2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 * $FreeBSD: src/sys/net80211/ieee80211_crypto_tkip.c,v 1.9.2.2 2005/12/22 19:02:08 sam Exp $
32 * $DragonFly: src/sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c,v 1.6 2007/09/15 07:19:23 sephe Exp $
36 * IEEE 802.11i TKIP crypto support.
38 * Part of this module is derived from similar code in the Host
39 * AP driver. The code is used with the consent of the author and
40 * it's license is included below.
42 #include <sys/param.h>
43 #include <sys/systm.h>
45 #include <sys/malloc.h>
46 #include <sys/kernel.h>
47 #include <sys/module.h>
48 #include <sys/endian.h>
50 #include <sys/socket.h>
53 #include <net/if_arp.h>
54 #include <net/if_media.h>
55 #include <net/ethernet.h>
57 #include <netproto/802_11/ieee80211_var.h>
59 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *);
60 static void tkip_detach(struct ieee80211_key *);
61 static int tkip_setkey(struct ieee80211_key *);
62 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, uint8_t keyid);
63 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
64 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
65 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
66 static int tkip_getiv(struct ieee80211_key *, struct ieee80211_crypto_iv *,
68 static int tkip_update(struct ieee80211_key *,
69 const struct ieee80211_crypto_iv *,
70 const struct ieee80211_frame *);
72 static const struct ieee80211_cipher tkip = {
74 .ic_cipher = IEEE80211_CIPHER_TKIP,
75 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
76 IEEE80211_WEP_EXTIVLEN,
77 .ic_trailer = IEEE80211_WEP_CRCLEN,
78 .ic_miclen = IEEE80211_WEP_MICLEN,
79 .ic_attach = tkip_attach,
80 .ic_detach = tkip_detach,
81 .ic_setkey = tkip_setkey,
82 .ic_encap = tkip_encap,
83 .ic_decap = tkip_decap,
84 .ic_enmic = tkip_enmic,
85 .ic_demic = tkip_demic,
86 .ic_getiv = tkip_getiv,
87 .ic_update = tkip_update
90 #define memmove(dst, src, n) ovbcopy(src, dst, n)
93 struct ieee80211com *tc_ic; /* for diagnostics */
97 uint8_t tx_rc4key[16]; /* XXX for test module; make locals? */
101 uint8_t rx_rc4key[16]; /* XXX for test module; make locals? */
102 uint64_t rx_rsc; /* held until MIC verified */
105 static void michael_mic(struct tkip_ctx *, const uint8_t *key,
106 struct mbuf *m, u_int off, size_t data_len,
107 uint8_t mic[IEEE80211_WEP_MICLEN]);
108 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
109 struct mbuf *, int hdr_len);
110 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
111 struct mbuf *, int hdr_len);
113 /* number of references from net80211 layer */
114 static int nrefs = 0;
117 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k)
119 struct tkip_ctx *ctx;
121 ctx = kmalloc(sizeof(struct tkip_ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
123 ic->ic_stats.is_crypto_nomem++;
128 nrefs++; /* NB: we assume caller locking */
133 tkip_detach(struct ieee80211_key *k)
135 struct tkip_ctx *ctx = k->wk_private;
137 kfree(ctx, M_DEVBUF);
138 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
139 nrefs--; /* NB: we assume caller locking */
143 tkip_setkey(struct ieee80211_key *k)
145 struct tkip_ctx *ctx = k->wk_private;
147 if (k->wk_keylen != (128/NBBY)) {
148 (void) ctx; /* XXX */
149 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
150 "%s: Invalid key length %u, expecting %u\n",
151 __func__, k->wk_keylen, 128/NBBY);
154 k->wk_keytsc = 1; /* TSC starts at 1 */
159 * Add privacy headers and do any s/w encryption required.
162 tkip_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid)
164 struct tkip_ctx *ctx = k->wk_private;
165 struct ieee80211com *ic = ctx->tc_ic;
170 * Handle TKIP counter measures requirement.
172 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
173 #ifdef IEEE80211_DEBUG
174 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
177 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
178 "[%6D] Discard frame due to countermeasures (%s)\n",
179 wh->i_addr2, ":", __func__);
180 ic->ic_stats.is_crypto_tkipcm++;
183 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
186 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
188 M_PREPEND(m, tkip.ic_header, MB_DONTWAIT);
191 ivp = mtod(m, uint8_t *);
192 memmove(ivp, ivp + tkip.ic_header, hdrlen);
195 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
196 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
197 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
198 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
199 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
200 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
201 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
202 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
205 * Finally, do software encrypt if neeed.
