1 /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.22 2014/07/12 18:44:22 tedu Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* 20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined 21 * in IEEE Std 802.11-2007 section 8.3.2. 22 */ 23 24 #include <sys/param.h> 25 #include <sys/systm.h> 26 #include <sys/mbuf.h> 27 #include <sys/malloc.h> 28 #include <sys/kernel.h> 29 #include <sys/socket.h> 30 #include <sys/endian.h> 31 #include <sys/syslog.h> 32 33 #include <net/if.h> 34 #include <net/if_dl.h> 35 #include <net/if_media.h> 36 #include <net/if_arp.h> 37 38 #ifdef INET 39 #include <netinet/in.h> 40 #include <netinet/if_ether.h> 41 #endif 42 43 #include <net80211/ieee80211_var.h> 44 #include <net80211/ieee80211_crypto.h> 45 46 #include <crypto/arc4.h> 47 #include <crypto/michael.h> 48 49 typedef u_int8_t byte; /* 8-bit byte (octet) */ 50 typedef u_int16_t u16b; /* 16-bit unsigned word */ 51 typedef u_int32_t u32b; /* 32-bit unsigned word */ 52 53 static void Phase1(u16b *, const byte *, const byte *, u32b); 54 static void Phase2(byte *, const byte *, const u16b *, u16b); 55 56 /* TKIP software crypto context */ 57 struct ieee80211_tkip_ctx { 58 struct rc4_ctx rc4; 59 const u_int8_t *txmic; 60 const u_int8_t *rxmic; 61 u_int16_t txttak[5]; 62 u_int16_t rxttak[5]; 63 u_int8_t txttak_ok; 64 u_int8_t rxttak_ok; 65 }; 66 67 /* 68 * Initialize software crypto context. This function can be overridden 69 * by drivers doing hardware crypto. 70 */ 71 int 72 ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 73 { 74 struct ieee80211_tkip_ctx *ctx; 75 76 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 77 if (ctx == NULL) 78 return ENOMEM; 79 /* 80 * Use bits 128-191 as the Michael key for AA->SPA and bits 81 * 192-255 as the Michael key for SPA->AA. 82 */ 83 #ifndef IEEE80211_STA_ONLY 84 if (ic->ic_opmode == IEEE80211_M_HOSTAP) { 85 ctx->txmic = &k->k_key[16]; 86 ctx->rxmic = &k->k_key[24]; 87 } else 88 #endif 89 { 90 ctx->rxmic = &k->k_key[16]; 91 ctx->txmic = &k->k_key[24]; 92 } 93 k->k_priv = ctx; 94 return 0; 95 } 96 97 void 98 ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 99 { 100 if (k->k_priv != NULL) 101 free(k->k_priv, M_DEVBUF, 0); 102 k->k_priv = NULL; 103 } 104 105 /* pseudo-header used for TKIP MIC computation */ 106 struct ieee80211_tkip_frame { 107 u_int8_t i_da[IEEE80211_ADDR_LEN]; 108 u_int8_t i_sa[IEEE80211_ADDR_LEN]; 109 u_int8_t i_pri; 110 u_int8_t i_pad[3]; 111 } __packed; 112 113 /* 114 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the 115 * beginning. This function should be kept independant from the software 116 * TKIP crypto code so that drivers doing hardware crypto but not MIC can 117 * call it without a software crypto context. 118 */ 119 void 120 ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key, 121 u_int8_t mic[IEEE80211_TKIP_MICLEN]) 122 { 123 const struct ieee80211_frame *wh; 124 struct ieee80211_tkip_frame wht; 125 MICHAEL_CTX ctx; /* small enough */ 126 struct mbuf *m; 127 caddr_t pos; 128 int len; 129 130 /* assumes 802.11 header is contiguous */ 131 wh = mtod(m0, struct ieee80211_frame *); 132 133 /* construct pseudo-header for TKIP MIC computation */ 134 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 135 case IEEE80211_FC1_DIR_NODS: 136 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 137 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 138 break; 139 case IEEE80211_FC1_DIR_TODS: 140 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 141 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2); 142 break; 143 case IEEE80211_FC1_DIR_FROMDS: 144 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1); 145 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3); 146 break; 147 case IEEE80211_FC1_DIR_DSTODS: 148 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3); 149 IEEE80211_ADDR_COPY(wht.i_sa, 150 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); 151 break; 152 } 153 if (ieee80211_has_qos(wh)) 154 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; 155 else 156 wht.i_pri = 0; 157 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0; 158 159 michael_init(&ctx); 160 michael_key(key, &ctx); 161 162 michael_update(&ctx, (caddr_t)&wht, sizeof(wht)); 163 164 m = m0; 165 /* assumes the first "off" bytes are contiguous */ 166 pos = mtod(m, caddr_t) + off; 167 len = m->m_len - off; 168 for (;;) { 169 michael_update(&ctx, pos, len); 170 if ((m = m->m_next) == NULL) 171 break; 172 pos = mtod(m, caddr_t); 173 len = m->m_len; 174 } 175 176 michael_final(mic, &ctx); 177 } 178 179 /* shortcuts */ 180 #define IEEE80211_TKIP_TAILLEN \ 181 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN) 182 #define IEEE80211_TKIP_OVHD \ 183 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN) 