iPXE
wpa_tkip.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  */
19 
20 FILE_LICENCE ( GPL2_OR_LATER );
21 
22 #include <string.h>
23 #include <ipxe/net80211.h>
24 #include <ipxe/crypto.h>
25 #include <ipxe/hmac.h>
26 #include <ipxe/sha1.h>
27 #include <ipxe/md5.h>
28 #include <ipxe/crc32.h>
29 #include <ipxe/arc4.h>
30 #include <ipxe/wpa.h>
31 #include <byteswap.h>
32 #include <errno.h>
33 
34 /** @file
35  *
36  * Backend for WPA using the TKIP encryption standard.
37  */
38 
39 /** Context for one direction of TKIP, either encryption or decryption */
41 {
42  /** High 32 bits of last sequence counter value used */
44 
45  /** Low 32 bits of last sequence counter value used */
47 
48  /** MAC address used to derive TTAK */
50 
51  /** If TRUE, TTAK is valid */
53 
54  /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
55  u16 ttak[5];
56 };
57 
58 /** Context for TKIP encryption and decryption */
59 struct tkip_ctx
60 {
61  /** Temporal key to use */
62  struct tkip_tk tk;
63 
64  /** State for encryption */
65  struct tkip_dir_ctx enc;
66 
67  /** State for decryption */
68  struct tkip_dir_ctx dec;
69 };
70 
71 /** Header structure at the beginning of TKIP frame data */
72 struct tkip_head
73 {
74  u8 tsc1; /**< High byte of low 16 bits of TSC */
75  u8 seed1; /**< Second byte of WEP seed */
76  u8 tsc0; /**< Low byte of TSC */
77  u8 kid; /**< Key ID and ExtIV byte */
78  u32 tsc_hi; /**< High 32 bits of TSC, as an ExtIV */
79 } __attribute__ (( packed ));
80 
81 
82 /** TKIP header overhead (IV + KID + ExtIV) */
83 #define TKIP_HEAD_LEN 8
84 
85 /** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
86 #define TKIP_FOOT_LEN 12
87 
88 /** TKIP MIC length */
89 #define TKIP_MIC_LEN 8
90 
91 /** TKIP ICV length */
92 #define TKIP_ICV_LEN 4
93 
94 
95 /** TKIP S-box */
96 static const u16 Sbox[256] = {
97  0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
98  0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
99  0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
100  0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
101  0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
102  0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
103  0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
104  0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
105  0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
106  0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
107  0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
108  0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
109  0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
110  0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
111  0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
112  0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
113  0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
114  0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
115  0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
116  0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
117  0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
118  0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
119  0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
120  0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
121  0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
122  0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
123  0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
124  0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
125  0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
126  0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
127  0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
128  0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
129 };
130 
131 /**
132  * Perform S-box mapping on a 16-bit value
133  *
134  * @v v Value to perform S-box mapping on
135  * @ret Sv S-box mapped value
136  */
137 static inline u16 S ( u16 v )
138 {
139  return Sbox[v & 0xFF] ^ bswap_16 ( Sbox[v >> 8] );
140 }
141 
142 /**
143  * Rotate 16-bit value right
144  *
145  * @v v Value to rotate
146  * @v bits Number of bits to rotate by
147  * @ret rotv Rotated value
148  */
149 static inline u16 ror16 ( u16 v, int bits )
150 {
151  return ( v >> bits ) | ( v << ( 16 - bits ) );
152 }
153 
154 /**
155  * Rotate 32-bit value right
