iPXE
Data Structures | Macros | Functions | Variables
wpa_tkip.c File Reference

Backend for WPA using the TKIP encryption standard. More...

#include <string.h>
#include <ipxe/net80211.h>
#include <ipxe/crypto.h>
#include <ipxe/hmac.h>
#include <ipxe/sha1.h>
#include <ipxe/md5.h>
#include <ipxe/crc32.h>
#include <ipxe/arc4.h>
#include <ipxe/wpa.h>
#include <byteswap.h>
#include <errno.h>

Go to the source code of this file.

Data Structures

struct  tkip_dir_ctx
 Context for one direction of TKIP, either encryption or decryption. More...
 
struct  tkip_ctx
 Context for TKIP encryption and decryption. More...
 
struct  tkip_head
 Header structure at the beginning of TKIP frame data. More...
 

Macros

#define TKIP_HEAD_LEN   8
 TKIP header overhead (IV + KID + ExtIV) More...
 
#define TKIP_FOOT_LEN   12
 TKIP trailer overhead (MIC + ICV) [assumes unfragmented]. More...
 
#define TKIP_MIC_LEN   8
 TKIP MIC length. More...
 
#define TKIP_ICV_LEN   4
 TKIP ICV length. More...
 

Functions

 FILE_LICENCE (GPL2_OR_LATER)
 
static u16 S (u16 v)
 Perform S-box mapping on a 16-bit value. More...
 
static u16 ror16 (u16 v, int bits)
 Rotate 16-bit value right. More...
 
static u32 ror32 (u32 v, int bits)
 Rotate 32-bit value right. More...
 
static u32 rol32 (u32 v, int bits)
 Rotate 32-bit value left. More...
 
static int tkip_init (struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
 Initialise TKIP state and install key. More...
 
static void tkip_mix_1 (struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
 Perform TKIP key mixing, phase 1. More...
 
static void tkip_mix_2 (struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
 Perform TKIP key mixing, phase 2. More...
 
static void tkip_feed_michael (u32 *V, u32 word)
 Update Michael message integrity code based on next 32-bit word of data. More...
 
static void tkip_michael (const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
 Calculate Michael message integrity code. More...
 
static struct io_buffertkip_encrypt (struct net80211_crypto *crypto, struct io_buffer *iob)
 Encrypt a packet using TKIP. More...
 
static struct io_buffertkip_decrypt (struct net80211_crypto *crypto, struct io_buffer *eiob)
 Decrypt a packet using TKIP. More...
 
static void tkip_kie_mic (const void *kck, const void *msg, size_t len, void *mic)
 Calculate HMAC-MD5 MIC for EAPOL-Key frame. More...
 
static int tkip_kie_decrypt (const void *kek, const void *iv, void *msg, u16 *len)
 Decrypt key data in EAPOL-Key frame. More...
 

Variables

static const u16 Sbox [256]
 TKIP S-box. More...
 
struct net80211_crypto tkip_crypto __net80211_crypto
 TKIP cryptosystem. More...
 
struct wpa_kie tkip_kie __wpa_kie
 TKIP-style key integrity and encryption handler. More...
 

Detailed Description

Backend for WPA using the TKIP encryption standard.

Definition in file wpa_tkip.c.

Macro Definition Documentation

◆ TKIP_HEAD_LEN

#define TKIP_HEAD_LEN   8

TKIP header overhead (IV + KID + ExtIV)

Definition at line 83 of file wpa_tkip.c.

◆ TKIP_FOOT_LEN

#define TKIP_FOOT_LEN   12

TKIP trailer overhead (MIC + ICV) [assumes unfragmented].

Definition at line 86 of file wpa_tkip.c.

◆ TKIP_MIC_LEN

#define TKIP_MIC_LEN   8

TKIP MIC length.

Definition at line 89 of file wpa_tkip.c.

◆ TKIP_ICV_LEN

#define TKIP_ICV_LEN   4

TKIP ICV length.

