Merge branch 'core/rodata' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux...
[linux-2.6] / net / mac80211 / tkip.c
1 /*
2  * Copyright 2002-2004, Instant802 Networks, Inc.
3  * Copyright 2005, Devicescape Software, Inc.
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  */
9
10 #include <linux/kernel.h>
11 #include <linux/types.h>
12 #include <linux/netdevice.h>
13
14 #include <net/mac80211.h>
15 #include "key.h"
16 #include "tkip.h"
17 #include "wep.h"
18
19
20 /* TKIP key mixing functions */
21
22
23 #define PHASE1_LOOP_COUNT 8
24
25
26 /* 2-byte by 2-byte subset of the full AES S-box table; second part of this
27  * table is identical to first part but byte-swapped */
28 static const u16 tkip_sbox[256] =
29 {
30         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
31         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
32         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
33         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
34         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
35         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
36         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
37         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
38         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
39         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
40         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
41         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
42         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
43         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
44         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
45         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
46         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
47         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
48         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
49         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
50         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
51         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
52         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
53         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
54         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
55         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
56         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
57         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
58         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
59         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
60         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
61         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
62 };
63
64
65 static inline u16 Mk16(u8 x, u8 y)
66 {
67         return ((u16) x << 8) | (u16) y;
68 }
69
70
71 static inline u8 Hi8(u16 v)
72 {
73         return v >> 8;
74 }
75
76
77 static inline u8 Lo8(u16 v)
78 {
79         return v & 0xff;
80 }
81
82
83 static inline u16 Hi16(u32 v)
84 {
85         return v >> 16;
86 }
87
88
89 static inline u16 Lo16(u32 v)
90 {
91         return v & 0xffff;
92 }
93
94
95 static inline u16 RotR1(u16 v)
96 {
97         return (v >> 1) | ((v & 0x0001) << 15);
98 }
99
100
101 static inline u16 tkip_S(u16 val)
102 {
103         u16 a = tkip_sbox[Hi8(val)];
104
105         return tkip_sbox[Lo8(val)] ^ Hi8(a) ^ (Lo8(a) << 8);
106 }
107
108
109
110 /* P1K := Phase1(TA, TK, TSC)
111  * TA = transmitter address (48 bits)
112  * TK = dot11DefaultKeyValue or dot11KeyMappingValue (128 bits)
113  * TSC = TKIP sequence counter (48 bits, only 32 msb bits used)
114  * P1K: 80 bits
115  */
116 static void tkip_mixing_phase1(const u8 *ta, const u8 *tk, u32 tsc_IV32,
117                                u16 *p1k)
118 {
119         int i, j;
120
121         p1k[0] = Lo16(tsc_IV32);
122         p1k[1] = Hi16(tsc_IV32);
123         p1k[2] = Mk16(ta[1], ta[0]);
124         p1k[3] = Mk16(ta[3], ta[2]);
125         p1k[4] = Mk16(ta[5], ta[4]);
126
