1 | #include <machine/rtems-bsd-kernel-space.h> |
---|
2 | |
---|
3 | /*- |
---|
4 | * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting |
---|
5 | * All rights reserved. |
---|
6 | * |
---|
7 | * Redistribution and use in source and binary forms, with or without |
---|
8 | * modification, are permitted provided that the following conditions |
---|
9 | * are met: |
---|
10 | * 1. Redistributions of source code must retain the above copyright |
---|
11 | * notice, this list of conditions and the following disclaimer. |
---|
12 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
13 | * notice, this list of conditions and the following disclaimer in the |
---|
14 | * documentation and/or other materials provided with the distribution. |
---|
15 | * |
---|
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
---|
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
---|
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
---|
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
---|
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
---|
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
---|
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
---|
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
---|
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
---|
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
---|
26 | */ |
---|
27 | |
---|
28 | #include <sys/cdefs.h> |
---|
29 | __FBSDID("$FreeBSD$"); |
---|
30 | |
---|
31 | /* |
---|
32 | * IEEE 802.11i TKIP crypto support. |
---|
33 | * |
---|
34 | * Part of this module is derived from similar code in the Host |
---|
35 | * AP driver. The code is used with the consent of the author and |
---|
36 | * it's license is included below. |
---|
37 | */ |
---|
38 | #include <rtems/bsd/local/opt_wlan.h> |
---|
39 | |
---|
40 | #include <rtems/bsd/sys/param.h> |
---|
41 | #include <sys/systm.h> |
---|
42 | #include <sys/mbuf.h> |
---|
43 | #include <sys/malloc.h> |
---|
44 | #include <sys/kernel.h> |
---|
45 | #include <sys/module.h> |
---|
46 | #include <sys/endian.h> |
---|
47 | |
---|
48 | #include <sys/socket.h> |
---|
49 | |
---|
50 | #include <net/if.h> |
---|
51 | #include <net/if_media.h> |
---|
52 | #include <net/ethernet.h> |
---|
53 | |
---|
54 | #include <net80211/ieee80211_var.h> |
---|
55 | |
---|
56 | static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); |
---|
57 | static void tkip_detach(struct ieee80211_key *); |
---|
58 | static int tkip_setkey(struct ieee80211_key *); |
---|
59 | static void tkip_setiv(struct ieee80211_key *, uint8_t *); |
---|
60 | static int tkip_encap(struct ieee80211_key *, struct mbuf *); |
---|
61 | static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); |
---|
62 | static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); |
---|
63 | static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); |
---|
64 | |
---|
65 | static const struct ieee80211_cipher tkip = { |
---|
66 | .ic_name = "TKIP", |
---|
67 | .ic_cipher = IEEE80211_CIPHER_TKIP, |
---|
68 | .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + |
---|
69 | IEEE80211_WEP_EXTIVLEN, |
---|
70 | .ic_trailer = IEEE80211_WEP_CRCLEN, |
---|
71 | .ic_miclen = IEEE80211_WEP_MICLEN, |
---|
72 | .ic_attach = tkip_attach, |
---|
73 | .ic_detach = tkip_detach, |
---|
74 | .ic_setkey = tkip_setkey, |
---|
75 | .ic_setiv = tkip_setiv, |
---|
76 | .ic_encap = tkip_encap, |
---|
77 | .ic_decap = tkip_decap, |
---|
78 | .ic_enmic = tkip_enmic, |
---|
79 | .ic_demic = tkip_demic, |
---|
80 | }; |
---|
81 | |
---|
82 | typedef uint8_t u8; |
---|
83 | typedef uint16_t u16; |
---|
84 | typedef uint32_t __u32; |
---|
85 | typedef uint32_t u32; |
---|
86 | |
---|
87 | struct tkip_ctx { |
---|
88 | struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ |
---|
89 | |
---|
90 | u16 tx_ttak[5]; |
---|
91 | u8 tx_rc4key[16]; /* XXX for test module; make locals? */ |
---|
92 | |
---|
93 | u16 rx_ttak[5]; |
---|
94 | int rx_phase1_done; |
---|
95 | u8 rx_rc4key[16]; /* XXX for test module; make locals? */ |
---|
96 | uint64_t rx_rsc; /* held until MIC verified */ |
---|
97 | }; |
---|
98 | |
---|
99 | static void michael_mic(struct tkip_ctx *, const u8 *key, |
---|
100 | struct mbuf *m, u_int off, size_t data_len, |
---|
101 | u8 mic[IEEE80211_WEP_MICLEN]); |
---|
102 | static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, |
---|
103 | struct mbuf *, int hdr_len); |
---|
104 | static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, |
---|
105 | struct mbuf *, int hdr_len); |
---|
106 | |
---|
107 | /* number of references from net80211 layer */ |
---|
108 | static int nrefs = 0; |
---|
109 | |
---|
110 | static void * |
---|
111 | tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) |
---|
112 | { |
---|
113 | struct tkip_ctx *ctx; |
---|
114 | |
---|
115 | ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), |
---|
116 | M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); |
---|
117 | if (ctx == NULL) { |
---|
118 | vap->iv_stats.is_crypto_nomem++; |
---|
119 | return NULL; |
---|
120 | } |
---|
121 | |
---|
122 | ctx->tc_vap = vap; |
---|
123 | nrefs++; /* NB: we assume caller locking */ |
---|
124 | return ctx; |
---|
125 | } |
---|
126 | |
---|
127 | static void |
---|
128 | tkip_detach(struct ieee80211_key *k) |
