1 /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.30 2018/11/09 14:14:31 claudio Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined 21 * in IEEE Std 802.11-2007 section 8.3.2. 22 */ 23 24 #include <sys/param.h> 25 #include <sys/systm.h> 26 #include <sys/mbuf.h> 27 #include <sys/malloc.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/endian.h> 31 #include <sys/syslog.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_crypto.h> 42 43 #include <crypto/arc4.h> 44 #include <crypto/michael.h> 45 46 typedef u_int8_t byte; /* 8-bit byte (octet) */ 47 typedef u_int16_t u16b; /* 16-bit unsigned word */ 48 typedef u_int32_t u32b; /* 32-bit unsigned word */ 49 50 static void Phase1(u16b *, const byte *, const byte *, u32b); 51 static void Phase2(byte *, const byte *, const u16b *, u16b); 52 53 /* TKIP software crypto context */ 54 struct ieee80211_tkip_ctx { 55 struct rc4_ctx rc4; 56 const u_int8_t *txmic; 57 const u_int8_t *rxmic; 58 u_int16_t txttak[5]; 59 u_int16_t rxttak[5]; 60 u_int8_t txttak_ok; 61 u_int8_t rxttak_ok; 62 }; 63 64 /* 65 * Initialize software crypto context. This function can be overridden 66 * by drivers doing hardware crypto. 67 */ 68 int 69 ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 70 { 71 struct ieee80211_tkip_ctx *ctx; 72 73 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 74 if (ctx == NULL) 75 return ENOMEM; 76 /* 77 * Use bits 128-191 as the Michael key for AA->SPA and bits 78 * 192-255 as the Michael key for SPA->AA. 79 */ 80 #ifndef IEEE80211_STA_ONLY 81 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 82 ctx->txmic = &k->k_key[16]; 83 ctx->rxmic = &k->k_key[24]; 84 } else 85 #endif 86 { 87 ctx->rxmic = &k->k_key[16]; 88 ctx->txmic = &k->k_key[24]; 89 } 90 k->k_priv = ctx; 91 return 0; 92 } 93 94 void 95 ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 96 { 97 if (k->k_priv != NULL) { 98 explicit_bzero(k->k_priv, sizeof(struct ieee80211_tkip_ctx)); 99 free(k->k_priv, M_DEVBUF, sizeof(struct ieee80211_tkip_ctx)); 100 } 101 k->k_priv = NULL; 102 } 103 104 /* pseudo-header used for TKIP MIC computation */ 105 struct ieee80211_tkip_frame { 106 u_int8_t i_da[IEEE80211_ADDR_LEN]; 107 u_int8_t i_sa[IEEE80211_ADDR_LEN]; 108 u_int8_t i_pri; 109 u_int8_t i_pad[3]; 110 } __packed; 111 112 /* 113 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the 114 * beginning. This function should be kept independant from the software 115 * TKIP crypto code so that drivers doing hardware crypto but not MIC can 116 * call it without a software crypto context. 117 */ 118 void 119 ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key, 120 u_int8_t mic[IEEE80211_TKIP_MICLEN]) 121 { 122 const struct ieee80211_frame *wh; 123 struct ieee80211_tkip_frame wht; 124 MICHAEL_CTX ctx; /* small enough */ 125 struct mbuf *m; 126 caddr_t pos; 127 int len; 128 129 /* assumes 802.11 header is contiguous */ 130 wh = mtod(m0, struct ieee80211_frame *); 131 132 /* construct pseudo-header for TKIP MIC computation */ 133 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 134 case IEEE80211_FC1_DIR_NODS: 135 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 136 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 137 break; 138 case IEEE80211_FC1_DIR_TODS: 139 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 140 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 141 break; 142 case IEEE80211_FC1_DIR_FROMDS: 143 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 144 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3); 145 break; 146 case IEEE80211_FC1_DIR_DSTODS: 147 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 148 IEEE80211_ADDR_COPY(wht.i_sa, 149 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); 150 break; 151 } 152 if (ieee80211_has_qos(wh)) 153 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; 154 else 155 wht.i_pri = 0; 156 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0; 157 158 michael_init(&ctx); 159 michael_key(key, &ctx); 160 161 michael_update(&ctx, (caddr_t)&wht, sizeof(wht)); 