root/net80211/ieee80211_crypto.c

DEFINITIONS

1. ieee80211_crypto_attach
2. ieee80211_crypto_detach
3. ieee80211_encrypt
4. ieee80211_decrypt
5. ieee80211_ccmp_encrypt
6. ieee80211_ccmp_decrypt
7. ieee80211_tkip_encrypt
8. ieee80211_tkip_decrypt
9. ieee80211_wep_crypt
10. ieee80211_crc_init
11. ieee80211_crc_update
12. ieee80211_aes_key_wrap
13. ieee80211_aes_key_unwrap
14. ieee80211_hmac_md5_v
15. ieee80211_hmac_md5
16. ieee80211_hmac_sha1_v
17. ieee80211_hmac_sha1
18. ieee80211_prf
19. ieee80211_derive_ptk
20. ieee80211_derive_pmkid
21. ieee80211_derive_gtk
22. ieee80211_eapol_key_mic
23. ieee80211_eapol_key_check_mic
24. ieee80211_eapol_key_encrypt
25. ieee80211_eapol_key_decrypt
26. ieee80211_cipher_keylen

    1 /*      $OpenBSD: ieee80211_crypto.c,v 1.31 2007/08/03 16:51:06 damien Exp $    */
    2 /*      $NetBSD: ieee80211_crypto.c,v 1.5 2003/12/14 09:56:53 dyoung Exp $      */
    4 /*-
    5  * Copyright (c) 2001 Atsushi Onoe
    6  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
    7  * Copyright (c) 2007 Damien Bergamini
    8  * All rights reserved.
    9  *
   10  * Redistribution and use in source and binary forms, with or without
   11  * modification, are permitted provided that the following conditions
   12  * are met:
   13  * 1. Redistributions of source code must retain the above copyright
   14  *    notice, this list of conditions and the following disclaimer.
   15  * 2. Redistributions in binary form must reproduce the above copyright
   16  *    notice, this list of conditions and the following disclaimer in the
   17  *    documentation and/or other materials provided with the distribution.
   18  * 3. The name of the author may not be used to endorse or promote products
   19  *    derived from this software without specific prior written permission.
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   31  */
   33 #include "bpfilter.h"
   35 #include <sys/param.h>
   36 #include <sys/systm.h>
   37 #include <sys/mbuf.h>
   38 #include <sys/malloc.h>
   39 #include <sys/kernel.h>
   40 #include <sys/socket.h>
   41 #include <sys/sockio.h>
   42 #include <sys/endian.h>
   43 #include <sys/errno.h>
   44 #include <sys/proc.h>
   45 #include <sys/sysctl.h>
   47 #include <net/if.h>
   48 #include <net/if_dl.h>
   49 #include <net/if_media.h>
   50 #include <net/if_arp.h>
   51 #include <net/if_llc.h>
   53 #if NBPFILTER > 0
   54 #include <net/bpf.h>
   55 #endif
   57 #ifdef INET
   58 #include <netinet/in.h>
   59 #include <netinet/if_ether.h>
   60 #endif
   62 #include <net80211/ieee80211_var.h>
   64 #include <dev/rndvar.h>
   65 #include <crypto/arc4.h>
   66 #include <crypto/md5.h>
   67 #include <crypto/sha1.h>
   68 #include <crypto/rijndael.h>
   70 struct vector {
   71         const void      *base;
size_t          len;
   73 };
   75 void    ieee80211_crc_init(void);
u_int32_t ieee80211_crc_update(u_int32_t, const u_int8_t *, int);
   77 struct mbuf *ieee80211_ccmp_encrypt(struct ieee80211com *, struct mbuf *,
   78             struct ieee80211_key *);
   79 struct mbuf *ieee80211_ccmp_decrypt(struct ieee80211com *, struct mbuf *,
   80             struct ieee80211_key *);
   81 struct mbuf *ieee80211_tkip_encrypt(struct ieee80211com *, struct mbuf *,
   82             struct ieee80211_key *);
   83 struct mbuf *ieee80211_tkip_decrypt(struct ieee80211com *, struct mbuf *,
   84             struct ieee80211_key *);
   85 void    ieee80211_aes_key_wrap(const u_int8_t *, size_t, const u_int8_t *,
size_t, u_int8_t *);
