Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_crypto_tkip.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD: releng/8.0/sys/net80211/ieee80211_crypto_tkip.c 193541 2009-06-05 23:10:30Z sam $"); 28 29 /* 30 * IEEE 802.11i TKIP crypto support. 31 * 32 * Part of this module is derived from similar code in the Host 33 * AP driver. The code is used with the consent of the author and 34 * it's license is included below. 35 */ 36 #include "opt_wlan.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/mbuf.h> 41 #include <sys/malloc.h> 42 #include <sys/kernel.h> 43 #include <sys/module.h> 44 #include <sys/endian.h> 45 46 #include <sys/socket.h> 47 48 #include <net/if.h> 49 #include <net/if_media.h> 50 #include <net/ethernet.h> 51 52 #include <net80211/ieee80211_var.h> 53 54 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 55 static void tkip_detach(struct ieee80211_key *); 56 static int tkip_setkey(struct ieee80211_key *); 57 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, uint8_t keyid); 58 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 59 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 60 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 61 62 static const struct ieee80211_cipher tkip = { 63 .ic_name = "TKIP", 64 .ic_cipher = IEEE80211_CIPHER_TKIP, 65 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 66 IEEE80211_WEP_EXTIVLEN, 67 .ic_trailer = IEEE80211_WEP_CRCLEN, 68 .ic_miclen = IEEE80211_WEP_MICLEN, 69 .ic_attach = tkip_attach, 70 .ic_detach = tkip_detach, 71 .ic_setkey = tkip_setkey, 72 .ic_encap = tkip_encap, 73 .ic_decap = tkip_decap, 74 .ic_enmic = tkip_enmic, 75 .ic_demic = tkip_demic, 76 }; 77 78 typedef uint8_t u8; 79 typedef uint16_t u16; 80 typedef uint32_t __u32; 81 typedef uint32_t u32; 82 83 struct tkip_ctx { 84 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 85 86 u16 tx_ttak[5]; 87 int tx_phase1_done; 88 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 89 90 u16 rx_ttak[5]; 91 int rx_phase1_done; 92 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 93 uint64_t rx_rsc; /* held until MIC verified */ 94 }; 95 96 static void michael_mic(struct tkip_ctx *, const u8 *key, 97 struct mbuf *m, u_int off, size_t data_len, 98 u8 mic[IEEE80211_WEP_MICLEN]); 99 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 100 struct mbuf *, int hdr_len); 101 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 102 struct mbuf *, int hdr_len); 103 104 /* number of references from net80211 layer */ 105 static int nrefs = 0; 106 107 static void * 108 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 109 { 110 struct tkip_ctx *ctx; 111 112 ctx = (struct tkip_ctx *) malloc(sizeof(struct tkip_ctx), 113 M_80211_CRYPTO, M_NOWAIT | M_ZERO); 114 if (ctx == NULL) { 115 vap->iv_stats.is_crypto_nomem++; 116 return NULL; 117 } 118 119 ctx->tc_vap = vap; 120 nrefs++; /* NB: we assume caller locking */ 121 return ctx; 122 } 123 124 static void 125 tkip_detach(struct ieee80211_key *k) 126 { 127 struct tkip_ctx *ctx = k->wk_private; 128 129 free(ctx, M_80211_CRYPTO); 130 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 131 nrefs--; /* NB: we assume caller locking */ 132 } 133 134 static int 135 tkip_setkey(struct ieee80211_key *k) 136 { 137 struct tkip_ctx *ctx = k->wk_private; 138 139 if (k->wk_keylen != (128/NBBY)) { 140 (void) ctx; /* XXX */ 141 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 142 "%s: Invalid key length %u, expecting %u\n", 143 __func__, k->wk_keylen, 128/NBBY); 144 return 0; 145 } 146 k->wk_keytsc = 1; /* TSC starts at 1 */ 147 return 1; 148 } 149 150 /* 151 * Add privacy headers and do any s/w encryption required. 152 */ 153 static int 154 tkip_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 155 { 156 struct tkip_ctx *ctx = k->wk_private; 157 struct ieee80211vap *vap = ctx->tc_vap; 158 struct ieee80211com *ic = vap->iv_ic; 159 uint8_t *ivp; 160 int hdrlen; 161 162 /* 163 * Handle TKIP counter measures requirement. 164 */ 165 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 166 #ifdef IEEE80211_DEBUG 167 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 168 #endif 169 170 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 171 "discard frame due to countermeasures (%s)", __func__); 172 vap->iv_stats.is_crypto_tkipcm++; 173 return 0; 174 } 175 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 176 177 /* 178 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 179 */ 180 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 181 if (m == NULL) 182 return 0; 183 ivp = mtod(m, uint8_t *); 184 memmove(ivp, ivp + tkip.ic_header, hdrlen); 185 ivp += hdrlen; 186 187 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 188 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 189 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 190 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 191 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 192 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 193 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 194 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 195 196 /* 197 * Finally, do software encrypt if neeed. 