1 /*
2 * lib80211 crypt: host-based TKIP encryption implementation for lib80211
3 *
4 * Copyright (c) 2003-2004, Jouni Malinen <j@w1.fi>
5 * Copyright (c) 2008, John W. Linville <linville@tuxdriver.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. See README and COPYING for
10 * more details.
11 */
12
13 #include <linux/err.h>
14 #include <linux/module.h>
15 #include <linux/init.h>
16 #include <linux/slab.h>
17 #include <linux/random.h>
18 #include <linux/scatterlist.h>
19 #include <linux/skbuff.h>
20 #include <linux/netdevice.h>
21 #include <linux/mm.h>
22 #include <linux/if_ether.h>
23 #include <linux/if_arp.h>
24 #include <asm/string.h>
25
26 #include <linux/wireless.h>
27 #include <linux/ieee80211.h>
28 #include <net/iw_handler.h>
29
30 #include <linux/crypto.h>
31 #include <linux/crc32.h>
32
33 #include <net/lib80211.h>
34
35 MODULE_AUTHOR("Jouni Malinen");
36 MODULE_DESCRIPTION("lib80211 crypt: TKIP");
37 MODULE_LICENSE("GPL");
38
39 struct lib80211_tkip_data {
40 #define TKIP_KEY_LEN 32
41 u8 key[TKIP_KEY_LEN];
42 int key_set;
43
44 u32 tx_iv32;
45 u16 tx_iv16;
46 u16 tx_ttak[5];
47 int tx_phase1_done;
48
49 u32 rx_iv32;
50 u16 rx_iv16;
51 u16 rx_ttak[5];
52 int rx_phase1_done;
53 u32 rx_iv32_new;
54 u16 rx_iv16_new;
55
56 u32 dot11RSNAStatsTKIPReplays;
57 u32 dot11RSNAStatsTKIPICVErrors;
58 u32 dot11RSNAStatsTKIPLocalMICFailures;
59
60 int key_idx;
61
62 struct crypto_blkcipher *rx_tfm_arc4;
63 struct crypto_hash *rx_tfm_michael;
64 struct crypto_blkcipher *tx_tfm_arc4;
65 struct crypto_hash *tx_tfm_michael;
66
67 /* scratch buffers for virt_to_page() (crypto API) */
68 u8 rx_hdr[16], tx_hdr[16];
69
70 unsigned long flags;
71 };
72
lib80211_tkip_set_flags(unsigned long flags,void * priv)73 static unsigned long lib80211_tkip_set_flags(unsigned long flags, void *priv)
74 {
75 struct lib80211_tkip_data *_priv = priv;
76 unsigned long old_flags = _priv->flags;
77 _priv->flags = flags;
78 return old_flags;
79 }
80
lib80211_tkip_get_flags(void * priv)81 static unsigned long lib80211_tkip_get_flags(void *priv)
82 {
83 struct lib80211_tkip_data *_priv = priv;
84 return _priv->flags;
85 }
86
lib80211_tkip_init(int key_idx)87 static void *lib80211_tkip_init(int key_idx)
88 {
89 struct lib80211_tkip_data *priv;
90
91 priv = kzalloc(sizeof(*priv), GFP_ATOMIC);
92 if (priv == NULL)
93 goto fail;
94
95 priv->key_idx = key_idx;
96
97 priv->tx_tfm_arc4 = crypto_alloc_blkcipher("ecb(arc4)", 0,
98 CRYPTO_ALG_ASYNC);
99 if (IS_ERR(priv->tx_tfm_arc4)) {
100 printk(KERN_DEBUG "lib80211_crypt_tkip: could not allocate "
101 "crypto API arc4\n");
102 priv->tx_tfm_arc4 = NULL;
103 goto fail;
104 }
105
106 priv->tx_tfm_michael = crypto_alloc_hash("michael_mic", 0,
107 CRYPTO_ALG_ASYNC);
108 if (IS_ERR(priv->tx_tfm_michael)) {
109 printk(KERN_DEBUG "lib80211_crypt_tkip: could not allocate "
110 "crypto API michael_mic\n");
111 priv->tx_tfm_michael = NULL;
112 goto fail;
113 }
114
115 priv->rx_tfm_arc4 = crypto_alloc_blkcipher("ecb(arc4)", 0,
116 CRYPTO_ALG_ASYNC);
