1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (c) 2001 Atsushi Onoe 8 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of the author may not be used to endorse or promote products 20 * derived from this software without specific prior written permission. 21 * 22 * Alternatively, this software may be distributed under the terms of the 23 * GNU General Public License ("GPL") version 2 as published by the Free 24 * Software Foundation. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 /* 39 * IEEE 802.11i TKIP crypto support. 40 * 41 * Part of this module is derived from similar code in the Host 42 * AP driver. The code is used with the consent of the author and 43 * it's license is included below. 44 */ 45 46 #pragma ident "%Z%%M% %I% %E% SMI" 47 48 #include <sys/byteorder.h> 49 #include <sys/crypto/common.h> 50 #include <sys/crypto/api.h> 51 #include <sys/crc32.h> 52 #include <sys/random.h> 53 #include "net80211_impl.h" 54 55 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 56 static void tkip_detach(struct ieee80211_key *); 57 static int tkip_setkey(struct ieee80211_key *); 58 static int tkip_encap(struct ieee80211_key *, mblk_t *, uint8_t); 59 static int tkip_decap(struct ieee80211_key *, mblk_t *, int); 60 static int tkip_enmic(struct ieee80211_key *, mblk_t *, int); 61 static int tkip_demic(struct ieee80211_key *, mblk_t *, int); 62 63 const struct ieee80211_cipher tkip = { 64 "TKIP", 65 IEEE80211_CIPHER_TKIP, 66 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 67 IEEE80211_WEP_EXTIVLEN, 68 IEEE80211_WEP_CRCLEN, 69 IEEE80211_WEP_MICLEN, 70 tkip_attach, 71 tkip_detach, 72 tkip_setkey, 73 tkip_encap, 74 tkip_decap, 75 tkip_enmic, 76 tkip_demic, 77 }; 78 79 struct tkip_ctx { 80 struct ieee80211com *tc_ic; /* for diagnostics */ 81 uint16_t tx_ttak[5]; 82 int tx_phase1_done; 83 uint8_t tx_rc4key[16]; 84 uint16_t rx_ttak[5]; 85 int rx_phase1_done; 86 uint8_t rx_rc4key[16]; 87 uint64_t rx_rsc; /* held until MIC verified */ 88 }; 89 90 static void michael_mic(struct tkip_ctx *, const uint8_t *, 91 mblk_t *, uint_t, size_t, uint8_t[]); 92 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 93 mblk_t *, int); 94 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 95 mblk_t *, int); 96 97 extern int rc4_init(crypto_context_t *, const uint8_t *, int); 98 extern int rc4_crypt(crypto_context_t, const uint8_t *, uint8_t *, int); 99 extern int rc4_final(crypto_context_t, uint8_t *, int); 100 101 /* ARGSUSED */ 102 static void * 103 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 104 { 105 struct tkip_ctx *ctx; 106 107 ctx = kmem_zalloc(sizeof (struct tkip_ctx), KM_SLEEP); 108 if (ctx == NULL) 109 return (NULL); 110 111 ctx->tc_ic = ic; 112 return (ctx); 113 } 114 115 static void 116 tkip_detach(struct ieee80211_key *k) 117 { 118 struct tkip_ctx *ctx = k->wk_private; 119 120 if (ctx != NULL) 121 kmem_free(ctx, sizeof (struct tkip_ctx)); 122 } 123 124 static int 125 tkip_setkey(struct ieee80211_key *k) 126 { 127 if (k->wk_keylen != (128/NBBY)) 128 return (0); 129 130 k->wk_keytsc = 1; /* TSC starts at 1 */ 131 return (1); 132 } 133 134 /* 135 * Add privacy headers appropriate for the specified key. 136 */ 137 static int 138 tkip_encap(struct ieee80211_key *k, mblk_t *mp, uint8_t keyid) 139 { 140 struct tkip_ctx *ctx = k->wk_private; 141 struct ieee80211com *ic = ctx->tc_ic; 142 uint8_t *ivp; 143 int hdrlen; 144 145 /* 146 * Handle TKIP counter measures requirement. 147 */ 148 if (ic->ic_flags & IEEE80211_F_COUNTERM) 149 return (0); 150 151 hdrlen = ieee80211_hdrspace(mp->b_rptr); 152 /* 153 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 154 */ 155 ivp = mp->b_rptr; 156 ivp += hdrlen; 157 158 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 159 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 160 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 161 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 162 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 163 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 164 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 165 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 166 167 /* 168 * Finally, do software encrypt if neeed. 