iPXE
wpa_tkip.c
Go to the documentation of this file.
1/*
2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20FILE_LICENCE ( GPL2_OR_LATER );
21FILE_SECBOOT ( FORBIDDEN );
22
23#include <string.h>
24#include <ipxe/net80211.h>
25#include <ipxe/crypto.h>
26#include <ipxe/hmac.h>
27#include <ipxe/sha1.h>
28#include <ipxe/md5.h>
29#include <ipxe/crc32.h>
30#include <ipxe/arc4.h>
31#include <ipxe/wpa.h>
32#include <byteswap.h>
33#include <errno.h>
34
35/** @file
36 *
37 * Backend for WPA using the TKIP encryption standard.
38 */
39
40/** Context for one direction of TKIP, either encryption or decryption */
42{
43 /** High 32 bits of last sequence counter value used */
45
46 /** Low 32 bits of last sequence counter value used */
48
49 /** MAC address used to derive TTAK */
51
52 /** If TRUE, TTAK is valid */
54
55 /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
57};
58
59/** Context for TKIP encryption and decryption */
61{
62 /** Temporal key to use */
63 struct tkip_tk tk;
64
65 /** State for encryption */
67
68 /** State for decryption */
70};
71
72/** Header structure at the beginning of TKIP frame data */
74{
75 u8 tsc1; /**< High byte of low 16 bits of TSC */
76 u8 seed1; /**< Second byte of WEP seed */
77 u8 tsc0; /**< Low byte of TSC */
78 u8 kid; /**< Key ID and ExtIV byte */
79 u32 tsc_hi; /**< High 32 bits of TSC, as an ExtIV */
80} __attribute__ (( packed ));
81
82
83/** TKIP header overhead (IV + KID + ExtIV) */
84#define TKIP_HEAD_LEN 8
85
86/** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
87#define TKIP_FOOT_LEN 12
88
89/** TKIP MIC length */
90#define TKIP_MIC_LEN 8
91
92/** TKIP ICV length */
93#define TKIP_ICV_LEN 4
94
95
96/** TKIP S-box */
97static const u16 Sbox[256] = {
98 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
99 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
100 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
101 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
102 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
103 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
104 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
105 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
106 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
107 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
108 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
109 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
110 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
111 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
112 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
113 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
114 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
115 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
116 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
117 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
118 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
119 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
120 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
121 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
122 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
123 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
124 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
125 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
126 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
127 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
128 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
129 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
130};
131
132/**
133 * Perform S-box mapping on a 16-bit value
134 *
135 * @v v Value to perform S-box mapping on
136 * @ret Sv S-box mapped value
137 */
138static inline u16 S ( u16 v )
139{
140 return Sbox[v & 0xFF] ^ bswap_16 ( Sbox[v >> 8] );
141}
142
143/**
144 * Rotate 16-bit value right
145 *
146 * @v v Value to rotate
147 * @v bits Number of bits to rotate by
148 * @ret rotv Rotated value
149 */
150static inline u16 ror16 ( u16 v, int bits )
151{
152 return ( v >> bits ) | ( v << ( 16 - bits ) );
153}
154
155/**
156 * Rotate 32-bit value right
157 *
158 * @v v Value to rotate
159 * @v bits Number of bits to rotate by
160 * @ret rotv Rotated value
161 */
162static inline u32 ror32 ( u32 v, int bits )
163{
164 return ( v >> bits ) | ( v << ( 32 - bits ) );
165}
166
167/**
168 * Rotate 32-bit value left
169 *
170 * @v v Value to rotate
171 * @v bits Number of bits to rotate by
172 * @ret rotv Rotated value
173 */
174static inline u32 rol32 ( u32 v, int bits )
175{
176 return ( v << bits ) | ( v >> ( 32 - bits ) );
177}
178
179
180/**
181 * Initialise TKIP state and install key
182 *
183 * @v crypto TKIP cryptosystem structure
184 * @v key Pointer to tkip_tk to install
185 * @v keylen Length of key (32 bytes)
186 * @v rsc Initial receive sequence counter
187 */
188static int tkip_init ( struct net80211_crypto *crypto, const void *key,
189 int keylen, const void *rsc )
190{
191 struct tkip_ctx *ctx = crypto->priv;
192 const u8 *rscb = rsc;
193
194 if ( keylen != sizeof ( ctx->tk ) )
195 return -EINVAL;
196
197 if ( rscb ) {
198 ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
199 ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
200 ( rscb[3] << 8 ) | rscb[2] );
201 }
202
203 memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
204
205 return 0;
206}
207
208/**
209 * Perform TKIP key mixing, phase 1
210 *
211 * @v dctx TKIP directional context
212 * @v tk TKIP temporal key
213 * @v mac MAC address of transmitter
214 *
215 * This recomputes the TTAK in @a dctx if necessary, and sets
216 * @c dctx->ttak_ok.