162 163 m = m0; 164 /* assumes the first "off" bytes are contiguous */ 165 pos = mtod(m, caddr_t) + off; 166 len = m->m_len - off; 167 for (;;) { 168 michael_update(&ctx, pos, len); 169 if ((m = m->m_next) == NULL) 170 break; 171 pos = mtod(m, caddr_t); 172 len = m->m_len; 173 } 174 175 michael_final(mic, &ctx); 176 } 177 178 /* shortcuts */ 179 #define IEEE80211_TKIP_TAILLEN \ 180 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN) 181 #define IEEE80211_TKIP_OVHD \ 182 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN) 183 184 struct mbuf * 185 ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0, 186 struct ieee80211_key *k) 187 { 188 struct ieee80211_tkip_ctx *ctx = k->k_priv; 189 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 190 const struct ieee80211_frame *wh; 191 u_int8_t *ivp, *mic, *icvp; 192 struct mbuf *n0, *m, *n; 193 u_int32_t crc; 194 int left, moff, noff, len, hdrlen; 195 196 MGET(n0, M_DONTWAIT, m0->m_type); 197 if (n0 == NULL) 198 goto nospace; 199 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 200 goto nospace; 201 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN; 202 n0->m_len = MHLEN; 203 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 204 MCLGET(n0, M_DONTWAIT); 205 if (n0->m_flags & M_EXT) 206 n0->m_len = n0->m_ext.ext_size; 207 } 208 if (n0->m_len > n0->m_pkthdr.len) 209 n0->m_len = n0->m_pkthdr.len; 210 211 /* copy 802.11 header */ 212 wh = mtod(m0, struct ieee80211_frame *); 213 hdrlen = ieee80211_get_hdrlen(wh); 214 memcpy(mtod(n0, caddr_t), wh, hdrlen); 215 216 k->k_tsc++; /* increment the 48-bit TSC */ 217 218 /* construct TKIP header */ 219 ivp = mtod(n0, u_int8_t *) + hdrlen; 220 ivp[0] = k->k_tsc >> 8; /* TSC1 */ 221 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */ 222 ivp[1] = (ivp[0] | 0x20) & 0x7f; 223 ivp[2] = k->k_tsc; /* TSC0 */ 224 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */ 225 ivp[4] = k->k_tsc >> 16; /* TSC2 */ 226 ivp[5] = k->k_tsc >> 24; /* TSC3 */ 227 ivp[6] = k->k_tsc >> 32; /* TSC4 */ 228 ivp[7] = k->k_tsc >> 40; /* TSC5 */ 229 230 /* compute WEP seed */ 231 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) { 232 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16); 233 ctx->txttak_ok = 1; 234 } 235 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff); 236 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 237 explicit_bzero(wepseed, sizeof(wepseed)); 238 239 /* encrypt frame body and compute WEP ICV */ 240 m = m0; 241 n = n0; 242 moff = hdrlen; 243 noff = hdrlen + IEEE80211_TKIP_HDRLEN; 244 left = m0->m_pkthdr.len - moff; 245 crc = ~0; 246 while (left > 0) { 247 if (moff == m->m_len) { 248 /* nothing left to copy from m */ 249 m = m->m_next; 250 moff = 0; 251 } 252 if (noff == n->m_len) { 253 /* n is full and there's more data to copy */ 254 MGET(n->m_next, M_DONTWAIT, n->m_type); 255 if (n->m_next == NULL) 256 goto nospace; 257 n = n->m_next; 258 n->m_len = MLEN; 259 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 260 MCLGET(n, M_DONTWAIT); 261 if (n->m_flags & M_EXT) 262 n->m_len = n->m_ext.ext_size; 263 } 264 if (n->m_len > left) 265 n->m_len = left; 266 noff = 0; 267 } 268 len = min(m->m_len - moff, n->m_len - noff); 269 270 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len); 271 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 272 mtod(n, caddr_t) + noff, len); 273 274 moff += len; 275 noff += len; 276 left -= len; 277 } 278 279 /* reserve trailing space for TKIP MIC and WEP ICV */ 280 if (m_trailingspace(n) < IEEE80211_TKIP_TAILLEN) { 281 MGET(n->m_next, M_DONTWAIT, n->m_type); 282 if (n->m_next == NULL) 283 goto nospace; 284 n = n->m_next; 285 n->m_len = 0; 286 } 287 288 /* compute TKIP MIC over clear text */ 289 mic = mtod(n, caddr_t) + n->m_len; 290 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic); 291 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN); 292 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN); 293 n->m_len += IEEE80211_TKIP_MICLEN; 294 295 /* finalize WEP ICV */ 