1 /*-
2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD: releng/11.1/sys/net80211/ieee80211_crypto_tkip.c 288526 2015-10-03 00:50:13Z adrian $");
28
29 /*
30 * IEEE 802.11i TKIP crypto support.
31 *
32 * Part of this module is derived from similar code in the Host
33 * AP driver. The code is used with the consent of the author and
34 * it's license is included below.
35 */
36 #include "opt_wlan.h"
37
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
45
46 #include <sys/socket.h>
47
48 #include <net/if.h>
49 #include <net/if_media.h>
50 #include <net/ethernet.h>
51
52 #include <net80211/ieee80211_var.h>
53
54 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
55 static void tkip_detach(struct ieee80211_key *);
56 static int tkip_setkey(struct ieee80211_key *);
57 static void tkip_setiv(struct ieee80211_key *, uint8_t *);
58 static int tkip_encap(struct ieee80211_key *, struct mbuf *);
59 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
60 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
61 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
62
63 static const struct ieee80211_cipher tkip = {
64 .ic_name = "TKIP",
65 .ic_cipher = IEEE80211_CIPHER_TKIP,
66 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
67 IEEE80211_WEP_EXTIVLEN,
68 .ic_trailer = IEEE80211_WEP_CRCLEN,
69 .ic_miclen = IEEE80211_WEP_MICLEN,
70 .ic_attach = tkip_attach,
71 .ic_detach = tkip_detach,
72 .ic_setkey = tkip_setkey,
73 .ic_setiv = tkip_setiv,
74 .ic_encap = tkip_encap,
75 .ic_decap = tkip_decap,
76 .ic_enmic = tkip_enmic,
77 .ic_demic = tkip_demic,
78 };
79
80 typedef uint8_t u8;
81 typedef uint16_t u16;
82 typedef uint32_t __u32;
83 typedef uint32_t u32;
84
85 struct tkip_ctx {
86 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */
87
88 u16 tx_ttak[5];
89 u8 tx_rc4key[16]; /* XXX for test module; make locals? */
90
91 u16 rx_ttak[5];
92 int rx_phase1_done;
93 u8 rx_rc4key[16]; /* XXX for test module; make locals? */
94 uint64_t rx_rsc; /* held until MIC verified */
95 };
96
97 static void michael_mic(struct tkip_ctx *, const u8 *key,
98 struct mbuf *m, u_int off, size_t data_len,
99 u8 mic[IEEE80211_WEP_MICLEN]);
100 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
101 struct mbuf *, int hdr_len);
102 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
103 struct mbuf *, int hdr_len);
104
105 /* number of references from net80211 layer */
106 static int nrefs = 0;
107
108 static void *
109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
110 {
111 struct tkip_ctx *ctx;
112
113 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
114 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
115 if (ctx == NULL) {
116 vap->iv_stats.is_crypto_nomem++;
117 return NULL;
118 }
119
120 ctx->tc_vap = vap;
121 nrefs++; /* NB: we assume caller locking */
122 return ctx;
123 }
124
125 static void
126 tkip_detach(struct ieee80211_key *k)
127 {
128 struct tkip_ctx *ctx = k->wk_private;
129
130 IEEE80211_FREE(ctx, M_80211_CRYPTO);
131 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
132 nrefs--; /* NB: we assume caller locking */
133 }
134
135 static int
136 tkip_setkey(struct ieee80211_key *k)
137 {
138 struct tkip_ctx *ctx = k->wk_private;
139
140 if (k->wk_keylen != (128/NBBY)) {
141 (void) ctx; /* XXX */
142 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
143 "%s: Invalid key length %u, expecting %u\n",
144 __func__, k->wk_keylen, 128/NBBY);
145 return 0;
146 }
147 ctx->rx_phase1_done = 0;
148 return 1;
149 }
150
151 static void
152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
153 {
154 struct tkip_ctx *ctx = k->wk_private;
155 struct ieee80211vap *vap = ctx->tc_vap;
156 uint8_t keyid;
157
158 keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
159
160 k->wk_keytsc++;
161 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
162 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
163 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
164 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
165 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
166 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
167 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
168 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
169 }
170
171 /*
172 * Add privacy headers and do any s/w encryption required.
