1/*-
2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_crypto_tkip.c 147252 2005-06-10 16:11:24Z sam $");
34
35/*
36 * IEEE 802.11i TKIP crypto support.
37 *
38 * Part of this module is derived from similar code in the Host
39 * AP driver. The code is used with the consent of the author and
40 * it's license is included below.
41 */
42#include <sys/param.h>
43#include <sys/systm.h>
44#include <sys/mbuf.h>
45#include <sys/malloc.h>
46#include <sys/kernel.h>
47#include <sys/module.h>
48#include <sys/endian.h>
49
50#include <sys/socket.h>
51
52#include <net/if.h>
53#include <net/if_media.h>
54#include <net/ethernet.h>
55
56#include <net80211/ieee80211_var.h>
57
58static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *);
59static void tkip_detach(struct ieee80211_key *);
60static int tkip_setkey(struct ieee80211_key *);
61static int tkip_encap(struct ieee80211_key *, struct mbuf *m, u_int8_t keyid);
62static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
63static int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
64static int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
65
66static const struct ieee80211_cipher tkip = {
67 .ic_name = "TKIP",
68 .ic_cipher = IEEE80211_CIPHER_TKIP,
69 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
70 IEEE80211_WEP_EXTIVLEN,
71 .ic_trailer = IEEE80211_WEP_CRCLEN,
72 .ic_miclen = IEEE80211_WEP_MICLEN,
73 .ic_attach = tkip_attach,
74 .ic_detach = tkip_detach,
75 .ic_setkey = tkip_setkey,
76 .ic_encap = tkip_encap,
77 .ic_decap = tkip_decap,
78 .ic_enmic = tkip_enmic,
79 .ic_demic = tkip_demic,
80};
81
82typedef uint8_t u8;
83typedef uint16_t u16;
84typedef uint32_t __u32;
85typedef uint32_t u32;
86#define memmove(dst, src, n) ovbcopy(src, dst, n)
87
88struct tkip_ctx {
89 struct ieee80211com *tc_ic; /* for diagnostics */
90
91 u16 tx_ttak[5];
92 int tx_phase1_done;
93 u8 tx_rc4key[16]; /* XXX for test module; make locals? */
94
95 u16 rx_ttak[5];
96 int rx_phase1_done;
97 u8 rx_rc4key[16]; /* XXX for test module; make locals? */
98 uint64_t rx_rsc; /* held until MIC verified */
99};
100
101static void michael_mic(struct tkip_ctx *, const u8 *key,
102 struct mbuf *m, u_int off, size_t data_len,
103 u8 mic[IEEE80211_WEP_MICLEN]);
104static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
105 struct mbuf *, int hdr_len);
106static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
107 struct mbuf *, int hdr_len);
108
109static void *
110tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k)
111{
112 struct tkip_ctx *ctx;
113
114 MALLOC(ctx, struct tkip_ctx *, sizeof(struct tkip_ctx),
115 M_DEVBUF, M_NOWAIT | M_ZERO);
116 if (ctx == NULL) {
117 ic->ic_stats.is_crypto_nomem++;
118 return NULL;
119 }
120
121 ctx->tc_ic = ic;
122 return ctx;
123}
124
125static void
126tkip_detach(struct ieee80211_key *k)
127{
128 struct tkip_ctx *ctx = k->wk_private;
129
130 FREE(ctx, M_DEVBUF);
131}
132
133static int
134tkip_setkey(struct ieee80211_key *k)
135{
136 struct tkip_ctx *ctx = k->wk_private;
137
138 if (k->wk_keylen != (128/NBBY)) {
139 (void) ctx; /* XXX */
140 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
141 "%s: Invalid key length %u, expecting %u\n",
142 __func__, k->wk_keylen, 128/NBBY);
143 return 0;
144 }
145 k->wk_keytsc = 1; /* TSC starts at 1 */
146 return 1;
147}
148
149/*
150 * Add privacy headers and do any s/w encryption required.
151 */
152static int
153tkip_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid)
154{
155 struct tkip_ctx *ctx = k->wk_private;
156 struct ieee80211com *ic = ctx->tc_ic;
157 u_int8_t *ivp;
158 int hdrlen;
159
160 /*
161 * Handle TKIP counter measures requirement.
162 */
163 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
164#ifdef IEEE80211_DEBUG
165 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
166#endif
167
168 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
169 "[%s] Discard frame due to countermeasures (%s)\n",
170 ether_sprintf(wh->i_addr2), __func__);
171 ic->ic_stats.is_crypto_tkipcm++;
172 return 0;
173 }
174 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
175
176 /*
177 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
178 */
179 M_PREPEND(m, tkip.ic_header, M_NOWAIT);
180 if (m == NULL)
181 return 0;
182 ivp = mtod(m, u_int8_t *);
183 memmove(ivp, ivp + tkip.ic_header, hdrlen);
184 ivp += hdrlen;
185
186 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
187 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
188 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
189 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
190 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
191 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
192 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
193 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
194
195 /*
196 * Finally, do software encrypt if neeed.
197 */
198 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) {
199 if (!tkip_encrypt(ctx, k, m, hdrlen))
200 return 0;
201 /* NB: tkip_encrypt handles wk_keytsc */
202 } else
203 k->wk_keytsc++;
204
205 return 1;
206}
207
208/*
209 * Add MIC to the frame as needed.
210 */
211static int
212tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
213{
214 struct tkip_ctx *ctx = k->wk_private;
215
216 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
217 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
218 struct ieee80211com *ic = ctx->tc_ic;
219 int hdrlen;
220 uint8_t mic[IEEE80211_WEP_MICLEN];
221
222 ic->ic_stats.is_crypto_tkipenmic++;
223
224 hdrlen = ieee80211_hdrspace(ic, wh);
225
226 michael_mic(ctx, k->wk_txmic,
227 m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
228 return m_append(m, tkip.ic_miclen, mic);
229 }
230 return 1;
231}
232
233static __inline uint64_t
234READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
235{
236 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
237 uint16_t iv16 = (b4 << 0) | (b5 << 8);
238 return (((uint64_t)iv16) << 32) | iv32;
239}
240
241/*
242 * Validate and strip privacy headers (and trailer) for a
243 * received frame. If necessary, decrypt the frame using
244 * the specified key.