156  *
157  * @v v Value to rotate
158  * @v bits Number of bits to rotate by
159  * @ret rotv Rotated value
160  */
161 static inline u32 ror32 ( u32 v, int bits )
162 {
163  return ( v >> bits ) | ( v << ( 32 - bits ) );
164 }
165 
166 /**
167  * Rotate 32-bit value left
168  *
169  * @v v Value to rotate
170  * @v bits Number of bits to rotate by
171  * @ret rotv Rotated value
172  */
173 static inline u32 rol32 ( u32 v, int bits )
174 {
175  return ( v << bits ) | ( v >> ( 32 - bits ) );
176 }
177 
178 
179 /**
180  * Initialise TKIP state and install key
181  *
182  * @v crypto TKIP cryptosystem structure
183  * @v key Pointer to tkip_tk to install
184  * @v keylen Length of key (32 bytes)
185  * @v rsc Initial receive sequence counter
186  */
187 static int tkip_init ( struct net80211_crypto *crypto, const void *key,
188  int keylen, const void *rsc )
189 {
190  struct tkip_ctx *ctx = crypto->priv;
191  const u8 *rscb = rsc;
192 
193  if ( keylen != sizeof ( ctx->tk ) )
194  return -EINVAL;
195 
196  if ( rscb ) {
197  ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
198  ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
199  ( rscb[3] << 8 ) | rscb[2] );
200  }
201 
202  memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
203 
204  return 0;
205 }
206 
207 /**
208  * Perform TKIP key mixing, phase 1
209  *
210  * @v dctx TKIP directional context
211  * @v tk TKIP temporal key
212  * @v mac MAC address of transmitter
213  *
214  * This recomputes the TTAK in @a dctx if necessary, and sets
215  * @c dctx->ttak_ok.
216  */
217 static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
218 {
219  int i, j;
220 
221  if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
222  return;
223 
224  memcpy ( dctx->mac, mac, ETH_ALEN );
225 
226  dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
227  dctx->ttak[1] = dctx->tsc_hi >> 16;
228  dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
229  dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
230  dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
231 
232  for ( i = 0; i < 8; i++ ) {
233  j = 2 * ( i & 1 );
234 
235  dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
236  tk->key[0 + j] ) );
237  dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
238  tk->key[4 + j] ) );
239  dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
240  tk->key[8 + j] ) );
241  dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
242  tk->key[12+ j] ) );
243  dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
244  tk->key[0 + j] ) ) + i;
245  }
246 
247  dctx->ttak_ok = 1;
248 }
249 
250 /**
251  * Perform TKIP key mixing, phase 2
252  *
253  * @v dctx TKIP directional context
254  * @v tk TKIP temporal key
255  * @ret key ARC4 key, 16 bytes long
256  */
257 static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
258  void *key )
259 {
260  u8 *kb = key;
261  u16 ppk[6];
262  int i;
263 
264  memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
265  ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
266 
267  ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
268  ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
269  ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
270  ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
271  ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
272  ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
273 
274  ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
275  ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
276  ppk[2] += ror16 ( ppk[1], 1 );
277  ppk[3] += ror16 ( ppk[2], 1 );
278  ppk[4] += ror16 ( ppk[3], 1 );
279  ppk[5] += ror16 ( ppk[4], 1 );
280 
281  kb[0] = dctx->tsc_lo >> 8;
282  kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
283  kb[2] = dctx->tsc_lo & 0xFF;
284  kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
285  & 0xFF;
286 
287  for ( i = 0; i < 6; i++ ) {
288  kb[4 + 2*i] = ppk[i] & 0xFF;
289  kb[5 + 2*i] = ppk[i] >> 8;
290  }
291 }
292 
293 /**
294  * Update Michael message integrity code based on next 32-bit word of data
295  *
296  * @v V Michael code state (two 32-bit words)
297  * @v word Next 32-bit word of data
298  */
299 static void tkip_feed_michael ( u32 *V, u32 word )
300 {
301  V[0] ^= word;
302  V[1] ^= rol32 ( V[0], 17 );
303  V[0] += V[1];
304  V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
