wpa_tkip.c

Go to the documentation of this file.
00001 /*
00002  * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
00017  */
00018 
00019 FILE_LICENCE ( GPL2_OR_LATER );
00020 
00021 #include <gpxe/net80211.h>
00022 #include <gpxe/crypto.h>
00023 #include <gpxe/hmac.h>
00024 #include <gpxe/sha1.h>
00025 #include <gpxe/md5.h>
00026 #include <gpxe/crc32.h>
00027 #include <gpxe/arc4.h>
00028 #include <gpxe/wpa.h>
00029 #include <byteswap.h>
00030 #include <errno.h>
00031 
00032 /** @file
00033  *
00034  * Backend for WPA using the TKIP encryption standard.
00035  */
00036 
00037 /** Context for one direction of TKIP, either encryption or decryption */
00038 struct tkip_dir_ctx
00039 {
00040         /** High 32 bits of last sequence counter value used */
00041         u32 tsc_hi;
00042 
00043         /** Low 32 bits of last sequence counter value used */
00044         u16 tsc_lo;
00045 
00046         /** MAC address used to derive TTAK */
00047         u8 mac[ETH_ALEN];
00048 
00049         /** If TRUE, TTAK is valid */
00050         u16 ttak_ok;
00051 
00052         /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
00053         u16 ttak[5];
00054 };
00055 
00056 /** Context for TKIP encryption and decryption */
00057 struct tkip_ctx
00058 {
00059         /** Temporal key to use */
00060         struct tkip_tk tk;
00061 
00062         /** State for encryption */
00063         struct tkip_dir_ctx enc;
00064 
00065         /** State for decryption */
00066         struct tkip_dir_ctx dec;
00067 };
00068 
00069 /** Header structure at the beginning of TKIP frame data */
00070 struct tkip_head
00071 {
00072         u8 tsc1;                /**< High byte of low 16 bits of TSC */
00073         u8 seed1;               /**< Second byte of WEP seed */
00074         u8 tsc0;                /**< Low byte of TSC */
00075         u8 kid;                 /**< Key ID and ExtIV byte */
00076         u32 tsc_hi;             /**< High 32 bits of TSC, as an ExtIV */
00077 } __attribute__ (( packed ));
00078 
00079 
00080 /** TKIP header overhead (IV + KID + ExtIV) */
00081 #define TKIP_HEAD_LEN   8
00082 
00083 /** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
00084 #define TKIP_FOOT_LEN   12
00085 
00086 /** TKIP MIC length */
00087 #define TKIP_MIC_LEN    8
00088 
00089 /** TKIP ICV length */
00090 #define TKIP_ICV_LEN    4
00091 
00092 
00093 /** TKIP S-box */
00094 static const u16 Sbox[256] = {
00095         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
00096         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
00097         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
00098         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
00099         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
00100         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
00101         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
00102         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
00103         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
00104         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
00105         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
00106         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
00107         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
00108         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
00109         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
00110         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
00111         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
00112         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
00113         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
00114         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
00115         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
00116         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
00117         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
00118         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
00119         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
00120         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
00121         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
00122         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
00123         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
00124         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
00125         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
00126         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
00127 };
00128 
00129 /**
00130  * Perform S-box mapping on a 16-bit value
00131  *
00132  * @v v         Value to perform S-box mapping on
00133  * @ret Sv      S-box mapped value
00134  */
00135 static inline u16 S ( u16 v )
00136 {
00137         return Sbox[v & 0xFF] ^ swap16 ( Sbox[v >> 8] );
00138 }
00139 
00140 /**
00141  * Rotate 16-bit value right
00142  *
00143  * @v v         Value to rotate
00144  * @v bits      Number of bits to rotate by
00145  * @ret rotv    Rotated value
00146  */
00147 static inline u16 ror16 ( u16 v, int bits )
00148 {
00149         return ( v >> bits ) | ( v << ( 16 - bits ) );
00150 }
00151 
00152 /**
00153  * Rotate 32-bit value right
00154  *
00155  * @v v         Value to rotate
00156  * @v bits      Number of bits to rotate by
00157  * @ret rotv    Rotated value
00158  */
00159 static inline u32 ror32 ( u32 v, int bits )
00160 {
