* 364 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 365 * 366 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline (at) cc.hut.fi> 367 * 368 * This program is free software; you can redistribute it and/or modify 369 * it under the terms of the GNU General Public License version 2 as 370 * published by the Free Software Foundation. See README and COPYING for 371 * more details. 372 * 373 * Alternatively, this software may be distributed under the terms of BSD 374 * license. 375 */ 376 377 static const __u32 crc32_table[256] = { 378 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 379 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 380 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 381 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 382 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 383 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 384 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 385 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 386 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 387 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 388 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 389 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 390 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 391 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 392 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 393 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 394 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 395 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 396 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 397 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 398 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 399 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 400 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 401 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 402 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 403 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 404 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 405 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 406 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 407 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 408 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 409 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 410 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 411 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 412 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 413 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 414 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 415 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 416 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 417 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 418 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 419 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 420 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 421 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 422 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 423 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 424 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 425 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 426 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 427 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 428 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 429 0x2d02ef8dL 430 }; 431 432 static __inline u16 RotR1(u16 val) 433 { 434 return (val >> 1) | (val << 15); 435 } 436 437 static __inline u8 Lo8(u16 val) 438 { 439 return val & 0xff; 440 } 441 442 static __inline u8 Hi8(u16 val) 443 { 444 return val >> 8; 445 } 446 447 static __inline u16 Lo16(u32 val) 448 { 449 return val & 0xffff; 450 } 451 452 static __inline u16 Hi16(u32 val) 453 { 454 return val >> 16; 455 } 456 457 static __inline u16 Mk16(u8 hi, u8 lo) 458 { 459 return lo | (((u16) hi) << 8); 460 } 461 462 static __inline u16 Mk16_le(const u16 *v) 463 { 464 return le16toh(*v); 465 } 466 467 static const u16 Sbox[256] = { 468 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 469 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 470 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 471 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 472 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 473 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 474 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 475 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 476 