207 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) {
208 if (!tkip_encrypt(ctx, k, m, hdrlen))
210 /* NB: tkip_encrypt handles wk_keytsc */
218 tkip_getiv(struct ieee80211_key *k, struct ieee80211_crypto_iv *iv,
221 struct tkip_ctx *ctx = k->wk_private;
222 struct ieee80211com *ic = ctx->tc_ic;
223 uint8_t *ivp = (uint8_t *)iv;
226 * Handle TKIP counter measures requirement.
228 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
229 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
230 "Discard frame due to countermeasures (%s)\n",
232 ic->ic_stats.is_crypto_tkipcm++;
236 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
237 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
238 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
239 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
240 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
241 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
242 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
243 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
250 * Add MIC to the frame as needed.
253 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
255 struct tkip_ctx *ctx = k->wk_private;
257 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
258 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
259 struct ieee80211com *ic = ctx->tc_ic;
261 uint8_t mic[IEEE80211_WEP_MICLEN];
263 ic->ic_stats.is_crypto_tkipenmic++;
265 hdrlen = ieee80211_hdrspace(ic, wh);
267 michael_mic(ctx, k->wk_txmic,
268 m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
269 return ieee80211_mbuf_append(m, tkip.ic_miclen, mic);
274 static __inline uint64_t
275 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
277 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
278 uint16_t iv16 = (b4 << 0) | (b5 << 8);
279 return (((uint64_t)iv16) << 32) | iv32;
283 * Validate and strip privacy headers (and trailer) for a
284 * received frame. If necessary, decrypt the frame using
288 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
290 struct tkip_ctx *ctx = k->wk_private;
291 struct ieee80211com *ic = ctx->tc_ic;
292 struct ieee80211_frame *wh;
296 * Header should have extended IV and sequence number;
297 * verify the former and validate the latter.
299 wh = mtod(m, struct ieee80211_frame *);
300 ivp = mtod(m, uint8_t *) + hdrlen;
301 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
303 * No extended IV; discard frame.
305 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
306 "[%6D] missing ExtIV for TKIP cipher\n",
308 ctx->tc_ic->ic_stats.is_rx_tkipformat++;
312 * Handle TKIP counter measures requirement.
314 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
315 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
316 "[%6D] discard frame due to countermeasures (%s)\n",
317 wh->i_addr2, ":", __func__);
318 ic->ic_stats.is_crypto_tkipcm++;
322 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
323 if (ctx->rx_rsc <= k->wk_keyrsc) {
325 * Replay violation; notify upper layer.
327 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc);
328 ctx->tc_ic->ic_stats.is_rx_tkipreplay++;
332 * NB: We can't update the rsc in the key until MIC is verified.
334 * We assume we are not preempted between doing the check above
335 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
336 * Otherwise we might process another packet and discard it as
341 * Check if the device handled the decrypt in hardware.
342 * If so we just strip the header; otherwise we need to
343 * handle the decrypt in software.
345 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
346 !tkip_decrypt(ctx, k, m, hdrlen))
350 * Copy up 802.11 header and strip crypto bits.
352 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
353 m_adj(m, tkip.ic_header);
354 m_adj(m, -tkip.ic_trailer);
360 tkip_update(struct ieee80211_key *k, const struct ieee80211_crypto_iv *iv,
361 const struct ieee80211_frame *wh)
363 struct tkip_ctx *ctx = k->wk_private;
364 struct ieee80211com *ic = ctx->tc_ic;
365 const uint8_t *ivp = (const uint8_t *)iv;
368 * Header should have extended IV and sequence number;
369 * verify the former and validate the latter.
371 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
373 * No extended IV; discard frame.
375 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
376 "[%6D] missing ExtIV for TKIP cipher\n",
378 ctx->tc_ic->ic_stats.is_rx_tkipformat++;
382 * Handle TKIP counter measures requirement.
384 if (ic->ic_flags & IEEE80211_F_COUNTERM) {
385 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO,
386 "[%6D] discard frame due to countermeasures (%s)\n",
387 wh->i_addr2, ":", __func__);
388 ic->ic_stats.is_crypto_tkipcm++;
392 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
393 if (ctx->rx_rsc <= k->wk_keyrsc) {
395 * Replay violation; notify upper layer.
397 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc);
398 ctx->tc_ic->ic_stats.is_rx_tkipreplay++;
403 * NB: We can't update the rsc in the key until MIC is verified.
405 * We assume we are not preempted between doing the check above
406 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
407 * Otherwise we might process another packet and discard it as
414 * Verify and strip MIC from the frame.