198 */ 199 if (k->wk_flags & IEEE80211_KEY_SWENCRYPT) { 200 if (!tkip_encrypt(ctx, k, m, hdrlen)) 201 return 0; 202 /* NB: tkip_encrypt handles wk_keytsc */ 203 } else 204 k->wk_keytsc++; 205 206 return 1; 207 } 208 209 /* 210 * Add MIC to the frame as needed. 211 */ 212 static int 213 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 214 { 215 struct tkip_ctx *ctx = k->wk_private; 216 217 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 218 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 219 struct ieee80211vap *vap = ctx->tc_vap; 220 struct ieee80211com *ic = vap->iv_ic; 221 int hdrlen; 222 uint8_t mic[IEEE80211_WEP_MICLEN]; 223 224 vap->iv_stats.is_crypto_tkipenmic++; 225 226 hdrlen = ieee80211_hdrspace(ic, wh); 227 228 michael_mic(ctx, k->wk_txmic, 229 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 230 return m_append(m, tkip.ic_miclen, mic); 231 } 232 return 1; 233 } 234 235 static __inline uint64_t 236 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 237 { 238 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 239 uint16_t iv16 = (b4 << 0) | (b5 << 8); 240 return (((uint64_t)iv16) << 32) | iv32; 241 } 242 243 /* 244 * Validate and strip privacy headers (and trailer) for a 245 * received frame. If necessary, decrypt the frame using 246 * the specified key. 247 */ 248 static int 249 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 250 { 251 struct tkip_ctx *ctx = k->wk_private; 252 struct ieee80211vap *vap = ctx->tc_vap; 253 struct ieee80211_frame *wh; 254 uint8_t *ivp, tid; 255 256 /* 257 * Header should have extended IV and sequence number; 258 * verify the former and validate the latter. 259 */ 260 wh = mtod(m, struct ieee80211_frame *); 261 ivp = mtod(m, uint8_t *) + hdrlen; 262 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 263 /* 264 * No extended IV; discard frame. 265 */ 266 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 267 "%s", "missing ExtIV for TKIP cipher"); 268 vap->iv_stats.is_rx_tkipformat++; 269 return 0; 270 } 271 /* 272 * Handle TKIP counter measures requirement. 273 */ 274 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 275 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 276 "discard frame due to countermeasures (%s)", __func__); 277 vap->iv_stats.is_crypto_tkipcm++; 278 return 0; 279 } 280 281 tid = ieee80211_gettid(wh); 282 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 283 if (ctx->rx_rsc <= k->wk_keyrsc[tid]) { 284 /* 285 * Replay violation; notify upper layer. 286 */ 287 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 288 vap->iv_stats.is_rx_tkipreplay++; 289 return 0; 290 } 291 /* 292 * NB: We can't update the rsc in the key until MIC is verified. 293 * 294 * We assume we are not preempted between doing the check above 295 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 296 * Otherwise we might process another packet and discard it as 297 * a replay. 298 */ 299 300 /* 301 * Check if the device handled the decrypt in hardware. 302 * If so we just strip the header; otherwise we need to 303 * handle the decrypt in software. 304 */ 305 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 306 !tkip_decrypt(ctx, k, m, hdrlen)) 307 return 0; 308 309 /* 310 * Copy up 802.11 header and strip crypto bits. 311 */ 312 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 313 m_adj(m, tkip.ic_header); 314 m_adj(m, -tkip.ic_trailer); 315 316 return 1; 317 } 318 319 /* 320 * Verify and strip MIC from the frame. 321 */ 322 static int 323 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 324 { 325 struct tkip_ctx *ctx = k->wk_private; 326 struct ieee80211_frame *wh; 327 uint8_t tid; 328 329 wh = mtod(m, struct ieee80211_frame *); 330 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 331 struct ieee80211vap *vap = ctx->tc_vap; 332 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 333 u8 mic[IEEE80211_WEP_MICLEN]; 334 u8 mic0[IEEE80211_WEP_MICLEN]; 335 336 vap->iv_stats.is_crypto_tkipdemic++; 337 338 michael_mic(ctx, k->wk_rxmic, 339 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 340 mic); 341 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 342 tkip.ic_miclen, mic0); 343 if (memcmp(mic, mic0, tkip.ic_miclen)) { 344 /* NB: 802.11 layer handles statistic and debug msg */ 345 ieee80211_notify_michael_failure(vap, wh, 346 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 347 k->wk_rxkeyix : k->wk_keyix); 348 return 0; 349 } 350 } 351 /* 352 * Strip MIC from the tail. 353 */ 354 m_adj(m, -tkip.ic_miclen); 355 356 /* 357 * Ok to update rsc now that MIC has been verified. 