1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * $FreeBSD: head/sys/net80211/ieee80211_crypto_tkip.c 203673 2010-02-08 18:16:59Z bschmidt $ 26 * $DragonFly$ 27 */ 28 29 #include <sys/cdefs.h> 30 31 /* 32 * IEEE 802.11i TKIP crypto support. 33 * 34 * Part of this module is derived from similar code in the Host 35 * AP driver. The code is used with the consent of the author and 36 * it's license is included below. 37 */ 38 #include "opt_wlan.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/malloc.h> 44 #include <sys/kernel.h> 45 #include <sys/module.h> 46 #include <sys/endian.h> 47 48 #include <sys/socket.h> 49 50 #include <net/if.h> 51 #include <net/if_media.h> 52 #include <net/ethernet.h> 53 #include <net/route.h> 54 55 #include <netproto/802_11/ieee80211_var.h> 56 57 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 58 static void tkip_detach(struct ieee80211_key *); 59 static int tkip_setkey(struct ieee80211_key *); 60 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, uint8_t keyid); 61 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 62 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 63 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 64 65 static const struct ieee80211_cipher tkip = { 66 .ic_name = "TKIP", 67 .ic_cipher = IEEE80211_CIPHER_TKIP, 68 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 69 IEEE80211_WEP_EXTIVLEN, 70 .ic_trailer = IEEE80211_WEP_CRCLEN, 71 .ic_miclen = IEEE80211_WEP_MICLEN, 72 .ic_attach = tkip_attach, 73 .ic_detach = tkip_detach, 74 .ic_setkey = tkip_setkey, 75 .ic_encap = tkip_encap, 76 .ic_decap = tkip_decap, 77 .ic_enmic = tkip_enmic, 78 .ic_demic = tkip_demic, 79 }; 80 81 typedef uint8_t u8; 82 typedef uint16_t u16; 83 typedef uint32_t __u32; 84 typedef uint32_t u32; 85 86 struct tkip_ctx { 87 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 88 89 u16 tx_ttak[5]; 90 int tx_phase1_done; 91 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 92 93 u16 rx_ttak[5]; 94 int rx_phase1_done; 95 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 96 uint64_t rx_rsc; /* held until MIC verified */ 97 }; 98 99 static void michael_mic(struct tkip_ctx *, const u8 *key, 100 struct mbuf *m, u_int off, size_t data_len, 101 u8 mic[IEEE80211_WEP_MICLEN]); 102 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 103 struct mbuf *, int hdr_len); 104 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 105 struct mbuf *, int hdr_len); 106 107 /* number of references from net80211 layer */ 108 static int nrefs = 0; 109 110 static void * 111 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 112 { 113 struct tkip_ctx *ctx; 114 115 ctx = (struct tkip_ctx *) kmalloc(sizeof(struct tkip_ctx), 116 M_80211_CRYPTO, M_INTWAIT | M_ZERO); 117 if (ctx == NULL) { 118 vap->iv_stats.is_crypto_nomem++; 119 return NULL; 120 } 121 122 ctx->tc_vap = vap; 123 nrefs++; /* NB: we assume caller locking */ 124 return ctx; 125 } 126 127 static void 128 tkip_detach(struct ieee80211_key *k) 129 { 130 struct tkip_ctx *ctx = k->wk_private; 131 132 kfree(ctx, M_80211_CRYPTO); 133 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 134 nrefs--; /* NB: we assume caller locking */ 135 } 136 137 static int 138 tkip_setkey(struct ieee80211_key *k) 139 { 140 struct tkip_ctx *ctx = k->wk_private; 141 142 if (k->wk_keylen != (128/NBBY)) { 143 (void) ctx; /* XXX */ 144 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 145 "%s: Invalid key length %u, expecting %u\n", 146 __func__, k->wk_keylen, 128/NBBY); 147 return 0; 148 } 149 k->wk_keytsc = 1; /* TSC starts at 1 */ 150 ctx->rx_phase1_done = 0; 151 return 1; 152 } 153 154 /* 155 * Add privacy headers and do any s/w encryption required. 156 */ 157 static int 158 tkip_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 159 { 160 struct tkip_ctx *ctx = k->wk_private; 161 struct ieee80211vap *vap = ctx->tc_vap; 162 struct ieee80211com *ic = vap->iv_ic; 163 uint8_t *ivp; 164 int hdrlen; 165 166 /* 167 * Handle TKIP counter measures requirement. 168 */ 169 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 170 #ifdef IEEE80211_DEBUG 171 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 172 #endif 173 174 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 175 "discard frame due to countermeasures (%s)", __func__); 176 vap->iv_stats.is_crypto_tkipcm++; 177 return 0; 178 } 179 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 180 181 /* 182 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 183 */ 184 M_PREPEND(m, tkip.ic_header, MB_DONTWAIT); 185 if (m == NULL) 186 return 0; 187 ivp = mtod(m, uint8_t *); 188 memmove(ivp, ivp + tkip.ic_header, hdrlen); 189 ivp += hdrlen; 190 191 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 192 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 193 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 194 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 195 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 196 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 197 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 198 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 199 200 /* 201 * Finally, do software encrypt if neeed. 