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 477 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 478 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 479 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 480 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 481 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 482 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 483 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 484 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 485 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 486 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 487 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 488 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 489 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 490 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 491 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 492 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 493 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 494 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 495 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 496 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 497 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 498 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 499 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 500 }; 501 502 static __inline u16 _S_(u16 v) 503 { 504 u16 t = Sbox[Hi8(v)]; 505 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 506 } 507 508 #define PHASE1_LOOP_COUNT 8 509 510 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 511 { 512 int i, j; 513 514 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 515 TTAK[0] = Lo16(IV32); 516 TTAK[1] = Hi16(IV32); 517 TTAK[2] = Mk16(TA[1], TA[0]); 518 TTAK[3] = Mk16(TA[3], TA[2]); 519 TTAK[4] = Mk16(TA[5], TA[4]); 520 521 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 522 j = 2 * (i & 1); 523 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 524 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 525 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 526 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 527 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 528 } 529 } 530 531 #ifndef _BYTE_ORDER 532 #error "Don't know native byte order" 533 #endif 534 535 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 536 u16 IV16) 537 { 538 /* Make temporary area overlap WEP seed so that the final copy can be 539 * avoided on little endian hosts. */ 540 u16 *PPK = (u16 *) &WEPSeed[4]; 541 542 /* Step 1 - make copy of TTAK and bring in TSC */ 543 PPK[0] = TTAK[0]; 544 PPK[1] = TTAK[1]; 545 PPK[2] = TTAK[2]; 546 PPK[3] = TTAK[3]; 547 PPK[4] = TTAK[4]; 548 PPK[5] = TTAK[4] + IV16; 549 550 /* Step 2 - 96-bit bijective mixing using S-box */ 551 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 552 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 553 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 554 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 555 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 556 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 557 558 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 559 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 560 PPK[2] += RotR1(PPK[1]); 561 PPK[3] += RotR1(PPK[2]); 562 PPK[4] += RotR1(PPK[3]); 563 PPK[5] += RotR1(PPK[4]); 564 565 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 566 * WEPSeed[0..2] is transmitted as WEP IV */ 567 WEPSeed[0] = Hi8(IV16); 568 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 569 WEPSeed[2] = Lo8(IV16); 570 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 571 572 #if _BYTE_ORDER == _BIG_ENDIAN 573 { 574 int i; 575 for (i = 0; i < 6; i++) 576 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 577 } 578 #endif 579 } 580 581 static void 582 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 583 uint8_t icv[IEEE80211_WEP_CRCLEN]) 584 { 585 u32 i, j, k, crc; 586 size_t buflen; 587 u8 S[256]; 588 u8 *pos; 589 struct mbuf *m; 590 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 591 592 /* Setup RC4 state */ 593 for (i = 0; i < 256; i++) 594 S[i] = i; 595 j = 0; 596 for (i = 0; i < 256; i++) { 597 j = (j + S[i] + key[i & 0x0f]) & 0xff; 598 S_SWAP(i, j); 599 } 600 601 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 602 crc = ~0; 603 i = j = 0; 604 m = m0; 605 pos = mtod(m, uint8_t *) + off; 606 buflen = m->m_len - off; 607 for (;;) { 608 if (buflen > data_len) 609 buflen = data_len; 610 data_len -= buflen; 611 for (k = 0; k < buflen; k++) { 612 