217 */
218static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
219{
220 int i, j;
221
222 if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
223 return;
224
225 memcpy ( dctx->mac, mac, ETH_ALEN );
226
227 dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
228 dctx->ttak[1] = dctx->tsc_hi >> 16;
229 dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
230 dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
231 dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
232
233 for ( i = 0; i < 8; i++ ) {
234 j = 2 * ( i & 1 );
235
236 dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
237 tk->key[0 + j] ) );
238 dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
239 tk->key[4 + j] ) );
240 dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
241 tk->key[8 + j] ) );
242 dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
243 tk->key[12+ j] ) );
244 dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
245 tk->key[0 + j] ) ) + i;
246 }
247
248 dctx->ttak_ok = 1;
249}
250
251/**
252 * Perform TKIP key mixing, phase 2
253 *
254 * @v dctx TKIP directional context
255 * @v tk TKIP temporal key
256 * @ret key ARC4 key, 16 bytes long
257 */
258static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
259 void *key )
260{
261 u8 *kb = key;
262 u16 ppk[6];
263 int i;
264
265 memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
266 ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
267
268 ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
269 ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
270 ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
271 ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
272 ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
273 ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
274
275 ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
276 ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
277 ppk[2] += ror16 ( ppk[1], 1 );
278 ppk[3] += ror16 ( ppk[2], 1 );
279 ppk[4] += ror16 ( ppk[3], 1 );
280 ppk[5] += ror16 ( ppk[4], 1 );
281
282 kb[0] = dctx->tsc_lo >> 8;
283 kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
284 kb[2] = dctx->tsc_lo & 0xFF;
285 kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
286 & 0xFF;
287
288 for ( i = 0; i < 6; i++ ) {
289 kb[4 + 2*i] = ppk[i] & 0xFF;
290 kb[5 + 2*i] = ppk[i] >> 8;
291 }
292}
293
294/**
295 * Update Michael message integrity code based on next 32-bit word of data
296 *
297 * @v V Michael code state (two 32-bit words)
298 * @v word Next 32-bit word of data
299 */
300static void tkip_feed_michael ( u32 *V, u32 word )
301{
302 V[0] ^= word;
303 V[1] ^= rol32 ( V[0], 17 );
304 V[0] += V[1];
305 V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
306 V[0] += V[1];
307 V[1] ^= rol32 ( V[0], 3 );
308 V[0] += V[1];
309 V[1] ^= ror32 ( V[0], 2 );
310 V[0] += V[1];
311}
312
313/**
314 * Calculate Michael message integrity code
315 *
316 * @v key MIC key to use (8 bytes)
317 * @v da Destination link-layer address
318 * @v sa Source link-layer address
319 * @v data Start of data to calculate over
320 * @v len Length of header + data
321 * @ret mic Calculated Michael MIC (8 bytes)
322 */
323static void tkip_michael ( const void *key, const void *da, const void *sa,
324 const void *data, size_t len, void *mic )
325{
326 u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
327 union {
328 u8 byte[12];
329 u32 word[3];
330 } cap;
331 const u8 *ptr = data;
332 const u8 *end = ptr + len;
333 int i;
334
335 memcpy ( V, key, sizeof ( V ) );
336 V[0] = le32_to_cpu ( V[0] );
337 V[1] = le32_to_cpu ( V[1] );
338
339 /* Feed in header (we assume non-QoS, so Priority = 0) */
340 memcpy ( &cap.byte[0], da, ETH_ALEN );
341 memcpy ( &cap.byte[6], sa, ETH_ALEN );
342 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
343 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
344 tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
345 tkip_feed_michael ( V, 0 );
346
347 /* Feed in data */