202 */ 203 if (k->wk_flags & IEEE80211_KEY_SWENCRYPT) { 204 if (!tkip_encrypt(ctx, k, m, hdrlen)) 205 return 0; 206 /* NB: tkip_encrypt handles wk_keytsc */ 207 } else 208 k->wk_keytsc++; 209 210 return 1; 211 } 212 213 /* 214 * Add MIC to the frame as needed. 215 */ 216 static int 217 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 218 { 219 struct tkip_ctx *ctx = k->wk_private; 220 221 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 222 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 223 struct ieee80211vap *vap = ctx->tc_vap; 224 struct ieee80211com *ic = vap->iv_ic; 225 int hdrlen; 226 uint8_t mic[IEEE80211_WEP_MICLEN]; 227 228 vap->iv_stats.is_crypto_tkipenmic++; 229 230 hdrlen = ieee80211_hdrspace(ic, wh); 231 232 michael_mic(ctx, k->wk_txmic, 233 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 234 return m_append(m, tkip.ic_miclen, mic); 235 } 236 return 1; 237 } 238 239 static __inline uint64_t 240 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 241 { 242 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 243 uint16_t iv16 = (b4 << 0) | (b5 << 8); 244 return (((uint64_t)iv16) << 32) | iv32; 245 } 246 247 /* 248 * Validate and strip privacy headers (and trailer) for a 249 * received frame. If necessary, decrypt the frame using 250 * the specified key. 251 */ 252 static int 253 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 254 { 255 struct tkip_ctx *ctx = k->wk_private; 256 struct ieee80211vap *vap = ctx->tc_vap; 257 struct ieee80211_frame *wh; 258 uint8_t *ivp, tid; 259 260 /* 261 * Header should have extended IV and sequence number; 262 * verify the former and validate the latter. 263 */ 264 wh = mtod(m, struct ieee80211_frame *); 265 ivp = mtod(m, uint8_t *) + hdrlen; 266 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 267 /* 268 * No extended IV; discard frame. 269 */ 270 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 271 "%s", "missing ExtIV for TKIP cipher"); 272 vap->iv_stats.is_rx_tkipformat++; 273 return 0; 274 } 275 /* 276 * Handle TKIP counter measures requirement. 277 */ 278 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 279 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 280 "discard frame due to countermeasures (%s)", __func__); 281 vap->iv_stats.is_crypto_tkipcm++; 282 return 0; 283 } 284 285 tid = ieee80211_gettid(wh); 286 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 287 if (ctx->rx_rsc <= k->wk_keyrsc[tid]) { 288 /* 289 * Replay violation; notify upper layer. 290 */ 291 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 292 vap->iv_stats.is_rx_tkipreplay++; 293 return 0; 294 } 295 /* 296 * NB: We can't update the rsc in the key until MIC is verified. 297 * 298 * We assume we are not preempted between doing the check above 299 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 300 * Otherwise we might process another packet and discard it as 301 * a replay. 302 */ 303 304 /* 305 * Check if the device handled the decrypt in hardware. 306 * If so we just strip the header; otherwise we need to 307 * handle the decrypt in software. 308 */ 309 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 310 !tkip_decrypt(ctx, k, m, hdrlen)) 311 return 0; 312 313 /* 314 * Copy up 802.11 header and strip crypto bits. 315 */ 316 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 317 m_adj(m, tkip.ic_header); 318 m_adj(m, -tkip.ic_trailer); 319 320 return 1; 321 } 322 323 /* 324 * Verify and strip MIC from the frame. 325 */ 326 static int 327 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 328 { 329 struct tkip_ctx *ctx = k->wk_private; 330 struct ieee80211_frame *wh; 331 uint8_t tid; 332 333 wh = mtod(m, struct ieee80211_frame *); 334 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 335 struct ieee80211vap *vap = ctx->tc_vap; 336 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 337 u8 mic[IEEE80211_WEP_MICLEN]; 338 u8 mic0[IEEE80211_WEP_MICLEN]; 339 340 vap->iv_stats.is_crypto_tkipdemic++; 341 342 michael_mic(ctx, k->wk_rxmic, 343 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 344 mic); 345 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 346 tkip.ic_miclen, mic0); 347 if (memcmp(mic, mic0, tkip.ic_miclen)) { 348 /* NB: 802.11 layer handles statistic and debug msg */ 349 ieee80211_notify_michael_failure(vap, wh, 350 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 351 k->wk_rxkeyix : k->wk_keyix); 352 return 0; 353 } 354 } 355 /* 356 * Strip MIC from the tail. 357 */ 358 m_adj(m, -tkip.ic_miclen); 359 360 /* 361 * Ok to update rsc now that MIC has been verified. 