305  V[0] += V[1];
306  V[1] ^= rol32 ( V[0], 3 );
307  V[0] += V[1];
308  V[1] ^= ror32 ( V[0], 2 );
309  V[0] += V[1];
310 }
311 
312 /**
313  * Calculate Michael message integrity code
314  *
315  * @v key MIC key to use (8 bytes)
316  * @v da Destination link-layer address
317  * @v sa Source link-layer address
318  * @v data Start of data to calculate over
319  * @v len Length of header + data
320  * @ret mic Calculated Michael MIC (8 bytes)
321  */
322 static void tkip_michael ( const void *key, const void *da, const void *sa,
323  const void *data, size_t len, void *mic )
324 {
325  u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
326  union {
327  u8 byte[12];
328  u32 word[3];
329  } cap;
330  const u8 *ptr = data;
331  const u8 *end = ptr + len;
332  int i;
333 
334  memcpy ( V, key, sizeof ( V ) );
335  V[0] = le32_to_cpu ( V[0] );
336  V[1] = le32_to_cpu ( V[1] );
337 
338  /* Feed in header (we assume non-QoS, so Priority = 0) */
339  memcpy ( &cap.byte[0], da, ETH_ALEN );
340  memcpy ( &cap.byte[6], sa, ETH_ALEN );
341  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
342  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
343  tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
344  tkip_feed_michael ( V, 0 );
345 
346  /* Feed in data */
347  while ( ptr + 4 <= end ) {
348  tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
349  ptr += 4;
350  }
351 
352  /* Add unaligned part and padding */
353  for ( i = 0; ptr < end; i++ )
354  cap.byte[i] = *ptr++;
355  cap.byte[i++] = 0x5a;
356  for ( ; i < 8; i++ )
357  cap.byte[i] = 0;
358 
359  /* Feed in padding */
360  tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
361  tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
362 
363  /* Output MIC */
364  V[0] = cpu_to_le32 ( V[0] );
365  V[1] = cpu_to_le32 ( V[1] );
366  memcpy ( mic, V, sizeof ( V ) );
367 }
368 
369 /**
370  * Encrypt a packet using TKIP
371  *
372  * @v crypto TKIP cryptosystem
373  * @v iob I/O buffer containing cleartext packet
374  * @ret eiob I/O buffer containing encrypted packet
375  */
376 static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
377  struct io_buffer *iob )
378 {
379  struct tkip_ctx *ctx = crypto->priv;
380  struct ieee80211_frame *hdr = iob->data;
381  struct io_buffer *eiob;
382  struct arc4_ctx arc4;
383  u8 key[16];
384  struct tkip_head head;
385  u8 mic[8];
386  u32 icv;
387  const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
388  int datalen = iob_len ( iob ) - hdrlen;
389 
390  ctx->enc.tsc_lo++;
391  if ( ctx->enc.tsc_lo == 0 ) {
392  ctx->enc.tsc_hi++;
393  ctx->enc.ttak_ok = 0;
394  }
395 
396  tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
397  tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
398 
399  eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
400  if ( ! eiob )
401  return NULL;
402 
403  /* Copy frame header */
404  memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
405  hdr = eiob->data;
407 
408  /* Fill in IV and key ID byte, and extended IV */
409  memcpy ( &head, key, 3 );
410  head.kid = 0x20; /* have Extended IV, key ID 0 */
411  head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
412  memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
413 
414  /* Copy and encrypt the data */
415  cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
416  cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
417  iob_put ( eiob, datalen ), datalen );
418 
419  /* Add MIC */
420  hdr = iob->data;
421  tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
422  iob->data + hdrlen, datalen, mic );
423  cipher_encrypt ( &arc4_algorithm, &arc4, mic,
424  iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
425 
426  /* Add ICV */
427  icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
428  icv = crc32_le ( icv, mic, sizeof ( mic ) );
429  icv = cpu_to_le32 ( ~icv );
430  cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
431  iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
432 
433  DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
434  iob, eiob );
435 
436  return eiob;
437 }
438 
439 /**
440  * Decrypt a packet using TKIP
441  *
442  * @v crypto TKIP cryptosystem
443  * @v eiob I/O buffer containing encrypted packet
444  * @ret iob I/O buffer containing cleartext packet
445  */
