1 /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.25 2015/11/24 13:45:06 mpi Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined 21 * in IEEE Std 802.11-2007 section 8.3.2. 22 */ 23 24 #include <sys/param.h> 25 #include <sys/systm.h> 26 #include <sys/mbuf.h> 27 #include <sys/malloc.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/endian.h> 31 #include <sys/syslog.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 37 #include <netinet/in.h> 38 #include <netinet/if_ether.h> 39 40 #include <net80211/ieee80211_var.h> 41 #include <net80211/ieee80211_crypto.h> 42 43 #include <crypto/arc4.h> 44 #include <crypto/michael.h> 45 46 typedef u_int8_t byte; /* 8-bit byte (octet) */ 47 typedef u_int16_t u16b; /* 16-bit unsigned word */ 48 typedef u_int32_t u32b; /* 32-bit unsigned word */ 49 50 static void Phase1(u16b *, const byte *, const byte *, u32b); 51 static void Phase2(byte *, const byte *, const u16b *, u16b); 52 53 /* TKIP software crypto context */ 54 struct ieee80211_tkip_ctx { 55 struct rc4_ctx rc4; 56 const u_int8_t *txmic; 57 const u_int8_t *rxmic; 58 u_int16_t txttak[5]; 59 u_int16_t rxttak[5]; 60 u_int8_t txttak_ok; 61 u_int8_t rxttak_ok; 62 }; 63 64 /* 65 * Initialize software crypto context. This function can be overridden 66 * by drivers doing hardware crypto. 67 */ 68 int 69 ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 70 { 71 struct ieee80211_tkip_ctx *ctx; 72 73 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 74 if (ctx == NULL) 75 return ENOMEM; 76 /* 77 * Use bits 128-191 as the Michael key for AA->SPA and bits 78 * 192-255 as the Michael key for SPA->AA. 79 */ 80 #ifndef IEEE80211_STA_ONLY 81 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 82 ctx->txmic = &k->k_key[16]; 83 ctx->rxmic = &k->k_key[24]; 84 } else 85 #endif 86 { 87 ctx->rxmic = &k->k_key[16]; 88 ctx->txmic = &k->k_key[24]; 89 } 90 k->k_priv = ctx; 91 return 0; 92 } 93 94 void 95 ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 96 { 97 if (k->k_priv != NULL) 98 free(k->k_priv, M_DEVBUF, 0); 99 k->k_priv = NULL; 100 } 101 102 /* pseudo-header used for TKIP MIC computation */ 103 struct ieee80211_tkip_frame { 104 u_int8_t i_da[IEEE80211_ADDR_LEN]; 105 u_int8_t i_sa[IEEE80211_ADDR_LEN]; 106 u_int8_t i_pri; 107 u_int8_t i_pad[3]; 108 } __packed; 109 110 /* 111 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the 112 * beginning. This function should be kept independant from the software 113 * TKIP crypto code so that drivers doing hardware crypto but not MIC can 114 * call it without a software crypto context. 115 */ 116 void 117 ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key, 118 u_int8_t mic[IEEE80211_TKIP_MICLEN]) 119 { 120 const struct ieee80211_frame *wh; 121 struct ieee80211_tkip_frame wht; 122 MICHAEL_CTX ctx; /* small enough */ 123 struct mbuf *m; 124 caddr_t pos; 125 int len; 126 127 /* assumes 802.11 header is contiguous */ 128 wh = mtod(m0, struct ieee80211_frame *); 129 130 /* construct pseudo-header for TKIP MIC computation */ 131 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 132 case IEEE80211_FC1_DIR_NODS: 133 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 134 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 135 break; 136 case IEEE80211_FC1_DIR_TODS: 137 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 138 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 139 break; 140 case IEEE80211_FC1_DIR_FROMDS: 141 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 142 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3); 143 break; 144 case IEEE80211_FC1_DIR_DSTODS: 145 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 146 IEEE80211_ADDR_COPY(wht.i_sa, 147 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); 148 break; 149 } 150 if (ieee80211_has_qos(wh)) 151 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; 152 else 153 wht.i_pri = 0; 154 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0; 155 156 michael_init(&ctx); 157 michael_key(key, &ctx); 158 159 michael_update(&ctx, (caddr_t)&wht, sizeof(wht)); 160 161 m = m0; 162 /* assumes the first "off" bytes are contiguous */ 163 pos = mtod(m, caddr_t) + off; 164 len = m->m_len - off; 165 for (;;) { 166 michael_update(&ctx, pos, len); 167 if ((m = m->m_next) == NULL) 168 break; 169 pos = mtod(m, caddr_t); 170 len = m->m_len; 171 } 172 173 michael_final(mic, &ctx); 174 } 175 176 /* shortcuts */ 177 #define IEEE80211_TKIP_TAILLEN \ 178 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN) 179 #define IEEE80211_TKIP_OVHD \ 180 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN) 181 182 struct mbuf * 183 ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0, 184 struct