362 */ 363 tid = ieee80211_gettid(wh); 364 k->wk_keyrsc[tid] = ctx->rx_rsc; 365 366 return 1; 367 } 368 369 /* 370 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 371 * 372 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 373 * 374 * This program is free software; you can redistribute it and/or modify 375 * it under the terms of the GNU General Public License version 2 as 376 * published by the Free Software Foundation. See README and COPYING for 377 * more details. 378 * 379 * Alternatively, this software may be distributed under the terms of BSD 380 * license. 381 */ 382 383 static const __u32 crc32_table[256] = { 384 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 385 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 386 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 387 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 388 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 389 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 390 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 391 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 392 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 393 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 394 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 395 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 396 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 397 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 398 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 399 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 400 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 401 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 402 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 403 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 404 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 405 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 406 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 407 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 408 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 409 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 410 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 411 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 412 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 413 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 414 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 415 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 416 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 417 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 418 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 419 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 420 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 421 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 422 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 423 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 424 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 425 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 426 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 427 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 428 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 429 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 430 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 431 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 432 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 433 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 434 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 435 0x2d02ef8dL 436 }; 437 438 static __inline u16 RotR1(u16 val) 439 { 440 return (val >> 1) | (val << 15); 441 } 442 443 static __inline u8 Lo8(u16 val) 444 { 445 return val & 0xff; 446 } 447 448 static __inline u8 Hi8(u16 val) 449 { 450 return val >> 8; 451 } 452 453 static __inline u16 Lo16(u32 val) 454 { 455 return val & 0xffff; 456 } 457 458 static __inline u16 Hi16(u32 val) 459 { 460 return val >> 16; 461 } 462 463 static __inline u16 Mk16(u8 hi, u8 lo) 464 { 465 return lo | (((u16) hi) << 8); 466 } 467 468 static __inline u16 Mk16_le(const u16 *v) 469 { 470 return le16toh(*v); 471 } 472 473 static const u16 Sbox[256] = { 474 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 475 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 476 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 477 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 478 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 479 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 480 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 481 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 482 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 483 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 