[infiniband] Use "%#lx" as format specifier for queue pair numbers
[ipxe.git] / src / net / 80211 / wpa_tkip.c
1 /*
2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20 FILE_LICENCE ( GPL2_OR_LATER );
21
22 #include <string.h>
23 #include <ipxe/net80211.h>
24 #include <ipxe/crypto.h>
25 #include <ipxe/hmac.h>
26 #include <ipxe/sha1.h>
27 #include <ipxe/md5.h>
28 #include <ipxe/crc32.h>
29 #include <ipxe/arc4.h>
30 #include <ipxe/wpa.h>
31 #include <byteswap.h>
32 #include <errno.h>
33
34 /** @file
35 *
36 * Backend for WPA using the TKIP encryption standard.
37 */
38
39 /** Context for one direction of TKIP, either encryption or decryption */
40 struct tkip_dir_ctx
41 {
42 /** High 32 bits of last sequence counter value used */
43 u32 tsc_hi;
44
45 /** Low 32 bits of last sequence counter value used */
46 u16 tsc_lo;
47
48 /** MAC address used to derive TTAK */
49 u8 mac[ETH_ALEN];
50
51 /** If TRUE, TTAK is valid */
52 u16 ttak_ok;
53
54 /** TKIP-mixed transmit address and key, depends on tsc_hi and MAC */
55 u16 ttak[5];
56 };
57
58 /** Context for TKIP encryption and decryption */
59 struct tkip_ctx
60 {
61 /** Temporal key to use */
62 struct tkip_tk tk;
63
64 /** State for encryption */
65 struct tkip_dir_ctx enc;
66
67 /** State for decryption */
68 struct tkip_dir_ctx dec;
69 };
70
71 /** Header structure at the beginning of TKIP frame data */
72 struct tkip_head
73 {
74 u8 tsc1; /**< High byte of low 16 bits of TSC */
75 u8 seed1; /**< Second byte of WEP seed */
76 u8 tsc0; /**< Low byte of TSC */
77 u8 kid; /**< Key ID and ExtIV byte */
78 u32 tsc_hi; /**< High 32 bits of TSC, as an ExtIV */
79 } __attribute__ (( packed ));
80
81
82 /** TKIP header overhead (IV + KID + ExtIV) */
83 #define TKIP_HEAD_LEN 8
84
85 /** TKIP trailer overhead (MIC + ICV) [assumes unfragmented] */
86 #define TKIP_FOOT_LEN 12
87
88 /** TKIP MIC length */
89 #define TKIP_MIC_LEN 8
90
91 /** TKIP ICV length */
92 #define TKIP_ICV_LEN 4
93
94
95 /** TKIP S-box */
96 static const u16 Sbox[256] = {
97 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
98 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
99 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
100 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
101 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
102 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
103 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
104 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
105 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
106 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
107 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
108 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
109 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
110 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
111 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
112 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
113 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
114 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
115 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
116 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
117 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
118 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
119 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
120 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
121 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