358 */ 359 tid = ieee80211_gettid(wh); 360 k->wk_keyrsc[tid] = ctx->rx_rsc; 361 362 return 1; 363 } 364 365 /* 366 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 367 * 368 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 369 * 370 * This program is free software; you can redistribute it and/or modify 371 * it under the terms of the GNU General Public License version 2 as 372 * published by the Free Software Foundation. See README and COPYING for 373 * more details. 374 * 375 * Alternatively, this software may be distributed under the terms of BSD 376 * license. 377 */ 378 379 static const __u32 crc32_table[256] = { 380 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 381 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 382 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 383 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 384 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 385 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 386 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 387 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 388 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 389 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 390 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 391 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 392 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 393 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 394 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 395 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 396 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 397 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 398 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 399 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 400 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 401 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 402 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 403 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 404 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 405 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 406 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 407 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 408 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 409 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 410 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 411 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 412 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 413 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 414 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 415 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 416 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 417 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 418 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 419 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 420 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 421 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 422 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 423 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 424 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 425 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 426 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 427 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 428 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 429 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 430 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 431 0x2d02ef8dL 432 }; 433 434 static __inline u16 RotR1(u16 val) 435 { 436 return (val >> 1) | (val << 15); 437 } 438 439 static __inline u8 Lo8(u16 val) 440 { 441 return val & 0xff; 442 } 443 444 static __inline u8 Hi8(u16 val) 445 { 446 return val >> 8; 447 } 448 449 static __inline u16 Lo16(u32 val) 450 { 451 return val & 0xffff; 452 } 453 454 static __inline u16 Hi16(u32 val) 455 { 456 return val >> 16; 457 } 458 459 static __inline u16 Mk16(u8 hi, u8 lo) 460 { 461 return lo | (((u16) hi) << 8); 462 } 463 464 static __inline u16 Mk16_le(const u16 *v) 465 { 466 return le16toh(*v); 467 } 468 469 static const u16 Sbox[256] = { 470 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 471 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 472 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 473 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 474 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 475 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 476 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 477 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 478 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 479 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 480 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 