1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD$"); 28 29 /* 30 * IEEE 802.11i TKIP crypto support. 31 * 32 * Part of this module is derived from similar code in the Host 33 * AP driver. The code is used with the consent of the author and 34 * it's license is included below. 35 */ 36 #include "opt_wlan.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/mbuf.h> 41 #include <sys/malloc.h> 42 #include <sys/kernel.h> 43 #include <sys/module.h> 44 #include <sys/endian.h> 45 46 #include <sys/socket.h> 47 48 #include <net/if.h> 49 #include <net/if_media.h> 50 #include <net/ethernet.h> 51 52 #include <netproto/802_11/ieee80211_var.h> 53 54 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 55 static void tkip_detach(struct ieee80211_key *); 56 static int tkip_setkey(struct ieee80211_key *); 57 static void tkip_setiv(struct ieee80211_key *, uint8_t *); 58 static int tkip_encap(struct ieee80211_key *, struct mbuf *); 59 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 60 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 61 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 62 63 static const struct ieee80211_cipher tkip = { 64 .ic_name = "TKIP", 65 .ic_cipher = IEEE80211_CIPHER_TKIP, 66 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 67 IEEE80211_WEP_EXTIVLEN, 68 .ic_trailer = IEEE80211_WEP_CRCLEN, 69 .ic_miclen = IEEE80211_WEP_MICLEN, 70 .ic_attach = tkip_attach, 71 .ic_detach = tkip_detach, 72 .ic_setkey = tkip_setkey, 73 .ic_setiv = tkip_setiv, 74 .ic_encap = tkip_encap, 75 .ic_decap = tkip_decap, 76 .ic_enmic = tkip_enmic, 77 .ic_demic = tkip_demic, 78 }; 79 80 typedef uint8_t u8; 81 typedef uint16_t u16; 82 typedef uint32_t __u32; 83 typedef uint32_t u32; 84 85 struct tkip_ctx { 86 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 87 88 u16 tx_ttak[5]; 89 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 90 91 u16 rx_ttak[5]; 92 int rx_phase1_done; 93 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 94 uint64_t rx_rsc; /* held until MIC verified */ 95 }; 96 97 static void michael_mic(struct tkip_ctx *, const u8 *key, 98 struct mbuf *m, u_int off, size_t data_len, 99 u8 mic[IEEE80211_WEP_MICLEN]); 100 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 101 struct mbuf *, int hdr_len); 102 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 103 struct mbuf *, int hdr_len); 104 105 /* number of references from net80211 layer */ 106 static int nrefs = 0; 107 108 static void * 109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 110 { 111 struct tkip_ctx *ctx; 112 113 #if defined(__DragonFly__) 114 ctx = (struct tkip_ctx *) kmalloc(sizeof(struct tkip_ctx), 115 M_80211_CRYPTO, M_INTWAIT | M_ZERO); 116 #else 117 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 118 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 119 #endif 120 if (ctx == NULL) { 121 vap->iv_stats.is_crypto_nomem++; 122 return NULL; 123 } 124 125 ctx->tc_vap = vap; 126 nrefs++; /* NB: we assume caller locking */ 127 return ctx; 128 } 129 130 static void 131 tkip_detach(struct ieee80211_key *k) 132 { 133 struct tkip_ctx *ctx = k->wk_private; 134 135 IEEE80211_FREE(ctx, M_80211_CRYPTO); 136 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 137 nrefs--; /* NB: we assume caller locking */ 138 } 139 140 static int 141 tkip_setkey(struct ieee80211_key *k) 142 { 143 struct tkip_ctx *ctx = k->wk_private; 144 145 if (k->wk_keylen != (128/NBBY)) { 146 (void) ctx; /* XXX */ 147 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 148 "%s: Invalid key length %u, expecting %u\n", 149 __func__, k->wk_keylen, 128/NBBY); 150 return 0; 151 } 152 ctx->rx_phase1_done = 0; 153 return 1; 154 } 155 156 static void 157 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 158 { 159 struct tkip_ctx *ctx = k->wk_private; 160 struct ieee80211vap *vap = ctx->tc_vap; 161 uint8_t keyid; 162 163 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 164 165 k->wk_keytsc++; 166 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 167 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 168 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 169 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 170 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 171 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 172 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 173 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 174 } 175 176 /* 177 * Add privacy headers and do any s/w encryption required. 178 */ 179 static int 180 tkip_encap(struct ieee80211_key *k, struct mbuf *m) 181 { 182 struct tkip_ctx *ctx = k->wk_private; 183 struct ieee80211vap *vap = ctx->tc_vap; 184 struct ieee80211com *ic = vap->iv_ic; 185 uint8_t *ivp; 186 int hdrlen; 187 188 /* 189 * Handle TKIP counter measures requirement. 