173 */
174 static int
175 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
176 {
177 struct tkip_ctx *ctx = k->wk_private;
178 struct ieee80211vap *vap = ctx->tc_vap;
179 struct ieee80211com *ic = vap->iv_ic;
180 uint8_t *ivp;
181 int hdrlen;
182
183 /*
184 * Handle TKIP counter measures requirement.
185 */
186 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
187 #ifdef IEEE80211_DEBUG
188 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
189 #endif
190
191 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
192 "discard frame due to countermeasures (%s)", __func__);
193 vap->iv_stats.is_crypto_tkipcm++;
194 return 0;
195 }
196 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
197
198 /*
199 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
200 */
201 M_PREPEND(m, tkip.ic_header, M_NOWAIT);
202 if (m == NULL)
203 return 0;
204 ivp = mtod(m, uint8_t *);
205 memmove(ivp, ivp + tkip.ic_header, hdrlen);
206 ivp += hdrlen;
207
208 tkip_setiv(k, ivp);
209
210 /*
211 * Finally, do software encrypt if needed.
212 */
213 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
214 !tkip_encrypt(ctx, k, m, hdrlen))
215 return 0;
216
217 return 1;
218 }
219
220 /*
221 * Add MIC to the frame as needed.
222 */
223 static int
224 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
225 {
226 struct tkip_ctx *ctx = k->wk_private;
227
228 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
229 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
230 struct ieee80211vap *vap = ctx->tc_vap;
231 struct ieee80211com *ic = vap->iv_ic;
232 int hdrlen;
233 uint8_t mic[IEEE80211_WEP_MICLEN];
234
235 vap->iv_stats.is_crypto_tkipenmic++;
236
237 hdrlen = ieee80211_hdrspace(ic, wh);
238
239 michael_mic(ctx, k->wk_txmic,
240 m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
241 return m_append(m, tkip.ic_miclen, mic);
242 }
243 return 1;
244 }
245
246 static __inline uint64_t
247 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
248 {
249 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
250 uint16_t iv16 = (b4 << 0) | (b5 << 8);
251 return (((uint64_t)iv16) << 32) | iv32;
252 }
253
254 /*
255 * Validate and strip privacy headers (and trailer) for a
256 * received frame. If necessary, decrypt the frame using
257 * the specified key.
258 */
259 static int
260 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
261 {
262 struct tkip_ctx *ctx = k->wk_private;
263 struct ieee80211vap *vap = ctx->tc_vap;
264 struct ieee80211_frame *wh;
265 uint8_t *ivp, tid;
266
267 /*
268 * Header should have extended IV and sequence number;
269 * verify the former and validate the latter.
270 */
271 wh = mtod(m, struct ieee80211_frame *);
272 ivp = mtod(m, uint8_t *) + hdrlen;
273 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
274 /*
275 * No extended IV; discard frame.
276 */
277 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
278 "%s", "missing ExtIV for TKIP cipher");
279 vap->iv_stats.is_rx_tkipformat++;
280 return 0;
281 }
282 /*
283 * Handle TKIP counter measures requirement.
284 */
285 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
286 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
287 "discard frame due to countermeasures (%s)", __func__);
288 vap->iv_stats.is_crypto_tkipcm++;
289 return 0;
290 }
291
292 tid = ieee80211_gettid(wh);
293 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
294 if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
295 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
296 /*
297 * Replay violation; notify upper layer.
298 */
299 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
300 vap->iv_stats.is_rx_tkipreplay++;
301 return 0;
302 }
303 /*
304 * NB: We can't update the rsc in the key until MIC is verified.
305 *
306 * We assume we are not preempted between doing the check above
307 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
308 * Otherwise we might process another packet and discard it as
309 * a replay.
310 */
311
312 /*
313 * Check if the device handled the decrypt in hardware.
314 * If so we just strip the header; otherwise we need to
315 * handle the decrypt in software.
316 */
317 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
318 !tkip_decrypt(ctx, k, m, hdrlen))
319 return 0;
320
321 /*
322 * Copy up 802.11 header and strip crypto bits.
323 */
324 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
325 m_adj(m, tkip.ic_header);
326 m_adj(m, -tkip.ic_trailer);
327
328 return 1;
329 }
330
331 /*
332 * Verify and strip MIC from the frame.