417 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
419 struct tkip_ctx *ctx = k->wk_private;
421 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
422 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
423 struct ieee80211com *ic = ctx->tc_ic;
424 int hdrlen = ieee80211_hdrspace(ic, wh);
425 uint8_t mic[IEEE80211_WEP_MICLEN];
426 uint8_t mic0[IEEE80211_WEP_MICLEN];
428 ic->ic_stats.is_crypto_tkipdemic++;
430 michael_mic(ctx, k->wk_rxmic,
431 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
433 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
434 tkip.ic_miclen, (caddr_t)mic0);
435 if (memcmp(mic, mic0, tkip.ic_miclen)) {
436 /* NB: 802.11 layer handles statistic and debug msg */
437 ieee80211_notify_michael_failure(ic, wh,
438 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
439 k->wk_rxkeyix : k->wk_keyix);
444 if (force || (k->wk_flags & IEEE80211_KEY_NOMIC) == 0) {
446 * Strip MIC from the tail.
448 m_adj(m, -tkip.ic_miclen);
452 * Ok to update rsc now that MIC has been verified.
454 k->wk_keyrsc = ctx->rx_rsc;
460 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
462 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
464 * This program is free software; you can redistribute it and/or modify
465 * it under the terms of the GNU General Public License version 2 as
466 * published by the Free Software Foundation. See README and COPYING for
469 * Alternatively, this software may be distributed under the terms of BSD
473 static const uint32_t crc32_table[256] = {
474 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
475 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
476 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
477 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
478 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
479 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
480 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
481 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
482 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
483 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
484 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
485 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
486 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
487 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
488 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
489 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
490 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
491 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
492 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
493 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
494 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
495 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
496 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
497 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
498 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
499 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
500 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
501 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
502 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
503 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
504 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
505 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
506 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
507 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
508 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
509 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
510 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
511 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
512 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
513 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
514 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
515 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
516 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
517 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
518 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
519 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
520 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
521 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
522 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
523 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
524 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
528 static __inline uint16_t
531 return (val >> 1) | (val << 15);
534 static __inline uint8_t
540 static __inline uint8_t
546 static __inline uint16_t
552 static __inline uint16_t
558 static __inline uint16_t
559 Mk16(uint8_t hi, uint8_t lo)
561 return lo | (((uint16_t) hi) << 8);
564 static __inline uint16_t
565 Mk16_le(const uint16_t *v)
570 static const uint16_t Sbox[256] = {
571 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
572 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
573 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
574 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
575 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
576 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
577 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
578 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
579 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
580 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
581 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
582 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
583 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
584 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
585 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
586 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
587 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
588 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
589 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
590 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
591 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
592 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
593 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
594 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
595 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
596 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
597 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
598 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
599 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
600 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
601 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
602 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
605 static __inline uint16_t