296 icvp = mtod(n, caddr_t) + n->m_len; 297 crc = ~crc; 298 icvp[0] = crc; 299 icvp[1] = crc >> 8; 300 icvp[2] = crc >> 16; 301 icvp[3] = crc >> 24; 302 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN); 303 n->m_len += IEEE80211_WEP_CRCLEN; 304 305 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN; 306 307 m_freem(m0); 308 return n0; 309 nospace: 310 ic->ic_stats.is_tx_nombuf++; 311 m_freem(m0); 312 m_freem(n0); 313 return NULL; 314 } 315 316 struct mbuf * 317 ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0, 318 struct ieee80211_key *k) 319 { 320 struct ieee80211_tkip_ctx *ctx = k->k_priv; 321 struct ieee80211_frame *wh; 322 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 323 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN]; 324 u_int8_t mic[IEEE80211_TKIP_MICLEN]; 325 u_int64_t tsc, *prsc; 326 u_int32_t crc, crc0; 327 u_int8_t *ivp, *mic0; 328 u_int8_t tid; 329 struct mbuf *n0, *m, *n; 330 int hdrlen, left, moff, noff, len; 331 332 wh = mtod(m0, struct ieee80211_frame *); 333 hdrlen = ieee80211_get_hdrlen(wh); 334 335 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) { 336 m_freem(m0); 337 return NULL; 338 } 339 340 ivp = (u_int8_t *)wh + hdrlen; 341 /* check that ExtIV bit is set */ 342 if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { 343 m_freem(m0); 344 return NULL; 345 } 346 347 /* retrieve last seen packet number for this frame priority */ 348 tid = ieee80211_has_qos(wh) ? 349 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; 350 prsc = &k->k_rsc[tid]; 351 352 /* extract the 48-bit TSC from the TKIP header */ 353 tsc = (u_int64_t)ivp[2] | 354 (u_int64_t)ivp[0] << 8 | 355 (u_int64_t)ivp[4] << 16 | 356 (u_int64_t)ivp[5] << 24 | 357 (u_int64_t)ivp[6] << 32 | 358 (u_int64_t)ivp[7] << 40; 359 if (tsc <= *prsc) { 360 /* replayed frame, discard */ 361 ic->ic_stats.is_tkip_replays++; 362 m_freem(m0); 363 return NULL; 364 } 365 366 MGET(n0, M_DONTWAIT, m0->m_type); 367 if (n0 == NULL) 368 goto nospace; 369 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 370 goto nospace; 371 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD; 372 n0->m_len = MHLEN; 373 if (n0->m_pkthdr.len >= MINCLSIZE) { 374 MCLGET(n0, M_DONTWAIT); 375 if (n0->m_flags & M_EXT) 376 n0->m_len = n0->m_ext.ext_size; 377 } 378 if (n0->m_len > n0->m_pkthdr.len) 379 n0->m_len = n0->m_pkthdr.len; 380 381 /* copy 802.11 header and clear protected bit */ 382 memcpy(mtod(n0, caddr_t), wh, hdrlen); 383 wh = mtod(n0, struct ieee80211_frame *); 384 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 385 386 /* compute WEP seed */ 387 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) { 388 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */ 389 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16); 390 } 391 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff); 392 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 393 explicit_bzero(wepseed, sizeof(wepseed)); 394 395 /* decrypt frame body and compute WEP ICV */ 396 m = m0; 397 n = n0; 398 moff = hdrlen + IEEE80211_TKIP_HDRLEN; 399 noff = hdrlen; 400 left = n0->m_pkthdr.len - noff; 401 crc = ~0; 402 while (left > 0) { 403 if (moff == m->m_len) { 404 /* nothing left to copy from m */ 405 m = m->m_next; 406 moff = 0; 407 } 408 if (noff == n->m_len) { 409 /* n is full and there's more data to copy */ 410 MGET(n->m_next, M_DONTWAIT, n->m_type); 411 if (n->m_next == NULL) 412 goto nospace; 413 n = n->m_next; 414 n->m_len = MLEN; 415 if (left >= MINCLSIZE) { 416 MCLGET(n, M_DONTWAIT); 417 if (n->m_flags & M_EXT) 418 n->m_len = n->m_ext.ext_size; 419 } 420 if (n->m_len > left) 421 n->m_len = left; 422 noff = 0; 423 } 424 len = min(m->m_len - moff, n->m_len - noff); 425 426 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 427 mtod(n, caddr_t) + noff, len); 428 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len); 429 430 moff += len; 431 noff += len; 432 left -= len; 433 } 434 435 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */ 436 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf); 