127         for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
128                 j = 2 * (i & 1);
129                 p1k[0] += tkip_S(p1k[4] ^ Mk16(tk[ 1 + j], tk[ 0 + j]));
130                 p1k[1] += tkip_S(p1k[0] ^ Mk16(tk[ 5 + j], tk[ 4 + j]));
131                 p1k[2] += tkip_S(p1k[1] ^ Mk16(tk[ 9 + j], tk[ 8 + j]));
132                 p1k[3] += tkip_S(p1k[2] ^ Mk16(tk[13 + j], tk[12 + j]));
133                 p1k[4] += tkip_S(p1k[3] ^ Mk16(tk[ 1 + j], tk[ 0 + j])) + i;
134         }
135 }
136
137
138 static void tkip_mixing_phase2(const u16 *p1k, const u8 *tk, u16 tsc_IV16,
139                                u8 *rc4key)
140 {
141         u16 ppk[6];
142         int i;
143
144         ppk[0] = p1k[0];
145         ppk[1] = p1k[1];
146         ppk[2] = p1k[2];
147         ppk[3] = p1k[3];
148         ppk[4] = p1k[4];
149         ppk[5] = p1k[4] + tsc_IV16;
150
151         ppk[0] += tkip_S(ppk[5] ^ Mk16(tk[ 1], tk[ 0]));
152         ppk[1] += tkip_S(ppk[0] ^ Mk16(tk[ 3], tk[ 2]));
153         ppk[2] += tkip_S(ppk[1] ^ Mk16(tk[ 5], tk[ 4]));
154         ppk[3] += tkip_S(ppk[2] ^ Mk16(tk[ 7], tk[ 6]));
155         ppk[4] += tkip_S(ppk[3] ^ Mk16(tk[ 9], tk[ 8]));
156         ppk[5] += tkip_S(ppk[4] ^ Mk16(tk[11], tk[10]));
157         ppk[0] +=  RotR1(ppk[5] ^ Mk16(tk[13], tk[12]));
158         ppk[1] +=  RotR1(ppk[0] ^ Mk16(tk[15], tk[14]));
159         ppk[2] +=  RotR1(ppk[1]);
160         ppk[3] +=  RotR1(ppk[2]);
161         ppk[4] +=  RotR1(ppk[3]);
162         ppk[5] +=  RotR1(ppk[4]);
163
164         rc4key[0] = Hi8(tsc_IV16);
165         rc4key[1] = (Hi8(tsc_IV16) | 0x20) & 0x7f;
166         rc4key[2] = Lo8(tsc_IV16);
167         rc4key[3] = Lo8((ppk[5] ^ Mk16(tk[1], tk[0])) >> 1);
168
169         for (i = 0; i < 6; i++) {
170                 rc4key[4 + 2 * i] = Lo8(ppk[i]);
171                 rc4key[5 + 2 * i] = Hi8(ppk[i]);
172         }
173 }
174
175
176 /* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
177  * of the IV. Returns pointer to the octet following IVs (i.e., beginning of
178  * the packet payload). */
179 u8 * ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key,
180                            u8 iv0, u8 iv1, u8 iv2)
181 {
182         *pos++ = iv0;
183         *pos++ = iv1;
184         *pos++ = iv2;
185         *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */;
186         *pos++ = key->u.tkip.iv32 & 0xff;
187         *pos++ = (key->u.tkip.iv32 >> 8) & 0xff;
188         *pos++ = (key->u.tkip.iv32 >> 16) & 0xff;
189         *pos++ = (key->u.tkip.iv32 >> 24) & 0xff;
190         return pos;
191 }
192
193
194 void ieee80211_tkip_gen_phase1key(struct ieee80211_key *key, u8 *ta,
195                                   u16 *phase1key)
196 {
197         tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
198                            key->u.tkip.iv32, phase1key);
199 }
200
201 void ieee80211_tkip_gen_rc4key(struct ieee80211_key *key, u8 *ta,
202                                u8 *rc4key)
203 {
204         /* Calculate per-packet key */
205         if (key->u.tkip.iv16 == 0 || !key->u.tkip.tx_initialized) {
206                 /* IV16 wrapped around - perform TKIP phase 1 */
207                 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
208                                    key->u.tkip.iv32, key->u.tkip.p1k);
209                 key->u.tkip.tx_initialized = 1;
210         }
211
212         tkip_mixing_phase2(key->u.tkip.p1k,
213                            &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
214                            key->u.tkip.iv16, rc4key);
215 }
216
217 void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf,
218                         struct sk_buff *skb, enum ieee80211_tkip_key_type type,
219                         u8 *outkey)
220 {
221         struct ieee80211_key *key = (struct ieee80211_key *)
222                         container_of(keyconf, struct ieee80211_key, conf);
223         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
224         u8 *data = (u8 *) hdr;
225         u16 fc = le16_to_cpu(hdr->frame_control);
226         int hdr_len = ieee80211_get_hdrlen(fc);
