ieee80211_crypto_tkip.c revision 138816
1/*- 2 * Copyright (c) 2002-2004 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. The name of the author may not be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * Alternatively, this software may be distributed under the terms of the 17 * GNU General Public License ("GPL") version 2 as published by the Free 18 * Software Foundation. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_crypto_tkip.c 138816 2004-12-13 18:12:26Z sam $"); 34 35/* 36 * IEEE 802.11i TKIP crypto support. 37 * 38 * Part of this module is derived from similar code in the Host 39 * AP driver. The code is used with the consent of the author and 40 * it's license is included below. 41 */ 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/mbuf.h> 45#include <sys/malloc.h> 46#include <sys/kernel.h> 47#include <sys/module.h> 48#include <sys/endian.h> 49 50#include <sys/socket.h> 51 52#include <net/if.h> 53#include <net/if_media.h> 54#include <net/ethernet.h> 55 56#include <net80211/ieee80211_var.h> 57 58static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 59static void tkip_detach(struct ieee80211_key *); 60static int tkip_setkey(struct ieee80211_key *); 61static int tkip_encap(struct ieee80211_key *, struct mbuf *m, u_int8_t keyid); 62static int tkip_enmic(struct ieee80211_key *, struct mbuf *); 63static int tkip_decap(struct ieee80211_key *, struct mbuf *); 64static int tkip_demic(struct ieee80211_key *, struct mbuf *); 65 66static const struct ieee80211_cipher tkip = { 67 .ic_name = "TKIP", 68 .ic_cipher = IEEE80211_CIPHER_TKIP, 69 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 70 IEEE80211_WEP_EXTIVLEN, 71 .ic_trailer = IEEE80211_WEP_CRCLEN, 72 .ic_miclen = IEEE80211_WEP_MICLEN, 73 .ic_attach = tkip_attach, 74 .ic_detach = tkip_detach, 75 .ic_setkey = tkip_setkey, 76 .ic_encap = tkip_encap, 77 .ic_decap = tkip_decap, 78 .ic_enmic = tkip_enmic, 79 .ic_demic = tkip_demic, 80}; 81 82typedef uint8_t u8; 83typedef uint16_t u16; 84typedef uint32_t __u32; 85typedef uint32_t u32; 86#define memmove(dst, src, n) ovbcopy(src, dst, n) 87 88struct tkip_ctx { 89 struct ieee80211com *tc_ic; /* for diagnostics */ 90 91 u16 tx_ttak[5]; 92 int tx_phase1_done; 93 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 94 95 u16 rx_ttak[5]; 96 int rx_phase1_done; 97 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 98 uint64_t rx_rsc; /* held until MIC verified */ 99}; 100 101static void michael_mic(struct tkip_ctx *, const u8 *key, 102 struct mbuf *m, u_int off, size_t data_len, 103 u8 mic[IEEE80211_WEP_MICLEN]); 104static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 105 struct mbuf *, int hdr_len); 106static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 107 struct mbuf *, int hdr_len); 108 109static void * 110tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 111{ 112 struct tkip_ctx *ctx; 113 114 MALLOC(ctx, struct tkip_ctx *, sizeof(struct tkip_ctx), 115 M_DEVBUF, M_NOWAIT | M_ZERO); 116 if (ctx == NULL) { 117 ic->ic_stats.is_crypto_nomem++; 118 return NULL; 119 } 120 121 ctx->tc_ic = ic; 122 return ctx; 123} 124 125static void 126tkip_detach(struct ieee80211_key *k) 127{ 128 struct tkip_ctx *ctx = k->wk_private; 129 130 FREE(ctx, M_DEVBUF); 131} 132 133static int 134tkip_setkey(struct ieee80211_key *k) 135{ 136 struct tkip_ctx *ctx = k->wk_private; 137 138 if (k->wk_keylen != (128/NBBY)) { 139 (void) ctx; /* XXX */ 140 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 141 "%s: Invalid key length %u, expecting %u\n", 142 __func__, k->wk_keylen, 128/NBBY); 143 return 0; 144 } 145 k->wk_keytsc = 1; /* TSC starts at 1 */ 146 return 1; 147} 148 149/* 150 * Add privacy headers and do any s/w encryption required. 151 */ 152static int 153tkip_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid) 154{ 155 struct tkip_ctx *ctx = k->wk_private; 156 struct ieee80211com *ic = ctx->tc_ic; 157 u_int8_t *ivp; 158 int hdrlen; 159 160 /* 161 * Handle TKIP counter measures requirement. 162 */ 163 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 164#ifdef IEEE80211_DEBUG 165 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 166#endif 167 168 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 169 "[%s] Discard frame due to countermeasures (%s)\n", 170 ether_sprintf(wh->i_addr2), __func__); 171 ic->ic_stats.is_crypto_tkipcm++; 172 return 0; 173 } 174 hdrlen = ieee80211_hdrsize(mtod(m, void *)); 175 176 /* 177 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 178 */ 179 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 180 if (m == NULL) 181 return 0; 182 ivp = mtod(m, u_int8_t *); 183 memmove(ivp, ivp + tkip.ic_header, hdrlen); 184 ivp += hdrlen; 185 186 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 187 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 188 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 189 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 190 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 191 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 192 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 193 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 194 195 /* 196 * Finally, do software encrypt if neeed. 