   87 int     ieee80211_aes_key_unwrap(const u_int8_t *, size_t, const u_int8_t *,
u_int8_t *, size_t);
   89 void    ieee80211_hmac_md5_v(const struct vector *, int, const u_int8_t *,
size_t, u_int8_t digest[]);
   91 void    ieee80211_hmac_md5(const u_int8_t *, size_t, const u_int8_t *, size_t,
u_int8_t digest[]);
   93 void    ieee80211_hmac_sha1_v(const struct vector *, int, const u_int8_t *,
size_t, u_int8_t digest[]);
   95 void    ieee80211_hmac_sha1(const u_int8_t *, size_t, const u_int8_t *, size_t,
u_int8_t digest[]);
   97 void    ieee80211_prf(const u_int8_t *, size_t, struct vector *, int,
u_int8_t *, size_t);
   99 void    ieee80211_derive_pmkid(const u_int8_t *, size_t, const u_int8_t *,
  100             const u_int8_t *, u_int8_t *);
  101 void    ieee80211_derive_gtk(const u_int8_t *, size_t, const u_int8_t *,
  102             const u_int8_t *, u_int8_t *, size_t);
  104 void
ieee80211_crypto_attach(struct ifnet *ifp)
  106 {
  107         struct ieee80211com *ic = (void *)ifp;
ieee80211_crc_init();
  111         /* initialize 256-bit global key counter to a random value */
get_random_bytes(ic->ic_globalcnt, EAPOL_KEY_NONCE_LEN);
  113 }
  115 void
ieee80211_crypto_detach(struct ifnet *ifp)
  117 {
  118         struct ieee80211com *ic = (void *)ifp;
  120         if (ic->ic_wep_ctx != NULL) {
free(ic->ic_wep_ctx, M_DEVBUF);
ic->ic_wep_ctx = NULL;
  123         }
  124 }
  126 struct mbuf *
ieee80211_encrypt(struct ieee80211com *ic, struct mbuf *m0,
  128     struct ieee80211_node *ni)
  129 {
  130         struct ieee80211_frame *wh;
  131         struct ieee80211_key *k;
  133         /* select the key for encryption */
wh = mtod(m0, struct ieee80211_frame *);
  135         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
ni->ni_pairwise_cipher == IEEE80211_CIPHER_USEGROUP)
k = &ic->ic_nw_keys[ic->ic_wep_txkey];
  138         else
k = &ni->ni_pairwise_key;
  141         switch (k->k_cipher) {
  142         case IEEE80211_CIPHER_WEP40:
  143         case IEEE80211_CIPHER_WEP104:
m0 = ieee80211_wep_crypt(&ic->ic_if, m0, 1);
  145                 break;
  146         case IEEE80211_CIPHER_TKIP:
m0 = ieee80211_tkip_encrypt(ic, m0, k);
  148                 break;
  149         case IEEE80211_CIPHER_CCMP:
m0 = ieee80211_ccmp_encrypt(ic, m0, k);
  151                 break;
  152         default:
  153                 /* should not get there */
m_freem(m0);
m0 = NULL;
  156         }
  157         return m0;
  158 }
  160 struct mbuf *
ieee80211_decrypt(struct ieee80211com *ic, struct mbuf *m0,
  162     struct ieee80211_node *ni)
  163 {
  164         struct ieee80211_frame *wh;
  165         struct ieee80211_key *k;
  167         /* select the key for decryption */
wh = mtod(m0, struct ieee80211_frame *);
  169         if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
ni->ni_pairwise_cipher == IEEE80211_CIPHER_USEGROUP) {
size_t hdrlen = sizeof(*wh);    /* XXX QoS */
u_int8_t *ivp = (u_int8_t *)wh + hdrlen;
  173                 /* key identifier is always located at the same index */
  174                 int kid = ivp[IEEE80211_WEP_IVLEN] >> 6;
k = &ic->ic_nw_keys[kid];
  176         } else
k = &ni->ni_pairwise_key;
  179         switch (k->k_cipher) {
  180         case IEEE80211_CIPHER_WEP40:
  181         case IEEE80211_CIPHER_WEP104:
m0 = ieee80211_wep_crypt(&ic->ic_if, m0, 0);
  183                 break;
  184         case IEEE80211_CIPHER_TKIP:
m0 = ieee80211_tkip_decrypt(ic, m0, k);
  186                 break;
  187         case IEEE80211_CIPHER_CCMP:
m0 = ieee80211_ccmp_decrypt(ic, m0, k);
  189                 break;
  190         default:
  191                 /* should not get there */
m_freem(m0);
m0 = NULL;
  194         }
  195         return m0;
  196 }
  198 #define IEEE80211_CCMP_HDRLEN   8
  199 #define IEEE80211_CCMP_MICLEN   8
  201 struct mbuf *
ieee80211_ccmp_encrypt(struct ieee80211com *ic, struct mbuf *m0,
  203     struct ieee80211_key *k)
  204 {
  205         struct ieee80211_frame *wh;
size_t hdrlen = sizeof(*wh);    /* XXX QoS */
u_int8_t *ivp;
M_PREPEND(m0, IEEE80211_CCMP_HDRLEN, M_NOWAIT);
  210         if (m0 == NULL)
  211                 return m0;
wh = mtod(m0, struct ieee80211_frame *);
ovbcopy(mtod(m0, u_int8_t *) + IEEE80211_CCMP_HDRLEN, wh, hdrlen);
ivp = (u_int8_t *)wh + hdrlen;
k->k_tsc++;     /* increment the 48-bit PN */
ivp[0] = k->k_tsc;              /* PN0 */
ivp[1] = k->k_tsc >> 8;         /* PN1 */
ivp[2] = 0;                     /* Rsvd */
ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV;    /* KeyID | ExtIV */
ivp[4] = k->k_tsc >> 16;        /* PN2 */
ivp[5] = k->k_tsc >> 24;        /* PN3 */
ivp[6] = k->k_tsc >> 32;        /* PN4 */
ivp[7] = k->k_tsc >> 40;        /* PN5 */
  226         /* XXX encrypt payload if HW encryption not supported */
  228         return m0;
  229 }
  231 struct mbuf *
ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0,
  233     struct ieee80211_key *k)
  234 {
  235         struct ieee80211_frame *wh;
size_t hdrlen = sizeof(*wh);    /* XXX QoS */
u_int64_t pn;
u_int8_t *ivp;
wh = mtod(m0, struct ieee80211_frame *);
ivp = (u_int8_t *)wh + hdrlen;
  243         /* check that ExtIV bit is be set */
  244         if (!(ivp[3] & IEEE80211_WEP_EXTIV)) {
m_freem(m0);
  246                 return NULL;
  247         }
  248         /* extract the 48-bit PN from the CCMP header */
pn = (u_int64_t)ivp[0]       |
  250              (u_int64_t)ivp[1] <<  8 |
  251              (u_int64_t)ivp[4] << 16 |
  252              (u_int64_t)ivp[5] << 24 |
  253              (u_int64_t)ivp[6] << 32 |
  254              (u_int64_t)ivp[7] << 40;
  255         /* NB: the keys are refreshed, we'll never overflow the 48 bits */
  256         if (pn <= k->k_rsc) {
  257                 /* replayed frame, discard */
  258                 /* XXX statistics */
m_freem(m0);
  260                 return NULL;
  261         }
  263         /* XXX decrypt payload if HW encryption not supported */
ovbcopy(mtod(m0, u_int8_t *),
mtod(m0, u_int8_t *) + IEEE80211_CCMP_HDRLEN, hdrlen);
m_adj(m0, IEEE80211_CCMP_HDRLEN);
m_adj(m0, -IEEE80211_CCMP_MICLEN);
  270         /* update last seen packet number */
k->k_rsc = pn;
  273         return m0;
  274 }
  276 #define IEEE80211_TKIP_HDRLEN   8
  277 #define IEEE80211_TKIP_MICLEN   8
  278 #define IEEE80211_TKIP_ICVLEN   4
  280 struct mbuf *
ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0,
  282     struct ieee80211_key *k)
  283 {
  284         struct ieee80211_frame *wh;
size_t hdrlen = sizeof(*wh);    /* XXX QoS */
u_int8_t *ivp;
M_PREPEND(m0, IEEE80211_TKIP_HDRLEN, M_NOWAIT);
  289         if (m0 == NULL)
  290                 return m0;
wh = mtod(m0, struct ieee80211_frame *);
ovbcopy(mtod(m0, u_int8_t *) + IEEE80211_TKIP_HDRLEN, wh, hdrlen);
ivp = (u_int8_t *)wh + hdrlen;
ivp[0] = k->k_tsc >> 8;         /* TSC1 */
  296         /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */
ivp[1] = (ivp[0] | 0x20) & 0x7f;
ivp[2] = k->k_tsc;              /* TSC0 */
ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV;    /* KeyID | ExtIV */
