2 * Copyright 2002-2004, Instant802 Networks, Inc.
3 * Copyright 2005, Devicescape Software, Inc.
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 #include <linux/kernel.h>
11 #include <linux/types.h>
12 #include <linux/netdevice.h>
14 #include <net/mac80211.h>
20 /* TKIP key mixing functions */
23 #define PHASE1_LOOP_COUNT 8
26 /* 2-byte by 2-byte subset of the full AES S-box table; second part of this
27 * table is identical to first part but byte-swapped */
28 static const u16 tkip_sbox[256] =
30 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
31 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
32 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
33 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
34 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
35 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
36 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
37 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
38 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
39 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
40 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
41 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
42 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
43 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
44 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
45 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
46 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
47 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
48 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
49 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
50 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
51 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
52 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
53 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
54 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
55 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
56 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
57 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
58 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
59 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
60 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
61 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
65 static inline u16 Mk16(u8 x, u8 y)
67 return ((u16) x << 8) | (u16) y;
71 static inline u8 Hi8(u16 v)
77 static inline u8 Lo8(u16 v)
83 static inline u16 Hi16(u32 v)
89 static inline u16 Lo16(u32 v)
95 static inline u16 RotR1(u16 v)
97 return (v >> 1) | ((v & 0x0001) << 15);
101 static inline u16 tkip_S(u16 val)
103 u16 a = tkip_sbox[Hi8(val)];
105 return tkip_sbox[Lo8(val)] ^ Hi8(a) ^ (Lo8(a) << 8);
110 /* P1K := Phase1(TA, TK, TSC)
111 * TA = transmitter address (48 bits)
112 * TK = dot11DefaultKeyValue or dot11KeyMappingValue (128 bits)
113 * TSC = TKIP sequence counter (48 bits, only 32 msb bits used)
116 static void tkip_mixing_phase1(const u8 *ta, const u8 *tk, u32 tsc_IV32,
121 p1k[0] = Lo16(tsc_IV32);
122 p1k[1] = Hi16(tsc_IV32);
123 p1k[2] = Mk16(ta[1], ta[0]);
124 p1k[3] = Mk16(ta[3], ta[2]);
125 p1k[4] = Mk16(ta[5], ta[4]);
127 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
129 p1k[0] += tkip_S(p1k[4] ^ Mk16(tk[ 1 + j], tk[ 0 + j]));
130 p1k[1] += tkip_S(p1k[0] ^ Mk16(tk[ 5 + j], tk[ 4 + j]));
131 p1k[2] += tkip_S(p1k[1] ^ Mk16(tk[ 9 + j], tk[ 8 + j]));
132 p1k[3] += tkip_S(p1k[2] ^ Mk16(tk[13 + j], tk[12 + j]));
133 p1k[4] += tkip_S(p1k[3] ^ Mk16(tk[ 1 + j], tk[ 0 + j])) + i;
138 static void tkip_mixing_phase2(const u16 *p1k, const u8 *tk, u16 tsc_IV16,
149 ppk[5] = p1k[4] + tsc_IV16;
151 ppk[0] += tkip_S(ppk[5] ^ Mk16(tk[ 1], tk[ 0]));