00161         return ( v >> bits ) | ( v << ( 32 - bits ) );
00162 }
00163 
00164 /**
00165  * Rotate 32-bit value left
00166  *
00167  * @v v         Value to rotate
00168  * @v bits      Number of bits to rotate by
00169  * @ret rotv    Rotated value
00170  */
00171 static inline u32 rol32 ( u32 v, int bits )
00172 {
00173         return ( v << bits ) | ( v >> ( 32 - bits ) );
00174 }
00175 
00176 
00177 /**
00178  * Initialise TKIP state and install key
00179  *
00180  * @v crypto    TKIP cryptosystem structure
00181  * @v key       Pointer to tkip_tk to install
00182  * @v keylen    Length of key (32 bytes)
00183  * @v rsc       Initial receive sequence counter
00184  */
00185 static int tkip_init ( struct net80211_crypto *crypto, const void *key,
00186                        int keylen, const void *rsc )
00187 {
00188         struct tkip_ctx *ctx = crypto->priv;
00189         const u8 *rscb = rsc;
00190 
00191         if ( keylen != sizeof ( ctx->tk ) )
00192                 return -EINVAL;
00193 
00194         if ( rscb ) {
00195                 ctx->dec.tsc_lo =   ( rscb[1] <<  8 ) |   rscb[0];
00196                 ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
00197                                     ( rscb[3] <<  8 ) |   rscb[2] );
00198         }
00199 
00200         memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
00201 
00202         return 0;
00203 }
00204 
00205 /**
00206  * Perform TKIP key mixing, phase 1
00207  *
00208  * @v dctx      TKIP directional context
00209  * @v tk        TKIP temporal key
00210  * @v mac       MAC address of transmitter
00211  *
00212  * This recomputes the TTAK in @a dctx if necessary, and sets
00213  * @c dctx->ttak_ok.
00214  */
00215 static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
00216 {
00217         int i, j;
00218 
00219         if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
00220                 return;
00221 
00222         memcpy ( dctx->mac, mac, ETH_ALEN );
00223 
00224         dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
00225         dctx->ttak[1] = dctx->tsc_hi >> 16;
00226         dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
00227         dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
00228         dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
00229 
00230         for ( i = 0; i < 8; i++ ) {
00231                 j = 2 * ( i & 1 );
00232 
00233                 dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
00234                                                          tk->key[0 + j] ) );
00235                 dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
00236                                                          tk->key[4 + j] ) );
00237                 dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
00238                                                          tk->key[8 + j] ) );
00239                 dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
00240                                                          tk->key[12+ j] ) );
00241                 dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
00242                                                          tk->key[0 + j] ) ) + i;
00243         }
00244 
00245         dctx->ttak_ok = 1;
00246 }
00247 
00248 /**
00249  * Perform TKIP key mixing, phase 2
00250  *
00251  * @v dctx      TKIP directional context
00252  * @v tk        TKIP temporal key
00253  * @ret key     ARC4 key, 16 bytes long
00254  */
00255 static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
00256                          void *key )
00257 {
00258         u8 *kb = key;
00259         u16 ppk[6];
00260         int i;
00261 
00262         memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
00263         ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
00264 
00265         ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
00266         ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
00267         ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
00268         ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
00269         ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
00270         ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
00271 
00272         ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
00273         ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
00274         ppk[2] += ror16 ( ppk[1], 1 );
00275         ppk[3] += ror16 ( ppk[2], 1 );
00276         ppk[4] += ror16 ( ppk[3], 1 );
00277         ppk[5] += ror16 ( ppk[4], 1 );
00278 
00279         kb[0] = dctx->tsc_lo >> 8;
00280         kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
00281         kb[2] = dctx->tsc_lo & 0xFF;
00282         kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
00283                 & 0xFF;
00284 
00285         for ( i = 0; i < 6; i++ ) {
00286                 kb[4 + 2*i] = ppk[i] & 0xFF;
00287                 kb[5 + 2*i] = ppk[i] >> 8;
00288         }
00289 }
00290 
00291 /**
00292  * Update Michael message integrity code based on next 32-bit word of data
00293  *
00294  * @v V         Michael code state (two 32-bit words)
00295  * @v word      Next 32-bit word of data
00296  */
00297 static void tkip_feed_michael ( u32 *V, u32 word )
00298 {
00299         V[0] ^= word;
00300         V[1] ^= rol32 ( V[0], 17 );
00301         V[0] += V[1];
00302         V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
00303         V[0] += V[1];
00304         V[1] ^= rol32 ( V[0], 3 );