---|
129 | { |
---|
130 | struct tkip_ctx *ctx = k->wk_private; |
---|
131 | |
---|
132 | IEEE80211_FREE(ctx, M_80211_CRYPTO); |
---|
133 | KASSERT(nrefs > 0, ("imbalanced attach/detach")); |
---|
134 | nrefs--; /* NB: we assume caller locking */ |
---|
135 | } |
---|
136 | |
---|
137 | static int |
---|
138 | tkip_setkey(struct ieee80211_key *k) |
---|
139 | { |
---|
140 | struct tkip_ctx *ctx = k->wk_private; |
---|
141 | |
---|
142 | if (k->wk_keylen != (128/NBBY)) { |
---|
143 | (void) ctx; /* XXX */ |
---|
144 | IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, |
---|
145 | "%s: Invalid key length %u, expecting %u\n", |
---|
146 | __func__, k->wk_keylen, 128/NBBY); |
---|
147 | return 0; |
---|
148 | } |
---|
149 | ctx->rx_phase1_done = 0; |
---|
150 | return 1; |
---|
151 | } |
---|
152 | |
---|
153 | static void |
---|
154 | tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) |
---|
155 | { |
---|
156 | struct tkip_ctx *ctx = k->wk_private; |
---|
157 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
158 | uint8_t keyid; |
---|
159 | |
---|
160 | keyid = ieee80211_crypto_get_keyid(vap, k) << 6; |
---|
161 | |
---|
162 | k->wk_keytsc++; |
---|
163 | ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ |
---|
164 | ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ |
---|
165 | ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ |
---|
166 | ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ |
---|
167 | ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ |
---|
168 | ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ |
---|
169 | ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ |
---|
170 | ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ |
---|
171 | } |
---|
172 | |
---|
173 | /* |
---|
174 | * Add privacy headers and do any s/w encryption required. |
---|
175 | */ |
---|
176 | static int |
---|
177 | tkip_encap(struct ieee80211_key *k, struct mbuf *m) |
---|
178 | { |
---|
179 | struct tkip_ctx *ctx = k->wk_private; |
---|
180 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
181 | struct ieee80211com *ic = vap->iv_ic; |
---|
182 | struct ieee80211_frame *wh; |
---|
183 | uint8_t *ivp; |
---|
184 | int hdrlen; |
---|
185 | int is_mgmt; |
---|
186 | |
---|
187 | wh = mtod(m, struct ieee80211_frame *); |
---|
188 | is_mgmt = IEEE80211_IS_MGMT(wh); |
---|
189 | |
---|
190 | /* |
---|
191 | * Handle TKIP counter measures requirement. |
---|
192 | */ |
---|
193 | if (vap->iv_flags & IEEE80211_F_COUNTERM) { |
---|
194 | #ifdef IEEE80211_DEBUG |
---|
195 | struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); |
---|
196 | #endif |
---|
197 | |
---|
198 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, |
---|
199 | "discard frame due to countermeasures (%s)", __func__); |
---|
200 | vap->iv_stats.is_crypto_tkipcm++; |
---|
201 | return 0; |
---|
202 | } |
---|
203 | |
---|
204 | /* |
---|
205 | * Check to see whether IV needs to be included. |
---|
206 | */ |
---|
207 | if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) |
---|
208 | return 1; |
---|
209 | if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) |
---|
210 | return 1; |
---|
211 | |
---|
212 | |
---|
213 | hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); |
---|
214 | |
---|
215 | /* |
---|
216 | * Copy down 802.11 header and add the IV, KeyID, and ExtIV. |
---|
217 | */ |
---|
218 | M_PREPEND(m, tkip.ic_header, M_NOWAIT); |
---|
219 | if (m == NULL) |
---|
220 | return 0; |
---|
221 | ivp = mtod(m, uint8_t *); |
---|
222 | memmove(ivp, ivp + tkip.ic_header, hdrlen); |
---|
223 | ivp += hdrlen; |
---|
224 | |
---|
225 | tkip_setiv(k, ivp); |
---|
226 | |
---|
227 | /* |
---|
228 | * Finally, do software encrypt if needed. |
---|
229 | */ |
---|
230 | if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && |
---|
231 | !tkip_encrypt(ctx, k, m, hdrlen)) |
---|
232 | return 0; |
---|
233 | |
---|
234 | return 1; |
---|
235 | } |
---|
236 | |
---|
237 | /* |
---|
238 | * Add MIC to the frame as needed. |
---|
239 | */ |
---|
240 | static int |
---|
241 | tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) |
---|
242 | { |
---|
243 | struct tkip_ctx *ctx = k->wk_private; |
---|
244 | struct ieee80211_frame *wh; |
---|
245 | int is_mgmt; |
---|
246 | |
---|
247 | wh = mtod(m, struct ieee80211_frame *); |
---|
248 | is_mgmt = IEEE80211_IS_MGMT(wh); |
---|
249 | |
---|
250 | /* |
---|
251 | * Check to see whether MIC needs to be included. |
---|
252 | */ |
---|
253 | if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) |
---|
254 | return 1; |
---|
255 | if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) |
---|
256 | return 1; |
---|
257 | |
---|
258 | if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { |
---|
259 | struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); |
---|
260 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
261 | struct ieee80211com *ic = vap->iv_ic; |
---|
262 | int hdrlen; |
---|
263 | uint8_t mic[IEEE80211_WEP_MICLEN]; |
---|
264 | |
---|
265 | vap->iv_stats.is_crypto_tkipenmic++; |
---|
266 | |
---|
267 | hdrlen = ieee80211_hdrspace(ic, wh); |
---|
268 | |
---|
269 | michael_mic(ctx, k->wk_txmic, |
---|
270 | m, hdrlen, m->m_pkthdr.len - hdrlen, mic); |
---|
271 | return m_append(m, tkip.ic_miclen, mic); |
---|
272 | } |
---|