117 if (IS_ERR(priv->rx_tfm_arc4)) {
118 printk(KERN_DEBUG "lib80211_crypt_tkip: could not allocate "
119 "crypto API arc4\n");
120 priv->rx_tfm_arc4 = NULL;
121 goto fail;
122 }
123
124 priv->rx_tfm_michael = crypto_alloc_hash("michael_mic", 0,
125 CRYPTO_ALG_ASYNC);
126 if (IS_ERR(priv->rx_tfm_michael)) {
127 printk(KERN_DEBUG "lib80211_crypt_tkip: could not allocate "
128 "crypto API michael_mic\n");
129 priv->rx_tfm_michael = NULL;
130 goto fail;
131 }
132
133 return priv;
134
135 fail:
136 if (priv) {
137 if (priv->tx_tfm_michael)
138 crypto_free_hash(priv->tx_tfm_michael);
139 if (priv->tx_tfm_arc4)
140 crypto_free_blkcipher(priv->tx_tfm_arc4);
141 if (priv->rx_tfm_michael)
142 crypto_free_hash(priv->rx_tfm_michael);
143 if (priv->rx_tfm_arc4)
144 crypto_free_blkcipher(priv->rx_tfm_arc4);
145 kfree(priv);
146 }
147
148 return NULL;
149 }
150
lib80211_tkip_deinit(void * priv)151 static void lib80211_tkip_deinit(void *priv)
152 {
153 struct lib80211_tkip_data *_priv = priv;
154 if (_priv) {
155 if (_priv->tx_tfm_michael)
156 crypto_free_hash(_priv->tx_tfm_michael);
157 if (_priv->tx_tfm_arc4)
158 crypto_free_blkcipher(_priv->tx_tfm_arc4);
159 if (_priv->rx_tfm_michael)
160 crypto_free_hash(_priv->rx_tfm_michael);
161 if (_priv->rx_tfm_arc4)
162 crypto_free_blkcipher(_priv->rx_tfm_arc4);
163 }
164 kfree(priv);
165 }
166
RotR1(u16 val)167 static inline u16 RotR1(u16 val)
168 {
169 return (val >> 1) | (val << 15);
170 }
171
Lo8(u16 val)172 static inline u8 Lo8(u16 val)
173 {
174 return val & 0xff;
175 }
176
Hi8(u16 val)177 static inline u8 Hi8(u16 val)
178 {
179 return val >> 8;
180 }
181
Lo16(u32 val)182 static inline u16 Lo16(u32 val)
183 {
184 return val & 0xffff;
185 }
186
Hi16(u32 val)187 static inline u16 Hi16(u32 val)
188 {
189 return val >> 16;
190 }
191
Mk16(u8 hi,u8 lo)192 static inline u16 Mk16(u8 hi, u8 lo)
193 {
194 return lo | (((u16) hi) << 8);
195 }
196
Mk16_le(__le16 * v)197 static inline u16 Mk16_le(__le16 * v)
198 {
199 return le16_to_cpu(*v);
200 }
201
202 static const u16 Sbox[256] = {
203 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
204 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
205 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
206 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
207 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
208 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
209 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
210 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
211 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
212 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
213 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
214 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
215 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
216 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
217 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
218 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
219 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