481 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 482 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 483 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 484 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 485 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 486 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 487 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 488 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 489 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 490 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 491 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 492 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 493 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 494 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 495 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 496 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 497 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 498 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 499 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 500 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 501 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 502 }; 503 504 static __inline u16 _S_(u16 v) 505 { 506 u16 t = Sbox[Hi8(v)]; 507 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 508 } 509 510 #define PHASE1_LOOP_COUNT 8 511 512 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 513 { 514 int i, j; 515 516 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 517 TTAK[0] = Lo16(IV32); 518 TTAK[1] = Hi16(IV32); 519 TTAK[2] = Mk16(TA[1], TA[0]); 520 TTAK[3] = Mk16(TA[3], TA[2]); 521 TTAK[4] = Mk16(TA[5], TA[4]); 522 523 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 524 j = 2 * (i & 1); 525 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 526 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 527 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 528 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 529 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 530 } 531 } 532 533 #ifndef _BYTE_ORDER 534 #error "Don't know native byte order" 535 #endif 536 537 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 538 u16 IV16) 539 { 540 /* Make temporary area overlap WEP seed so that the final copy can be 541 * avoided on little endian hosts. */ 542 u16 *PPK = (u16 *) &WEPSeed[4]; 543 544 /* Step 1 - make copy of TTAK and bring in TSC */ 545 PPK[0] = TTAK[0]; 546 PPK[1] = TTAK[1]; 547 PPK[2] = TTAK[2]; 548 PPK[3] = TTAK[3]; 549 PPK[4] = TTAK[4]; 550 PPK[5] = TTAK[4] + IV16; 551 552 /* Step 2 - 96-bit bijective mixing using S-box */ 553 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 554 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 555 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 556 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 557 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 558 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 559 560 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 561 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 562 PPK[2] += RotR1(PPK[1]); 563 PPK[3] += RotR1(PPK[2]); 564 PPK[4] += RotR1(PPK[3]); 565 PPK[5] += RotR1(PPK[4]); 566 567 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 568 * WEPSeed[0..2] is transmitted as WEP IV */ 569 WEPSeed[0] = Hi8(IV16); 570 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 571 WEPSeed[2] = Lo8(IV16); 572 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 573 574 #if _BYTE_ORDER == _BIG_ENDIAN 575 { 576 int i; 577 for (i = 0; i < 6; i++) 578 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 579 } 580 #endif 581 } 582 583 static void 584 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 585 uint8_t icv[IEEE80211_WEP_CRCLEN]) 586 { 587 u32 i, j, k, crc; 588 size_t buflen; 589 u8 S[256]; 590 u8 *pos; 591 struct mbuf *m; 592 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 593 594 /* Setup RC4 state */ 595 for (i = 0; i < 256; i++) 596 S[i] = i; 597 j = 0; 598 for (i = 0; i < 256; i++) { 599 j = (j + S[i] + key[i & 0x0f]) & 0xff; 600 S_SWAP(i, j); 601 } 602 603 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 604 crc = ~0; 605 i = j = 0; 606 m = m0; 607 pos = mtod(m, uint8_t *) + off; 608 buflen = m->m_len - off; 609 for (;;) { 610 if (buflen > data_len) 611 buflen = data_len; 612 data_len -= buflen; 613 for (k = 0; k < buflen; k++) { 614 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 615 i = (i + 1) & 0xff; 616 j = (j + S[i]) & 0xff; 617 S_SWAP(i, j); 618 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 619 } 620 m = m->m_next; 621 if (m == NULL) { 622 KASSERT(data_len == 0, 623 ("out of buffers with data_len %zu\n", data_len)); 624 break; 625 } 626 pos = mtod(m, uint8_t *); 627 buflen = m->m_len; 628 } 629 crc = ~crc; 630 631 /* Append little-endian