2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 FILE_LICENCE ( GPL2_OR_LATER );
23 #include <ipxe/net80211.h>
24 #include <ipxe/crypto.h>
25 #include <ipxe/hmac.h>
26 #include <ipxe/sha1.h>
28 #include <ipxe/crc32.h>
29 #include <ipxe/arc4.h>
36 * Backend for WPA using the TKIP encryption standard.
39 /** Context for one direction of TKIP, either encryption or decryption */
42 /** High 32 bits of last sequence counter value used */
45 /** Low 32 bits of last sequence counter value used */
48 /** MAC address used to derive TTAK */
51 /** If TRUE, TTAK is valid */
54 /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
58 /** Context for TKIP encryption and decryption */
61 /** Temporal key to use */
64 /** State for encryption */
65 struct tkip_dir_ctx enc;
67 /** State for decryption */
68 struct tkip_dir_ctx dec;
71 /** Header structure at the beginning of TKIP frame data */
74 u8 tsc1; /**< High byte of low 16 bits of TSC */
75 u8 seed1; /**< Second byte of WEP seed */
76 u8 tsc0; /**< Low byte of TSC */
77 u8 kid; /**< Key ID and ExtIV byte */
78 u32 tsc_hi; /**< High 32 bits of TSC, as an ExtIV */
79 } __attribute__ (( packed ));
82 /** TKIP header overhead (IV + KID + ExtIV) */
83 #define TKIP_HEAD_LEN 8
85 /** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
86 #define TKIP_FOOT_LEN 12
88 /** TKIP MIC length */
89 #define TKIP_MIC_LEN 8
91 /** TKIP ICV length */
92 #define TKIP_ICV_LEN 4
96 static const u16 Sbox[256] = {
97 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
98 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
99 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
100 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
101 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
102 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
103 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
104 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
105 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
106 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
107 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
108 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
109 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
110 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
111 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
112 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
113 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
114 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
115 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
116 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
117 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
118 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
119 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
120 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
121 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
122 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
123 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
124 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
125 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
126 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
127 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
128 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
132 * Perform S-box mapping on a 16-bit value
134 * @v v Value to perform S-box mapping on
135 * @ret Sv S-box mapped value
137 static inline u16 S ( u16 v )
139 return Sbox[v & 0xFF] ^ swap16 ( Sbox[v >> 8] );
143 * Rotate 16-bit value right
145 * @v v Value to rotate
146 * @v bits Number of bits to rotate by
147 * @ret rotv Rotated value
149 static inline u16 ror16 ( u16 v, int bits )
151 return ( v >> bits ) | ( v << ( 16 - bits ) );
155 * Rotate 32-bit value right
157 * @v v Value to rotate
158 * @v bits Number of bits to rotate by
159 * @ret rotv Rotated value
161 static inline u32 ror32 ( u32 v, int bits )
163 return ( v >> bits ) | ( v << ( 32 - bits ) );
167 * Rotate 32-bit value left
169 * @v v Value to rotate
170 * @v bits Number of bits to rotate by
171 * @ret rotv Rotated value
173 static inline u32 rol32 ( u32 v, int bits )
175 return ( v << bits ) | ( v >> ( 32 - bits ) );
180 * Initialise TKIP state and install key
182 * @v crypto TKIP cryptosystem structure
183 * @v key Pointer to tkip_tk to install
184 * @v keylen Length of key (32 bytes)
185 * @v rsc Initial receive sequence counter
187 static int tkip_init ( struct net80211_crypto *crypto, const void *key,
188 int keylen, const void *rsc )
190 struct tkip_ctx *ctx = crypto->priv;
191 const u8 *rscb = rsc;
193 if ( keylen != sizeof ( ctx->tk ) )
197 ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
198 ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
199 ( rscb[3] << 8 ) | rscb[2] );
