1/* $OpenBSD: ieee80211_crypto_tkip.c,v 1.33 2021/03/10 10:21:48 jsg Exp $ */ 2 3/*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19/* 20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined 21 * in IEEE Std 802.11-2007 section 8.3.2. 22 */ 23 24#include <sys/param.h> 25#include <sys/systm.h> 26#include <sys/mbuf.h> 27#include <sys/malloc.h> 28#include <sys/kernel.h> 29#include <sys/socket.h> 30#include <sys/endian.h> 31#include <sys/syslog.h> 32 33#include <net/if.h> 34#include <net/if_dl.h> 35#include <net/if_media.h> 36 37#include <netinet/in.h> 38#include <netinet/if_ether.h> 39 40#include <net80211/ieee80211_var.h> 41#include <net80211/ieee80211_crypto.h> 42 43#include <crypto/arc4.h> 44#include <crypto/michael.h> 45 46typedef u_int8_t byte; /* 8-bit byte (octet) */ 47typedef u_int16_t u16b; /* 16-bit unsigned word */ 48typedef u_int32_t u32b; /* 32-bit unsigned word */ 49 50static void Phase1(u16b *, const byte *, const byte *, u32b); 51static void Phase2(byte *, const byte *, const u16b *, u16b); 52 53/* TKIP software crypto context */ 54struct ieee80211_tkip_ctx { 55 struct rc4_ctx rc4; 56 const u_int8_t *txmic; 57 const u_int8_t *rxmic; 58 u_int16_t txttak[5]; 59 u_int16_t rxttak[5]; 60 u_int8_t txttak_ok; 61 u_int8_t rxttak_ok; 62}; 63 64/* 65 * Initialize software crypto context. This function can be overridden 66 * by drivers doing hardware crypto. 67 */ 68int 69ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 70{ 71 struct ieee80211_tkip_ctx *ctx; 72 73 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 74 if (ctx == NULL) 75 return ENOMEM; 76 /* 77 * Use bits 128-191 as the Michael key for AA->SPA and bits 78 * 192-255 as the Michael key for SPA->AA. 79 */ 80#ifndef IEEE80211_STA_ONLY 81 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 82 ctx->txmic = &k->k_key[16]; 83 ctx->rxmic = &k->k_key[24]; 84 } else 85#endif 86 { 87 ctx->rxmic = &k->k_key[16]; 88 ctx->txmic = &k->k_key[24]; 89 } 90 k->k_priv = ctx; 91 return 0; 92} 93 94void 95ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 96{ 97 if (k->k_priv != NULL) { 98 explicit_bzero(k->k_priv, sizeof(struct ieee80211_tkip_ctx)); 99 free(k->k_priv, M_DEVBUF, sizeof(struct ieee80211_tkip_ctx)); 100 } 101 k->k_priv = NULL; 102} 103 104/* pseudo-header used for TKIP MIC computation */ 105struct ieee80211_tkip_frame { 106 u_int8_t i_da[IEEE80211_ADDR_LEN]; 107 u_int8_t i_sa[IEEE80211_ADDR_LEN]; 108 u_int8_t i_pri; 109 u_int8_t i_pad[3]; 110} __packed; 111 112/* 113 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the 114 * beginning. This function should be kept independent from the software 115 * TKIP crypto code so that drivers doing hardware crypto but not MIC can 116 * call it without a software crypto context. 117 */ 118void 119ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key, 120 u_int8_t mic[IEEE80211_TKIP_MICLEN]) 121{ 122 const struct ieee80211_frame *wh; 123 struct ieee80211_tkip_frame wht; 124 MICHAEL_CTX ctx; /* small enough */ 125 struct mbuf *m; 126 caddr_t pos; 127 int len; 128 129 /* assumes 802.11 header is contiguous */ 130 wh = mtod(m0, struct ieee80211_frame *); 131 132 /* construct pseudo-header for TKIP MIC computation */ 133 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 134 case IEEE80211_FC1_DIR_NODS: 135 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 136 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 137 break; 138 case IEEE80211_FC1_DIR_TODS: 139 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 140 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 141 break; 142 case IEEE80211_FC1_DIR_FROMDS: 143 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 144 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3); 145 break; 146 case IEEE80211_FC1_DIR_DSTODS: 147 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 148 IEEE80211_ADDR_COPY(wht.i_sa, 149 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); 150 break; 151 } 152 if (ieee80211_has_qos(wh)) 153 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; 154 else 155 wht.i_pri = 0; 156 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0; 157 158 michael_init(&ctx); 159 