122 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
123 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
124 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
125 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
126 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
127 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
128 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
129 };
130
131 /**
132 * Perform S-box mapping on a 16-bit value
133 *
134 * @v v Value to perform S-box mapping on
135 * @ret Sv S-box mapped value
136 */
137 static inline u16 S ( u16 v )
138 {
139 return Sbox[v & 0xFF] ^ bswap_16 ( Sbox[v >> 8] );
140 }
141
142 /**
143 * Rotate 16-bit value right
144 *
145 * @v v Value to rotate
146 * @v bits Number of bits to rotate by
147 * @ret rotv Rotated value
148 */
149 static inline u16 ror16 ( u16 v, int bits )
150 {
151 return ( v >> bits ) | ( v << ( 16 - bits ) );
152 }
153
154 /**
155 * Rotate 32-bit value right
156 *
157 * @v v Value to rotate
158 * @v bits Number of bits to rotate by
159 * @ret rotv Rotated value
160 */
161 static inline u32 ror32 ( u32 v, int bits )
162 {
163 return ( v >> bits ) | ( v << ( 32 - bits ) );
164 }
165
166 /**
167 * Rotate 32-bit value left
168 *
169 * @v v Value to rotate
170 * @v bits Number of bits to rotate by
171 * @ret rotv Rotated value
172 */
173 static inline u32 rol32 ( u32 v, int bits )
174 {
175 return ( v << bits ) | ( v >> ( 32 - bits ) );
176 }
177
178
179 /**
180 * Initialise TKIP state and install key
181 *
182 * @v crypto TKIP cryptosystem structure
183 * @v key Pointer to tkip_tk to install
184 * @v keylen Length of key (32 bytes)
185 * @v rsc Initial receive sequence counter
186 */
187 static int tkip_init ( struct net80211_crypto *crypto, const void *key,
188 int keylen, const void *rsc )
189 {
190 struct tkip_ctx *ctx = crypto->priv;
191 const u8 *rscb = rsc;
192
193 if ( keylen != sizeof ( ctx->tk ) )
194 return -EINVAL;
195
196 if ( rscb ) {
197 ctx->dec.tsc_lo = ( rscb[1] << 8 ) | rscb[0];
198 ctx->dec.tsc_hi = ( ( rscb[5] << 24 ) | ( rscb[4] << 16 ) |
199 ( rscb[3] << 8 ) | rscb[2] );
200 }
201
202 memcpy ( &ctx->tk, key, sizeof ( ctx->tk ) );
203
204 return 0;
205 }
206
207 /**
208 * Perform TKIP key mixing, phase 1
209 *
210 * @v dctx TKIP directional context
211 * @v tk TKIP temporal key
212 * @v mac MAC address of transmitter
213 *
214 * This recomputes the TTAK in @a dctx if necessary, and sets
215 * @c dctx->ttak_ok.
216 */
217 static void tkip_mix_1 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk, u8 *mac )
218 {
219 int i, j;
220
221 if ( dctx->ttak_ok && ! memcmp ( mac, dctx->mac, ETH_ALEN ) )
222 return;
223
224 memcpy ( dctx->mac, mac, ETH_ALEN );
225
226 dctx->ttak[0] = dctx->tsc_hi & 0xFFFF;
227 dctx->ttak[1] = dctx->tsc_hi >> 16;
228 dctx->ttak[2] = ( mac[1] << 8 ) | mac[0];
229 dctx->ttak[3] = ( mac[3] << 8 ) | mac[2];
230 dctx->ttak[4] = ( mac[5] << 8 ) | mac[4];
231
232 for ( i = 0; i < 8; i++ ) {
233 j = 2 * ( i & 1 );
234
235 dctx->ttak[0] += S ( dctx->ttak[4] ^ ( ( tk->key[1 + j] << 8 ) |
236 tk->key[0 + j] ) );
237 dctx->ttak[1] += S ( dctx->ttak[0] ^ ( ( tk->key[5 + j] << 8 ) |
238 tk->key[4 + j] ) );
239 dctx->ttak[2] += S ( dctx->ttak[1] ^ ( ( tk->key[9 + j] << 8 ) |
240 tk->key[8 + j] ) );
241 dctx->ttak[3] += S ( dctx->ttak[2] ^ ( ( tk->key[13+ j] << 8 ) |
242 tk->key[12+ j] ) );
243 dctx->ttak[4] += S ( dctx->ttak[3] ^ ( ( tk->key[1 + j] << 8 ) |