348 while ( ptr + 4 <= end ) {
349 tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
350 ptr += 4;
351 }
352
353 /* Add unaligned part and padding */
354 for ( i = 0; ptr < end; i++ )
355 cap.byte[i] = *ptr++;
356 cap.byte[i++] = 0x5a;
357 for ( ; i < 8; i++ )
358 cap.byte[i] = 0;
359
360 /* Feed in padding */
361 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
362 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
363
364 /* Output MIC */
365 V[0] = cpu_to_le32 ( V[0] );
366 V[1] = cpu_to_le32 ( V[1] );
367 memcpy ( mic, V, sizeof ( V ) );
368}
369
370/**
371 * Encrypt a packet using TKIP
372 *
373 * @v crypto TKIP cryptosystem
374 * @v iob I/O buffer containing cleartext packet
375 * @ret eiob I/O buffer containing encrypted packet
376 */
377static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
378 struct io_buffer *iob )
379{
380 struct tkip_ctx *ctx = crypto->priv;
381 struct ieee80211_frame *hdr = iob->data;
382 struct io_buffer *eiob;
383 struct arc4_ctx arc4;
384 u8 key[16];
385 struct tkip_head head;
386 u8 mic[8];
387 u32 icv;
388 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
389 int datalen = iob_len ( iob ) - hdrlen;
390
391 ctx->enc.tsc_lo++;
392 if ( ctx->enc.tsc_lo == 0 ) {
393 ctx->enc.tsc_hi++;
394 ctx->enc.ttak_ok = 0;
395 }
396
397 tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
398 tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
399
400 eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
401 if ( ! eiob )
402 return NULL;
403
404 /* Copy frame header */
405 memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
406 hdr = eiob->data;
408
409 /* Fill in IV and key ID byte, and extended IV */
410 memcpy ( &head, key, 3 );
411 head.kid = 0x20; /* have Extended IV, key ID 0 */
412 head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
413 memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
414
415 /* Copy and encrypt the data */
416 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
417 cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
418 iob_put ( eiob, datalen ), datalen );
419
420 /* Add MIC */
421 hdr = iob->data;
422 tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
423 iob->data + hdrlen, datalen, mic );
425 iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
426
427 /* Add ICV */
428 icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
429 icv = crc32_le ( icv, mic, sizeof ( mic ) );
430 icv = cpu_to_le32 ( ~icv );
431 cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
432 iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
433
434 DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
435 iob, eiob );
436
437 return eiob;
438}
439
440/**
441 * Decrypt a packet using TKIP
442 *
443 * @v crypto TKIP cryptosystem
444 * @v eiob I/O buffer containing encrypted packet
445 * @ret iob I/O buffer containing cleartext packet
446 */
447static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
448 struct io_buffer *eiob )
449{
450 struct tkip_ctx *ctx = crypto->priv;
451 struct ieee80211_frame *hdr;
452 struct io_buffer *iob;
453 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
454 int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
455 struct tkip_head *head;
456 struct arc4_ctx arc4;
457 u16 rx_tsc_lo;
458 u8 key[16];
459 u8 mic[8];
460 u32 icv, crc;
461
462 iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
463 if ( ! iob )
464 return NULL;
465
466 /* Copy frame header */
467 memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
468 hdr = iob->data;
470
471 /* Check and update TSC */
472 head = eiob->data + hdrlen;
473 rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
474
475 if ( head->tsc_hi < ctx->dec.tsc_hi ||
476 ( head->tsc_hi == ctx->dec.tsc_hi &&
477 rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
478 DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
479 "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
480 rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
481 free_iob ( iob );
