iPXE
wpa_tkip.c
Go to the documentation of this file.
00001 /*
00002  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  */
00019 
00020 FILE_LICENCE ( GPL2_OR_LATER );
00021 
00022 #include <string.h>
00023 #include <ipxe/net80211.h>
00024 #include <ipxe/crypto.h>
00025 #include <ipxe/hmac.h>
00026 #include <ipxe/sha1.h>
00027 #include <ipxe/md5.h>
00028 #include <ipxe/crc32.h>
00029 #include <ipxe/arc4.h>
00030 #include <ipxe/wpa.h>
00031 #include <byteswap.h>
00032 #include <errno.h>
00033 
00034 /** @file
00035  *
00036  * Backend for WPA using the TKIP encryption standard.
00037  */
00038 
00039 /** Context for one direction of TKIP, either encryption or decryption */
00040 struct tkip_dir_ctx
00041 {
00042         /** High 32 bits of last sequence counter value used */
00043         u32 tsc_hi;
00044 
00045         /** Low 32 bits of last sequence counter value used */
00046         u16 tsc_lo;
00047 
00048         /** MAC address used to derive TTAK */
00049         u8 mac[ETH_ALEN];
00050 
00051         /** If TRUE, TTAK is valid */
00052         u16 ttak_ok;
00053 
00054         /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
00055         u16 ttak[5];
00056 };
00057 
00058 /** Context for TKIP encryption and decryption */
00059 struct tkip_ctx
00060 {
00061         /** Temporal key to use */
00062         struct tkip_tk tk;
00063 
00064         /** State for encryption */
00065         struct tkip_dir_ctx enc;
00066 
00067         /** State for decryption */
00068         struct tkip_dir_ctx dec;
00069 };
00070 
00071 /** Header structure at the beginning of TKIP frame data */
00072 struct tkip_head
00073 {
00074         u8 tsc1;                /**< High byte of low 16 bits of TSC */
00075         u8 seed1;               /**< Second byte of WEP seed */
00076         u8 tsc0;                /**< Low byte of TSC */
00077         u8 kid;                 /**< Key ID and ExtIV byte */
00078         u32 tsc_hi;             /**< High 32 bits of TSC, as an ExtIV */
00079 } __attribute__ (( packed ));
00080 
00081 
00082 /** TKIP header overhead (IV + KID + ExtIV) */
00083 #define TKIP_HEAD_LEN   8
00084 
00085 /** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
00086 #define TKIP_FOOT_LEN   12
00087 
00088 /** TKIP MIC length */
00089 #define TKIP_MIC_LEN    8
00090 
00091 /** TKIP ICV length */
00092 #define TKIP_ICV_LEN    4
00093 
00094 
00095 /** TKIP S-box */
00096 static const u16 Sbox[256] = {
00097         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
00098         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
00099         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
00100         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
00101         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
00102         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
00103         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
00104         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
00105         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
00106         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
00107         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
00108         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
00109         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
00110         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
00111         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
00112         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
00113         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
00114         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
00115         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
00116         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
00117         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
00118         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
00119         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
00120         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
00121         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
00122         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
00123         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
00124         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
00125         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
00126         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
00127         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
00128         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
00129 };
00130 
00131 /**
00132  * Perform S-box mapping on a 16-bit value
00133  *
00134  * @v v         Value to perform S-box mapping on
00135  * @ret Sv      S-box mapped value
00136  */
00137 static inline u16 S ( u16 v )
00138 {
00139         return Sbox[v & 0xFF] ^ bswap_16 ( Sbox[v >> 8] );
00140 }
00141 
00142 /**
00143  * Rotate 16-bit value right
00144  *
00145  * @v v         Value to rotate
00146  * @v bits      Number of bits to rotate by
00147  * @ret rotv    Rotated value
00148  */
00149 static inline u16 ror16 ( u16 v, int bits )
00150 {
00151         return ( v >> bits ) | ( v << ( 16 - bits ) );
00152 }
00153 
00154 /**
00155  * Rotate 32-bit value right
00156  *
00157  * @v v         Value to rotate
00158  * @v bits      Number of bits to rotate by
00159  * @ret rotv    Rotated value
00160  */
00161 static inline u32 ror32 ( u32 v, int bits )
00162 {