245 */
246static int
247tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
248{
249 struct tkip_ctx *ctx = k->wk_private;
250 struct ieee80211com *ic = ctx->tc_ic;
251 struct ieee80211_frame *wh;
252 uint8_t *ivp;
253
254 /*
255 * Header should have extended IV and sequence number;
256 * verify the former and validate the latter.
257 */
258 wh = mtod(m, struct ieee80211_frame *);
259 ivp = mtod(m, uint8_t *) + hdrlen;
260 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
261 /*
262 * No extended IV; discard frame.
263 */
264 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
265 "[%s] missing ExtIV for TKIP cipher\n",
266 ether_sprintf(wh->i_addr2));
267 ctx->tc_ic->ic_stats.is_rx_tkipformat++;
268 return 0;
269 }
270 /*
271 * Handle TKIP counter measures requirement.
272 */
273 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
274 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
275 "[%s] discard frame due to countermeasures (%s)\n",
276 ether_sprintf(wh->i_addr2), __func__);
277 ic->ic_stats.is_crypto_tkipcm++;
278 return 0;
279 }
280
281 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
282 if (ctx->rx_rsc <= k->wk_keyrsc) {
283 /*
284 * Replay violation; notify upper layer.
285 */
286 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc);
287 ctx->tc_ic->ic_stats.is_rx_tkipreplay++;
288 return 0;
289 }
290 /*
291 * NB: We can't update the rsc in the key until MIC is verified.
292 *
293 * We assume we are not preempted between doing the check above
294 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
295 * Otherwise we might process another packet and discard it as
296 * a replay.
297 */
298
299 /*
300 * Check if the device handled the decrypt in hardware.
301 * If so we just strip the header; otherwise we need to
302 * handle the decrypt in software.
303 */
304 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
305 !tkip_decrypt(ctx, k, m, hdrlen))
306 return 0;
307
308 /*
309 * Copy up 802.11 header and strip crypto bits.
310 */
311 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
312 m_adj(m, tkip.ic_header);
313 m_adj(m, -tkip.ic_trailer);
314
315 return 1;
316}
317
318/*
319 * Verify and strip MIC from the frame.
320 */
321static int
322tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
323{
324 struct tkip_ctx *ctx = k->wk_private;
325
326 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
327 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
328 struct ieee80211com *ic = ctx->tc_ic;
329 int hdrlen = ieee80211_hdrspace(ic, wh);
330 u8 mic[IEEE80211_WEP_MICLEN];
331 u8 mic0[IEEE80211_WEP_MICLEN];
332
333 ic->ic_stats.is_crypto_tkipdemic++;
334
335 michael_mic(ctx, k->wk_rxmic,
336 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
337 mic);
338 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
339 tkip.ic_miclen, mic0);
340 if (memcmp(mic, mic0, tkip.ic_miclen)) {
341 /* NB: 802.11 layer handles statistic and debug msg */
342 ieee80211_notify_michael_failure(ic, wh, k->wk_keyix);
343 return 0;
344 }
345 }
346 /*
347 * Strip MIC from the tail.
348 */
349 m_adj(m, -tkip.ic_miclen);
350
351 /*
352 * Ok to update rsc now that MIC has been verified.
353 */
354 k->wk_keyrsc = ctx->rx_rsc;
355
356 return 1;
357}
358
359/*
360 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
361 *
362 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
363 *
364 * This program is free software; you can redistribute it and/or modify
365 * it under the terms of the GNU General Public License version 2 as
366 * published by the Free Software Foundation. See README and COPYING for
367 * more details.
368 *
369 * Alternatively, this software may be distributed under the terms of BSD
370 * license.
371 */
372
373static const __u32 crc32_table[256] = {
374 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
375 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
376 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
377 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
378 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
379 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
380 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
381 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
382 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
383 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
384 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
385 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
386 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
387 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
388 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
389 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
390 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
391 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
392 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
393 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
394 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
395 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
396 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
397 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
398 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
399 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
400 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
401 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
402 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
403 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
404 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
405 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
406 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
407 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
408 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
409 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
410 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
411 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
412 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
413 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
414 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
415 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
416 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
417 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
418 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
419 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
420 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
421 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
422 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
423 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
424 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
425 0x2d02ef8dL
426};
427
428static __inline u16 RotR1(u16 val)
429{
430 return (val >> 1) | (val << 15);
431}
432
433static __inline u8 Lo8(u16 val)
434{
435 return val & 0xff;
436}
437
438static __inline u8 Hi8(u16 val)
439{
440 return val >> 8;
441}
442
443static __inline u16 Lo16(u32 val)
444{
445 return val & 0xffff;
446}
447
448static __inline u16 Hi16(u32 val)
449{
450 return val >> 16;
451}
452
453static __inline u16 Mk16(u8 hi, u8 lo)
454{
455 return lo | (((u16) hi) << 8);
456}
457
458static __inline u16 Mk16_le(const u16 *v)
459{
460 return le16toh(*v);
461}
462
463static const u16 Sbox[256] = {
464 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
465 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
466 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
467 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
468 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
469 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
470 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
471 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