446 static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
447  struct io_buffer *eiob )
448 {
449  struct tkip_ctx *ctx = crypto->priv;
450  struct ieee80211_frame *hdr;
451  struct io_buffer *iob;
452  const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
453  int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
454  struct tkip_head *head;
455  struct arc4_ctx arc4;
456  u16 rx_tsc_lo;
457  u8 key[16];
458  u8 mic[8];
459  u32 icv, crc;
460 
461  iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
462  if ( ! iob )
463  return NULL;
464 
465  /* Copy frame header */
466  memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
467  hdr = iob->data;
468  hdr->fc &= ~IEEE80211_FC_PROTECTED;
469 
470  /* Check and update TSC */
471  head = eiob->data + hdrlen;
472  rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
473 
474  if ( head->tsc_hi < ctx->dec.tsc_hi ||
475  ( head->tsc_hi == ctx->dec.tsc_hi &&
476  rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
477  DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
478  "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
479  rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
480  free_iob ( iob );
481  return NULL;
482  }
483  ctx->dec.tsc_lo = rx_tsc_lo;
484  if ( ctx->dec.tsc_hi != head->tsc_hi ) {
485  ctx->dec.ttak_ok = 0;
486  ctx->dec.tsc_hi = head->tsc_hi;
487  }
488 
489  /* Calculate key */
490  tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
491  tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
492 
493  /* Copy-decrypt data, MIC, ICV */
494  cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
495  cipher_decrypt ( &arc4_algorithm, &arc4,
496  eiob->data + hdrlen + TKIP_HEAD_LEN,
497  iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
498 
499  /* Check ICV */
500  icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
501  crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
502  if ( crc != icv ) {
503  DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
504  ctx, icv, crc );
505  free_iob ( iob );
506  return NULL;
507  }
508 
509  /* Check MIC */
510  tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
511  iob->data + hdrlen, datalen, mic );
512  if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
513  DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
514  /* XXX we should do the countermeasures here */
515  free_iob ( iob );
516  return NULL;
517  }
518 
519  DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
520  eiob, iob );
521 
522  return iob;
523 }
524 
525 /** TKIP cryptosystem */
526 struct net80211_crypto tkip_crypto __net80211_crypto = {
528  .init = tkip_init,
529  .encrypt = tkip_encrypt,
530  .decrypt = tkip_decrypt,
531  .priv_len = sizeof ( struct tkip_ctx ),
532 };
533 
534 
535 
536 
537 /**
538  * Calculate HMAC-MD5 MIC for EAPOL-Key frame
539  *
540  * @v kck Key Confirmation Key, 16 bytes
541  * @v msg Message to calculate MIC over
542  * @v len Number of bytes to calculate MIC over
543  * @ret mic Calculated MIC, 16 bytes long
544  */
545 static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
546  void *mic )
547 {
549  u8 kckb[16];
550 
551  memcpy ( kckb, kck, sizeof ( kckb ) );
552 
553  hmac_init ( &md5_algorithm, ctx, kckb, sizeof ( kckb ) );
556 }
557 
558 /**
559  * Decrypt key data in EAPOL-Key frame
560  *
561  * @v kek Key Encryption Key, 16 bytes
562  * @v iv Initialisation vector, 16 bytes
563  * @v msg Message to decrypt
564  * @v len Length of message
565  * @ret msg Decrypted message in place of original
566  * @ret len Unchanged
567  * @ret rc Always 0 for success
568  */
569 static int tkip_kie_decrypt ( const void *kek, const void *iv,
570  void *msg, u16 *len )
571 {
572  u8 key[32];
573  memcpy ( key, iv, 16 );
574  memcpy ( key + 16, kek, 16 );
575 
576  arc4_skip ( key, 32, 256, msg, msg, *len );
577 
578  return 0;
579 }
580 
581 
582 /** TKIP-style key integrity and encryption handler */
583 struct wpa_kie tkip_kie __wpa_kie = {
585  .mic = tkip_kie_mic,
586  .decrypt = tkip_kie_decrypt,
587 };
#define EAPOL_KEY_VERSION_WPA
Key descriptor version field value for WPA (TKIP)
Definition: wpa.h:78
uint16_t u16
Definition: stdint.h:21
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition: hmac.c:57
#define __attribute__(x)
Definition: compiler.h:10
#define EINVAL
Invalid argument.