197 */ 198 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 199 if (!tkip_encrypt(ctx, k, m, hdrlen)) 200 return 0; 201 /* NB: tkip_encrypt handles wk_keytsc */ 202 } else 203 k->wk_keytsc++; /* XXX wrap at 48 bits */ 204 205 return 1; 206} 207 208/* 209 * Add MIC to the frame as needed. 210 */ 211static int 212tkip_enmic(struct ieee80211_key *k, struct mbuf *m) 213{ 214 struct tkip_ctx *ctx = k->wk_private; 215 216 if (k->wk_flags & IEEE80211_KEY_SWMIC) { 217 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 218 int hdrlen = ieee80211_hdrsize(wh); 219 uint8_t mic[IEEE80211_WEP_MICLEN]; 220 221 ctx->tc_ic->ic_stats.is_crypto_tkipenmic++; 222 223 michael_mic(ctx, k->wk_txmic, 224 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 225 return m_append(m, tkip.ic_miclen, mic); 226 } 227 return 1; 228} 229 230static __inline uint64_t 231READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 232{ 233 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 234 uint16_t iv16 = (b4 << 0) | (b5 << 8); 235 return (((uint64_t)iv16) << 32) | iv32; 236} 237 238/* 239 * Validate and strip privacy headers (and trailer) for a 240 * received frame. If necessary, decrypt the frame using 241 * the specified key. 242 */ 243static int 244tkip_decap(struct ieee80211_key *k, struct mbuf *m) 245{ 246 struct tkip_ctx *ctx = k->wk_private; 247 struct ieee80211com *ic = ctx->tc_ic; 248 struct ieee80211_frame *wh; 249 uint8_t *ivp; 250 int hdrlen; 251 252 /* 253 * Header should have extended IV and sequence number; 254 * verify the former and validate the latter. 255 */ 256 wh = mtod(m, struct ieee80211_frame *); 257 hdrlen = ieee80211_hdrsize(wh); 258 ivp = mtod(m, uint8_t *) + hdrlen; 259 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 260 /* 261 * No extended IV; discard frame. 262 */ 263 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 264 "[%s] Missing ExtIV for TKIP cipher\n", 265 ether_sprintf(wh->i_addr2)); 266 ctx->tc_ic->ic_stats.is_rx_tkipformat++; 267 return 0; 268 } 269 /* 270 * Handle TKIP counter measures requirement. 271 */ 272 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 273 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 274 "[%s] Discard frame due to countermeasures (%s)\n", 275 ether_sprintf(wh->i_addr2), __func__); 276 ic->ic_stats.is_crypto_tkipcm++; 277 return 0; 278 } 279 280 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], 281 ivp[6], ivp[7]); 282 if (ctx->rx_rsc <= k->wk_keyrsc) { 283 /* 284 * Replay violation; notify upper layer. 285 */ 286 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc); 287 ctx->tc_ic->ic_stats.is_rx_tkipreplay++; 288 return 0; 289 } 290 /* 291 * NB: We can't update the rsc in the key until MIC is verified. 292 * 293 * We assume we are not preempted between doing the check above 294 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 295 * Otherwise we might process another packet and discard it as 296 * a replay. 297 */ 298 299 /* 300 * Check if the device handled the decrypt in hardware. 301 * If so we just strip the header; otherwise we need to 302 * handle the decrypt in software. 303 */ 304 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) && 305 !tkip_decrypt(ctx, k, m, hdrlen)) 306 return 0; 307 308 /* 309 * Copy up 802.11 header and strip crypto bits. 310 */ 311 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 312 m_adj(m, tkip.ic_header); 313 m_adj(m, -tkip.ic_trailer); 314 315 return 1; 316} 317 318/* 319 * Verify and strip MIC from the frame. 320 */ 321static int 322tkip_demic(struct ieee80211_key *k, struct mbuf *m) 323{ 324 struct tkip_ctx *ctx = k->wk_private; 325 326 if (k->wk_flags & IEEE80211_KEY_SWMIC) { 327 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 328 int hdrlen = ieee80211_hdrsize(wh); 329 u8 mic[IEEE80211_WEP_MICLEN]; 330 u8 mic0[IEEE80211_WEP_MICLEN]; 331 332 ctx->tc_ic->ic_stats.is_crypto_tkipdemic++; 333 334 michael_mic(ctx, k->wk_rxmic, 335 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 336 mic); 337 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 338 tkip.ic_miclen, mic0); 339 if (memcmp(mic, mic0, tkip.ic_miclen)) { 340 /* NB: 802.11 layer handles statistic and debug msg */ 341 ieee80211_notify_michael_failure(ctx->tc_ic, wh, 342 k->wk_keyix); 343 return 0; 344 } 345 } 346 /* 347 * Strip MIC from the tail. 348 */ 349 m_adj(m, -tkip.ic_miclen); 350 351 /* 352 * Ok to update rsc now that MIC has been verified. 