1 /* 2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2001 Atsushi Onoe 8 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission. 21 * 22 * Alternatively, this software may be distributed under the terms of the 23 * GNU General Public License ("GPL") version 2 as published by the Free 24 * Software Foundation. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 /* 39 * IEEE 802.11i TKIP crypto support. 40 * 41 * Part of this module is derived from similar code in the Host 42 * AP driver. The code is used with the consent of the author and 43 * it's license is included below. 44 */ 45 46 #include <sys/byteorder.h> 47 #include <sys/crypto/common.h> 48 #include <sys/crypto/api.h> 49 #include <sys/crc32.h> 50 #include <sys/random.h> 51 #include <sys/strsun.h> 52 #include "net80211_impl.h" 53 54 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 55 static void tkip_detach(struct ieee80211_key *); 56 static int tkip_setkey(struct ieee80211_key *); 57 static int tkip_encap(struct ieee80211_key *, mblk_t *, uint8_t); 58 static int tkip_decap(struct ieee80211_key *, mblk_t *, int); 59 static int tkip_enmic(struct ieee80211_key *, mblk_t *, int); 60 static int tkip_demic(struct ieee80211_key *, mblk_t *, int); 61 62 const struct ieee80211_cipher tkip = { 63 "TKIP", 64 IEEE80211_CIPHER_TKIP, 65 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 66 IEEE80211_WEP_EXTIVLEN, 67 IEEE80211_WEP_CRCLEN, 68 IEEE80211_WEP_MICLEN, 69 tkip_attach, 70 tkip_detach, 71 tkip_setkey, 72 tkip_encap, 73 tkip_decap, 74 tkip_enmic, 75 tkip_demic, 76 }; 77 78 struct tkip_ctx { 79 struct ieee80211com *tc_ic; /* for diagnostics */ 80 uint16_t tx_ttak[5]; 81 int tx_phase1_done; 82 uint8_t tx_rc4key[16]; 83 uint16_t rx_ttak[5]; 84 int rx_phase1_done; 85 uint8_t rx_rc4key[16]; 86 uint64_t rx_rsc; /* held until MIC verified */ 87 }; 88 89 static void michael_mic(struct tkip_ctx *, const uint8_t *, 90 mblk_t *, uint_t, size_t, uint8_t[]); 91 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 92 mblk_t *, int); 93 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 94 mblk_t *, int); 95 96 extern int rc4_init(crypto_context_t *, const uint8_t *, int); 97 extern int rc4_crypt(crypto_context_t, const uint8_t *, uint8_t *, int); 98 extern int rc4_final(crypto_context_t, uint8_t *, int); 99 100 /* ARGSUSED */ 101 static void * 102 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 103 { 104 struct tkip_ctx *ctx; 105 106 ctx = kmem_zalloc(sizeof (struct tkip_ctx), KM_SLEEP); 107 108 ctx->tc_ic = ic; 109 return (ctx); 110 } 111 112 static void 113 tkip_detach(struct ieee80211_key *k) 114 { 115 struct tkip_ctx *ctx = k->wk_private; 116 117 if (ctx != NULL) 118 kmem_free(ctx, sizeof (struct tkip_ctx)); 119 } 120 121 static int 122 tkip_setkey(struct ieee80211_key *k) 123 { 124 if (k->wk_keylen != (128/NBBY)) 125 return (0); 126 127 k->wk_keytsc = 1; /* TSC starts at 1 */ 128 return (1); 129 } 130 131 /* 132 * Add privacy headers appropriate for the specified key. 133 */ 134 static int 135 tkip_encap(struct ieee80211_key *k, mblk_t *mp, uint8_t keyid) 136 { 137 struct tkip_ctx *ctx = k->wk_private; 138 struct ieee80211com *ic = ctx->tc_ic; 139 uint8_t *ivp; 140 int hdrlen; 141 142 /* 143 * Handle TKIP counter measures requirement. 144 */ 145 if (ic->ic_flags & IEEE80211_F_COUNTERM) 146 return (0); 147 148 hdrlen = ieee80211_hdrspace(ic, mp->b_rptr); 149 /* 150 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 151 */ 152 ivp = mp->b_rptr; 153 ivp += hdrlen; 154 155 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 156 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 157 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 158 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 159 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 160 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 161 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 162 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 163 164 /* 165 * Finally, do software encrypt if neeed. 