2
* Copyright 2002-2004, Instant802 Networks, Inc.
3
* Copyright 2005, Devicescape Software, Inc.
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
10
#include <linux/kernel.h>
11
#include <linux/types.h>
12
#include <linux/netdevice.h>
14
#include <net/mac80211.h>
15
#include "ieee80211_key.h"
20
/* TKIP key mixing functions */
23
#define PHASE1_LOOP_COUNT 8
26
/* 2-byte by 2-byte subset of the full AES S-box table; second part of this
27
* table is identical to first part but byte-swapped */
28
static const u16 tkip_sbox[256] =
30
0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
31
0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
32
0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
33
0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
34
0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
35
0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
36
0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
37
0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
38
0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
39
0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
40
0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
41
0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
42
0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
43
0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
44
0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
45
0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
46
0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
47
0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
48
0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
49
0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
50
0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
51
0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
52
0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
53
0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
54
0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
55
0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
56
0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
57
0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
58
0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
59
0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
60
0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
61
0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
65
static inline u16 Mk16(u8 x, u8 y)
67
return ((u16) x << 8) | (u16) y;
71
static inline u8 Hi8(u16 v)
77
static inline u8 Lo8(u16 v)
83
static inline u16 Hi16(u32 v)
89
static inline u16 Lo16(u32 v)
95
static inline u16 RotR1(u16 v)
97
return (v >> 1) | ((v & 0x0001) << 15);
101
static inline u16 tkip_S(u16 val)
103
u16 a = tkip_sbox[Hi8(val)];
105
return tkip_sbox[Lo8(val)] ^ Hi8(a) ^ (Lo8(a) << 8);
110
/* P1K := Phase1(TA, TK, TSC)
111
* TA = transmitter address (48 bits)
112
* TK = dot11DefaultKeyValue or dot11KeyMappingValue (128 bits)
113
* TSC = TKIP sequence counter (48 bits, only 32 msb bits used)
116
static void tkip_mixing_phase1(const u8 *ta, const u8 *tk, u32 tsc_IV32,
121
p1k[0] = Lo16(tsc_IV32);
122
p1k[1] = Hi16(tsc_IV32);
123
p1k[2] = Mk16(ta[1], ta[0]);
124
p1k[3] = Mk16(ta[3], ta[2]);
125
p1k[4] = Mk16(ta[5], ta[4]);
127
for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
129
p1k[0] += tkip_S(p1k[4] ^ Mk16(tk[ 1 + j], tk[ 0 + j]));
130
p1k[1] += tkip_S(p1k[0] ^ Mk16(tk[ 5 + j], tk[ 4 + j]));
131
p1k[2] += tkip_S(p1k[1] ^ Mk16(tk[ 9 + j], tk[ 8 + j]));
132
p1k[3] += tkip_S(p1k[2] ^ Mk16(tk[13 + j], tk[12 + j]));
133
p1k[4] += tkip_S(p1k[3] ^ Mk16(tk[ 1 + j], tk[ 0 + j])) + i;
138
static void tkip_mixing_phase2(const u16 *p1k, const u8 *tk, u16 tsc_IV16,
149
ppk[5] = p1k[4] + tsc_IV16;
151
ppk[0] += tkip_S(ppk[5] ^ Mk16(tk[ 1], tk[ 0]));
152
ppk[1] += tkip_S(ppk[0] ^ Mk16(tk[ 3], tk[ 2]));
153
ppk[2] += tkip_S(ppk[1] ^ Mk16(tk[ 5], tk[ 4]));
154
ppk[3] += tkip_S(ppk[2] ^ Mk16(tk[ 7], tk[ 6]));
155
ppk[4] += tkip_S(ppk[3] ^ Mk16(tk[ 9], tk[ 8]));
156
ppk[5] += tkip_S(ppk[4] ^ Mk16(tk[11], tk[10]));
157
ppk[0] += RotR1(ppk[5] ^ Mk16(tk[13], tk[12]));
158
ppk[1] += RotR1(ppk[0] ^ Mk16(tk[15], tk[14]));
159
ppk[2] += RotR1(ppk[1]);
160
ppk[3] += RotR1(ppk[2]);
161
ppk[4] += RotR1(ppk[3]);
162
ppk[5] += RotR1(ppk[4]);
164
rc4key[0] = Hi8(tsc_IV16);
165
rc4key[1] = (Hi8(tsc_IV16) | 0x20) & 0x7f;
166
rc4key[2] = Lo8(tsc_IV16);
167
rc4key[3] = Lo8((ppk[5] ^ Mk16(tk[1], tk[0])) >> 1);
169
for (i = 0; i < 6; i++) {
170
rc4key[4 + 2 * i] = Lo8(ppk[i]);
171
rc4key[5 + 2 * i] = Hi8(ppk[i]);
176
/* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
177
* of the IV. Returns pointer to the octet following IVs (i.e., beginning of
178
* the packet payload). */
179
u8 * ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key,
180
u8 iv0, u8 iv1, u8 iv2)
185
*pos++ = (key->keyidx << 6) | (1 << 5) /* Ext IV */;
186
*pos++ = key->u.tkip.iv32 & 0xff;
187
*pos++ = (key->u.tkip.iv32 >> 8) & 0xff;
188
*pos++ = (key->u.tkip.iv32 >> 16) & 0xff;
189
*pos++ = (key->u.tkip.iv32 >> 24) & 0xff;
194
void ieee80211_tkip_gen_phase1key(struct ieee80211_key *key, u8 *ta,
197
tkip_mixing_phase1(ta, &key->key[ALG_TKIP_TEMP_ENCR_KEY],
198
key->u.tkip.iv32, phase1key);
201
void ieee80211_tkip_gen_rc4key(struct ieee80211_key *key, u8 *ta,
204
/* Calculate per-packet key */
205
if (key->u.tkip.iv16 == 0 || !key->u.tkip.tx_initialized) {
206
/* IV16 wrapped around - perform TKIP phase 1 */
207
tkip_mixing_phase1(ta, &key->key[ALG_TKIP_TEMP_ENCR_KEY],
208
key->u.tkip.iv32, key->u.tkip.p1k);
209
key->u.tkip.tx_initialized = 1;
212
tkip_mixing_phase2(key->u.tkip.p1k, &key->key[ALG_TKIP_TEMP_ENCR_KEY],
213
key->u.tkip.iv16, rc4key);
216
/* Encrypt packet payload with TKIP using @key. @pos is a pointer to the
217
* beginning of the buffer containing payload. This payload must include
218
* headroom of eight octets for IV and Ext. IV and taildroom of four octets
219
* for ICV. @payload_len is the length of payload (_not_ including extra
220
* headroom and tailroom). @ta is the transmitter addresses. */
221
void ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
222
struct ieee80211_key *key,
223
u8 *pos, size_t payload_len, u8 *ta)
227
ieee80211_tkip_gen_rc4key(key, ta, rc4key);
228
pos = ieee80211_tkip_add_iv(pos, key, rc4key[0], rc4key[1], rc4key[2]);
229
ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len);
233
/* Decrypt packet payload with TKIP using @key. @pos is a pointer to the
234
* beginning of the buffer containing IEEE 802.11 header payload, i.e.,
235
* including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
236
* length of payload, including IV, Ext. IV, MIC, ICV. */
237
int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
238
struct ieee80211_key *key,
239
u8 *payload, size_t payload_len, u8 *ta,
240
int only_iv, int queue)
244
u8 rc4key[16], keyid, *pos = payload;
247
if (payload_len < 12)
250
iv16 = (pos[0] << 8) | pos[2];
252
iv32 = pos[4] | (pos[5] << 8) | (pos[6] << 16) | (pos[7] << 24);
254
#ifdef CONFIG_TKIP_DEBUG
257
printk(KERN_DEBUG "TKIP decrypt: data(len=%zd)", payload_len);
258
for (i = 0; i < payload_len; i++)
259
printk(" %02x", payload[i]);
261
printk(KERN_DEBUG "TKIP decrypt: iv16=%04x iv32=%08x\n",
264
#endif /* CONFIG_TKIP_DEBUG */
266
if (!(keyid & (1 << 5)))
267
return TKIP_DECRYPT_NO_EXT_IV;
269
if ((keyid >> 6) != key->keyidx)
270
return TKIP_DECRYPT_INVALID_KEYIDX;
272
if (key->u.tkip.rx_initialized[queue] &&
273
(iv32 < key->u.tkip.iv32_rx[queue] ||
274
(iv32 == key->u.tkip.iv32_rx[queue] &&
275
iv16 <= key->u.tkip.iv16_rx[queue]))) {
276
#ifdef CONFIG_TKIP_DEBUG
277
printk(KERN_DEBUG "TKIP replay detected for RX frame from "
278
MAC_FMT " (RX IV (%04x,%02x) <= prev. IV (%04x,%02x)\n",
280
iv32, iv16, key->u.tkip.iv32_rx[queue],
281
key->u.tkip.iv16_rx[queue]);
282
#endif /* CONFIG_TKIP_DEBUG */
283
return TKIP_DECRYPT_REPLAY;
287
res = TKIP_DECRYPT_OK;
288
key->u.tkip.rx_initialized[queue] = 1;
292
if (!key->u.tkip.rx_initialized[queue] ||
293
key->u.tkip.iv32_rx[queue] != iv32) {
294
key->u.tkip.rx_initialized[queue] = 1;
295
/* IV16 wrapped around - perform TKIP phase 1 */
296
tkip_mixing_phase1(ta, &key->key[ALG_TKIP_TEMP_ENCR_KEY],
297
iv32, key->u.tkip.p1k_rx[queue]);
298
#ifdef CONFIG_TKIP_DEBUG
301
printk(KERN_DEBUG "TKIP decrypt: Phase1 TA=" MAC_FMT
302
" TK=", MAC_ARG(ta));
303
for (i = 0; i < 16; i++)
305
key->key[ALG_TKIP_TEMP_ENCR_KEY + i]);
307
printk(KERN_DEBUG "TKIP decrypt: P1K=");
308
for (i = 0; i < 5; i++)
309
printk("%04x ", key->u.tkip.p1k_rx[queue][i]);
312
#endif /* CONFIG_TKIP_DEBUG */
315
tkip_mixing_phase2(key->u.tkip.p1k_rx[queue],
316
&key->key[ALG_TKIP_TEMP_ENCR_KEY],
318
#ifdef CONFIG_TKIP_DEBUG
321
printk(KERN_DEBUG "TKIP decrypt: Phase2 rc4key=");
322
for (i = 0; i < 16; i++)
323
printk("%02x ", rc4key[i]);
326
#endif /* CONFIG_TKIP_DEBUG */
328
res = ieee80211_wep_decrypt_data(tfm, rc4key, 16, pos, payload_len - 12);
330
if (res == TKIP_DECRYPT_OK) {
331
/* FIX: these should be updated only after Michael MIC has been
333
/* Record previously received IV */
334
key->u.tkip.iv32_rx[queue] = iv32;
335
key->u.tkip.iv16_rx[queue] = iv16;