333 */
334 static int
335 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
336 {
337 struct tkip_ctx *ctx = k->wk_private;
338 struct ieee80211_frame *wh;
339 uint8_t tid;
340
341 wh = mtod(m, struct ieee80211_frame *);
342 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
343 struct ieee80211vap *vap = ctx->tc_vap;
344 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
345 u8 mic[IEEE80211_WEP_MICLEN];
346 u8 mic0[IEEE80211_WEP_MICLEN];
347
348 vap->iv_stats.is_crypto_tkipdemic++;
349
350 michael_mic(ctx, k->wk_rxmic,
351 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
352 mic);
353 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
354 tkip.ic_miclen, mic0);
355 if (memcmp(mic, mic0, tkip.ic_miclen)) {
356 /* NB: 802.11 layer handles statistic and debug msg */
357 ieee80211_notify_michael_failure(vap, wh,
358 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
359 k->wk_rxkeyix : k->wk_keyix);
360 return 0;
361 }
362 }
363 /*
364 * Strip MIC from the tail.
365 */
366 m_adj(m, -tkip.ic_miclen);
367
368 /*
369 * Ok to update rsc now that MIC has been verified.
370 */
371 tid = ieee80211_gettid(wh);
372 k->wk_keyrsc[tid] = ctx->rx_rsc;
373
374 return 1;
375 }
376
377 /*
378 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
379 *
380 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
381 *
382 * This program is free software; you can redistribute it and/or modify
383 * it under the terms of the GNU General Public License version 2 as
384 * published by the Free Software Foundation. See README and COPYING for
385 * more details.
386 *
387 * Alternatively, this software may be distributed under the terms of BSD
388 * license.
389 */
390
391 static const __u32 crc32_table[256] = {
392 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
393 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
394 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
395 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
396 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
397 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
398 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
399 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
400 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
401 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
402 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
403 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
404 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
405 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
406 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
407 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
408 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
409 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
410 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
411 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
412 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
413 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
414 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
415 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
416 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
417 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
418 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
419 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
420 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
421 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
422 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
423 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
424 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
425 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
426 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
427 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
428 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
429 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
430 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
431 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
432 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
433 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
434 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
435 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
436 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
437 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
438 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
439 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
440 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
441 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
442 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
443 0x2d02ef8dL
444 };
445
446 static __inline u16 RotR1(u16 val)
447 {
448 return (val >> 1) | (val << 15);
449 }
450
451 static __inline u8 Lo8(u16 val)
452 {
453 return val & 0xff;
454 }
455
456 static __inline u8 Hi8(u16 val)
457 {
458 return val >> 8;
459 }
460
461 static __inline u16 Lo16(u32 val)
462 {
463 return val & 0xffff;
464 }
465
466 static __inline u16 Hi16(u32 val)
467 {
468 return val >> 16;
469 }
470
471 static __inline u16 Mk16(u8 hi, u8 lo)
472 {
473 return lo | (((u16) hi) << 8);
474 }
475
476 static __inline u16 Mk16_le(const u16 *v)
477 {
478 return le16toh(*v);
479 }
480
481 static const u16 Sbox[256] = {
482 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
483 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
484 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