353 */ 354 k->wk_keyrsc = ctx->rx_rsc; 355 356 return 1; 357} 358 359/* 360 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 361 * 362 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 363 * 364 * This program is free software; you can redistribute it and/or modify 365 * it under the terms of the GNU General Public License version 2 as 366 * published by the Free Software Foundation. See README and COPYING for 367 * more details. 368 * 369 * Alternatively, this software may be distributed under the terms of BSD 370 * license. 371 */ 372 373static const __u32 crc32_table[256] = { 374 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 375 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 376 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 377 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 378 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 379 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 380 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 381 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 382 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 383 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 384 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 385 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 386 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 387 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 388 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 389 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 390 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 391 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 392 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 393 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 394 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 395 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 396 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 397 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 398 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 399 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 400 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 401 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 402 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 403 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 404 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 405 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 406 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 407 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 408 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 409 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 410 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 411 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 412 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 413 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 414 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 415 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 416 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 417 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 418 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 419 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 420 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 421 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 422 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 423 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 424 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 425 0x2d02ef8dL 426}; 427 428static __inline u16 RotR1(u16 val) 429{ 430 return (val >> 1) | (val << 15); 431} 432 433static __inline u8 Lo8(u16 val) 434{ 435 return val & 0xff; 436} 437 438static __inline u8 Hi8(u16 val) 439{ 440 return val >> 8; 441} 442 443static __inline u16 Lo16(u32 val) 444{ 445 return val & 0xffff; 446} 447 448static __inline u16 Hi16(u32 val) 449{ 450 return val >> 16; 451} 452 453static __inline u16 Mk16(u8 hi, u8 lo) 454{ 455 return lo | (((u16) hi) << 8); 456} 457 458static __inline u16 Mk16_le(const u16 *v) 459{ 460 return le16toh(*v); 461} 462 463static const u16 Sbox[256] = { 464 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 465 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 466 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 467 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 468 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 469 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 470 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 471 