484 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 485 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 486 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 487 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 488 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 489 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 490 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 491 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 492 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 493 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 494 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 495 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 496 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 497 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 498 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 499 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 500 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 501 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 502 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 503 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 504 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 505 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 506 }; 507 508 static __inline u16 _S_(u16 v) 509 { 510 u16 t = Sbox[Hi8(v)]; 511 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 512 } 513 514 #define PHASE1_LOOP_COUNT 8 515 516 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 517 { 518 int i, j; 519 520 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 521 TTAK[0] = Lo16(IV32); 522 TTAK[1] = Hi16(IV32); 523 TTAK[2] = Mk16(TA[1], TA[0]); 524 TTAK[3] = Mk16(TA[3], TA[2]); 525 TTAK[4] = Mk16(TA[5], TA[4]); 526 527 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 528 j = 2 * (i & 1); 529 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 530 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 531 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 532 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 533 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 534 } 535 } 536 537 #ifndef _BYTE_ORDER 538 #error "Don't know native byte order" 539 #endif 540 541 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 542 u16 IV16) 543 { 544 /* Make temporary area overlap WEP seed so that the final copy can be 545 * avoided on little endian hosts. */ 546 u16 *PPK = (u16 *) &WEPSeed[4]; 547 548 /* Step 1 - make copy of TTAK and bring in TSC */ 549 PPK[0] = TTAK[0]; 550 PPK[1] = TTAK[1]; 551 PPK[2] = TTAK[2]; 552 PPK[3] = TTAK[3]; 553 PPK[4] = TTAK[4]; 554 PPK[5] = TTAK[4] + IV16; 555 556 /* Step 2 - 96-bit bijective mixing using S-box */ 557 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 558 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 559 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 560 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 561 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 562 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 563 564 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 565 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 566 PPK[2] += RotR1(PPK[1]); 567 PPK[3] += RotR1(PPK[2]); 568 PPK[4] += RotR1(PPK[3]); 569 PPK[5] += RotR1(PPK[4]); 570 571 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 572 * WEPSeed[0..2] is transmitted as WEP IV */ 573 WEPSeed[0] = Hi8(IV16); 574 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 575 WEPSeed[2] = Lo8(IV16); 576 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 577 578 #if _BYTE_ORDER == _BIG_ENDIAN 579 { 580 int i; 581 for (i = 0; i < 6; i++) 582 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 583 } 584 #endif 585 } 586 587 static void 588 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 589 uint8_t icv[IEEE80211_WEP_CRCLEN]) 590 { 591 u32 i, j, k, crc; 592 size_t buflen; 593 u8 S[256]; 594 u8 *pos; 595 struct mbuf *m; 596 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 597 598 /* Setup RC4 state */ 599 for (i = 0; i < 256; i++) 600 S[i] = i; 601 j = 0; 602 for (i = 0; i < 256; i++) { 603 j = (j + S[i] + key[i & 0x0f]) & 0xff; 604 S_SWAP(i, j); 605 } 606 607 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 608 crc = ~0; 609 i = j = 0; 610 m = m0; 611 pos = mtod(m, uint8_t *) + off; 612 buflen = m->m_len - off; 613 for (;;) { 614 if (buflen > data_len) 615 buflen = data_len; 616 data_len -= buflen; 617 for (k = 0; k < buflen; k++) { 618 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 619 i = (i + 1) & 0xff; 620 j = (j + S[i]) & 0xff; 621 S_SWAP(i, j); 622 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 623 } 624 m = m->m_next; 625 if (m == NULL) { 626 KASSERT(data_len == 0, 627 ("out of buffers with data_len %zu\n", data_len)); 628 break; 629 } 630 pos = mtod(m, uint8_t *); 631 buflen = m->m_len; 632 } 633 crc = ~crc; 634 635 /* Append little-endian CRC32 and encrypt it to produce ICV */ 636 icv[0] = crc; 637 icv[1] = crc >> 8; 638 icv[2] = crc >> 16; 639 icv[3] = crc >> 24; 640 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 641 i = (i + 1) & 0xff; 642 j = (j + S[i]) & 0xff; 643 S_SWAP(i, j); 644 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 645 } 646 } 647 648 static int 649 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 650 { 651 u32 i, j, k, crc; 652 u8 S[256]; 653 u8 *pos, icv[4]; 654 size_t buflen; 655 656 /* Setup RC4 state */ 657 for (i = 0; i < 256; i++) 658 S[i] = i; 659 j = 0; 660 for (i = 0; i < 256; i++) { 661 j = (j + S[i] + key[i & 0x0f]) & 0xff; 662 S_SWAP(i, j); 663 } 664 665 /* Apply RC4 to data and compute CRC32 over decrypted data */ 666 crc = ~0; 667 i = j = 0; 668 pos = mtod(m, uint8_t *) + off; 669 buflen = m->m_len - off; 670 for (;;) { 671 if (buflen > data_len) 672 buflen = data_len; 673 data_len -= buflen; 674 for (k = 0; k < buflen; k++) { 675 i = (i + 1) & 0xff; 676 j = (j + S[i]) & 0xff; 677 S_SWAP(i, j); 678 *pos ^= S[(S[i] + S[j]) & 0xff]; 679 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 680 pos++; 681 } 682 m = m->m_next; 683 if (m == NULL) { 684 KASSERT(data_len == 0, 685 ("out of buffers with data_len %zu\n", data_len)); 686 break; 687 } 688 pos = mtod(m, uint8_t *); 689 buflen = m->m_len; 690 } 691 crc = ~crc; 692 693 /* Encrypt little-endian CRC32 and verify that it matches with the 694 * received ICV */ 695 icv[0] = crc; 696 icv[1] = crc >> 8; 697 icv[2] = crc >> 16; 698 icv[3] = crc >> 24; 699 for (k = 0; k < 4; k++) { 700 i = (i + 1) & 0xff; 701 j = (j + S[i]) & 0xff; 702 S_SWAP(i, j); 703 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 704 /* ICV mismatch - drop frame */ 705 return -1; 706 } 707 } 708 709 return 0; 710 } 711 712 713 static __inline u32 rotl(u32 val, int bits) 714 { 715 return (val << bits) | (val >> (32 - bits)); 716 } 717 718 719 static __inline u32 rotr(u32 val, int bits) 720 { 721 return (val >> bits) | (val << (32 - bits)); 722 } 723 724 725 static __inline u32 xswap(u32 val) 726 { 727 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 728 } 729 730 731 #define michael_block(l, r) \ 732 do { \ 733 r ^= rotl(l, 17); \ 734 l += r; \ 735 r ^= xswap(l); \ 736 l += r; \ 737 r ^= rotl(l, 3); \ 738 l += r; \ 739 r ^= rotr(l, 2); \ 740 l += r; \ 741 } while (0) 742 743 744 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 745 { 746 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 747 } 748 749 static __inline u32 get_le32(const u8 *p) 750 { 751 return get_le32_split(p[0], p[1], p[2], p[3]); 752 } 753 754 755 static __inline void put_le32(u8 *p, u32 v) 756 { 757 p[0] = v; 758 p[1] = v >> 8; 759 p[2] = v >> 16; 760 p[3] = v >> 24; 761 } 762 763 /* 764 * Craft pseudo header used to calculate the MIC. 765 */ 766 static void 767 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 768 { 769 const struct ieee80211_frame_addr4 *wh = 770 (const struct ieee80211_frame_addr4 *) wh0; 771 772 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 773 case IEEE80211_FC1_DIR_NODS: 774 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 775 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 776 break; 777 case IEEE80211_FC1_DIR_TODS: 778 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 779 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 780 break; 781 case IEEE80211_FC1_DIR_FROMDS: 782 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 783 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 784 break; 785 case IEEE80211_FC1_DIR_DSTODS: 786 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 787 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 788 break; 789 } 790 791 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 792 const struct ieee80211_qosframe *qwh = 793 (const struct ieee80211_qosframe *) wh; 794 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 795 } else 796 hdr[12] = 0; 797 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 798 } 799 800 static void 801 michael_mic(struct tkip_ctx *ctx, const u8 *key, 802 struct mbuf *m, u_int off, size_t data_len, 803 u8 mic[IEEE80211_WEP_MICLEN]) 804 { 805 uint8_t hdr[16]; 806 u32 l, r; 807 const uint8_t *data; 808 u_int space; 809 810 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 811 812 l = get_le32(key); 813 r = get_le32(key + 4); 814 815 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 816 l ^= get_le32(hdr); 817 michael_block(l, r); 818 l ^= get_le32(&hdr[4]); 819 michael_block(l, r); 820 l ^= get_le32(&hdr[8]); 821 michael_block(l, r); 822 l ^= get_le32(&hdr[12]); 823 michael_block(l, r); 824 825 /* first buffer has special handling */ 826 data = mtod(m, const uint8_t *) + off; 827 space = m->m_len - off; 828 for (;;) { 829 if (space > data_len) 830 space = data_len; 831 /* collect 32-bit blocks from current buffer */ 832 while (space >= sizeof(uint32_t)) { 833 l ^= get_le32(data); 834 michael_block(l, r); 835 data += sizeof(uint32_t), space -= sizeof(uint32_t); 836 data_len -= sizeof(uint32_t); 837 } 838 /* 839 * NB: when space is zero we make one more trip around 840 * the loop to advance to the next mbuf where there is 841 * data. This handles the case where there are 4*n 842 * bytes in an mbuf followed by <4 bytes in a later mbuf. 843 * By making an extra trip we'll drop out of the loop 844 * with m pointing at the mbuf with 3 bytes and space 845 * set as required by the remainder handling below. 