190 */ 191 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 192 #ifdef IEEE80211_DEBUG 193 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 194 #endif 195 196 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 197 "discard frame due to countermeasures (%s)", __func__); 198 vap->iv_stats.is_crypto_tkipcm++; 199 return 0; 200 } 201 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 202 203 /* 204 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 205 */ 206 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 207 if (m == NULL) 208 return 0; 209 ivp = mtod(m, uint8_t *); 210 memmove(ivp, ivp + tkip.ic_header, hdrlen); 211 ivp += hdrlen; 212 213 tkip_setiv(k, ivp); 214 215 /* 216 * Finally, do software encrypt if needed. 217 */ 218 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 219 !tkip_encrypt(ctx, k, m, hdrlen)) 220 return 0; 221 222 return 1; 223 } 224 225 /* 226 * Add MIC to the frame as needed. 227 */ 228 static int 229 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 230 { 231 struct tkip_ctx *ctx = k->wk_private; 232 233 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 234 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 235 struct ieee80211vap *vap = ctx->tc_vap; 236 struct ieee80211com *ic = vap->iv_ic; 237 int hdrlen; 238 uint8_t mic[IEEE80211_WEP_MICLEN]; 239 240 vap->iv_stats.is_crypto_tkipenmic++; 241 242 hdrlen = ieee80211_hdrspace(ic, wh); 243 244 michael_mic(ctx, k->wk_txmic, 245 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 246 return m_append(m, tkip.ic_miclen, mic); 247 } 248 return 1; 249 } 250 251 static __inline uint64_t 252 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 253 { 254 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 255 uint16_t iv16 = (b4 << 0) | (b5 << 8); 256 return (((uint64_t)iv16) << 32) | iv32; 257 } 258 259 /* 260 * Validate and strip privacy headers (and trailer) for a 261 * received frame. If necessary, decrypt the frame using 262 * the specified key. 263 */ 264 static int 265 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 266 { 267 struct tkip_ctx *ctx = k->wk_private; 268 struct ieee80211vap *vap = ctx->tc_vap; 269 struct ieee80211_frame *wh; 270 uint8_t *ivp, tid; 271 272 /* 273 * Header should have extended IV and sequence number; 274 * verify the former and validate the latter. 275 */ 276 wh = mtod(m, struct ieee80211_frame *); 277 ivp = mtod(m, uint8_t *) + hdrlen; 278 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 279 /* 280 * No extended IV; discard frame. 281 */ 282 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 283 "%s", "missing ExtIV for TKIP cipher"); 284 vap->iv_stats.is_rx_tkipformat++; 285 return 0; 286 } 287 /* 288 * Handle TKIP counter measures requirement. 289 */ 290 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 291 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 292 "discard frame due to countermeasures (%s)", __func__); 293 vap->iv_stats.is_crypto_tkipcm++; 294 return 0; 295 } 296 297 tid = ieee80211_gettid(wh); 298 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 299 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 300 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 301 /* 302 * Replay violation; notify upper layer. 303 */ 304 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 305 vap->iv_stats.is_rx_tkipreplay++; 306 return 0; 307 } 308 /* 309 * NB: We can't update the rsc in the key until MIC is verified. 310 * 311 * We assume we are not preempted between doing the check above 312 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 313 * Otherwise we might process another packet and discard it as 314 * a replay. 315 */ 316 317 /* 318 * Check if the device handled the decrypt in hardware. 319 * If so we just strip the header; otherwise we need to 320 * handle the decrypt in software. 321 */ 322 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 323 !tkip_decrypt(ctx, k, m, hdrlen)) 324 return 0; 325 326 /* 327 * Copy up 802.11 header and strip crypto bits. 328 */ 329 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 330 m_adj(m, tkip.ic_header); 331 m_adj(m, -tkip.ic_trailer); 332 333 return 1; 334 } 335 336 /* 337 * Verify and strip MIC from the frame. 338 */ 339 static int 340 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 341 { 342 struct tkip_ctx *ctx = k->wk_private; 343 struct ieee80211_frame *wh; 344 uint8_t tid; 345 346 wh = mtod(m, struct ieee80211_frame *); 347 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 348 struct ieee80211vap *vap = ctx->tc_vap; 349 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 350 u8 mic[IEEE80211_WEP_MICLEN]; 351 u8 mic0[IEEE80211_WEP_MICLEN]; 352 353 vap->iv_stats.is_crypto_tkipdemic++; 354 355 michael_mic(ctx, k->wk_rxmic, 356 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 357 mic); 358 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 359 tkip.ic_miclen, mic0); 360 if (memcmp(mic, mic0, tkip.ic_miclen)) { 361 /* NB: 802.11 layer handles statistic and debug msg */ 362 ieee80211_notify_michael_failure(vap, wh, 363 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 364 k->wk_rxkeyix : k->wk_keyix); 365 return 0; 366 } 367 } 368 /* 369 * Strip MIC from the tail. 370 */ 371 m_adj(m, -tkip.ic_miclen); 372 373 /* 374 * Ok to update rsc now that MIC has been verified. 