202 memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
208 * Perform TKIP key mixing, phase 1
210 * @v dctx TKIP directional context
211 * @v tk TKIP temporal key
212 * @v mac MAC address of transmitter
214 * This recomputes the TTAK in @a dctx if necessary, and sets
217 static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
221 if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
224 memcpy ( dctx->mac, mac, ETH_ALEN );
226 dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
227 dctx->ttak[1] = dctx->tsc_hi >> 16;
228 dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
229 dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
230 dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
232 for ( i = 0; i < 8; i++ ) {
235 dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
237 dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
239 dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
241 dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
243 dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
244 tk->key[0 + j] ) ) + i;
251 * Perform TKIP key mixing, phase 2
253 * @v dctx TKIP directional context
254 * @v tk TKIP temporal key
255 * @ret key ARC4 key, 16 bytes long
257 static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
264 memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
265 ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
267 ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
268 ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
269 ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
270 ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
271 ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
272 ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
274 ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
275 ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
276 ppk[2] += ror16 ( ppk[1], 1 );
277 ppk[3] += ror16 ( ppk[2], 1 );
278 ppk[4] += ror16 ( ppk[3], 1 );
279 ppk[5] += ror16 ( ppk[4], 1 );
281 kb[0] = dctx->tsc_lo >> 8;
282 kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
283 kb[2] = dctx->tsc_lo & 0xFF;
284 kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
287 for ( i = 0; i < 6; i++ ) {
288 kb[4 + 2*i] = ppk[i] & 0xFF;
289 kb[5 + 2*i] = ppk[i] >> 8;
294 * Update Michael message integrity code based on next 32-bit word of data
296 * @v V Michael code state (two 32-bit words)
297 * @v word Next 32-bit word of data
299 static void tkip_feed_michael ( u32 *V, u32 word )
302 V[1] ^= rol32 ( V[0], 17 );
304 V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
306 V[1] ^= rol32 ( V[0], 3 );
308 V[1] ^= ror32 ( V[0], 2 );
313 * Calculate Michael message integrity code
315 * @v key MIC key to use (8 bytes)
316 * @v da Destination link-layer address
317 * @v sa Source link-layer address
318 * @v data Start of data to calculate over
319 * @v len Length of header + data
320 * @ret mic Calculated Michael MIC (8 bytes)
322 static void tkip_michael ( const void *key, const void *da, const void *sa,
323 const void *data, size_t len, void *mic )
325 u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
330 const u8 *ptr = data;
331 const u8 *end = ptr + len;
334 memcpy ( V, key, sizeof ( V ) );
335 V[0] = le32_to_cpu ( V[0] );
336 V[1] = le32_to_cpu ( V[1] );
338 /* Feed in header (we assume non-QoS, so Priority = 0) */
339 memcpy ( &cap.byte[0], da, ETH_ALEN );
340 memcpy ( &cap.byte[6], sa, ETH_ALEN );
341 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
342 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
343 tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
344 tkip_feed_michael ( V, 0 );
347 while ( ptr + 4 <= end ) {
348 tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
352 /* Add unaligned part and padding */
353 for ( i = 0; ptr < end; i++ )
354 cap.byte[i] = *ptr++;
355 cap.byte[i++] = 0x5a;
359 /* Feed in padding */
360 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
361 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
364 V[0] = cpu_to_le32 ( V[0] );
365 V[1] = cpu_to_le32 ( V[1] );
366 memcpy ( mic, V, sizeof ( V ) );
370 * Encrypt a packet using TKIP
372 * @v crypto TKIP cryptosystem
373 * @v iob I/O buffer containing cleartext packet
374 * @ret eiob I/O buffer containing encrypted packet
376 static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
377 struct io_buffer *iob )
379 struct tkip_ctx *ctx = crypto->priv;
380 struct ieee80211_frame *hdr = iob->data;
381 struct io_buffer *eiob;
382 struct arc4_ctx arc4;
384 struct tkip_head head;
387 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
388 int datalen = iob_len ( iob ) - hdrlen;
391 if ( ctx->enc.tsc_lo == 0 ) {
393 ctx->enc.ttak_ok = 0;
396 tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