ivp[4] = k->k_tsc >> 16;        /* TSC2 */
ivp[5] = k->k_tsc >> 24;        /* TSC3 */
ivp[6] = k->k_tsc >> 32;        /* TSC4 */
ivp[7] = k->k_tsc >> 40;        /* TSC5 */
  305         /* XXX encrypt payload if HW encryption not supported */
k->k_tsc++;     /* increment the 48-bit TSC */
  309         return m0;
  310 }
  312 struct mbuf *
ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
  314     struct ieee80211_key *k)
  315 {
  316         struct ieee80211_frame *wh;
size_t hdrlen = sizeof(*wh);    /* XXX QoS */
u_int64_t tsc;
u_int8_t *ivp;
wh = mtod(m0, struct ieee80211_frame *);
ivp = (u_int8_t *)wh + hdrlen;
  324         /* check that ExtIV bit is be set */
  325         if (!(ivp[3] & IEEE80211_WEP_EXTIV)) {
m_freem(m0);
  327                 return NULL;
  328         }
  329         /* extract the 48-bit TSC from the TKIP header */
tsc = (u_int64_t)ivp[2]       |
  331               (u_int64_t)ivp[0] <<  8 |
  332               (u_int64_t)ivp[4] << 16 |
  333               (u_int64_t)ivp[5] << 24 |
  334               (u_int64_t)ivp[6] << 32 |
  335               (u_int64_t)ivp[7] << 40;
  336         /* NB: the keys are refreshed, we'll never overflow the 48 bits */
  337         if (tsc <= k->k_rsc) {
  338                 /* replayed frame, discard */
  339                 /* XXX statistics */
m_freem(m0);
  341                 return NULL;
  342         }
  344         /* XXX decrypt payload if HW encryption not supported */
ovbcopy(mtod(m0, u_int8_t *),
mtod(m0, u_int8_t *) + IEEE80211_TKIP_HDRLEN, hdrlen);
m_adj(m0, IEEE80211_TKIP_HDRLEN);
m_adj(m0, -IEEE80211_TKIP_ICVLEN);
  351         /* update last seen packet number */
k->k_rsc = tsc;
  354         return m0;
  355 }
  357 /* Round up to a multiple of IEEE80211_WEP_KEYLEN + IEEE80211_WEP_IVLEN */
  358 #define klen_round(x)                                                   \
  359         (((x) + (IEEE80211_WEP_KEYLEN + IEEE80211_WEP_IVLEN - 1)) &     \
  360         ~(IEEE80211_WEP_KEYLEN + IEEE80211_WEP_IVLEN - 1))
  362 struct mbuf *
ieee80211_wep_crypt(struct ifnet *ifp, struct mbuf *m0, int txflag)
  364 {
  365         struct ieee80211com *ic = (void *)ifp;
  366         struct mbuf *m, *n, *n0;
  367         struct ieee80211_frame *wh;
  368         int i, left, len, moff, noff, kid;
u_int32_t iv, crc;
u_int8_t *ivp;
  371         void *ctx;
u_int8_t keybuf[klen_round(IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE)];
u_int8_t crcbuf[IEEE80211_WEP_CRCLEN];
n0 = NULL;
  376         if ((ctx = ic->ic_wep_ctx) == NULL) {
ctx = malloc(sizeof(struct rc4_ctx), M_DEVBUF, M_NOWAIT);
  378                 if (ctx == NULL) {
ic->ic_stats.is_crypto_nomem++;
  380                         goto fail;
  381                 }
ic->ic_wep_ctx = ctx;
  383         }
m = m0;
left = m->m_pkthdr.len;
MGET(n, M_DONTWAIT, m->m_type);
n0 = n;
  388         if (n == NULL) {
  389                 if (txflag)
ic->ic_stats.is_tx_nombuf++;
  391                 else
ic->ic_stats.is_rx_nombuf++;
  393                 goto fail;
  394         }
M_DUP_PKTHDR(n, m);
len = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + IEEE80211_WEP_CRCLEN;
  397         if (txflag) {
n->m_pkthdr.len += len;
  399         } else {
n->m_pkthdr.len -= len;
left -= len;
  402         }
n->m_len = MHLEN;
  404         if (n->m_pkthdr.len >= MINCLSIZE) {
MCLGET(n, M_DONTWAIT);
  406                 if (n->m_flags & M_EXT)
n->m_len = n->m_ext.ext_size;
  408         }
wh = mtod(m, struct ieee80211_frame *);