michael_key(key, &ctx); 160 161 michael_update(&ctx, (caddr_t)&wht, sizeof(wht)); 162 163 m = m0; 164 /* assumes the first "off" bytes are contiguous */ 165 pos = mtod(m, caddr_t) + off; 166 len = m->m_len - off; 167 for (;;) { 168 michael_update(&ctx, pos, len); 169 if ((m = m->m_next) == NULL) 170 break; 171 pos = mtod(m, caddr_t); 172 len = m->m_len; 173 } 174 175 michael_final(mic, &ctx); 176} 177 178/* shortcuts */ 179#define IEEE80211_TKIP_TAILLEN \ 180 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN) 181#define IEEE80211_TKIP_OVHD \ 182 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN) 183 184struct mbuf * 185ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0, 186 struct ieee80211_key *k) 187{ 188 struct ieee80211_tkip_ctx *ctx = k->k_priv; 189 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 190 const struct ieee80211_frame *wh; 191 u_int8_t *ivp, *mic, *icvp; 192 struct mbuf *n0, *m, *n; 193 u_int32_t crc; 194 int left, moff, noff, len, hdrlen; 195 196 MGET(n0, M_DONTWAIT, m0->m_type); 197 if (n0 == NULL) 198 goto nospace; 199 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 200 goto nospace; 201 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN; 202 n0->m_len = MHLEN; 203 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 204 MCLGET(n0, M_DONTWAIT); 205 if (n0->m_flags & M_EXT) 206 n0->m_len = n0->m_ext.ext_size; 207 } 208 if (n0->m_len > n0->m_pkthdr.len) 209 n0->m_len = n0->m_pkthdr.len; 210 211 /* copy 802.11 header */ 212 wh = mtod(m0, struct ieee80211_frame *); 213 hdrlen = ieee80211_get_hdrlen(wh); 214 memcpy(mtod(n0, caddr_t), wh, hdrlen); 215 216 k->k_tsc++; /* increment the 48-bit TSC */ 217 218 /* construct TKIP header */ 219 ivp = mtod(n0, u_int8_t *) + hdrlen; 220 ivp[0] = k->k_tsc >> 8; /* TSC1 */ 221 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */ 222 ivp[1] = (ivp[0] | 0x20) & 0x7f; 223 ivp[2] = k->k_tsc; /* TSC0 */ 224 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */ 225 ivp[4] = k->k_tsc >> 16; /* TSC2 */ 226 ivp[5] = k->k_tsc >> 24; /* TSC3 */ 227 ivp[6] = k->k_tsc >> 32; /* TSC4 */ 228 ivp[7] = k->k_tsc >> 40; /* TSC5 */ 229 230 /* compute WEP seed */ 231 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) { 232 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16); 233 ctx->txttak_ok = 1; 234 } 235 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff); 236 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 237 explicit_bzero(wepseed, sizeof(wepseed)); 238 239 /* encrypt frame body and compute WEP ICV */ 240 m = m0; 241 n = n0; 242 moff = hdrlen; 243 noff = hdrlen + IEEE80211_TKIP_HDRLEN; 244 left = m0->m_pkthdr.len - moff; 245 crc = ~0; 246 while (left > 0) { 247 if (moff == m->m_len) { 248 /* nothing left to copy from m */ 249 m = m->m_next; 250 moff = 0; 251 } 252 if (noff == n->m_len) { 253 /* n is full and there's more data to copy */ 254 MGET(n->m_next, M_DONTWAIT, n->m_type); 255 if (n->m_next == NULL) 256 goto nospace; 257 n = n->m_next; 258 n->m_len = MLEN; 259 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 260 MCLGET(n, M_DONTWAIT); 261 if (n->m_flags & M_EXT) 262 n->m_len = n->m_ext.ext_size; 263 } 264 if (n->m_len > left) 265 n->m_len = left; 266 noff = 0; 267 } 268 len = min(m->m_len - moff, n->m_len - noff); 269 270 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len); 271 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 272 mtod(n, caddr_t) + noff, len); 273 274 moff += len; 275 noff += len; 276 left -= len; 277 } 278 279 /* reserve trailing space for TKIP MIC and WEP ICV */ 280 if (m_trailingspace(n) < IEEE80211_TKIP_TAILLEN) { 281 MGET(n->m_next, M_DONTWAIT, n->m_type); 282 if (n->m_next == NULL) 283 goto nospace; 284 n = n->m_next; 285 n->m_len = 0; 286 } 287 288 /* compute TKIP MIC over clear text */ 289 mic = mtod(n, caddr_t) + n->m_len; 290 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic); 291 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN); 292 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN); 293 n->m_len += IEEE80211_TKIP_MICLEN; 294 295 /* finalize WEP ICV */ 296 icvp = mtod(n, caddr_t) + n->m_len; 297 crc = ~crc; 298 icvp[0] = crc; 