Definition at line 92 of file wpa_tkip.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER  )

◆ S()

static u16 S ( u16  v)
inlinestatic

Perform S-box mapping on a 16-bit value.

Parameters
vValue to perform S-box mapping on
Return values
SvS-box mapped value

Definition at line 137 of file wpa_tkip.c.

138 {
139  return Sbox[v & 0xFF] ^ bswap_16 ( Sbox[v >> 8] );
140 }
Sbox
static const u16 Sbox[256]
TKIP S-box.
Definition: wpa_tkip.c:96
bswap_16
#define bswap_16(value)
Definition: byteswap.h:58

References bswap_16, and Sbox.

Referenced by arc4_setkey(), arc4_xor(), ccmp_ctr_xor(), tkip_mix_1(), and tkip_mix_2().

◆ ror16()

static u16 ror16 ( u16  v,
int  bits 
)
inlinestatic

Rotate 16-bit value right.

Parameters
vValue to rotate
bitsNumber of bits to rotate by
Return values
rotvRotated value

Definition at line 149 of file wpa_tkip.c.

150 {
151  return ( v >> bits ) | ( v << ( 16 - bits ) );
152 }
bits
static volatile void * bits
Definition: bitops.h:27

References bits.

Referenced by tkip_mix_2().

◆ ror32()

static u32 ror32 ( u32  v,
int  bits 
)
inlinestatic

Rotate 32-bit value right.

Parameters
vValue to rotate
bitsNumber of bits to rotate by
Return values
rotvRotated value

Definition at line 161 of file wpa_tkip.c.

162 {
163  return ( v >> bits ) | ( v << ( 32 - bits ) );
164 }
bits
static volatile void * bits
Definition: bitops.h:27

References bits.

Referenced by aes_key_rotate(), des_generate(), sha256_digest(), and tkip_feed_michael().

◆ rol32()

static u32 rol32 ( u32  v,
int  bits 
)
inlinestatic

Rotate 32-bit value left.

Parameters
vValue to rotate
bitsNumber of bits to rotate by
Return values
rotvRotated value

Definition at line 173 of file wpa_tkip.c.

174 {
175  return ( v << bits ) | ( v >> ( 32 - bits ) );
176 }
bits
static volatile void * bits
Definition: bitops.h:27

References bits.

Referenced by aes_key_rotate(), aes_key_sbox(), des_rol28(), des_sbox(), md4_digest(), md5_digest(), sha1_digest(), and tkip_feed_michael().

◆ tkip_init()

static int tkip_init ( struct net80211_crypto crypto,
const void *  key,
int  keylen,
const void *  rsc 
)
static

Initialise TKIP state and install key.

Parameters
cryptoTKIP cryptosystem structure
keyPointer to tkip_tk to install
keylenLength of key (32 bytes)
rscInitial receive sequence counter

Definition at line 187 of file wpa_tkip.c.

189 {
190  struct tkip_ctx *ctx = crypto->priv;
191  const u8 *rscb = rsc;
192 
193  if ( keylen != sizeof ( ctx->tk ) )
194  return -EINVAL;
195 
196  if ( rscb ) {
197  ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
198  ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
199  ( rscb[3] << 8 ) | rscb[2] );
200  }
201 
202  memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
203 
204  return 0;
205 }
EINVAL
#define EINVAL
Invalid argument.
Definition: errno.h:428
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
rsc
u8 rsc[8]
Receive sequence counter for GTK.
Definition: wpa.h:69
tkip_ctx
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:59
net80211_crypto::priv
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18

References ctx, EINVAL, key, memcpy(), net80211_crypto::priv, and rsc.

◆ tkip_mix_1()

static void tkip_mix_1 ( struct tkip_dir_ctx dctx,
struct tkip_tk tk,
u8 mac 
)
static

Perform TKIP key mixing, phase 1.