608 uint16_t t = Sbox[Hi8(v)];
609 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
612 #define PHASE1_LOOP_COUNT 8
615 tkip_mixing_phase1(uint16_t *TTAK, const uint8_t *TK, const uint8_t *TA,
620 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
621 TTAK[0] = Lo16(IV32);
622 TTAK[1] = Hi16(IV32);
623 TTAK[2] = Mk16(TA[1], TA[0]);
624 TTAK[3] = Mk16(TA[3], TA[2]);
625 TTAK[4] = Mk16(TA[5], TA[4]);
627 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
629 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
630 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
631 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
632 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
633 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
638 #error "Don't know native byte order"
642 tkip_mixing_phase2(uint8_t *WEPSeed, const uint8_t *TK, const uint16_t *TTAK,
645 /* Make temporary area overlap WEP seed so that the final copy can be
646 * avoided on little endian hosts. */
647 uint16_t *PPK = (uint16_t *) &WEPSeed[4];
649 /* Step 1 - make copy of TTAK and bring in TSC */
655 PPK[5] = TTAK[4] + IV16;
657 /* Step 2 - 96-bit bijective mixing using S-box */
658 PPK[0] += _S_(PPK[5] ^ Mk16_le((const uint16_t *) &TK[0]));
659 PPK[1] += _S_(PPK[0] ^ Mk16_le((const uint16_t *) &TK[2]));
660 PPK[2] += _S_(PPK[1] ^ Mk16_le((const uint16_t *) &TK[4]));
661 PPK[3] += _S_(PPK[2] ^ Mk16_le((const uint16_t *) &TK[6]));
662 PPK[4] += _S_(PPK[3] ^ Mk16_le((const uint16_t *) &TK[8]));
663 PPK[5] += _S_(PPK[4] ^ Mk16_le((const uint16_t *) &TK[10]));
665 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const uint16_t *) &TK[12]));
666 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const uint16_t *) &TK[14]));
667 PPK[2] += RotR1(PPK[1]);
668 PPK[3] += RotR1(PPK[2]);
669 PPK[4] += RotR1(PPK[3]);
670 PPK[5] += RotR1(PPK[4]);
672 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
673 * WEPSeed[0..2] is transmitted as WEP IV */
674 WEPSeed[0] = Hi8(IV16);
675 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
676 WEPSeed[2] = Lo8(IV16);
677 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])) >> 1);
679 #if _BYTE_ORDER == _BIG_ENDIAN
682 for (i = 0; i < 6; i++)
683 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
689 wep_encrypt(uint8_t *key, struct mbuf *m0, u_int off, size_t data_len,
690 uint8_t icv[IEEE80211_WEP_CRCLEN])
692 uint32_t i, j, k, crc;
697 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
699 /* Setup RC4 state */
700 for (i = 0; i < 256; i++)
703 for (i = 0; i < 256; i++) {
704 j = (j + S[i] + key[i & 0x0f]) & 0xff;
708 /* Compute CRC32 over unencrypted data and apply RC4 to data */
712 pos = mtod(m, uint8_t *) + off;
713 buflen = m->m_len - off;
715 if (buflen > data_len)
718 for (k = 0; k < buflen; k++) {
719 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
721 j = (j + S[i]) & 0xff;
723 *pos++ ^= S[(S[i] + S[j]) & 0xff];
727 KASSERT(data_len == 0,
728 ("out of buffers with data_len %zu\n", data_len));
731 pos = mtod(m, uint8_t *);
736 /* Append little-endian CRC32 and encrypt it to produce ICV */
741 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
743 j = (j + S[i]) & 0xff;
745 icv[k] ^= S[(S[i] + S[j]) & 0xff];
750 wep_decrypt(uint8_t *key, struct mbuf *m, u_int off, size_t data_len)
752 uint32_t i, j, k, crc;
754 uint8_t *pos, icv[4];
757 /* Setup RC4 state */
758 for (i = 0; i < 256; i++)
761 for (i = 0; i < 256; i++) {
762 j = (j + S[i] + key[i & 0x0f]) & 0xff;
766 /* Apply RC4 to data and compute CRC32 over decrypted data */
769 pos = mtod(m, uint8_t *) + off;
770 buflen = m->m_len - off;
772 if (buflen > data_len)
775 for (k = 0; k < buflen; k++) {
777 j = (j + S[i]) & 0xff;
779 *pos ^= S[(S[i] + S[j]) & 0xff];
780 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
785 KASSERT(data_len == 0,
786 ("out of buffers with data_len %zu\n", data_len));
789 pos = mtod(m, uint8_t *);
794 /* Encrypt little-endian CRC32 and verify that it matches with the
800 for (k = 0; k < 4; k++) {
802 j = (j + S[i]) & 0xff;
804 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
805 /* ICV mismatch - drop frame */
814 static __inline uint32_t
815 rotl(uint32_t val, int bits)
817 return (val << bits) | (val >> (32 - bits));
821 static __inline uint32_t
822 rotr(uint32_t val, int bits)
824 return (val >> bits) | (val << (32 - bits));
828 static __inline uint32_t
831 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
835 #define michael_block(l, r) \
848 static __inline uint32_t
849 get_le32_split(uint8_t b0, uint8_t b1, uint8_t b2,
852 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
855 static __inline uint32_t
856 get_le32(const uint8_t *p)
858 return get_le32_split(p[0], p[1], p[2], p[3]);
863 put_le32(uint8_t *p, uint32_t v)
872 * Craft pseudo header used to calculate the MIC.
875 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
877 const struct ieee80211_frame_addr4 *wh =
878 (const struct ieee80211_frame_addr4 *) wh0;
880 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
881 case IEEE80211_FC1_DIR_NODS:
882 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
883 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
885 case IEEE80211_FC1_DIR_TODS:
886 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
887 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
889 case IEEE80211_FC1_DIR_FROMDS:
890 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
891 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
893 case IEEE80211_FC1_DIR_DSTODS:
894 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
895 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
899 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
900 const struct ieee80211_qosframe *qwh =
901 (const struct ieee80211_qosframe *) wh;
902 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
905 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
909 michael_mic(struct tkip_ctx *ctx, const uint8_t *key,
910 struct mbuf *m, u_int off, size_t data_len,
911 uint8_t mic[IEEE80211_WEP_MICLEN])
918 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
921 r = get_le32(key + 4);
923 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
926 l ^= get_le32(&hdr[4]);
928 l ^= get_le32(&hdr[8]);
930 l ^= get_le32(&hdr[12]);
933 /* first buffer has special handling */
934 data = mtod(m, const uint8_t *) + off;
935 space = m->m_len - off;
937 if (space > data_len)
939 /* collect 32-bit blocks from current buffer */
940 while (space >= sizeof(uint32_t)) {
943 data += sizeof(uint32_t), space -= sizeof(uint32_t);
944 data_len -= sizeof(uint32_t);
946 if (data_len < sizeof(uint32_t))
950 KASSERT(0, ("out of data, data_len %zu\n", data_len));
954 const uint8_t *data_next;
956 * Block straddles buffers, split references.