244 tk->key[0 + j] ) ) + i;
245 }
246
247 dctx->ttak_ok = 1;
248 }
249
250 /**
251 * Perform TKIP key mixing, phase 2
252 *
253 * @v dctx TKIP directional context
254 * @v tk TKIP temporal key
255 * @ret key ARC4 key, 16 bytes long
256 */
257 static void tkip_mix_2 ( struct tkip_dir_ctx *dctx, struct tkip_tk *tk,
258 void *key )
259 {
260 u8 *kb = key;
261 u16 ppk[6];
262 int i;
263
264 memcpy ( ppk, dctx->ttak, sizeof ( dctx->ttak ) );
265 ppk[5] = dctx->ttak[4] + dctx->tsc_lo;
266
267 ppk[0] += S ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) );
268 ppk[1] += S ( ppk[0] ^ ( ( tk->key[3] << 8 ) | tk->key[2] ) );
269 ppk[2] += S ( ppk[1] ^ ( ( tk->key[5] << 8 ) | tk->key[4] ) );
270 ppk[3] += S ( ppk[2] ^ ( ( tk->key[7] << 8 ) | tk->key[6] ) );
271 ppk[4] += S ( ppk[3] ^ ( ( tk->key[9] << 8 ) | tk->key[8] ) );
272 ppk[5] += S ( ppk[4] ^ ( ( tk->key[11] << 8 ) | tk->key[10] ) );
273
274 ppk[0] += ror16 ( ppk[5] ^ ( ( tk->key[13] << 8 ) | tk->key[12] ), 1 );
275 ppk[1] += ror16 ( ppk[0] ^ ( ( tk->key[15] << 8 ) | tk->key[14] ), 1 );
276 ppk[2] += ror16 ( ppk[1], 1 );
277 ppk[3] += ror16 ( ppk[2], 1 );
278 ppk[4] += ror16 ( ppk[3], 1 );
279 ppk[5] += ror16 ( ppk[4], 1 );
280
281 kb[0] = dctx->tsc_lo >> 8;
282 kb[1] = ( ( dctx->tsc_lo >> 8 ) | 0x20 ) & 0x7F;
283 kb[2] = dctx->tsc_lo & 0xFF;
284 kb[3] = ( ( ppk[5] ^ ( ( tk->key[1] << 8 ) | tk->key[0] ) ) >> 1 )
285 & 0xFF;
286
287 for ( i = 0; i < 6; i++ ) {
288 kb[4 + 2*i] = ppk[i] & 0xFF;
289 kb[5 + 2*i] = ppk[i] >> 8;
290 }
291 }
292
293 /**
294 * Update Michael message integrity code based on next 32-bit word of data
295 *
296 * @v V Michael code state (two 32-bit words)
297 * @v word Next 32-bit word of data
298 */
299 static void tkip_feed_michael ( u32 *V, u32 word )
300 {
301 V[0] ^= word;
302 V[1] ^= rol32 ( V[0], 17 );
303 V[0] += V[1];
304 V[1] ^= ( ( V[0] & 0xFF00FF00 ) >> 8 ) | ( ( V[0] & 0x00FF00FF ) << 8 );
305 V[0] += V[1];
306 V[1] ^= rol32 ( V[0], 3 );
307 V[0] += V[1];
308 V[1] ^= ror32 ( V[0], 2 );
309 V[0] += V[1];
310 }
311
312 /**
313 * Calculate Michael message integrity code
314 *
315 * @v key MIC key to use (8 bytes)
316 * @v da Destination link-layer address
317 * @v sa Source link-layer address
318 * @v data Start of data to calculate over
319 * @v len Length of header + data
320 * @ret mic Calculated Michael MIC (8 bytes)
321 */
322 static void tkip_michael ( const void *key, const void *da, const void *sa,
323 const void *data, size_t len, void *mic )
324 {
325 u32 V[2]; /* V[0] = "l", V[1] = "r" in 802.11 */
326 union {
327 u8 byte[12];
328 u32 word[3];
329 } cap;
330 const u8 *ptr = data;
331 const u8 *end = ptr + len;
332 int i;
333
334 memcpy ( V, key, sizeof ( V ) );
335 V[0] = le32_to_cpu ( V[0] );
336 V[1] = le32_to_cpu ( V[1] );
337
338 /* Feed in header (we assume non-QoS, so Priority = 0) */
339 memcpy ( &cap.byte[0], da, ETH_ALEN );
340 memcpy ( &cap.byte[6], sa, ETH_ALEN );
341 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
342 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
343 tkip_feed_michael ( V, le32_to_cpu ( cap.word[2] ) );
344 tkip_feed_michael ( V, 0 );
345
346 /* Feed in data */
347 while ( ptr + 4 <= end ) {
348 tkip_feed_michael ( V, le32_to_cpu ( *( u32 * ) ptr ) );
349 ptr += 4;
350 }
351
352 /* Add unaligned part and padding */
353 for ( i = 0; ptr < end; i++ )
354 cap.byte[i] = *ptr++;
355 cap.byte[i++] = 0x5a;
356 for ( ; i < 8; i++ )
