1 /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.33 2021/03/10 10:21:48 jsg Exp $ */
2
3 /*-
4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 /*
20 * This code implements the Temporal Key Integrity Protocol (TKIP) defined
21 * in IEEE Std 802.11-2007 section 8.3.2.
22 */
23
24 #include <sys/param.h>
25 #include <sys/systm.h>
26 #include <sys/mbuf.h>
27 #include <sys/malloc.h>
28 #include <sys/kernel.h>
29 #include <sys/socket.h>
30 #include <sys/endian.h>
31 #include <sys/syslog.h>
32
33 #include <net/if.h>
34 #include <net/if_dl.h>
35 #include <net/if_media.h>
36
37 #include <netinet/in.h>
38 #include <netinet/if_ether.h>
39
40 #include <net80211/ieee80211_var.h>
41 #include <net80211/ieee80211_crypto.h>
42
43 #include <crypto/arc4.h>
44 #include <crypto/michael.h>
45
46 typedef u_int8_t byte; /* 8-bit byte (octet) */
47 typedef u_int16_t u16b; /* 16-bit unsigned word */
48 typedef u_int32_t u32b; /* 32-bit unsigned word */
49
50 static void Phase1(u16b *, const byte *, const byte *, u32b);
51 static void Phase2(byte *, const byte *, const u16b *, u16b);
52
53 /* TKIP software crypto context */
54 struct ieee80211_tkip_ctx {
55 struct rc4_ctx rc4;
56 const u_int8_t *txmic;
57 const u_int8_t *rxmic;
58 u_int16_t txttak[5];
59 u_int16_t rxttak[5];
60 u_int8_t txttak_ok;
61 u_int8_t rxttak_ok;
62 };
63
64 /*
65 * Initialize software crypto context. This function can be overridden
66 * by drivers doing hardware crypto.
67 */
68 int
ieee80211_tkip_set_key(struct ieee80211com * ic,struct ieee80211_key * k)69 ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k)
70 {
71 struct ieee80211_tkip_ctx *ctx;
72
73 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
74 if (ctx == NULL)
75 return ENOMEM;
76 /*
77 * Use bits 128-191 as the Michael key for AA->SPA and bits
78 * 192-255 as the Michael key for SPA->AA.
79 */
80 #ifndef IEEE80211_STA_ONLY
81 if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
82 ctx->txmic = &k->k_key[16];
83 ctx->rxmic = &k->k_key[24];
84 } else
85 #endif
86 {
87 ctx->rxmic = &k->k_key[16];
88 ctx->txmic = &k->k_key[24];
89 }
90 k->k_priv = ctx;
91 return 0;
92 }
93
94 void
ieee80211_tkip_delete_key(struct ieee80211com * ic,struct ieee80211_key * k)95 ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k)
96 {
97 if (k->k_priv != NULL) {
98 explicit_bzero(k->k_priv, sizeof(struct ieee80211_tkip_ctx));
99 free(k->k_priv, M_DEVBUF, sizeof(struct ieee80211_tkip_ctx));
100 }
101 k->k_priv = NULL;
102 }
103
104 /* pseudo-header used for TKIP MIC computation */
105 struct ieee80211_tkip_frame {
106 u_int8_t i_da[IEEE80211_ADDR_LEN];
107 u_int8_t i_sa[IEEE80211_ADDR_LEN];
108 u_int8_t i_pri;
109 u_int8_t i_pad[3];
110 } __packed;
111
112 /*
113 * Compute TKIP MIC over an mbuf chain starting "off" bytes from the
114 * beginning. This function should be kept independent from the software
115 * TKIP crypto code so that drivers doing hardware crypto but not MIC can
116 * call it without a software crypto context.