472 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
473 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
474 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
475 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
476 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
477 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
478 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
479 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
480 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
481 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
482 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
483 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
484 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
485 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
486 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
487 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
488 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
489 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
490 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
491 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
492 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
493 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
494 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
495 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
496};
497
498static __inline u16 _S_(u16 v)
499{
500 u16 t = Sbox[Hi8(v)];
501 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
502}
503
504#define PHASE1_LOOP_COUNT 8
505
506static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
507{
508 int i, j;
509
510 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
511 TTAK[0] = Lo16(IV32);
512 TTAK[1] = Hi16(IV32);
513 TTAK[2] = Mk16(TA[1], TA[0]);
514 TTAK[3] = Mk16(TA[3], TA[2]);
515 TTAK[4] = Mk16(TA[5], TA[4]);
516
517 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
518 j = 2 * (i & 1);
519 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
520 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
521 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
522 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
523 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
524 }
525}
526
527#ifndef _BYTE_ORDER
528#error "Don't know native byte order"
529#endif
530
531static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
532 u16 IV16)
533{
534 /* Make temporary area overlap WEP seed so that the final copy can be
535 * avoided on little endian hosts. */
536 u16 *PPK = (u16 *) &WEPSeed[4];
537
538 /* Step 1 - make copy of TTAK and bring in TSC */
539 PPK[0] = TTAK[0];
540 PPK[1] = TTAK[1];
541 PPK[2] = TTAK[2];
542 PPK[3] = TTAK[3];
543 PPK[4] = TTAK[4];
544 PPK[5] = TTAK[4] + IV16;
545
546 /* Step 2 - 96-bit bijective mixing using S-box */
547 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
548 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
549 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
550 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
551 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
552 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
553
554 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
555 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
556 PPK[2] += RotR1(PPK[1]);
557 PPK[3] += RotR1(PPK[2]);
558 PPK[4] += RotR1(PPK[3]);
559 PPK[5] += RotR1(PPK[4]);
560
561 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
562 * WEPSeed[0..2] is transmitted as WEP IV */
563 WEPSeed[0] = Hi8(IV16);
564 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
565 WEPSeed[2] = Lo8(IV16);
566 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
567
568#if _BYTE_ORDER == _BIG_ENDIAN
569 {
570 int i;
571 for (i = 0; i < 6; i++)
572 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
573 }
574#endif
575}
576
577static void
578wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
579 uint8_t icv[IEEE80211_WEP_CRCLEN])
580{
581 u32 i, j, k, crc;
582 size_t buflen;
583 u8 S[256];
584 u8 *pos;
585 struct mbuf *m;
586#define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
587
588 /* Setup RC4 state */
589 for (i = 0; i < 256; i++)
590 S[i] = i;
591 j = 0;
592 for (i = 0; i < 256; i++) {
593 j = (j + S[i] + key[i & 0x0f]) & 0xff;
594 S_SWAP(i, j);
595 }
596
597 /* Compute CRC32 over unencrypted data and apply RC4 to data */
598 crc = ~0;
599 i = j = 0;
600 m = m0;
601 pos = mtod(m, uint8_t *) + off;
602 buflen = m->m_len - off;
603 for (;;) {
604 if (buflen > data_len)
605 buflen = data_len;
606 data_len -= buflen;
607 for (k = 0; k < buflen; k++) {
608 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
609 i = (i + 1) & 0xff;
610 j = (j + S[i]) & 0xff;
611 S_SWAP(i, j);
612 *pos++ ^= S[(S[i] + S[j]) & 0xff];
613 }
614 m = m->m_next;
615 if (m == NULL) {
616 KASSERT(data_len == 0,
617 ("out of buffers with data_len %zu\n", data_len));
618 break;
619 }
620 pos = mtod(m, uint8_t *);
621 buflen = m->m_len;
622 }
623 crc = ~crc;
624
625 /* Append little-endian CRC32 and encrypt it to produce ICV */
626 icv[0] = crc;
627 icv[1] = crc >> 8;
628 icv[2] = crc >> 16;
629 icv[3] = crc >> 24;
630 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
631 i = (i + 1) & 0xff;
632 j = (j + S[i]) & 0xff;
633 S_SWAP(i, j);
634 icv[k] ^= S[(S[i] + S[j]) & 0xff];
635 }
636}
637
638static int
639wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
640{
641 u32 i, j, k, crc;
642 u8 S[256];
643 u8 *pos, icv[4];
644 size_t buflen;
645
646 /* Setup RC4 state */
647 for (i = 0; i < 256; i++)
648 S[i] = i;
649 j = 0;
650 for (i = 0; i < 256; i++) {
651 j = (j + S[i] + key[i & 0x0f]) & 0xff;
652 S_SWAP(i, j);
653 }
654
655 /* Apply RC4 to data and compute CRC32 over decrypted data */
656 crc = ~0;
657 i = j = 0;
658 pos = mtod(m, uint8_t *) + off;
659 buflen = m->m_len - off;
660 for (;;) {
661 if (buflen > data_len)
662 buflen = data_len;
663 data_len -= buflen;
664 for (k = 0; k < buflen; k++) {
665 i = (i + 1) & 0xff;
666 j = (j + S[i]) & 0xff;
667 S_SWAP(i, j);
668 *pos ^= S[(S[i] + S[j]) & 0xff];
669 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
670 pos++;
671 }
672 m = m->m_next;
673 if (m == NULL) {
674 KASSERT(data_len == 0,
675 ("out of buffers with data_len %zu\n", data_len));
676 break;
677 }
678 pos = mtod(m, uint8_t *);
679 buflen = m->m_len;
680 }
681 crc = ~crc;
682
683 /* Encrypt little-endian CRC32 and verify that it matches with the
684 * received ICV */
685 icv[0] = crc;
686 icv[1] = crc >> 8;
687 icv[2] = crc >> 16;
688 icv[3] = crc >> 24;
689 for (k = 0; k < 4; k++) {
690 i = (i + 1) & 0xff;
691 j = (j + S[i]) & 0xff;
692 S_SWAP(i, j);
693 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
694 /* ICV mismatch - drop frame */
695 return -1;
696 }
697 }
698
699 return 0;
700}
701
702
703static __inline u32 rotl(u32 val, int bits)
704{
705 return (val << bits) | (val >> (32 - bits));
706}
707
708
709static __inline u32 rotr(u32 val, int bits)
710{
711 return (val >> bits) | (val << (32 - bits));
712}
713
714
715static __inline u32 xswap(u32 val)
716{
717 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
718}
719
720
721#define michael_block(l, r) \
722do { \
723 r ^= rotl(l, 17); \
724 l += r; \
725 r ^= xswap(l); \
726 l += r; \
727 r ^= rotl(l, 3); \
728 l += r; \
729 r ^= rotr(l, 2); \
730 l += r; \
731} while (0)
732
733
734static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
735{
736 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
737}
738
739static __inline u32 get_le32(const u8 *p)
740{
741 return get_le32_split(p[0], p[1], p[2], p[3]);
742}
743
744
745static __inline void put_le32(u8 *p, u32 v)
746{
747 p[0] = v;
748 p[1] = v >> 8;
749 p[2] = v >> 16;
750 p[3] = v >> 24;
751}
752
753/*
754 * Craft pseudo header used to calculate the MIC.