169 */ 170 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 171 if (!tkip_encrypt(ctx, k, mp, hdrlen)) 172 return (0); 173 } else 174 k->wk_keytsc++; /* wrap at 48 bits */ 175 176 return (1); 177 } 178 179 uint64_t 180 ieee80211_read_6(uint8_t b0, uint8_t b1, uint8_t b2, 181 uint8_t b3, uint8_t b4, uint8_t b5) 182 { 183 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 184 uint16_t iv16 = (b4 << 0) | (b5 << 8); 185 return ((((uint64_t)iv16) << 32) | iv32); 186 } 187 188 /* 189 * Validate and strip privacy headers (and trailer) for a 190 * received frame. If necessary, decrypt the frame using 191 * the specified key. 192 */ 193 static int 194 tkip_decap(struct ieee80211_key *k, mblk_t *mp, int hdrlen) 195 { 196 struct tkip_ctx *ctx = k->wk_private; 197 struct ieee80211com *ic = ctx->tc_ic; 198 struct ieee80211_frame tmp; 199 uint8_t *ivp; 200 uint64_t pn; 201 202 /* 203 * Header should have extended IV and sequence number; 204 * verify the former and validate the latter. 205 */ 206 ivp = mp->b_rptr + hdrlen; 207 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 208 /* 209 * No extended IV; discard frame. 210 */ 211 return (0); 212 } 213 /* 214 * Handle TKIP counter measures requirement. 215 */ 216 if (ic->ic_flags & IEEE80211_F_COUNTERM) 217 return (0); 218 219 /* NB: assume IEEEE80211_WEP_MINLEN covers the extended IV */ 220 pn = ieee80211_read_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 221 ctx->rx_rsc = pn; 222 if (ctx->rx_rsc <= k->wk_keyrsc) 223 return (0); 224 /* 225 * NB: We can't update the rsc in the key until MIC is verified. 226 * 227 * We assume we are not preempted between doing the check above 228 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 229 * Otherwise we might process another packet and discard it as 230 * a replay. 231 */ 232 233 /* 234 * Check if the device handled the decrypt in hardware. 235 * If so we just strip the header; otherwise we need to 236 * handle the decrypt in software. 237 */ 238 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 239 if (!tkip_decrypt(ctx, k, mp, hdrlen)) 240 return (0); 241 } 242 243 /* 244 * Copy up 802.11 header and strip crypto bits. 245 */ 246 bcopy(mp->b_rptr, &tmp, hdrlen); 247 bcopy(&tmp, mp->b_rptr + tkip.ic_header, hdrlen); 248 mp->b_rptr += tkip.ic_header; 249 mp->b_wptr -= tkip.ic_trailer; 250 251 return (1); 252 } 253 254 /* 255 * Add MIC to the frame as needed. 256 */ 257 static int 258 tkip_enmic(struct ieee80211_key *k, mblk_t *mp, int force) 259 { 260 struct tkip_ctx *ctx = k->wk_private; 261 262 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 263 int hdrlen; 264 uint8_t *mic; 265 266 hdrlen = ieee80211_hdrspace(mp->b_rptr); 267 mic = mp->b_wptr; 268 mp->b_wptr += tkip.ic_miclen; 269 270 if ((int)((mp->b_wptr - mp->b_rptr) 271 - (hdrlen + tkip.ic_header + tkip.ic_miclen)) < 0) 272 return (0); /* dead packet */ 273 274 michael_mic(ctx, k->wk_txmic, mp, (hdrlen + tkip.ic_header), 275 (mp->b_wptr - mp->b_rptr) 276 - (hdrlen + tkip.ic_header + tkip.ic_miclen), mic); 277 } 278 return (1); 279 } 280 281 /* 282 * Verify and strip MIC from the frame. 283 */ 284 /* ARGSUSED */ 285 static int 286 tkip_demic(struct ieee80211_key *k, mblk_t *mp, int force) 287 { 288 struct tkip_ctx *ctx = k->wk_private; 289 290 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 291 int hdrlen = ieee80211_hdrspace(mp->b_rptr); 292 uint8_t mic[IEEE80211_WEP_MICLEN]; 293 uint8_t mic0[IEEE80211_WEP_MICLEN]; 294 295 michael_mic(ctx, k->wk_rxmic, 296 mp, hdrlen, 297 (mp->b_wptr - mp->b_rptr) - (hdrlen + tkip.ic_miclen), 298 mic); 299 bcopy(mp->b_wptr - tkip.ic_miclen, mic0, tkip.ic_miclen); 300 if (bcmp(mic, mic0, tkip.ic_miclen)) { 301 ieee80211_dbg(IEEE80211_MSG_CRYPTO, 302 "tkip_demic() mic mismatch\n"); 303 return (0); 304 } 305 } 306 /* 307 * Strip MIC from the tail. 308 */ 309 mp->b_wptr -= tkip.ic_miclen; 310 /* 311 * Ok to update rsc now that MIC has been verified. 312 */ 313 k->wk_keyrsc = ctx->rx_rsc; 314 return (1); 315 } 316 317 /* 318 * For the avoidance of doubt, except that if any license choice other 319 * than GPL or LGPL is available it will apply instead, Sun elects to 320 * use only the General Public License version 2 (GPLv2) at this time 321 * for any software where a choice of GPL license versions is made 322 * available with the language indicating that GPLv2 or any later 323 * version may be used, or where a choice of which version of the GPL 324 * is applied is otherwise unspecified. 