117 */
118 void
ieee80211_tkip_mic(struct mbuf * m0,int off,const u_int8_t * key,u_int8_t mic[IEEE80211_TKIP_MICLEN])119 ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key,
120 u_int8_t mic[IEEE80211_TKIP_MICLEN])
121 {
122 const struct ieee80211_frame *wh;
123 struct ieee80211_tkip_frame wht;
124 MICHAEL_CTX ctx; /* small enough */
125 struct mbuf *m;
126 caddr_t pos;
127 int len;
128
129 /* assumes 802.11 header is contiguous */
130 wh = mtod(m0, struct ieee80211_frame *);
131
132 /* construct pseudo-header for TKIP MIC computation */
133 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
134 case IEEE80211_FC1_DIR_NODS:
135 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1);
136 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2);
137 break;
138 case IEEE80211_FC1_DIR_TODS:
139 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3);
140 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2);
141 break;
142 case IEEE80211_FC1_DIR_FROMDS:
143 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1);
144 IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3);
145 break;
146 case IEEE80211_FC1_DIR_DSTODS:
147 IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3);
148 IEEE80211_ADDR_COPY(wht.i_sa,
149 ((const struct ieee80211_frame_addr4 *)wh)->i_addr4);
150 break;
151 }
152 if (ieee80211_has_qos(wh))
153 wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID;
154 else
155 wht.i_pri = 0;
156 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0;
157
158 michael_init(&ctx);
159 michael_key(key, &ctx);
160
161 michael_update(&ctx, (caddr_t)&wht, sizeof(wht));
162
163 m = m0;
164 /* assumes the first "off" bytes are contiguous */
165 pos = mtod(m, caddr_t) + off;
166 len = m->m_len - off;
167 for (;;) {
168 michael_update(&ctx, pos, len);
169 if ((m = m->m_next) == NULL)
170 break;
171 pos = mtod(m, caddr_t);
172 len = m->m_len;
173 }
174
175 michael_final(mic, &ctx);
176 }
177
178 /* shortcuts */
179 #define IEEE80211_TKIP_TAILLEN \
180 (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN)
181 #define IEEE80211_TKIP_OVHD \
182 (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN)
183
184 struct mbuf *
ieee80211_tkip_encrypt(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_key * k)185 ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0,
186 struct ieee80211_key *k)
187 {
188 struct ieee80211_tkip_ctx *ctx = k->k_priv;
189 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */
190 const struct ieee80211_frame *wh;
191 u_int8_t *ivp, *mic, *icvp;
192 struct mbuf *n0, *m, *n;
193 u_int32_t crc;
194 int left, moff, noff, len, hdrlen;
195
196 MGET(n0, M_DONTWAIT, m0->m_type);
197 if (n0 == NULL)
198 goto nospace;
199 if (m_dup_pkthdr(n0, m0, M_DONTWAIT))
200 goto nospace;
201 n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN;
202 n0->m_len = MHLEN;
203 if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
204 MCLGET(n0, M_DONTWAIT);
205 if (n0->m_flags & M_EXT)
206 n0->m_len = n0->m_ext.ext_size;
207 }
208 if (n0->m_len > n0->m_pkthdr.len)
209 n0->m_len = n0->m_pkthdr.len;
210
211 /* copy 802.11 header */
212 wh = mtod(m0, struct ieee80211_frame *);
213 hdrlen = ieee80211_get_hdrlen(wh);
214 memcpy(mtod(n0, caddr_t), wh, hdrlen);
215
216 k->k_tsc++; /* increment the 48-bit TSC */
217
218 /* construct TKIP header */
219 ivp = mtod(n0, u_int8_t *) + hdrlen;
220 ivp[0] = k->k_tsc >> 8; /* TSC1 */
221 /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */
222 ivp[1] = (ivp[0] | 0x20) & 0x7f;
223 ivp[2] = k->k_tsc; /* TSC0 */
224 ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */
225 ivp[4] = k->k_tsc >> 16; /* TSC2 */
226 ivp[5] = k->k_tsc >> 24; /* TSC3 */
227 ivp[6] = k->k_tsc >> 32; /* TSC4 */
228 ivp[7] = k->k_tsc >> 40; /* TSC5 */
229
230 /* compute WEP seed */
231 if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) {
232 Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16);
233 ctx->txttak_ok = 1;
234 }
235 Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff);
236 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16);
237 explicit_bzero(wepseed, sizeof(wepseed));