375 */ 376 tid = ieee80211_gettid(wh); 377 k->wk_keyrsc[tid] = ctx->rx_rsc; 378 379 return 1; 380 } 381 382 /* 383 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 384 * 385 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 386 * 387 * This program is free software; you can redistribute it and/or modify 388 * it under the terms of the GNU General Public License version 2 as 389 * published by the Free Software Foundation. See README and COPYING for 390 * more details. 391 * 392 * Alternatively, this software may be distributed under the terms of BSD 393 * license. 394 */ 395 396 static const __u32 crc32_table[256] = { 397 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 398 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 399 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 400 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 401 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 402 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 403 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 404 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 405 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 406 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 407 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 408 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 409 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 410 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 411 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 412 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 413 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 414 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 415 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 416 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 417 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 418 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 419 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 420 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 421 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 422 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 423 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 424 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 425 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 426 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 427 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 428 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 429 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 430 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 431 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 432 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 433 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 434 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 435 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 436 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 437 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 438 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 439 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 440 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 441 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 442 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 443 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 444 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 445 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 446 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 447 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 448 0x2d02ef8dL 449 }; 450 451 static __inline u16 RotR1(u16 val) 452 { 453 return (val >> 1) | (val << 15); 454 } 455 456 static __inline u8 Lo8(u16 val) 457 { 458 return val & 0xff; 459 } 460 461 static __inline u8 Hi8(u16 val) 462 { 463 return val >> 8; 464 } 465 466 static __inline u16 Lo16(u32 val) 467 { 468 return val & 0xffff; 469 } 470 471 static __inline u16 Hi16(u32 val) 472 { 473 return val >> 16; 474 } 475 476 static __inline u16 Mk16(u8 hi, u8 lo) 477 { 478 return lo | (((u16) hi) << 8); 479 } 480 481 static __inline u16 Mk16_le(const u16 *v) 482 { 483 return le16toh(*v); 484 } 485 486 static const u16 Sbox[256] = { 487 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 488 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 489 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 490 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 491 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 492 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 493 