482 return NULL;
483 }
484 ctx->dec.tsc_lo = rx_tsc_lo;
485 if ( ctx->dec.tsc_hi != head->tsc_hi ) {
486 ctx->dec.ttak_ok = 0;
487 ctx->dec.tsc_hi = head->tsc_hi;
488 }
489
490 /* Calculate key */
491 tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
492 tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
493
494 /* Copy-decrypt data, MIC, ICV */
495 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
497 eiob->data + hdrlen + TKIP_HEAD_LEN,
498 iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
499
500 /* Check ICV */
501 icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
502 crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
503 if ( crc != icv ) {
504 DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
505 ctx, icv, crc );
506 free_iob ( iob );
507 return NULL;
508 }
509
510 /* Check MIC */
511 tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
512 iob->data + hdrlen, datalen, mic );
513 if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
514 DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
515 /* XXX we should do the countermeasures here */
516 free_iob ( iob );
517 return NULL;
518 }
519
520 DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
521 eiob, iob );
522
523 return iob;
524}
525
526/** TKIP cryptosystem */
527struct net80211_crypto tkip_crypto __net80211_crypto = {
528 .algorithm = NET80211_CRYPT_TKIP,
529 .init = tkip_init,
530 .encrypt = tkip_encrypt,
531 .decrypt = tkip_decrypt,
532 .priv_len = sizeof ( struct tkip_ctx ),
533};
534
535
536
537
538/**
539 * Calculate HMAC-MD5 MIC for EAPOL-Key frame
540 *
541 * @v kck Key Confirmation Key, 16 bytes
542 * @v msg Message to calculate MIC over
543 * @v len Number of bytes to calculate MIC over
544 * @ret mic Calculated MIC, 16 bytes long
545 */
546static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
547 void *mic )
548{
550 u8 kckb[16];
551
552 memcpy ( kckb, kck, sizeof ( kckb ) );
553
554 hmac_init ( &md5_algorithm, ctx, kckb, sizeof ( kckb ) );
557}
558
559/**
560 * Decrypt key data in EAPOL-Key frame
561 *
562 * @v kek Key Encryption Key, 16 bytes
563 * @v iv Initialisation vector, 16 bytes
564 * @v msg Message to decrypt
565 * @v len Length of message
566 * @ret msg Decrypted message in place of original
567 * @ret len Unchanged
568 * @ret rc Always 0 for success
569 */
570static int tkip_kie_decrypt ( const void *kek, const void *iv,
571 void *msg, u16 *len )
572{
573 u8 key[32];
574 memcpy ( key, iv, 16 );
575 memcpy ( key + 16, kek, 16 );
576
577 arc4_skip ( key, 32, 256, msg, msg, *len );
578
579 return 0;
580}
581
582
583/** TKIP-style key integrity and encryption handler */
584struct wpa_kie tkip_kie __wpa_kie = {
585 .version = EAPOL_KEY_VERSION_WPA,
586 .mic = tkip_kie_mic,
587 .decrypt = tkip_kie_decrypt,
588};
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
struct golan_eq_context ctx
Definition CIB_PRM.h:0
struct golan_inbox_hdr hdr
Message header.
Definition CIB_PRM.h:0
void arc4_skip(const void *key, size_t keylen, size_t skip, const void *src, void *dst, size_t msglen)
Perform ARC4 encryption or decryption, skipping initial keystream bytes.
Definition arc4.c:109
struct cipher_algorithm arc4_algorithm
Definition arc4.c:118
unsigned char uint8_t
Definition stdint.h:10
static volatile void * bits
Definition bitops.h:28
u32 crc32_le(u32 seed, const void *data, size_t len)
Calculate 32-bit little-endian CRC checksum.
Definition crc32.c:40
ring len
Length.
Definition dwmac.h:226
uint8_t data[48]
Additional event data.
Definition ena.h:11
uint8_t mac[ETH_ALEN]
MAC address.
Definition ena.h:13
Error codes.
#define DBGC2(...)
Definition compiler.h:522
#define DBGC(...)
Definition compiler.h:505
#define EAPOL_KEY_VERSION_WPA
Key descriptor version field value for WPA (TKIP)
Definition wpa.h:78
#define IEEE80211_FC_PROTECTED
802.11 Frame Control field: Protected flag
Definition ieee80211.h:264
#define IEEE80211_TYP_FRAME_HEADER_LEN
Frame header length for frames we might work with.