152 ppk[1] += tkip_S(ppk[0] ^ Mk16(tk[ 3], tk[ 2]));
153 ppk[2] += tkip_S(ppk[1] ^ Mk16(tk[ 5], tk[ 4]));
154 ppk[3] += tkip_S(ppk[2] ^ Mk16(tk[ 7], tk[ 6]));
155 ppk[4] += tkip_S(ppk[3] ^ Mk16(tk[ 9], tk[ 8]));
156 ppk[5] += tkip_S(ppk[4] ^ Mk16(tk[11], tk[10]));
157 ppk[0] += RotR1(ppk[5] ^ Mk16(tk[13], tk[12]));
158 ppk[1] += RotR1(ppk[0] ^ Mk16(tk[15], tk[14]));
159 ppk[2] += RotR1(ppk[1]);
160 ppk[3] += RotR1(ppk[2]);
161 ppk[4] += RotR1(ppk[3]);
162 ppk[5] += RotR1(ppk[4]);
164 rc4key[0] = Hi8(tsc_IV16);
165 rc4key[1] = (Hi8(tsc_IV16) | 0x20) & 0x7f;
166 rc4key[2] = Lo8(tsc_IV16);
167 rc4key[3] = Lo8((ppk[5] ^ Mk16(tk[1], tk[0])) >> 1);
169 for (i = 0; i < 6; i++) {
170 rc4key[4 + 2 * i] = Lo8(ppk[i]);
171 rc4key[5 + 2 * i] = Hi8(ppk[i]);
176 /* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
177 * of the IV. Returns pointer to the octet following IVs (i.e., beginning of
178 * the packet payload). */
179 u8 * ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key,
180 u8 iv0, u8 iv1, u8 iv2)
185 *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */;
186 *pos++ = key->u.tkip.iv32 & 0xff;
187 *pos++ = (key->u.tkip.iv32 >> 8) & 0xff;
188 *pos++ = (key->u.tkip.iv32 >> 16) & 0xff;
189 *pos++ = (key->u.tkip.iv32 >> 24) & 0xff;
194 void ieee80211_tkip_gen_phase1key(struct ieee80211_key *key, u8 *ta,
197 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
198 key->u.tkip.iv32, phase1key);
201 void ieee80211_tkip_gen_rc4key(struct ieee80211_key *key, u8 *ta,
204 /* Calculate per-packet key */
205 if (key->u.tkip.iv16 == 0 || !key->u.tkip.tx_initialized) {
206 /* IV16 wrapped around - perform TKIP phase 1 */
207 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
208 key->u.tkip.iv32, key->u.tkip.p1k);
209 key->u.tkip.tx_initialized = 1;
212 tkip_mixing_phase2(key->u.tkip.p1k,
213 &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
214 key->u.tkip.iv16, rc4key);
217 void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf,
218 struct sk_buff *skb, enum ieee80211_tkip_key_type type,
221 struct ieee80211_key *key = (struct ieee80211_key *)
222 container_of(keyconf, struct ieee80211_key, conf);
223 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
224 u8 *data = (u8 *) hdr;
225 u16 fc = le16_to_cpu(hdr->frame_control);
226 int hdr_len = ieee80211_get_hdrlen(fc);
231 iv16 = data[hdr_len] << 8;
232 iv16 += data[hdr_len + 2];
233 iv32 = data[hdr_len + 4] | (data[hdr_len + 5] << 8) |
234 (data[hdr_len + 6] << 16) | (data[hdr_len + 7] << 24);
236 #ifdef CONFIG_TKIP_DEBUG
237 printk(KERN_DEBUG "TKIP encrypt: iv16 = 0x%04x, iv32 = 0x%08x\n",
240 if (iv32 != key->u.tkip.iv32) {
241 printk(KERN_DEBUG "skb: iv32 = 0x%08x key: iv32 = 0x%08x\n",
242 iv32, key->u.tkip.iv32);
243 printk(KERN_DEBUG "Wrap around of iv16 in the middle of a "
244 "fragmented packet\n");
246 #endif /* CONFIG_TKIP_DEBUG */
248 /* Update the p1k only when the iv16 in the packet wraps around, this
249 * might occur after the wrap around of iv16 in the key in case of
250 * fragmented packets. */
251 if (iv16 == 0 || !key->u.tkip.tx_initialized) {
252 /* IV16 wrapped around - perform TKIP phase 1 */
253 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
254 iv32, key->u.tkip.p1k);
255 key->u.tkip.tx_initialized = 1;
258 if (type == IEEE80211_TKIP_P1_KEY) {
259 memcpy(outkey, key->u.tkip.p1k, sizeof(u16) * 5);
263 tkip_mixing_phase2(key->u.tkip.p1k,
264 &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY], iv16, outkey);
266 EXPORT_SYMBOL(ieee80211_get_tkip_key);
268 /* Encrypt packet payload with TKIP using @key. @pos is a pointer to the
269 * beginning of the buffer containing payload. This payload must include
270 * headroom of eight octets for IV and Ext. IV and taildroom of four octets