Parameters
dctxTKIP directional context
tkTKIP temporal key
macMAC address of transmitter

This recomputes the TTAK in dctx if necessary, and sets dctx->ttak_ok.

Definition at line 217 of file wpa_tkip.c.

218 {
219  int i, j;
220 
221  if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
222  return;
223 
224  memcpy ( dctx->mac, mac, ETH_ALEN );
225 
226  dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
227  dctx->ttak[1] = dctx->tsc_hi >> 16;
228  dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
229  dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
230  dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
231 
232  for ( i = 0; i < 8; i++ ) {
233  j = 2 * ( i & 1 );
234 
235  dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
236  tk->key[0 + j] ) );
237  dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
238  tk->key[4 + j] ) );
239  dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
240  tk->key[8 + j] ) );
241  dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
242  tk->key[12+ j] ) );
243  dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
244  tk->key[0 + j] ) ) + i;
245  }
246 
247  dctx->ttak_ok = 1;
248 }
tkip_dir_ctx::mac
u8 mac[ETH_ALEN]
MAC address used to derive TTAK.
Definition: wpa_tkip.c:49
mac
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
S
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition: wpa_tkip.c:137
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
tk
union wpa_tk tk
Temporal key.
Definition: wpa.h:34
ETH_ALEN
#define ETH_ALEN
Definition: if_ether.h:8
tkip_dir_ctx::ttak_ok
u16 ttak_ok
If TRUE, TTAK is valid.
Definition: wpa_tkip.c:52
tkip_dir_ctx::ttak
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition: wpa_tkip.c:55
tkip_dir_ctx::tsc_hi
u32 tsc_hi
High 32 bits of last sequence counter value used.
Definition: wpa_tkip.c:43
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114

References ETH_ALEN, mac, tkip_dir_ctx::mac, memcmp(), memcpy(), S(), tk, tkip_dir_ctx::tsc_hi, tkip_dir_ctx::ttak, and tkip_dir_ctx::ttak_ok.

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_mix_2()

static void tkip_mix_2 ( struct tkip_dir_ctx dctx,
struct tkip_tk tk,
void *  key 
)
static

Perform TKIP key mixing, phase 2.

Parameters
dctxTKIP directional context
tkTKIP temporal key
Return values
keyARC4 key, 16 bytes long

Definition at line 257 of file wpa_tkip.c.

259 {
260  u8 *kb = key;
261  u16 ppk[6];
262  int i;
263 
264  memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
265  ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
266 
267  ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
268  ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
269  ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
270  ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
271  ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
272  ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
273 
274  ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
275  ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
276  ppk[2] += ror16 ( ppk[1], 1 );
277  ppk[3] += ror16 ( ppk[2], 1 );
278  ppk[4] += ror16 ( ppk[3], 1 );
279  ppk[5] += ror16 ( ppk[4], 1 );
280 
281  kb[0] = dctx->tsc_lo >> 8;
282  kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
283  kb[2] = dctx->tsc_lo & 0xFF;
284  kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
285  & 0xFF;
286 
287  for ( i = 0; i < 6; i++ ) {
288  kb[4 + 2*i] = ppk[i] & 0xFF;
289  kb[5 + 2*i] = ppk[i] >> 8;
290  }
291 }
u16
uint16_t u16
Definition: stdint.h:21
S
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition: wpa_tkip.c:137
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
tk
union wpa_tk tk
Temporal key.
Definition: wpa.h:34
tkip_dir_ctx::tsc_lo
u16 tsc_lo
Low 32 bits of last sequence counter value used.
Definition: wpa_tkip.c:46
tkip_dir_ctx::ttak
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition: wpa_tkip.c:55
ror16
static u16 ror16(u16 v, int bits)
Rotate 16-bit value right.
Definition: wpa_tkip.c:149
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18

References key, memcpy(), ror16(), S(), tk, tkip_dir_ctx::tsc_lo, and tkip_dir_ctx::ttak.