273 | return 1; |
---|
274 | } |
---|
275 | |
---|
276 | static __inline uint64_t |
---|
277 | READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) |
---|
278 | { |
---|
279 | uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); |
---|
280 | uint16_t iv16 = (b4 << 0) | (b5 << 8); |
---|
281 | return (((uint64_t)iv16) << 32) | iv32; |
---|
282 | } |
---|
283 | |
---|
284 | /* |
---|
285 | * Validate and strip privacy headers (and trailer) for a |
---|
286 | * received frame. If necessary, decrypt the frame using |
---|
287 | * the specified key. |
---|
288 | */ |
---|
289 | static int |
---|
290 | tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) |
---|
291 | { |
---|
292 | const struct ieee80211_rx_stats *rxs; |
---|
293 | struct tkip_ctx *ctx = k->wk_private; |
---|
294 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
295 | struct ieee80211_frame *wh; |
---|
296 | uint8_t *ivp, tid; |
---|
297 | |
---|
298 | rxs = ieee80211_get_rx_params_ptr(m); |
---|
299 | |
---|
300 | /* |
---|
301 | * If IV has been stripped, we skip most of the below. |
---|
302 | */ |
---|
303 | if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) |
---|
304 | goto finish; |
---|
305 | |
---|
306 | /* |
---|
307 | * Header should have extended IV and sequence number; |
---|
308 | * verify the former and validate the latter. |
---|
309 | */ |
---|
310 | wh = mtod(m, struct ieee80211_frame *); |
---|
311 | ivp = mtod(m, uint8_t *) + hdrlen; |
---|
312 | if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { |
---|
313 | /* |
---|
314 | * No extended IV; discard frame. |
---|
315 | */ |
---|
316 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, |
---|
317 | "%s", "missing ExtIV for TKIP cipher"); |
---|
318 | vap->iv_stats.is_rx_tkipformat++; |
---|
319 | return 0; |
---|
320 | } |
---|
321 | /* |
---|
322 | * Handle TKIP counter measures requirement. |
---|
323 | */ |
---|
324 | if (vap->iv_flags & IEEE80211_F_COUNTERM) { |
---|
325 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, |
---|
326 | "discard frame due to countermeasures (%s)", __func__); |
---|
327 | vap->iv_stats.is_crypto_tkipcm++; |
---|
328 | return 0; |
---|
329 | } |
---|
330 | |
---|
331 | tid = ieee80211_gettid(wh); |
---|
332 | ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); |
---|
333 | if (ctx->rx_rsc <= k->wk_keyrsc[tid] && |
---|
334 | (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { |
---|
335 | /* |
---|
336 | * Replay violation; notify upper layer. |
---|
337 | */ |
---|
338 | ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); |
---|
339 | vap->iv_stats.is_rx_tkipreplay++; |
---|
340 | return 0; |
---|
341 | } |
---|
342 | /* |
---|
343 | * NB: We can't update the rsc in the key until MIC is verified. |
---|
344 | * |
---|
345 | * We assume we are not preempted between doing the check above |
---|
346 | * and updating wk_keyrsc when stripping the MIC in tkip_demic. |
---|
347 | * Otherwise we might process another packet and discard it as |
---|
348 | * a replay. |
---|
349 | */ |
---|
350 | |
---|
351 | /* |
---|
352 | * Check if the device handled the decrypt in hardware. |
---|
353 | * If so we just strip the header; otherwise we need to |
---|
354 | * handle the decrypt in software. |
---|
355 | */ |
---|
356 | if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && |
---|
357 | !tkip_decrypt(ctx, k, m, hdrlen)) |
---|
358 | return 0; |
---|
359 | |
---|
360 | finish: |
---|
361 | |
---|
362 | /* |
---|
363 | * Copy up 802.11 header and strip crypto bits - but only if we |
---|
364 | * are required to. |
---|
365 | */ |
---|
366 | if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { |
---|
367 | memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), |
---|
368 | hdrlen); |
---|
369 | m_adj(m, tkip.ic_header); |
---|
370 | } |
---|
371 | |
---|
372 | /* |
---|
373 | * XXX TODO: do we need an option to potentially not strip the |
---|
374 | * WEP trailer? Does "MMIC_STRIP" also mean this? Or? |
---|
375 | */ |
---|
376 | m_adj(m, -tkip.ic_trailer); |
---|
377 | |
---|
378 | return 1; |
---|
379 | } |
---|
380 | |
---|
381 | /* |
---|
382 | * Verify and strip MIC from the frame. |
---|
383 | */ |
---|
384 | static int |
---|
385 | tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) |
---|
386 | { |
---|
387 | const struct ieee80211_rx_stats *rxs; |
---|
388 | struct tkip_ctx *ctx = k->wk_private; |
---|
389 | struct ieee80211_frame *wh; |
---|
390 | uint8_t tid; |
---|
391 | |
---|
392 | wh = mtod(m, struct ieee80211_frame *); |
---|
393 | rxs = ieee80211_get_rx_params_ptr(m); |
---|
394 | |
---|
395 | /* |
---|
396 | * If we are told about a MIC failure from the driver, |
---|
397 | * directly notify as a michael failure to the upper |
---|
398 | * layers. |
---|
399 | */ |
---|
400 | if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { |
---|
401 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
402 | ieee80211_notify_michael_failure(vap, wh, |
---|
403 | k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? |
---|
404 | k->wk_rxkeyix : k->wk_keyix); |
---|
405 | return 0; |
---|
406 | } |
---|
407 | |
---|
408 | /* |
---|
409 | * If IV has been stripped, we skip most of the below. |
---|
410 | */ |
---|
411 | if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) |
---|