  410         if ((wh->i_fc[0] &
  411              (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_QOS)) ==
  412             (IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS))
len = sizeof(struct ieee80211_qosframe);
  414         else
len = sizeof(struct ieee80211_frame);
memcpy(mtod(n, caddr_t), wh, len);
wh = mtod(n, struct ieee80211_frame *);
left -= len;
moff = len;
noff = len;
  421         if (txflag) {
kid = ic->ic_wep_txkey;
wh->i_fc[1] |= IEEE80211_FC1_WEP;
iv = ic->ic_iv ? ic->ic_iv : arc4random();
  425                 /*
  426                  * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
  427                  * (B, 255, N) with 3 <= B < 8
  428                  */
  429                 if (iv >= 0x03ff00 &&
  430                     (iv & 0xf8ff00) == 0x00ff00)
iv += 0x000100;
ic->ic_iv = iv + 1;
  433                 /* put iv in little endian to prepare 802.11i */
ivp = mtod(n, u_int8_t *) + noff;
  435                 for (i = 0; i < IEEE80211_WEP_IVLEN; i++) {
ivp[i] = iv & 0xff;
iv >>= 8;
  438                 }
ivp[IEEE80211_WEP_IVLEN] = kid << 6;    /* pad and keyid */
noff += IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN;
  441         } else {
wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
ivp = mtod(m, u_int8_t *) + moff;
kid = ivp[IEEE80211_WEP_IVLEN] >> 6;
moff += IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN;
  446         }
  448         /*
  449          * Copy the IV and the key material.  The input key has been padded
  450          * with zeros by the ioctl.  The output key buffer length is rounded
  451          * to a multiple of 64bit to allow variable length keys padded by
  452          * zeros.
  453          */
bzero(&keybuf, sizeof(keybuf));
memcpy(keybuf, ivp, IEEE80211_WEP_IVLEN);
memcpy(keybuf + IEEE80211_WEP_IVLEN, ic->ic_nw_keys[kid].k_key,
ic->ic_nw_keys[kid].k_len);
len = klen_round(IEEE80211_WEP_IVLEN + ic->ic_nw_keys[kid].k_len);
rc4_keysetup(ctx, keybuf, len);
  461         /* encrypt with calculating CRC */
crc = ~0;
  463         while (left > 0) {
len = m->m_len - moff;
  465                 if (len == 0) {
m = m->m_next;
moff = 0;
  468                         continue;
  469                 }
  470                 if (len > n->m_len - noff) {
len = n->m_len - noff;
  472                         if (len == 0) {
MGET(n->m_next, M_DONTWAIT, n->m_type);
  474                                 if (n->m_next == NULL) {
  475                                         if (txflag)
ic->ic_stats.is_tx_nombuf++;
  477                                         else
ic->ic_stats.is_rx_nombuf++;
  479                                         goto fail;
  480                                 }
n = n->m_next;
n->m_len = MLEN;
  483                                 if (left >= MINCLSIZE) {
MCLGET(n, M_DONTWAIT);
  485                                         if (n->m_flags & M_EXT)
n->m_len = n->m_ext.ext_size;
  487                                 }
noff = 0;
  489                                 continue;
  490                         }
  491                 }
  492                 if (len > left)
len = left;
rc4_crypt(ctx, mtod(m, caddr_t) + moff,
mtod(n, caddr_t) + noff, len);
  496                 if (txflag)
crc = ieee80211_crc_update(crc,
mtod(m, u_int8_t *) + moff, len);
  499                 else
crc = ieee80211_crc_update(crc,
mtod(n, u_int8_t *) + noff, len);
left -= len;
moff += len;
noff += len;
  505         }
crc = ~crc;
  507         if (txflag) {