ieee80211_key *k) 185 { 186 struct ieee80211_tkip_ctx *ctx = k->k_priv; 187 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 188 const struct ieee80211_frame *wh; 189 u_int8_t *ivp, *mic, *icvp; 190 struct mbuf *n0, *m, *n; 191 u_int32_t crc; 192 int left, moff, noff, len, hdrlen; 193 194 MGET(n0, M_DONTWAIT, m0->m_type); 195 if (n0 == NULL) 196 goto nospace; 197 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 198 goto nospace; 199 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN; 200 n0->m_len = MHLEN; 201 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 202 MCLGET(n0, M_DONTWAIT); 203 if (n0->m_flags & M_EXT) 204 n0->m_len = n0->m_ext.ext_size; 205 } 206 if (n0->m_len > n0->m_pkthdr.len) 207 n0->m_len = n0->m_pkthdr.len; 208 209 /* copy 802.11 header */ 210 wh = mtod(m0, struct ieee80211_frame *); 211 hdrlen = ieee80211_get_hdrlen(wh); 212 memcpy(mtod(n0, caddr_t), wh, hdrlen); 213 214 k->k_tsc++; /* increment the 48-bit TSC */ 215 216 /* construct TKIP header */ 217 ivp = mtod(n0, u_int8_t *) + hdrlen; 218 ivp[0] = k->k_tsc >> 8; /* TSC1 */ 219 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */ 220 ivp[1] = (ivp[0] | 0x20) & 0x7f; 221 ivp[2] = k->k_tsc; /* TSC0 */ 222 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */ 223 ivp[4] = k->k_tsc >> 16; /* TSC2 */ 224 ivp[5] = k->k_tsc >> 24; /* TSC3 */ 225 ivp[6] = k->k_tsc >> 32; /* TSC4 */ 226 ivp[7] = k->k_tsc >> 40; /* TSC5 */ 227 228 /* compute WEP seed */ 229 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) { 230 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16); 231 ctx->txttak_ok = 1; 232 } 233 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff); 234 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 235 236 /* encrypt frame body and compute WEP ICV */ 237 m = m0; 238 n = n0; 239 moff = hdrlen; 240 noff = hdrlen + IEEE80211_TKIP_HDRLEN; 241 left = m0->m_pkthdr.len - moff; 242 crc = ~0; 243 while (left > 0) { 244 if (moff == m->m_len) { 245 /* nothing left to copy from m */ 246 m = m->m_next; 247 moff = 0; 248 } 249 if (noff == n->m_len) { 250 /* n is full and there's more data to copy */ 251 MGET(n->m_next, M_DONTWAIT, n->m_type); 252 if (n->m_next == NULL) 253 goto nospace; 254 n = n->m_next; 255 n->m_len = MLEN; 256 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 257 MCLGET(n, M_DONTWAIT); 258 if (n->m_flags & M_EXT) 259 n->m_len = n->m_ext.ext_size; 260 } 261 if (n->m_len > left) 262 n->m_len = left; 263 noff = 0; 264 } 265 len = min(m->m_len - moff, n->m_len - noff); 266 267 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len); 268 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 269 mtod(n, caddr_t) + noff, len); 270 271 moff += len; 272 noff += len; 273 left -= len; 274 } 275 276 /* reserve trailing space for TKIP MIC and WEP ICV */ 277 if (M_TRAILINGSPACE(n) < IEEE80211_TKIP_TAILLEN) { 278 MGET(n->m_next, M_DONTWAIT, n->m_type); 279 if (n->m_next == NULL) 280 goto nospace; 281 n = n->m_next; 282 n->m_len = 0; 283 } 284 285 /* compute TKIP MIC over clear text */ 286 mic = mtod(n, caddr_t) + n->m_len; 287 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic); 288 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN); 289 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN); 290 n->m_len += IEEE80211_TKIP_MICLEN; 291 292 /* finalize WEP ICV */ 293 icvp = mtod(n, caddr_t) + n->m_len; 294 crc = ~crc; 295 icvp[0] = crc; 296 icvp[1] = crc >> 8; 297 icvp[2] = crc >> 16; 298 icvp[3] = crc >> 24; 299 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN); 300 n->m_len += IEEE80211_WEP_CRCLEN; 301 302 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN; 303 304 m_freem(m0); 305 return n0; 306 nospace: 307 ic->ic_stats.is_tx_nombuf++; 308 m_freem(m0); 309 m_freem(n0); 310 return NULL; 311 } 312 313 struct mbuf * 314 ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0, 315 struct ieee80211_key *k) 316 { 317 struct ieee80211_tkip_ctx *ctx = k->k_priv; 318 struct ieee80211_frame *wh; 319 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 320 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN]; 321 u_int8_t mic[IEEE80211_TKIP_MICLEN]; 322 u_int64_t tsc, *prsc; 323 u_int32_t crc, crc0; 324 u_int8_t *ivp, *mic0; 325 u_int8_t tid; 326 struct mbuf *n0, *m, *n; 327 int hdrlen, left, moff, noff, len; 328 329 wh = mtod(m0, struct ieee80211_frame *); 330 hdrlen = ieee80211_get_hdrlen(wh); 331 332 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) { 333 m_freem(m0); 334 return NULL; 335 } 336 337 ivp = (u_int8_t *)wh + hdrlen; 338 /* check that ExtIV bit is set */ 339 if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { 340 m_freem(m0); 341 return NULL; 342 } 343 344 /* retrieve last seen packet number for this frame priority */ 345 tid = ieee80211_has_qos(wh) ? 