iPXE
wpa_tkip.c File Reference

Backend for WPA using the TKIP encryption standard. More...

#include <string.h>
#include <ipxe/net80211.h>
#include <ipxe/crypto.h>
#include <ipxe/hmac.h>
#include <ipxe/sha1.h>
#include <ipxe/md5.h>
#include <ipxe/crc32.h>
#include <ipxe/arc4.h>
#include <ipxe/wpa.h>
#include <byteswap.h>
#include <errno.h>


Data Structures

struct  tkip_dir_ctx
 Context for one direction of TKIP, either encryption or decryption. More...
 
struct  tkip_ctx
 Context for TKIP encryption and decryption. More...
 
struct  tkip_head
 Header structure at the beginning of TKIP frame data. More...
 

Macros

#define TKIP_HEAD_LEN   8
 TKIP header overhead (IV + KID + ExtIV) More...
 
#define TKIP_FOOT_LEN   12
 TKIP trailer overhead (MIC + ICV) [assumes unfragmented]. More...
 
#define TKIP_MIC_LEN   8
 TKIP MIC length. More...
 
#define TKIP_ICV_LEN   4
 TKIP ICV length. More...
 

Functions

 FILE_LICENCE (GPL2_OR_LATER)
 
 FILE_SECBOOT (FORBIDDEN)
 
static u16 S (u16 v)
 Perform S-box mapping on a 16-bit value. More...
 
static u16 ror16 (u16 v, int bits)
 Rotate 16-bit value right. More...
 
static u32 ror32 (u32 v, int bits)
 Rotate 32-bit value right. More...
 
static u32 rol32 (u32 v, int bits)
 Rotate 32-bit value left. More...
 
static int tkip_init (struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
 Initialise TKIP state and install key. More...
 
static void tkip_mix_1 (struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
 Perform TKIP key mixing, phase 1. More...
 
static void tkip_mix_2 (struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
 Perform TKIP key mixing, phase 2. More...
 
static void tkip_feed_michael (u32 *V, u32 word)
 Update Michael message integrity code based on next 32-bit word of data. More...
 
static void tkip_michael (const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
 Calculate Michael message integrity code. More...
 
static struct io_buffer * tkip_encrypt (struct net80211_crypto *crypto, struct io_buffer *iob)
 Encrypt a packet using TKIP. More...
 
static struct io_buffer * tkip_decrypt (struct net80211_crypto *crypto, struct io_buffer *eiob)
 Decrypt a packet using TKIP. More...
 
static void tkip_kie_mic (const void *kck, const void *msg, size_t len, void *mic)
 Calculate HMAC-MD5 MIC for EAPOL-Key frame. More...
 
static int tkip_kie_decrypt (const void *kek, const void *iv, void *msg, u16 *len)
 Decrypt key data in EAPOL-Key frame. More...
 

Variables

static const u16 Sbox [256]
 TKIP S-box. More...
 
struct net80211_crypto tkip_crypto __net80211_crypto
 TKIP cryptosystem. More...
 
struct wpa_kie tkip_kie __wpa_kie
 TKIP-style key integrity and encryption handler. More...
 

Detailed Description

Backend for WPA using the TKIP encryption standard.

Definition in file wpa_tkip.c.

Macro Definition Documentation

◆ TKIP_HEAD_LEN

#define TKIP_HEAD_LEN   8

TKIP header overhead (IV + KID + ExtIV)

Definition at line 84 of file wpa_tkip.c.

◆ TKIP_FOOT_LEN

#define TKIP_FOOT_LEN   12

TKIP trailer overhead (MIC + ICV) [assumes unfragmented].

Definition at line 87 of file wpa_tkip.c.

◆ TKIP_MIC_LEN

#define TKIP_MIC_LEN   8

TKIP MIC length.

Definition at line 90 of file wpa_tkip.c.

◆ TKIP_ICV_LEN

#define TKIP_ICV_LEN   4

TKIP ICV length.

Definition at line 93 of file wpa_tkip.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER  )

◆ FILE_SECBOOT()

FILE_SECBOOT ( FORBIDDEN  )

◆ S()

static u16 S ( u16  v)
inlinestatic

Perform S-box mapping on a 16-bit value.

Parameters
v — Value to perform S-box mapping on
Return values
Sv — S-box mapped value

Definition at line 138 of file wpa_tkip.c.

/**
 * Perform S-box mapping on a 16-bit value
 *
 * @v v		Value to perform S-box mapping on
 * @ret Sv	S-box mapped value
 *
 * The low byte of @c v indexes Sbox directly; the high byte indexes
 * the same table and its entry is byte-swapped before the two are
 * XORed together.
 */
static inline u16 S ( u16 v )
{
	const u16 lo_entry = Sbox[v & 0xFF];
	const u16 hi_entry = Sbox[v >> 8];

	return lo_entry ^ bswap_16 ( hi_entry );
}
static const u16 Sbox[256]
TKIP S-box.
Definition: wpa_tkip.c:97
#define bswap_16(value)
Definition: byteswap.h:59

References bswap_16, and Sbox.

Referenced by arc4_setkey(), arc4_xor(), ccmp_ctr_xor(), tkip_mix_1(), and tkip_mix_2().

◆ ror16()

static u16 ror16 ( u16  v,
int  bits 
)
inlinestatic

Rotate 16-bit value right.

Parameters
v — Value to rotate
bits — Number of bits to rotate by
Return values
rotv — Rotated value

Definition at line 150 of file wpa_tkip.c.

/**
 * Rotate 16-bit value right
 *
 * @v v		Value to rotate
 * @v bits	Number of bits to rotate by
 * @ret rotv	Rotated value
 *
 * No range check is made on @c bits; the only caller shown on this
 * page (tkip_mix_2) passes the constant 1.
 */
static inline u16 ror16 ( u16 v, int bits )
{
	const u16 shifted_down = v >> bits;
	const u16 wrapped_up = v << ( 16 - bits );

	return wrapped_up | shifted_down;
}
static volatile void * bits
Definition: bitops.h:28

References bits.

Referenced by tkip_mix_2().

◆ ror32()

static u32 ror32 ( u32  v,
int  bits 
)
inlinestatic

Rotate 32-bit value right.

Parameters
v — Value to rotate
bits — Number of bits to rotate by
Return values
rotv — Rotated value

Definition at line 162 of file wpa_tkip.c.

/**
 * Rotate 32-bit value right
 *
 * @v v		Value to rotate
 * @v bits	Number of bits to rotate by
 * @ret rotv	Rotated value
 *
 * @c bits is not range-checked.  A value of 0 (or 32) would make one
 * of the two shifts a full-width shift, which C leaves undefined, so
 * callers must pass 1..31; tkip_feed_michael passes the constant 2.
 */
static inline u32 ror32 ( u32 v, int bits )
{
	const u32 shifted_down = v >> bits;
	const u32 wrapped_up = v << ( 32 - bits );

	return wrapped_up | shifted_down;
}
static volatile void * bits
Definition: bitops.h:28

References bits.

Referenced by aes_key_rotate(), des_generate(), sha256_digest(), and tkip_feed_michael().

◆ rol32()

static u32 rol32 ( u32  v,
int  bits 
)
inlinestatic

Rotate 32-bit value left.

Parameters
v — Value to rotate
bits — Number of bits to rotate by
Return values
rotv — Rotated value

Definition at line 174 of file wpa_tkip.c.

/**
 * Rotate 32-bit value left
 *
 * @v v		Value to rotate
 * @v bits	Number of bits to rotate by
 * @ret rotv	Rotated value
 *
 * @c bits is not range-checked.  A value of 0 (or 32) would make one
 * of the two shifts a full-width shift, which C leaves undefined, so
 * callers must pass 1..31; tkip_feed_michael passes 17 and 3.
 */
static inline u32 rol32 ( u32 v, int bits )
{
	const u32 shifted_up = v << bits;
	const u32 wrapped_down = v >> ( 32 - bits );

	return shifted_up | wrapped_down;
}
static volatile void * bits
Definition: bitops.h:28

References bits.

Referenced by aes_key_rotate(), aes_key_sbox(), des_rol28(), des_sbox(), md4_digest(), md5_digest(), sha1_digest(), and tkip_feed_michael().

◆ tkip_init()

static int tkip_init ( struct net80211_crypto crypto,
const void *  key,
int  keylen,
const void *  rsc 
)
static

Initialise TKIP state and install key.

Parameters
crypto — TKIP cryptosystem structure
key — Pointer to tkip_tk to install
keylen — Length of key (32 bytes)
rsc — Initial receive sequence counter

Definition at line 188 of file wpa_tkip.c.

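/**
 * Initialise TKIP state and install key
 *
 * @v crypto	TKIP cryptosystem structure
 * @v key	Pointer to tkip_tk to install
 * @v keylen	Length of key (32 bytes)
 * @v rsc	Initial receive sequence counter, or NULL
 * @ret rc	0 on success, -EINVAL if @c keylen is not the size of
 *		the temporal key structure
 *
 * When @c rsc is given, its first six bytes are read as a
 * little-endian 48-bit counter and become the receive-side replay
 * floor: tkip_decrypt drops any frame whose TSC is not strictly
 * greater.  When @c rsc is NULL the receive counter is left as it was.
 */
static int tkip_init ( struct net80211_crypto *crypto, const void *key,
		       int keylen, const void *rsc )
{
	struct tkip_ctx *ctx = crypto->priv;
	const u8 *rscb = rsc;

	/* Reject anything that is not exactly one temporal key */
	if ( keylen != sizeof ( ctx->tk ) )
		return -EINVAL;

	if ( rscb ) {
		ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
		/* Widen each byte before shifting: a u8 promotes to
		 * signed int, and shifting a value >= 0x80 left by 24
		 * overflows that int.
		 */
		ctx->dec.tsc_hi = ( ( ( u32 ) rscb[5] << 24 ) |
				    ( ( u32 ) rscb[4] << 16 ) |
				    ( ( u32 ) rscb[3] << 8 ) |
				    ( u32 ) rscb[2] );
	}

	/* A cached TTAK is a function of the temporal key and of
	 * tsc_hi; both may just have changed, so force phase 1 to run
	 * again in each direction.
	 */
	ctx->enc.ttak_ok = 0;
	ctx->dec.ttak_ok = 0;

	memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );

	return 0;
}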
#define EINVAL
Invalid argument.
Definition: errno.h:429
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
void * memcpy(void *dest, const void *src, size_t len) __nonnull
u8 rsc[8]
Receive sequence counter for GTK.
Definition: wpa.h:69
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:60
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18

References ctx, EINVAL, key, memcpy(), net80211_crypto::priv, and rsc.

◆ tkip_mix_1()

static void tkip_mix_1 ( struct tkip_dir_ctx dctx,
struct tkip_tk tk,
u8 mac 
)
static

Perform TKIP key mixing, phase 1.

Parameters
dctx — TKIP directional context
tk — TKIP temporal key
mac — MAC address of transmitter

This recomputes the TTAK in dctx if necessary, and sets dctx->ttak_ok.

Definition at line 218 of file wpa_tkip.c.

/*
 * TKIP key mixing, phase 1: derive the five 16-bit TTAK words in
 * dctx->ttak from the temporal key, the transmitter MAC address and
 * dctx->tsc_hi, and mark them valid.
 *
 * The result is cached.  The cache check below compares only the MAC
 * address; it never looks at tsc_hi, so a caller that changes
 * dctx->tsc_hi must clear dctx->ttak_ok itself (tkip_encrypt and
 * tkip_decrypt on this page both do).
 */
219 {
220  int i, j;
221 
     /* Reuse the cached TTAK if it is flagged valid and was derived
      * for this same transmitter address */
222  if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
223  return;
224 
     /* Remember which address this TTAK belongs to */
225  memcpy ( dctx->mac, mac, ETH_ALEN );
226 
     /* Seed: the two halves of tsc_hi, then the MAC address taken as
      * three little-endian 16-bit words */
227  dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
228  dctx->ttak[1] = dctx->tsc_hi >> 16;
229  dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
230  dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
231  dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
232 
     /* Eight rounds; j alternates between 0 and 2, so even and odd
      * rounds read different byte pairs of tk->key[0..15] */
233  for ( i = 0; i < 8; i++ ) {
234  j = 2 * ( i & 1 );
235 
236  dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
237  tk->key[0 + j] ) );
238  dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
239  tk->key[4 + j] ) );
240  dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
241  tk->key[8 + j] ) );
242  dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
243  tk->key[12+ j] ) );
     /* The last step of each round also adds the round index */
244  dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
245  tk->key[0 + j] ) ) + i;
246  }
247 
248  dctx->ttak_ok = 1;
249 }
u8 mac[ETH_ALEN]
MAC address used to derive TTAK.
Definition: wpa_tkip.c:50
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition: wpa_tkip.c:138
void * memcpy(void *dest, const void *src, size_t len) __nonnull
union wpa_tk tk
Temporal key.
Definition: wpa.h:34
#define ETH_ALEN
Definition: if_ether.h:9
u16 ttak_ok
If TRUE, TTAK is valid.
Definition: wpa_tkip.c:53
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition: wpa_tkip.c:56
u32 tsc_hi
High 32 bits of last sequence counter value used.
Definition: wpa_tkip.c:44
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:115

References ETH_ALEN, mac, tkip_dir_ctx::mac, memcmp(), memcpy(), S(), tk, tkip_dir_ctx::tsc_hi, tkip_dir_ctx::ttak, and tkip_dir_ctx::ttak_ok.

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_mix_2()

static void tkip_mix_2 ( struct tkip_dir_ctx dctx,
struct tkip_tk tk,
void *  key 
)
static

Perform TKIP key mixing, phase 2.

Parameters
dctx — TKIP directional context
tk — TKIP temporal key
Return values
key — ARC4 key, 16 bytes long

Definition at line 258 of file wpa_tkip.c.

/*
 * TKIP key mixing, phase 2: combine the cached TTAK in dctx->ttak
 * with dctx->tsc_lo and the temporal key, and write the 16-byte
 * per-packet ARC4 key to @key.
 *
 * The function reads dctx->ttak without checking dctx->ttak_ok; both
 * callers on this page run tkip_mix_1 immediately beforehand.
 */
260 {
261  u8 *kb = key;
262  u16 ppk[6];
263  int i;
264 
     /* Start from the five TTAK words plus a sixth word that folds in
      * the low part of the sequence counter */
265  memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
266  ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
267 
     /* S-box pass over temporal key bytes 0..11 */
268  ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
269  ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
270  ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
271  ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
272  ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
273  ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
274 
     /* Rotate pass; only the first two steps use key bytes (12..15) */
275  ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
276  ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
277  ppk[2] += ror16 ( ppk[1], 1 );
278  ppk[3] += ror16 ( ppk[2], 1 );
279  ppk[4] += ror16 ( ppk[3], 1 );
280  ppk[5] += ror16 ( ppk[4], 1 );
281 
     /* kb[0..2] depend only on tsc_lo, not on the key: tkip_encrypt
      * copies these three bytes into the frame header unencrypted.
      * NOTE(review): the "| 0x20 ) & 0x7F" on kb[1] is presumably the
      * standard TKIP measure that keeps the seed away from known-weak
      * RC4 key patterns - confirm against IEEE 802.11. */
282  kb[0] = dctx->tsc_lo >> 8;
283  kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
284  kb[2] = dctx->tsc_lo & 0xFF;
285  kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
286  & 0xFF;
287 
     /* kb[4..15]: the six mixed words, low byte first */
288  for ( i = 0; i < 6; i++ ) {
289  kb[4 + 2*i] = ppk[i] & 0xFF;
290  kb[5 + 2*i] = ppk[i] >> 8;
291  }
292 }
uint16_t u16
Definition: stdint.h:22
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition: wpa_tkip.c:138
void * memcpy(void *dest, const void *src, size_t len) __nonnull
union wpa_tk tk
Temporal key.
Definition: wpa.h:34
u16 tsc_lo
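Low 32 bits of last sequence counter value used. (The field is declared u16, so it holds the low 16 bits of the 48-bit sequence counter; tsc_hi holds the high 32 bits.)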
Definition: wpa_tkip.c:47
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition: wpa_tkip.c:56
static u16 ror16(u16 v, int bits)
Rotate 16-bit value right.
Definition: wpa_tkip.c:150
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18

References key, memcpy(), ror16(), S(), tk, tkip_dir_ctx::tsc_lo, and tkip_dir_ctx::ttak.

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_feed_michael()

static void tkip_feed_michael ( u32 V,
u32  word 
)
static

Update Michael message integrity code based on next 32-bit word of data.

Parameters
V — Michael code state (two 32-bit words)
word — Next 32-bit word of data

Definition at line 300 of file wpa_tkip.c.

/**
 * Update Michael message integrity code based on next 32-bit word of data
 *
 * @v V		Michael code state (two 32-bit words), updated in place
 * @v word	Next 32-bit word of data
 *
 * The word is XORed into the first state word, then the two halves
 * are mixed through four XOR-then-add steps: rotate left 17, swap the
 * bytes within each 16-bit half, rotate left 3, rotate right 2.
 */
static void tkip_feed_michael ( u32 *V, u32 word )
{
	u32 l = V[0] ^ word;
	u32 r = V[1];

	r ^= rol32 ( l, 17 );
	l += r;

	/* Swap adjacent bytes within each 16-bit half of l */
	r ^= ( ( l & 0xFF00FF00 ) >> 8 ) | ( ( l & 0x00FF00FF ) << 8 );
	l += r;

	r ^= rol32 ( l, 3 );
	l += r;

	r ^= ror32 ( l, 2 );
	l += r;

	V[0] = l;
	V[1] = r;
}
static u32 rol32(u32 v, int bits)
Rotate 32-bit value left.
Definition: wpa_tkip.c:174
static u32 ror32(u32 v, int bits)
Rotate 32-bit value right.
Definition: wpa_tkip.c:162
unsigned short word
Definition: smc9000.h:39

References rol32(), and ror32().

Referenced by tkip_michael().

◆ tkip_michael()

static void tkip_michael ( const void *  key,
const void *  da,
const void *  sa,
const void *  data,
size_t  len,
void *  mic 
)
static

Calculate Michael message integrity code.

Parameters
key — MIC key to use (8 bytes)
da — Destination link-layer address
sa — Source link-layer address
data — Start of data to calculate over
len — Length of header + data
Return values
mic — Calculated Michael MIC (8 bytes)

Definition at line 323 of file wpa_tkip.c.

/*
 * Compute the 8-byte Michael MIC over a pseudo-header (DA, SA, one
 * zero word) followed by @len bytes at @data, keyed with the 8 bytes
 * at @key, and store it at @mic.
 *
 * NOTE(review): the code treats @len as the number of bytes at @data
 * only (end = data + len), and both callers on this page pass the
 * payload length; the parameter text "Length of header + data" looks
 * stale - confirm.
 *
 * Michael is the only keyed integrity check in TKIP (the ICV is a
 * plain CRC32).  NOTE(review): it is a deliberately lightweight MIC
 * that the standard pairs with MIC-failure countermeasures; the
 * tkip_decrypt listing on this page marks those as not implemented.
 */
325 {
326  u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
327  union {
328  u8 byte[12];
329  u32 word[3];
330  } cap;
331  const u8 *ptr = data;
332  const u8 *end = ptr + len;
333  int i;
334 
     /* Load the key as two little-endian words: this is the initial
      * Michael state */
335  memcpy ( V, key, sizeof ( V ) );
336  V[0] = le32_to_cpu ( V[0] );
337  V[1] = le32_to_cpu ( V[1] );
338 
339  /* Feed in header (we assume non-QoS, so Priority = 0) */
340  memcpy ( &cap.byte[0], da, ETH_ALEN );
341  memcpy ( &cap.byte[6], sa, ETH_ALEN );
342  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
343  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
344  tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
345  tkip_feed_michael ( V, 0 );
346 
347  /* Feed in data */
     /* NOTE(review): the cast reads a u32 through a u8 pointer with
      * no alignment guarantee visible here; that is only safe where
      * unaligned loads are permitted - confirm for the targets built. */
348  while ( ptr + 4 <= end ) {
349  tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
350  ptr += 4;
351  }
352 
353  /* Add unaligned part and padding */
     /* At most three bytes remain after the loop above; they are
      * followed by the 0x5a marker and zero fill up to eight bytes */
354  for ( i = 0; ptr < end; i++ )
355  cap.byte[i] = *ptr++;
356  cap.byte[i++] = 0x5a;
357  for ( ; i < 8; i++ )
358  cap.byte[i] = 0;
359 
360  /* Feed in padding */
361  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
362  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
363 
364  /* Output MIC */
365  V[0] = cpu_to_le32 ( V[0] );
366  V[1] = cpu_to_le32 ( V[1] );
367  memcpy ( mic, V, sizeof ( V ) );
368 }
static void tkip_feed_michael(u32 *V, u32 word)
Update Michael message integrity code based on next 32-bit word of data.
Definition: wpa_tkip.c:300
#define le32_to_cpu(value)
Definition: byteswap.h:114
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ring len
Length.
Definition: dwmac.h:231
struct sockaddr sa
Definition: syslog.c:57
#define cpu_to_le32(value)
Definition: byteswap.h:108
#define ETH_ALEN
Definition: if_ether.h:9
unsigned short word
Definition: smc9000.h:39
uint32_t end
Ending offset.
Definition: netvsc.h:18
uint8_t data[48]
Additional event data.
Definition: ena.h:22
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18
uint32_t u32
Definition: stdint.h:24

References cpu_to_le32, data, end, ETH_ALEN, key, le32_to_cpu, len, memcpy(), mic, sa, and tkip_feed_michael().

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_encrypt()

static struct io_buffer* tkip_encrypt ( struct net80211_crypto crypto,
struct io_buffer iob 
)
static

Encrypt a packet using TKIP.

Parameters
crypto — TKIP cryptosystem
iob — I/O buffer containing cleartext packet
Return values
eiob — I/O buffer containing encrypted packet

Definition at line 377 of file wpa_tkip.c.

/*
 * Build a TKIP-protected copy of the cleartext frame in @iob:
 * 802.11 header, 8-byte TKIP header, then the ARC4-encrypted payload,
 * Michael MIC and CRC32 ICV.  Returns the new buffer, or NULL if it
 * cannot be allocated.  @iob itself is only read here.
 *
 * NOTE(review): datalen is computed without checking that the frame
 * is at least hdrlen bytes long; a shorter buffer would give a
 * negative length.  Whether callers guarantee a full header is not
 * visible on this page.
 */
379 {
380  struct tkip_ctx *ctx = crypto->priv;
381  struct ieee80211_frame *hdr = iob->data;
382  struct io_buffer *eiob;
383  struct arc4_ctx arc4;
384  u8 key[16];
385  struct tkip_head head;
386  u8 mic[8];
387  u32 icv;
388  const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
389  int datalen = iob_len ( iob ) - hdrlen;
390 
     /* Advance the transmit sequence counter before deriving the key,
      * so each frame gets a fresh value.  When the low word wraps, the
      * high word moves on and the cached TTAK (which depends on
      * tsc_hi) is invalidated. */
391  ctx->enc.tsc_lo++;
392  if ( ctx->enc.tsc_lo == 0 ) {
393  ctx->enc.tsc_hi++;
394  ctx->enc.ttak_ok = 0;
395  }
396 
     /* Per-packet ARC4 key from temporal key, transmitter address
      * (addr2) and the counter just advanced */
397  tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
398  tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
399 
     /* If allocation fails the counter value above is simply skipped,
      * never reused */
400  eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
401  if ( ! eiob )
402  return NULL;
403 
404  /* Copy frame header */
405  memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
406  hdr = eiob->data;
     /* NOTE(review): the gutter jumps from 406 to 408, so one source
      * line is missing from this rendering.  The References list for
      * this function names IEEE80211_FC_PROTECTED, which no visible
      * line uses; the lost line presumably sets that flag on the
      * copied header - confirm against wpa_tkip.c. */
408 
409  /* Fill in IV and key ID byte, and extended IV */
     /* The first three ARC4 key bytes double as the cleartext IV */
410  memcpy ( &head, key, 3 );
411  head.kid = 0x20; /* have Extended IV, key ID 0 */
412  head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
413  memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
414 
415  /* Copy and encrypt the data */
     /* One ARC4 context is used for payload, MIC and ICV in turn, so
      * the three encrypt calls must stay in this order */
416  cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
417  cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
418  iob_put ( eiob, datalen ), datalen );
419 
420  /* Add MIC */
     /* Michael runs over the cleartext payload with the transmit MIC
      * key; addr3 is passed as destination, addr2 as source */
421  hdr = iob->data;
422  tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
423  iob->data + hdrlen, datalen, mic );
424  cipher_encrypt ( &arc4_algorithm, &arc4, mic,
425  iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
426 
427  /* Add ICV */
     /* CRC32 over cleartext payload followed by the cleartext MIC;
      * a CRC is an error check, not a keyed integrity check */
428  icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
429  icv = crc32_le ( icv, mic, sizeof ( mic ) );
430  icv = cpu_to_le32 ( ~icv );
431  cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
432  iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
433 
434  DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
435  iob, eiob );
436 
437  return eiob;
438 }
#define iob_put(iobuf, len)
Definition: iobuf.h:125
struct golan_inbox_hdr hdr
Message header.
Definition: CIB_PRM.h:28
Definition: arc4.h:10
An 802.11 data or management frame without QoS or WDS header fields.
Definition: ieee80211.h:300
uint8_t head
Head number.
Definition: int13.h:34
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
Header structure at the beginning of TKIP frame data.
Definition: wpa_tkip.c:73
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition: iobuf.c:131
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition: crc32.c:40
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:251
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition: ieee80211.h:60
u16 datalen
Length of the data field in bytes, network byte order.
Definition: wpa.h:84
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition: wpa_tkip.c:323
#define cpu_to_le32(value)
Definition: byteswap.h:108
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition: wpa_tkip.c:84
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition: ieee80211.h:264
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:60
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:160
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition: wpa_tkip.c:218
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition: wpa_tkip.c:258
struct cipher_algorithm arc4_algorithm
Definition: arc4.c:118
#define DBGC2(...)
Definition: compiler.h:522
#define TKIP_ICV_LEN
TKIP ICV length.
Definition: wpa_tkip.c:93
void * data
Start of data.
Definition: iobuf.h:53
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
#define NULL
NULL pointer (VOID *)
Definition: Base.h:322
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition: wpa_tkip.c:87
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18
uint32_t u32
Definition: stdint.h:24
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:235
A persistent I/O buffer.
Definition: iobuf.h:38

References alloc_iob(), arc4_algorithm, cipher_encrypt, cipher_setkey(), cpu_to_le32, crc32_le(), ctx, io_buffer::data, datalen, DBGC2, hdr, head, IEEE80211_FC_PROTECTED, IEEE80211_TYP_FRAME_HEADER_LEN, iob_len(), iob_put, key, memcpy(), mic, NULL, net80211_crypto::priv, TKIP_FOOT_LEN, TKIP_HEAD_LEN, TKIP_ICV_LEN, tkip_michael(), tkip_mix_1(), and tkip_mix_2().

◆ tkip_decrypt()

static struct io_buffer* tkip_decrypt ( struct net80211_crypto crypto,
struct io_buffer eiob 
)
static

Decrypt a packet using TKIP.

Parameters
crypto — TKIP cryptosystem
eiob — I/O buffer containing encrypted packet
Return values
iob — I/O buffer containing cleartext packet

Definition at line 447 of file wpa_tkip.c.

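/**
 * Decrypt a packet using TKIP
 *
 * @v crypto	TKIP cryptosystem
 * @v eiob	I/O buffer containing encrypted packet
 * @ret iob	I/O buffer containing cleartext packet, or NULL
 *
 * NULL is returned when the frame is too short to hold the TKIP
 * header and trailer, when allocation fails, when the sequence
 * counter is not strictly greater than the last accepted one, or when
 * the ICV or the Michael MIC does not verify.
 *
 * The receive replay state in the context is written only after both
 * the ICV and the MIC have verified.  Until then the counter taken
 * from the frame is attacker-controlled; committing it earlier would
 * let a single forged frame carrying a large counter cause every
 * later genuine frame to be dropped as a replay.
 */
static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
					 struct io_buffer *eiob )
{
	struct tkip_ctx *ctx = crypto->priv;
	struct tkip_dir_ctx rx;
	struct ieee80211_frame *hdr;
	struct io_buffer *iob;
	const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
	const size_t minlen = ( hdrlen + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
	struct tkip_head *head;
	struct arc4_ctx arc4;
	u32 rx_tsc_hi;
	u16 rx_tsc_lo;
	u8 key[16];
	u8 mic[8];
	u32 icv, crc;
	int datalen;

	/* A frame shorter than header + TKIP header + trailer would
	 * give a negative payload length and an undersized buffer for
	 * the header copy below.
	 */
	if ( iob_len ( eiob ) < minlen ) {
		DBGC ( ctx, "WPA-TKIP %p: frame too short\n", ctx );
		return NULL;
	}
	datalen = ( iob_len ( eiob ) - minlen );

	/* Room for header, payload, MIC and ICV; the trailer is
	 * decrypted into the buffer but never counted in its length.
	 */
	iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
	if ( ! iob )
		return NULL;

	/* Copy frame header */
	memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
	hdr = iob->data;
	hdr->fc &= ~IEEE80211_FC_PROTECTED;

	/* Read the received TSC.  tkip_encrypt stores the high word
	 * little-endian, so convert it before comparing with the
	 * host-order counter in the context.
	 */
	head = eiob->data + hdrlen;
	rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
	rx_tsc_hi = le32_to_cpu ( head->tsc_hi );

	/* Replay check against the last authenticated counter */
	if ( rx_tsc_hi < ctx->dec.tsc_hi ||
	     ( rx_tsc_hi == ctx->dec.tsc_hi &&
	       rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
		DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
		       "(%08x:%04x <= %08x:%04x)\n", ctx, rx_tsc_hi,
		       rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
		free_iob ( iob );
		return NULL;
	}

	/* Derive the key from a working copy of the receive state, so
	 * that a frame which later fails verification leaves the real
	 * counter and TTAK cache untouched.
	 */
	memcpy ( &rx, &ctx->dec, sizeof ( rx ) );
	rx.tsc_lo = rx_tsc_lo;
	if ( rx.tsc_hi != rx_tsc_hi ) {
		rx.ttak_ok = 0;
		rx.tsc_hi = rx_tsc_hi;
	}

	/* Calculate key */
	tkip_mix_1 ( &rx, &ctx->tk, hdr->addr2 );
	tkip_mix_2 ( &rx, &ctx->tk, key );

	/* Copy-decrypt data, MIC, ICV */
	cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
	cipher_decrypt ( &arc4_algorithm, &arc4,
			 eiob->data + hdrlen + TKIP_HEAD_LEN,
			 iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );

	/* Check ICV; it sits after the MIC, past the buffer tail, and
	 * is copied out bytewise because nothing aligns it.
	 */
	memcpy ( &icv, ( iob->tail + TKIP_MIC_LEN ), sizeof ( icv ) );
	icv = le32_to_cpu ( icv );
	crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
	if ( crc != icv ) {
		DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
		       ctx, icv, crc );
		free_iob ( iob );
		return NULL;
	}

	/* Check MIC */
	tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
		       iob->data + hdrlen, datalen, mic );
	if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
		DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
		/* XXX we should do the countermeasures here */
		free_iob ( iob );
		return NULL;
	}

	/* Frame is authentic: commit the new replay counter and the
	 * TTAK cache that goes with it.
	 */
	memcpy ( &ctx->dec, &rx, sizeof ( ctx->dec ) );

	DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
		eiob, iob );

	return iob;
}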
uint16_t u16
Definition: stdint.h:22
#define iob_put(iobuf, len)
Definition: iobuf.h:125
#define le32_to_cpu(value)
Definition: byteswap.h:114
struct golan_inbox_hdr hdr
Message header.
Definition: CIB_PRM.h:28
Definition: arc4.h:10
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:153
#define DBGC(...)
Definition: compiler.h:505
An 802.11 data or management frame without QoS or WDS header fields.
Definition: ieee80211.h:300
uint8_t head
Head number.
Definition: int13.h:34
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
Header structure at the beginning of TKIP frame data.
Definition: wpa_tkip.c:73
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition: iobuf.c:131
#define TKIP_MIC_LEN
TKIP MIC length.
Definition: wpa_tkip.c:90
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition: crc32.c:40
void * tail
End of data.
Definition: iobuf.h:55
void * memcpy(void *dest, const void *src, size_t len) __nonnull
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition: ieee80211.h:60
u16 datalen
Length of the data field in bytes, network byte order.
Definition: wpa.h:84
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition: wpa_tkip.c:323
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition: wpa_tkip.c:84
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition: ieee80211.h:264
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:60
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:160
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:261
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition: wpa_tkip.c:218
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition: wpa_tkip.c:258
struct cipher_algorithm arc4_algorithm
Definition: arc4.c:118
#define DBGC2(...)
Definition: compiler.h:522
void * data
Start of data.
Definition: iobuf.h:53
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:115
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
#define NULL
NULL pointer (VOID *)
Definition: Base.h:322
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition: wpa_tkip.c:87
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18
uint32_t u32
Definition: stdint.h:24
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:235
if(natsemi->flags &NATSEMI_64BIT) return 1
A persistent I/O buffer.
Definition: iobuf.h:38

References alloc_iob(), arc4_algorithm, cipher_decrypt, cipher_setkey(), crc32_le(), ctx, io_buffer::data, datalen, DBGC, DBGC2, free_iob(), hdr, head, IEEE80211_FC_PROTECTED, IEEE80211_TYP_FRAME_HEADER_LEN, if(), iob_len(), iob_put, key, le32_to_cpu, memcmp(), memcpy(), mic, NULL, net80211_crypto::priv, io_buffer::tail, TKIP_FOOT_LEN, TKIP_HEAD_LEN, TKIP_MIC_LEN, tkip_michael(), tkip_mix_1(), and tkip_mix_2().

◆ tkip_kie_mic()

static void tkip_kie_mic ( const void *  kck,
const void *  msg,
size_t  len,
void *  mic 
)
static

Calculate HMAC-MD5 MIC for EAPOL-Key frame.

Parameters
kck — Key Confirmation Key, 16 bytes
msg — Message to calculate MIC over
len — Number of bytes to calculate MIC over
Return values
mic — Calculated MIC, 16 bytes long

Definition at line 546 of file wpa_tkip.c.

/*
 * Compute the EAPOL-Key frame MIC as HMAC-MD5 keyed with the 16-byte
 * Key Confirmation Key.
 *
 * NOTE(review): this listing is incomplete.  The gutter skips lines
 * 549, 555 and 556, and the visible code uses `ctx` without declaring
 * it.  The References list for this function names hmac_update,
 * hmac_final, MD5_CTX_SIZE and MD5_BLOCK_SIZE, so the lost lines
 * presumably declare the HMAC context and perform the update and
 * final steps - confirm against wpa_tkip.c before relying on this
 * listing.
 */
548 {
     /* Local 16-byte copy of the KCK, handed to hmac_init as the key;
      * nothing visible in this listing clears it afterwards */
550  u8 kckb[16];
551 
552  memcpy ( kckb, kck, sizeof ( kckb ) );
553 
554  hmac_init ( &md5_algorithm, ctx, kckb, sizeof ( kckb ) );
557 }
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:58
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition: message.c:62
u8 kck[WPA_KCK_LEN]
EAPOL-Key Key Confirmation Key (KCK)
Definition: wpa.h:28
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
void * memcpy(void *dest, const void *src, size_t len) __nonnull
ring len
Length.
Definition: dwmac.h:231
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:43
#define MD5_CTX_SIZE
MD5 context size.
Definition: md5.h:67
unsigned char uint8_t
Definition: stdint.h:10
#define MD5_BLOCK_SIZE
MD5 block size.
Definition: md5.h:70
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:88
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
uint8_t u8
Definition: stdint.h:20
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:287

References ctx, hmac_final(), hmac_init(), hmac_update(), kck, len, md5_algorithm, MD5_BLOCK_SIZE, MD5_CTX_SIZE, memcpy(), mic, and msg().

◆ tkip_kie_decrypt()

static int tkip_kie_decrypt ( const void *  kek,
const void *  iv,
void *  msg,
u16 len 
)
static

Decrypt key data in EAPOL-Key frame.

Parameters
kek — Key Encryption Key, 16 bytes
iv — Initialisation vector, 16 bytes
msg — Message to decrypt
len — Length of message
Return values
msg — Decrypted message in place of original
len — Unchanged
rc — Always 0 for success

Definition at line 570 of file wpa_tkip.c.

/**
 * Decrypt key data in EAPOL-Key frame
 *
 * @v kek	Key Encryption Key, 16 bytes
 * @v iv	Initialisation vector, 16 bytes
 * @v msg	Message to decrypt
 * @v len	Length of message
 * @ret msg	Decrypted message in place of original
 * @ret len	Unchanged
 * @ret rc	Always 0 for success
 *
 * The 32-byte ARC4 key is the IV followed by the KEK, and the first
 * 256 keystream bytes are skipped before decrypting.  ARC4 gives no
 * integrity protection of its own, and this function performs no
 * check on the result.  The concatenated key remains in the stack
 * buffer when the function returns; nothing here clears it.
 */
static int tkip_kie_decrypt ( const void *kek, const void *iv,
			      void *msg, u16 *len )
{
	u8 rc4_key[32];

	/* IV occupies the first half, KEK the second */
	memcpy ( &rc4_key[0], iv, 16 );
	memcpy ( &rc4_key[16], kek, 16 );

	/* Decrypt in place: source and destination are both msg */
	arc4_skip ( rc4_key, 32, 256, msg, msg, *len );

	return 0;
}
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition: message.c:62
u8 iv[16]
Initialization vector.
Definition: wpa.h:60
void * memcpy(void *dest, const void *src, size_t len) __nonnull
void arc4_skip(const void *key, size_t keylen, size_t skip, const void *src, void *dst, size_t msglen)
Perform ARC4 encryption or decryption, skipping initial keystream bytes.
Definition: arc4.c:109
ring len
Length.
Definition: dwmac.h:231
u8 kek[WPA_KEK_LEN]
EAPOL-Key Key Encryption Key (KEK)
Definition: wpa.h:31
uint8_t u8
Definition: stdint.h:20
union @391 key
Sense key.
Definition: scsi.h:18

References arc4_skip(), iv, kek, key, len, memcpy(), and msg().

Variable Documentation

◆ Sbox

const u16 Sbox[256]
static

TKIP S-box.

Definition at line 97 of file wpa_tkip.c.

Referenced by S().

◆ __net80211_crypto

struct net80211_crypto tkip_crypto __net80211_crypto
Initial value:
/* Handler table for the TKIP cryptosystem: names the algorithm and
 * points at the init, encrypt and decrypt routines documented on this
 * page */
= {
.algorithm = NET80211_CRYPT_TKIP,
.init = tkip_init,
.encrypt = tkip_encrypt,
.decrypt = tkip_decrypt,
/* Size of the private state that the handlers reach through
 * crypto->priv */
.priv_len = sizeof ( struct tkip_ctx ),
}
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:60
static int tkip_init(struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
Initialise TKIP state and install key.
Definition: wpa_tkip.c:188
static struct io_buffer * tkip_encrypt(struct net80211_crypto *crypto, struct io_buffer *iob)
Encrypt a packet using TKIP.
Definition: wpa_tkip.c:377
static struct io_buffer * tkip_decrypt(struct net80211_crypto *crypto, struct io_buffer *eiob)
Decrypt a packet using TKIP.
Definition: wpa_tkip.c:447
Network protected with TKIP (better RC4-based system)
Definition: net80211.h:163

TKIP cryptosystem.

Definition at line 527 of file wpa_tkip.c.

◆ __wpa_kie

struct wpa_kie tkip_kie __wpa_kie
Initial value:
/* Key integrity and encryption handlers for EAPOL-Key frames:
 * HMAC-MD5 for the MIC, ARC4 for the key data.
 * NOTE(review): the cross-reference text after this initialiser
 * mentions EAPOL_KEY_VERSION_WPA, which no visible member uses; a
 * member selecting that key descriptor version has presumably been
 * lost from this rendering - confirm against wpa_tkip.c. */
= {
.mic = tkip_kie_mic,
.decrypt = tkip_kie_decrypt,
}
#define EAPOL_KEY_VERSION_WPA
Key descriptor version field value for WPA (TKIP)
Definition: wpa.h:78
static int tkip_kie_decrypt(const void *kek, const void *iv, void *msg, u16 *len)
Decrypt key data in EAPOL-Key frame.
Definition: wpa_tkip.c:570
static void tkip_kie_mic(const void *kck, const void *msg, size_t len, void *mic)
Calculate HMAC-MD5 MIC for EAPOL-Key frame.
Definition: wpa_tkip.c:546

TKIP-style key integrity and encryption handler.

Definition at line 584 of file wpa_tkip.c.