220 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
221 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
222 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
223 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
224 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
225 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
226 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
227 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
228 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
229 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
230 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
231 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
232 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
233 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
234 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
235 };
236
_S_(u16 v)237 static inline u16 _S_(u16 v)
238 {
239 u16 t = Sbox[Hi8(v)];
240 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
241 }
242
243 #define PHASE1_LOOP_COUNT 8
244
tkip_mixing_phase1(u16 * TTAK,const u8 * TK,const u8 * TA,u32 IV32)245 static void tkip_mixing_phase1(u16 * TTAK, const u8 * TK, const u8 * TA,
246 u32 IV32)
247 {
248 int i, j;
249
250 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
251 TTAK[0] = Lo16(IV32);
252 TTAK[1] = Hi16(IV32);
253 TTAK[2] = Mk16(TA[1], TA[0]);
254 TTAK[3] = Mk16(TA[3], TA[2]);
255 TTAK[4] = Mk16(TA[5], TA[4]);
256
257 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
258 j = 2 * (i & 1);
259 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
260 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
261 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
262 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
263 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
264 }
265 }
266
tkip_mixing_phase2(u8 * WEPSeed,const u8 * TK,const u16 * TTAK,u16 IV16)267 static void tkip_mixing_phase2(u8 * WEPSeed, const u8 * TK, const u16 * TTAK,
268 u16 IV16)
269 {
270 /* Make temporary area overlap WEP seed so that the final copy can be
271 * avoided on little endian hosts. */
272 u16 *PPK = (u16 *) & WEPSeed[4];
273
274 /* Step 1 - make copy of TTAK and bring in TSC */
275 PPK[0] = TTAK[0];
276 PPK[1] = TTAK[1];
277 PPK[2] = TTAK[2];
278 PPK[3] = TTAK[3];
279 PPK[4] = TTAK[4];
280 PPK[5] = TTAK[4] + IV16;
281
282 /* Step 2 - 96-bit bijective mixing using S-box */
283 PPK[0] += _S_(PPK[5] ^ Mk16_le((__le16 *) & TK[0]));
284 PPK[1] += _S_(PPK[0] ^ Mk16_le((__le16 *) & TK[2]));
285 PPK[2] += _S_(PPK[1] ^ Mk16_le((__le16 *) & TK[4]));
286 PPK[3] += _S_(PPK[2] ^ Mk16_le((__le16 *) & TK[6]));
287 PPK[4] += _S_(PPK[3] ^ Mk16_le((__le16 *) & TK[8]));
288 PPK[5] += _S_(PPK[4] ^ Mk16_le((__le16 *) & TK[10]));
289
290 PPK[0] += RotR1(PPK[5] ^ Mk16_le((__le16 *) & TK[12]));
291 PPK[1] += RotR1(PPK[0] ^ Mk16_le((__le16 *) & TK[14]));
292 PPK[2] += RotR1(PPK[1]);
293 PPK[3] += RotR1(PPK[2]);
294 PPK[4] += RotR1(PPK[3]);
295 PPK[5] += RotR1(PPK[4]);
296