00163         return ( v >> bits ) | ( v << ( 32 - bits ) );
00164 }
00165 
00166 /**
00167  * Rotate 32-bit value left
00168  *
00169  * @v v         Value to rotate
00170  * @v bits      Number of bits to rotate by
00171  * @ret rotv    Rotated value
00172  */
00173 static inline u32 rol32 ( u32 v, int bits )
00174 {
00175         return ( v << bits ) | ( v >> ( 32 - bits ) );
00176 }
00177 
00178 
00179 /**
00180  * Initialise TKIP state and install key
00181  *
00182  * @v crypto    TKIP cryptosystem structure
00183  * @v key       Pointer to tkip_tk to install
00184  * @v keylen    Length of key (32 bytes)
00185  * @v rsc       Initial receive sequence counter
00186  */
00187 static int tkip_init ( struct net80211_crypto *crypto, const void *key,
00188                        int keylen, const void *rsc )
00189 {
00190         struct tkip_ctx *ctx = crypto->priv;
00191         const u8 *rscb = rsc;
00192 
00193         if ( keylen != sizeof ( ctx->tk ) )
00194                 return -EINVAL;
00195 
00196         if ( rscb ) {
00197                 ctx->dec.tsc_lo =   ( rscb[1] <<  8 ) |   rscb[0];
00198                 ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
00199                                     ( rscb[3] <<  8 ) |   rscb[2] );
00200         }
00201 
00202         memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
00203 
00204         return 0;
00205 }
00206 
00207 /**
00208  * Perform TKIP key mixing, phase 1
00209  *
00210  * @v dctx      TKIP directional context
00211  * @v tk        TKIP temporal key
00212  * @v mac       MAC address of transmitter
00213  *
00214  * This recomputes the TTAK in @a dctx if necessary, and sets
00215  * @c dctx->ttak_ok.
00216  */
00217 static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
00218 {
00219         int i, j;
00220 
00221         if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
00222                 return;
00223 
00224         memcpy ( dctx->mac, mac, ETH_ALEN );
00225 
00226         dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
00227         dctx->ttak[1] = dctx->tsc_hi >> 16;
00228         dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
00229         dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
00230         dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
00231 
00232         for ( i = 0; i < 8; i++ ) {
00233                 j = 2 * ( i & 1 );
00234 
00235                 dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
00236                                                          tk->key[0 + j] ) );
00237                 dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
00238                                                          tk->key[4 + j] ) );
00239                 dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
00240                                                          tk->key[8 + j] ) );
00241                 dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
00242                                                          tk->key[12+ j] ) );
00243                 dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
00244                                                          tk->key[0 + j] ) ) + i;
00245         }
00246 
00247         dctx->ttak_ok = 1;
00248 }
00249 
00250 /**
00251  * Perform TKIP key mixing, phase 2
00252  *
00253  * @v dctx      TKIP directional context
00254  * @v tk        TKIP temporal key
00255  * @ret key     ARC4 key, 16 bytes long
00256  */
00257 static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
00258                          void *key )
00259 {
00260         u8 *kb = key;
00261         u16 ppk[6];
00262         int i;
00263 
00264         memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
00265         ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
00266 
00267         ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
00268         ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
00269         ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
00270         ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
00271         ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
00272         ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
00273 
00274         ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
00275         ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
00276         ppk[2] += ror16 ( ppk[1], 1 );
00277         ppk[3] += ror16 ( ppk[2], 1 );
00278         ppk[4] += ror16 ( ppk[3], 1 );
00279         ppk[5] += ror16 ( ppk[4], 1 );
00280 
00281         kb[0] = dctx->tsc_lo >> 8;
00282         kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
00283         kb[2] = dctx->tsc_lo & 0xFF;
00284         kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
00285                 & 0xFF;
00286 
00287         for ( i = 0; i < 6; i++ ) {
00288                 kb[4 + 2*i] = ppk[i] & 0xFF;
00289                 kb[5 + 2*i] = ppk[i] >> 8;
00290         }
00291 }
00292 
00293 /**
00294  * Update Michael message integrity code based on next 32-bit word of data
00295  *
00296  * @v V         Michael code state (two 32-bit words)
00297  * @v word      Next 32-bit word of data
00298  */
00299 static void tkip_feed_michael ( u32 *V, u32 word )
00300 {
00301         V[0] ^= word;
00302         V[1] ^= rol32 ( V[0], 17 );
00303         V[0] += V[1];
00304         V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
00305         V[0] += V[1];
00306         V[1] ^= rol32 ( V[0], 3 );