485 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
486 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
487 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
488 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
489 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
490 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
491 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
492 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
493 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
494 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
495 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
496 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
497 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
498 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
499 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
500 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
501 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
502 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
503 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
504 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
505 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
506 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
507 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
508 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
509 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
510 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
511 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
512 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
513 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
514 };
515
516 static __inline u16 _S_(u16 v)
517 {
518 u16 t = Sbox[Hi8(v)];
519 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
520 }
521
522 #define PHASE1_LOOP_COUNT 8
523
524 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
525 {
526 int i, j;
527
528 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
529 TTAK[0] = Lo16(IV32);
530 TTAK[1] = Hi16(IV32);
531 TTAK[2] = Mk16(TA[1], TA[0]);
532 TTAK[3] = Mk16(TA[3], TA[2]);
533 TTAK[4] = Mk16(TA[5], TA[4]);
534
535 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
536 j = 2 * (i & 1);
537 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
538 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
539 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
540 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
541 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
542 }
543 }
544
545 #ifndef _BYTE_ORDER
546 #error "Don't know native byte order"
547 #endif
548
549 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
550 u16 IV16)
551 {
552 /* Make temporary area overlap WEP seed so that the final copy can be
553 * avoided on little endian hosts. */
554 u16 *PPK = (u16 *) &WEPSeed[4];
555
556 /* Step 1 - make copy of TTAK and bring in TSC */
557 PPK[0] = TTAK[0];
558 PPK[1] = TTAK[1];
559 PPK[2] = TTAK[2];
560 PPK[3] = TTAK[3];
561 PPK[4] = TTAK[4];
562 PPK[5] = TTAK[4] + IV16;
563
564 /* Step 2 - 96-bit bijective mixing using S-box */
565 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
566 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
567 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
568 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
569 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
570 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
571
572 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
573 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
574 PPK[2] += RotR1(PPK[1]);
575 PPK[3] += RotR1(PPK[2]);
576 PPK[4] += RotR1(PPK[3]);
577 PPK[5] += RotR1(PPK[4]);
578
579 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
580 * WEPSeed[0..2] is transmitted as WEP IV */
581 WEPSeed[0] = Hi8(IV16);
582 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
583 WEPSeed[2] = Lo8(IV16);
584 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
585
586 #if _BYTE_ORDER == _BIG_ENDIAN
587 {
588 int i;
589 for (i = 0; i < 6; i++)
590 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
591 }
592 #endif
593 }
594
595 static void
596 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
597 uint8_t icv[IEEE80211_WEP_CRCLEN])
598 {
599 u32 i, j, k, crc;
600 size_t buflen;
601 u8 S[256];
602 u8 *pos;
603 struct mbuf *m;
604 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
605
606 /* Setup RC4 state */
607 for (i = 0; i < 256; i++)
608 S[i] = i;
609 j = 0;
610 for (i = 0; i < 256; i++) {
611 j = (j + S[i] + key[i & 0x0f]) & 0xff;
612 S_SWAP(i, j);
613 }
614
615 /* Compute CRC32 over unencrypted data and apply RC4 to data */
616 crc = ~0;
617 i = j = 0;
618 m = m0;
619 pos = mtod(m, uint8_t *) + off;
620 buflen = m->m_len - off;
621 for (;;) {
622 if (buflen > data_len)
623 buflen = data_len;
624 data_len -= buflen;
625 for (k = 0; k < buflen; k++) {
626 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
627 i = (i + 1) & 0xff;
628 j = (j + S[i]) & 0xff;
629 S_SWAP(i, j);
630 *pos++ ^= S[(S[i] + S[j]) & 0xff];
631 }
632 m = m->m_next;
633 if (m == NULL) {
634 KASSERT(data_len == 0,
635 ("out of buffers with data_len %zu\n", data_len));
636 break;
637 }
638 pos = mtod(m, uint8_t *);
639 buflen = m->m_len;
640 }
641 crc = ~crc;
642
643 /* Append little-endian CRC32 and encrypt it to produce ICV */
644 icv[0] = crc;
645 icv[1] = crc >> 8;
646 icv[2] = crc >> 16;
647 icv[3] = crc >> 24;
648 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
649 i = (i + 1) & 0xff;