227         u8 *ta = hdr->addr2;
228         u16 iv16;
229         u32 iv32;
230
231         iv16 = data[hdr_len] << 8;
232         iv16 += data[hdr_len + 2];
233         iv32 = data[hdr_len + 4] | (data[hdr_len + 5] << 8) |
234                (data[hdr_len + 6] << 16) | (data[hdr_len + 7] << 24);
235
236 #ifdef CONFIG_TKIP_DEBUG
237         printk(KERN_DEBUG "TKIP encrypt: iv16 = 0x%04x, iv32 = 0x%08x\n",
238                         iv16, iv32);
239
240         if (iv32 != key->u.tkip.iv32) {
241                 printk(KERN_DEBUG "skb: iv32 = 0x%08x key: iv32 = 0x%08x\n",
242                         iv32, key->u.tkip.iv32);
243                 printk(KERN_DEBUG "Wrap around of iv16 in the middle of a "
244                         "fragmented packet\n");
245         }
246 #endif /* CONFIG_TKIP_DEBUG */
247
248         /* Update the p1k only when the iv16 in the packet wraps around, this
249          * might occur after the wrap around of iv16 in the key in case of
250          * fragmented packets. */
251         if (iv16 == 0 || !key->u.tkip.tx_initialized) {
252                 /* IV16 wrapped around - perform TKIP phase 1 */
253                 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
254                         iv32, key->u.tkip.p1k);
255                 key->u.tkip.tx_initialized = 1;
256         }
257
258         if (type == IEEE80211_TKIP_P1_KEY) {
259                 memcpy(outkey, key->u.tkip.p1k, sizeof(u16) * 5);
260                 return;
261         }
262
263         tkip_mixing_phase2(key->u.tkip.p1k,
264                 &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY], iv16, outkey);
265 }
266 EXPORT_SYMBOL(ieee80211_get_tkip_key);
267
268 /* Encrypt packet payload with TKIP using @key. @pos is a pointer to the
269  * beginning of the buffer containing payload. This payload must include
270  * headroom of eight octets for IV and Ext. IV and taildroom of four octets
271  * for ICV. @payload_len is the length of payload (_not_ including extra
272  * headroom and tailroom). @ta is the transmitter addresses. */
273 void ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
274                                  struct ieee80211_key *key,
275                                  u8 *pos, size_t payload_len, u8 *ta)
276 {
277         u8 rc4key[16];
278
279         ieee80211_tkip_gen_rc4key(key, ta, rc4key);
280         pos = ieee80211_tkip_add_iv(pos, key, rc4key[0], rc4key[1], rc4key[2]);
281         ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len);
282 }
283
284
285 /* Decrypt packet payload with TKIP using @key. @pos is a pointer to the
286  * beginning of the buffer containing IEEE 802.11 header payload, i.e.,
287  * including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
288  * length of payload, including IV, Ext. IV, MIC, ICV.  */
289 int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
290                                 struct ieee80211_key *key,
291                                 u8 *payload, size_t payload_len, u8 *ta,
292                                 u8 *ra, int only_iv, int queue,
293                                 u32 *out_iv32, u16 *out_iv16)
294 {
295         u32 iv32;
296         u32 iv16;
297         u8 rc4key[16], keyid, *pos = payload;
298         int res;
299
300         if (payload_len < 12)
301                 return -1;
302
303         iv16 = (pos[0] << 8) | pos[2];
304         keyid = pos[3];
305         iv32 = pos[4] | (pos[5] << 8) | (pos[6] << 16) | (pos[7] << 24);
306         pos += 8;
307 #ifdef CONFIG_TKIP_DEBUG
308         {
309                 int i;
310                 printk(KERN_DEBUG "TKIP decrypt: data(len=%zd)", payload_len);
311                 for (i = 0; i < payload_len; i++)
312                         printk(" %02x", payload[i]);
313                 printk("\n");
314                 printk(KERN_DEBUG "TKIP decrypt: iv16=%04x iv32=%08x\n",
315                        iv16, iv32);
316         }
317 #endif /* CONFIG_TKIP_DEBUG */
318
319         if (!(keyid & (1 << 5)))
320                 return TKIP_DECRYPT_NO_EXT_IV;
321