412 | goto finish; |
---|
413 | |
---|
414 | if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { |
---|
415 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
416 | int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); |
---|
417 | u8 mic[IEEE80211_WEP_MICLEN]; |
---|
418 | u8 mic0[IEEE80211_WEP_MICLEN]; |
---|
419 | |
---|
420 | vap->iv_stats.is_crypto_tkipdemic++; |
---|
421 | |
---|
422 | michael_mic(ctx, k->wk_rxmic, |
---|
423 | m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), |
---|
424 | mic); |
---|
425 | m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, |
---|
426 | tkip.ic_miclen, mic0); |
---|
427 | if (memcmp(mic, mic0, tkip.ic_miclen)) { |
---|
428 | /* NB: 802.11 layer handles statistic and debug msg */ |
---|
429 | ieee80211_notify_michael_failure(vap, wh, |
---|
430 | k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? |
---|
431 | k->wk_rxkeyix : k->wk_keyix); |
---|
432 | return 0; |
---|
433 | } |
---|
434 | } |
---|
435 | /* |
---|
436 | * Strip MIC from the tail. |
---|
437 | */ |
---|
438 | m_adj(m, -tkip.ic_miclen); |
---|
439 | |
---|
440 | /* |
---|
441 | * Ok to update rsc now that MIC has been verified. |
---|
442 | */ |
---|
443 | tid = ieee80211_gettid(wh); |
---|
444 | k->wk_keyrsc[tid] = ctx->rx_rsc; |
---|
445 | |
---|
446 | finish: |
---|
447 | return 1; |
---|
448 | } |
---|
449 | |
---|
450 | /* |
---|
451 | * Host AP crypt: host-based TKIP encryption implementation for Host AP driver |
---|
452 | * |
---|
453 | * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> |
---|
454 | * |
---|
455 | * This program is free software; you can redistribute it and/or modify |
---|
456 | * it under the terms of the GNU General Public License version 2 as |
---|
457 | * published by the Free Software Foundation. See README and COPYING for |
---|
458 | * more details. |
---|
459 | * |
---|
460 | * Alternatively, this software may be distributed under the terms of BSD |
---|
461 | * license. |
---|
462 | */ |
---|
463 | |
---|
464 | static const __u32 crc32_table[256] = { |
---|
465 | 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, |
---|
466 | 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, |
---|
467 | 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, |
---|
468 | 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, |
---|
469 | 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, |
---|
470 | 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, |
---|
471 | 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, |
---|
472 | 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, |
---|
473 | 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, |
---|
474 | 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, |
---|
475 | 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, |
---|
476 | 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, |
---|
477 | 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, |
---|
478 | 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, |
---|
479 | 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, |
---|
480 | 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, |
---|
481 | 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, |
---|
482 | 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, |
---|
483 | 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, |
---|
484 | 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, |
---|
485 | 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, |
---|
486 | 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, |
---|
487 | 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, |
---|
488 | 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, |
---|
489 | 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, |
---|
490 | 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, |
---|
491 | 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, |
---|
492 | 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, |
---|
493 | 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, |
---|
494 | 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, |
---|
495 | 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, |
---|
496 | 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, |
---|
497 | 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, |
---|
498 | 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, |
---|
499 | 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, |
---|
500 | 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, |
---|
501 | 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, |
---|
502 | 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, |
---|
503 | 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, |
---|
504 | 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, |
---|
505 | 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, |
---|
506 | 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, |
---|
507 | 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, |
---|
508 | 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, |
---|
509 | 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, |
---|
510 | 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, |
---|
511 | 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, |
---|
512 | 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, |