166 */ 167 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 168 if (!tkip_encrypt(ctx, k, mp, hdrlen)) 169 return (0); 170 } else 171 k->wk_keytsc++; /* wrap at 48 bits */ 172 173 return (1); 174 } 175 176 uint64_t 177 ieee80211_read_6(uint8_t b0, uint8_t b1, uint8_t b2, 178 uint8_t b3, uint8_t b4, uint8_t b5) 179 { 180 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 181 uint16_t iv16 = (b4 << 0) | (b5 << 8); 182 return ((((uint64_t)iv16) << 32) | iv32); 183 } 184 185 /* 186 * Validate and strip privacy headers (and trailer) for a 187 * received frame. If necessary, decrypt the frame using 188 * the specified key. 189 */ 190 static int 191 tkip_decap(struct ieee80211_key *k, mblk_t *mp, int hdrlen) 192 { 193 struct tkip_ctx *ctx = k->wk_private; 194 struct ieee80211com *ic = ctx->tc_ic; 195 uint8_t *ivp; 196 uint64_t pn; 197 198 /* 199 * Header should have extended IV and sequence number; 200 * verify the former and validate the latter. 201 */ 202 ivp = mp->b_rptr + hdrlen; 203 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 204 /* 205 * No extended IV; discard frame. 206 */ 207 return (0); 208 } 209 /* 210 * Handle TKIP counter measures requirement. 211 */ 212 if (ic->ic_flags & IEEE80211_F_COUNTERM) 213 return (0); 214 215 /* NB: assume IEEEE80211_WEP_MINLEN covers the extended IV */ 216 pn = ieee80211_read_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 217 ctx->rx_rsc = pn; 218 if (ctx->rx_rsc <= k->wk_keyrsc) 219 return (0); 220 /* 221 * NB: We can't update the rsc in the key until MIC is verified. 222 * 223 * We assume we are not preempted between doing the check above 224 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 225 * Otherwise we might process another packet and discard it as 226 * a replay. 227 */ 228 229 /* 230 * Check if the device handled the decrypt in hardware. 231 * If so we just strip the header; otherwise we need to 232 * handle the decrypt in software. 233 */ 234 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 235 if (!tkip_decrypt(ctx, k, mp, hdrlen)) 236 return (0); 237 } 238 239 /* 240 * Copy up 802.11 header and strip crypto bits. 241 */ 242 (void) memmove(mp->b_rptr + tkip.ic_header, mp->b_rptr, hdrlen); 243 mp->b_rptr += tkip.ic_header; 244 mp->b_wptr -= tkip.ic_trailer; 245 246 return (1); 247 } 248 249 /* 250 * Add MIC to the frame as needed. 251 */ 252 static int 253 tkip_enmic(struct ieee80211_key *k, mblk_t *mp, int force) 254 { 255 struct tkip_ctx *ctx = k->wk_private; 256 257 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 258 int hdrlen; 259 uint8_t *mic; 260 261 hdrlen = ieee80211_hdrspace(ctx->tc_ic, mp->b_rptr); 262 mic = mp->b_wptr; 263 mp->b_wptr += tkip.ic_miclen; 264 265 if ((int)(MBLKL(mp) - 266 (hdrlen + tkip.ic_header + tkip.ic_miclen)) < 0) 267 return (0); /* dead packet */ 268 269 michael_mic(ctx, k->wk_txmic, mp, (hdrlen + tkip.ic_header), 270 MBLKL(mp) - 271 (hdrlen + tkip.ic_header + tkip.ic_miclen), mic); 272 } 273 return (1); 274 } 275 276 /* 277 * Verify and strip MIC from the frame. 278 */ 279 /* ARGSUSED */ 280 static int 281 tkip_demic(struct ieee80211_key *k, mblk_t *mp, int force) 282 { 283 struct tkip_ctx *ctx = k->wk_private; 284 285 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 286 int hdrlen = ieee80211_hdrspace(ctx->tc_ic, mp->b_rptr); 287 uint8_t mic[IEEE80211_WEP_MICLEN]; 288 uint8_t mic0[IEEE80211_WEP_MICLEN]; 289 290 michael_mic(ctx, k->wk_rxmic, 291 mp, hdrlen, 292 MBLKL(mp) - (hdrlen + tkip.ic_miclen), 293 mic); 294 bcopy(mp->b_wptr - tkip.ic_miclen, mic0, tkip.ic_miclen); 295 if (bcmp(mic, mic0, tkip.ic_miclen)) { 296 ieee80211_dbg(IEEE80211_MSG_CRYPTO, 297 "tkip_demic() mic mismatch\n"); 298 return (0); 299 } 300 } 301 /* 302 * Strip MIC from the tail. 303 */ 304 mp->b_wptr -= tkip.ic_miclen; 305 /* 306 * Ok to update rsc now that MIC has been verified. 307 */ 308 k->wk_keyrsc = ctx->rx_rsc; 309 return (1); 310 } 311 312 /* 313 * For the avoidance of doubt, except that if any license choice other 314 * than GPL or LGPL is available it will apply instead, Sun elects to 315 * use only the General Public License version 2 (GPLv2) at this time 316 * for any software where a choice of GPL license versions is made 317 * available with the language indicating that GPLv2 or any later 318 * version may be used, or where a choice of which version of the GPL 319 * is applied is otherwise unspecified. 