299 icvp[1] = crc >> 8; 300 icvp[2] = crc >> 16; 301 icvp[3] = crc >> 24; 302 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN); 303 n->m_len += IEEE80211_WEP_CRCLEN; 304 305 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN; 306 307 m_freem(m0); 308 return n0; 309 nospace: 310 ic->ic_stats.is_tx_nombuf++; 311 m_freem(m0); 312 m_freem(n0); 313 return NULL; 314} 315 316int 317ieee80211_tkip_get_tsc(uint64_t *tsc, uint64_t **prsc, struct mbuf *m, 318 struct ieee80211_key *k) 319{ 320 struct ieee80211_frame *wh; 321 int hdrlen; 322 u_int8_t tid; 323 const u_int8_t *ivp; 324 325 wh = mtod(m, struct ieee80211_frame *); 326 hdrlen = ieee80211_get_hdrlen(wh); 327 328 if (m->m_pkthdr.len < hdrlen + IEEE80211_TKIP_HDRLEN) 329 return EINVAL; 330 331 ivp = (u_int8_t *)wh + hdrlen; 332 /* check that ExtIV bit is set */ 333 if (!(ivp[3] & IEEE80211_WEP_EXTIV)) 334 return EINVAL; 335 336 /* Retrieve last seen packet number for this frame priority. */ 337 tid = ieee80211_has_qos(wh) ? 338 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; 339 *prsc = &k->k_rsc[tid]; 340 341 /* extract the 48-bit TSC from the TKIP header */ 342 *tsc = (u_int64_t)ivp[2] | 343 (u_int64_t)ivp[0] << 8 | 344 (u_int64_t)ivp[4] << 16 | 345 (u_int64_t)ivp[5] << 24 | 346 (u_int64_t)ivp[6] << 32 | 347 (u_int64_t)ivp[7] << 40; 348 349 return 0; 350} 351 352struct mbuf * 353ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0, 354 struct ieee80211_key *k) 355{ 356 struct ieee80211_tkip_ctx *ctx = k->k_priv; 357 struct ieee80211_frame *wh; 358 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 359 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN]; 360 u_int8_t mic[IEEE80211_TKIP_MICLEN]; 361 u_int64_t tsc, *prsc; 362 u_int32_t crc, crc0; 363 u_int8_t *mic0; 364 struct mbuf *n0, *m, *n; 365 int hdrlen, left, moff, noff, len; 366 367 wh = mtod(m0, struct ieee80211_frame *); 368 hdrlen = ieee80211_get_hdrlen(wh); 369 370 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) { 371 m_freem(m0); 372 return NULL; 373 } 374 375 /* 376 * Get the frame's Transmit Sequence Counter (TSC), and a pointer to 377 * our last-seen Receive Sequence Counter (RSC) with which we can 378 * detect replays. 379 */ 380 if (ieee80211_tkip_get_tsc(&tsc, &prsc, m0, k) != 0) { 381 m_freem(m0); 382 return NULL; 383 } 384 if (tsc <= *prsc) { 385 /* replayed frame, discard */ 386 ic->ic_stats.is_tkip_replays++; 387 m_freem(m0); 388 return NULL; 389 } 390 391 MGET(n0, M_DONTWAIT, m0->m_type); 392 if (n0 == NULL) 393 goto nospace; 394 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 395 goto nospace; 396 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD; 397 n0->m_len = MHLEN; 398 if (n0->m_pkthdr.len >= MINCLSIZE) { 399 MCLGET(n0, M_DONTWAIT); 400 if (n0->m_flags & M_EXT) 401 n0->m_len = n0->m_ext.ext_size; 402 } 403 if (n0->m_len > n0->m_pkthdr.len) 404 n0->m_len = n0->m_pkthdr.len; 405 406 /* copy 802.11 header and clear protected bit */ 407 memcpy(mtod(n0, caddr_t), wh, hdrlen); 408 wh = mtod(n0, struct ieee80211_frame *); 409 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 410 411 /* compute WEP seed */ 412 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) { 413 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */ 414 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16); 415 } 416 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff); 417 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 418 explicit_bzero(wepseed, sizeof(wepseed)); 419 420 /* decrypt frame body and compute WEP ICV */ 421 m = m0; 422 n = n0; 423 moff = hdrlen + IEEE80211_TKIP_HDRLEN; 424 noff = hdrlen; 425 left = n0->m_pkthdr.len - noff; 426 crc = ~0; 427 while (left > 0) { 428 if (moff == m->m_len) { 429 /* nothing left to copy from m */ 430 m = m->m_next; 431 moff = 0; 432 } 433 if (noff == n->m_len) { 434 /* n is full and there's more data to copy */ 435 MGET(n->m_next, M_DONTWAIT, n->m_type); 436 if (n->m_next == NULL) 437 goto nospace; 438 n = n->m_next; 439 n->m_len = MLEN; 440 if (left >= MINCLSIZE) { 441 MCLGET(n, M_DONTWAIT); 442 if (n->m_flags & M_EXT) 443 n->m_len = n->m_ext.ext_size; 444 } 445 if (n->m_len > left) 