1 /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.19 2011/04/05 11:48:28 blambert Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined 21 * in IEEE Std 802.11-2007 section 8.3.2. 22 */ 23 24 #include <sys/param.h> 25 #include <sys/systm.h> 26 #include <sys/mbuf.h> 27 #include <sys/malloc.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/endian.h> 31 #include <sys/syslog.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 #include <net/if_arp.h> 37 #include <net/if_llc.h> 38 39 #ifdef INET 40 #include <netinet/in.h> 41 #include <netinet/if_ether.h> 42 #endif 43 44 #include <net80211/ieee80211_var.h> 45 #include <net80211/ieee80211_crypto.h> 46 47 #include <crypto/arc4.h> 48 #include <crypto/michael.h> 49 50 typedef u_int8_t byte; /* 8-bit byte (octet) */ 51 typedef u_int16_t u16b; /* 16-bit unsigned word */ 52 typedef u_int32_t u32b; /* 32-bit unsigned word */ 53 54 static void Phase1(u16b *, const byte *, const byte *, u32b); 55 static void Phase2(byte *, const byte *, const u16b *, u16b); 56 57 /* TKIP software crypto context */ 58 struct ieee80211_tkip_ctx { 59 struct rc4_ctx rc4; 60 const u_int8_t *txmic; 61 const u_int8_t *rxmic; 62 u_int16_t txttak[5]; 63 u_int16_t rxttak[5]; 64 u_int8_t txttak_ok; 65 u_int8_t rxttak_ok; 66 }; 67 68 /* 69 * Initialize software crypto context. This function can be overridden 70 * by drivers doing hardware crypto. 71 */ 72 int 73 ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 74 { 75 struct ieee80211_tkip_ctx *ctx; 76 77 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 78 if (ctx == NULL) 79 return ENOMEM; 80 /* 81 * Use bits 128-191 as the Michael key for AA->SPA and bits 82 * 192-255 as the Michael key for SPA->AA. 83 */ 84 #ifndef IEEE80211_STA_ONLY 85 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 86 ctx->txmic = &k->k_key[16]; 87 ctx->rxmic = &k->k_key[24]; 88 } else 89 #endif 90 { 91 ctx->rxmic = &k->k_key[16]; 92 ctx->txmic = &k->k_key[24]; 93 } 94 k->k_priv = ctx; 95 return 0; 96 } 97 98 void 99 ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 100 { 101 if (k->k_priv != NULL) 102 free(k->k_priv, M_DEVBUF); 103 k->k_priv = NULL; 104 } 105 106 /* pseudo-header used for TKIP MIC computation */ 107 struct ieee80211_tkip_frame { 108 u_int8_t i_da[IEEE80211_ADDR_LEN]; 109 u_int8_t i_sa[IEEE80211_ADDR_LEN]; 110 u_int8_t i_pri; 111 u_int8_t i_pad[3]; 112 } __packed; 113 114 /* 115 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the 116 * beginning. This function should be kept independant from the software 117 * TKIP crypto code so that drivers doing hardware crypto but not MIC can 118 * call it without a software crypto context. 119 */ 120 void 121 ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key, 122 u_int8_t mic[IEEE80211_TKIP_MICLEN]) 123 { 124 const struct ieee80211_frame *wh; 125 struct ieee80211_tkip_frame wht; 126 MICHAEL_CTX ctx; /* small enough */ 127 struct mbuf *m; 128 caddr_t pos; 129 int len; 130 131 /* assumes 802.11 header is contiguous */ 132 wh = mtod(m0, struct ieee80211_frame *); 133 134 /* construct pseudo-header for TKIP MIC computation */ 135 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 136 case IEEE80211_FC1_DIR_NODS: 137 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 138 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 139 break; 140 case IEEE80211_FC1_DIR_TODS: 141 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 142 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 143 break; 144 case IEEE80211_FC1_DIR_FROMDS: 145 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 146 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3); 147 break; 148 case IEEE80211_FC1_DIR_DSTODS: 149 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 150 IEEE80211_ADDR_COPY(wht.i_sa, 151 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); 152 break; 153 } 154 if (ieee80211_has_qos(wh)) 155 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; 156 else 157 wht.i_pri = 0; 158 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0; 159 160 michael_init(&ctx); 161 michael_key(key, &ctx); 162 163 michael_update(&ctx, (caddr_t)&wht, sizeof(wht)); 164 165 m = m0; 166 /* assumes the first "off" bytes are contiguous */ 167 pos = mtod(m, caddr_t) + off; 168 len = m->m_len - off; 169 for (;;) { 170 michael_update(&ctx, pos, len); 171 if ((m = m->m_next) == NULL) 172 break; 173 pos = mtod(m, caddr_t); 174 len = m->m_len; 175 } 176 177 michael_final(mic, &ctx); 178 } 179 180 /* shortcuts */ 181 #define IEEE80211_TKIP_TAILLEN \ 182 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN) 183 #define IEEE80211_TKIP_OVHD \ 184 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN) 185 186 struct mbuf * 187 ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0, 188 struct ieee80211_key *k) 189 { 190 struct ieee80211_tkip_ctx *ctx = k->k_priv; 191 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 192 const struct ieee80211_frame *wh; 193 u_int8_t *ivp, *mic, *icvp; 194 struct mbuf *n0, *m, *n; 195 u_int32_t crc; 196 int left, moff, noff, len, hdrlen; 197 198 MGET(n0, M_DONTWAIT, m0->m_type); 199 if (n0 == NULL) 200 goto nospace; 201 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 202 goto nospace; 203 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN; 204 n0->m_len = MHLEN; 205 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 206 MCLGET(n0, M_DONTWAIT); 207 if (n0->m_flags & M_EXT) 208 n0->m_len = n0->m_ext.ext_size; 209 } 210 if (n0->m_len > n0->m_pkthdr.len) 211 n0->m_len = n0->m_pkthdr.len; 212 213 /* copy 802.11 header */ 214 wh = mtod(m0, struct ieee80211_frame *); 215 hdrlen = ieee80211_get_hdrlen(wh); 216 memcpy(mtod(n0, caddr_t), wh, hdrlen); 217 218 k->k_tsc++; /* increment the 48-bit TSC */ 219 220 /* construct TKIP header */ 221 ivp = mtod(n0, u_int8_t *) + hdrlen; 222 ivp[0] = k->k_tsc >> 8; /* TSC1 */ 223 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */ 224 ivp[1] = (ivp[0] | 0x20) & 0x7f; 225 ivp[2] = k->k_tsc; /* TSC0 */ 226 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */ 227 ivp[4] = k->k_tsc >> 16; /* TSC2 */ 228 ivp[5] = k->k_tsc >> 24; /* TSC3 */ 229 ivp[6] = k->k_tsc >> 32; /* TSC4 */ 230 ivp[7] = k->k_tsc >> 40; /* TSC5 */ 231 232 /* compute WEP seed */ 233 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) { 234 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16); 235 ctx->txttak_ok = 1; 236 } 237 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff); 238 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 239 240 /* encrypt frame body and compute WEP ICV */ 241 m = m0; 242 n = n0; 243 moff = hdrlen; 244 noff = hdrlen + IEEE80211_TKIP_HDRLEN; 245 left = m0->m_pkthdr.len - moff; 246 crc = ~0; 247 while (left > 0) { 248 if (moff == m->m_len) { 249 /* nothing left to copy from m */ 250 m = m->m_next; 251 moff = 0; 252 } 253 if (noff == n->m_len) { 254 /* n is full and there's more data to copy */ 255 MGET(n->m_next, M_DONTWAIT, n->m_type); 256 if (n->m_next == NULL) 257 goto nospace; 258 n = n->m_next; 259 n->m_len = MLEN; 260 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 261 MCLGET(n, M_DONTWAIT); 262 if (n->m_flags & M_EXT) 263 n->m_len = n->m_ext.ext_size; 264 } 265 if (n->m_len > left) 266 n->m_len = left; 267 noff = 0; 268 } 269 len = min(m->m_len - moff, n->m_len - noff); 270 271 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len); 272 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 273 mtod(n, caddr_t) + noff, len); 274 275 moff += len; 276 noff += len; 277 left -= len; 278 } 279 280 /* reserve trailing space for TKIP MIC and WEP ICV */ 281 if (M_TRAILINGSPACE(n) < IEEE80211_TKIP_TAILLEN) { 282 MGET(n->m_next, M_DONTWAIT, n->m_type); 283 if (n->m_next == NULL) 284 goto nospace; 285 n = n->m_next; 286 n->m_len = 0; 287 } 288 289 /* compute TKIP MIC over clear text */ 290 mic = mtod(n, caddr_t) + n->m_len; 291 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic); 292 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN); 293 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN); 294 n->m_len += IEEE80211_TKIP_MICLEN; 295 296 /* finalize WEP ICV */ 297 icvp = mtod(n, caddr_t) + n->m_len; 298 crc = ~crc; 299 icvp[0] = crc; 300 icvp[1] = crc >> 8; 301 icvp[2] = crc >> 16; 302 icvp[3] = crc >> 24; 303 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN); 304 n->m_len += IEEE80211_WEP_CRCLEN; 305 306 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN; 307 308 m_freem(m0); 309 return n0; 310 nospace: 311 ic->ic_stats.is_tx_nombuf++; 312 m_freem(m0); 313 if (n0 != NULL) 314 m_freem(n0); 315 return NULL; 316 } 317 318 struct mbuf * 319 ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0, 320 struct ieee80211_key *k) 321 { 322 struct ieee80211_tkip_ctx *ctx = k->k_priv; 323 struct ieee80211_frame *wh; 324 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 325 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN]; 326 u_int8_t mic[IEEE80211_TKIP_MICLEN]; 327 u_int64_t tsc, *prsc; 328 u_int32_t crc, crc0; 329 u_int8_t *ivp, *mic0; 330 u_int8_t tid; 331 struct mbuf *n0, *m, *n; 332 int hdrlen, left, moff, noff, len; 333 334 wh = mtod(m0, struct ieee80211_frame *); 335 hdrlen = ieee80211_get_hdrlen(wh); 336 337 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) { 338 m_freem(m0); 339 return NULL; 340 } 341 342 ivp = (u_int8_t *)wh + hdrlen; 343 /* check that ExtIV bit is set */ 344 if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { 345 m_freem(m0); 346 return NULL; 347 } 348 349 /* retrieve last seen packet number for this frame priority */ 350 tid = ieee80211_has_qos(wh) ? 