320 */ 321 322 /* 323 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 324 * 325 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 326 * 327 * This program is free software; you can redistribute it and/or modify 328 * it under the terms of the GNU General Public License version 2 as 329 * published by the Free Software Foundation. See README and COPYING for 330 * more details. 331 * 332 * Alternatively, this software may be distributed under the terms of BSD 333 * license. 334 */ 335 336 /* Table of CRCs of all 8-bit messages */ 337 static uint32_t crc_table[] = { CRC32_TABLE }; 338 339 static uint16_t 340 RotR1(uint16_t val) 341 { 342 return ((val >> 1) | (val << 15)); 343 } 344 345 static uint8_t 346 Lo8(uint16_t val) 347 { 348 return (val & 0xff); 349 } 350 351 static uint8_t 352 Hi8(uint16_t val) 353 { 354 return (val >> 8); 355 } 356 357 static uint16_t 358 Lo16(uint32_t val) 359 { 360 return (val & 0xffff); 361 } 362 363 static uint16_t 364 Hi16(uint32_t val) 365 { 366 return (val >> 16); 367 } 368 369 static uint16_t 370 Mk16(uint8_t hi, uint8_t lo) 371 { 372 return (lo | (((uint16_t)hi) << 8)); 373 } 374 375 static uint16_t 376 Mk16_le(const uint16_t *v) 377 { 378 return (LE_16(*v)); 379 } 380 381 static const uint16_t Sbox[256] = { 382 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 383 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 384 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 385 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 386 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 387 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 388 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 389 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 390 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 391 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 392 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 393 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 394 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 395 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 396 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 397 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 398 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 399 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 400 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 401 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 402 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 403 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 404 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 405 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 406 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 407 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 408 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 409 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 410 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 411 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 412 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 413 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 414 }; 415 416 static uint16_t 417 _S_(uint16_t v) 418 { 419 uint16_t t = Sbox[Hi8(v)]; 420 return (Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8))); 421 } 422 423 #define PHASE1_LOOP_COUNT 8 424 425 static void 426 tkip_mixing_phase1(uint16_t *TTAK, const uint8_t *TK, 427 const uint8_t *TA, uint32_t IV32) 428 { 429 int i, j; 430 431 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 432 TTAK[0] = Lo16(IV32); 433 TTAK[1] = Hi16(IV32); 434 TTAK[2] = Mk16(TA[1], TA[0]); 435 TTAK[3] = Mk16(TA[3], TA[2]); 436 TTAK[4] = Mk16(TA[5], TA[4]); 437 438 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 439 j = 2 * (i & 1); 440 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 441 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 442 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 443 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 444 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 445 } 446 } 447 448 static void 449 tkip_mixing_phase2(uint8_t *WEPSeed, const uint8_t *TK, 450 const uint16_t *TTAK, uint16_t IV16) 451 { 452 /* 453 * Make temporary area overlap WEP seed so that the final copy can be 454 * avoided on little endian hosts. 