---|
513 | 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, |
---|
514 | 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, |
---|
515 | 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, |
---|
516 | 0x2d02ef8dL |
---|
517 | }; |
---|
518 | |
---|
519 | static __inline u16 RotR1(u16 val) |
---|
520 | { |
---|
521 | return (val >> 1) | (val << 15); |
---|
522 | } |
---|
523 | |
---|
524 | static __inline u8 Lo8(u16 val) |
---|
525 | { |
---|
526 | return val & 0xff; |
---|
527 | } |
---|
528 | |
---|
529 | static __inline u8 Hi8(u16 val) |
---|
530 | { |
---|
531 | return val >> 8; |
---|
532 | } |
---|
533 | |
---|
534 | static __inline u16 Lo16(u32 val) |
---|
535 | { |
---|
536 | return val & 0xffff; |
---|
537 | } |
---|
538 | |
---|
539 | static __inline u16 Hi16(u32 val) |
---|
540 | { |
---|
541 | return val >> 16; |
---|
542 | } |
---|
543 | |
---|
544 | static __inline u16 Mk16(u8 hi, u8 lo) |
---|
545 | { |
---|
546 | return lo | (((u16) hi) << 8); |
---|
547 | } |
---|
548 | |
---|
549 | static __inline u16 Mk16_le(const u16 *v) |
---|
550 | { |
---|
551 | return le16toh(*v); |
---|
552 | } |
---|
553 | |
---|
554 | static const u16 Sbox[256] = { |
---|
555 | 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, |
---|
556 | 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, |
---|
557 | 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, |
---|
558 | 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, |
---|
559 | 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, |
---|
560 | 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, |
---|
561 | 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, |
---|
562 | 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, |
---|
563 | 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, |
---|
564 | 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, |
---|
565 | 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, |
---|
566 | 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, |
---|
567 | 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, |
---|
568 | 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, |
---|
569 | 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, |
---|
570 | 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, |
---|
571 | 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, |
---|
572 | 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, |
---|
573 | 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, |
---|
574 | 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, |
---|
575 | 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, |
---|
576 | 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, |
---|
577 | 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, |
---|
578 | 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, |
---|
579 | 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, |
---|
580 | 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, |
---|
581 | 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, |
---|
582 | 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, |
---|
583 | 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, |
---|
584 | 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, |
---|
585 | 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, |
---|
586 | 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, |
---|
587 | }; |
---|
588 | |
---|
589 | static __inline u16 _S_(u16 v) |
---|
590 | { |
---|
591 | u16 t = Sbox[Hi8(v)]; |
---|
592 | return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); |
---|
593 | } |
---|
594 | |
---|
595 | #define PHASE1_LOOP_COUNT 8 |
---|
596 | |
---|
597 | static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) |
---|
598 | { |
---|
599 | int i, j; |
---|
600 | |
---|
601 | /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ |
---|
602 | TTAK[0] = Lo16(IV32); |
---|
603 | TTAK[1] = Hi16(IV32); |
---|
604 | TTAK[2] = Mk16(TA[1], TA[0]); |
---|
605 | TTAK[3] = Mk16(TA[3], TA[2]); |
---|
606 | TTAK[4] = Mk16(TA[5], TA[4]); |
---|
607 | |
---|
608 | for (i = 0; i < PHASE1_LOOP_COUNT; i++) { |
---|
609 | j = 2 * (i & 1); |
---|
610 | TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); |
---|
611 | TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); |
---|
612 | TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); |
---|
613 | TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); |
---|
614 | TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; |
---|
615 | } |
---|
616 | } |
---|
617 | |
---|
618 | #ifndef _BYTE_ORDER |
---|
619 | #error "Don't know native byte order" |
---|
620 | #endif |
---|
621 | |
---|
622 | static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, |
---|
623 | u16 IV16) |
---|
624 | { |
---|
625 | /* Make temporary area overlap WEP seed so that the final copy can be |
---|
626 | * avoided on little endian hosts. */ |
---|
627 | u16 *PPK = (u16 *) &WEPSeed[4]; |
---|
628 | |
---|
629 | /* Step 1 - make copy of TTAK and bring in TSC */ |
---|
630 | PPK[0] = TTAK[0]; |
---|
631 | PPK[1] = TTAK[1]; |
---|
632 | PPK[2] = TTAK[2]; |
---|
633 | PPK[3] = TTAK[3]; |
---|
634 | PPK[4] = TTAK[4]; |
---|
635 | PPK[5] = TTAK[4] + IV16; |
---|
636 | |
---|
637 | /* Step 2 - 96-bit bijective mixing using S-box */ |
---|