297 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
298 * WEPSeed[0..2] is transmitted as WEP IV */
299 WEPSeed[0] = Hi8(IV16);
300 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
301 WEPSeed[2] = Lo8(IV16);
302 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((__le16 *) & TK[0])) >> 1);
303
304 #ifdef __BIG_ENDIAN
305 {
306 int i;
307 for (i = 0; i < 6; i++)
308 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
309 }
310 #endif
311 }
312
lib80211_tkip_hdr(struct sk_buff * skb,int hdr_len,u8 * rc4key,int keylen,void * priv)313 static int lib80211_tkip_hdr(struct sk_buff *skb, int hdr_len,
314 u8 * rc4key, int keylen, void *priv)
315 {
316 struct lib80211_tkip_data *tkey = priv;
317 int len;
318 u8 *pos;
319 struct ieee80211_hdr *hdr;
320
321 hdr = (struct ieee80211_hdr *)skb->data;
322
323 if (skb_headroom(skb) < 8 || skb->len < hdr_len)
324 return -1;
325
326 if (rc4key == NULL || keylen < 16)
327 return -1;
328
329 if (!tkey->tx_phase1_done) {
330 tkip_mixing_phase1(tkey->tx_ttak, tkey->key, hdr->addr2,
331 tkey->tx_iv32);
332 tkey->tx_phase1_done = 1;
333 }
334 tkip_mixing_phase2(rc4key, tkey->key, tkey->tx_ttak, tkey->tx_iv16);
335
336 len = skb->len - hdr_len;
337 pos = skb_push(skb, 8);
338 memmove(pos, pos + 8, hdr_len);
339 pos += hdr_len;
340
341 *pos++ = *rc4key;
342 *pos++ = *(rc4key + 1);
343 *pos++ = *(rc4key + 2);
344 *pos++ = (tkey->key_idx << 6) | (1 << 5) /* Ext IV included */ ;
345 *pos++ = tkey->tx_iv32 & 0xff;
346 *pos++ = (tkey->tx_iv32 >> 8) & 0xff;
347 *pos++ = (tkey->tx_iv32 >> 16) & 0xff;
348 *pos++ = (tkey->tx_iv32 >> 24) & 0xff;
349
350 tkey->tx_iv16++;
351 if (tkey->tx_iv16 == 0) {
352 tkey->tx_phase1_done = 0;
353 tkey->tx_iv32++;
354 }
355
356 return 8;
357 }
358
lib80211_tkip_encrypt(struct sk_buff * skb,int hdr_len,void * priv)359 static int lib80211_tkip_encrypt(struct sk_buff *skb, int hdr_len, void *priv)
360 {
361 struct lib80211_tkip_data *tkey = priv;
362 struct blkcipher_desc desc = { .tfm = tkey->tx_tfm_arc4 };
363 int len;
364 u8 rc4key[16], *pos, *icv;
365 u32 crc;
366 struct scatterlist sg;
367
368 if (tkey->flags & IEEE80211_CRYPTO_TKIP_COUNTERMEASURES) {
369 if (net_ratelimit()) {
370 struct ieee80211_hdr *hdr =
371 (struct ieee80211_hdr *)skb->data;
372 printk(KERN_DEBUG ": TKIP countermeasures: dropped "
373 "TX packet to %pM\n", hdr->addr1);
374 }
375 return -1;
376 }
377
378 if (skb_tailroom(skb) < 4 || skb->len < hdr_len)
379 return -1;
380
381 len = skb->len - hdr_len;
382 pos = skb->data + hdr_len;
383
384 if ((lib80211_tkip_hdr(skb, hdr_len, rc4key, 16, priv)) < 0)
385 return -1;
386
387 icv = skb_put(skb, 4);
388
389 crc = ~crc32_le(~0, pos, len);
390 icv[0] = crc;
391 icv[1] = crc >> 8;
392 icv[2] = crc >> 16;
393 icv[3] = crc >> 24;
394
395 crypto_blkcipher_setkey(tkey->tx_tfm_arc4, rc4key, 16);
396 sg_init_one(&sg, pos, len + 4);
397 return crypto_blkcipher_encrypt(&desc, &sg, &sg, len + 4);
398 }
399
400 /*
401 * deal with seq counter wrapping correctly.
402 * refer to timer_after() for jiffies wrapping handling