00307         V[0] += V[1];
00308         V[1] ^= ror32 ( V[0], 2 );
00309         V[0] += V[1];
00310 }
00311 
00312 /**
00313  * Calculate Michael message integrity code
00314  *
00315  * @v key       MIC key to use (8 bytes)
00316  * @v da        Destination link-layer address
00317  * @v sa        Source link-layer address
00318  * @v data      Start of data to calculate over
00319  * @v len       Length of header + data
00320  * @ret mic     Calculated Michael MIC (8 bytes)
00321  */
00322 static void tkip_michael ( const void *key, const void *da, const void *sa,
00323                            const void *data, size_t len, void *mic )
00324 {
00325         u32 V[2];               /* V[0] = "l", V[1] = "r" in 802.11 */
00326         union {
00327                 u8 byte[12];
00328                 u32 word[3];
00329         } cap;
00330         const u8 *ptr = data;
00331         const u8 *end = ptr + len;
00332         int i;
00333 
00334         memcpy ( V, key, sizeof ( V ) );
00335         V[0] = le32_to_cpu ( V[0] );
00336         V[1] = le32_to_cpu ( V[1] );
00337 
00338         /* Feed in header (we assume non-QoS, so Priority = 0) */
00339         memcpy ( &cap.byte[0], da, ETH_ALEN );
00340         memcpy ( &cap.byte[6], sa, ETH_ALEN );
00341         tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
00342         tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
00343         tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
00344         tkip_feed_michael ( V, 0 );
00345 
00346         /* Feed in data */
00347         while ( ptr + 4 <= end ) {
00348                 tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
00349                 ptr += 4;
00350         }
00351 
00352         /* Add unaligned part and padding */
00353         for ( i = 0; ptr < end; i++ )
00354                 cap.byte[i] = *ptr++;
00355         cap.byte[i++] = 0x5a;
00356         for ( ; i < 8; i++ )
00357                 cap.byte[i] = 0;
00358 
00359         /* Feed in padding */
00360         tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
00361         tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
00362 
00363         /* Output MIC */
00364         V[0] = cpu_to_le32 ( V[0] );
00365         V[1] = cpu_to_le32 ( V[1] );
00366         memcpy ( mic, V, sizeof ( V ) );
00367 }
00368 
00369 /**
00370  * Encrypt a packet using TKIP
00371  *
00372  * @v crypto    TKIP cryptosystem
00373  * @v iob       I/O buffer containing cleartext packet
00374  * @ret eiob    I/O buffer containing encrypted packet
00375  */
00376 static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
00377                                          struct io_buffer *iob )
00378 {
00379         struct tkip_ctx *ctx = crypto->priv;
00380         struct ieee80211_frame *hdr = iob->data;
00381         struct io_buffer *eiob;
00382         struct arc4_ctx arc4;
00383         u8 key[16];
00384         struct tkip_head head;
00385         u8 mic[8];
00386         u32 icv;
00387         const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
00388         int datalen = iob_len ( iob ) - hdrlen;
00389 
00390         ctx->enc.tsc_lo++;
00391         if ( ctx->enc.tsc_lo == 0 ) {
00392                 ctx->enc.tsc_hi++;
00393                 ctx->enc.ttak_ok = 0;
00394         }
00395 
00396         tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
00397         tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
00398 
00399         eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
00400         if ( ! eiob )
00401                 return NULL;
00402 
00403         /* Copy frame header */
00404         memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
00405         hdr = eiob->data;
00406         hdr->fc |= IEEE80211_FC_PROTECTED;
00407 
00408         /* Fill in IV and key ID byte, and extended IV */
00409         memcpy ( &head, key, 3 );
00410         head.kid = 0x20;                /* have Extended IV, key ID 0 */
00411         head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
00412         memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
00413 
00414         /* Copy and encrypt the data */
00415         cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
00416         cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
00417                          iob_put ( eiob, datalen ), datalen );
00418 
00419         /* Add MIC */
00420         hdr = iob->data;
00421         tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
00422                        iob->data + hdrlen, datalen, mic );
00423         cipher_encrypt ( &arc4_algorithm, &arc4, mic,
00424                          iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
00425 
00426         /* Add ICV */
00427         icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
00428         icv = crc32_le ( icv, mic, sizeof ( mic ) );
00429         icv = cpu_to_le32 ( ~icv );
00430         cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
00431                          iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
00432 
00433         DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
00434                 iob, eiob );
00435 
00436         return eiob;
00437 }
00438 
00439 /**
00440  * Decrypt a packet using TKIP
00441  *
00442  * @v crypto    TKIP cryptosystem
00443  * @v eiob      I/O buffer containing encrypted packet
00444  * @ret iob     I/O buffer containing cleartext packet
00445  */