238
239 /* encrypt frame body and compute WEP ICV */
240 m = m0;
241 n = n0;
242 moff = hdrlen;
243 noff = hdrlen + IEEE80211_TKIP_HDRLEN;
244 left = m0->m_pkthdr.len - moff;
245 crc = ~0;
246 while (left > 0) {
247 if (moff == m->m_len) {
248 /* nothing left to copy from m */
249 m = m->m_next;
250 moff = 0;
251 }
252 if (noff == n->m_len) {
253 /* n is full and there's more data to copy */
254 MGET(n->m_next, M_DONTWAIT, n->m_type);
255 if (n->m_next == NULL)
256 goto nospace;
257 n = n->m_next;
258 n->m_len = MLEN;
259 if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
260 MCLGET(n, M_DONTWAIT);
261 if (n->m_flags & M_EXT)
262 n->m_len = n->m_ext.ext_size;
263 }
264 if (n->m_len > left)
265 n->m_len = left;
266 noff = 0;
267 }
268 len = min(m->m_len - moff, n->m_len - noff);
269
270 crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len);
271 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff,
272 mtod(n, caddr_t) + noff, len);
273
274 moff += len;
275 noff += len;
276 left -= len;
277 }
278
279 /* reserve trailing space for TKIP MIC and WEP ICV */
280 if (m_trailingspace(n) < IEEE80211_TKIP_TAILLEN) {
281 MGET(n->m_next, M_DONTWAIT, n->m_type);
282 if (n->m_next == NULL)
283 goto nospace;
284 n = n->m_next;
285 n->m_len = 0;
286 }
287
288 /* compute TKIP MIC over clear text */
289 mic = mtod(n, caddr_t) + n->m_len;
290 ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic);
291 crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN);
292 rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN);
293 n->m_len += IEEE80211_TKIP_MICLEN;
294
295 /* finalize WEP ICV */
296 icvp = mtod(n, caddr_t) + n->m_len;
297 crc = ~crc;
298 icvp[0] = crc;
299 icvp[1] = crc >> 8;
300 icvp[2] = crc >> 16;
301 icvp[3] = crc >> 24;
302 rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN);
303 n->m_len += IEEE80211_WEP_CRCLEN;
304
305 n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN;
306
307 m_freem(m0);
308 return n0;
309 nospace:
310 ic->ic_stats.is_tx_nombuf++;
311 m_freem(m0);
312 m_freem(n0);
313 return NULL;
314 }
315
316 int
ieee80211_tkip_get_tsc(uint64_t * tsc,uint64_t ** prsc,struct mbuf * m,struct ieee80211_key * k)317 ieee80211_tkip_get_tsc(uint64_t *tsc, uint64_t **prsc, struct mbuf *m,
318 struct ieee80211_key *k)
319 {
320 struct ieee80211_frame *wh;
321 int hdrlen;
322 u_int8_t tid;
323 const u_int8_t *ivp;
324
325 wh = mtod(m, struct ieee80211_frame *);
326 hdrlen = ieee80211_get_hdrlen(wh);
327
328 if (m->m_pkthdr.len < hdrlen + IEEE80211_TKIP_HDRLEN)
329 return EINVAL;
330
331 ivp = (u_int8_t *)wh + hdrlen;
332 /* check that ExtIV bit is set */
333 if (!(ivp[3] & IEEE80211_WEP_EXTIV))
334 return EINVAL;
335
336 /* Retrieve last seen packet number for this frame priority. */
337 tid = ieee80211_has_qos(wh) ?
338 ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0;
339 *prsc = &k->k_rsc[tid];
340
341 /* extract the 48-bit TSC from the TKIP header */
342 *tsc = (u_int64_t)ivp[2] |
343 (u_int64_t)ivp[0] << 8 |
344 (u_int64_t)ivp[4] << 16 |
345 (u_int64_t)ivp[5] << 24 |
346 (u_int64_t)ivp[6] << 32 |
347 (u_int64_t)ivp[7] << 40;
348
349 return 0;
350 }
351
352 struct mbuf *
ieee80211_tkip_decrypt(struct ieee80211com * ic,struct mbuf * m0,struct ieee80211_key * k)353 ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
354 struct ieee80211_key *k)
355 {
356 struct ieee80211_tkip_ctx *ctx = k->k_priv;
357 struct ieee80211_frame *wh;
358 u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */
359 u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN];
360 u_int8_t mic[IEEE80211_TKIP_MICLEN];
361 u_int64_t tsc, *prsc;
362 u_int32_t crc, crc0;
363 u_int8_t *mic0;
364 struct mbuf *n0, *m, *n;
365 int hdrlen, left, moff, noff, len;
366
367 wh = mtod(m0, struct ieee80211_frame *);
368 hdrlen = ieee80211_get_hdrlen(wh);
369
370 if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) {
371 m_freem(m0);
372 return NULL;
373 }
374
375 /*
376 * Get the frame's Transmit Sequence Counter (TSC), and a pointer to
377 * our last-seen Receive Sequence Counter (RSC) with which we can
378 * detect replays.