351 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; 352 prsc = &k->k_rsc[tid]; 353 354 /* extract the 48-bit TSC from the TKIP header */ 355 tsc = (u_int64_t)ivp[2] | 356 (u_int64_t)ivp[0] << 8 | 357 (u_int64_t)ivp[4] << 16 | 358 (u_int64_t)ivp[5] << 24 | 359 (u_int64_t)ivp[6] << 32 | 360 (u_int64_t)ivp[7] << 40; 361 if (tsc <= *prsc) { 362 /* replayed frame, discard */ 363 ic->ic_stats.is_tkip_replays++; 364 m_freem(m0); 365 return NULL; 366 } 367 368 MGET(n0, M_DONTWAIT, m0->m_type); 369 if (n0 == NULL) 370 goto nospace; 371 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 372 goto nospace; 373 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD; 374 n0->m_len = MHLEN; 375 if (n0->m_pkthdr.len >= MINCLSIZE) { 376 MCLGET(n0, M_DONTWAIT); 377 if (n0->m_flags & M_EXT) 378 n0->m_len = n0->m_ext.ext_size; 379 } 380 if (n0->m_len > n0->m_pkthdr.len) 381 n0->m_len = n0->m_pkthdr.len; 382 383 /* copy 802.11 header and clear protected bit */ 384 memcpy(mtod(n0, caddr_t), wh, hdrlen); 385 wh = mtod(n0, struct ieee80211_frame *); 386 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 387 388 /* compute WEP seed */ 389 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) { 390 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */ 391 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16); 392 } 393 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff); 394 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 395 396 /* decrypt frame body and compute WEP ICV */ 397 m = m0; 398 n = n0; 399 moff = hdrlen + IEEE80211_TKIP_HDRLEN; 400 noff = hdrlen; 401 left = n0->m_pkthdr.len - noff; 402 crc = ~0; 403 while (left > 0) { 404 if (moff == m->m_len) { 405 /* nothing left to copy from m */ 406 m = m->m_next; 407 moff = 0; 408 } 409 if (noff == n->m_len) { 410 /* n is full and there's more data to copy */ 411 MGET(n->m_next, M_DONTWAIT, n->m_type); 412 if (n->m_next == NULL) 413 goto nospace; 414 n = n->m_next; 415 n->m_len = MLEN; 416 if (left >= MINCLSIZE) { 417 MCLGET(n, M_DONTWAIT); 418 if (n->m_flags & M_EXT) 419 n->m_len = n->m_ext.ext_size; 420 } 421 if (n->m_len > left) 422 n->m_len = left; 423 noff = 0; 424 } 425 len = min(m->m_len - moff, n->m_len - noff); 426 427 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 428 mtod(n, caddr_t) + noff, len); 429 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len); 430 431 moff += len; 432 noff += len; 433 left -= len; 434 } 435 436 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */ 437 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf); 438 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN); 439 440 /* include TKIP MIC in WEP ICV */ 441 mic0 = buf; 442 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN); 443 crc = ~crc; 444 445 /* decrypt ICV and compare it with calculated ICV */ 446 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN); 447 if (crc != letoh32(crc0)) { 448 ic->ic_stats.is_tkip_icv_errs++; 449 m_freem(m0); 450 m_freem(n0); 451 return NULL; 452 } 453 454 /* compute TKIP MIC over decrypted message */ 455 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic); 456 /* check that it matches the MIC in received frame */ 457 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) { 458 m_freem(m0); 459 m_freem(n0); 460 ic->ic_stats.is_rx_locmicfail++; 461 ieee80211_michael_mic_failure(ic, tsc); 462 return NULL; 463 } 464 465 /* update last seen packet number (MIC is validated) */ 466 *prsc = tsc; 467 /* mark cached TTAK as valid */ 468 ctx->rxttak_ok = 1; 469 470 m_freem(m0); 471 return n0; 472 nospace: 473 ic->ic_stats.is_rx_nombuf++; 474 m_freem(m0); 475 if (n0 != NULL) 476 m_freem(n0); 477 return NULL; 478 } 479 480 #ifndef IEEE80211_STA_ONLY 481 /* 482 * This function is called in HostAP mode to deauthenticate all STAs using 483 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures). 484 */ 485 static void 486 ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni) 487 { 488 struct ieee80211com *ic = arg; 489 490 if (ni->ni_state == IEEE80211_STA_ASSOC && 491 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP || 492 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) { 493 /* deauthenticate STA */ 494 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 495 IEEE80211_REASON_MIC_FAILURE); 496 ieee80211_node_leave(ic, ni); 497 } 498 } 499 #endif /* IEEE80211_STA_ONLY */ 500 501 /* 502 * This function can be called by the software TKIP crypto code or by the 503 * drivers when their hardware crypto engines detect a Michael MIC failure. 