650 j = (j + S[i]) & 0xff;
651 S_SWAP(i, j);
652 icv[k] ^= S[(S[i] + S[j]) & 0xff];
653 }
654 }
655
656 static int
657 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
658 {
659 u32 i, j, k, crc;
660 u8 S[256];
661 u8 *pos, icv[4];
662 size_t buflen;
663
664 /* Setup RC4 state */
665 for (i = 0; i < 256; i++)
666 S[i] = i;
667 j = 0;
668 for (i = 0; i < 256; i++) {
669 j = (j + S[i] + key[i & 0x0f]) & 0xff;
670 S_SWAP(i, j);
671 }
672
673 /* Apply RC4 to data and compute CRC32 over decrypted data */
674 crc = ~0;
675 i = j = 0;
676 pos = mtod(m, uint8_t *) + off;
677 buflen = m->m_len - off;
678 for (;;) {
679 if (buflen > data_len)
680 buflen = data_len;
681 data_len -= buflen;
682 for (k = 0; k < buflen; k++) {
683 i = (i + 1) & 0xff;
684 j = (j + S[i]) & 0xff;
685 S_SWAP(i, j);
686 *pos ^= S[(S[i] + S[j]) & 0xff];
687 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
688 pos++;
689 }
690 m = m->m_next;
691 if (m == NULL) {
692 KASSERT(data_len == 0,
693 ("out of buffers with data_len %zu\n", data_len));
694 break;
695 }
696 pos = mtod(m, uint8_t *);
697 buflen = m->m_len;
698 }
699 crc = ~crc;
700
701 /* Encrypt little-endian CRC32 and verify that it matches with the
702 * received ICV */
703 icv[0] = crc;
704 icv[1] = crc >> 8;
705 icv[2] = crc >> 16;
706 icv[3] = crc >> 24;
707 for (k = 0; k < 4; k++) {
708 i = (i + 1) & 0xff;
709 j = (j + S[i]) & 0xff;
710 S_SWAP(i, j);
711 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
712 /* ICV mismatch - drop frame */
713 return -1;
714 }
715 }
716
717 return 0;
718 }
719
720
721 static __inline u32 rotl(u32 val, int bits)
722 {
723 return (val << bits) | (val >> (32 - bits));
724 }
725
726
727 static __inline u32 rotr(u32 val, int bits)
728 {
729 return (val >> bits) | (val << (32 - bits));
730 }
731
732
733 static __inline u32 xswap(u32 val)
734 {
735 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
736 }
737
738
739 #define michael_block(l, r) \
740 do { \
741 r ^= rotl(l, 17); \
742 l += r; \
743 r ^= xswap(l); \
744 l += r; \
745 r ^= rotl(l, 3); \
746 l += r; \
747 r ^= rotr(l, 2); \
748 l += r; \
749 } while (0)
750
751
752 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
753 {
754 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
755 }
756
757 static __inline u32 get_le32(const u8 *p)
758 {
759 return get_le32_split(p[0], p[1], p[2], p[3]);
760 }
761
762
763 static __inline void put_le32(u8 *p, u32 v)
764 {
765 p[0] = v;
766 p[1] = v >> 8;
767 p[2] = v >> 16;
768 p[3] = v >> 24;
769 }
770
771 /*
772 * Craft pseudo header used to calculate the MIC.
773 */
774 static void
775 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
776 {
777 const struct ieee80211_frame_addr4 *wh =
778 (const struct ieee80211_frame_addr4 *) wh0;
779
780 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
781 case IEEE80211_FC1_DIR_NODS:
782 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
783 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
784 break;
785 case IEEE80211_FC1_DIR_TODS:
786 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
787 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
788 break;
789 case IEEE80211_FC1_DIR_FROMDS:
790 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
791 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
792 break;
793 case IEEE80211_FC1_DIR_DSTODS:
794 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
795 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
796 break;
797 }
798
799 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
800 const struct ieee80211_qosframe *qwh =
801 (const struct ieee80211_qosframe *) wh;
802 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
803 } else
804 hdr[12] = 0;
805 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
806 }
807
808 static void
809 michael_mic(struct tkip_ctx *ctx, const u8 *key,
810 struct mbuf *m, u_int off, size_t data_len,
811 u8 mic[IEEE80211_WEP_MICLEN])
812 {
813 uint8_t hdr[16];
814 u32 l, r;
815 const uint8_t *data;
816 u_int space;
817
818 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
819
820 l = get_le32(key);
821 r = get_le32(key + 4);
822
823 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
824 l ^= get_le32(hdr);
825 michael_block(l, r);
826 l ^= get_le32(&hdr[4]);
827 michael_block(l, r);
828 l ^= get_le32(&hdr[8]);
829 michael_block(l, r);
830 l ^= get_le32(&hdr[12]);
831 michael_block(l, r);
832
833 /* first buffer has special handling */
834 data = mtod(m, const uint8_t *) + off;
835 space = m->m_len - off;
836 for (;;) {
837 if (space > data_len)
838 space = data_len;
839 /* collect 32-bit blocks from current buffer */
840 while (space >= sizeof(uint32_t)) {
841 l ^= get_le32(data);
842 michael_block(l, r);
843 data += sizeof(uint32_t), space -= sizeof(uint32_t);
844 data_len -= sizeof(uint32_t);
845 }
846 /*
847 * NB: when space is zero we make one more trip around
848 * the loop to advance to the next mbuf where there is
849 * data. This handles the case where there are 4*n
850 * bytes in an mbuf followed by <4 bytes in a later mbuf.
851 * By making an extra trip we'll drop out of the loop
852 * with m pointing at the mbuf with 3 bytes and space
853 * set as required by the remainder handling below.
854 */
855 if (data_len == 0 ||
856 (data_len < sizeof(uint32_t) && space != 0))
857 break;
858 m = m->m_next;
859 if (m == NULL) {
860 KASSERT(0, ("out of data, data_len %zu\n", data_len));
861 break;
862 }
863 if (space != 0) {
864 const uint8_t *data_next;
865 /*
866 * Block straddles buffers, split references.