379 */
380 if (ieee80211_tkip_get_tsc(&tsc, &prsc, m0, k) != 0) {
381 m_freem(m0);
382 return NULL;
383 }
384 if (tsc <= *prsc) {
385 /* replayed frame, discard */
386 ic->ic_stats.is_tkip_replays++;
387 m_freem(m0);
388 return NULL;
389 }
390
391 MGET(n0, M_DONTWAIT, m0->m_type);
392 if (n0 == NULL)
393 goto nospace;
394 if (m_dup_pkthdr(n0, m0, M_DONTWAIT))
395 goto nospace;
396 n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD;
397 n0->m_len = MHLEN;
398 if (n0->m_pkthdr.len >= MINCLSIZE) {
399 MCLGET(n0, M_DONTWAIT);
400 if (n0->m_flags & M_EXT)
401 n0->m_len = n0->m_ext.ext_size;
402 }
403 if (n0->m_len > n0->m_pkthdr.len)
404 n0->m_len = n0->m_pkthdr.len;
405
406 /* copy 802.11 header and clear protected bit */
407 memcpy(mtod(n0, caddr_t), wh, hdrlen);
408 wh = mtod(n0, struct ieee80211_frame *);
409 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
410
411 /* compute WEP seed */
412 if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) {
413 ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */
414 Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16);
415 }
416 Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff);
417 rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16);
418 explicit_bzero(wepseed, sizeof(wepseed));
419
420 /* decrypt frame body and compute WEP ICV */
421 m = m0;
422 n = n0;
423 moff = hdrlen + IEEE80211_TKIP_HDRLEN;
424 noff = hdrlen;
425 left = n0->m_pkthdr.len - noff;
426 crc = ~0;
427 while (left > 0) {
428 if (moff == m->m_len) {
429 /* nothing left to copy from m */
430 m = m->m_next;
431 moff = 0;
432 }
433 if (noff == n->m_len) {
434 /* n is full and there's more data to copy */
435 MGET(n->m_next, M_DONTWAIT, n->m_type);
436 if (n->m_next == NULL)
437 goto nospace;
438 n = n->m_next;
439 n->m_len = MLEN;
440 if (left >= MINCLSIZE) {
441 MCLGET(n, M_DONTWAIT);
442 if (n->m_flags & M_EXT)
443 n->m_len = n->m_ext.ext_size;
444 }
445 if (n->m_len > left)
446 n->m_len = left;
447 noff = 0;
448 }
449 len = min(m->m_len - moff, n->m_len - noff);
450
451 rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff,
452 mtod(n, caddr_t) + noff, len);
453 crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len);
454
455 moff += len;
456 noff += len;
457 left -= len;
458 }
459
460 /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */
461 m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf);
462 rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN);
463
464 /* include TKIP MIC in WEP ICV */
465 mic0 = buf;
466 crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN);
467 crc = ~crc;
468
469 /* decrypt ICV and compare it with calculated ICV */
470 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN);
471 if (crc != letoh32(crc0)) {
472 ic->ic_stats.is_tkip_icv_errs++;
473 m_freem(m0);
474 m_freem(n0);
475 return NULL;
476 }
477
478 /* compute TKIP MIC over decrypted message */
479 ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic);
480 /* check that it matches the MIC in received frame */
481 if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) {
482 m_freem(m0);
483 m_freem(n0);
484 ic->ic_stats.is_rx_locmicfail++;
485 ieee80211_michael_mic_failure(ic, tsc);
486 return NULL;
487 }
488
489 /* update last seen packet number (MIC is validated) */
490 *prsc = tsc;
491 /* mark cached TTAK as valid */
492 ctx->rxttak_ok = 1;
493
494 m_freem(m0);
495 return n0;
496 nospace:
497 ic->ic_stats.is_rx_nombuf++;
498 m_freem(m0);
499 m_freem(n0);
500 return NULL;
501 }
502
503 #ifndef IEEE80211_STA_ONLY
504 /*
505 * This function is called in HostAP mode to deauthenticate all STAs using
506 * TKIP as their pairwise or group cipher (as part of TKIP countermeasures).