638 | PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); |
---|
639 | PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); |
---|
640 | PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); |
---|
641 | PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); |
---|
642 | PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); |
---|
643 | PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); |
---|
644 | |
---|
645 | PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); |
---|
646 | PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); |
---|
647 | PPK[2] += RotR1(PPK[1]); |
---|
648 | PPK[3] += RotR1(PPK[2]); |
---|
649 | PPK[4] += RotR1(PPK[3]); |
---|
650 | PPK[5] += RotR1(PPK[4]); |
---|
651 | |
---|
652 | /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value |
---|
653 | * WEPSeed[0..2] is transmitted as WEP IV */ |
---|
654 | WEPSeed[0] = Hi8(IV16); |
---|
655 | WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; |
---|
656 | WEPSeed[2] = Lo8(IV16); |
---|
657 | WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); |
---|
658 | |
---|
659 | #if _BYTE_ORDER == _BIG_ENDIAN |
---|
660 | { |
---|
661 | int i; |
---|
662 | for (i = 0; i < 6; i++) |
---|
663 | PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); |
---|
664 | } |
---|
665 | #endif |
---|
666 | } |
---|
667 | |
---|
668 | static void |
---|
669 | wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, |
---|
670 | uint8_t icv[IEEE80211_WEP_CRCLEN]) |
---|
671 | { |
---|
672 | u32 i, j, k, crc; |
---|
673 | size_t buflen; |
---|
674 | u8 S[256]; |
---|
675 | u8 *pos; |
---|
676 | struct mbuf *m; |
---|
677 | #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) |
---|
678 | |
---|
679 | /* Setup RC4 state */ |
---|
680 | for (i = 0; i < 256; i++) |
---|
681 | S[i] = i; |
---|
682 | j = 0; |
---|
683 | for (i = 0; i < 256; i++) { |
---|
684 | j = (j + S[i] + key[i & 0x0f]) & 0xff; |
---|
685 | S_SWAP(i, j); |
---|
686 | } |
---|
687 | |
---|
688 | /* Compute CRC32 over unencrypted data and apply RC4 to data */ |
---|
689 | crc = ~0; |
---|
690 | i = j = 0; |
---|
691 | m = m0; |
---|
692 | pos = mtod(m, uint8_t *) + off; |
---|
693 | buflen = m->m_len - off; |
---|
694 | for (;;) { |
---|
695 | if (buflen > data_len) |
---|
696 | buflen = data_len; |
---|
697 | data_len -= buflen; |
---|
698 | for (k = 0; k < buflen; k++) { |
---|
699 | crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); |
---|
700 | i = (i + 1) & 0xff; |
---|
701 | j = (j + S[i]) & 0xff; |
---|
702 | S_SWAP(i, j); |
---|
703 | *pos++ ^= S[(S[i] + S[j]) & 0xff]; |
---|
704 | } |
---|
705 | m = m->m_next; |
---|
706 | if (m == NULL) { |
---|
707 | KASSERT(data_len == 0, |
---|
708 | ("out of buffers with data_len %zu\n", data_len)); |
---|
709 | break; |
---|
710 | } |
---|
711 | pos = mtod(m, uint8_t *); |
---|
712 | buflen = m->m_len; |
---|
713 | } |
---|
714 | crc = ~crc; |
---|
715 | |
---|
716 | /* Append little-endian CRC32 and encrypt it to produce ICV */ |
---|
717 | icv[0] = crc; |
---|
718 | icv[1] = crc >> 8; |
---|
719 | icv[2] = crc >> 16; |
---|
720 | icv[3] = crc >> 24; |
---|
721 | for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { |
---|
722 | i = (i + 1) & 0xff; |
---|
723 | j = (j + S[i]) & 0xff; |
---|
724 | S_SWAP(i, j); |
---|
725 | icv[k] ^= S[(S[i] + S[j]) & 0xff]; |
---|
726 | } |
---|
727 | } |
---|
728 | |
---|
729 | static int |
---|
730 | wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) |
---|
731 | { |
---|
732 | u32 i, j, k, crc; |
---|
733 | u8 S[256]; |
---|
734 | u8 *pos, icv[4]; |
---|
735 | size_t buflen; |
---|
736 | |
---|
737 | /* Setup RC4 state */ |
---|
738 | for (i = 0; i < 256; i++) |
---|
739 | S[i] = i; |
---|
740 | j = 0; |
---|
741 | for (i = 0; i < 256; i++) { |
---|
742 | j = (j + S[i] + key[i & 0x0f]) & 0xff; |
---|
743 | S_SWAP(i, j); |
---|
744 | } |
---|
745 | |
---|
746 | /* Apply RC4 to data and compute CRC32 over decrypted data */ |
---|
747 | crc = ~0; |
---|
748 | i = j = 0; |
---|
749 | pos = mtod(m, uint8_t *) + off; |
---|
750 | buflen = m->m_len - off; |
---|
751 | for (;;) { |
---|
752 | if (buflen > data_len) |
---|
753 | buflen = data_len; |
---|
754 | data_len -= buflen; |
---|
755 | for (k = 0; k < buflen; k++) { |
---|
756 | i = (i + 1) & 0xff; |
---|
757 | j = (j + S[i]) & 0xff; |
---|
758 | S_SWAP(i, j); |
---|
759 | *pos ^= S[(S[i] + S[j]) & 0xff]; |
---|
760 | crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); |
---|
761 | pos++; |
---|
762 | } |
---|
763 | m = m->m_next; |
---|
764 | if (m == NULL) { |
---|
765 | KASSERT(data_len == 0, |
---|
766 | ("out of buffers with data_len %zu\n", data_len)); |
---|
767 | break; |
---|
768 | } |
---|
769 | pos = mtod(m, uint8_t *); |
---|
770 | buflen = m->m_len; |
---|
771 | } |
---|
772 | crc = ~crc; |
---|
773 | |
---|
774 | /* Encrypt little-endian CRC32 and verify that it matches with the |
---|
775 | * received ICV */ |
---|
776 | icv[0] = crc; |
---|
777 | icv[1] = crc >> 8; |
---|
778 | icv[2] = crc >> 16; |
---|
779 | icv[3] = crc >> 24; |
---|
780 | for (k = 0; k < 4; k++) { |
---|
781 | i = (i + 1) & 0xff; |
---|
782 | j = (j + S[i]) & 0xff; |
---|
783 | S_SWAP(i, j); |
---|
784 | if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { |
---|
785 | /* ICV mismatch - drop frame */ |
---|