446 n->m_len = left; 447 noff = 0; 448 } 449 len = min(m->m_len - moff, n->m_len - noff); 450 451 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 452 mtod(n, caddr_t) + noff, len); 453 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len); 454 455 moff += len; 456 noff += len; 457 left -= len; 458 } 459 460 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */ 461 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf); 462 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN); 463 464 /* include TKIP MIC in WEP ICV */ 465 mic0 = buf; 466 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN); 467 crc = ~crc; 468 469 /* decrypt ICV and compare it with calculated ICV */ 470 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN); 471 if (crc != letoh32(crc0)) { 472 ic->ic_stats.is_tkip_icv_errs++; 473 m_freem(m0); 474 m_freem(n0); 475 return NULL; 476 } 477 478 /* compute TKIP MIC over decrypted message */ 479 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic); 480 /* check that it matches the MIC in received frame */ 481 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) { 482 m_freem(m0); 483 m_freem(n0); 484 ic->ic_stats.is_rx_locmicfail++; 485 ieee80211_michael_mic_failure(ic, tsc); 486 return NULL; 487 } 488 489 /* update last seen packet number (MIC is validated) */ 490 *prsc = tsc; 491 /* mark cached TTAK as valid */ 492 ctx->rxttak_ok = 1; 493 494 m_freem(m0); 495 return n0; 496 nospace: 497 ic->ic_stats.is_rx_nombuf++; 498 m_freem(m0); 499 m_freem(n0); 500 return NULL; 501} 502 503#ifndef IEEE80211_STA_ONLY 504/* 505 * This function is called in HostAP mode to deauthenticate all STAs using 506 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures). 507 */ 508static void 509ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni) 510{ 511 struct ieee80211com *ic = arg; 512 513 if (ni->ni_state == IEEE80211_STA_ASSOC && 514 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP || 515 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) { 516 /* deauthenticate STA */ 517 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 518 IEEE80211_REASON_MIC_FAILURE); 519 ieee80211_node_leave(ic, ni); 520 } 521} 522 523void 524ieee80211_michael_mic_failure_timeout(void *arg) 525{ 526 struct ieee80211com *ic = arg; 527 528 /* Disable TKIP countermeasures. */ 529 ic->ic_flags &= ~IEEE80211_F_COUNTERM; 530} 531#endif /* IEEE80211_STA_ONLY */ 532 533/* 534 * This function can be called by the software TKIP crypto code or by the 535 * drivers when their hardware crypto engines detect a Michael MIC failure. 536 */ 537void 538ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc) 539{ 540 time_t now; 541#ifndef IEEE80211_STA_ONLY 542 int sec; 543#endif 544 545 if (ic->ic_flags & IEEE80211_F_COUNTERM) 546 return; /* countermeasures already active */ 547 548 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname); 549 550 /* 551 * NB. do not send Michael MIC Failure reports as recommended since 552 * these may be used as an oracle to verify CRC guesses as described 553 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA" 554 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf 555 */ 556 557 /* 558 * Activate TKIP countermeasures (see 802.11-2012 11.4.2.4) if less than 559 * 60 seconds have passed since the most recent previous MIC failure. 560 */ 561 now = getuptime(); 562 if (ic->ic_tkip_micfail == 0 || ic->ic_tkip_micfail + 60 >= now) { 563 ic->ic_tkip_micfail = now; 564 ic->ic_tkip_micfail_last_tsc = tsc; 565 return; 566 } 567 568 switch (ic->ic_opmode) { 569#ifndef IEEE80211_STA_ONLY 570 case IEEE80211_M_HOSTAP: 571 /* refuse new TKIP associations for at least 60 seconds */ 572 ic->ic_flags |= IEEE80211_F_COUNTERM; 573 sec = 60 + arc4random_uniform(30); 574 log(LOG_WARNING, "%s: HostAP will be disabled for %d seconds " 575 "as a countermeasure against TKIP key cracking attempts\n", 576 ic->ic_if.if_xname, sec); 577 timeout_add_sec(&ic->ic_tkip_micfail_timeout, sec); 578 579 /* deauthenticate all currently associated STAs using TKIP */ 580 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic); 581 582 /* schedule a GTK change */ 583 