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_feed_michael()

static void tkip_feed_michael ( u32 V,
u32  word 
)
static

Update Michael message integrity code based on next 32-bit word of data.

Parameters
VMichael code state (two 32-bit words)
wordNext 32-bit word of data

Definition at line 299 of file wpa_tkip.c.

300 {
301  V[0] ^= word;
302  V[1] ^= rol32 ( V[0], 17 );
303  V[0] += V[1];
304  V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
305  V[0] += V[1];
306  V[1] ^= rol32 ( V[0], 3 );
307  V[0] += V[1];
308  V[1] ^= ror32 ( V[0], 2 );
309  V[0] += V[1];
310 }
rol32
static u32 rol32(u32 v, int bits)
Rotate 32-bit value left.
Definition: wpa_tkip.c:173
ror32
static u32 ror32(u32 v, int bits)
Rotate 32-bit value right.
Definition: wpa_tkip.c:161
word
unsigned short word
Definition: smc9000.h:39

References rol32(), and ror32().

Referenced by tkip_michael().

◆ tkip_michael()

static void tkip_michael ( const void *  key,
const void *  da,
const void *  sa,
const void *  data,
size_t  len,
void *  mic 
)
static

Calculate Michael message integrity code.

Parameters
keyMIC key to use (8 bytes)
daDestination link-layer address
saSource link-layer address
dataStart of data to calculate over
lenLength of header + data
Return values
micCalculated Michael MIC (8 bytes)

Definition at line 322 of file wpa_tkip.c.

324 {
325  u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
326  union {
327  u8 byte[12];
328  u32 word[3];
329  } cap;
330  const u8 *ptr = data;
331  const u8 *end = ptr + len;
332  int i;
333 
334  memcpy ( V, key, sizeof ( V ) );
335  V[0] = le32_to_cpu ( V[0] );
336  V[1] = le32_to_cpu ( V[1] );
337 
338  /* Feed in header (we assume non-QoS, so Priority = 0) */
339  memcpy ( &cap.byte[0], da, ETH_ALEN );
340  memcpy ( &cap.byte[6], sa, ETH_ALEN );
341  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
342  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
343  tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
344  tkip_feed_michael ( V, 0 );
345 
346  /* Feed in data */
347  while ( ptr + 4 <= end ) {
348  tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
349  ptr += 4;
350  }
351 
352  /* Add unaligned part and padding */
353  for ( i = 0; ptr < end; i++ )
354  cap.byte[i] = *ptr++;
355  cap.byte[i++] = 0x5a;
356  for ( ; i < 8; i++ )
357  cap.byte[i] = 0;
358 
359  /* Feed in padding */
360  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
361  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
362 
363  /* Output MIC */
364  V[0] = cpu_to_le32 ( V[0] );
365  V[1] = cpu_to_le32 ( V[1] );
366  memcpy ( mic, V, sizeof ( V ) );
367 }
tkip_feed_michael
static void tkip_feed_michael(u32 *V, u32 word)
Update Michael message integrity code based on next 32-bit word of data.
Definition: wpa_tkip.c:299
le32_to_cpu
#define le32_to_cpu(value)
Definition: byteswap.h:113
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
sa
struct sockaddr sa
Definition: syslog.c:55
cpu_to_le32
#define cpu_to_le32(value)
Definition: byteswap.h:107
ETH_ALEN
#define ETH_ALEN
Definition: if_ether.h:8
word
unsigned short word
Definition: smc9000.h:39
end
uint32_t end
Ending offset.
Definition: netvsc.h:18
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
mic
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
len
uint32_t len
Length.
Definition: ena.h:14
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18
u32
uint32_t u32
Definition: stdint.h:23

References cpu_to_le32, data, end, ETH_ALEN, key, le32_to_cpu, len, memcpy(), mic, sa, and tkip_feed_michael().

Referenced by tkip_decrypt(), and tkip_encrypt().