325 */ 326 327 /* 328 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 329 * 330 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 331 * 332 * This program is free software; you can redistribute it and/or modify 333 * it under the terms of the GNU General Public License version 2 as 334 * published by the Free Software Foundation. See README and COPYING for 335 * more details. 336 * 337 * Alternatively, this software may be distributed under the terms of BSD 338 * license. 339 */ 340 341 /* Table of CRCs of all 8-bit messages */ 342 static uint32_t crc_table[] = { CRC32_TABLE }; 343 344 static uint16_t 345 RotR1(uint16_t val) 346 { 347 return ((val >> 1) | (val << 15)); 348 } 349 350 static uint8_t 351 Lo8(uint16_t val) 352 { 353 return (val & 0xff); 354 } 355 356 static uint8_t 357 Hi8(uint16_t val) 358 { 359 return (val >> 8); 360 } 361 362 static uint16_t 363 Lo16(uint32_t val) 364 { 365 return (val & 0xffff); 366 } 367 368 static uint16_t 369 Hi16(uint32_t val) 370 { 371 return (val >> 16); 372 } 373 374 static uint16_t 375 Mk16(uint8_t hi, uint8_t lo) 376 { 377 return (lo | (((uint16_t)hi) << 8)); 378 } 379 380 static uint16_t 381 Mk16_le(const uint16_t *v) 382 { 383 return (LE_16(*v)); 384 } 385 386 static const uint16_t Sbox[256] = { 387 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 388 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 389 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 390 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 391 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 392 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 393 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 394 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 395 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 396 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 397 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 398 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 399 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 400 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 401 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 402 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 403 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 404 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 405 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 406 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 407 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 408 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 409 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 410 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 411 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 412 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 413 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 414 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 415 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 416 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 417 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 418 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 419 }; 420 421 static uint16_t 422 _S_(uint16_t v) 423 { 424 uint16_t t = Sbox[Hi8(v)]; 425 return (Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8))); 426 } 427 428 #define PHASE1_LOOP_COUNT 8 429 430 static void 431 tkip_mixing_phase1(uint16_t *TTAK, const uint8_t *TK, 432 const uint8_t *TA, uint32_t IV32) 433 { 434 int i, j; 435 436 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 437 TTAK[0] = Lo16(IV32); 438 TTAK[1] = Hi16(IV32); 439 TTAK[2] = Mk16(TA[1], TA[0]); 440 TTAK[3] = Mk16(TA[3], TA[2]); 441 TTAK[4] = Mk16(TA[5], TA[4]); 442 443 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 444 j = 2 * (i & 1); 445 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 446 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 447 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 448 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 449 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 450 } 451 } 452 453 static void 454 tkip_mixing_phase2(uint8_t *WEPSeed, const uint8_t *TK, 455 const uint16_t *TTAK, uint16_t IV16) 456 { 457 /* 458 * Make temporary area overlap WEP seed so that the final copy can be 459 * avoided on little endian hosts. 