755 */
756static void
757michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
758{
759 const struct ieee80211_frame_addr4 *wh =
760 (const struct ieee80211_frame_addr4 *) wh0;
761
762 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
763 case IEEE80211_FC1_DIR_NODS:
764 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
765 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
766 break;
767 case IEEE80211_FC1_DIR_TODS:
768 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
769 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
770 break;
771 case IEEE80211_FC1_DIR_FROMDS:
772 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
773 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
774 break;
775 case IEEE80211_FC1_DIR_DSTODS:
776 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
777 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
778 break;
779 }
780
781 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
782 const struct ieee80211_qosframe *qwh =
783 (const struct ieee80211_qosframe *) wh;
784 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
785 } else
786 hdr[12] = 0;
787 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
788}
789
790static void
791michael_mic(struct tkip_ctx *ctx, const u8 *key,
792 struct mbuf *m, u_int off, size_t data_len,
793 u8 mic[IEEE80211_WEP_MICLEN])
794{
795 uint8_t hdr[16];
796 u32 l, r;
797 const uint8_t *data;
798 u_int space;
799
800 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
801
802 l = get_le32(key);
803 r = get_le32(key + 4);
804
805 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
806 l ^= get_le32(hdr);
807 michael_block(l, r);
808 l ^= get_le32(&hdr[4]);
809 michael_block(l, r);
810 l ^= get_le32(&hdr[8]);
811 michael_block(l, r);
812 l ^= get_le32(&hdr[12]);
813 michael_block(l, r);
814
815 /* first buffer has special handling */
816 data = mtod(m, const uint8_t *) + off;
817 space = m->m_len - off;
818 for (;;) {
819 if (space > data_len)
820 space = data_len;
821 /* collect 32-bit blocks from current buffer */
822 while (space >= sizeof(uint32_t)) {
823 l ^= get_le32(data);
824 michael_block(l, r);
825 data += sizeof(uint32_t), space -= sizeof(uint32_t);
826 data_len -= sizeof(uint32_t);
827 }
828 if (data_len < sizeof(uint32_t))
829 break;
830 m = m->m_next;
831 if (m == NULL) {
832 KASSERT(0, ("out of data, data_len %zu\n", data_len));
833 break;
834 }
835 if (space != 0) {
836 const uint8_t *data_next;
837 /*
838 * Block straddles buffers, split references.
839 */
840 data_next = mtod(m, const uint8_t *);
841 KASSERT(m->m_len >= sizeof(uint32_t) - space,
842 ("not enough data in following buffer, "
843 "m_len %u need %zu\n", m->m_len,
844 sizeof(uint32_t) - space));
845 switch (space) {
846 case 1:
847 l ^= get_le32_split(data[0], data_next[0],
848 data_next[1], data_next[2]);
849 data = data_next + 3;
850 space = m->m_len - 3;
851 break;
852 case 2:
853 l ^= get_le32_split(data[0], data[1],
854 data_next[0], data_next[1]);
855 data = data_next + 2;
856 space = m->m_len - 2;
857 break;
858 case 3:
859 l ^= get_le32_split(data[0], data[1],
860 data[2], data_next[0]);
861 data = data_next + 1;
862 space = m->m_len - 1;
863 break;
864 }
865 michael_block(l, r);
866 data_len -= sizeof(uint32_t);
867 } else {
868 /*
869 * Setup for next buffer.
870 */
871 data = mtod(m, const uint8_t *);
872 space = m->m_len;
873 }
874 }
875 /* Last block and padding (0x5a, 4..7 x 0) */
876 switch (data_len) {
877 case 0:
878 l ^= get_le32_split(0x5a, 0, 0, 0);
879 break;
880 case 1:
881 l ^= get_le32_split(data[0], 0x5a, 0, 0);
882 break;
883 case 2:
884 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
885 break;
886 case 3:
887 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
888 break;
889 }
890 michael_block(l, r);
891 /* l ^= 0; */
892 michael_block(l, r);
893
894 put_le32(mic, l);
895 put_le32(mic + 4, r);
896}
897
898static int
899tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
900 struct mbuf *m, int hdrlen)
901{
902 struct ieee80211_frame *wh;
903 uint8_t icv[IEEE80211_WEP_CRCLEN];
904
905 ctx->tc_ic->ic_stats.is_crypto_tkip++;
906
907 wh = mtod(m, struct ieee80211_frame *);
908 if (!ctx->tx_phase1_done) {
909 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
910 (u32)(key->wk_keytsc >> 16));
911 ctx->tx_phase1_done = 1;
912 }
913 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
914 (u16) key->wk_keytsc);
915
916 wep_encrypt(ctx->tx_rc4key,
917 m, hdrlen + tkip.ic_header,
918 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
919 icv);
920 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */
921
922 key->wk_keytsc++;
923 if ((u16)(key->wk_keytsc) == 0)
924 ctx->tx_phase1_done = 0;
925 return 1;
926}
927
928static int
929tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
930 struct mbuf *m, int hdrlen)
931{
932 struct ieee80211_frame *wh;
933 u32 iv32;
934 u16 iv16;
935
936 ctx->tc_ic->ic_stats.is_crypto_tkip++;
937
938 wh = mtod(m, struct ieee80211_frame *);
939 /* NB: tkip_decap already verified header and left seq in rx_rsc */
940 iv16 = (u16) ctx->rx_rsc;
941 iv32 = (u32) (ctx->rx_rsc >> 16);
942
943 if (iv32 != (u32)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) {
944 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
945 wh->i_addr2, iv32);
946 ctx->rx_phase1_done = 1;
947 }
948 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
949
950 /* NB: m is unstripped; deduct headers + ICV to get payload */
951 if (wep_decrypt(ctx->rx_rc4key,
952 m, hdrlen + tkip.ic_header,
953 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
954 if (iv32 != (u32)(key->wk_keyrsc >> 16)) {
955 /* Previously cached Phase1 result was already lost, so
956 * it needs to be recalculated for the next packet. */
957 ctx->rx_phase1_done = 0;
958 }
959 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
960 "[%s] TKIP ICV mismatch on decrypt\n",
961 ether_sprintf(wh->i_addr2));
962 ctx->tc_ic->ic_stats.is_rx_tkipicv++;
963 return 0;
964 }
965 return 1;
966}
967
968/*
969 * Module glue.
970 */
971static int
972tkip_modevent(module_t mod, int type, void *unused)
973{
974 switch (type) {
975 case MOD_LOAD:
976 ieee80211_crypto_register(&tkip);
977 return 0;
978 case MOD_UNLOAD:
979 ieee80211_crypto_unregister(&tkip);
980 return 0;
981 }
982 return EINVAL;
983}
984
985static moduledata_t tkip_mod = {
986 "wlan_tkip",
987 tkip_modevent,
988 0
989};
990DECLARE_MODULE(wlan_tkip, tkip_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
991MODULE_VERSION(wlan_tkip, 1);
992MODULE_DEPEND(wlan_tkip, wlan, 1, 1, 1);
2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_crypto_tkip.c 147252 2005-06-10 16:11:24Z sam $");
34
35/*
36 * IEEE 802.11i TKIP crypto support.