184 185 struct mbuf * 186 ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0, 187 struct ieee80211_key *k) 188 { 189 struct ieee80211_tkip_ctx *ctx = k->k_priv; 190 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 191 const struct ieee80211_frame *wh; 192 u_int8_t *ivp, *mic, *icvp; 193 struct mbuf *n0, *m, *n; 194 u_int32_t crc; 195 int left, moff, noff, len, hdrlen; 196 197 MGET(n0, M_DONTWAIT, m0->m_type); 198 if (n0 == NULL) 199 goto nospace; 200 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 201 goto nospace; 202 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN; 203 n0->m_len = MHLEN; 204 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 205 MCLGET(n0, M_DONTWAIT); 206 if (n0->m_flags & M_EXT) 207 n0->m_len = n0->m_ext.ext_size; 208 } 209 if (n0->m_len > n0->m_pkthdr.len) 210 n0->m_len = n0->m_pkthdr.len; 211 212 /* copy 802.11 header */ 213 wh = mtod(m0, struct ieee80211_frame *); 214 hdrlen = ieee80211_get_hdrlen(wh); 215 memcpy(mtod(n0, caddr_t), wh, hdrlen); 216 217 k->k_tsc++; /* increment the 48-bit TSC */ 218 219 /* construct TKIP header */ 220 ivp = mtod(n0, u_int8_t *) + hdrlen; 221 ivp[0] = k->k_tsc >> 8; /* TSC1 */ 222 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */ 223 ivp[1] = (ivp[0] | 0x20) & 0x7f; 224 ivp[2] = k->k_tsc; /* TSC0 */ 225 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */ 226 ivp[4] = k->k_tsc >> 16; /* TSC2 */ 227 ivp[5] = k->k_tsc >> 24; /* TSC3 */ 228 ivp[6] = k->k_tsc >> 32; /* TSC4 */ 229 ivp[7] = k->k_tsc >> 40; /* TSC5 */ 230 231 /* compute WEP seed */ 232 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) { 233 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16); 234 ctx->txttak_ok = 1; 235 } 236 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff); 237 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 238 239 /* encrypt frame body and compute WEP ICV */ 240 m = m0; 241 n = n0; 242 moff = hdrlen; 243 noff = hdrlen + IEEE80211_TKIP_HDRLEN; 244 left = m0->m_pkthdr.len - moff; 245 crc = ~0; 246 while (left > 0) { 247 if (moff == m->m_len) { 248 /* nothing left to copy from m */ 249 m = m->m_next; 250 moff = 0; 251 } 252 if (noff == n->m_len) { 253 /* n is full and there's more data to copy */ 254 MGET(n->m_next, M_DONTWAIT, n->m_type); 255 if (n->m_next == NULL) 256 goto nospace; 257 n = n->m_next; 258 n->m_len = MLEN; 259 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) { 260 MCLGET(n, M_DONTWAIT); 261 if (n->m_flags & M_EXT) 262 n->m_len = n->m_ext.ext_size; 263 } 264 if (n->m_len > left) 265 n->m_len = left; 266 noff = 0; 267 } 268 len = min(m->m_len - moff, n->m_len - noff); 269 270 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len); 271 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 272 mtod(n, caddr_t) + noff, len); 273 274 moff += len; 275 noff += len; 276 left -= len; 277 } 278 279 /* reserve trailing space for TKIP MIC and WEP ICV */ 280 if (M_TRAILINGSPACE(n) < IEEE80211_TKIP_TAILLEN) { 281 MGET(n->m_next, M_DONTWAIT, n->m_type); 282 if (n->m_next == NULL) 283 goto nospace; 284 n = n->m_next; 285 n->m_len = 0; 286 } 287 288 /* compute TKIP MIC over clear text */ 289 mic = mtod(n, caddr_t) + n->m_len; 290 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic); 291 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN); 292 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN); 293 n->m_len += IEEE80211_TKIP_MICLEN; 294 295 /* finalize WEP ICV */ 296 icvp = mtod(n, caddr_t) + n->m_len; 297 crc = ~crc; 298 icvp[0] = crc; 299 icvp[1] = crc >> 8; 300 icvp[2] = crc >> 16; 301 icvp[3] = crc >> 24; 302 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN); 303 n->m_len += IEEE80211_WEP_CRCLEN; 304 305 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN; 306 307 m_freem(m0); 308 return n0; 309 nospace: 310 ic->ic_stats.is_tx_nombuf++; 311 m_freem(m0); 312 if (n0 != NULL) 313 m_freem(n0); 314 return NULL; 315 } 316 317 struct mbuf * 318 ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0, 319 struct ieee80211_key *k) 320 { 321 struct ieee80211_tkip_ctx *ctx = k->k_priv; 322 struct ieee80211_frame *wh; 323 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */ 324 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN]; 325 u_int8_t mic[IEEE80211_TKIP_MICLEN]; 326 u_int64_t tsc, *prsc; 327 u_int32_t crc, crc0; 328 u_int8_t *ivp, *mic0; 329 u_int8_t tid; 330 struct mbuf *n0, *m, *n; 331 int hdrlen, left, moff, noff, len; 332 333 wh = mtod(m0, struct ieee80211_frame *); 334 hdrlen = ieee80211_get_hdrlen(wh); 335 336 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) { 337 m_freem(m0); 338 return NULL; 339 } 340 341 ivp = (u_int8_t *)wh + hdrlen; 342 /* check that ExtIV bit is set */ 343 if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { 344 m_freem(m0); 345 return NULL; 346 } 347 348 /* retrieve last seen packet number for this frame priority */ 349 tid = ieee80211_has_qos(wh) ? 