455 */ 456 uint16_t *PPK = (uint16_t *)&WEPSeed[4]; 457 458 /* Step 1 - make copy of TTAK and bring in TSC */ 459 PPK[0] = TTAK[0]; 460 PPK[1] = TTAK[1]; 461 PPK[2] = TTAK[2]; 462 PPK[3] = TTAK[3]; 463 PPK[4] = TTAK[4]; 464 PPK[5] = TTAK[4] + IV16; 465 466 /* Step 2 - 96-bit bijective mixing using S-box */ 467 PPK[0] += _S_(PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])); 468 PPK[1] += _S_(PPK[0] ^ Mk16_le((const uint16_t *) &TK[2])); 469 PPK[2] += _S_(PPK[1] ^ Mk16_le((const uint16_t *) &TK[4])); 470 PPK[3] += _S_(PPK[2] ^ Mk16_le((const uint16_t *) &TK[6])); 471 PPK[4] += _S_(PPK[3] ^ Mk16_le((const uint16_t *) &TK[8])); 472 PPK[5] += _S_(PPK[4] ^ Mk16_le((const uint16_t *) &TK[10])); 473 474 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const uint16_t *) &TK[12])); 475 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const uint16_t *) &TK[14])); 476 PPK[2] += RotR1(PPK[1]); 477 PPK[3] += RotR1(PPK[2]); 478 PPK[4] += RotR1(PPK[3]); 479 PPK[5] += RotR1(PPK[4]); 480 481 /* 482 * Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 483 * WEPSeed[0..2] is transmitted as WEP IV 484 */ 485 WEPSeed[0] = Hi8(IV16); 486 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 487 WEPSeed[2] = Lo8(IV16); 488 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])) >> 1); 489 490 #ifdef _BIG_ENDIAN 491 int i; 492 for (i = 0; i < 6; i++) 493 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 494 #endif 495 } 496 497 static int 498 wep_encrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len, 499 uint8_t icv[IEEE80211_WEP_CRCLEN]) 500 { 501 uint8_t crcbuf[IEEE80211_WEP_CRCLEN]; 502 uint32_t crc; 503 crypto_context_t ctx; 504 int rv; 505 506 ctx = NULL; 507 rv = rc4_init(&ctx, (const uint8_t *)key, 16); 508 if (rv != CRYPTO_SUCCESS) 509 return (0); 510 511 /* calculate CRC over unencrypted data */ 512 CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table); 513 514 /* encrypt data */ 515 (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len); 516 517 /* tack on ICV */ 518 *(uint32_t *)crcbuf = LE_32(~crc); 519 (void) rc4_crypt(ctx, crcbuf, icv, IEEE80211_WEP_CRCLEN); 520 521 (void) rc4_final(ctx, icv, IEEE80211_WEP_CRCLEN); 522 523 return (1); 524 } 525 526 static int 527 wep_decrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len) 528 { 529 uint8_t crcbuf[IEEE80211_WEP_CRCLEN]; 530 uint8_t *icv; 531 uint32_t crc; 532 crypto_context_t ctx; 533 int rv; 534 535 ctx = NULL; 536 rv = rc4_init(&ctx, (const uint8_t *)key, 16); 537 if (rv != CRYPTO_SUCCESS) 538 return (0); 539 540 /* decrypt data */ 541 (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len); 542 543 /* calculate CRC over unencrypted data */ 544 CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table); 545 546 /* decrypt ICV and compare to CRC */ 547 icv = mp->b_wptr - IEEE80211_WEP_CRCLEN; 548 (void) rc4_crypt(ctx, icv, crcbuf, IEEE80211_WEP_CRCLEN); 549 (void) rc4_final(ctx, crcbuf, IEEE80211_WEP_CRCLEN); 550 551 return (crc == ~LE_32(*(uint32_t *)crcbuf)); 552 } 553 554 static uint32_t 555 rotl(uint32_t val, int bits) 556 { 557 return ((val << bits) | (val >> (32 - bits))); 558 } 559 560 561 static uint32_t 562 rotr(uint32_t val, int bits) 563 { 564 return ((val >> bits) | (val << (32 - bits))); 565 } 566 567 568 static uint32_t 569 xswap(uint32_t val) 570 { 571 return (((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8)); 572 } 573 574 575 #define michael_block(l, r) \ 576 do { \ 577 r ^= rotl(l, 17); \ 578 l += r; \ 579 r ^= xswap(l); \ 580 l += r; \ 581 r ^= rotl(l, 3); \ 582 l += r; \ 583 r ^= rotr(l, 2); \ 584 l += r; \ 585 _NOTE(CONSTANTCONDITION)\ 586 } while (0) 587 588 589 static uint32_t 590 get_le32_split(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) 591 { 592 return (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)); 593 } 594 595 static uint32_t 596 get_le32(const uint8_t *p) 597 { 598 return (get_le32_split(p[0], p[1], p[2], p[3])); 599 } 600 601 602 static void 603 put_le32(uint8_t *p, uint32_t v) 604 { 605 p[0] = (uint8_t)v; 606 p[1] = v >> 8; 607 p[2] = v >> 16; 608 p[3] = v >> 24; 609 } 610 611 /* 612 * Craft pseudo header used to calculate the MIC. 613 */ 614 static void 615 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 616 { 617 const struct ieee80211_frame_addr4 *wh = 618 (const struct ieee80211_frame_addr4 *)wh0; 619 620 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 621 case IEEE80211_FC1_DIR_NODS: 