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 494 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 495 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 496 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 497 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 498 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 499 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 500 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 501 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 502 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 503 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 504 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 505 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 506 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 507 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 508 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 509 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 510 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 511 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 512 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 513 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 514 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 515 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 516 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 517 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 518 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 519 }; 520 521 static __inline u16 _S_(u16 v) 522 { 523 u16 t = Sbox[Hi8(v)]; 524 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 525 } 526 527 #define PHASE1_LOOP_COUNT 8 528 529 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 530 { 531 int i, j; 532 533 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 534 TTAK[0] = Lo16(IV32); 535 TTAK[1] = Hi16(IV32); 536 TTAK[2] = Mk16(TA[1], TA[0]); 537 TTAK[3] = Mk16(TA[3], TA[2]); 538 TTAK[4] = Mk16(TA[5], TA[4]); 539 540 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 541 j = 2 * (i & 1); 542 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 543 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 544 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 545 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 546 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 547 } 548 } 549 550 #ifndef _BYTE_ORDER 551 #error "Don't know native byte order" 552 #endif 553 554 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 555 u16 IV16) 556 { 557 /* Make temporary area overlap WEP seed so that the final copy can be 558 * avoided on little endian hosts. */ 559 u16 *PPK = (u16 *) &WEPSeed[4]; 560 561 /* Step 1 - make copy of TTAK and bring in TSC */ 562 PPK[0] = TTAK[0]; 563 PPK[1] = TTAK[1]; 564 PPK[2] = TTAK[2]; 565 PPK[3] = TTAK[3]; 566 PPK[4] = TTAK[4]; 567 PPK[5] = TTAK[4] + IV16; 568 569 /* Step 2 - 96-bit bijective mixing using S-box */ 570 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 571 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 572 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 573 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 574 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 575 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 576 577 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 578 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 579 PPK[2] += RotR1(PPK[1]); 580 PPK[3] += RotR1(PPK[2]); 581 PPK[4] += RotR1(PPK[3]); 582 PPK[5] += RotR1(PPK[4]); 583 584 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 585 * WEPSeed[0..2] is transmitted as WEP IV */ 586 WEPSeed[0] = Hi8(IV16); 587 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 588 WEPSeed[2] = Lo8(IV16); 589 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 590 591 #if _BYTE_ORDER == _BIG_ENDIAN 592 { 593 int i; 594 for (i = 0; i < 6; i++) 595 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 596 } 597 #endif 598 } 599 600 static void 601 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 602 uint8_t icv[IEEE80211_WEP_CRCLEN]) 603 { 604 u32 i, j, k, crc; 605 size_t buflen; 606 u8 S[256]; 607 u8 *pos; 608 struct mbuf *m; 609 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 610 611 /* Setup RC4 state */ 612 for (i = 0; i < 256; i++) 613 S[i] = i; 614 j = 0; 615 for (i = 0; i < 256; i++) { 616 j = (j + S[i] + key[i & 0x0f]) & 0xff; 617 S_SWAP(i, j); 618 } 619 620 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 621 crc = ~0; 622 i = j = 0; 623 m = m0; 624 pos = mtod(m, uint8_t *) + off; 625 buflen = m->m_len - off; 626 for (;;) { 627 if (buflen > data_len) 628 buflen = data_len; 629 data_len -= buflen; 630 for (k = 0; k < buflen; k++) { 631 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 632 i = (i + 1) & 0xff; 633 j = (j + S[i]) & 0xff; 634 S_SWAP(i, j); 635 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 636 } 637 