786 | return -1; |
---|
787 | } |
---|
788 | } |
---|
789 | |
---|
790 | return 0; |
---|
791 | } |
---|
792 | |
---|
793 | |
---|
794 | static __inline u32 rotl(u32 val, int bits) |
---|
795 | { |
---|
796 | return (val << bits) | (val >> (32 - bits)); |
---|
797 | } |
---|
798 | |
---|
799 | |
---|
800 | static __inline u32 rotr(u32 val, int bits) |
---|
801 | { |
---|
802 | return (val >> bits) | (val << (32 - bits)); |
---|
803 | } |
---|
804 | |
---|
805 | |
---|
806 | static __inline u32 xswap(u32 val) |
---|
807 | { |
---|
808 | return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); |
---|
809 | } |
---|
810 | |
---|
811 | |
---|
812 | #define michael_block(l, r) \ |
---|
813 | do { \ |
---|
814 | r ^= rotl(l, 17); \ |
---|
815 | l += r; \ |
---|
816 | r ^= xswap(l); \ |
---|
817 | l += r; \ |
---|
818 | r ^= rotl(l, 3); \ |
---|
819 | l += r; \ |
---|
820 | r ^= rotr(l, 2); \ |
---|
821 | l += r; \ |
---|
822 | } while (0) |
---|
823 | |
---|
824 | |
---|
825 | static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) |
---|
826 | { |
---|
827 | return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); |
---|
828 | } |
---|
829 | |
---|
830 | static __inline u32 get_le32(const u8 *p) |
---|
831 | { |
---|
832 | return get_le32_split(p[0], p[1], p[2], p[3]); |
---|
833 | } |
---|
834 | |
---|
835 | |
---|
836 | static __inline void put_le32(u8 *p, u32 v) |
---|
837 | { |
---|
838 | p[0] = v; |
---|
839 | p[1] = v >> 8; |
---|
840 | p[2] = v >> 16; |
---|
841 | p[3] = v >> 24; |
---|
842 | } |
---|
843 | |
---|
844 | /* |
---|
845 | * Craft pseudo header used to calculate the MIC. |
---|
846 | */ |
---|
847 | static void |
---|
848 | michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) |
---|
849 | { |
---|
850 | const struct ieee80211_frame_addr4 *wh = |
---|
851 | (const struct ieee80211_frame_addr4 *) wh0; |
---|
852 | |
---|
853 | switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { |
---|
854 | case IEEE80211_FC1_DIR_NODS: |
---|
855 | IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ |
---|
856 | IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); |
---|
857 | break; |
---|
858 | case IEEE80211_FC1_DIR_TODS: |
---|
859 | IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ |
---|
860 | IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); |
---|
861 | break; |
---|
862 | case IEEE80211_FC1_DIR_FROMDS: |
---|
863 | IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ |
---|
864 | IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); |
---|
865 | break; |
---|
866 | case IEEE80211_FC1_DIR_DSTODS: |
---|
867 | IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ |
---|
868 | IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); |
---|
869 | break; |
---|
870 | } |
---|
871 | |
---|
872 | if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { |
---|
873 | const struct ieee80211_qosframe *qwh = |
---|
874 | (const struct ieee80211_qosframe *) wh; |
---|
875 | hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; |
---|
876 | } else |
---|
877 | hdr[12] = 0; |
---|
878 | hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ |
---|
879 | } |
---|
880 | |
---|
881 | static void |
---|
882 | michael_mic(struct tkip_ctx *ctx, const u8 *key, |
---|
883 | struct mbuf *m, u_int off, size_t data_len, |
---|
884 | u8 mic[IEEE80211_WEP_MICLEN]) |
---|
885 | { |
---|
886 | uint8_t hdr[16]; |
---|
887 | u32 l, r; |
---|
888 | const uint8_t *data; |
---|
889 | u_int space; |
---|
890 | |
---|
891 | michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); |
---|
892 | |
---|
893 | l = get_le32(key); |
---|
894 | r = get_le32(key + 4); |
---|
895 | |
---|
896 | /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ |
---|
897 | l ^= get_le32(hdr); |
---|
898 | michael_block(l, r); |
---|
899 | l ^= get_le32(&hdr[4]); |
---|
900 | michael_block(l, r); |
---|
901 | l ^= get_le32(&hdr[8]); |
---|
902 | michael_block(l, r); |
---|
903 | l ^= get_le32(&hdr[12]); |
---|
904 | michael_block(l, r); |
---|
905 | |
---|
906 | /* first buffer has special handling */ |
---|
907 | data = mtod(m, const uint8_t *) + off; |
---|
908 | space = m->m_len - off; |
---|
909 | for (;;) { |
---|
910 | if (space > data_len) |
---|
911 | space = data_len; |
---|
912 | /* collect 32-bit blocks from current buffer */ |
---|
913 | while (space >= sizeof(uint32_t)) { |
---|
914 | l ^= get_le32(data); |
---|
915 | michael_block(l, r); |
---|
916 | data += sizeof(uint32_t), space -= sizeof(uint32_t); |
---|
917 | data_len -= sizeof(uint32_t); |
---|
918 | } |
---|
919 | /* |
---|
920 | * NB: when space is zero we make one more trip around |
---|
921 | * the loop to advance to the next mbuf where there is |
---|
922 | * data. This handles the case where there are 4*n |
---|
923 | * bytes in an mbuf followed by <4 bytes in a later mbuf. |
---|
924 | * By making an extra trip we'll drop out of the loop |
---|
925 | * with m pointing at the mbuf with 3 bytes and space |
---|
926 | * set as required by the remainder handling below. |
---|
927 | */ |
---|
928 | if (data_len == 0 || |
---|
929 | (data_len < sizeof(uint32_t) && space != 0)) |
---|
930 | break; |
---|
931 | m = m->m_next; |
---|
932 | if (m == NULL) { |
---|
933 | KASSERT(0, ("out of data, data_len %zu\n", data_len)); |
---|
934 | break; |