271 * for ICV. @payload_len is the length of payload (_not_ including extra
272 * headroom and tailroom). @ta is the transmitter addresses. */
273 void ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
274 struct ieee80211_key *key,
275 u8 *pos, size_t payload_len, u8 *ta)
279 ieee80211_tkip_gen_rc4key(key, ta, rc4key);
280 pos = ieee80211_tkip_add_iv(pos, key, rc4key[0], rc4key[1], rc4key[2]);
281 ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len);
285 /* Decrypt packet payload with TKIP using @key. @pos is a pointer to the
286 * beginning of the buffer containing IEEE 802.11 header payload, i.e.,
287 * including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
288 * length of payload, including IV, Ext. IV, MIC, ICV. */
289 int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
290 struct ieee80211_key *key,
291 u8 *payload, size_t payload_len, u8 *ta,
292 u8 *ra, int only_iv, int queue,
293 u32 *out_iv32, u16 *out_iv16)
297 u8 rc4key[16], keyid, *pos = payload;
300 if (payload_len < 12)
303 iv16 = (pos[0] << 8) | pos[2];
305 iv32 = pos[4] | (pos[5] << 8) | (pos[6] << 16) | (pos[7] << 24);
307 #ifdef CONFIG_TKIP_DEBUG
310 printk(KERN_DEBUG "TKIP decrypt: data(len=%zd)", payload_len);
311 for (i = 0; i < payload_len; i++)
312 printk(" %02x", payload[i]);
314 printk(KERN_DEBUG "TKIP decrypt: iv16=%04x iv32=%08x\n",
317 #endif /* CONFIG_TKIP_DEBUG */
319 if (!(keyid & (1 << 5)))
320 return TKIP_DECRYPT_NO_EXT_IV;
322 if ((keyid >> 6) != key->conf.keyidx)
323 return TKIP_DECRYPT_INVALID_KEYIDX;
325 if (key->u.tkip.rx_initialized[queue] &&
326 (iv32 < key->u.tkip.iv32_rx[queue] ||
327 (iv32 == key->u.tkip.iv32_rx[queue] &&
328 iv16 <= key->u.tkip.iv16_rx[queue]))) {
329 #ifdef CONFIG_TKIP_DEBUG
330 DECLARE_MAC_BUF(mac);
331 printk(KERN_DEBUG "TKIP replay detected for RX frame from "
332 "%s (RX IV (%04x,%02x) <= prev. IV (%04x,%02x)\n",
334 iv32, iv16, key->u.tkip.iv32_rx[queue],
335 key->u.tkip.iv16_rx[queue]);
336 #endif /* CONFIG_TKIP_DEBUG */
337 return TKIP_DECRYPT_REPLAY;
341 res = TKIP_DECRYPT_OK;
342 key->u.tkip.rx_initialized[queue] = 1;
346 if (!key->u.tkip.rx_initialized[queue] ||
347 key->u.tkip.iv32_rx[queue] != iv32) {
348 key->u.tkip.rx_initialized[queue] = 1;
349 /* IV16 wrapped around - perform TKIP phase 1 */
350 tkip_mixing_phase1(ta, &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
351 iv32, key->u.tkip.p1k_rx[queue]);
352 #ifdef CONFIG_TKIP_DEBUG
355 DECLARE_MAC_BUF(mac);
356 printk(KERN_DEBUG "TKIP decrypt: Phase1 TA=%s"
357 " TK=", print_mac(mac, ta));
358 for (i = 0; i < 16; i++)
361 ALG_TKIP_TEMP_ENCR_KEY + i]);
363 printk(KERN_DEBUG "TKIP decrypt: P1K=");
364 for (i = 0; i < 5; i++)
365 printk("%04x ", key->u.tkip.p1k_rx[queue][i]);
368 #endif /* CONFIG_TKIP_DEBUG */
369 if (key->local->ops->update_tkip_key &&
370 key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE) {
372 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
373 u8 *sta_addr = key->sta->addr;
375 if (is_multicast_ether_addr(ra))
378 key->local->ops->update_tkip_key(
379 local_to_hw(key->local), &key->conf,
380 sta_addr, iv32, key->u.tkip.p1k_rx[queue]);
384 tkip_mixing_phase2(key->u.tkip.p1k_rx[queue],
385 &key->conf.key[ALG_TKIP_TEMP_ENCR_KEY],
387 #ifdef CONFIG_TKIP_DEBUG
390 printk(KERN_DEBUG "TKIP decrypt: Phase2 rc4key=");
391 for (i = 0; i < 16; i++)
392 printk("%02x ", rc4key[i]);
395 #endif /* CONFIG_TKIP_DEBUG */
397 res = ieee80211_wep_decrypt_data(tfm, rc4key, 16, pos, payload_len - 12);
399 if (res == TKIP_DECRYPT_OK) {
401 * Record previously received IV, will be copied into the
402 * key information after MIC verification. It is possible
403 * that we don't catch replays of fragments but that's ok
404 * because the Michael MIC verication will then fail.