◆ tkip_encrypt()

static struct io_buffer* tkip_encrypt ( struct net80211_crypto crypto,
struct io_buffer iob 
)
static

Encrypt a packet using TKIP.

Parameters
cryptoTKIP cryptosystem
iobI/O buffer containing cleartext packet
Return values
eiobI/O buffer containing encrypted packet

Definition at line 376 of file wpa_tkip.c.

378 {
379  struct tkip_ctx *ctx = crypto->priv;
380  struct ieee80211_frame *hdr = iob->data;
381  struct io_buffer *eiob;
382  struct arc4_ctx arc4;
383  u8 key[16];
384  struct tkip_head head;
385  u8 mic[8];
386  u32 icv;
387  const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
388  int datalen = iob_len ( iob ) - hdrlen;
389 
390  ctx->enc.tsc_lo++;
391  if ( ctx->enc.tsc_lo == 0 ) {
392  ctx->enc.tsc_hi++;
393  ctx->enc.ttak_ok = 0;
394  }
395 
396  tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
397  tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
398 
399  eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
400  if ( ! eiob )
401  return NULL;
402 
403  /* Copy frame header */
404  memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
405  hdr = eiob->data;
406  hdr->fc |= IEEE80211_FC_PROTECTED;
407 
408  /* Fill in IV and key ID byte, and extended IV */
409  memcpy ( &head, key, 3 );
410  head.kid = 0x20; /* have Extended IV, key ID 0 */
411  head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
412  memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
413 
414  /* Copy and encrypt the data */
415  cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
416  cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
417  iob_put ( eiob, datalen ), datalen );
418 
419  /* Add MIC */
420  hdr = iob->data;
421  tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
422  iob->data + hdrlen, datalen, mic );
423  cipher_encrypt ( &arc4_algorithm, &arc4, mic,
424  iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
425 
426  /* Add ICV */
427  icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
428  icv = crc32_le ( icv, mic, sizeof ( mic ) );
429  icv = cpu_to_le32 ( ~icv );
430  cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
431  iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
432 
433  DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
434  iob, eiob );
435 
436  return eiob;
437 }
iob_put
#define iob_put(iobuf, len)
Definition: iobuf.h:120
hdr
struct golan_inbox_hdr hdr
Message header.
Definition: CIB_PRM.h:28
arc4_ctx
Definition: arc4.h:10
ieee80211_frame
An 802.11 data or management frame without QoS or WDS header fields.
Definition: ieee80211.h:300
head
uint8_t head
Head number.
Definition: int13.h:34
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
tkip_head
Header structure at the beginning of TKIP frame data.
Definition: wpa_tkip.c:72
alloc_iob
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition: iobuf.c:129
crc32_le
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition: crc32.c:39
cipher_encrypt
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:235
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
IEEE80211_TYP_FRAME_HEADER_LEN
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition: ieee80211.h:60
datalen
u16 datalen
Length of the data field in bytes, network byte order.
Definition: wpa.h:84
tkip_michael
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition: wpa_tkip.c:322
cpu_to_le32
#define cpu_to_le32(value)
Definition: byteswap.h:107
TKIP_HEAD_LEN
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition: wpa_tkip.c:83
IEEE80211_FC_PROTECTED
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition: ieee80211.h:264
tkip_ctx
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:59
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:155
tkip_mix_1
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition: wpa_tkip.c:217
net80211_crypto::priv
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
tkip_mix_2
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition: wpa_tkip.c:257
arc4_algorithm
struct cipher_algorithm arc4_algorithm
Definition: arc4.c:118
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
TKIP_ICV_LEN
#define TKIP_ICV_LEN
TKIP ICV length.
Definition: wpa_tkip.c:92
io_buffer::data
void * data
Start of data.
Definition: iobuf.h:48
mic
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
TKIP_FOOT_LEN
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition: wpa_tkip.c:86
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18
u32
uint32_t u32
Definition: stdint.h:23
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:219
io_buffer
A persistent I/O buffer.
Definition: iobuf.h:33