Definition ieee80211.h:60
uint8_t head
Head number.
Definition int13.h:23
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896
#define EINVAL
Invalid argument.
Definition errno.h:429
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926
void hmac_init(struct digest_algorithm *digest, void *ctx, const void *key, size_t key_len)
Initialise HMAC.
Definition hmac.c:58
void hmac_final(struct digest_algorithm *digest, void *ctx, void *hmac)
Finalise HMAC.
Definition hmac.c:88
Keyed-Hashing for Message Authentication.
static void hmac_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
Update HMAC.
Definition hmac.h:43
#define ETH_ALEN
Definition if_ether.h:9
#define u8
Definition igbvf_osdep.h:40
#define le32_to_cpu(value)
Definition byteswap.h:114
#define cpu_to_le32(value)
Definition byteswap.h:108
#define bswap_16(value)
Definition byteswap.h:59
#define __attribute__(x)
Definition compiler.h:10
Cryptographic API.
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
Definition crypto.h:235
#define cipher_decrypt(cipher, ctx, src, dst, len)
Definition crypto.h:261
#define cipher_encrypt(cipher, ctx, src, dst, len)
Definition crypto.h:251
String functions.
void * memcpy(void *dest, const void *src, size_t len) __nonnull
void free_iob(struct io_buffer *iobuf)
Free I/O buffer.
Definition iobuf.c:153
struct io_buffer * alloc_iob(size_t len)
Allocate I/O buffer.
Definition iobuf.c:131
#define iob_put(iobuf, len)
Definition iobuf.h:125
static size_t iob_len(struct io_buffer *iobuf)
Calculate length of data in an I/O buffer.
Definition iobuf.h:160
struct digest_algorithm md5_algorithm
MD5 algorithm.
Definition md5.c:287
MD5 algorithm.
#define MD5_CTX_SIZE
MD5 context size.
Definition md5.h:67
#define MD5_BLOCK_SIZE
MD5 block size.
Definition md5.h:70
void msg(unsigned int row, const char *fmt,...)
Print message centred on specified row.
Definition message.c:62
The iPXE 802.11 MAC layer.
@ NET80211_CRYPT_TKIP
Network protected with TKIP (better RC4-based system)
Definition net80211.h:163
#define __net80211_crypto
Definition net80211.h:770
uint32_t end
Ending offset.
Definition netvsc.h:7
SHA-1 algorithm.
unsigned short word
Definition smc9000.h:39
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Definition string.c:115
An 802.11 data or management frame without QoS or WDS header fields.
Definition ieee80211.h:301
A persistent I/O buffer.
Definition iobuf.h:38
void * data
Start of data.
Definition iobuf.h:53
void * tail
End of data.
Definition iobuf.h:55
Interface to an 802.11 cryptosystem.
Definition net80211.h:690
void * priv
Private data for the algorithm to store key and state info.
Definition net80211.h:766
Context for TKIP encryption and decryption.
Definition wpa_tkip.c:61
struct tkip_dir_ctx dec
State for decryption.
Definition wpa_tkip.c:69
struct tkip_tk tk
Temporal key to use.
Definition wpa_tkip.c:63
struct tkip_dir_ctx enc
State for encryption.
Definition wpa_tkip.c:66
Context for one direction of TKIP, either encryption or decryption.
Definition wpa_tkip.c:42
u16 tsc_lo
Low 32 bits of last sequence counter value used.
Definition wpa_tkip.c:47
u8 mac[ETH_ALEN]
MAC address used to derive TTAK.
Definition wpa_tkip.c:50
u16 ttak[5]
TKIP-mixed transmit address and key, depends on tsc_hi and MAC.
Definition wpa_tkip.c:56
u32 tsc_hi
High 32 bits of last sequence counter value used.
Definition wpa_tkip.c:44
u16 ttak_ok
If TRUE, TTAK is valid.
Definition wpa_tkip.c:53
Header structure at the beginning of TKIP frame data.
Definition wpa_tkip.c:74
u8 tsc0
Low byte of TSC.