357 cap.byte[i] = 0;
358
359 /* Feed in padding */
360 tkip_feed_michael ( V, le32_to_cpu ( cap.word[0] ) );
361 tkip_feed_michael ( V, le32_to_cpu ( cap.word[1] ) );
362
363 /* Output MIC */
364 V[0] = cpu_to_le32 ( V[0] );
365 V[1] = cpu_to_le32 ( V[1] );
366 memcpy ( mic, V, sizeof ( V ) );
367 }
368
369 /**
370 * Encrypt a packet using TKIP
371 *
372 * @v crypto TKIP cryptosystem
373 * @v iob I/O buffer containing cleartext packet
374 * @ret eiob I/O buffer containing encrypted packet
375 */
376 static struct io_buffer * tkip_encrypt ( struct net80211_crypto *crypto,
377 struct io_buffer *iob )
378 {
379 struct tkip_ctx *ctx = crypto->priv;
380 struct ieee80211_frame *hdr = iob->data;
381 struct io_buffer *eiob;
382 struct arc4_ctx arc4;
383 u8 key[16];
384 struct tkip_head head;
385 u8 mic[8];
386 u32 icv;
387 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
388 int datalen = iob_len ( iob ) - hdrlen;
389
390 ctx->enc.tsc_lo++;
391 if ( ctx->enc.tsc_lo == 0 ) {
392 ctx->enc.tsc_hi++;
393 ctx->enc.ttak_ok = 0;
394 }
395
396 tkip_mix_1 ( &ctx->enc, &ctx->tk, hdr->addr2 );
397 tkip_mix_2 ( &ctx->enc, &ctx->tk, key );
398
399 eiob = alloc_iob ( iob_len ( iob ) + TKIP_HEAD_LEN + TKIP_FOOT_LEN );
400 if ( ! eiob )
401 return NULL;
402
403 /* Copy frame header */
404 memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
405 hdr = eiob->data;
406 hdr->fc |= IEEE80211_FC_PROTECTED;
407
408 /* Fill in IV and key ID byte, and extended IV */
409 memcpy ( &head, key, 3 );
410 head.kid = 0x20; /* have Extended IV, key ID 0 */
411 head.tsc_hi = cpu_to_le32 ( ctx->enc.tsc_hi );
412 memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
413
414 /* Copy and encrypt the data */
415 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
416 cipher_encrypt ( &arc4_algorithm, &arc4, iob->data + hdrlen,
417 iob_put ( eiob, datalen ), datalen );
418
419 /* Add MIC */
420 hdr = iob->data;
421 tkip_michael ( &ctx->tk.mic.tx, hdr->addr3, hdr->addr2,
422 iob->data + hdrlen, datalen, mic );
423 cipher_encrypt ( &arc4_algorithm, &arc4, mic,
424 iob_put ( eiob, sizeof ( mic ) ), sizeof ( mic ) );
425
426 /* Add ICV */
427 icv = crc32_le ( ~0, iob->data + hdrlen, datalen );
428 icv = crc32_le ( icv, mic, sizeof ( mic ) );
429 icv = cpu_to_le32 ( ~icv );
430 cipher_encrypt ( &arc4_algorithm, &arc4, &icv,
431 iob_put ( eiob, TKIP_ICV_LEN ), TKIP_ICV_LEN );
432
433 DBGC2 ( ctx, "WPA-TKIP %p: encrypted packet %p -> %p\n", ctx,
434 iob, eiob );
435
436 return eiob;
437 }
438
439 /**
440 * Decrypt a packet using TKIP
441 *
442 * @v crypto TKIP cryptosystem
443 * @v eiob I/O buffer containing encrypted packet
444 * @ret iob I/O buffer containing cleartext packet
445 */
446 static struct io_buffer * tkip_decrypt ( struct net80211_crypto *crypto,
447 struct io_buffer *eiob )
448 {
449 struct tkip_ctx *ctx = crypto->priv;
450 struct ieee80211_frame *hdr;
451 struct io_buffer *iob;
452 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
453 int datalen = iob_len ( eiob ) - hdrlen - TKIP_HEAD_LEN - TKIP_FOOT_LEN;
454 struct tkip_head *head;
455 struct arc4_ctx arc4;
456 u16 rx_tsc_lo;
457 u8 key[16];
458 u8 mic[8];
459 u32 icv, crc;
460
461 iob = alloc_iob ( hdrlen + datalen + TKIP_FOOT_LEN );
462 if ( ! iob )
463 return NULL;
464
465 /* Copy frame header */
466 memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
467 hdr = iob->data;
468 hdr->fc &= ~IEEE80211_FC_PROTECTED;
469