References alloc_iob(), arc4_algorithm, cipher_encrypt, cipher_setkey(), cpu_to_le32, crc32_le(), ctx, io_buffer::data, datalen, DBGC2, hdr, head, IEEE80211_FC_PROTECTED, IEEE80211_TYP_FRAME_HEADER_LEN, iob_len(), iob_put, key, memcpy(), mic, NULL, net80211_crypto::priv, TKIP_FOOT_LEN, TKIP_HEAD_LEN, TKIP_ICV_LEN, tkip_michael(), tkip_mix_1(), and tkip_mix_2().

◆ tkip_decrypt()

static struct io_buffer* tkip_decrypt ( struct net80211_crypto crypto,
struct io_buffer eiob 
)
static

Decrypt a packet using TKIP.

Parameters
cryptoTKIP cryptosystem
eiobI/O buffer containing encrypted packet
Return values
iobI/O buffer containing cleartext packet

Definition at line 446 of file wpa_tkip.c.

448 {
449  struct tkip_ctx *ctx = crypto->priv;
450  struct ieee80211_frame *hdr;
451  struct io_buffer *iob;
452  const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
453  int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
454  struct tkip_head *head;
455  struct arc4_ctx arc4;
456  u16 rx_tsc_lo;
457  u8 key[16];
458  u8 mic[8];
459  u32 icv, crc;
460 
461  iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
462  if ( ! iob )
463  return NULL;
464 
465  /* Copy frame header */
466  memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
467  hdr = iob->data;
468  hdr->fc &= ~IEEE80211_FC_PROTECTED;
469 
470  /* Check and update TSC */
471  head = eiob->data + hdrlen;
472  rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
473 
474  if ( head->tsc_hi < ctx->dec.tsc_hi ||
475  ( head->tsc_hi == ctx->dec.tsc_hi &&
476  rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
477  DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
478  "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
479  rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
480  free_iob ( iob );
481  return NULL;
482  }
483  ctx->dec.tsc_lo = rx_tsc_lo;
484  if ( ctx->dec.tsc_hi != head->tsc_hi ) {
485  ctx->dec.ttak_ok = 0;
486  ctx->dec.tsc_hi = head->tsc_hi;
487  }
488 
489  /* Calculate key */
490  tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
491  tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
492 
493  /* Copy-decrypt data, MIC, ICV */
494  cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
495  cipher_decrypt ( &arc4_algorithm, &arc4,
496  eiob->data + hdrlen + TKIP_HEAD_LEN,
497  iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
498 
499  /* Check ICV */
500  icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
501  crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
502  if ( crc != icv ) {
503  DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
504  ctx, icv, crc );
505  free_iob ( iob );
506  return NULL;
507  }
508 
509  /* Check MIC */
510  tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
511  iob->data + hdrlen, datalen, mic );
512  if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
513  DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
514  /* XXX we should do the countermeasures here */
515  free_iob ( iob );
516  return NULL;
517  }
518 
519  DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
520  eiob, iob );
521 
522  return iob;
523 }
u16
uint16_t u16
Definition: stdint.h:21
iob_put
#define iob_put(iobuf, len)
Definition: iobuf.h:120
le32_to_cpu
#define le32_to_cpu(value)
Definition: byteswap.h:113
hdr
struct golan_inbox_hdr hdr
Message header.
Definition: CIB_PRM.h:28
arc4_ctx
Definition: arc4.h:10
free_iob
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:146
DBGC
#define DBGC(...)
Definition: compiler.h:505
ieee80211_frame
An 802.11 data or management frame without QoS or WDS header fields.
Definition: ieee80211.h:300
head
uint8_t head
Head number.
Definition: int13.h:34
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
tkip_head
Header structure at the beginning of TKIP frame data.
Definition: wpa_tkip.c:72
alloc_iob
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition: iobuf.c:129
TKIP_MIC_LEN
#define TKIP_MIC_LEN
TKIP MIC length.
Definition: wpa_tkip.c:89
crc32_le
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition: crc32.c:39
io_buffer::tail
void * tail
End of data.
Definition: iobuf.h:50
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
IEEE80211_TYP_FRAME_HEADER_LEN
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition: ieee80211.h:60
datalen
u16 datalen
Length of the data field in bytes, network byte order.
Definition: wpa.h:84
tkip_michael
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition: wpa_tkip.c:322
TKIP_HEAD_LEN
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition: wpa_tkip.c:83
IEEE80211_FC_PROTECTED
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition: ieee80211.h:264
tkip_ctx
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:59
iob_len
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:155
cipher_decrypt
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:245
tkip_mix_1
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition: wpa_tkip.c:217
net80211_crypto::priv
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
tkip_mix_2
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition: wpa_tkip.c:257
arc4_algorithm
struct cipher_algorithm arc4_algorithm
Definition: arc4.c:118
DBGC2
#define DBGC2(...)
Definition: compiler.h:522
io_buffer::data
void * data
Start of data.
Definition: iobuf.h:48
memcmp
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
mic
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
TKIP_FOOT_LEN
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition: wpa_tkip.c:86
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18
u32
uint32_t u32
Definition: stdint.h:23
cipher_setkey
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:219
if
if(natsemi->flags &NATSEMI_64BIT) return 1
io_buffer
A persistent I/O buffer.
Definition: iobuf.h:33