437 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN); 438 439 /* include TKIP MIC in WEP ICV */ 440 mic0 = buf; 441 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN); 442 crc = ~crc; 443 444 /* decrypt ICV and compare it with calculated ICV */ 445 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN); 446 if (crc != letoh32(crc0)) { 447 ic->ic_stats.is_tkip_icv_errs++; 448 m_freem(m0); 449 m_freem(n0); 450 return NULL; 451 } 452 453 /* compute TKIP MIC over decrypted message */ 454 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic); 455 /* check that it matches the MIC in received frame */ 456 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) { 457 m_freem(m0); 458 m_freem(n0); 459 ic->ic_stats.is_rx_locmicfail++; 460 ieee80211_michael_mic_failure(ic, tsc); 461 return NULL; 462 } 463 464 /* update last seen packet number (MIC is validated) */ 465 *prsc = tsc; 466 /* mark cached TTAK as valid */ 467 ctx->rxttak_ok = 1; 468 469 m_freem(m0); 470 return n0; 471 nospace: 472 ic->ic_stats.is_rx_nombuf++; 473 m_freem(m0); 474 m_freem(n0); 475 return NULL; 476 } 477 478 #ifndef IEEE80211_STA_ONLY 479 /* 480 * This function is called in HostAP mode to deauthenticate all STAs using 481 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures). 482 */ 483 static void 484 ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni) 485 { 486 struct ieee80211com *ic = arg; 487 488 if (ni->ni_state == IEEE80211_STA_ASSOC && 489 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP || 490 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) { 491 /* deauthenticate STA */ 492 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 493 IEEE80211_REASON_MIC_FAILURE); 494 ieee80211_node_leave(ic, ni); 495 } 496 } 497 498 void 499 ieee80211_michael_mic_failure_timeout(void *arg) 500 { 501 struct ieee80211com *ic = arg; 502 503 /* Disable TKIP countermeasures. */ 504 ic->ic_flags &= ~IEEE80211_F_COUNTERM; 505 } 506 #endif /* IEEE80211_STA_ONLY */ 507 508 /* 509 * This function can be called by the software TKIP crypto code or by the 510 * drivers when their hardware crypto engines detect a Michael MIC failure. 511 */ 512 void 513 ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc) 514 { 515 extern int ticks; 516 #ifndef IEEE80211_STA_ONLY 517 int sec; 518 #endif 519 520 if (ic->ic_flags & IEEE80211_F_COUNTERM) 521 return; /* countermeasures already active */ 522 523 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname); 524 525 /* 526 * NB. do not send Michael MIC Failure reports as recommended since 527 * these may be used as an oracle to verify CRC guesses as described 528 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA" 529 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf 530 */ 531 532 /* 533 * Activate TKIP countermeasures (see 802.11-2012 11.4.2.4) if less than 534 * 60 seconds have passed since the most recent previous MIC failure. 535 */ 536 if (ic->ic_tkip_micfail == 0 || 537 ticks - (ic->ic_tkip_micfail + 60 * hz) >= 0) { 538 ic->ic_tkip_micfail = ticks; 539 ic->ic_tkip_micfail_last_tsc = tsc; 540 return; 541 } 542 543 switch (ic->ic_opmode) { 544 #ifndef IEEE80211_STA_ONLY 545 case IEEE80211_M_HOSTAP: 546 /* refuse new TKIP associations for at least 60 seconds */ 547 ic->ic_flags |= IEEE80211_F_COUNTERM; 548 sec = 60 + arc4random_uniform(30); 549 log(LOG_WARNING, "%s: HostAP will be disabled for %d seconds " 550 "as a countermeasure against TKIP key cracking attempts\n", 551 ic->ic_if.if_xname, sec); 552 timeout_add_sec(&ic->ic_tkip_micfail_timeout, sec); 553 554 /* deauthenticate all currently associated STAs using TKIP */ 555 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic); 556 557 /* schedule a GTK change */ 558 timeout_add_sec(&ic->ic_rsn_timeout, 1); 559 break; 560 #endif 561 case IEEE80211_M_STA: 562 /* 563 * Notify the AP of MIC failures: send two Michael 564 * MIC Failure Report frames back-to-back to trigger 565 * countermeasures at the AP end. 566 */ 567 