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 613 i = (i + 1) & 0xff; 614 j = (j + S[i]) & 0xff; 615 S_SWAP(i, j); 616 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 617 } 618 m = m->m_next; 619 if (m == NULL) { 620 IASSERT(data_len == 0, 621 ("out of buffers with data_len %zu\n", data_len)); 622 break; 623 } 624 pos = mtod(m, uint8_t *); 625 buflen = m->m_len; 626 } 627 crc = ~crc; 628 629 /* Append little-endian CRC32 and encrypt it to produce ICV */ 630 icv[0] = crc; 631 icv[1] = crc >> 8; 632 icv[2] = crc >> 16; 633 icv[3] = crc >> 24; 634 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 635 i = (i + 1) & 0xff; 636 j = (j + S[i]) & 0xff; 637 S_SWAP(i, j); 638 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 639 } 640 } 641 642 static int 643 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 644 { 645 u32 i, j, k, crc; 646 u8 S[256]; 647 u8 *pos, icv[4]; 648 size_t buflen; 649 650 /* Setup RC4 state */ 651 for (i = 0; i < 256; i++) 652 S[i] = i; 653 j = 0; 654 for (i = 0; i < 256; i++) { 655 j = (j + S[i] + key[i & 0x0f]) & 0xff; 656 S_SWAP(i, j); 657 } 658 659 /* Apply RC4 to data and compute CRC32 over decrypted data */ 660 crc = ~0; 661 i = j = 0; 662 pos = mtod(m, uint8_t *) + off; 663 buflen = m->m_len - off; 664 for (;;) { 665 if (buflen > data_len) 666 buflen = data_len; 667 data_len -= buflen; 668 for (k = 0; k < buflen; k++) { 669 i = (i + 1) & 0xff; 670 j = (j + S[i]) & 0xff; 671 S_SWAP(i, j); 672 *pos ^= S[(S[i] + S[j]) & 0xff]; 673 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 674 pos++; 675 } 676 m = m->m_next; 677 if (m == NULL) { 678 IASSERT(data_len == 0, 679 ("out of buffers with data_len %zu\n", data_len)); 680 break; 681 } 682 pos = mtod(m, uint8_t *); 683 buflen = m->m_len; 684 } 685 crc = ~crc; 686 687 /* Encrypt little-endian CRC32 and verify that it matches with the 688 * received ICV */ 689 icv[0] = crc; 690 icv[1] = crc >> 8; 691 icv[2] = crc >> 16; 692 icv[3] = crc >> 24; 693 for (k = 0; k < 4; k++) { 694 i = (i + 1) & 0xff; 695 j = (j + S[i]) & 0xff; 696 S_SWAP(i, j); 697 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 698 /* ICV mismatch - drop frame */ 699 return -1; 700 } 701 } 702 703 return 0; 704 } 705 706 707 static __inline u32 rotl(u32 val, int bits) 708 { 709 return (val << bits) | (val >> (32 - bits)); 710 } 711 712 713 static __inline u32 rotr(u32 val, int bits) 714 { 715 return (val >> bits) | (val << (32 - bits)); 716 } 717 718 719 static __inline u32 xswap(u32 val) 720 { 721 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 722 } 723 724 725 #define michael_block(l, r) \ 726 do { \ 727 r ^= rotl(l, 17); \ 728 l += r; \ 729 r ^= xswap(l); \ 730 l += r; \ 731 r ^= rotl(l, 3); \ 732 l += r; \ 733 r ^= rotr(l, 2); \ 734 l += r; \ 735 } while (0) 736 737 738 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 739 { 740 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 741 } 742 743 static __inline u32 get_le32(const u8 *p) 744 { 745 return get_le32_split(p[0], p[1], p[2], p[3]); 746 } 747 748 749 static __inline void put_le32(u8 *p, u32 v) 750 { 751 p[0] = v; 752 p[1] = v >> 8; 753 p[2] = v >> 16; 754 p[3] = v >> 24; 755 } 756 757 /* 758 * Craft pseudo header used to calculate the MIC. 759 */ 760 static void 761 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 762 { 763 const struct ieee80211_frame_addr4 *wh = 764 (const struct ieee80211_frame_addr4 *) wh0; 765 766 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 767 case IEEE80211_FC1_DIR_NODS: 768 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 769 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 770 break; 771 case IEEE80211_FC1_DIR_TODS: 772 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 773 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 774 break; 775 case IEEE80211_FC1_DIR_FROMDS: 776 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 777 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 778 break; 779 case IEEE80211_FC1_DIR_DSTODS: 780 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 781 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 782 break; 783 } 784 785 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 786 const struct ieee80211_qosframe *qwh = 787 (const struct ieee80211_qosframe *) wh; 788 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 789 } else 790 hdr[12] = 0; 791 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 792 } 793 794 static void 795 michael_mic(struct tkip_ctx *ctx, const u8 *key, 796 struct mbuf *m, u_int off, size_t data_len, 797 u8 mic[IEEE80211_WEP_MICLEN]) 798 { 799 uint8_t hdr[16]; 800 u32 l, r; 801 const uint8_t *data; 802 u_int space; 803 804 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 805 806 l = get_le32(key); 807 r = get_le32(key + 4); 808 809 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 810 l ^= get_le32(hdr); 811 michael_block(l, r); 812 l ^= get_le32(&hdr[4]); 813 michael_block(l, r); 814 l ^= get_le32(&hdr[8]); 815 michael_block(l, r); 816 l ^= get_le32(&hdr[12]); 817 michael_block(l, r); 818 819 /* first buffer has special handling */ 820 data = mtod(m, const uint8_t *) + off; 821 space = m->m_len - off; 822 for (;;) { 823 if (space > data_len) 824 space = data_len; 825 /* collect 32-bit blocks from current buffer */ 826 while (space >= sizeof(uint32_t)) { 827 l ^= get_le32(data); 828 michael_block(l, r); 829 data += sizeof(uint32_t), space -= sizeof(uint32_t); 830 data_len -= sizeof(uint32_t); 831 } 832 if (data_len < sizeof(uint32_t)) 833 break; 834 m = m->m_next; 835 if (m == NULL) { 836 IASSERT(0, ("out of data, data_len %zu\n", data_len)); 837 break; 838 } 839 if (space != 0) { 840 const uint8_t *data_next; 841 /* 842 * Block straddles buffers, split references. 843 */ 844 data_next = mtod(m, const uint8_t *); 845 IASSERT(m->m_len >= sizeof(uint32_t) - space, 846 ("not enough data in following buffer, " 847 "m_len %u need %zu\n", m->m_len, 848 sizeof(uint32_t) - space)); 849 switch (space) { 850 case 1: 851 l ^= get_le32_split(data[0], data_next[0], 852 data_next[1], data_next[2]); 853 data = data_next + 3; 854 space = m->m_len - 3; 855 break; 856 case 2: 857 l ^= get_le32_split(data[0], data[1], 858 data_next[0], data_next[1]); 859 data = data_next + 2; 860 space = m->m_len - 2; 861 break; 862 case 3: 863 l ^= get_le32_split(data[0], data[1], 864 data[2], data_next[0]); 865 data = data_next + 1; 866 space = m->m_len - 1; 867 break; 868 } 869 michael_block(l, r); 870 data_len -= sizeof(uint32_t); 871 } else { 872 /* 873 * Setup for next buffer. 874 */ 875 data = mtod(m, const uint8_t *); 876 space = m->m_len; 877 } 878 } 879 /* Last block and padding (0x5a, 4..7 x 0) */ 880 switch (data_len) { 881 case 0: 882 l ^= get_le32_split(0x5a, 0, 0, 0); 883 break; 884 case 1: 885 l ^= get_le32_split(data[0], 0x5a, 0, 0); 886 break; 887 case 2: 888 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 889 break; 890 case 3: 891 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 892 break; 893 } 894 michael_block(l, r); 895 /* l ^= 0; */ 896 michael_block(l, r); 897 898 put_le32(mic, l); 899 put_le32(mic + 4, r); 900 } 901 902 static int 903 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 904 struct mbuf *m, int hdrlen) 905 { 906 struct ieee80211_frame *wh; 907 uint8_t icv[IEEE80211_WEP_CRCLEN]; 908 909 ctx->tc_ic->ic_stats.is_crypto_tkip++; 910 911 wh = mtod(m, struct ieee80211_frame *); 912 if (!ctx->tx_phase1_done) { 913 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 914 (u32)(key->wk_keytsc >> 16)); 915 ctx->tx_phase1_done = 1; 916 } 917 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 918 (u16) key->wk_keytsc); 919 920 wep_encrypt(ctx->tx_rc4key, 921 m, hdrlen + tkip.ic_header, 922 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 923 icv); 924 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 925 926 key->wk_keytsc++; 927 if ((u16)(key->wk_keytsc) == 0) 928 ctx->tx_phase1_done = 0; 929 return 1; 930 } 931 932 static int 933 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 934 struct mbuf *m, int hdrlen) 935 { 936 struct ieee80211_frame *wh; 937 u32 iv32; 938 u16 iv16; 939 940 ctx->tc_ic->ic_stats.is_crypto_tkip++; 941 942 wh = mtod(m, struct ieee80211_frame *); 943 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 944 iv16 = (u16) ctx->rx_rsc; 945 iv32 = (u32) (ctx->rx_rsc >> 16); 946 947 if (iv32 != (u32)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 948 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 949 wh->i_addr2, iv32); 950 ctx->rx_phase1_done = 1; 951 } 952 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 953 954 /* NB: m is unstripped; deduct headers + ICV to get payload */ 955 if (wep_decrypt(ctx->rx_rc4key, 956 m, hdrlen + tkip.ic_header, 957 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 958 if (iv32 != (u32)(key->wk_keyrsc >> 16)) { 959 /* Previously cached Phase1 result was already lost, so 960 * it needs to be recalculated for the next packet. */ 961 ctx->rx_phase1_done = 0; 962 } 963 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 964 "[%s] TKIP ICV mismatch on decrypt\n", 965 ether_sprintf(wh->i_addr2)); 966 ctx->tc_ic->ic_stats.is_rx_tkipicv++; 967 return 0; 968 } 969 return 1; 970 } 971
Indexes created Tue Sep 23 22:09:46 GMT 2025