846 */ 847 if (data_len == 0 || 848 (data_len < sizeof(uint32_t) && space != 0)) 849 break; 850 m = m->m_next; 851 if (m == NULL) { 852 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 853 break; 854 } 855 if (space != 0) { 856 const uint8_t *data_next; 857 /* 858 * Block straddles buffers, split references. 859 */ 860 data_next = mtod(m, const uint8_t *); 861 KASSERT(m->m_len >= sizeof(uint32_t) - space, 862 ("not enough data in following buffer, " 863 "m_len %u need %zu\n", m->m_len, 864 sizeof(uint32_t) - space)); 865 switch (space) { 866 case 1: 867 l ^= get_le32_split(data[0], data_next[0], 868 data_next[1], data_next[2]); 869 data = data_next + 3; 870 space = m->m_len - 3; 871 break; 872 case 2: 873 l ^= get_le32_split(data[0], data[1], 874 data_next[0], data_next[1]); 875 data = data_next + 2; 876 space = m->m_len - 2; 877 break; 878 case 3: 879 l ^= get_le32_split(data[0], data[1], 880 data[2], data_next[0]); 881 data = data_next + 1; 882 space = m->m_len - 1; 883 break; 884 } 885 michael_block(l, r); 886 data_len -= sizeof(uint32_t); 887 } else { 888 /* 889 * Setup for next buffer. 890 */ 891 data = mtod(m, const uint8_t *); 892 space = m->m_len; 893 } 894 } 895 /* 896 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 897 * mbuf[2 bytes]. I don't believe these should happen; if they 898 * do then we'll need more involved logic. 899 */ 900 KASSERT(data_len <= space, 901 ("not enough data, data_len %zu space %u\n", data_len, space)); 902 903 /* Last block and padding (0x5a, 4..7 x 0) */ 904 switch (data_len) { 905 case 0: 906 l ^= get_le32_split(0x5a, 0, 0, 0); 907 break; 908 case 1: 909 l ^= get_le32_split(data[0], 0x5a, 0, 0); 910 break; 911 case 2: 912 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 913 break; 914 case 3: 915 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 916 break; 917 } 918 michael_block(l, r); 919 /* l ^= 0; */ 920 michael_block(l, r); 921 922 put_le32(mic, l); 923 put_le32(mic + 4, r); 924 } 925 926 static int 927 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 928 struct mbuf *m, int hdrlen) 929 { 930 struct ieee80211_frame *wh; 931 uint8_t icv[IEEE80211_WEP_CRCLEN]; 932 933 ctx->tc_vap->iv_stats.is_crypto_tkip++; 934 935 wh = mtod(m, struct ieee80211_frame *); 936 if (!ctx->tx_phase1_done) { 937 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 938 (u32)(key->wk_keytsc >> 16)); 939 ctx->tx_phase1_done = 1; 940 } 941 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 942 (u16) key->wk_keytsc); 943 944 wep_encrypt(ctx->tx_rc4key, 945 m, hdrlen + tkip.ic_header, 946 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 947 icv); 948 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 949 950 key->wk_keytsc++; 951 if ((u16)(key->wk_keytsc) == 0) 952 ctx->tx_phase1_done = 0; 953 return 1; 954 } 955 956 static int 957 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 958 struct mbuf *m, int hdrlen) 959 { 960 struct ieee80211_frame *wh; 961 struct ieee80211vap *vap = ctx->tc_vap; 962 u32 iv32; 963 u16 iv16; 964 u8 tid; 965 966 vap->iv_stats.is_crypto_tkip++; 967 968 wh = mtod(m, struct ieee80211_frame *); 969 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 970 iv16 = (u16) ctx->rx_rsc; 971 iv32 = (u32) (ctx->rx_rsc >> 16); 972 973 tid = ieee80211_gettid(wh); 974 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 975 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 976 wh->i_addr2, iv32); 977 ctx->rx_phase1_done = 1; 978 } 979 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 980 981 /* NB: m is unstripped; deduct headers + ICV to get payload */ 982 if (wep_decrypt(ctx->rx_rc4key, 983 m, hdrlen + tkip.ic_header, 984 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 985 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 986 /* Previously cached Phase1 result was already lost, so 987 * it needs to be recalculated for the next packet. */ 988 ctx->rx_phase1_done = 0; 989 } 990 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 991 "%s", "TKIP ICV mismatch on decrypt"); 992 vap->iv_stats.is_rx_tkipicv++; 993 return 0; 994 } 995 return 1; 996 } 997 998 /* 999 * Module glue. 1000 */ 1001 IEEE80211_CRYPTO_MODULE(tkip, 1); 1002