CRC32 and encrypt it to produce ICV */ 632 icv[0] = crc; 633 icv[1] = crc >> 8; 634 icv[2] = crc >> 16; 635 icv[3] = crc >> 24; 636 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 637 i = (i + 1) & 0xff; 638 j = (j + S[i]) & 0xff; 639 S_SWAP(i, j); 640 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 641 } 642 } 643 644 static int 645 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 646 { 647 u32 i, j, k, crc; 648 u8 S[256]; 649 u8 *pos, icv[4]; 650 size_t buflen; 651 652 /* Setup RC4 state */ 653 for (i = 0; i < 256; i++) 654 S[i] = i; 655 j = 0; 656 for (i = 0; i < 256; i++) { 657 j = (j + S[i] + key[i & 0x0f]) & 0xff; 658 S_SWAP(i, j); 659 } 660 661 /* Apply RC4 to data and compute CRC32 over decrypted data */ 662 crc = ~0; 663 i = j = 0; 664 pos = mtod(m, uint8_t *) + off; 665 buflen = m->m_len - off; 666 for (;;) { 667 if (buflen > data_len) 668 buflen = data_len; 669 data_len -= buflen; 670 for (k = 0; k < buflen; k++) { 671 i = (i + 1) & 0xff; 672 j = (j + S[i]) & 0xff; 673 S_SWAP(i, j); 674 *pos ^= S[(S[i] + S[j]) & 0xff]; 675 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 676 pos++; 677 } 678 m = m->m_next; 679 if (m == NULL) { 680 KASSERT(data_len == 0, 681 ("out of buffers with data_len %zu\n", data_len)); 682 break; 683 } 684 pos = mtod(m, uint8_t *); 685 buflen = m->m_len; 686 } 687 crc = ~crc; 688 689 /* Encrypt little-endian CRC32 and verify that it matches with the 690 * received ICV */ 691 icv[0] = crc; 692 icv[1] = crc >> 8; 693 icv[2] = crc >> 16; 694 icv[3] = crc >> 24; 695 for (k = 0; k < 4; k++) { 696 i = (i + 1) & 0xff; 697 j = (j + S[i]) & 0xff; 698 S_SWAP(i, j); 699 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 700 /* ICV mismatch - drop frame */ 701 return -1; 702 } 703 } 704 705 return 0; 706 } 707 708 709 static __inline u32 rotl(u32 val, int bits) 710 { 711 return (val << bits) | (val >> (32 - bits)); 712 } 713 714 715 static __inline u32 rotr(u32 val, int bits) 716 { 717 return (val >> bits) | (val << (32 - bits)); 718 } 719 720 721 static __inline u32 xswap(u32 val) 722 { 723 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 724 } 725 726 727 #define michael_block(l, r) \ 728 do { \ 729 r ^= rotl(l, 17); \ 730 l += r; \ 731 r ^= xswap(l); \ 732 l += r; \ 733 r ^= rotl(l, 3); \ 734 l += r; \ 735 r ^= rotr(l, 2); \ 736 l += r; \ 737 } while (0) 738 739 740 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 741 { 742 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 743 } 744 745 static __inline u32 get_le32(const u8 *p) 746 { 747 return get_le32_split(p[0], p[1], p[2], p[3]); 748 } 749 750 751 static __inline void put_le32(u8 *p, u32 v) 752 { 753 p[0] = v; 754 p[1] = v >> 8; 755 p[2] = v >> 16; 756 p[3] = v >> 24; 757 } 758 759 /* 760 * Craft pseudo header used to calculate the MIC. 761 */ 762 static void 763 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 764 { 765 const struct ieee80211_frame_addr4 *wh = 766 (const struct ieee80211_frame_addr4 *) wh0; 767 768 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 769 case IEEE80211_FC1_DIR_NODS: 770 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 771 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 772 break; 773 case IEEE80211_FC1_DIR_TODS: 774 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 775 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 776 break; 777 case IEEE80211_FC1_DIR_FROMDS: 778 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 779 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 780 break; 781 case IEEE80211_FC1_DIR_DSTODS: 782 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 783 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 784 break; 785 } 786 787 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 788 const struct ieee80211_qosframe *qwh = 789 (const struct ieee80211_qosframe *) wh; 790 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 791 } else 792 hdr[12] = 0; 793 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 794 } 795 796 static void 797 michael_mic(struct tkip_ctx *ctx, const u8 *key, 798 struct mbuf *m, u_int off, size_t data_len, 799 u8 mic[IEEE80211_WEP_MICLEN]) 800 { 801 uint8_t hdr[16]; 802 u32 l, r; 803 const uint8_t *data; 804 u_int space; 805 806 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 807 808 l = get_le32(key); 809 r = get_le32(key + 4); 810 811 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 812 l ^= get_le32(hdr); 813 michael_block(l, r); 814 l ^= get_le32(&hdr[4]); 815 michael_block(l, r); 816 l ^= get_le32(&hdr[8]); 817 michael_block(l, r); 818 l ^= get_le32(&hdr[12]); 819 michael_block(l, r); 820 821 /* first buffer has special handling */ 822 data = mtod(m, const uint8_t *) + off; 823 space = m->m_len - off; 824 for (;;) { 825 if (space > data_len) 826 space = data_len; 827 /* collect 32-bit blocks from current buffer */ 828 while (space >= sizeof(uint32_t)) { 829 l ^= get_le32(data); 830 michael_block(l, r); 831 data += sizeof(uint32_t), space -= sizeof(uint32_t); 832 data_len -= sizeof(uint32_t); 833 } 834 /* 835 * NB: when space is zero we make one more trip around 836 * the loop to advance to the next mbuf where there is 837 * data. This handles the case where there are 4*n 838 * bytes in an mbuf followed by <4 bytes in a later mbuf. 839 * By making an extra trip we'll drop out of the loop 840 * with m pointing at the mbuf with 3 bytes and space 841 * set as required by the remainder handling below. 