504 */ 505 void 506 ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc) 507 { 508 extern int ticks; 509 510 if (ic->ic_flags & IEEE80211_F_COUNTERM) 511 return; /* countermeasures already active */ 512 513 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname); 514 515 /* 516 * NB. do not send Michael MIC Failure reports as recommended since 517 * these may be used as an oracle to verify CRC guesses as described 518 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA" 519 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf 520 */ 521 522 /* 523 * Activate TKIP countermeasures (see 8.3.2.4) if less than 60 524 * seconds have passed since the most recent previous MIC failure. 525 */ 526 if (ic->ic_tkip_micfail == 0 || 527 ticks >= ic->ic_tkip_micfail + 60 * hz) { 528 ic->ic_tkip_micfail = ticks; 529 ic->ic_tkip_micfail_last_tsc = tsc; 530 return; 531 } 532 533 switch (ic->ic_opmode) { 534 #ifndef IEEE80211_STA_ONLY 535 case IEEE80211_M_HOSTAP: 536 /* refuse new TKIP associations for the next 60 seconds */ 537 ic->ic_flags |= IEEE80211_F_COUNTERM; 538 539 /* deauthenticate all currently associated STAs using TKIP */ 540 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic); 541 break; 542 #endif 543 case IEEE80211_M_STA: 544 /* 545 * Notify the AP of MIC failures: send two Michael 546 * MIC Failure Report frames back-to-back to trigger 547 * countermeasures at the AP end. 548 */ 549 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 550 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 551 ic->ic_tkip_micfail_last_tsc); 552 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 553 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 554 tsc); 555 556 /* deauthenticate from the AP.. */ 557 IEEE80211_SEND_MGMT(ic, ic->ic_bss, 558 IEEE80211_FC0_SUBTYPE_DEAUTH, 559 IEEE80211_REASON_MIC_FAILURE); 560 /* ..and find another one */ 561 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 562 break; 563 default: 564 break; 565 } 566 567 ic->ic_tkip_micfail = ticks; 568 ic->ic_tkip_micfail_last_tsc = tsc; 569 } 570 571 /*********************************************************************** 572 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors 573 Date: April 19, 2002 574 Notes: 575 This code is written for pedagogical purposes, NOT for performance. 576 ************************************************************************/ 577 578 /* macros for extraction/creation of byte/u16b values */ 579 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 580 #define Lo8(v16) ((byte)( (v16) & 0x00FF)) 581 #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF)) 582 #define Lo16(v32) ((u16b)( (v32) & 0xFFFF)) 583 #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF)) 584 #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8)) 585 586 /* select the Nth 16-bit word of the Temporal Key byte array TK[] */ 587 #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)]) 588 589 /* S-box lookup: 16 bits --> 16 bits */ 590 #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)])) 591 592 /* fixed algorithm "parameters" */ 593 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 594 #define TA_SIZE 6 /* 48-bit transmitter address */ 595 #define TK_SIZE 16 /* 128-bit Temporal Key */ 596 #define P1K_SIZE 10 /* 80-bit Phase1 key */ 597 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */ 598 599 /* 2-byte by 2-byte subset of the full AES S-box table */ 600 static const u16b Sbox[256]= /* Sbox for hash */ 601 { 602 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 603 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 604 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 605 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 606 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 607 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 608 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 609 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 610 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 611 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 612 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 613 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 614 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 615 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 616 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 617 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 618 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 619 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 620 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 621 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 622 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 623 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 624 