Definition wpa_tkip.c:77
u8 seed1
Second byte of WEP seed.
Definition wpa_tkip.c:76
u32 tsc_hi
High 32 bits of TSC, as an ExtIV.
Definition wpa_tkip.c:79
u8 tsc1
High byte of low 16 bits of TSC.
Definition wpa_tkip.c:75
u8 kid
Key ID and ExtIV byte.
Definition wpa_tkip.c:78
Structure of the Temporal Key for TKIP encryption.
Definition wpa.h:230
WPA handshake key integrity and encryption handler.
Definition wpa.h:371
struct sockaddr sa
Definition syslog.c:57
#define u16
Definition vga.h:20
#define u32
Definition vga.h:21
Common definitions for all types of WPA-protected networks.
u16 datalen
Length of the data field in bytes, network byte order.
Definition wpa.h:57
#define __wpa_kie
Definition wpa.h:408
u8 iv[16]
Initialization vector.
Definition wpa.h:33
u8 rsc[8]
Receive sequence counter for GTK.
Definition wpa.h:42
union wpa_tk tk
Temporal key.
Definition wpa.h:7
u8 mic[16]
Message integrity code over the entire EAPOL frame.
Definition wpa.h:54
u8 kek[WPA_KEK_LEN]
EAPOL-Key Key Encryption Key (KEK)
Definition wpa.h:4
u8 kck[WPA_KCK_LEN]
EAPOL-Key Key Confirmation Key (KCK)
Definition wpa.h:1
static struct io_buffer * tkip_decrypt(struct net80211_crypto *crypto, struct io_buffer *eiob)
Decrypt a packet using TKIP.
Definition wpa_tkip.c:447
static u32 ror32(u32 v, int bits)
Rotate 32-bit value right.
Definition wpa_tkip.c:162
static void tkip_kie_mic(const void *kck, const void *msg, size_t len, void *mic)
Calculate HMAC-MD5 MIC for EAPOL-Key frame.
Definition wpa_tkip.c:546
static u16 ror16(u16 v, int bits)
Rotate 16-bit value right.
Definition wpa_tkip.c:150
static u32 rol32(u32 v, int bits)
Rotate 32-bit value left.
Definition wpa_tkip.c:174
static int tkip_kie_decrypt(const void *kek, const void *iv, void *msg, u16 *len)
Decrypt key data in EAPOL-Key frame.
Definition wpa_tkip.c:570
#define TKIP_ICV_LEN
TKIP ICV length.
Definition wpa_tkip.c:93
#define TKIP_MIC_LEN
TKIP MIC length.
Definition wpa_tkip.c:90
#define TKIP_FOOT_LEN
TKIP trailer overhead (MIC + ICV) [assumes unfragmented].
Definition wpa_tkip.c:87
static const u16 Sbox[256]
TKIP S-box.
Definition wpa_tkip.c:97
static void tkip_feed_michael(u32 *V, u32 word)
Update Michael message integrity code based on next 32-bit word of data.
Definition wpa_tkip.c:300
static void tkip_mix_1(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac)
Perform TKIP key mixing, phase 1.
Definition wpa_tkip.c:218
static u16 S(u16 v)
Perform S-box mapping on a 16-bit value.
Definition wpa_tkip.c:138
static void tkip_michael(const void *key, const void *da, const void *sa, const void *data, size_t len, void *mic)
Calculate Michael message integrity code.
Definition wpa_tkip.c:323
static void tkip_mix_2(struct tkip_dir_ctx *dctx, struct tkip_tk *tk, void *key)
Perform TKIP key mixing, phase 2.
Definition wpa_tkip.c:258
#define TKIP_HEAD_LEN
TKIP header overhead (IV + KID + ExtIV)
Definition wpa_tkip.c:84
static struct io_buffer * tkip_encrypt(struct net80211_crypto *crypto, struct io_buffer *iob)
Encrypt a packet using TKIP.
Definition wpa_tkip.c:377
static int tkip_init(struct net80211_crypto *crypto, const void *key, int keylen, const void *rsc)
Initialise TKIP state and install key.
Definition wpa_tkip.c:188