403 */
tkip_replay_check(u32 iv32_n,u16 iv16_n,u32 iv32_o,u16 iv16_o)404 static inline int tkip_replay_check(u32 iv32_n, u16 iv16_n,
405 u32 iv32_o, u16 iv16_o)
406 {
407 if ((s32)iv32_n - (s32)iv32_o < 0 ||
408 (iv32_n == iv32_o && iv16_n <= iv16_o))
409 return 1;
410 return 0;
411 }
412
lib80211_tkip_decrypt(struct sk_buff * skb,int hdr_len,void * priv)413 static int lib80211_tkip_decrypt(struct sk_buff *skb, int hdr_len, void *priv)
414 {
415 struct lib80211_tkip_data *tkey = priv;
416 struct blkcipher_desc desc = { .tfm = tkey->rx_tfm_arc4 };
417 u8 rc4key[16];
418 u8 keyidx, *pos;
419 u32 iv32;
420 u16 iv16;
421 struct ieee80211_hdr *hdr;
422 u8 icv[4];
423 u32 crc;
424 struct scatterlist sg;
425 int plen;
426
427 hdr = (struct ieee80211_hdr *)skb->data;
428
429 if (tkey->flags & IEEE80211_CRYPTO_TKIP_COUNTERMEASURES) {
430 if (net_ratelimit()) {
431 printk(KERN_DEBUG ": TKIP countermeasures: dropped "
432 "received packet from %pM\n", hdr->addr2);
433 }
434 return -1;
435 }
436
437 if (skb->len < hdr_len + 8 + 4)
438 return -1;
439
440 pos = skb->data + hdr_len;
441 keyidx = pos[3];
442 if (!(keyidx & (1 << 5))) {
443 if (net_ratelimit()) {
444 printk(KERN_DEBUG "TKIP: received packet without ExtIV"
445 " flag from %pM\n", hdr->addr2);
446 }
447 return -2;
448 }
449 keyidx >>= 6;
450 if (tkey->key_idx != keyidx) {
451 printk(KERN_DEBUG "TKIP: RX tkey->key_idx=%d frame "
452 "keyidx=%d priv=%p\n", tkey->key_idx, keyidx, priv);
453 return -6;
454 }
455 if (!tkey->key_set) {
456 if (net_ratelimit()) {
457 printk(KERN_DEBUG "TKIP: received packet from %pM"
458 " with keyid=%d that does not have a configured"
459 " key\n", hdr->addr2, keyidx);
460 }
461 return -3;
462 }
463 iv16 = (pos[0] << 8) | pos[2];
464 iv32 = pos[4] | (pos[5] << 8) | (pos[6] << 16) | (pos[7] << 24);
465 pos += 8;
466
467 if (tkip_replay_check(iv32, iv16, tkey->rx_iv32, tkey->rx_iv16)) {
468 #ifdef CONFIG_LIB80211_DEBUG
469 if (net_ratelimit()) {
470 printk(KERN_DEBUG "TKIP: replay detected: STA=%pM"
471 " previous TSC %08x%04x received TSC "
472 "%08x%04x\n", hdr->addr2,
473 tkey->rx_iv32, tkey->rx_iv16, iv32, iv16);
474 }
475 #endif
476 tkey->dot11RSNAStatsTKIPReplays++;
477 return -4;
478 }
479
480 if (iv32 != tkey->rx_iv32 || !tkey->rx_phase1_done) {
481 tkip_mixing_phase1(tkey->rx_ttak, tkey->key, hdr->addr2, iv32);
482 tkey->rx_phase1_done = 1;
483 }
484 tkip_mixing_phase2(rc4key, tkey->key, tkey->rx_ttak, iv16);
485
486 plen = skb->len - hdr_len - 12;
487
488 crypto_blkcipher_setkey(tkey->rx_tfm_arc4, rc4key, 16);
489 sg_init_one(&sg, pos, plen + 4);
490 if (crypto_blkcipher_decrypt(&desc, &sg, &sg, plen + 4)) {
491 if (net_ratelimit()) {
492 printk(KERN_DEBUG ": TKIP: failed to decrypt "
493 "received packet from %pM\n",
494 hdr->addr2);
495 }
496 return -7;
497 }
498
499 crc = ~crc32_le(~0, pos, plen);
500 icv[0] = crc;
501 icv[1] = crc >> 8;
502 icv[2] = crc >> 16;
503 icv[3] = crc >> 24;
504 if (memcmp(icv, pos + plen, 4) != 0) {
505 if (iv32 != tkey->rx_iv32) {