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 472 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 473 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 474 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 475 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 476 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 477 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 478 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 479 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 480 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 481 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 482 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 483 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 484 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 485 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 486 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 487 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 488 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 489 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 490 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 491 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 492 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 493 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 494 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 495 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 496}; 497 498static __inline u16 _S_(u16 v) 499{ 500 u16 t = Sbox[Hi8(v)]; 501 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 502} 503 504#define PHASE1_LOOP_COUNT 8 505 506static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 507{ 508 int i, j; 509 510 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 511 TTAK[0] = Lo16(IV32); 512 TTAK[1] = Hi16(IV32); 513 TTAK[2] = Mk16(TA[1], TA[0]); 514 TTAK[3] = Mk16(TA[3], TA[2]); 515 TTAK[4] = Mk16(TA[5], TA[4]); 516 517 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 518 j = 2 * (i & 1); 519 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 520 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 521 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 522 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 523 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 524 } 525} 526 527#ifndef _BYTE_ORDER 528#error "Don't know native byte order" 529#endif 530 531static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 532 u16 IV16) 533{ 534 /* Make temporary area overlap WEP seed so that the final copy can be 535 * avoided on little endian hosts. */ 536 u16 *PPK = (u16 *) &WEPSeed[4]; 537 538 /* Step 1 - make copy of TTAK and bring in TSC */ 539 PPK[0] = TTAK[0]; 540 PPK[1] = TTAK[1]; 541 PPK[2] = TTAK[2]; 542 PPK[3] = TTAK[3]; 543 PPK[4] = TTAK[4]; 544 PPK[5] = TTAK[4] + IV16; 545 546 /* Step 2 - 96-bit bijective mixing using S-box */ 547 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 548 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 549 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 550 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 551 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 552 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 553 554 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 555 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 556 PPK[2] += RotR1(PPK[1]); 557 PPK[3] += RotR1(PPK[2]); 558 PPK[4] += RotR1(PPK[3]); 559 PPK[5] += RotR1(PPK[4]); 560 561 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 562 * WEPSeed[0..2] is transmitted as WEP IV */ 563 WEPSeed[0] = Hi8(IV16); 564 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 565 WEPSeed[2] = Lo8(IV16); 566 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 567 568#if _BYTE_ORDER == _BIG_ENDIAN 569 { 570 int i; 571 for (i = 0; i < 6; i++) 572 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 573 } 574#endif 575} 576 577static void 578wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 579 uint8_t icv[IEEE80211_WEP_CRCLEN]) 580{ 581 u32 i, j, k, crc; 582 size_t buflen; 583 u8 S[256]; 584 u8 *pos; 585 struct mbuf *m; 586#define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 587 588 /* Setup RC4 state */ 589 for (i = 0; i < 256; i++) 590 S[i] = i; 591 j = 0; 592 for (i = 0; i < 256; i++) { 593 j = (j + S[i] + key[i & 0x0f]) & 0xff; 594 S_SWAP(i, j); 595 } 596 597 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 598 crc = ~0; 599 i = j = 0; 600 m = m0; 601 pos = mtod(m, uint8_t *) + off; 602 buflen = m->m_len - off; 603 for (;;) { 604 if (buflen > data_len) 605 buflen = data_len; 606 data_len -= buflen; 607 for (k = 0; k < buflen; k++) { 608 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 609 i = (i + 1) & 0xff; 610 j = (j + S[i]) & 