507 */
508 static void
ieee80211_tkip_deauth(void * arg,struct ieee80211_node * ni)509 ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni)
510 {
511 struct ieee80211com *ic = arg;
512
513 if (ni->ni_state == IEEE80211_STA_ASSOC &&
514 (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP ||
515 ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) {
516 /* deauthenticate STA */
517 IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
518 IEEE80211_REASON_MIC_FAILURE);
519 ieee80211_node_leave(ic, ni);
520 }
521 }
522
523 void
ieee80211_michael_mic_failure_timeout(void * arg)524 ieee80211_michael_mic_failure_timeout(void *arg)
525 {
526 struct ieee80211com *ic = arg;
527
528 /* Disable TKIP countermeasures. */
529 ic->ic_flags &= ~IEEE80211_F_COUNTERM;
530 }
531 #endif /* IEEE80211_STA_ONLY */
532
533 /*
534 * This function can be called by the software TKIP crypto code or by the
535 * drivers when their hardware crypto engines detect a Michael MIC failure.
536 */
537 void
ieee80211_michael_mic_failure(struct ieee80211com * ic,u_int64_t tsc)538 ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc)
539 {
540 time_t now;
541 #ifndef IEEE80211_STA_ONLY
542 int sec;
543 #endif
544
545 if (ic->ic_flags & IEEE80211_F_COUNTERM)
546 return; /* countermeasures already active */
547
548 log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname);
549
550 /*
551 * NB. do not send Michael MIC Failure reports as recommended since
552 * these may be used as an oracle to verify CRC guesses as described
553 * in Beck, M. and Tews S. "Practical attacks against WEP and WPA"
554 * http://dl.aircrack-ng.org/breakingwepandwpa.pdf
555 */
556
557 /*
558 * Activate TKIP countermeasures (see 802.11-2012 11.4.2.4) if less than
559 * 60 seconds have passed since the most recent previous MIC failure.
560 */
561 now = getuptime();
562 if (ic->ic_tkip_micfail == 0 || ic->ic_tkip_micfail + 60 >= now) {
563 ic->ic_tkip_micfail = now;
564 ic->ic_tkip_micfail_last_tsc = tsc;
565 return;
566 }
567
568 switch (ic->ic_opmode) {
569 #ifndef IEEE80211_STA_ONLY
570 case IEEE80211_M_HOSTAP:
571 /* refuse new TKIP associations for at least 60 seconds */
572 ic->ic_flags |= IEEE80211_F_COUNTERM;
573 sec = 60 + arc4random_uniform(30);
574 log(LOG_WARNING, "%s: HostAP will be disabled for %d seconds "
575 "as a countermeasure against TKIP key cracking attempts\n",
576 ic->ic_if.if_xname, sec);
577 timeout_add_sec(&ic->ic_tkip_micfail_timeout, sec);
578
579 /* deauthenticate all currently associated STAs using TKIP */
580 ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic);
581
582 /* schedule a GTK change */
583 timeout_add_sec(&ic->ic_rsn_timeout, 1);
584 break;
585 #endif
586 case IEEE80211_M_STA:
587 /*
588 * Notify the AP of MIC failures: send two Michael
589 * MIC Failure Report frames back-to-back to trigger
590 * countermeasures at the AP end.
591 */
592 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss,
593 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE,
594 ic->ic_tkip_micfail_last_tsc);
595 (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss,
596 EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE,
597 tsc);
598
599 /* deauthenticate from the AP.. */
600 IEEE80211_SEND_MGMT(ic, ic->ic_bss,
601 IEEE80211_FC0_SUBTYPE_DEAUTH,
602 IEEE80211_REASON_MIC_FAILURE);
603 /* ..and find another one */
604 (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
605 break;
606 default:
607 break;
608 }
609
610 ic->ic_tkip_micfail = now;
611 ic->ic_tkip_micfail_last_tsc = tsc;