m = m->m_next; 638 if (m == NULL) { 639 KASSERT(data_len == 0, 640 ("out of buffers with data_len %zu\n", data_len)); 641 break; 642 } 643 pos = mtod(m, uint8_t *); 644 buflen = m->m_len; 645 } 646 crc = ~crc; 647 648 /* Append little-endian CRC32 and encrypt it to produce ICV */ 649 icv[0] = crc; 650 icv[1] = crc >> 8; 651 icv[2] = crc >> 16; 652 icv[3] = crc >> 24; 653 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 654 i = (i + 1) & 0xff; 655 j = (j + S[i]) & 0xff; 656 S_SWAP(i, j); 657 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 658 } 659 } 660 661 static int 662 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 663 { 664 u32 i, j, k, crc; 665 u8 S[256]; 666 u8 *pos, icv[4]; 667 size_t buflen; 668 669 /* Setup RC4 state */ 670 for (i = 0; i < 256; i++) 671 S[i] = i; 672 j = 0; 673 for (i = 0; i < 256; i++) { 674 j = (j + S[i] + key[i & 0x0f]) & 0xff; 675 S_SWAP(i, j); 676 } 677 678 /* Apply RC4 to data and compute CRC32 over decrypted data */ 679 crc = ~0; 680 i = j = 0; 681 pos = mtod(m, uint8_t *) + off; 682 buflen = m->m_len - off; 683 for (;;) { 684 if (buflen > data_len) 685 buflen = data_len; 686 data_len -= buflen; 687 for (k = 0; k < buflen; k++) { 688 i = (i + 1) & 0xff; 689 j = (j + S[i]) & 0xff; 690 S_SWAP(i, j); 691 *pos ^= S[(S[i] + S[j]) & 0xff]; 692 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 693 pos++; 694 } 695 m = m->m_next; 696 if (m == NULL) { 697 KASSERT(data_len == 0, 698 ("out of buffers with data_len %zu\n", data_len)); 699 break; 700 } 701 pos = mtod(m, uint8_t *); 702 buflen = m->m_len; 703 } 704 crc = ~crc; 705 706 /* Encrypt little-endian CRC32 and verify that it matches with the 707 * received ICV */ 708 icv[0] = crc; 709 icv[1] = crc >> 8; 710 icv[2] = crc >> 16; 711 icv[3] = crc >> 24; 712 for (k = 0; k < 4; k++) { 713 i = (i + 1) & 0xff; 714 j = (j + S[i]) & 0xff; 715 S_SWAP(i, j); 716 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 717 /* ICV mismatch - drop frame */ 718 return -1; 719 } 720 } 721 722 return 0; 723 } 724 725 726 static __inline u32 rotl(u32 val, int bits) 727 { 728 return (val << bits) | (val >> (32 - bits)); 729 } 730 731 732 static __inline u32 rotr(u32 val, int bits) 733 { 734 return (val >> bits) | (val << (32 - bits)); 735 } 736 737 738 static __inline u32 xswap(u32 val) 739 { 740 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 741 } 742 743 744 #define michael_block(l, r) \ 745 do { \ 746 r ^= rotl(l, 17); \ 747 l += r; \ 748 r ^= xswap(l); \ 749 l += r; \ 750 r ^= rotl(l, 3); \ 751 l += r; \ 752 r ^= rotr(l, 2); \ 753 l += r; \ 754 } while (0) 755 756 757 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 758 { 759 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 760 } 761 762 static __inline u32 get_le32(const u8 *p) 763 { 764 return get_le32_split(p[0], p[1], p[2], p[3]); 765 } 766 767 768 static __inline void put_le32(u8 *p, u32 v) 769 { 770 p[0] = v; 771 p[1] = v >> 8; 772 p[2] = v >> 16; 773 p[3] = v >> 24; 774 } 775 776 /* 777 * Craft pseudo header used to calculate the MIC. 778 */ 779 static void 780 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 781 { 782 const struct ieee80211_frame_addr4 *wh = 783 (const struct ieee80211_frame_addr4 *) wh0; 784 785 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 786 case IEEE80211_FC1_DIR_NODS: 787 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 788 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 789 break; 790 case IEEE80211_FC1_DIR_TODS: 791 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 792 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 793 break; 794 case IEEE80211_FC1_DIR_FROMDS: 795 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 796 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 797 break; 798 case IEEE80211_FC1_DIR_DSTODS: 799 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 800 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 801 break; 802 } 803 804 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 805 const struct ieee80211_qosframe *qwh = 806 (const struct ieee80211_qosframe *) wh; 807 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 808 } else 809 hdr[12] = 0; 810 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 811 } 812 813 static void 814 michael_mic(struct tkip_ctx *ctx, const u8 *key, 815 struct mbuf *m, u_int off, size_t data_len, 816 u8 mic[IEEE80211_WEP_MICLEN]) 817 { 818 uint8_t hdr[16]; 819 u32 l, r; 820 const uint8_t *data; 821 u_int space; 822 823 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 824 825 l = get_le32(key); 826 r = get_le32(key + 4); 827 828 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 829 l ^= get_le32(hdr); 830 michael_block(l, r); 831 l ^= get_le32(&hdr[4]); 832 michael_block(l, r); 833 l ^= get_le32(&hdr[8]); 834 michael_block(l, r); 835 l ^= get_le32(&hdr[12]); 836 michael_block(l, r); 837 838 /* first buffer has special