---|
935 | } |
---|
936 | if (space != 0) { |
---|
937 | const uint8_t *data_next; |
---|
938 | /* |
---|
939 | * Block straddles buffers, split references. |
---|
940 | */ |
---|
941 | data_next = mtod(m, const uint8_t *); |
---|
942 | KASSERT(m->m_len >= sizeof(uint32_t) - space, |
---|
943 | ("not enough data in following buffer, " |
---|
944 | "m_len %u need %zu\n", m->m_len, |
---|
945 | sizeof(uint32_t) - space)); |
---|
946 | switch (space) { |
---|
947 | case 1: |
---|
948 | l ^= get_le32_split(data[0], data_next[0], |
---|
949 | data_next[1], data_next[2]); |
---|
950 | data = data_next + 3; |
---|
951 | space = m->m_len - 3; |
---|
952 | break; |
---|
953 | case 2: |
---|
954 | l ^= get_le32_split(data[0], data[1], |
---|
955 | data_next[0], data_next[1]); |
---|
956 | data = data_next + 2; |
---|
957 | space = m->m_len - 2; |
---|
958 | break; |
---|
959 | case 3: |
---|
960 | l ^= get_le32_split(data[0], data[1], |
---|
961 | data[2], data_next[0]); |
---|
962 | data = data_next + 1; |
---|
963 | space = m->m_len - 1; |
---|
964 | break; |
---|
965 | } |
---|
966 | michael_block(l, r); |
---|
967 | data_len -= sizeof(uint32_t); |
---|
968 | } else { |
---|
969 | /* |
---|
970 | * Setup for next buffer. |
---|
971 | */ |
---|
972 | data = mtod(m, const uint8_t *); |
---|
973 | space = m->m_len; |
---|
974 | } |
---|
975 | } |
---|
976 | /* |
---|
977 | * Catch degenerate cases like mbuf[4*n+1 bytes] followed by |
---|
978 | * mbuf[2 bytes]. I don't believe these should happen; if they |
---|
979 | * do then we'll need more involved logic. |
---|
980 | */ |
---|
981 | KASSERT(data_len <= space, |
---|
982 | ("not enough data, data_len %zu space %u\n", data_len, space)); |
---|
983 | |
---|
984 | /* Last block and padding (0x5a, 4..7 x 0) */ |
---|
985 | switch (data_len) { |
---|
986 | case 0: |
---|
987 | l ^= get_le32_split(0x5a, 0, 0, 0); |
---|
988 | break; |
---|
989 | case 1: |
---|
990 | l ^= get_le32_split(data[0], 0x5a, 0, 0); |
---|
991 | break; |
---|
992 | case 2: |
---|
993 | l ^= get_le32_split(data[0], data[1], 0x5a, 0); |
---|
994 | break; |
---|
995 | case 3: |
---|
996 | l ^= get_le32_split(data[0], data[1], data[2], 0x5a); |
---|
997 | break; |
---|
998 | } |
---|
999 | michael_block(l, r); |
---|
1000 | /* l ^= 0; */ |
---|
1001 | michael_block(l, r); |
---|
1002 | |
---|
1003 | put_le32(mic, l); |
---|
1004 | put_le32(mic + 4, r); |
---|
1005 | } |
---|
1006 | |
---|
1007 | static int |
---|
1008 | tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, |
---|
1009 | struct mbuf *m, int hdrlen) |
---|
1010 | { |
---|
1011 | struct ieee80211_frame *wh; |
---|
1012 | uint8_t icv[IEEE80211_WEP_CRCLEN]; |
---|
1013 | |
---|
1014 | ctx->tc_vap->iv_stats.is_crypto_tkip++; |
---|
1015 | |
---|
1016 | wh = mtod(m, struct ieee80211_frame *); |
---|
1017 | if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { |
---|
1018 | tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, |
---|
1019 | (u32)(key->wk_keytsc >> 16)); |
---|
1020 | } |
---|
1021 | tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, |
---|
1022 | (u16) key->wk_keytsc); |
---|
1023 | |
---|
1024 | wep_encrypt(ctx->tx_rc4key, |
---|
1025 | m, hdrlen + tkip.ic_header, |
---|
1026 | m->m_pkthdr.len - (hdrlen + tkip.ic_header), |
---|
1027 | icv); |
---|
1028 | (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ |
---|
1029 | |
---|
1030 | return 1; |
---|
1031 | } |
---|
1032 | |
---|
1033 | static int |
---|
1034 | tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, |
---|
1035 | struct mbuf *m, int hdrlen) |
---|
1036 | { |
---|
1037 | struct ieee80211_frame *wh; |
---|
1038 | struct ieee80211vap *vap = ctx->tc_vap; |
---|
1039 | u32 iv32; |
---|
1040 | u16 iv16; |
---|
1041 | u8 tid; |
---|
1042 | |
---|
1043 | vap->iv_stats.is_crypto_tkip++; |
---|
1044 | |
---|
1045 | wh = mtod(m, struct ieee80211_frame *); |
---|
1046 | /* NB: tkip_decap already verified header and left seq in rx_rsc */ |
---|
1047 | iv16 = (u16) ctx->rx_rsc; |
---|
1048 | iv32 = (u32) (ctx->rx_rsc >> 16); |
---|
1049 | |
---|
1050 | tid = ieee80211_gettid(wh); |
---|
1051 | if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { |
---|
1052 | tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, |
---|
1053 | wh->i_addr2, iv32); |
---|
1054 | ctx->rx_phase1_done = 1; |
---|
1055 | } |
---|
1056 | tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); |
---|
1057 | |
---|
1058 | /* NB: m is unstripped; deduct headers + ICV to get payload */ |
---|
1059 | if (wep_decrypt(ctx->rx_rc4key, |
---|
1060 | m, hdrlen + tkip.ic_header, |
---|
1061 | m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { |
---|
1062 | if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { |
---|
1063 | /* Previously cached Phase1 result was already lost, so |
---|
1064 | * it needs to be recalculated for the next packet. */ |
---|
1065 | ctx->rx_phase1_done = 0; |
---|
1066 | } |
---|
1067 | IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, |
---|
1068 | "%s", "TKIP ICV mismatch on decrypt"); |
---|
1069 | vap->iv_stats.is_rx_tkipicv++; |
---|
1070 | return 0; |
---|
1071 | } |
---|
1072 | return 1; |
---|
1073 | } |
---|
1074 | |
---|
1075 | /* |
---|
1076 | * Module glue. |
---|
1077 | */ |
---|
1078 | IEEE80211_CRYPTO_MODULE(tkip, 1); |
---|