37 *
38 * Part of this module is derived from similar code in the Host
39 * AP driver. The code is used with the consent of the author and
40 * it's license is included below.
41 */
42#include <sys/param.h>
43#include <sys/systm.h>
44#include <sys/mbuf.h>
45#include <sys/malloc.h>
46#include <sys/kernel.h>
47#include <sys/module.h>
48#include <sys/endian.h>
49
50#include <sys/socket.h>
51
52#include <net/if.h>
53#include <net/if_media.h>
54#include <net/ethernet.h>
55
56#include <net80211/ieee80211_var.h>
57
58static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *);
59static void tkip_detach(struct ieee80211_key *);
60static int tkip_setkey(struct ieee80211_key *);
61static int tkip_encap(struct ieee80211_key *, struct mbuf *m, u_int8_t keyid);
62static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
63static int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
64static int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
65
66static const struct ieee80211_cipher tkip = {
67 .ic_name = "TKIP",
68 .ic_cipher = IEEE80211_CIPHER_TKIP,
69 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
70 IEEE80211_WEP_EXTIVLEN,
71 .ic_trailer = IEEE80211_WEP_CRCLEN,
72 .ic_miclen = IEEE80211_WEP_MICLEN,
73 .ic_attach = tkip_attach,
74 .ic_detach = tkip_detach,
75 .ic_setkey = tkip_setkey,
76 .ic_encap = tkip_encap,
77 .ic_decap = tkip_decap,
78 .ic_enmic = tkip_enmic,
79 .ic_demic = tkip_demic,
80};
81
82typedef uint8_t u8;
83typedef uint16_t u16;
84typedef uint32_t __u32;
85typedef uint32_t u32;
86#define memmove(dst, src, n) ovbcopy(src, dst, n)
87
88struct tkip_ctx {
89 struct ieee80211com *tc_ic; /* for diagnostics */
90
91 u16 tx_ttak[5];
92 int tx_phase1_done;
93 u8 tx_rc4key[16]; /* XXX for test module; make locals? */
94
95 u16 rx_ttak[5];
96 int rx_phase1_done;
97 u8 rx_rc4key[16]; /* XXX for test module; make locals? */
98 uint64_t rx_rsc; /* held until MIC verified */
99};
100
101static void michael_mic(struct tkip_ctx *, const u8 *key,
102 struct mbuf *m, u_int off, size_t data_len,
103 u8 mic[IEEE80211_WEP_MICLEN]);
104static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
105 struct mbuf *, int hdr_len);
106static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
107 struct mbuf *, int hdr_len);
108
109static void *
110tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k)
111{
112 struct tkip_ctx *ctx;
113
114 MALLOC(ctx, struct tkip_ctx *, sizeof(struct tkip_ctx),
115 M_DEVBUF, M_NOWAIT | M_ZERO);
116 if (ctx == NULL) {
117 ic->ic_stats.is_crypto_nomem++;
118 return NULL;
119 }
120
121 ctx->tc_ic = ic;
122 return ctx;
123}
124
125static void
126tkip_detach(struct ieee80211_key *k)
127{
128 struct tkip_ctx *ctx = k->wk_private;
129
130 FREE(ctx, M_DEVBUF);
131}
132
133static int
134tkip_setkey(struct ieee80211_key *k)
135{
136 struct tkip_ctx *ctx = k->wk_private;
137
138 if (k->wk_keylen != (128/NBBY)) {
139 (void) ctx; /* XXX */
140 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
141 "%s: Invalid key length %u, expecting %u\n",
142 __func__, k->wk_keylen, 128/NBBY);
143 return 0;
144 }
145 k->wk_keytsc = 1; /* TSC starts at 1 */
146 return 1;
147}
148
149/*
150 * Add privacy headers and do any s/w encryption required.
151 */
152static int
153tkip_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid)
154{
155 struct tkip_ctx *ctx = k->wk_private;
156 struct ieee80211com *ic = ctx->tc_ic;
157 u_int8_t *ivp;
158 int hdrlen;
159
160 /*
161 * Handle TKIP counter measures requirement.
162 */
163 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
164#ifdef IEEE80211_DEBUG
165 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
166#endif
167
168 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
169 "[%s] Discard frame due to countermeasures (%s)\n",
170 ether_sprintf(wh->i_addr2), __func__);
171 ic->ic_stats.is_crypto_tkipcm++;
172 return 0;
173 }
174 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
175
176 /*
177 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
178 */
179 M_PREPEND(m, tkip.ic_header, M_NOWAIT);
180 if (m == NULL)
181 return 0;
182 ivp = mtod(m, u_int8_t *);
183 memmove(ivp, ivp + tkip.ic_header, hdrlen);
184 ivp += hdrlen;
185
186 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
187 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
188 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
189 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
190 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
191 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
192 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
193 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
194
195 /*
196 * Finally, do software encrypt if neeed.
197 */
198 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) {
199 if (!tkip_encrypt(ctx, k, m, hdrlen))
200 return 0;
201 /* NB: tkip_encrypt handles wk_keytsc */
202 } else
203 k->wk_keytsc++;
204
205 return 1;
206}
207
208/*
209 * Add MIC to the frame as needed.
210 */
211static int
212tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
213{
214 struct tkip_ctx *ctx = k->wk_private;
215
216 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
217 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
218 struct ieee80211com *ic = ctx->tc_ic;
219 int hdrlen;
220 uint8_t mic[IEEE80211_WEP_MICLEN];
221
222 ic->ic_stats.is_crypto_tkipenmic++;
223
224 hdrlen = ieee80211_hdrspace(ic, wh);
225
226 michael_mic(ctx, k->wk_txmic,
227 m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
228 return m_append(m, tkip.ic_miclen, mic);
229 }
230 return 1;
231}
232
233static __inline uint64_t
234READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
235{
236 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
237 uint16_t iv16 = (b4 << 0) | (b5 << 8);
238 return (((uint64_t)iv16) << 32) | iv32;
239}
240
241/*
242 * Validate and strip privacy headers (and trailer) for a
243 * received frame. If necessary, decrypt the frame using
244 * the specified key.