622 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 623 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 624 break; 625 case IEEE80211_FC1_DIR_TODS: 626 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 627 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 628 break; 629 case IEEE80211_FC1_DIR_FROMDS: 630 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 631 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 632 break; 633 case IEEE80211_FC1_DIR_DSTODS: 634 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 635 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 636 break; 637 } 638 639 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 640 const struct ieee80211_qosframe *qwh = 641 (const struct ieee80211_qosframe *)wh; 642 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 643 } else 644 hdr[12] = 0; 645 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 646 } 647 648 /* ARGSUSED */ 649 static void 650 michael_mic(struct tkip_ctx *ctx, const uint8_t *key, 651 mblk_t *mp, uint_t off, size_t data_len, 652 uint8_t mic[IEEE80211_WEP_MICLEN]) 653 { 654 uint8_t hdr[16]; 655 uint32_t l, r; 656 const uint8_t *data; 657 int i, blocks, last; 658 659 michael_mic_hdr((struct ieee80211_frame *)mp->b_rptr, hdr); 660 661 l = get_le32(key); 662 r = get_le32(key + 4); 663 664 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 665 l ^= get_le32(hdr); 666 michael_block(l, r); 667 l ^= get_le32(&hdr[4]); 668 michael_block(l, r); 669 l ^= get_le32(&hdr[8]); 670 michael_block(l, r); 671 l ^= get_le32(&hdr[12]); 672 michael_block(l, r); 673 674 /* first buffer has special handling */ 675 data = mp->b_rptr + off; 676 677 blocks = data_len / 4; 678 last = data_len % 4; 679 680 for (i = 0; i < blocks; i++) { 681 l ^= get_le32(&data[4 * i]); 682 michael_block(l, r); 683 } 684 685 /* Last block and padding (0x5a, 4..7 x 0) */ 686 switch (last) { 687 case 0: 688 l ^= 0x5a; 689 break; 690 case 1: 691 l ^= data[4 * i] | 0x5a00; 692 break; 693 case 2: 694 l ^= data[4 * i] | (data[4 * i + 1] << 8) | 0x5a0000; 695 break; 696 case 3: 697 l ^= data[4 * i] | (data[4 * i + 1] << 8) | 698 (data[4 * i + 2] << 16) | 0x5a000000; 699 break; 700 } 701 michael_block(l, r); 702 /* l ^= 0; */ 703 michael_block(l, r); 704 705 put_le32(mic, l); 706 put_le32(mic + 4, r); 707 } 708 709 static int 710 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 711 mblk_t *mp, int hdrlen) 712 { 713 struct ieee80211_frame *wh; 714 uint8_t *icv; 715 716 wh = (struct ieee80211_frame *)mp->b_rptr; 717 if (!ctx->tx_phase1_done) { 718 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 719 (uint32_t)(key->wk_keytsc >> 16)); 720 ctx->tx_phase1_done = 1; 721 } 722 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 723 (uint16_t)key->wk_keytsc); 724 725 icv = mp->b_wptr; 726 mp->b_wptr += tkip.ic_trailer; 727 728 (void) wep_encrypt(ctx->tx_rc4key, 729 mp, hdrlen + tkip.ic_header, 730 MBLKL(mp) - 731 (hdrlen + tkip.ic_header + tkip.ic_trailer), 732 icv); 733 734 key->wk_keytsc++; 735 if ((uint16_t)(key->wk_keytsc) == 0) 736 ctx->tx_phase1_done = 0; 737 return (1); 738 } 739 740 static int 741 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 742 mblk_t *mp, int hdrlen) 743 { 744 struct ieee80211_frame *wh; 745 uint32_t iv32; 746 uint16_t iv16; 747 748 wh = (struct ieee80211_frame *)mp->b_rptr; 749 /* tkip_decap already verified header and left seq in rx_rsc */ 750 iv16 = (uint16_t)ctx->rx_rsc; 751 iv32 = (uint32_t)(ctx->rx_rsc >> 16); 752 753 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 754 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 755 wh->i_addr2, iv32); 756 ctx->rx_phase1_done = 0; /* DHCP */ 757 } 758 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 759 760 /* m is unstripped; deduct headers + ICV to get payload */ 761 if (!wep_decrypt(ctx->rx_rc4key, 762 mp, hdrlen + tkip.ic_header, 763 MBLKL(mp) - 764 (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 765 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16)) { 766 /* 767 * Previously cached Phase1 result was already lost, so 768 * it needs to be recalculated for the next packet. 769 */ 770 ctx->rx_phase1_done = 0; 771 } 772 ieee80211_dbg(IEEE80211_MSG_CRYPTO, "tkip_decrypt() error\n"); 773 return (0); 774 } 775 return (1); 776 }