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 568 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 569 ic->ic_tkip_micfail_last_tsc); 570 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 571 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 572 tsc); 573 574 /* deauthenticate from the AP.. */ 575 IEEE80211_SEND_MGMT(ic, ic->ic_bss, 576 IEEE80211_FC0_SUBTYPE_DEAUTH, 577 IEEE80211_REASON_MIC_FAILURE); 578 /* ..and find another one */ 579 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 580 break; 581 default: 582 break; 583 } 584 585 ic->ic_tkip_micfail = ticks; 586 ic->ic_tkip_micfail_last_tsc = tsc; 587 } 588 589 /*********************************************************************** 590 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors 591 Date: April 19, 2002 592 Notes: 593 This code is written for pedagogical purposes, NOT for performance. 594 ************************************************************************/ 595 596 /* macros for extraction/creation of byte/u16b values */ 597 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 598 #define Lo8(v16) ((byte)( (v16) & 0x00FF)) 599 #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF)) 600 #define Lo16(v32) ((u16b)( (v32) & 0xFFFF)) 601 #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF)) 602 #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8)) 603 604 /* select the Nth 16-bit word of the Temporal Key byte array TK[] */ 605 #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)]) 606 607 /* S-box lookup: 16 bits --> 16 bits */ 608 #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)])) 609 610 /* fixed algorithm "parameters" */ 611 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 612 #define TA_SIZE 6 /* 48-bit transmitter address */ 613 #define TK_SIZE 16 /* 128-bit Temporal Key */ 614 #define P1K_SIZE 10 /* 80-bit Phase1 key */ 615 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */ 616 617 /* 2-byte by 2-byte subset of the full AES S-box table */ 618 static const u16b Sbox[256]= /* Sbox for hash */ 619 { 620 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 621 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 622 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 623 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 624 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 625 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 626 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 627 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 628 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 629 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 630 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 631 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 632 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 633 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 634 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 635 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 636 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 637 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 638 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 639 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 640 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 641 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 642 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 643 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 644 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 645 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 646 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 647 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 648 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 649 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 650 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 651 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A 652 }; 653 654 /* 655 ********************************************************************** 656 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 657 * 658 * Inputs: 659 * TK[] = Temporal Key [128 bits] 660 * TA[] = transmitter's MAC address [ 48 bits] 661 * IV32 = upper 32 bits of IV [ 32 bits] 662 * Output: 663 * P1K[] = Phase 1 key [ 80 bits] 664 * 665 * Note: 666 * This function only needs to be called every 2**16 frames, 667 * although in theory it could be called every frame. 