timeout_add_sec(&ic->ic_rsn_timeout, 1); 584 break; 585#endif 586 case IEEE80211_M_STA: 587 /* 588 * Notify the AP of MIC failures: send two Michael 589 * MIC Failure Report frames back-to-back to trigger 590 * countermeasures at the AP end. 591 */ 592 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 593 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 594 ic->ic_tkip_micfail_last_tsc); 595 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 596 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 597 tsc); 598 599 /* deauthenticate from the AP.. */ 600 IEEE80211_SEND_MGMT(ic, ic->ic_bss, 601 IEEE80211_FC0_SUBTYPE_DEAUTH, 602 IEEE80211_REASON_MIC_FAILURE); 603 /* ..and find another one */ 604 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 605 break; 606 default: 607 break; 608 } 609 610 ic->ic_tkip_micfail = now; 611 ic->ic_tkip_micfail_last_tsc = tsc; 612} 613 614/*********************************************************************** 615 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors 616 Date: April 19, 2002 617 Notes: 618 This code is written for pedagogical purposes, NOT for performance. 619************************************************************************/ 620 621/* macros for extraction/creation of byte/u16b values */ 622#define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 623#define Lo8(v16) ((byte)( (v16) & 0x00FF)) 624#define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF)) 625#define Lo16(v32) ((u16b)( (v32) & 0xFFFF)) 626#define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF)) 627#define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8)) 628 629/* select the Nth 16-bit word of the Temporal Key byte array TK[] */ 630#define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)]) 631 632/* S-box lookup: 16 bits --> 16 bits */ 633#define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)])) 634 635/* fixed algorithm "parameters" */ 636#define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 637#define TA_SIZE 6 /* 48-bit transmitter address */ 638#define TK_SIZE 16 /* 128-bit Temporal Key */ 639#define P1K_SIZE 10 /* 80-bit Phase1 key */ 640#define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */ 641 642/* 2-byte by 2-byte subset of the full AES S-box table */ 643static const u16b Sbox[256]= /* Sbox for hash */ 644{ 645 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 646 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 647 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 648 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 649 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 650 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 651 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 652 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 653 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 654 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 655 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 656 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 657 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 658 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 659 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 660 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 661 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 662 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 663 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 664 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 665 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 666 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 667 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 668 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 669 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 670 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 671 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 672 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 673 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 674 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 675 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 676 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A 677}; 678 679/* 680 ********************************************************************** 681 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 682 * 683 * Inputs: 684 * TK[] = Temporal Key [128 bits] 685 * TA[] = transmitter's MAC address [ 48 bits] 686 * IV32 = upper 32 bits of IV [ 32 bits] 687 * Output: 688 * P1K[] = Phase 1 key [ 80 bits] 689 * 690 * Note: 691 * This function only needs to be called every 2**16 frames, 692 * although in theory it could be called every frame. 