350 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; 351 prsc = &k->k_rsc[tid]; 352 353 /* extract the 48-bit TSC from the TKIP header */ 354 tsc = (u_int64_t)ivp[2] | 355 (u_int64_t)ivp[0] << 8 | 356 (u_int64_t)ivp[4] << 16 | 357 (u_int64_t)ivp[5] << 24 | 358 (u_int64_t)ivp[6] << 32 | 359 (u_int64_t)ivp[7] << 40; 360 if (tsc <= *prsc) { 361 /* replayed frame, discard */ 362 ic->ic_stats.is_tkip_replays++; 363 m_freem(m0); 364 return NULL; 365 } 366 367 MGET(n0, M_DONTWAIT, m0->m_type); 368 if (n0 == NULL) 369 goto nospace; 370 if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) 371 goto nospace; 372 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD; 373 n0->m_len = MHLEN; 374 if (n0->m_pkthdr.len >= MINCLSIZE) { 375 MCLGET(n0, M_DONTWAIT); 376 if (n0->m_flags & M_EXT) 377 n0->m_len = n0->m_ext.ext_size; 378 } 379 if (n0->m_len > n0->m_pkthdr.len) 380 n0->m_len = n0->m_pkthdr.len; 381 382 /* copy 802.11 header and clear protected bit */ 383 memcpy(mtod(n0, caddr_t), wh, hdrlen); 384 wh = mtod(n0, struct ieee80211_frame *); 385 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 386 387 /* compute WEP seed */ 388 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) { 389 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */ 390 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16); 391 } 392 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff); 393 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16); 394 395 /* decrypt frame body and compute WEP ICV */ 396 m = m0; 397 n = n0; 398 moff = hdrlen + IEEE80211_TKIP_HDRLEN; 399 noff = hdrlen; 400 left = n0->m_pkthdr.len - noff; 401 crc = ~0; 402 while (left > 0) { 403 if (moff == m->m_len) { 404 /* nothing left to copy from m */ 405 m = m->m_next; 406 moff = 0; 407 } 408 if (noff == n->m_len) { 409 /* n is full and there's more data to copy */ 410 MGET(n->m_next, M_DONTWAIT, n->m_type); 411 if (n->m_next == NULL) 412 goto nospace; 413 n = n->m_next; 414 n->m_len = MLEN; 415 if (left >= MINCLSIZE) { 416 MCLGET(n, M_DONTWAIT); 417 if (n->m_flags & M_EXT) 418 n->m_len = n->m_ext.ext_size; 419 } 420 if (n->m_len > left) 421 n->m_len = left; 422 noff = 0; 423 } 424 len = min(m->m_len - moff, n->m_len - noff); 425 426 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff, 427 mtod(n, caddr_t) + noff, len); 428 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len); 429 430 moff += len; 431 noff += len; 432 left -= len; 433 } 434 435 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */ 436 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf); 437 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN); 438 439 /* include TKIP MIC in WEP ICV */ 440 mic0 = buf; 441 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN); 442 crc = ~crc; 443 444 /* decrypt ICV and compare it with calculated ICV */ 445 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN); 446 if (crc != letoh32(crc0)) { 447 ic->ic_stats.is_tkip_icv_errs++; 448 m_freem(m0); 449 m_freem(n0); 450 return NULL; 451 } 452 453 /* compute TKIP MIC over decrypted message */ 454 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic); 455 /* check that it matches the MIC in received frame */ 456 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) { 457 m_freem(m0); 458 m_freem(n0); 459 ic->ic_stats.is_rx_locmicfail++; 460 ieee80211_michael_mic_failure(ic, tsc); 461 return NULL; 462 } 463 464 /* update last seen packet number (MIC is validated) */ 465 *prsc = tsc; 466 /* mark cached TTAK as valid */ 467 ctx->rxttak_ok = 1; 468 469 m_freem(m0); 470 return n0; 471 nospace: 472 ic->ic_stats.is_rx_nombuf++; 473 m_freem(m0); 474 if (n0 != NULL) 475 m_freem(n0); 476 return NULL; 477 } 478 479 #ifndef IEEE80211_STA_ONLY 480 /* 481 * This function is called in HostAP mode to deauthenticate all STAs using 482 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures). 483 */ 484 static void 485 ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni) 486 { 487 struct ieee80211com *ic = arg; 488 489 if (ni->ni_state == IEEE80211_STA_ASSOC && 490 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP || 491 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) { 492 /* deauthenticate STA */ 493 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH, 494 IEEE80211_REASON_MIC_FAILURE); 495 ieee80211_node_leave(ic, ni); 496 } 497 } 498 #endif /* IEEE80211_STA_ONLY */ 499 500 /* 501 * This function can be called by the software TKIP crypto code or by the 502 * drivers when their hardware crypto engines detect a Michael MIC failure. 