245 */
246static int
247tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
248{
249 struct tkip_ctx *ctx = k->wk_private;
250 struct ieee80211com *ic = ctx->tc_ic;
251 struct ieee80211_frame *wh;
252 uint8_t *ivp;
253
254 /*
255 * Header should have extended IV and sequence number;
256 * verify the former and validate the latter.
257 */
258 wh = mtod(m, struct ieee80211_frame *);
259 ivp = mtod(m, uint8_t *) + hdrlen;
260 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
261 /*
262 * No extended IV; discard frame.
263 */
264 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
265 "[%s] missing ExtIV for TKIP cipher\n",
266 ether_sprintf(wh->i_addr2));
267 ctx->tc_ic->ic_stats.is_rx_tkipformat++;
268 return 0;
269 }
270 /*
271 * Handle TKIP counter measures requirement.
272 */
273 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
274 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
275 "[%s] discard frame due to countermeasures (%s)\n",
276 ether_sprintf(wh->i_addr2), __func__);
277 ic->ic_stats.is_crypto_tkipcm++;
278 return 0;
279 }
280
281 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
282 if (ctx->rx_rsc <= k->wk_keyrsc) {
283 /*
284 * Replay violation; notify upper layer.
285 */
286 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc);
287 ctx->tc_ic->ic_stats.is_rx_tkipreplay++;
288 return 0;
289 }
290 /*
291 * NB: We can't update the rsc in the key until MIC is verified.
292 *
293 * We assume we are not preempted between doing the check above
294 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
295 * Otherwise we might process another packet and discard it as
296 * a replay.
297 */
298
299 /*
300 * Check if the device handled the decrypt in hardware.
301 * If so we just strip the header; otherwise we need to
302 * handle the decrypt in software.
303 */
304 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
305 !tkip_decrypt(ctx, k, m, hdrlen))
306 return 0;
307
308 /*
309 * Copy up 802.11 header and strip crypto bits.
310 */
311 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
312 m_adj(m, tkip.ic_header);
313 m_adj(m, -tkip.ic_trailer);
314
315 return 1;
316}
317
318/*
319 * Verify and strip MIC from the frame.
320 */
321static int
322tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
323{
324 struct tkip_ctx *ctx = k->wk_private;
325
326 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
327 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
328 struct ieee80211com *ic = ctx->tc_ic;
329 int hdrlen = ieee80211_hdrspace(ic, wh);
330 u8 mic[IEEE80211_WEP_MICLEN];
331 u8 mic0[IEEE80211_WEP_MICLEN];
332
333 ic->ic_stats.is_crypto_tkipdemic++;
334
335 michael_mic(ctx, k->wk_rxmic,
336 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
337 mic);
338 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
339 tkip.ic_miclen, mic0);
340 if (memcmp(mic, mic0, tkip.ic_miclen)) {
341 /* NB: 802.11 layer handles statistic and debug msg */
342 ieee80211_notify_michael_failure(ic, wh, k->wk_keyix);
343 return 0;
344 }
345 }
346 /*
347 * Strip MIC from the tail.
348 */
349 m_adj(m, -tkip.ic_miclen);
350
351 /*
352 * Ok to update rsc now that MIC has been verified.
353 */
354 k->wk_keyrsc = ctx->rx_rsc;
355
356 return 1;
357}
358
359/*
360 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
361 *
362 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
363 *
364 * This program is free software; you can redistribute it and/or modify
365 * it under the terms of the GNU General Public License version 2 as
366 * published by the Free Software Foundation. See README and COPYING for
367 * more details.
368 *
369 * Alternatively, this software may be distributed under the terms of BSD
370 * license.
371 */
372
373static const __u32 crc32_table[256] = {
374 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
375 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
376 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
377 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
378 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
379 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
380 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
381 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
382 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
383 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
384 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
385 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
386 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
387 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
388 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
389 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
390 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
391 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
392 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
393 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
394 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
395 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
396 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
397 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
398 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
399 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
400 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
401 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
402 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
403 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
404 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
405 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
406 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
407 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
408 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
409 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
410 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
411 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
412 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
413 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
414 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
415 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
416 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
417 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
418 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
419 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
420 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
421 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
422 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
423 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
424 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
425 0x2d02ef8dL
426};
427
428static __inline u16 RotR1(u16 val)
429{
430 return (val >> 1) | (val << 15);
431}
432
433static __inline u8 Lo8(u16 val)
434{
435 return val & 0xff;
436}
437
438static __inline u8 Hi8(u16 val)
439{
440 return val >> 8;
441}
442
443static __inline u16 Lo16(u32 val)
444{
445 return val & 0xffff;
446}
447
448static __inline u16 Hi16(u32 val)
449{
450 return val >> 16;
451}
452
453static __inline u16 Mk16(u8 hi, u8 lo)
454{
455 return lo | (((u16) hi) << 8);
456}
457
458static __inline u16 Mk16_le(const u16 *v)
459{
460 return le16toh(*v);
461}
462
463static const u16 Sbox[256] = {
464 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
465 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
466 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
467 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
468 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
469 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
470 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
471 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