346 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; 347 prsc = &k->k_rsc[tid]; 348 349 /* extract the 48-bit TSC from the TKIP header */ 350 tsc = (u_int64_t)ivp[2] | 351 (u_int64_t)ivp[0] << 8 | 352 (u_int64_t)ivp[4] << 16 | 353 (u_int64_t)ivp[5] << 24 | 354 (u_int64_t)ivp[6] << 32 | 355 (u_int64_t)ivp[7] << 40; 356 if (tsc <= *prsc) { 357 /* replayed frame, discard */ 358 ic->ic_stats.is_tkip_replays++; 359 m_freem(m0); 360 return NULL; 361 } 362 363 MGET(n0, M_DONTWAIT, m0->m_type); 364 if (n0 == NULL) 365 goto nospace; 366 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 367 goto nospace; 368 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD; 369 n0->m_len = MHLEN; 370 if (n0->m_pkthdr.len >= MINCLSIZE) { 371 MCLGET(n0, M_DONTWAIT); 372 if (n0->m_flags & M_EXT) 373 n0->m_len = n0->m_ext.ext_size; 374 } 375 if (n0->m_len > n0->m_pkthdr.len) 376 n0->m_len = n0->m_pkthdr.len; 377 378 /* copy 802.11 header and clear protected bit */ 379 memcpy(mtod(n0, caddr_t), wh, hdrlen); 380 wh = mtod(n0, struct ieee80211_frame *); 381 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 382 383 /* compute WEP seed */ 384 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) { 385 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */ 386 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16); 387 } 388 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff); 389 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 390 391 /* decrypt frame body and compute WEP ICV */ 392 m = m0; 393 n = n0; 394 moff = hdrlen + IEEE80211_TKIP_HDRLEN; 395 noff = hdrlen; 396 left = n0->m_pkthdr.len - noff; 397 crc = ~0; 398 while (left > 0) { 399 if (moff == m->m_len) { 400 /* nothing left to copy from m */ 401 m = m->m_next; 402 moff = 0; 403 } 404 if (noff == n->m_len) { 405 /* n is full and there's more data to copy */ 406 MGET(n->m_next, M_DONTWAIT, n->m_type); 407 if (n->m_next == NULL) 408 goto nospace; 409 n = n->m_next; 410 n->m_len = MLEN; 411 if (left >= MINCLSIZE) { 412 MCLGET(n, M_DONTWAIT); 413 if (n->m_flags & M_EXT) 414 n->m_len = n->m_ext.ext_size; 415 } 416 if (n->m_len > left) 417 n->m_len = left; 418 noff = 0; 419 } 420 len = min(m->m_len - moff, n->m_len - noff); 421 422 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 423 mtod(n, caddr_t) + noff, len); 424 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len); 425 426 moff += len; 427 noff += len; 428 left -= len; 429 } 430 431 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */ 432 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf); 433 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN); 434 435 /* include TKIP MIC in WEP ICV */ 436 mic0 = buf; 437 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN); 438 crc = ~crc; 439 440 /* decrypt ICV and compare it with calculated ICV */ 441 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN); 442 if (crc != letoh32(crc0)) { 443 ic->ic_stats.is_tkip_icv_errs++; 444 m_freem(m0); 445 m_freem(n0); 446 return NULL; 447 } 448 449 /* compute TKIP MIC over decrypted message */ 450 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic); 451 /* check that it matches the MIC in received frame */ 452 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) { 453 m_freem(m0); 454 m_freem(n0); 455 ic->ic_stats.is_rx_locmicfail++; 456 ieee80211_michael_mic_failure(ic, tsc); 457 return NULL; 458 } 459 460 /* update last seen packet number (MIC is validated) */ 461 *prsc = tsc; 462 /* mark cached TTAK as valid */ 463 ctx->rxttak_ok = 1; 464 465 m_freem(m0); 466 return n0; 467 nospace: 468 ic->ic_stats.is_rx_nombuf++; 469 m_freem(m0); 470 m_freem(n0); 471 return NULL; 472 } 473 474 #ifndef IEEE80211_STA_ONLY 475 /* 476 * This function is called in HostAP mode to deauthenticate all STAs using 477 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures). 478 */ 479 static void 480 ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni) 481 { 482 struct ieee80211com *ic = arg; 483 484 if (ni->ni_state == IEEE80211_STA_ASSOC && 485 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP || 486 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) { 487 /* deauthenticate STA */ 488 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 489 IEEE80211_REASON_MIC_FAILURE); 490 ieee80211_node_leave(ic, ni); 491 } 492 } 493 #endif /* IEEE80211_STA_ONLY */ 494 495 /* 496 * This function can be called by the software TKIP crypto code or by the 497 * drivers when their hardware crypto engines detect a Michael MIC failure. 