00446 static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
00447                                          struct io_buffer *eiob )
00448 {
00449         struct tkip_ctx *ctx = crypto->priv;
00450         struct ieee80211_frame *hdr;
00451         struct io_buffer *iob;
00452         const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
00453         int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
00454         struct tkip_head *head;
00455         struct arc4_ctx arc4;
00456         u16 rx_tsc_lo;
00457         u8 key[16];
00458         u8 mic[8];
00459         u32 icv, crc;
00460 
00461         iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
00462         if ( ! iob )
00463                 return NULL;
00464 
00465         /* Copy frame header */
00466         memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
00467         hdr = iob->data;
00468         hdr->fc &= ~IEEE80211_FC_PROTECTED;
00469 
00470         /* Check and update TSC */
00471         head = eiob->data + hdrlen;
00472         rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
00473 
00474         if ( head->tsc_hi < ctx->dec.tsc_hi ||
00475              ( head->tsc_hi == ctx->dec.tsc_hi &&
00476                rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
00477                 DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
00478                        "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
00479                        rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
00480                 free_iob ( iob );
00481                 return NULL;
00482         }
00483         ctx->dec.tsc_lo = rx_tsc_lo;
00484         if ( ctx->dec.tsc_hi != head->tsc_hi ) {
00485                 ctx->dec.ttak_ok = 0;
00486                 ctx->dec.tsc_hi = head->tsc_hi;
00487         }
00488 
00489         /* Calculate key */
00490         tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
00491         tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
00492 
00493         /* Copy-decrypt data, MIC, ICV */
00494         cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
00495         cipher_decrypt ( &arc4_algorithm, &arc4,
00496                          eiob->data + hdrlen + TKIP_HEAD_LEN,
00497                          iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
00498 
00499         /* Check ICV */
00500         icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
00501         crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
00502         if ( crc != icv ) {
00503                 DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
00504                        ctx, icv, crc );
00505                 free_iob ( iob );
00506                 return NULL;
00507         }
00508 
00509         /* Check MIC */
00510         tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
00511                        iob->data + hdrlen, datalen, mic );
00512         if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
00513                 DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
00514                 /* XXX we should do the countermeasures here */
00515                 free_iob ( iob );
00516                 return NULL;
00517         }
00518 
00519         DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
00520                 eiob, iob );
00521 
00522         return iob;
00523 }
00524 
00525 /** TKIP cryptosystem */
00526 struct net80211_crypto tkip_crypto __net80211_crypto = {
00527         .algorithm = NET80211_CRYPT_TKIP,
00528         .init = tkip_init,
00529         .encrypt = tkip_encrypt,
00530         .decrypt = tkip_decrypt,
00531         .priv_len = sizeof ( struct tkip_ctx ),
00532 };
00533 
00534 
00535 
00536 
00537 /**
00538  * Calculate HMAC-MD5 MIC for EAPOL-Key frame
00539  *
00540  * @v kck       Key Confirmation Key, 16 bytes
00541  * @v msg       Message to calculate MIC over
00542  * @v len       Number of bytes to calculate MIC over
00543  * @ret mic     Calculated MIC, 16 bytes long
00544  */
00545 static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
00546                            void *mic )
00547 {
00548         uint8_t ctx[MD5_CTX_SIZE];
00549         u8 kckb[16];
00550         size_t kck_len = 16;
00551 
00552         memcpy ( kckb, kck, kck_len );
00553 
00554         hmac_init ( &md5_algorithm, ctx, kckb, &kck_len );
00555         hmac_update ( &md5_algorithm, ctx, msg, len );
00556         hmac_final ( &md5_algorithm, ctx, kckb, &kck_len, mic );
00557 }
00558 
00559 /**
00560  * Decrypt key data in EAPOL-Key frame
00561  *
00562  * @v kek       Key Encryption Key, 16 bytes
00563  * @v iv        Initialisation vector, 16 bytes
00564  * @v msg       Message to decrypt
00565  * @v len       Length of message
00566  * @ret msg     Decrypted message in place of original
00567  * @ret len     Unchanged
00568  * @ret rc      Always 0 for success
00569  */
00570 static int tkip_kie_decrypt ( const void *kek, const void *iv,
00571                               void *msg, u16 *len )
00572 {
00573         u8 key[32];
00574         memcpy ( key, iv, 16 );
00575         memcpy ( key + 16, kek, 16 );
00576 
00577         arc4_skip ( key, 32, 256, msg, msg, *len );
00578 
00579         return 0;
00580 }
00581 
00582 
00583 /** TKIP-style key integrity and encryption handler */
00584 struct wpa_kie tkip_kie __wpa_kie = {
00585         .version = EAPOL_KEY_VERSION_WPA,
00586         .mic = tkip_kie_mic,
00587         .decrypt = tkip_kie_decrypt,
00588 };