842 */ 843 if (data_len == 0 || 844 (data_len < sizeof(uint32_t) && space != 0)) 845 break; 846 m = m->m_next; 847 if (m == NULL) { 848 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 849 break; 850 } 851 if (space != 0) { 852 const uint8_t *data_next; 853 /* 854 * Block straddles buffers, split references. 855 */ 856 data_next = mtod(m, const uint8_t *); 857 KASSERT(m->m_len >= sizeof(uint32_t) - space, 858 ("not enough data in following buffer, " 859 "m_len %u need %zu\n", m->m_len, 860 sizeof(uint32_t) - space)); 861 switch (space) { 862 case 1: 863 l ^= get_le32_split(data[0], data_next[0], 864 data_next[1], data_next[2]); 865 data = data_next + 3; 866 space = m->m_len - 3; 867 break; 868 case 2: 869 l ^= get_le32_split(data[0], data[1], 870 data_next[0], data_next[1]); 871 data = data_next + 2; 872 space = m->m_len - 2; 873 break; 874 case 3: 875 l ^= get_le32_split(data[0], data[1], 876 data[2], data_next[0]); 877 data = data_next + 1; 878 space = m->m_len - 1; 879 break; 880 } 881 michael_block(l, r); 882 data_len -= sizeof(uint32_t); 883 } else { 884 /* 885 * Setup for next buffer. 886 */ 887 data = mtod(m, const uint8_t *); 888 space = m->m_len; 889 } 890 } 891 /* 892 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 893 * mbuf[2 bytes]. I don't believe these should happen; if they 894 * do then we'll need more involved logic. 895 */ 896 KASSERT(data_len <= space, 897 ("not enough data, data_len %zu space %u\n", data_len, space)); 898 899 /* Last block and padding (0x5a, 4..7 x 0) */ 900 switch (data_len) { 901 case 0: 902 l ^= get_le32_split(0x5a, 0, 0, 0); 903 break; 904 case 1: 905 l ^= get_le32_split(data[0], 0x5a, 0, 0); 906 break; 907 case 2: 908 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 909 break; 910 case 3: 911 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 912 break; 913 } 914 michael_block(l, r); 915 /* l ^= 0; */ 916 michael_block(l, r); 917 918 put_le32(mic, l); 919 put_le32(mic + 4, r); 920 } 921 922 static int 923 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 924 struct mbuf *m, int hdrlen) 925 { 926 struct ieee80211_frame *wh; 927 uint8_t icv[IEEE80211_WEP_CRCLEN]; 928 929 ctx->tc_vap->iv_stats.is_crypto_tkip++; 930 931 wh = mtod(m, struct ieee80211_frame *); 932 if (!ctx->tx_phase1_done) { 933 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 934 (u32)(key->wk_keytsc >> 16)); 935 ctx->tx_phase1_done = 1; 936 } 937 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 938 (u16) key->wk_keytsc); 939 940 wep_encrypt(ctx->tx_rc4key, 941 m, hdrlen + tkip.ic_header, 942 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 943 icv); 944 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 945 946 key->wk_keytsc++; 947 if ((u16)(key->wk_keytsc) == 0) 948 ctx->tx_phase1_done = 0; 949 return 1; 950 } 951 952 static int 953 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 954 struct mbuf *m, int hdrlen) 955 { 956 struct ieee80211_frame *wh; 957 struct ieee80211vap *vap = ctx->tc_vap; 958 u32 iv32; 959 u16 iv16; 960 u8 tid; 961 962 vap->iv_stats.is_crypto_tkip++; 963 964 wh = mtod(m, struct ieee80211_frame *); 965 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 966 iv16 = (u16) ctx->rx_rsc; 967 iv32 = (u32) (ctx->rx_rsc >> 16); 968 969 tid = ieee80211_gettid(wh); 970 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 971 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 972 wh->i_addr2, iv32); 973 ctx->rx_phase1_done = 1; 974 } 975 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 976 977 /* NB: m is unstripped; deduct headers + ICV to get payload */ 978 if (wep_decrypt(ctx->rx_rc4key, 979 m, hdrlen + tkip.ic_header, 980 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 981 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 982 /* Previously cached Phase1 result was already lost, so 983 * it needs to be recalculated for the next packet. */ 984 ctx->rx_phase1_done = 0; 985 } 986 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 987 "%s", "TKIP ICV mismatch on decrypt"); 988 vap->iv_stats.is_rx_tkipicv++; 989 return 0; 990 } 991 return 1; 992 } 993 994 /* 995 * Module glue. 996 */ 997 IEEE80211_CRYPTO_MODULE(tkip, 1);
Cache object: bfee8459a4010bf095a65e5f22fea9df
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]