612 }
613
614 /***********************************************************************
615 Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors
616 Date: April 19, 2002
617 Notes:
618 This code is written for pedagogical purposes, NOT for performance.
619 ************************************************************************/
620
621 /* macros for extraction/creation of byte/u16b values */
622 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
623 #define Lo8(v16) ((byte)( (v16) & 0x00FF))
624 #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF))
625 #define Lo16(v32) ((u16b)( (v32) & 0xFFFF))
626 #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF))
627 #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8))
628
629 /* select the Nth 16-bit word of the Temporal Key byte array TK[] */
630 #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)])
631
632 /* S-box lookup: 16 bits --> 16 bits */
633 #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)]))
634
635 /* fixed algorithm "parameters" */
636 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
637 #define TA_SIZE 6 /* 48-bit transmitter address */
638 #define TK_SIZE 16 /* 128-bit Temporal Key */
639 #define P1K_SIZE 10 /* 80-bit Phase1 key */
640 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */
641
642 /* 2-byte by 2-byte subset of the full AES S-box table */
643 static const u16b Sbox[256]= /* Sbox for hash */
644 {
645 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
646 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
647 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
648 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
649 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
650 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
651 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
652 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
653 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
654 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
655 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
656 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
657 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
658 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
659 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
660 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
661 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
662 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
663 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
664 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
665 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
666 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
667 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
668 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
669 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
670 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
671 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
672 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
673 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
674 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
675 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
676 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A
677 };
678
679 /*
680 **********************************************************************
681 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
682 *
683 * Inputs:
684 * TK[] = Temporal Key [128 bits]
685 * TA[] = transmitter's MAC address [ 48 bits]
686 * IV32 = upper 32 bits of IV [ 32 bits]
687 * Output:
688 * P1K[] = Phase 1 key [ 80 bits]
689 *
690 * Note:
691 * This function only needs to be called every 2**16 frames,
692 * although in theory it could be called every frame.
693 *
694 **********************************************************************
695 */
696 static void
Phase1(u16b * P1K,const byte * TK,const byte * TA,u32b IV32)697 Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32)
698 {
699 int i;
700
701 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
702 P1K[0] = Lo16(IV32);
703 P1K[1] = Hi16(IV32);
704 P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */
705 P1K[3] = Mk16(TA[3], TA[2]);
706 P1K[4] = Mk16(TA[5], TA[4]);
707
708 /* Now compute an unbalanced Feistel cipher with 80-bit block */
709 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
710 for (i = 0; i < PHASE1_LOOP_CNT; i++) {
711 /* Each add operation here is mod 2**16 */
712 P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0));
713 P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2));
714 P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4));
715 P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6));
716 P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0));
717 P1K[4] += i; /* avoid "slide attacks" */
718 }
719 }
720
721 /*
722 **********************************************************************
723 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
724 *
725 * Inputs:
726 * TK[] = Temporal Key [128 bits]
727 * P1K[] = Phase 1 output key [ 80 bits]
728 * IV16 = low 16 bits of IV counter [ 16 bits]
729 * Output:
730 * RC4KEY[] = the key used to encrypt the frame [128 bits]
731 *
732 * Note:
733 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique
734 * across all frames using the same key TK value. Then, for a
735 * given value of TK[], this TKIP48 construction guarantees that
736 * the final RC4KEY value is unique across all frames.
737 *
738 **********************************************************************
739 */
740 static void
Phase2(byte * RC4KEY,const byte * TK,const u16b * P1K,u16b IV16)741 Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16)
742 {
743 u16b *PPK; /* temporary key for mixing */
744 int i;
745
746 /*
747 * Suggested implementation optimization: if PPK[] is "overlaid"
748 * appropriately on RC4KEY[], there is no need for the final for
749 * loop that copies the PPK[] result into RC4KEY[].
750 */
751 PPK = (u16b *)&RC4KEY[4];
752
753 /* all adds in the PPK[] equations below are mod 2**16 */
754 for (i = 0; i < 5; i++)
755 PPK[i] = P1K[i]; /* first, copy P1K to PPK */
756 PPK[5] = P1K[4] + IV16; /* next, add in IV16 */
757
758 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
759 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
760 PPK[1] += _S_(PPK[0] ^ TK16(1));
761 PPK[2] += _S_(PPK[1] ^ TK16(2));
762 PPK[3] += _S_(PPK[2] ^ TK16(3));
763 PPK[4] += _S_(PPK[3] ^ TK16(4));
764 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
765
766 /* Final sweep: bijective, linear. Rotates kill LSB correlations */
767 PPK[0] += RotR1(PPK[5] ^ TK16(6));
768 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
769 PPK[2] += RotR1(PPK[1]);
770 PPK[3] += RotR1(PPK[2]);
771 PPK[4] += RotR1(PPK[3]);
772 PPK[5] += RotR1(PPK[4]);
773
774 /* At this point, for a given key TK[0..15], the 96-bit output */
775 /* value PPK[0..5] is guaranteed to be unique, as a function */
776 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */
777 /* is now a keyed permutation of {TA,IV32,IV16}. */
778 /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */
779 RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */
780 RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */
781 RC4KEY[2] = Lo8(IV16);
782 RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
783
784 #if BYTE_ORDER == BIG_ENDIAN
785 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
786 for (i = 0; i < 6; i++)
787 PPK[i] = swap16(PPK[i]);
788 #endif
789 }
790