503 */ 504 void 505 ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc) 506 { 507 extern int ticks; 508 509 if (ic->ic_flags & IEEE80211_F_COUNTERM) 510 return; /* countermeasures already active */ 511 512 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname); 513 514 /* 515 * NB. do not send Michael MIC Failure reports as recommended since 516 * these may be used as an oracle to verify CRC guesses as described 517 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA" 518 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf 519 */ 520 521 /* 522 * Activate TKIP countermeasures (see 8.3.2.4) if less than 60 523 * seconds have passed since the most recent previous MIC failure. 524 */ 525 if (ic->ic_tkip_micfail == 0 || 526 ticks - (ic->ic_tkip_micfail + 60 * hz) >= 0) { 527 ic->ic_tkip_micfail = ticks; 528 ic->ic_tkip_micfail_last_tsc = tsc; 529 return; 530 } 531 532 switch (ic->ic_opmode) { 533 #ifndef IEEE80211_STA_ONLY 534 case IEEE80211_M_HOSTAP: 535 /* refuse new TKIP associations for the next 60 seconds */ 536 ic->ic_flags |= IEEE80211_F_COUNTERM; 537 538 /* deauthenticate all currently associated STAs using TKIP */ 539 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic); 540 break; 541 #endif 542 case IEEE80211_M_STA: 543 /* 544 * Notify the AP of MIC failures: send two Michael 545 * MIC Failure Report frames back-to-back to trigger 546 * countermeasures at the AP end. 547 */ 548 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 549 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 550 ic->ic_tkip_micfail_last_tsc); 551 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss, 552 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE, 553 tsc); 554 555 /* deauthenticate from the AP.. */ 556 IEEE80211_SEND_MGMT(ic, ic->ic_bss, 557 IEEE80211_FC0_SUBTYPE_DEAUTH, 558 IEEE80211_REASON_MIC_FAILURE); 559 /* ..and find another one */ 560 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1); 561 break; 562 default: 563 break; 564 } 565 566 ic->ic_tkip_micfail = ticks; 567 ic->ic_tkip_micfail_last_tsc = tsc; 568 } 569 570 /*********************************************************************** 571 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors 572 Date: April 19, 2002 573 Notes: 574 This code is written for pedagogical purposes, NOT for performance. 575 ************************************************************************/ 576 577 /* macros for extraction/creation of byte/u16b values */ 578 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 579 #define Lo8(v16) ((byte)( (v16) & 0x00FF)) 580 #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF)) 581 #define Lo16(v32) ((u16b)( (v32) & 0xFFFF)) 582 #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF)) 583 #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8)) 584 585 /* select the Nth 16-bit word of the Temporal Key byte array TK[] */ 586 #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)]) 587 588 /* S-box lookup: 16 bits --> 16 bits */ 589 #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)])) 590 591 /* fixed algorithm "parameters" */ 592 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 593 #define TA_SIZE 6 /* 48-bit transmitter address */ 594 #define TK_SIZE 16 /* 128-bit Temporal Key */ 595 #define P1K_SIZE 10 /* 80-bit Phase1 key */ 596 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */ 597 598 /* 2-byte by 2-byte subset of the full AES S-box table */ 599 static const u16b Sbox[256]= /* Sbox for hash */ 600 { 601 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 602 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 603 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 604 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 605 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 606 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 607 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 608 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 609 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 610 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 611 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 612 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 613 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 614 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 615 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 616 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 617 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 618 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 619 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 620 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 621 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 622 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 