958 data_next = mtod(m, const uint8_t *);
959 KASSERT(m->m_len >= sizeof(uint32_t) - space,
960 ("not enough data in following buffer, "
961 "m_len %u need %zu\n", m->m_len,
962 sizeof(uint32_t) - space));
965 l ^= get_le32_split(data[0], data_next[0],
966 data_next[1], data_next[2]);
967 data = data_next + 3;
968 space = m->m_len - 3;
971 l ^= get_le32_split(data[0], data[1],
972 data_next[0], data_next[1]);
973 data = data_next + 2;
974 space = m->m_len - 2;
977 l ^= get_le32_split(data[0], data[1],
978 data[2], data_next[0]);
979 data = data_next + 1;
980 space = m->m_len - 1;
984 data_len -= sizeof(uint32_t);
987 * Setup for next buffer.
989 data = mtod(m, const uint8_t *);
993 /* Last block and padding (0x5a, 4..7 x 0) */
996 l ^= get_le32_split(0x5a, 0, 0, 0);
999 l ^= get_le32_split(data[0], 0x5a, 0, 0);
1002 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
1005 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
1008 michael_block(l, r);
1010 michael_block(l, r);
1013 put_le32(mic + 4, r);
1017 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1018 struct mbuf *m, int hdrlen)
1020 struct ieee80211_frame *wh;
1021 uint8_t icv[IEEE80211_WEP_CRCLEN];
1023 ctx->tc_ic->ic_stats.is_crypto_tkip++;
1025 wh = mtod(m, struct ieee80211_frame *);
1026 if (!ctx->tx_phase1_done) {
1027 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
1028 (uint32_t)(key->wk_keytsc >> 16));
1029 ctx->tx_phase1_done = 1;
1031 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
1032 (uint16_t)key->wk_keytsc);
1034 wep_encrypt(ctx->tx_rc4key,
1035 m, hdrlen + tkip.ic_header,
1036 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
1039 /* XXX check return */
1040 ieee80211_mbuf_append(m, IEEE80211_WEP_CRCLEN, icv);
1043 if ((uint16_t)(key->wk_keytsc) == 0)
1044 ctx->tx_phase1_done = 0;
1049 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1050 struct mbuf *m, int hdrlen)
1052 struct ieee80211_frame *wh;
1056 ctx->tc_ic->ic_stats.is_crypto_tkip++;
1058 wh = mtod(m, struct ieee80211_frame *);
1059 /* NB: tkip_decap already verified header and left seq in rx_rsc */
1060 iv16 = (uint16_t)ctx->rx_rsc;
1061 iv32 = (uint32_t)(ctx->rx_rsc >> 16);
1063 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) {
1064 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
1066 ctx->rx_phase1_done = 1;
1068 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
1070 /* NB: m is unstripped; deduct headers + ICV to get payload */
1071 if (wep_decrypt(ctx->rx_rc4key,
1072 m, hdrlen + tkip.ic_header,
1073 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
1074 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16)) {
1075 /* Previously cached Phase1 result was already lost, so
1076 * it needs to be recalculated for the next packet. */
1077 ctx->rx_phase1_done = 0;
1079 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO,
1080 "[%6D] TKIP ICV mismatch on decrypt\n",
1082 ctx->tc_ic->ic_stats.is_rx_tkipicv++;
1092 tkip_modevent(module_t mod, int type, void *unused)
1096 ieee80211_crypto_register(&tkip);
1100 kprintf("wlan_tkip: still in use (%u dynamic refs)\n",
1104 ieee80211_crypto_unregister(&tkip);
1110 static moduledata_t tkip_mod = {
1115 DECLARE_MODULE(wlan_tkip, tkip_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
1116 MODULE_VERSION(wlan_tkip, 1);
1117 MODULE_DEPEND(wlan_tkip, wlan, 1, 1, 1);
projects / dragonfly.git / blob