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 625 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 626 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 627 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 628 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 629 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 630 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 631 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 632 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 633 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A 634 }; 635 636 /* 637 ********************************************************************** 638 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 639 * 640 * Inputs: 641 * TK[] = Temporal Key [128 bits] 642 * TA[] = transmitter's MAC address [ 48 bits] 643 * IV32 = upper 32 bits of IV [ 32 bits] 644 * Output: 645 * P1K[] = Phase 1 key [ 80 bits] 646 * 647 * Note: 648 * This function only needs to be called every 2**16 frames, 649 * although in theory it could be called every frame. 650 * 651 ********************************************************************** 652 */ 653 static void 654 Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32) 655 { 656 int i; 657 658 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 659 P1K[0] = Lo16(IV32); 660 P1K[1] = Hi16(IV32); 661 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */ 662 P1K[3] = Mk16(TA[3], TA[2]); 663 P1K[4] = Mk16(TA[5], TA[4]); 664 665 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 666 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 667 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 668 /* Each add operation here is mod 2**16 */ 669 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0)); 670 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2)); 671 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4)); 672 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6)); 673 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0)); 674 P1K[4] += i; /* avoid "slide attacks" */ 675 } 676 } 677 678 /* 679 ********************************************************************** 680 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 681 * 682 * Inputs: 683 * TK[] = Temporal Key [128 bits] 684 * P1K[] = Phase 1 output key [ 80 bits] 685 * IV16 = low 16 bits of IV counter [ 16 bits] 686 * Output: 687 * RC4KEY[] = the key used to encrypt the frame [128 bits] 688 * 689 * Note: 690 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique 691 * across all frames using the same key TK value. Then, for a 692 * given value of TK[], this TKIP48 construction guarantees that 693 * the final RC4KEY value is unique across all frames. 694 * 695 ********************************************************************** 696 */ 697 static void 698 Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16) 699 { 700 u16b *PPK; /* temporary key for mixing */ 701 int i; 702 703 /* 704 * Suggested implementation optimization: if PPK[] is "overlaid" 705 * appropriately on RC4KEY[], there is no need for the final for 706 * loop that copies the PPK[] result into RC4KEY[]. 707 */ 708 PPK = (u16b *)&RC4KEY[4]; 709 710 /* all adds in the PPK[] equations below are mod 2**16 */ 711 for (i = 0; i < 5; i++) 712 PPK[i] = P1K[i]; /* first, copy P1K to PPK */ 713 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */ 714 715 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 716 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 717 PPK[1] += _S_(PPK[0] ^ TK16(1)); 718 PPK[2] += _S_(PPK[1] ^ TK16(2)); 719 PPK[3] += _S_(PPK[2] ^ TK16(3)); 720 PPK[4] += _S_(PPK[3] ^ TK16(4)); 721 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 722 723 /* Final sweep: bijective, linear. Rotates kill LSB correlations */ 724 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 725 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 726 PPK[2] += RotR1(PPK[1]); 727 PPK[3] += RotR1(PPK[2]); 728 PPK[4] += RotR1(PPK[3]); 729 PPK[5] += RotR1(PPK[4]); 730 731 /* At this point, for a given key TK[0..15], the 96-bit output */ 732 /* value PPK[0..5] is guaranteed to be unique, as a function */ 733 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */ 734 /* is now a keyed permutation of {TA,IV32,IV16}. */ 735 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */ 736 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */ 737 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */ 738 RC4KEY[2] = Lo8(IV16); 739 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 740 741 #if BYTE_ORDER == BIG_ENDIAN 742 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 743 for (i = 0; i < 6; i++) 744 PPK[i] = swap16(PPK[i]); 745 #endif 746 } 747