0xff; 611 S_SWAP(i, j); 612 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 613 } 614 m = m->m_next; 615 if (m == NULL) { 616 KASSERT(data_len == 0, 617 ("out of buffers with data_len %zu\n", data_len)); 618 break; 619 } 620 pos = mtod(m, uint8_t *); 621 buflen = m->m_len; 622 } 623 crc = ~crc; 624 625 /* Append little-endian CRC32 and encrypt it to produce ICV */ 626 icv[0] = crc; 627 icv[1] = crc >> 8; 628 icv[2] = crc >> 16; 629 icv[3] = crc >> 24; 630 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 631 i = (i + 1) & 0xff; 632 j = (j + S[i]) & 0xff; 633 S_SWAP(i, j); 634 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 635 } 636} 637 638static int 639wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 640{ 641 u32 i, j, k, crc; 642 u8 S[256]; 643 u8 *pos, icv[4]; 644 size_t buflen; 645 646 /* Setup RC4 state */ 647 for (i = 0; i < 256; i++) 648 S[i] = i; 649 j = 0; 650 for (i = 0; i < 256; i++) { 651 j = (j + S[i] + key[i & 0x0f]) & 0xff; 652 S_SWAP(i, j); 653 } 654 655 /* Apply RC4 to data and compute CRC32 over decrypted data */ 656 crc = ~0; 657 i = j = 0; 658 pos = mtod(m, uint8_t *) + off; 659 buflen = m->m_len - off; 660 for (;;) { 661 if (buflen > data_len) 662 buflen = data_len; 663 data_len -= buflen; 664 for (k = 0; k < buflen; k++) { 665 i = (i + 1) & 0xff; 666 j = (j + S[i]) & 0xff; 667 S_SWAP(i, j); 668 *pos ^= S[(S[i] + S[j]) & 0xff]; 669 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 670 pos++; 671 } 672 m = m->m_next; 673 if (m == NULL) { 674 KASSERT(data_len == 0, 675 ("out of buffers with data_len %zu\n", data_len)); 676 break; 677 } 678 pos = mtod(m, uint8_t *); 679 buflen = m->m_len; 680 } 681 crc = ~crc; 682 683 /* Encrypt little-endian CRC32 and verify that it matches with the 684 * received ICV */ 685 icv[0] = crc; 686 icv[1] = crc >> 8; 687 icv[2] = crc >> 16; 688 icv[3] = crc >> 24; 689 for (k = 0; k < 4; k++) { 690 i = (i + 1) & 0xff; 691 j = (j + S[i]) & 0xff; 692 S_SWAP(i, j); 693 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 694 /* ICV mismatch - drop frame */ 695 return -1; 696 } 697 } 698 699 return 0; 700} 701 702 703static __inline u32 rotl(u32 val, int bits) 704{ 705 return (val << bits) | (val >> (32 - bits)); 706} 707 708 709static __inline u32 rotr(u32 val, int bits) 710{ 711 return (val >> bits) | (val << (32 - bits)); 712} 713 714 715static __inline u32 xswap(u32 val) 716{ 717 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 718} 719 720 721#define michael_block(l, r) \ 722do { \ 723 r ^= rotl(l, 17); \ 724 l += r; \ 725 r ^= xswap(l); \ 726 l += r; \ 727 r ^= rotl(l, 3); \ 728 l += r; \ 729 r ^= rotr(l, 2); \ 730 l += r; \ 731} while (0) 732 733 734static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 735{ 736 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 737} 738 739static __inline u32 get_le32(const u8 *p) 740{ 741 return get_le32_split(p[0], p[1], p[2], p[3]); 742} 743 744 745static __inline void put_le32(u8 *p, u32 v) 746{ 747 p[0] = v; 748 p[1] = v >> 8; 749 p[2] = v >> 16; 750 p[3] = v >> 24; 751} 752 753/* 754 * Craft pseudo header used to calculate the MIC. 755 */ 756static void 757michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 758{ 759 const struct ieee80211_frame_addr4 *wh = 760 (const struct ieee80211_frame_addr4 *) wh0; 761 762 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 763 case IEEE80211_FC1_DIR_NODS: 764 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 765 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 766 break; 767 case IEEE80211_FC1_DIR_TODS: 768 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 769 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 770 break; 771 case IEEE80211_FC1_DIR_FROMDS: 772 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 773 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 774 break; 775 case IEEE80211_FC1_DIR_DSTODS: 776 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 777 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 778 break; 779 } 780 781 hdr[12] = 0; /* XXX qos priority */ 782 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 783} 784 785static void 786michael_mic(struct tkip_ctx *ctx, const u8 *key, 787 struct mbuf *m, u_int off, size_t data_len, 788 u8 mic[IEEE80211_WEP_MICLEN]) 789{ 790 uint8_t hdr[16]; 791 u32 l, r; 792 const uint8_t *data; 793 u_int space; 794 795 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 796 797 l = get_le32(key); 798 r = get_le32(key + 4); 799 800 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 801 l ^= get_le32(hdr); 802 michael_block(l, r); 803 l ^= get_le32(&hdr[4]); 804 michael_block(l, r); 805 l ^= get_le32(&hdr[8]); 806 michael_block(l, r); 807 l ^= get_le32(&hdr[12]); 808 michael_block(l, r); 809 810 /* first buffer has special handling */ 811 data = mtod(m, const uint8_t *) + off; 812 space = m->m_len - off; 813 for (;;) { 814 if (space > data_len) 815 space = data_len; 816 /* collect 32-bit blocks from current buffer */ 817 while (space >= sizeof(uint32_t)) { 818 l ^= get_le32(data); 819 michael_block(l, r); 820 data += sizeof(uint32_t), space -= sizeof(uint32_t); 821 data_len -= sizeof(uint32_t); 822 } 823 if (data_len < sizeof(uint32_t)) 824 break; 825 m = m->m_next; 826 if (m == NULL) { 827 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 828 break; 829 } 830 if (space != 0) { 831 const uint8_t *data_next; 832 /* 833 * Block straddles buffers, split references. 