322         if ((keyid >> 6) != key->conf.keyidx)
323                 return TKIP_DECRYPT_INVALID_KEYIDX;
324
325         if (key->u.tkip.rx_initialized[queue] &&
326             (iv32 < key->u.tkip.iv32_rx[queue] ||
327              (iv32 == key->u.tkip.iv32_rx[queue] &&
328               iv16 <= key->u.tkip.iv16_rx[queue]))) {
329 #ifdef CONFIG_TKIP_DEBUG
330                 DECLARE_MAC_BUF(mac);
331                 printk(KERN_DEBUG "TKIP replay detected for RX frame from "
332                        "%s (RX IV (%04x,%02x) <= prev. IV (%04x,%02x)\n",
333                        print_mac(mac, ta),
334                        iv32, iv16, key->u.tkip.iv32_rx[queue],
335                        key->u.tkip.iv16_rx[queue]);
336 #endif /* CONFIG_TKIP_DEBUG */
337                 return TKIP_DECRYPT_REPLAY;
338         }
339
340         if (only_iv) {
341                 res = TKIP_DECRYPT_OK;
342                 key->u.tkip.rx_initialized[queue] = 1;
343                 goto done;
344         }
345
346         if (!key->u.tkip.rx_initialized[queue] ||
347             key->u.tkip.iv32_rx[queue] != iv32) {
348                 key->u.tkip.rx_initialized[queue] = 1;
349                 /* IV16 wrapped around - perform TKIP phase 1 */
350                 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
351                                    iv32, key->u.tkip.p1k_rx[queue]);
352 #ifdef CONFIG_TKIP_DEBUG
353                 {
354                         int i;
355                         DECLARE_MAC_BUF(mac);
356                         printk(KERN_DEBUG "TKIP decrypt: Phase1 TA=%s"
357                                " TK=", print_mac(mac, ta));
358                         for (i = 0; i < 16; i++)
359                                 printk("%02x ",
360                                        key->conf.key[
361                                                 ALG_TKIP_TEMP_ENCR_KEY + i]);
362                         printk("\n");
363                         printk(KERN_DEBUG "TKIP decrypt: P1K=");
364                         for (i = 0; i < 5; i++)
365                                 printk("%04x ", key->u.tkip.p1k_rx[queue][i]);
366                         printk("\n");
367                 }
368 #endif /* CONFIG_TKIP_DEBUG */
369                 if (key->local->ops->update_tkip_key &&
370                         key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) {
371                         u8 bcast[ETH_ALEN] =
372                                 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
373                         u8 *sta_addr = key->sta->addr;
374
375                         if (is_multicast_ether_addr(ra))
376                                 sta_addr = bcast;
377
378                         key->local->ops->update_tkip_key(
379                                 local_to_hw(key->local), &key->conf,
380                                 sta_addr, iv32, key->u.tkip.p1k_rx[queue]);
381                 }
382         }
383
384         tkip_mixing_phase2(key->u.tkip.p1k_rx[queue],
385                            &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
386                            iv16, rc4key);
387 #ifdef CONFIG_TKIP_DEBUG
388         {
389                 int i;
390                 printk(KERN_DEBUG "TKIP decrypt: Phase2 rc4key=");
391                 for (i = 0; i < 16; i++)
392                         printk("%02x ", rc4key[i]);
393                 printk("\n");
394         }
395 #endif /* CONFIG_TKIP_DEBUG */
396
397         res = ieee80211_wep_decrypt_data(tfm, rc4key, 16, pos, payload_len - 12);
398  done:
399         if (res == TKIP_DECRYPT_OK) {
400                 /*
401                  * Record previously received IV, will be copied into the
402                  * key information after MIC verification. It is possible
403                  * that we don't catch replays of fragments but that's ok
404                  * because the Michael MIC verication will then fail.
405                  */
406                 *out_iv32 = iv32;
407                 *out_iv16 = iv16;
408         }
409
410         return res;
411 }
412
413