References alloc_iob(), arc4_algorithm, cipher_decrypt, cipher_setkey(), crc32_le(), ctx, io_buffer::data, datalen, DBGC, DBGC2, free_iob(), hdr, head, IEEE80211_FC_PROTECTED, IEEE80211_TYP_FRAME_HEADER_LEN, if(), iob_len(), iob_put, key, le32_to_cpu, memcmp(), memcpy(), mic, NULL, net80211_crypto::priv, io_buffer::tail, TKIP_FOOT_LEN, TKIP_HEAD_LEN, TKIP_MIC_LEN, tkip_michael(), tkip_mix_1(), and tkip_mix_2().

◆ tkip_kie_mic()

static void tkip_kie_mic ( const void *  kck,
const void *  msg,
size_t  len,
void *  mic 
)
static

Calculate HMAC-MD5 MIC for EAPOL-Key frame.

Parameters
kckKey Confirmation Key, 16 bytes
msgMessage to calculate MIC over
lenNumber of bytes to calculate MIC over
Return values
micCalculated MIC, 16 bytes long

Definition at line 545 of file wpa_tkip.c.

547 {
548  uint8_t ctx[MD5_CTX_SIZE + MD5_BLOCK_SIZE];
549  u8 kckb[16];
550 
551  memcpy ( kckb, kck, sizeof ( kckb ) );
552 
553  hmac_init ( &md5_algorithm, ctx, kckb, sizeof ( kckb ) );
554  hmac_update ( &md5_algorithm, ctx, msg, len );
555  hmac_final ( &md5_algorithm, ctx, mic );
556 }
hmac_init
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
msg
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition: message.c:61
kck
u8 kck[WPA_KCK_LEN]
EAPOL-Key Key Confirmation Key (KCK)
Definition: wpa.h:28
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
hmac_update
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
MD5_CTX_SIZE
#define MD5_CTX_SIZE
MD5 context size.
Definition: md5.h:66
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
MD5_BLOCK_SIZE
#define MD5_BLOCK_SIZE
MD5 block size.
Definition: md5.h:69
hmac_final
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
mic
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
len
uint32_t len
Length.
Definition: ena.h:14
u8
uint8_t u8
Definition: stdint.h:19
md5_algorithm
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:286

References ctx, hmac_final(), hmac_init(), hmac_update(), kck, len, md5_algorithm, MD5_BLOCK_SIZE, MD5_CTX_SIZE, memcpy(), mic, and msg().