397 tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
399 eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
403 /* Copy frame header */
404 memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
406 hdr->fc |= IEEE80211_FC_PROTECTED;
408 /* Fill in IV and key ID byte, and extended IV */
409 memcpy ( &head, key, 3 );
410 head.kid = 0x20; /* have Extended IV, key ID 0 */
411 head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
412 memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
414 /* Copy and encrypt the data */
415 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
416 cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
417 iob_put ( eiob, datalen ), datalen );
421 tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
422 iob->data + hdrlen, datalen, mic );
423 cipher_encrypt ( &arc4_algorithm, &arc4, mic,
424 iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
427 icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
428 icv = crc32_le ( icv, mic, sizeof ( mic ) );
429 icv = cpu_to_le32 ( ~icv );
430 cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
431 iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
433 DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
440 * Decrypt a packet using TKIP
442 * @v crypto TKIP cryptosystem
443 * @v eiob I/O buffer containing encrypted packet
444 * @ret iob I/O buffer containing cleartext packet
446 static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
447 struct io_buffer *eiob )
449 struct tkip_ctx *ctx = crypto->priv;
450 struct ieee80211_frame *hdr;
451 struct io_buffer *iob;
452 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
453 int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
454 struct tkip_head *head;
455 struct arc4_ctx arc4;
461 iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
465 /* Copy frame header */
466 memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
468 hdr->fc &= ~IEEE80211_FC_PROTECTED;
470 /* Check and update TSC */
471 head = eiob->data + hdrlen;
472 rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
474 if ( head->tsc_hi < ctx->dec.tsc_hi ||
475 ( head->tsc_hi == ctx->dec.tsc_hi &&
476 rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
477 DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
478 "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
479 rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
483 ctx->dec.tsc_lo = rx_tsc_lo;
484 if ( ctx->dec.tsc_hi != head->tsc_hi ) {
485 ctx->dec.ttak_ok = 0;
486 ctx->dec.tsc_hi = head->tsc_hi;
490 tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
491 tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
493 /* Copy-decrypt data, MIC, ICV */
494 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
495 cipher_decrypt ( &arc4_algorithm, &arc4,
496 eiob->data + hdrlen + TKIP_HEAD_LEN,
497 iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
500 icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
501 crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
503 DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
510 tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
511 iob->data + hdrlen, datalen, mic );
512 if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
513 DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
514 /* XXX we should do the countermeasures here */
519 DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
525 /** TKIP cryptosystem */
526 struct net80211_crypto tkip_crypto __net80211_crypto = {
527 .algorithm = NET80211_CRYPT_TKIP,
529 .encrypt = tkip_encrypt,
530 .decrypt = tkip_decrypt,
531 .priv_len = sizeof ( struct tkip_ctx ),
538 * Calculate HMAC-MD5 MIC for EAPOL-Key frame
540 * @v kck Key Confirmation Key, 16 bytes
541 * @v msg Message to calculate MIC over
542 * @v len Number of bytes to calculate MIC over
543 * @ret mic Calculated MIC, 16 bytes long
545 static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
548 uint8_t ctx[MD5_CTX_SIZE];
552 memcpy ( kckb, kck, kck_len );
554 hmac_init ( &md5_algorithm, ctx, kckb, &kck_len );
555 hmac_update ( &md5_algorithm, ctx, msg, len );
556 hmac_final ( &md5_algorithm, ctx, kckb, &kck_len, mic );
560 * Decrypt key data in EAPOL-Key frame
562 * @v kek Key Encryption Key, 16 bytes
563 * @v iv Initialisation vector, 16 bytes
564 * @v msg Message to decrypt
565 * @v len Length of message
566 * @ret msg Decrypted message in place of original
568 * @ret rc Always 0 for success
570 static int tkip_kie_decrypt ( const void *kek, const void *iv,
571 void *msg, u16 *len )
574 memcpy ( key, iv, 16 );
575 memcpy ( key + 16, kek, 16 );
577 arc4_skip ( key, 32, 256, msg, msg, *len );
583 /** TKIP-style key integrity and encryption handler */
584 struct wpa_kie tkip_kie __wpa_kie = {
585 .version = EAPOL_KEY_VERSION_WPA,
587 .decrypt = tkip_kie_decrypt,