Definition: errno.h:428
static void tkip_feed_michael(u32 *V, u32 word)
Update Michael message integrity code based on next 32-bit word of data.
Definition: wpa_tkip.c:299
#define iob_put(iobuf, len)
Definition: iobuf.h:120
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition: message.c:61
Context for one direction of TKIP, either encryption or decryption.
Definition: wpa_tkip.c:40
u8 mac[ETH_ALEN]
MAC address used to derive TTAK.
Definition: wpa_tkip.c:49
static int tkip_kie_decrypt(const void *kek, const void *iv, void *msg, u16 *len)
Decrypt key data in EAPOL-Key frame.
Definition: wpa_tkip.c:569
u8 tsc1
High byte of low 16 bits of TSC.
Definition: wpa_tkip.c:74
static u32 rol32(u32 v, int bits)
Rotate 32-bit value left.
Definition: wpa_tkip.c:173
#define le32_to_cpu(value)
Definition: byteswap.h:113
u8 seed1
Second byte of WEP seed.
Definition: wpa_tkip.c:75
Error codes.
struct golan_inbox_hdr hdr
Message header.
Definition: CIB_PRM.h:28
Definition: arc4.h:10
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition: iobuf.c:146
WPA handshake key integrity and encryption handler.
Definition: wpa.h:371
u8 kck[WPA_KCK_LEN]
EAPOL-Key Key Confirmation Key (KCK)
Definition: wpa.h:28
#define DBGC(...)
Definition: compiler.h:505
An 802.11 data or management frame without QoS or WDS header fields.
Definition: ieee80211.h:300
Cryptographic API.
uint8_t head
Head number.
Definition: int13.h:34
uint8_t mac[ETH_ALEN]
MAC address.
Definition: ena.h:24
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
Header structure at the beginning of TKIP frame data.
Definition: wpa_tkip.c:72
u32 tsc_hi
High 32 bits of TSC, as an ExtIV.
Definition: wpa_tkip.c:78
static u32 ror32(u32 v, int bits)
Rotate 32-bit value right.
Definition: wpa_tkip.c:161
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition: iobuf.c:129
u8 iv[16]
Initialization vector.
Definition: wpa.h:60
#define TKIP_MIC_LEN
TKIP MIC length.
Definition: wpa_tkip.c:89
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition: crc32.c:39
FILE_LICENCE(GPL2_OR_LATER)
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition: wpa_tkip.c:137
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:233
void * tail
End of data.
Definition: iobuf.h:50
enum net80211_crypto_alg algorithm
The cryptographic algorithm implemented.
Definition: net80211.h:692
void * memcpy(void *dest, const void *src, size_t len) __nonnull
union wpa_tk tk
Temporal key.
Definition: wpa.h:34
Common definitions for all types of WPA-protected networks.
static const u16 Sbox[256]
TKIP S-box.
Definition: wpa_tkip.c:96
Keyed-Hashing for Message Authentication.
void arc4_skip(const void *key, size_t keylen, size_t skip, const void *src, void *dst, size_t msglen)
Perform ARC4 encryption or decryption, skipping initial keystream bytes.
Definition: arc4.c:109
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition: ieee80211.h:60
#define bswap_16(value)
Definition: byteswap.h:58
u8 rsc[8]
Receive sequence counter for GTK.
Definition: wpa.h:69
u16 datalen
Length of the data field in bytes, network byte order.
Definition: wpa.h:84
struct sockaddr sa
Definition: syslog.c:55
int version
Value of version bits in EAPOL-Key info field for which to use.
Definition: wpa.h:376
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition: wpa_tkip.c:322
#define cpu_to_le32(value)
Definition: byteswap.h:107
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition: wpa_tkip.c:83
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition: ieee80211.h:264
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition: hmac.h:42
Context for TKIP encryption and decryption.