834 */ 835 data_next = mtod(m, const uint8_t *); 836 KASSERT(m->m_len >= sizeof(uint32_t) - space, 837 ("not enough data in following buffer, " 838 "m_len %u need %zu\n", m->m_len, 839 sizeof(uint32_t) - space)); 840 switch (space) { 841 case 1: 842 l ^= get_le32_split(data[0], data_next[0], 843 data_next[1], data_next[2]); 844 data = data_next + 3; 845 space = m->m_len - 3; 846 break; 847 case 2: 848 l ^= get_le32_split(data[0], data[1], 849 data_next[0], data_next[1]); 850 data = data_next + 2; 851 space = m->m_len - 2; 852 break; 853 case 3: 854 l ^= get_le32_split(data[0], data[1], 855 data[2], data_next[0]); 856 data = data_next + 1; 857 space = m->m_len - 1; 858 break; 859 } 860 michael_block(l, r); 861 data_len -= sizeof(uint32_t); 862 } else { 863 /* 864 * Setup for next buffer. 865 */ 866 data = mtod(m, const uint8_t *); 867 space = m->m_len; 868 } 869 } 870 /* Last block and padding (0x5a, 4..7 x 0) */ 871 switch (data_len) { 872 case 0: 873 l ^= get_le32_split(0x5a, 0, 0, 0); 874 break; 875 case 1: 876 l ^= get_le32_split(data[0], 0x5a, 0, 0); 877 break; 878 case 2: 879 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 880 break; 881 case 3: 882 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 883 break; 884 } 885 michael_block(l, r); 886 /* l ^= 0; */ 887 michael_block(l, r); 888 889 put_le32(mic, l); 890 put_le32(mic + 4, r); 891} 892 893static int 894tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 895 struct mbuf *m, int hdrlen) 896{ 897 struct ieee80211_frame *wh; 898 uint8_t icv[IEEE80211_WEP_CRCLEN]; 899 900 ctx->tc_ic->ic_stats.is_crypto_tkip++; 901 902 wh = mtod(m, struct ieee80211_frame *); 903 if (!ctx->tx_phase1_done) { 904 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 905 (u32)(key->wk_keytsc >> 16)); 906 ctx->tx_phase1_done = 1; 907 } 908 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 909 (u16) key->wk_keytsc); 910 911 wep_encrypt(ctx->tx_rc4key, 912 m, hdrlen + tkip.ic_header, 913 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 914 icv); 915 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 916 917 key->wk_keytsc++; /* XXX wrap at 48 bits */ 918 if ((u16)(key->wk_keytsc) == 0) 919 ctx->tx_phase1_done = 0; 920 return 1; 921} 922 923static int 924tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 925 struct mbuf *m, int hdrlen) 926{ 927 struct ieee80211_frame *wh; 928 u32 iv32; 929 u16 iv16; 930 931 ctx->tc_ic->ic_stats.is_crypto_tkip++; 932 933 wh = mtod(m, struct ieee80211_frame *); 934 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 935 iv16 = (u16) ctx->rx_rsc; 936 iv32 = (u32) (ctx->rx_rsc >> 16); 937 938 if (iv32 != (u32)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 939 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 940 wh->i_addr2, iv32); 941 ctx->rx_phase1_done = 1; 942 } 943 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 944 945 /* NB: m is unstripped; deduct headers + ICV to get payload */ 946 if (wep_decrypt(ctx->rx_rc4key, 947 m, hdrlen + tkip.ic_header, 948 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 949 if (iv32 != (u32)(key->wk_keyrsc >> 16)) { 950 /* Previously cached Phase1 result was already lost, so 951 * it needs to be recalculated for the next packet. */ 952 ctx->rx_phase1_done = 0; 953 } 954 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 955 "[%s] TKIP ICV mismatch on decrypt\n", 956 ether_sprintf(wh->i_addr2)); 957 ctx->tc_ic->ic_stats.is_rx_tkipicv++; 958 return 0; 959 } 960 return 1; 961} 962 963/* 964 * Module glue. 965 */ 966static int 967tkip_modevent(module_t mod, int type, void *unused) 968{ 969 switch (type) { 970 case MOD_LOAD: 971 ieee80211_crypto_register(&tkip); 972 return 0; 973 case MOD_UNLOAD: 974 ieee80211_crypto_unregister(&tkip); 975 return 0; 976 } 977 return EINVAL; 978} 979 980static moduledata_t tkip_mod = { 981 "wlan_tkip", 982 tkip_modevent, 983 0 984}; 985DECLARE_MODULE(wlan_tkip, tkip_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST); 986MODULE_VERSION(wlan_tkip, 1); 987MODULE_DEPEND(wlan_tkip, wlan, 1, 1, 1); 988