668 * 669 ********************************************************************** 670 */ 671 static void 672 Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32) 673 { 674 int i; 675 676 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 677 P1K[0] = Lo16(IV32); 678 P1K[1] = Hi16(IV32); 679 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */ 680 P1K[3] = Mk16(TA[3], TA[2]); 681 P1K[4] = Mk16(TA[5], TA[4]); 682 683 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 684 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 685 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 686 /* Each add operation here is mod 2**16 */ 687 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0)); 688 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2)); 689 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4)); 690 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6)); 691 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0)); 692 P1K[4] += i; /* avoid "slide attacks" */ 693 } 694 } 695 696 /* 697 ********************************************************************** 698 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 699 * 700 * Inputs: 701 * TK[] = Temporal Key [128 bits] 702 * P1K[] = Phase 1 output key [ 80 bits] 703 * IV16 = low 16 bits of IV counter [ 16 bits] 704 * Output: 705 * RC4KEY[] = the key used to encrypt the frame [128 bits] 706 * 707 * Note: 708 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique 709 * across all frames using the same key TK value. Then, for a 710 * given value of TK[], this TKIP48 construction guarantees that 711 * the final RC4KEY value is unique across all frames. 712 * 713 ********************************************************************** 714 */ 715 static void 716 Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16) 717 { 718 u16b *PPK; /* temporary key for mixing */ 719 int i; 720 721 /* 722 * Suggested implementation optimization: if PPK[] is "overlaid" 723 * appropriately on RC4KEY[], there is no need for the final for 724 * loop that copies the PPK[] result into RC4KEY[]. 725 */ 726 PPK = (u16b *)&RC4KEY[4]; 727 728 /* all adds in the PPK[] equations below are mod 2**16 */ 729 for (i = 0; i < 5; i++) 730 PPK[i] = P1K[i]; /* first, copy P1K to PPK */ 731 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */ 732 733 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 734 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 735 PPK[1] += _S_(PPK[0] ^ TK16(1)); 736 PPK[2] += _S_(PPK[1] ^ TK16(2)); 737 PPK[3] += _S_(PPK[2] ^ TK16(3)); 738 PPK[4] += _S_(PPK[3] ^ TK16(4)); 739 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 740 741 /* Final sweep: bijective, linear. Rotates kill LSB correlations */ 742 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 743 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 744 PPK[2] += RotR1(PPK[1]); 745 PPK[3] += RotR1(PPK[2]); 746 PPK[4] += RotR1(PPK[3]); 747 PPK[5] += RotR1(PPK[4]); 748 749 /* At this point, for a given key TK[0..15], the 96-bit output */ 750 /* value PPK[0..5] is guaranteed to be unique, as a function */ 751 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */ 752 /* is now a keyed permutation of {TA,IV32,IV16}. */ 753 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */ 754 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */ 755 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */ 756 RC4KEY[2] = Lo8(IV16); 757 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 758 759 #if BYTE_ORDER == BIG_ENDIAN 760 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 761 for (i = 0; i < 6; i++) 762 PPK[i] = swap16(PPK[i]); 763 #endif 764 } 765