472 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
473 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
474 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
475 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
476 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
477 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
478 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
479 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
480 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
481 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
482 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
483 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
484 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
485 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
486 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
487 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
488 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
489 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
490 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
491 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
492 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
493 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
494 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
495 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
496};
497
498static __inline u16 _S_(u16 v)
499{
500 u16 t = Sbox[Hi8(v)];
501 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
502}
503
504#define PHASE1_LOOP_COUNT 8
505
506static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
507{
508 int i, j;
509
510 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
511 TTAK[0] = Lo16(IV32);
512 TTAK[1] = Hi16(IV32);
513 TTAK[2] = Mk16(TA[1], TA[0]);
514 TTAK[3] = Mk16(TA[3], TA[2]);
515 TTAK[4] = Mk16(TA[5], TA[4]);
516
517 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
518 j = 2 * (i & 1);
519 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
520 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
521 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
522 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
523 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
524 }
525}
526
527#ifndef _BYTE_ORDER
528#error "Don't know native byte order"
529#endif
530
531static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
532 u16 IV16)
533{
534 /* Make temporary area overlap WEP seed so that the final copy can be
535 * avoided on little endian hosts. */
536 u16 *PPK = (u16 *) &WEPSeed[4];
537
538 /* Step 1 - make copy of TTAK and bring in TSC */
539 PPK[0] = TTAK[0];
540 PPK[1] = TTAK[1];
541 PPK[2] = TTAK[2];
542 PPK[3] = TTAK[3];
543 PPK[4] = TTAK[4];
544 PPK[5] = TTAK[4] + IV16;
545
546 /* Step 2 - 96-bit bijective mixing using S-box */
547 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
548 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
549 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
550 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
551 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
552 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
553
554 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
555 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
556 PPK[2] += RotR1(PPK[1]);
557 PPK[3] += RotR1(PPK[2]);
558 PPK[4] += RotR1(PPK[3]);
559 PPK[5] += RotR1(PPK[4]);
560
561 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
562 * WEPSeed[0..2] is transmitted as WEP IV */
563 WEPSeed[0] = Hi8(IV16);
564 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
565 WEPSeed[2] = Lo8(IV16);
566 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
567
568#if _BYTE_ORDER == _BIG_ENDIAN
569 {
570 int i;
571 for (i = 0; i < 6; i++)
572 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
573 }
574#endif
575}
576
577static void
578wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
579 uint8_t icv[IEEE80211_WEP_CRCLEN])
580{
581 u32 i, j, k, crc;
582 size_t buflen;
583 u8 S[256];
584 u8 *pos;
585 struct mbuf *m;
586#define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
587
588 /* Setup RC4 state */
589 for (i = 0; i < 256; i++)
590 S[i] = i;
591 j = 0;
592 for (i = 0; i < 256; i++) {
593 j = (j + S[i] + key[i & 0x0f]) & 0xff;
594 S_SWAP(i, j);
595 }
596
597 /* Compute CRC32 over unencrypted data and apply RC4 to data */
598 crc = ~0;
599 i = j = 0;
600 m = m0;
601 pos = mtod(m, uint8_t *) + off;
602 buflen = m->m_len - off;
603 for (;;) {
604 if (buflen > data_len)
605 buflen = data_len;
606 data_len -= buflen;
607 for (k = 0; k < buflen; k++) {
608 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
609 i = (i + 1) & 0xff;
610 j = (j + S[i]) & 0xff;
611 S_SWAP(i, j);
612 *pos++ ^= S[(S[i] + S[j]) & 0xff];
613 }
614 m = m->m_next;
615 if (m == NULL) {
616 KASSERT(data_len == 0,
617 ("out of buffers with data_len %zu\n", data_len));
618 break;
619 }
620 pos = mtod(m, uint8_t *);
621 buflen = m->m_len;
622 }
623 crc = ~crc;
624
625 /* Append little-endian CRC32 and encrypt it to produce ICV */
626 icv[0] = crc;
627 icv[1] = crc >> 8;
628 icv[2] = crc >> 16;
629 icv[3] = crc >> 24;
630 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
631 i = (i + 1) & 0xff;
632 j = (j + S[i]) & 0xff;
633 S_SWAP(i, j);
634 icv[k] ^= S[(S[i] + S[j]) & 0xff];
635 }
636}
637
638static int
639wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
640{
641 u32 i, j, k, crc;
642 u8 S[256];
643 u8 *pos, icv[4];
644 size_t buflen;
645
646 /* Setup RC4 state */
647 for (i = 0; i < 256; i++)
648 S[i] = i;
649 j = 0;
650 for (i = 0; i < 256; i++) {
651 j = (j + S[i] + key[i & 0x0f]) & 0xff;
652 S_SWAP(i, j);
653 }
654
655 /* Apply RC4 to data and compute CRC32 over decrypted data */
656 crc = ~0;
657 i = j = 0;
658 pos = mtod(m, uint8_t *) + off;
659 buflen = m->m_len - off;
660 for (;;) {
661 if (buflen > data_len)
662 buflen = data_len;
663 data_len -= buflen;
664 for (k = 0; k < buflen; k++) {
665 i = (i + 1) & 0xff;
666 j = (j + S[i]) & 0xff;
667 S_SWAP(i, j);
668 *pos ^= S[(S[i] + S[j]) & 0xff];
669 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
670 pos++;
671 }
672 m = m->m_next;
673 if (m == NULL) {
674 KASSERT(data_len == 0,
675 ("out of buffers with data_len %zu\n", data_len));
676 break;
677 }
678 pos = mtod(m, uint8_t *);
679 buflen = m->m_len;
680 }
681 crc = ~crc;
682
683 /* Encrypt little-endian CRC32 and verify that it matches with the
684 * received ICV */
685 icv[0] = crc;
686 icv[1] = crc >> 8;
687 icv[2] = crc >> 16;
688 icv[3] = crc >> 24;
689 for (k = 0; k < 4; k++) {
690 i = (i + 1) & 0xff;
691 j = (j + S[i]) & 0xff;
692 S_SWAP(i, j);
693 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
694 /* ICV mismatch - drop frame */
695 return -1;
696 }
697 }
698
699 return 0;
700}
701
702
703static __inline u32 rotl(u32 val, int bits)
704{
705 return (val << bits) | (val >> (32 - bits));
706}
707
708
709static __inline u32 rotr(u32 val, int bits)
710{
711 return (val >> bits) | (val << (32 - bits));
712}
713
714
715static __inline u32 xswap(u32 val)
716{
717 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
718}
719
720
721#define michael_block(l, r) \
722do { \
723 r ^= rotl(l, 17); \
724 l += r; \
725 r ^= xswap(l); \
726 l += r; \
727 r ^= rotl(l, 3); \
728 l += r; \
729 r ^= rotr(l, 2); \
730 l += r; \
731} while (0)
732
733
734static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
735{
736 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
737}
738
739static __inline u32 get_le32(const u8 *p)
740{
741 return get_le32_split(p[0], p[1], p[2], p[3]);
742}
743
744
745static __inline void put_le32(u8 *p, u32 v)
746{
747 p[0] = v;
748 p[1] = v >> 8;
749 p[2] = v >> 16;
750 p[3] = v >> 24;
751}
752
753/*
754 * Craft pseudo header used to calculate the MIC.