498 */ 499 void 500 ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc) 501 { 502 extern int ticks; 503 504 if (ic->ic_flags & IEEE80211_F_COUNTERM) 505 return; /* countermeasures already active */ 506 507 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname); 508 509 /* 510 * NB. do not send Michael MIC Failure reports as recommended since 511 * these may be used as an oracle to verify CRC guesses as described 512 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA" 513 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf 514 */ 515 516 /* 517 * Activate TKIP countermeasures (see 8.3.2.4) if less than 60 518 * seconds have passed since the most recent previous MIC failure. 519 */ 520 if (ic->ic_tkip_micfail == 0 || 521 ticks - (ic->ic_tkip_micfail + 60 * hz) >= 0) { 522 ic->ic_tkip_micfail = ticks; 523 ic->ic_tkip_micfail_last_tsc = tsc; 524 return; 525 } 526 527 switch (ic->ic_opmode) { 528 #ifndef IEEE80211_STA_ONLY 529 case IEEE80211_M_HOSTAP: 530 /* refuse new TKIP associations for the next 60 seconds */ 531 ic->ic_flags |= IEEE80211_F_COUNTERM; 532 533 /* deauthenticate all currently associated STAs using TKIP */ 534 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic); 535 break; 536 #endif 537 case IEEE80211_M_STA: 538 /* 539 * Notify the AP of MIC failures: send two Michael 540 * MIC Failure Report frames back-to-back to trigger 541 * countermeasures at the AP end. 542 */ 543 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 544 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 545 ic->ic_tkip_micfail_last_tsc); 546 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 547 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 548 tsc); 549 550 /* deauthenticate from the AP.. */ 551 IEEE80211_SEND_MGMT(ic, ic->ic_bss, 552 IEEE80211_FC0_SUBTYPE_DEAUTH, 553 IEEE80211_REASON_MIC_FAILURE); 554 /* ..and find another one */ 555 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 556 break; 557 default: 558 break; 559 } 560 561 ic->ic_tkip_micfail = ticks; 562 ic->ic_tkip_micfail_last_tsc = tsc; 563 } 564 565 /*********************************************************************** 566 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors 567 Date: April 19, 2002 568 Notes: 569 This code is written for pedagogical purposes, NOT for performance. 570 ************************************************************************/ 571 572 /* macros for extraction/creation of byte/u16b values */ 573 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 574 #define Lo8(v16) ((byte)( (v16) & 0x00FF)) 575 #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF)) 576 #define Lo16(v32) ((u16b)( (v32) & 0xFFFF)) 577 #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF)) 578 #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8)) 579 580 /* select the Nth 16-bit word of the Temporal Key byte array TK[] */ 581 #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)]) 582 583 /* S-box lookup: 16 bits --> 16 bits */ 584 #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)])) 585 586 /* fixed algorithm "parameters" */ 587 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 588 #define TA_SIZE 6 /* 48-bit transmitter address */ 589 #define TK_SIZE 16 /* 128-bit Temporal Key */ 590 #define P1K_SIZE 10 /* 80-bit Phase1 key */ 591 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */ 592 593 /* 2-byte by 2-byte subset of the full AES S-box table */ 594 static const u16b Sbox[256]= /* Sbox for hash */ 595 { 596 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 597 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 598 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 599 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 600 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 601 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 602 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 603 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 604 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 605 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 606 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 607 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 608 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 609 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 610 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 611 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 612 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 613 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 614 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 615 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 616 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 617 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 618 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 