◆ tkip_kie_decrypt()

static int tkip_kie_decrypt ( const void *  kek,
const void *  iv,
void *  msg,
u16 len 
)
static

Decrypt key data in EAPOL-Key frame.

Parameters
kekKey Encryption Key, 16 bytes
ivInitialisation vector, 16 bytes
msgMessage to decrypt
lenLength of message
Return values
msgDecrypted message in place of original
lenUnchanged
rcAlways 0 for success

Definition at line 569 of file wpa_tkip.c.

571 {
572  u8 key[32];
573  memcpy ( key, iv, 16 );
574  memcpy ( key + 16, kek, 16 );
575 
576  arc4_skip ( key, 32, 256, msg, msg, *len );
577 
578  return 0;
579 }
msg
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition: message.c:61
iv
u8 iv[16]
Initialization vector.
Definition: wpa.h:60
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
arc4_skip
void arc4_skip(const void *key, size_t keylen, size_t skip, const void *src, void *dst, size_t msglen)
Perform ARC4 encryption or decryption, skipping initial keystream bytes.
Definition: arc4.c:109
kek
u8 kek[WPA_KEK_LEN]
EAPOL-Key Key Encryption Key (KEK)
Definition: wpa.h:31
len
uint32_t len
Length.
Definition: ena.h:14
u8
uint8_t u8
Definition: stdint.h:19
key
union @383 key
Sense key.
Definition: scsi.h:18

References arc4_skip(), iv, kek, key, len, memcpy(), and msg().

Variable Documentation

◆ Sbox

const u16 Sbox[256]
static

TKIP S-box.

Definition at line 96 of file wpa_tkip.c.

Referenced by S().

◆ __net80211_crypto

struct net80211_crypto tkip_crypto __net80211_crypto
Initial value:
= {
.algorithm = NET80211_CRYPT_TKIP,
.init = tkip_init,
.encrypt = tkip_encrypt,
.decrypt = tkip_decrypt,
.priv_len = sizeof ( struct tkip_ctx ),
}
tkip_ctx
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:59
tkip_init
static int tkip_init(struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
Initialise TKIP state and install key.
Definition: wpa_tkip.c:187
tkip_encrypt
static struct io_buffer * tkip_encrypt(struct net80211_crypto *crypto, struct io_buffer *iob)
Encrypt a packet using TKIP.
Definition: wpa_tkip.c:376
tkip_decrypt
static struct io_buffer * tkip_decrypt(struct net80211_crypto *crypto, struct io_buffer *eiob)
Decrypt a packet using TKIP.
Definition: wpa_tkip.c:446
NET80211_CRYPT_TKIP
Network protected with TKIP (better RC4-based system)
Definition: net80211.h:163

TKIP cryptosystem.

Definition at line 526 of file wpa_tkip.c.

◆ __wpa_kie

struct wpa_kie tkip_kie __wpa_kie
Initial value:
= {
.version = EAPOL_KEY_VERSION_WPA,
.mic = tkip_kie_mic,
.decrypt = tkip_kie_decrypt,
}
EAPOL_KEY_VERSION_WPA
#define EAPOL_KEY_VERSION_WPA
Key descriptor version field value for WPA (TKIP)
Definition: wpa.h:78
tkip_kie_decrypt
static int tkip_kie_decrypt(const void *kek, const void *iv, void *msg, u16 *len)
Decrypt key data in EAPOL-Key frame.
Definition: wpa_tkip.c:569
tkip_kie_mic
static void tkip_kie_mic(const void *kck, const void *msg, size_t len, void *mic)
Calculate HMAC-MD5 MIC for EAPOL-Key frame.
Definition: wpa_tkip.c:545

TKIP-style key integrity and encryption handler.

Definition at line 583 of file wpa_tkip.c.

Generated by   doxygen 1.8.15