00305         V[0] += V[1];
00306         V[1] ^= ror32 ( V[0], 2 );
00307         V[0] += V[1];
00308 }
00309 
00310 /**
00311  * Calculate Michael message integrity code
00312  *
00313  * @v key       MIC key to use (8 bytes)
00314  * @v da        Destination link-layer address
00315  * @v sa        Source link-layer address
00316  * @v data      Start of data to calculate over
00317  * @v len       Length of header + data
00318  * @ret mic     Calculated Michael MIC (8 bytes)
00319  */
00320 static void tkip_michael ( const void *key, const void *da, const void *sa,
00321                            const void *data, size_t len, void *mic )
00322 {
00323         u32 V[2];               /* V[0] = "l", V[1] = "r" in 802.11 */
00324         union {
00325                 u8 byte[12];
00326                 u32 word[3];
00327         } cap;
00328         const u8 *ptr = data;
00329         const u8 *end = ptr + len;
00330         int i;
00331 
00332         memcpy ( V, key, sizeof ( V ) );
00333         V[0] = le32_to_cpu ( V[0] );
00334         V[1] = le32_to_cpu ( V[1] );
00335 
00336         /* Feed in header (we assume non-QoS, so Priority = 0) */
00337         memcpy ( &cap.byte[0], da, ETH_ALEN );
00338         memcpy ( &cap.byte[6], sa, ETH_ALEN );
00339         tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
00340         tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
00341         tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
00342         tkip_feed_michael ( V, 0 );
00343 
00344         /* Feed in data */
00345         while ( ptr + 4 <= end ) {
00346                 tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
00347                 ptr += 4;
00348         }
00349 
00350         /* Add unaligned part and padding */
00351         for ( i = 0; ptr < end; i++ )
00352                 cap.byte[i] = *ptr++;
00353         cap.byte[i++] = 0x5a;
00354         for ( ; i < 8; i++ )
00355                 cap.byte[i] = 0;
00356 
00357         /* Feed in padding */
00358         tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
00359         tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
00360 
00361         /* Output MIC */
00362         V[0] = cpu_to_le32 ( V[0] );
00363         V[1] = cpu_to_le32 ( V[1] );
00364         memcpy ( mic, V, sizeof ( V ) );
00365 }
00366 
00367 /**
00368  * Encrypt a packet using TKIP
00369  *
00370  * @v crypto    TKIP cryptosystem
00371  * @v iob       I/O buffer containing cleartext packet
00372  * @ret eiob    I/O buffer containing encrypted packet
00373  */
00374 static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
00375                                          struct io_buffer *iob )
00376 {
00377         struct tkip_ctx *ctx = crypto->priv;
00378         struct ieee80211_frame *hdr = iob->data;
00379         struct io_buffer *eiob;
00380         struct arc4_ctx arc4;
00381         u8 key[16];
00382         struct tkip_head head;
00383         u8 mic[8];
00384         u32 icv;
00385         const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
00386         int datalen = iob_len ( iob ) - hdrlen;
00387 
00388         ctx->enc.tsc_lo++;
00389         if ( ctx->enc.tsc_lo == 0 ) {
00390                 ctx->enc.tsc_hi++;
00391                 ctx->enc.ttak_ok = 0;
00392         }
00393 
00394         tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
00395         tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
00396 
00397         eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
00398         if ( ! eiob )
00399                 return NULL;
00400 
00401         /* Copy frame header */
00402         memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
00403         hdr = eiob->data;
00404         hdr->fc |= IEEE80211_FC_PROTECTED;
00405 
00406         /* Fill in IV and key ID byte, and extended IV */
00407         memcpy ( &head, key, 3 );
00408         head.kid = 0x20;                /* have Extended IV, key ID 0 */
00409         head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
00410         memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
00411 
00412         /* Copy and encrypt the data */
00413         cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
00414         cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
00415                          iob_put ( eiob, datalen ), datalen );
00416 
00417         /* Add MIC */
00418         hdr = iob->data;
00419         tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
00420                        iob->data + hdrlen, datalen, mic );
00421         cipher_encrypt ( &arc4_algorithm, &arc4, mic,
00422                          iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
00423 
00424         /* Add ICV */
00425         icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
00426         icv = crc32_le ( icv, mic, sizeof ( mic ) );
00427         icv = cpu_to_le32 ( ~icv );
00428         cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
00429                          iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
00430 
00431         DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
00432                 iob, eiob );
00433 
00434         return eiob;
00435 }
00436 
00437 /**
00438  * Decrypt a packet using TKIP
00439  *
00440  * @v crypto    TKIP cryptosystem
00441  * @v eiob      I/O buffer containing encrypted packet
00442  * @ret iob     I/O buffer containing cleartext packet
00443  */