handling */ 839 data = mtod(m, const uint8_t *) + off; 840 space = m->m_len - off; 841 for (;;) { 842 if (space > data_len) 843 space = data_len; 844 /* collect 32-bit blocks from current buffer */ 845 while (space >= sizeof(uint32_t)) { 846 l ^= get_le32(data); 847 michael_block(l, r); 848 data += sizeof(uint32_t), space -= sizeof(uint32_t); 849 data_len -= sizeof(uint32_t); 850 } 851 /* 852 * NB: when space is zero we make one more trip around 853 * the loop to advance to the next mbuf where there is 854 * data. This handles the case where there are 4*n 855 * bytes in an mbuf followed by <4 bytes in a later mbuf. 856 * By making an extra trip we'll drop out of the loop 857 * with m pointing at the mbuf with 3 bytes and space 858 * set as required by the remainder handling below. 859 */ 860 if (data_len == 0 || 861 (data_len < sizeof(uint32_t) && space != 0)) 862 break; 863 m = m->m_next; 864 if (m == NULL) { 865 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 866 break; 867 } 868 if (space != 0) { 869 const uint8_t *data_next; 870 /* 871 * Block straddles buffers, split references. 872 */ 873 data_next = mtod(m, const uint8_t *); 874 KASSERT(m->m_len >= sizeof(uint32_t) - space, 875 ("not enough data in following buffer, " 876 "m_len %u need %zu\n", m->m_len, 877 sizeof(uint32_t) - space)); 878 switch (space) { 879 case 1: 880 l ^= get_le32_split(data[0], data_next[0], 881 data_next[1], data_next[2]); 882 data = data_next + 3; 883 space = m->m_len - 3; 884 break; 885 case 2: 886 l ^= get_le32_split(data[0], data[1], 887 data_next[0], data_next[1]); 888 data = data_next + 2; 889 space = m->m_len - 2; 890 break; 891 case 3: 892 l ^= get_le32_split(data[0], data[1], 893 data[2], data_next[0]); 894 data = data_next + 1; 895 space = m->m_len - 1; 896 break; 897 } 898 michael_block(l, r); 899 data_len -= sizeof(uint32_t); 900 } else { 901 /* 902 * Setup for next buffer. 903 */ 904 data = mtod(m, const uint8_t *); 905 space = m->m_len; 906 } 907 } 908 /* 909 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 910 * mbuf[2 bytes]. I don't believe these should happen; if they 911 * do then we'll need more involved logic. 912 */ 913 KASSERT(data_len <= space, 914 ("not enough data, data_len %zu space %u\n", data_len, space)); 915 916 /* Last block and padding (0x5a, 4..7 x 0) */ 917 switch (data_len) { 918 case 0: 919 l ^= get_le32_split(0x5a, 0, 0, 0); 920 break; 921 case 1: 922 l ^= get_le32_split(data[0], 0x5a, 0, 0); 923 break; 924 case 2: 925 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 926 break; 927 case 3: 928 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 929 break; 930 } 931 michael_block(l, r); 932 /* l ^= 0; */ 933 michael_block(l, r); 934 935 put_le32(mic, l); 936 put_le32(mic + 4, r); 937 } 938 939 static int 940 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 941 struct mbuf *m, int hdrlen) 942 { 943 struct ieee80211_frame *wh; 944 uint8_t icv[IEEE80211_WEP_CRCLEN]; 945 946 ctx->tc_vap->iv_stats.is_crypto_tkip++; 947 948 wh = mtod(m, struct ieee80211_frame *); 949 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 950 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 951 (u32)(key->wk_keytsc >> 16)); 952 } 953 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 954 (u16) key->wk_keytsc); 955 956 wep_encrypt(ctx->tx_rc4key, 957 m, hdrlen + tkip.ic_header, 958 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 959 icv); 960 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 961 962 return 1; 963 } 964 965 static int 966 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 967 struct mbuf *m, int hdrlen) 968 { 969 struct ieee80211_frame *wh; 970 struct ieee80211vap *vap = ctx->tc_vap; 971 u32 iv32; 972 u16 iv16; 973 u8 tid; 974 975 vap->iv_stats.is_crypto_tkip++; 976 977 wh = mtod(m, struct ieee80211_frame *); 978 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 979 iv16 = (u16) ctx->rx_rsc; 980 iv32 = (u32) (ctx->rx_rsc >> 16); 981 982 tid = ieee80211_gettid(wh); 983 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 984 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 985 wh->i_addr2, iv32); 986 ctx->rx_phase1_done = 1; 987 } 988 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 989 990 /* NB: m is unstripped; deduct headers + ICV to get payload */ 991 if (wep_decrypt(ctx->rx_rc4key, 992 m, hdrlen + tkip.ic_header, 993 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 994 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 995 /* Previously cached Phase1 result was already lost, so 996 * it needs to be recalculated for the next packet. */ 997 ctx->rx_phase1_done = 0; 998 } 999 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1000 "%s", "TKIP ICV mismatch on decrypt"); 1001 vap->iv_stats.is_rx_tkipicv++; 1002 return 0; 1003 } 1004 return 1; 1005 } 1006 1007 /* 1008 * Module glue. 1009 */ 1010 IEEE80211_CRYPTO_MODULE(tkip, 1); 1011