619 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 620 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 621 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 622 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 623 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 624 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 625 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 626 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 627 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A 628 }; 629 630 /* 631 ********************************************************************** 632 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 633 * 634 * Inputs: 635 * TK[] = Temporal Key [128 bits] 636 * TA[] = transmitter's MAC address [ 48 bits] 637 * IV32 = upper 32 bits of IV [ 32 bits] 638 * Output: 639 * P1K[] = Phase 1 key [ 80 bits] 640 * 641 * Note: 642 * This function only needs to be called every 2**16 frames, 643 * although in theory it could be called every frame. 644 * 645 ********************************************************************** 646 */ 647 static void 648 Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32) 649 { 650 int i; 651 652 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 653 P1K[0] = Lo16(IV32); 654 P1K[1] = Hi16(IV32); 655 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */ 656 P1K[3] = Mk16(TA[3], TA[2]); 657 P1K[4] = Mk16(TA[5], TA[4]); 658 659 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 660 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 661 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 662 /* Each add operation here is mod 2**16 */ 663 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0)); 664 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2)); 665 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4)); 666 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6)); 667 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0)); 668 P1K[4] += i; /* avoid "slide attacks" */ 669 } 670 } 671 672 /* 673 ********************************************************************** 674 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 675 * 676 * Inputs: 677 * TK[] = Temporal Key [128 bits] 678 * P1K[] = Phase 1 output key [ 80 bits] 679 * IV16 = low 16 bits of IV counter [ 16 bits] 680 * Output: 681 * RC4KEY[] = the key used to encrypt the frame [128 bits] 682 * 683 * Note: 684 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique 685 * across all frames using the same key TK value. Then, for a 686 * given value of TK[], this TKIP48 construction guarantees that 687 * the final RC4KEY value is unique across all frames. 688 * 689 ********************************************************************** 690 */ 691 static void 692 Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16) 693 { 694 u16b *PPK; /* temporary key for mixing */ 695 int i; 696 697 /* 698 * Suggested implementation optimization: if PPK[] is "overlaid" 699 * appropriately on RC4KEY[], there is no need for the final for 700 * loop that copies the PPK[] result into RC4KEY[]. 701 */ 702 PPK = (u16b *)&RC4KEY[4]; 703 704 /* all adds in the PPK[] equations below are mod 2**16 */ 705 for (i = 0; i < 5; i++) 706 PPK[i] = P1K[i]; /* first, copy P1K to PPK */ 707 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */ 708 709 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 710 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 711 PPK[1] += _S_(PPK[0] ^ TK16(1)); 712 PPK[2] += _S_(PPK[1] ^ TK16(2)); 713 PPK[3] += _S_(PPK[2] ^ TK16(3)); 714 PPK[4] += _S_(PPK[3] ^ TK16(4)); 715 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 716 717 /* Final sweep: bijective, linear. Rotates kill LSB correlations */ 718 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 719 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 720 PPK[2] += RotR1(PPK[1]); 721 PPK[3] += RotR1(PPK[2]); 722 PPK[4] += RotR1(PPK[3]); 723 PPK[5] += RotR1(PPK[4]); 724 725 /* At this point, for a given key TK[0..15], the 96-bit output */ 726 /* value PPK[0..5] is guaranteed to be unique, as a function */ 727 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */ 728 /* is now a keyed permutation of {TA,IV32,IV16}. */ 729 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */ 730 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */ 731 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */ 732 RC4KEY[2] = Lo8(IV16); 733 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 734 735 #if BYTE_ORDER == BIG_ENDIAN 736 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 737 for (i = 0; i < 6; i++) 738 PPK[i] = swap16(PPK[i]); 739 #endif 740 } 741