506 /* Previously cached Phase1 result was already lost, so
507 * it needs to be recalculated for the next packet. */
508 tkey->rx_phase1_done = 0;
509 }
510 #ifdef CONFIG_LIB80211_DEBUG
511 if (net_ratelimit()) {
512 printk(KERN_DEBUG "TKIP: ICV error detected: STA="
513 "%pM\n", hdr->addr2);
514 }
515 #endif
516 tkey->dot11RSNAStatsTKIPICVErrors++;
517 return -5;
518 }
519
520 /* Update real counters only after Michael MIC verification has
521 * completed */
522 tkey->rx_iv32_new = iv32;
523 tkey->rx_iv16_new = iv16;
524
525 /* Remove IV and ICV */
526 memmove(skb->data + 8, skb->data, hdr_len);
527 skb_pull(skb, 8);
528 skb_trim(skb, skb->len - 4);
529
530 return keyidx;
531 }
532
michael_mic(struct crypto_hash * tfm_michael,u8 * key,u8 * hdr,u8 * data,size_t data_len,u8 * mic)533 static int michael_mic(struct crypto_hash *tfm_michael, u8 * key, u8 * hdr,
534 u8 * data, size_t data_len, u8 * mic)
535 {
536 struct hash_desc desc;
537 struct scatterlist sg[2];
538
539 if (tfm_michael == NULL) {
540 printk(KERN_WARNING "michael_mic: tfm_michael == NULL\n");
541 return -1;
542 }
543 sg_init_table(sg, 2);
544 sg_set_buf(&sg[0], hdr, 16);
545 sg_set_buf(&sg[1], data, data_len);
546
547 if (crypto_hash_setkey(tfm_michael, key, 8))
548 return -1;
549
550 desc.tfm = tfm_michael;
551 desc.flags = 0;
552 return crypto_hash_digest(&desc, sg, data_len + 16, mic);
553 }
554
michael_mic_hdr(struct sk_buff * skb,u8 * hdr)555 static void michael_mic_hdr(struct sk_buff *skb, u8 * hdr)
556 {
557 struct ieee80211_hdr *hdr11;
558
559 hdr11 = (struct ieee80211_hdr *)skb->data;
560
561 switch (le16_to_cpu(hdr11->frame_control) &
562 (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
563 case IEEE80211_FCTL_TODS:
564 memcpy(hdr, hdr11->addr3, ETH_ALEN); /* DA */
565 memcpy(hdr + ETH_ALEN, hdr11->addr2, ETH_ALEN); /* SA */
566 break;
567 case IEEE80211_FCTL_FROMDS:
568 memcpy(hdr, hdr11->addr1, ETH_ALEN); /* DA */
569 memcpy(hdr + ETH_ALEN, hdr11->addr3, ETH_ALEN); /* SA */
570 break;
571 case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
572 memcpy(hdr, hdr11->addr3, ETH_ALEN); /* DA */
573 memcpy(hdr + ETH_ALEN, hdr11->addr4, ETH_ALEN); /* SA */
574 break;
575 case 0:
576 memcpy(hdr, hdr11->addr1, ETH_ALEN); /* DA */
577 memcpy(hdr + ETH_ALEN, hdr11->addr2, ETH_ALEN); /* SA */
578 break;
579 }
580
581 if (ieee80211_is_data_qos(hdr11->frame_control)) {
582 hdr[12] = le16_to_cpu(*ieee80211_get_qos_ctl(hdr11))
583 & IEEE80211_QOS_CTL_TID_MASK;
584 } else
585 hdr[12] = 0; /* priority */
586
587 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
588 }
589
lib80211_michael_mic_add(struct sk_buff * skb,int hdr_len,void * priv)590 static int lib80211_michael_mic_add(struct sk_buff *skb, int hdr_len,
591 void *priv)
592 {
593 struct lib80211_tkip_data *tkey = priv;
594 u8 *pos;
595
596 if (skb_tailroom(skb) < 8 || skb->len < hdr_len) {
597 printk(KERN_DEBUG "Invalid packet for Michael MIC add "
598 "(tailroom=%d hdr_len=%d skb->len=%d)\n",
599 skb_tailroom(skb), hdr_len, skb->len);
600 return -1;