693 * 694 ********************************************************************** 695 */ 696static void 697Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32) 698{ 699 int i; 700 701 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 702 P1K[0] = Lo16(IV32); 703 P1K[1] = Hi16(IV32); 704 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */ 705 P1K[3] = Mk16(TA[3], TA[2]); 706 P1K[4] = Mk16(TA[5], TA[4]); 707 708 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 709 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 710 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 711 /* Each add operation here is mod 2**16 */ 712 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0)); 713 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2)); 714 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4)); 715 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6)); 716 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0)); 717 P1K[4] += i; /* avoid "slide attacks" */ 718 } 719} 720 721/* 722 ********************************************************************** 723 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 724 * 725 * Inputs: 726 * TK[] = Temporal Key [128 bits] 727 * P1K[] = Phase 1 output key [ 80 bits] 728 * IV16 = low 16 bits of IV counter [ 16 bits] 729 * Output: 730 * RC4KEY[] = the key used to encrypt the frame [128 bits] 731 * 732 * Note: 733 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique 734 * across all frames using the same key TK value. Then, for a 735 * given value of TK[], this TKIP48 construction guarantees that 736 * the final RC4KEY value is unique across all frames. 737 * 738 ********************************************************************** 739 */ 740static void 741Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16) 742{ 743 u16b *PPK; /* temporary key for mixing */ 744 int i; 745 746 /* 747 * Suggested implementation optimization: if PPK[] is "overlaid" 748 * appropriately on RC4KEY[], there is no need for the final for 749 * loop that copies the PPK[] result into RC4KEY[]. 750 */ 751 PPK = (u16b *)&RC4KEY[4]; 752 753 /* all adds in the PPK[] equations below are mod 2**16 */ 754 for (i = 0; i < 5; i++) 755 PPK[i] = P1K[i]; /* first, copy P1K to PPK */ 756 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */ 757 758 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 759 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 760 PPK[1] += _S_(PPK[0] ^ TK16(1)); 761 PPK[2] += _S_(PPK[1] ^ TK16(2)); 762 PPK[3] += _S_(PPK[2] ^ TK16(3)); 763 PPK[4] += _S_(PPK[3] ^ TK16(4)); 764 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 765 766 /* Final sweep: bijective, linear. Rotates kill LSB correlations */ 767 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 768 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 769 PPK[2] += RotR1(PPK[1]); 770 PPK[3] += RotR1(PPK[2]); 771 PPK[4] += RotR1(PPK[3]); 772 PPK[5] += RotR1(PPK[4]); 773 774 /* At this point, for a given key TK[0..15], the 96-bit output */ 775 /* value PPK[0..5] is guaranteed to be unique, as a function */ 776 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */ 777 /* is now a keyed permutation of {TA,IV32,IV16}. */ 778 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */ 779 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */ 780 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */ 781 RC4KEY[2] = Lo8(IV16); 782 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 783 784#if BYTE_ORDER == BIG_ENDIAN 785 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 786 for (i = 0; i < 6; i++) 787 PPK[i] = swap16(PPK[i]); 788#endif 789} 790