Definition: wpa_tkip.c:59
u8 tsc0
Low byte of TSC.
Definition: wpa_tkip.c:76
The iPXE 802.11 MAC layer.
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition: iobuf.h:155
u8 kek[WPA_KEK_LEN]
EAPOL-Key Key Encryption Key (KEK)
Definition: wpa.h:31
struct net80211_crypto tkip_crypto __net80211_crypto
TKIP cryptosystem.
Definition: wpa_tkip.c:526
struct tkip_dir_ctx enc
State for encryption.
Definition: wpa_tkip.c:65
#define MD5_CTX_SIZE
MD5 context size.
Definition: md5.h:66
static int tkip_init(struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
Initialise TKIP state and install key.
Definition: wpa_tkip.c:187
unsigned char uint8_t
Definition: stdint.h:10
static struct io_buffer * tkip_encrypt(struct net80211_crypto *crypto, struct io_buffer *iob)
Encrypt a packet using TKIP.
Definition: wpa_tkip.c:376
u8 kid
Key ID and ExtIV byte.
Definition: wpa_tkip.c:77
#define MD5_BLOCK_SIZE
MD5 block size.
Definition: md5.h:69
u16 tsc_lo
Low 32 bits of last sequence counter value used.
Definition: wpa_tkip.c:46
#define ETH_ALEN
Definition: if_ether.h:8
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition: crypto.h:243
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition: wpa_tkip.c:217
void * priv
Private data for the algorithm to store key and state info.
Definition: net80211.h:766
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition: wpa_tkip.c:257
struct cipher_algorithm arc4_algorithm
Definition: arc4.c:118
u16 ttak_ok
If TRUE, TTAK is valid.
Definition: wpa_tkip.c:52
static struct io_buffer * tkip_decrypt(struct net80211_crypto *crypto, struct io_buffer *eiob)
Decrypt a packet using TKIP.
Definition: wpa_tkip.c:446
static volatile void * bits
Definition: bitops.h:27
Structure of the Temporal Key for TKIP encryption.
Definition: wpa.h:229
#define DBGC2(...)
Definition: compiler.h:522
SHA-1 algorithm.
#define TKIP_ICV_LEN
TKIP ICV length.
Definition: wpa_tkip.c:92
struct wpa_kie tkip_kie __wpa_kie
TKIP-style key integrity and encryption handler.
Definition: wpa_tkip.c:583
struct tkip_tk tk
Temporal key to use.
Definition: wpa_tkip.c:62
void * data
Start of data.
Definition: iobuf.h:48
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition: wpa_tkip.c:55
unsigned short word
Definition: smc9000.h:39
uint32_t end
Ending offset.
Definition: netvsc.h:18
uint8_t data[48]
Additional event data.
Definition: ena.h:22
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition: hmac.c:87
static u16 ror16(u16 v, int bits)
Rotate 16-bit value right.
Definition: wpa_tkip.c:149
struct tkip_dir_ctx dec
State for decryption.
Definition: wpa_tkip.c:68
Network protected with TKIP (better RC4-based system)
Definition: net80211.h:163
u32 tsc_hi
High 32 bits of last sequence counter value used.
Definition: wpa_tkip.c:43
Interface to an 802.11 cryptosystem.
Definition: net80211.h:689
MD5 algorithm.
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition: string.c:114
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition: wpa.h:81
uint32_t len
Length.
Definition: ena.h:14
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
String functions.
static void tkip_kie_mic(const void *kck, const void *msg, size_t len, void *mic)
Calculate HMAC-MD5 MIC for EAPOL-Key frame.
Definition: wpa_tkip.c:545
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition: wpa_tkip.c:86
uint8_t u8
Definition: stdint.h:19
union @383 key
Sense key.
Definition: scsi.h:18
uint32_t u32
Definition: stdint.h:23
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition: md5.c:286
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition: crypto.h:217
if(natsemi->flags &NATSEMI_64BIT) return 1
A persistent I/O buffer.
Definition: iobuf.h:33