601 }
602
603 michael_mic_hdr(skb, tkey->tx_hdr);
604 pos = skb_put(skb, 8);
605 if (michael_mic(tkey->tx_tfm_michael, &tkey->key[16], tkey->tx_hdr,
606 skb->data + hdr_len, skb->len - 8 - hdr_len, pos))
607 return -1;
608
609 return 0;
610 }
611
lib80211_michael_mic_failure(struct net_device * dev,struct ieee80211_hdr * hdr,int keyidx)612 static void lib80211_michael_mic_failure(struct net_device *dev,
613 struct ieee80211_hdr *hdr,
614 int keyidx)
615 {
616 union iwreq_data wrqu;
617 struct iw_michaelmicfailure ev;
618
619 /* TODO: needed parameters: count, keyid, key type, TSC */
620 memset(&ev, 0, sizeof(ev));
621 ev.flags = keyidx & IW_MICFAILURE_KEY_ID;
622 if (hdr->addr1[0] & 0x01)
623 ev.flags |= IW_MICFAILURE_GROUP;
624 else
625 ev.flags |= IW_MICFAILURE_PAIRWISE;
626 ev.src_addr.sa_family = ARPHRD_ETHER;
627 memcpy(ev.src_addr.sa_data, hdr->addr2, ETH_ALEN);
628 memset(&wrqu, 0, sizeof(wrqu));
629 wrqu.data.length = sizeof(ev);
630 wireless_send_event(dev, IWEVMICHAELMICFAILURE, &wrqu, (char *)&ev);
631 }
632
lib80211_michael_mic_verify(struct sk_buff * skb,int keyidx,int hdr_len,void * priv)633 static int lib80211_michael_mic_verify(struct sk_buff *skb, int keyidx,
634 int hdr_len, void *priv)
635 {
636 struct lib80211_tkip_data *tkey = priv;
637 u8 mic[8];
638
639 if (!tkey->key_set)
640 return -1;
641
642 michael_mic_hdr(skb, tkey->rx_hdr);
643 if (michael_mic(tkey->rx_tfm_michael, &tkey->key[24], tkey->rx_hdr,
644 skb->data + hdr_len, skb->len - 8 - hdr_len, mic))
645 return -1;
646 if (memcmp(mic, skb->data + skb->len - 8, 8) != 0) {
647 struct ieee80211_hdr *hdr;
648 hdr = (struct ieee80211_hdr *)skb->data;
649 printk(KERN_DEBUG "%s: Michael MIC verification failed for "
650 "MSDU from %pM keyidx=%d\n",
651 skb->dev ? skb->dev->name : "N/A", hdr->addr2,
652 keyidx);
653 if (skb->dev)
654 lib80211_michael_mic_failure(skb->dev, hdr, keyidx);
655 tkey->dot11RSNAStatsTKIPLocalMICFailures++;
656 return -1;
657 }
658
659 /* Update TSC counters for RX now that the packet verification has
660 * completed. */
661 tkey->rx_iv32 = tkey->rx_iv32_new;
662 tkey->rx_iv16 = tkey->rx_iv16_new;
663
664 skb_trim(skb, skb->len - 8);
665
666 return 0;
667 }
668
lib80211_tkip_set_key(void * key,int len,u8 * seq,void * priv)669 static int lib80211_tkip_set_key(void *key, int len, u8 * seq, void *priv)
670 {
671 struct lib80211_tkip_data *tkey = priv;
672 int keyidx;
673 struct crypto_hash *tfm = tkey->tx_tfm_michael;
674 struct crypto_blkcipher *tfm2 = tkey->tx_tfm_arc4;
675 struct crypto_hash *tfm3 = tkey->rx_tfm_michael;
676 struct crypto_blkcipher *tfm4 = tkey->rx_tfm_arc4;
677
678 keyidx = tkey->key_idx;
679 memset(tkey, 0, sizeof(*tkey));
680 tkey->key_idx = keyidx;
681 tkey->tx_tfm_michael = tfm;
682 tkey->tx_tfm_arc4 = tfm2;
683 tkey->rx_tfm_michael = tfm3;
684 tkey->rx_tfm_arc4 = tfm4;
685 if (len == TKIP_KEY_LEN) {
686 memcpy(tkey->key, key, TKIP_KEY_LEN);
687 tkey->key_set = 1;
688 tkey->tx_iv16 = 1; /* TSC is initialized to 1 */
689 if (seq) {