470 /* Check and update TSC */
471 head = eiob->data + hdrlen;
472 rx_tsc_lo = ( head->tsc1 << 8 ) | head->tsc0;
473
474 if ( head->tsc_hi < ctx->dec.tsc_hi ||
475 ( head->tsc_hi == ctx->dec.tsc_hi &&
476 rx_tsc_lo <= ctx->dec.tsc_lo ) ) {
477 DBGC ( ctx, "WPA-TKIP %p: packet received out of order "
478 "(%08x:%04x <= %08x:%04x)\n", ctx, head->tsc_hi,
479 rx_tsc_lo, ctx->dec.tsc_hi, ctx->dec.tsc_lo );
480 free_iob ( iob );
481 return NULL;
482 }
483 ctx->dec.tsc_lo = rx_tsc_lo;
484 if ( ctx->dec.tsc_hi != head->tsc_hi ) {
485 ctx->dec.ttak_ok = 0;
486 ctx->dec.tsc_hi = head->tsc_hi;
487 }
488
489 /* Calculate key */
490 tkip_mix_1 ( &ctx->dec, &ctx->tk, hdr->addr2 );
491 tkip_mix_2 ( &ctx->dec, &ctx->tk, key );
492
493 /* Copy-decrypt data, MIC, ICV */
494 cipher_setkey ( &arc4_algorithm, &arc4, key, 16 );
495 cipher_decrypt ( &arc4_algorithm, &arc4,
496 eiob->data + hdrlen + TKIP_HEAD_LEN,
497 iob_put ( iob, datalen ), datalen + TKIP_FOOT_LEN );
498
499 /* Check ICV */
500 icv = le32_to_cpu ( *( u32 * ) ( iob->tail + TKIP_MIC_LEN ) );
501 crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen + TKIP_MIC_LEN );
502 if ( crc != icv ) {
503 DBGC ( ctx, "WPA-TKIP %p CRC mismatch: expect %08x, get %08x\n",
504 ctx, icv, crc );
505 free_iob ( iob );
506 return NULL;
507 }
508
509 /* Check MIC */
510 tkip_michael ( &ctx->tk.mic.rx, hdr->addr1, hdr->addr3,
511 iob->data + hdrlen, datalen, mic );
512 if ( memcmp ( mic, iob->tail, TKIP_MIC_LEN ) != 0 ) {
513 DBGC ( ctx, "WPA-TKIP %p ALERT! MIC failure\n", ctx );
514 /* XXX we should do the countermeasures here */
515 free_iob ( iob );
516 return NULL;
517 }
518
519 DBGC2 ( ctx, "WPA-TKIP %p: decrypted packet %p -> %p\n", ctx,
520 eiob, iob );
521
522 return iob;
523 }
524
525 /** TKIP cryptosystem */
526 struct net80211_crypto tkip_crypto __net80211_crypto = {
527 .algorithm = NET80211_CRYPT_TKIP,
528 .init = tkip_init,
529 .encrypt = tkip_encrypt,
530 .decrypt = tkip_decrypt,
531 .priv_len = sizeof ( struct tkip_ctx ),
532 };
533
534
535
536
537 /**
538 * Calculate HMAC-MD5 MIC for EAPOL-Key frame
539 *
540 * @v kck Key Confirmation Key, 16 bytes
541 * @v msg Message to calculate MIC over
542 * @v len Number of bytes to calculate MIC over
543 * @ret mic Calculated MIC, 16 bytes long
544 */
545 static void tkip_kie_mic ( const void *kck, const void *msg, size_t len,
546 void *mic )
547 {
548 uint8_t ctx[MD5_CTX_SIZE];
549 u8 kckb[16];
550 size_t kck_len = 16;
551
552 memcpy ( kckb, kck, kck_len );
553
554 hmac_init ( &md5_algorithm, ctx, kckb, &kck_len );
555 hmac_update ( &md5_algorithm, ctx, msg, len );
556 hmac_final ( &md5_algorithm, ctx, kckb, &kck_len, mic );
557 }
558
559 /**
560 * Decrypt key data in EAPOL-Key frame
561 *
562 * @v kek Key Encryption Key, 16 bytes
563 * @v iv Initialisation vector, 16 bytes
564 * @v msg Message to decrypt
565 * @v len Length of message
566 * @ret msg Decrypted message in place of original
567 * @ret len Unchanged
568 * @ret rc Always 0 for success
569 */
570 static int tkip_kie_decrypt ( const void *kek, const void *iv,
571 void *msg, u16 *len )
572 {
573 u8 key[32];
574 memcpy ( key, iv, 16 );
575 memcpy ( key + 16, kek, 16 );
576
577 arc4_skip ( key, 32, 256, msg, msg, *len );
578
579 return 0;
580 }
581
582
583 /** TKIP-style key integrity and encryption handler */
584 struct wpa_kie tkip_kie __wpa_kie = {
585 .version = EAPOL_KEY_VERSION_WPA,
586 .mic = tkip_kie_mic,
587 .decrypt = tkip_kie_decrypt,
588 };