623 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 624 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 625 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 626 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 627 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 628 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 629 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 630 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 631 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 632 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A 633 }; 634 635 /* 636 ********************************************************************** 637 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 638 * 639 * Inputs: 640 * TK[] = Temporal Key [128 bits] 641 * TA[] = transmitter's MAC address [ 48 bits] 642 * IV32 = upper 32 bits of IV [ 32 bits] 643 * Output: 644 * P1K[] = Phase 1 key [ 80 bits] 645 * 646 * Note: 647 * This function only needs to be called every 2**16 frames, 648 * although in theory it could be called every frame. 649 * 650 ********************************************************************** 651 */ 652 static void 653 Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32) 654 { 655 int i; 656 657 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 658 P1K[0] = Lo16(IV32); 659 P1K[1] = Hi16(IV32); 660 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */ 661 P1K[3] = Mk16(TA[3], TA[2]); 662 P1K[4] = Mk16(TA[5], TA[4]); 663 664 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 665 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 666 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 667 /* Each add operation here is mod 2**16 */ 668 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0)); 669 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2)); 670 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4)); 671 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6)); 672 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0)); 673 P1K[4] += i; /* avoid "slide attacks" */ 674 } 675 } 676 677 /* 678 ********************************************************************** 679 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 680 * 681 * Inputs: 682 * TK[] = Temporal Key [128 bits] 683 * P1K[] = Phase 1 output key [ 80 bits] 684 * IV16 = low 16 bits of IV counter [ 16 bits] 685 * Output: 686 * RC4KEY[] = the key used to encrypt the frame [128 bits] 687 * 688 * Note: 689 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique 690 * across all frames using the same key TK value. Then, for a 691 * given value of TK[], this TKIP48 construction guarantees that 692 * the final RC4KEY value is unique across all frames. 693 * 694 ********************************************************************** 695 */ 696 static void 697 Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16) 698 { 699 u16b *PPK; /* temporary key for mixing */ 700 int i; 701 702 /* 703 * Suggested implementation optimization: if PPK[] is "overlaid" 704 * appropriately on RC4KEY[], there is no need for the final for 705 * loop that copies the PPK[] result into RC4KEY[]. 706 */ 707 PPK = (u16b *)&RC4KEY[4]; 708 709 /* all adds in the PPK[] equations below are mod 2**16 */ 710 for (i = 0; i < 5; i++) 711 PPK[i] = P1K[i]; /* first, copy P1K to PPK */ 712 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */ 713 714 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 715 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 716 PPK[1] += _S_(PPK[0] ^ TK16(1)); 717 PPK[2] += _S_(PPK[1] ^ TK16(2)); 718 PPK[3] += _S_(PPK[2] ^ TK16(3)); 719 PPK[4] += _S_(PPK[3] ^ TK16(4)); 720 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 721 722 /* Final sweep: bijective, linear. Rotates kill LSB correlations */ 723 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 724 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 725 PPK[2] += RotR1(PPK[1]); 726 PPK[3] += RotR1(PPK[2]); 727 PPK[4] += RotR1(PPK[3]); 728 PPK[5] += RotR1(PPK[4]); 729 730 /* At this point, for a given key TK[0..15], the 96-bit output */ 731 /* value PPK[0..5] is guaranteed to be unique, as a function */ 732 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */ 733 /* is now a keyed permutation of {TA,IV32,IV16}. */ 734 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */ 735 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */ 736 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */ 737 RC4KEY[2] = Lo8(IV16); 738 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 739 740 #if BYTE_ORDER == BIG_ENDIAN 741 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 742 for (i = 0; i < 6; i++) 743 PPK[i] = swap16(PPK[i]); 744 #endif 745 } 746