460 */ 461 uint16_t *PPK = (uint16_t *)&WEPSeed[4]; 462 463 /* Step 1 - make copy of TTAK and bring in TSC */ 464 PPK[0] = TTAK[0]; 465 PPK[1] = TTAK[1]; 466 PPK[2] = TTAK[2]; 467 PPK[3] = TTAK[3]; 468 PPK[4] = TTAK[4]; 469 PPK[5] = TTAK[4] + IV16; 470 471 /* Step 2 - 96-bit bijective mixing using S-box */ 472 PPK[0] += _S_(PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])); 473 PPK[1] += _S_(PPK[0] ^ Mk16_le((const uint16_t *) &TK[2])); 474 PPK[2] += _S_(PPK[1] ^ Mk16_le((const uint16_t *) &TK[4])); 475 PPK[3] += _S_(PPK[2] ^ Mk16_le((const uint16_t *) &TK[6])); 476 PPK[4] += _S_(PPK[3] ^ Mk16_le((const uint16_t *) &TK[8])); 477 PPK[5] += _S_(PPK[4] ^ Mk16_le((const uint16_t *) &TK[10])); 478 479 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const uint16_t *) &TK[12])); 480 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const uint16_t *) &TK[14])); 481 PPK[2] += RotR1(PPK[1]); 482 PPK[3] += RotR1(PPK[2]); 483 PPK[4] += RotR1(PPK[3]); 484 PPK[5] += RotR1(PPK[4]); 485 486 /* 487 * Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 488 * WEPSeed[0..2] is transmitted as WEP IV 489 */ 490 WEPSeed[0] = Hi8(IV16); 491 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 492 WEPSeed[2] = Lo8(IV16); 493 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])) >> 1); 494 } 495 496 static int 497 wep_encrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len, 498 uint8_t icv[IEEE80211_WEP_CRCLEN]) 499 { 500 uint8_t crcbuf[IEEE80211_WEP_CRCLEN]; 501 uint32_t crc; 502 crypto_context_t ctx; 503 int rv; 504 505 ctx = NULL; 506 rv = rc4_init(&ctx, (const uint8_t *)key, 16); 507 if (rv != CRYPTO_SUCCESS) 508 return (0); 509 510 /* calculate CRC over unencrypted data */ 511 CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table); 512 513 /* encrypt data */ 514 (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len); 515 516 /* tack on ICV */ 517 *(uint32_t *)crcbuf = LE_32(~crc); 518 (void) rc4_crypt(ctx, crcbuf, icv, IEEE80211_WEP_CRCLEN); 519 520 (void) rc4_final(ctx, icv, IEEE80211_WEP_CRCLEN); 521 522 return (1); 523 } 524 525 static int 526 wep_decrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len) 527 { 528 uint8_t crcbuf[IEEE80211_WEP_CRCLEN]; 529 uint8_t *icv; 530 uint32_t crc; 531 crypto_context_t ctx; 532 int rv; 533 534 ctx = NULL; 535 rv = rc4_init(&ctx, (const uint8_t *)key, 16); 536 if (rv != CRYPTO_SUCCESS) 537 return (0); 538 539 /* decrypt data */ 540 (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len); 541 542 /* calculate CRC over unencrypted data */ 543 CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table); 544 545 /* decrypt ICV and compare to CRC */ 546 icv = mp->b_wptr - IEEE80211_WEP_CRCLEN; 547 (void) rc4_crypt(ctx, icv, crcbuf, IEEE80211_WEP_CRCLEN); 548 (void) rc4_final(ctx, crcbuf, IEEE80211_WEP_CRCLEN); 549 550 return (crc == ~LE_32(*(uint32_t *)crcbuf)); 551 } 552 553 static uint32_t 554 rotl(uint32_t val, int bits) 555 { 556 return ((val << bits) | (val >> (32 - bits))); 557 } 558 559 560 static uint32_t 561 rotr(uint32_t val, int bits) 562 { 563 return ((val >> bits) | (val << (32 - bits))); 564 } 565 566 567 static uint32_t 568 xswap(uint32_t val) 569 { 570 return (((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8)); 571 } 572 573 574 #define michael_block(l, r) \ 575 do { \ 576 r ^= rotl(l, 17); \ 577 l += r; \ 578 r ^= xswap(l); \ 579 l += r; \ 580 r ^= rotl(l, 3); \ 581 l += r; \ 582 r ^= rotr(l, 2); \ 583 l += r; \ 584 _NOTE(CONSTANTCONDITION)\ 585 } while (0) 586 587 588 static uint32_t 589 get_le32_split(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) 590 { 591 return (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24)); 592 } 593 594 static uint32_t 595 get_le32(const uint8_t *p) 596 { 597 return (get_le32_split(p[0], p[1], p[2], p[3])); 598 } 599 600 601 static void 602 put_le32(uint8_t *p, uint32_t v) 603 { 604 p[0] = (uint8_t)v; 605 p[1] = v >> 8; 606 p[2] = v >> 16; 607 p[3] = v >> 24; 608 } 609 610 /* 611 * Craft pseudo header used to calculate the MIC. 612 */ 613 static void 614 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 615 { 616 const struct ieee80211_frame_addr4 *wh = 617 (const struct ieee80211_frame_addr4 *)wh0; 618 619 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 620 case IEEE80211_FC1_DIR_NODS: 621 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 622 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 623 break; 624 case IEEE80211_FC1_DIR_TODS: 625 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 626 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 627 break; 628 case IEEE80211_FC1_DIR_FROMDS: 629 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 630 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 631 break; 632 case IEEE80211_FC1_DIR_DSTODS: 633 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 634 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 635 break; 636 } 637 638 hdr[12] = 0; /* QoS not supported */ 639 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 640 } 641 642 /* ARGSUSED */ 643 static void 644 michael_mic(struct tkip_ctx *ctx, const uint8_t *key, 645 mblk_t *mp, uint_t off, size_t data_len, 646 uint8_t mic[IEEE80211_WEP_MICLEN]) 647 { 648 uint8_t hdr[16]; 649 uint32_t l, r; 650 const uint8_t *data; 651 int i, blocks, last; 652 653 michael_mic_hdr((struct ieee80211_frame *)mp->b_rptr, hdr); 654 655 l = get_le32(key); 656 r = get_le32(key + 4); 657 658 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 659 l ^= get_le32(hdr); 660 michael_block(l, r); 661 l ^= get_le32(&hdr[4]); 662 michael_block(l, r); 663 l ^= get_le32(&hdr[8]); 664 michael_block(l, r); 665 l ^= get_le32(&hdr[12]); 666 michael_block(l, r); 667 668 /* first buffer has special handling */ 669 data = mp->b_rptr + off; 670 671 blocks = data_len / 4; 672 last = data_len % 4; 673 674 for (i = 0; i < blocks; i++) { 675 l ^= get_le32(&data[4 * i]); 676 michael_block(l, r); 677 } 678 679 /* Last block and padding (0x5a, 4..7 x 0) */ 680 switch (last) { 681 case 0: 682 l ^= 0x5a; 683 break; 684 case 1: 685 l ^= data[4 * i] | 0x5a00; 686 break; 687 case 2: 688 l ^= data[4 * i] | (data[4 * i + 1] << 8) | 0x5a0000; 689 break; 690 case 3: 691 l ^= data[4 * i] | (data[4 * i + 1] << 8) | 692 (data[4 * i + 2] << 16) | 0x5a000000; 693 break; 694 } 695 michael_block(l, r); 696 /* l ^= 0; */ 697 michael_block(l, r); 698 699 put_le32(mic, l); 700 put_le32(mic + 4, r); 701 } 702 703 static int 704 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 705 mblk_t *mp, int hdrlen) 706 { 707 struct ieee80211_frame *wh; 708 uint8_t *icv; 709 710 wh = (struct ieee80211_frame *)mp->b_rptr; 711 if (!ctx->tx_phase1_done) { 712 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 713 (uint32_t)(key->wk_keytsc >> 16)); 714 ctx->tx_phase1_done = 1; 715 } 716 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 717 (uint16_t)key->wk_keytsc); 718 719 icv = mp->b_wptr; 720 mp->b_wptr += tkip.ic_trailer; 721 722 (void) wep_encrypt(ctx->tx_rc4key, 723 mp, hdrlen + tkip.ic_header, 724 (mp->b_wptr - mp->b_rptr) 725 - (hdrlen + tkip.ic_header + tkip.ic_trailer), 726 icv); 727 728 key->wk_keytsc++; 729 if ((uint16_t)(key->wk_keytsc) == 0) 730 ctx->tx_phase1_done = 0; 731 return (1); 732 } 733 734 static int 735 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 736 mblk_t *mp, int hdrlen) 737 { 738 struct ieee80211_frame *wh; 739 uint32_t iv32; 740 uint16_t iv16; 741 742 wh = (struct ieee80211_frame *)mp->b_rptr; 743 /* tkip_decap already verified header and left seq in rx_rsc */ 744 iv16 = (uint16_t)ctx->rx_rsc; 745 iv32 = (uint32_t)(ctx->rx_rsc >> 16); 746 747 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 748 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 749 wh->i_addr2, iv32); 750 ctx->rx_phase1_done = 0; /* DHCP */ 751 } 752 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 753 754 /* m is unstripped; deduct headers + ICV to get payload */ 755 if (!wep_decrypt(ctx->rx_rc4key, 756 mp, hdrlen + tkip.ic_header, 757 (mp->b_wptr - mp->b_rptr) 758 - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 759 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16)) { 760 /* 761 * Previously cached Phase1 result was already lost, so 762 * it needs to be recalculated for the next packet. 763 */ 764 ctx->rx_phase1_done = 0; 765 } 766 ieee80211_dbg(IEEE80211_MSG_CRYPTO, "tkip_decrypt() error\n"); 767 return (0); 768 } 769 return (1); 770 } 771