00444 static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
00445                                          struct io_buffer *eiob )
00446 {
00447         struct tkip_ctx *ctx = crypto->priv;
00448         struct ieee80211_frame *hdr;
00449         struct io_buffer *iob;
00450         const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
00451         int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
00452         struct tkip_head *head;
00453         struct arc4_ctx arc4;
00454         u16 rx_tsc_lo;
00455         u8 key[16];
00456         u8 mic[8];
00457         u32 icv, crc;
00458 
00459         iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
00460         if ( ! iob )
00461                 return NULL;
00462 
00463         /* Copy frame header */
00464         memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
00465         hdr = iob->data;
00466         hdr->fc &= ~IEEE80211_FC_PROTECTED;
00467 
00468         /* Check and update TSC */
00469         head = eiob->data + hdrlen;
00470         rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
00471 
00472         if ( head->tsc_hi < ctx->dec.tsc_hi ||
00473              ( head->tsc_hi == ctx->dec.tsc_hi &&
00474                rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
00475                 DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
00476                        "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
00477                        rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
00478                 free_iob ( iob );
00479                 return NULL;
00480         }
00481         ctx->dec.tsc_lo = rx_tsc_lo;
00482         if ( ctx->dec.tsc_hi != head->tsc_hi ) {
00483                 ctx->dec.ttak_ok = 0;
00484                 ctx->dec.tsc_hi = head->tsc_hi;
00485         }
00486 
00487         /* Calculate key */
00488         tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
00489         tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
00490 
00491         /* Copy-decrypt data, MIC, ICV */
00492         cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
00493         cipher_decrypt ( &arc4_algorithm, &arc4,
00494                          eiob->data + hdrlen + TKIP_HEAD_LEN,
00495                          iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
00496 
00497         /* Check ICV */
00498         icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
00499         crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
00500         if ( crc != icv ) {
00501                 DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
00502                        ctx, icv, crc );
00503                 free_iob ( iob );
00504                 return NULL;
00505         }
00506 
00507         /* Check MIC */
00508         tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
00509                        iob->data + hdrlen, datalen, mic );
00510         if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
00511                 DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
00512                 /* XXX we should do the countermeasures here */
00513                 free_iob ( iob );
00514                 return NULL;
00515         }
00516 
00517         DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
00518                 eiob, iob );
00519 
00520         return iob;
00521 }
00522 
00523 /** TKIP cryptosystem */
00524 struct net80211_crypto tkip_crypto __net80211_crypto = {
00525         .algorithm = NET80211_CRYPT_TKIP,
00526         .init = tkip_init,
00527         .encrypt = tkip_encrypt,
00528         .decrypt = tkip_decrypt,
00529         .priv_len = sizeof ( struct tkip_ctx ),
00530 };
00531 
00532 
00533 
00534 
00535 /**
00536  * Calculate HMAC-MD5 MIC for EAPOL-Key frame
00537  *
00538  * @v kck       Key Confirmation Key, 16 bytes
00539  * @v msg       Message to calculate MIC over
00540  * @v len       Number of bytes to calculate MIC over
00541  * @ret mic     Calculated MIC, 16 bytes long
00542  */
00543 static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
00544                            void *mic )
00545 {
00546         struct md5_ctx md5;
00547         u8 kckb[16];
00548         size_t kck_len = 16;
00549 
00550         memcpy ( kckb, kck, kck_len );
00551 
00552         hmac_init ( &md5_algorithm, &md5, kckb, &kck_len );
00553         hmac_update ( &md5_algorithm, &md5, msg, len );
00554         hmac_final ( &md5_algorithm, &md5, kckb, &kck_len, mic );
00555 }
00556 
00557 /**
00558  * Decrypt key data in EAPOL-Key frame
00559  *
00560  * @v kek       Key Encryption Key, 16 bytes
00561  * @v iv        Initialisation vector, 16 bytes
00562  * @v msg       Message to decrypt
00563  * @v len       Length of message
00564  * @ret msg     Decrypted message in place of original
00565  * @ret len     Unchanged
00566  * @ret rc      Always 0 for success
00567  */
00568 static int tkip_kie_decrypt ( const void *kek, const void *iv,
00569                               void *msg, u16 *len )
00570 {
00571         u8 key[32];
00572         memcpy ( key, iv, 16 );
00573         memcpy ( key + 16, kek, 16 );
00574 
00575         arc4_skip ( key, 32, 256, msg, msg, *len );
00576 
00577         return 0;
00578 }
00579 
00580 
00581 /** TKIP-style key integrity and encryption handler */
00582 struct wpa_kie tkip_kie __wpa_kie = {
00583         .version = EAPOL_KEY_VERSION_WPA,
00584         .mic = tkip_kie_mic,
00585         .decrypt = tkip_kie_decrypt,
00586 };