867 */
868 data_next = mtod(m, const uint8_t *);
869 KASSERT(m->m_len >= sizeof(uint32_t) - space,
870 ("not enough data in following buffer, "
871 "m_len %u need %zu\n", m->m_len,
872 sizeof(uint32_t) - space));
873 switch (space) {
874 case 1:
875 l ^= get_le32_split(data[0], data_next[0],
876 data_next[1], data_next[2]);
877 data = data_next + 3;
878 space = m->m_len - 3;
879 break;
880 case 2:
881 l ^= get_le32_split(data[0], data[1],
882 data_next[0], data_next[1]);
883 data = data_next + 2;
884 space = m->m_len - 2;
885 break;
886 case 3:
887 l ^= get_le32_split(data[0], data[1],
888 data[2], data_next[0]);
889 data = data_next + 1;
890 space = m->m_len - 1;
891 break;
892 }
893 michael_block(l, r);
894 data_len -= sizeof(uint32_t);
895 } else {
896 /*
897 * Setup for next buffer.
898 */
899 data = mtod(m, const uint8_t *);
900 space = m->m_len;
901 }
902 }
903 /*
904 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
905 * mbuf[2 bytes]. I don't believe these should happen; if they
906 * do then we'll need more involved logic.
907 */
908 KASSERT(data_len <= space,
909 ("not enough data, data_len %zu space %u\n", data_len, space));
910
911 /* Last block and padding (0x5a, 4..7 x 0) */
912 switch (data_len) {
913 case 0:
914 l ^= get_le32_split(0x5a, 0, 0, 0);
915 break;
916 case 1:
917 l ^= get_le32_split(data[0], 0x5a, 0, 0);
918 break;
919 case 2:
920 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
921 break;
922 case 3:
923 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
924 break;
925 }
926 michael_block(l, r);
927 /* l ^= 0; */
928 michael_block(l, r);
929
930 put_le32(mic, l);
931 put_le32(mic + 4, r);
932 }
933
934 static int
935 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
936 struct mbuf *m, int hdrlen)
937 {
938 struct ieee80211_frame *wh;
939 uint8_t icv[IEEE80211_WEP_CRCLEN];
940
941 ctx->tc_vap->iv_stats.is_crypto_tkip++;
942
943 wh = mtod(m, struct ieee80211_frame *);
944 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
945 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
946 (u32)(key->wk_keytsc >> 16));
947 }
948 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
949 (u16) key->wk_keytsc);
950
951 wep_encrypt(ctx->tx_rc4key,
952 m, hdrlen + tkip.ic_header,
953 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
954 icv);
955 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */
956
957 return 1;
958 }
959
960 static int
961 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
962 struct mbuf *m, int hdrlen)
963 {
964 struct ieee80211_frame *wh;
965 struct ieee80211vap *vap = ctx->tc_vap;
966 u32 iv32;
967 u16 iv16;
968 u8 tid;
969
970 vap->iv_stats.is_crypto_tkip++;
971
972 wh = mtod(m, struct ieee80211_frame *);
973 /* NB: tkip_decap already verified header and left seq in rx_rsc */
974 iv16 = (u16) ctx->rx_rsc;
975 iv32 = (u32) (ctx->rx_rsc >> 16);
976
977 tid = ieee80211_gettid(wh);
978 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
979 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
980 wh->i_addr2, iv32);
981 ctx->rx_phase1_done = 1;
982 }
983 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
984
985 /* NB: m is unstripped; deduct headers + ICV to get payload */
986 if (wep_decrypt(ctx->rx_rc4key,
987 m, hdrlen + tkip.ic_header,
988 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
989 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
990 /* Previously cached Phase1 result was already lost, so
991 * it needs to be recalculated for the next packet. */
992 ctx->rx_phase1_done = 0;
993 }
994 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
995 "%s", "TKIP ICV mismatch on decrypt");
996 vap->iv_stats.is_rx_tkipicv++;
997 return 0;
998 }
999 return 1;
1000 }
1001
1002 /*
1003 * Module glue.
1004 */
1005 IEEE80211_CRYPTO_MODULE(tkip, 1);
Cache object: 6db59dbd9648541338d05b9d95c032b3
|