755 */
756static void
757michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
758{
759 const struct ieee80211_frame_addr4 *wh =
760 (const struct ieee80211_frame_addr4 *) wh0;
761
762 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
763 case IEEE80211_FC1_DIR_NODS:
764 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
765 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
766 break;
767 case IEEE80211_FC1_DIR_TODS:
768 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
769 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
770 break;
771 case IEEE80211_FC1_DIR_FROMDS:
772 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
773 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
774 break;
775 case IEEE80211_FC1_DIR_DSTODS:
776 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
777 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
778 break;
779 }
780
781 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
782 const struct ieee80211_qosframe *qwh =
783 (const struct ieee80211_qosframe *) wh;
784 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
785 } else
786 hdr[12] = 0;
787 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
788}
789
790static void
791michael_mic(struct tkip_ctx *ctx, const u8 *key,
792 struct mbuf *m, u_int off, size_t data_len,
793 u8 mic[IEEE80211_WEP_MICLEN])
794{
795 uint8_t hdr[16];
796 u32 l, r;
797 const uint8_t *data;
798 u_int space;
799
800 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
801
802 l = get_le32(key);
803 r = get_le32(key + 4);
804
805 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
806 l ^= get_le32(hdr);
807 michael_block(l, r);
808 l ^= get_le32(&hdr[4]);
809 michael_block(l, r);
810 l ^= get_le32(&hdr[8]);
811 michael_block(l, r);
812 l ^= get_le32(&hdr[12]);
813 michael_block(l, r);
814
815 /* first buffer has special handling */
816 data = mtod(m, const uint8_t *) + off;
817 space = m->m_len - off;
818 for (;;) {
819 if (space > data_len)
820 space = data_len;
821 /* collect 32-bit blocks from current buffer */
822 while (space >= sizeof(uint32_t)) {
823 l ^= get_le32(data);
824 michael_block(l, r);
825 data += sizeof(uint32_t), space -= sizeof(uint32_t);
826 data_len -= sizeof(uint32_t);
827 }
828 if (data_len < sizeof(uint32_t))
829 break;
830 m = m->m_next;
831 if (m == NULL) {
832 KASSERT(0, ("out of data, data_len %zu\n", data_len));
833 break;
834 }
835 if (space != 0) {
836 const uint8_t *data_next;
837 /*
838 * Block straddles buffers, split references.
839 */
840 data_next = mtod(m, const uint8_t *);
841 KASSERT(m->m_len >= sizeof(uint32_t) - space,
842 ("not enough data in following buffer, "
843 "m_len %u need %zu\n", m->m_len,
844 sizeof(uint32_t) - space));
845 switch (space) {
846 case 1:
847 l ^= get_le32_split(data[0], data_next[0],
848 data_next[1], data_next[2]);
849 data = data_next + 3;
850 space = m->m_len - 3;
851 break;
852 case 2:
853 l ^= get_le32_split(data[0], data[1],
854 data_next[0], data_next[1]);
855 data = data_next + 2;
856 space = m->m_len - 2;
857 break;
858 case 3:
859 l ^= get_le32_split(data[0], data[1],
860 data[2], data_next[0]);
861 data = data_next + 1;
862 space = m->m_len - 1;
863 break;
864 }
865 michael_block(l, r);
866 data_len -= sizeof(uint32_t);
867 } else {
868 /*
869 * Setup for next buffer.
870 */
871 data = mtod(m, const uint8_t *);
872 space = m->m_len;
873 }
874 }
875 /* Last block and padding (0x5a, 4..7 x 0) */
876 switch (data_len) {
877 case 0:
878 l ^= get_le32_split(0x5a, 0, 0, 0);
879 break;
880 case 1:
881 l ^= get_le32_split(data[0], 0x5a, 0, 0);
882 break;
883 case 2:
884 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
885 break;
886 case 3:
887 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
888 break;
889 }
890 michael_block(l, r);
891 /* l ^= 0; */
892 michael_block(l, r);
893
894 put_le32(mic, l);
895 put_le32(mic + 4, r);
896}
897
898static int
899tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
900 struct mbuf *m, int hdrlen)
901{
902 struct ieee80211_frame *wh;
903 uint8_t icv[IEEE80211_WEP_CRCLEN];
904
905 ctx->tc_ic->ic_stats.is_crypto_tkip++;
906
907 wh = mtod(m, struct ieee80211_frame *);
908 if (!ctx->tx_phase1_done) {
909 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
910 (u32)(key->wk_keytsc >> 16));
911 ctx->tx_phase1_done = 1;
912 }
913 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
914 (u16) key->wk_keytsc);
915
916 wep_encrypt(ctx->tx_rc4key,
917 m, hdrlen + tkip.ic_header,
918 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
919 icv);
920 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */
921
922 key->wk_keytsc++;
923 if ((u16)(key->wk_keytsc) == 0)
924 ctx->tx_phase1_done = 0;
925 return 1;
926}
927
928static int
929tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
930 struct mbuf *m, int hdrlen)
931{
932 struct ieee80211_frame *wh;
933 u32 iv32;
934 u16 iv16;
935
936 ctx->tc_ic->ic_stats.is_crypto_tkip++;
937
938 wh = mtod(m, struct ieee80211_frame *);
939 /* NB: tkip_decap already verified header and left seq in rx_rsc */
940 iv16 = (u16) ctx->rx_rsc;
941 iv32 = (u32) (ctx->rx_rsc >> 16);
942
943 if (iv32 != (u32)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) {
944 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
945 wh->i_addr2, iv32);
946 ctx->rx_phase1_done = 1;
947 }
948 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
949
950 /* NB: m is unstripped; deduct headers + ICV to get payload */
951 if (wep_decrypt(ctx->rx_rc4key,
952 m, hdrlen + tkip.ic_header,
953 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
954 if (iv32 != (u32)(key->wk_keyrsc >> 16)) {
955 /* Previously cached Phase1 result was already lost, so
956 * it needs to be recalculated for the next packet. */
957 ctx->rx_phase1_done = 0;
958 }
959 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
960 "[%s] TKIP ICV mismatch on decrypt\n",
961 ether_sprintf(wh->i_addr2));
962 ctx->tc_ic->ic_stats.is_rx_tkipicv++;
963 return 0;
964 }
965 return 1;
966}
967
968/*
969 * Module glue.
970 */
971static int
972tkip_modevent(module_t mod, int type, void *unused)
973{
974 switch (type) {
975 case MOD_LOAD:
976 ieee80211_crypto_register(&tkip);
977 return 0;
978 case MOD_UNLOAD:
979 ieee80211_crypto_unregister(&tkip);
980 return 0;
981 }
982 return EINVAL;
983}
984
985static moduledata_t tkip_mod = {
986 "wlan_tkip",
987 tkip_modevent,
988 0
989};
990DECLARE_MODULE(wlan_tkip, tkip_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
991MODULE_VERSION(wlan_tkip, 1);
992MODULE_DEPEND(wlan_tkip, wlan, 1, 1, 1);