690 tkey->rx_iv32 = (seq[5] << 24) | (seq[4] << 16) |
691 (seq[3] << 8) | seq[2];
692 tkey->rx_iv16 = (seq[1] << 8) | seq[0];
693 }
694 } else if (len == 0)
695 tkey->key_set = 0;
696 else
697 return -1;
698
699 return 0;
700 }
701
lib80211_tkip_get_key(void * key,int len,u8 * seq,void * priv)702 static int lib80211_tkip_get_key(void *key, int len, u8 * seq, void *priv)
703 {
704 struct lib80211_tkip_data *tkey = priv;
705
706 if (len < TKIP_KEY_LEN)
707 return -1;
708
709 if (!tkey->key_set)
710 return 0;
711 memcpy(key, tkey->key, TKIP_KEY_LEN);
712
713 if (seq) {
714 /* Return the sequence number of the last transmitted frame. */
715 u16 iv16 = tkey->tx_iv16;
716 u32 iv32 = tkey->tx_iv32;
717 if (iv16 == 0)
718 iv32--;
719 iv16--;
720 seq[0] = tkey->tx_iv16;
721 seq[1] = tkey->tx_iv16 >> 8;
722 seq[2] = tkey->tx_iv32;
723 seq[3] = tkey->tx_iv32 >> 8;
724 seq[4] = tkey->tx_iv32 >> 16;
725 seq[5] = tkey->tx_iv32 >> 24;
726 }
727
728 return TKIP_KEY_LEN;
729 }
730
lib80211_tkip_print_stats(char * p,void * priv)731 static char *lib80211_tkip_print_stats(char *p, void *priv)
732 {
733 struct lib80211_tkip_data *tkip = priv;
734 p += sprintf(p, "key[%d] alg=TKIP key_set=%d "
735 "tx_pn=%02x%02x%02x%02x%02x%02x "
736 "rx_pn=%02x%02x%02x%02x%02x%02x "
737 "replays=%d icv_errors=%d local_mic_failures=%d\n",
738 tkip->key_idx, tkip->key_set,
739 (tkip->tx_iv32 >> 24) & 0xff,
740 (tkip->tx_iv32 >> 16) & 0xff,
741 (tkip->tx_iv32 >> 8) & 0xff,
742 tkip->tx_iv32 & 0xff,
743 (tkip->tx_iv16 >> 8) & 0xff,
744 tkip->tx_iv16 & 0xff,
745 (tkip->rx_iv32 >> 24) & 0xff,
746 (tkip->rx_iv32 >> 16) & 0xff,
747 (tkip->rx_iv32 >> 8) & 0xff,
748 tkip->rx_iv32 & 0xff,
749 (tkip->rx_iv16 >> 8) & 0xff,
750 tkip->rx_iv16 & 0xff,
751 tkip->dot11RSNAStatsTKIPReplays,
752 tkip->dot11RSNAStatsTKIPICVErrors,
753 tkip->dot11RSNAStatsTKIPLocalMICFailures);
754 return p;
755 }
756
757 static struct lib80211_crypto_ops lib80211_crypt_tkip = {
758 .name = "TKIP",
759 .init = lib80211_tkip_init,
760 .deinit = lib80211_tkip_deinit,
761 .build_iv = lib80211_tkip_hdr,
762 .encrypt_mpdu = lib80211_tkip_encrypt,
763 .decrypt_mpdu = lib80211_tkip_decrypt,
764 .encrypt_msdu = lib80211_michael_mic_add,
765 .decrypt_msdu = lib80211_michael_mic_verify,
766 .set_key = lib80211_tkip_set_key,
767 .get_key = lib80211_tkip_get_key,
768 .print_stats = lib80211_tkip_print_stats,
769 .extra_mpdu_prefix_len = 4 + 4, /* IV + ExtIV */
770 .extra_mpdu_postfix_len = 4, /* ICV */
771 .extra_msdu_postfix_len = 8, /* MIC */
772 .get_flags = lib80211_tkip_get_flags,
773 .set_flags = lib80211_tkip_set_flags,
774 .owner = THIS_MODULE,
775 };
776
lib80211_crypto_tkip_init(void)777 static int __init lib80211_crypto_tkip_init(void)
778 {
779 return lib80211_register_crypto_ops(&lib80211_crypt_tkip);
780 }
781
lib80211_crypto_tkip_exit(void)782 static void __exit lib80211_crypto_tkip_exit(void)
783 {
784 lib80211_unregister_crypto_ops(&lib80211_crypt_tkip);
785 }
786
787 module_init(lib80211_crypto_tkip_init);
788 module_exit(lib80211_crypto_tkip_exit);
789