  508                 *(u_int32_t *)crcbuf = htole32(crc);
  509                 if (n->m_len >= noff + sizeof(crcbuf))
n->m_len = noff + sizeof(crcbuf);
  511                 else {
n->m_len = noff;
MGET(n->m_next, M_DONTWAIT, n->m_type);
  514                         if (n->m_next == NULL) {
ic->ic_stats.is_tx_nombuf++;
  516                                 goto fail;
  517                         }
n = n->m_next;
n->m_len = sizeof(crcbuf);
noff = 0;
  521                 }
rc4_crypt(ctx, crcbuf, mtod(n, caddr_t) + noff,
  523                     sizeof(crcbuf));
  524         } else {
n->m_len = noff;
  526                 for (noff = 0; noff < sizeof(crcbuf); noff += len) {
len = sizeof(crcbuf) - noff;
  528                         if (len > m->m_len - moff)
len = m->m_len - moff;
  530                         if (len > 0)
rc4_crypt(ctx, mtod(m, caddr_t) + moff,
crcbuf + noff, len);
m = m->m_next;
moff = 0;
  535                 }
  536                 if (crc != letoh32(*(u_int32_t *)crcbuf)) {
  537 #ifdef IEEE80211_DEBUG
  538                         if (ieee80211_debug) {
printf("%s: decrypt CRC error\n",
ifp->if_xname);
  541                                 if (ieee80211_debug > 1)
ieee80211_dump_pkt(n0->m_data,
n0->m_len, -1, -1);
  544                         }
  545 #endif
ic->ic_stats.is_rx_decryptcrc++;
  547                         goto fail;
  548                 }
  549         }
m_freem(m0);
  551         return n0;
fail:
m_freem(m0);
m_freem(n0);
  556         return NULL;
  557 }
  559 /*
  560  * CRC 32 -- routine from RFC 2083
  561  */
  563 /* Table of CRCs of all 8-bit messages */
  564 static u_int32_t ieee80211_crc_table[256];
  566 /* Make the table for a fast CRC. */
  567 void
ieee80211_crc_init(void)
  569 {
u_int32_t c;
  571         int n, k;
  573         for (n = 0; n < 256; n++) {
c = (u_int32_t)n;
  575                 for (k = 0; k < 8; k++) {
  576                         if (c & 1)
c = 0xedb88320UL ^ (c >> 1);
  578                         else
c = c >> 1;
  580                 }
ieee80211_crc_table[n] = c;
  582         }
  583 }
  585 /*
  586  * Update a running CRC with the bytes buf[0..len-1]--the CRC
  587  * should be initialized to all 1's, and the transmitted value
  588  * is the 1's complement of the final running CRC
  589  */
u_int32_t
ieee80211_crc_update(u_int32_t crc, const u_int8_t *buf, int len)
  592 {
  593         const u_int8_t *endbuf;
  595         for (endbuf = buf + len; buf < endbuf; buf++)
crc = ieee80211_crc_table[(crc ^ *buf) & 0xff] ^ (crc >> 8);
  597         return crc;
  598 }
  600 /*
  601  * AES Key Wrap Algorithm (see RFC 3394).
  602  */
  603 static const u_int8_t aes_key_wrap_iv[8] =
  604         { 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6 };
  606 void
ieee80211_aes_key_wrap(const u_int8_t *kek, size_t kek_len, const u_int8_t *pt,
size_t len, u_int8_t *ct)
  609 {
rijndael_ctx ctx;
u_int8_t *a, *r, ar[16];
u_int64_t t, b[2];
size_t i;
  614         int j;
  616         /* allow ciphertext and plaintext to overlap (ct == pt) */
ovbcopy(pt, ct + 8, len * 8);
a = ct;
memcpy(a, aes_key_wrap_iv, 8);  /* default IV */
rijndael_set_key_enc_only(&ctx, (u_int8_t *)kek, kek_len * 8);
  623         for (j = 0, t = 1; j < 6; j++) {
r = ct + 8;
  625                 for (i = 0; i < len; i++, t++) {
memcpy(ar, a, 8);
memcpy(ar + 8, r, 8);
rijndael_encrypt(&ctx, ar, (u_int8_t *)b);
b[0] ^= htobe64(t);
memcpy(a, &b[0], 8);
memcpy(r, &b[1], 8);
r += 8;
  634                 }
  635         }
  636 }
  638 int
ieee80211_aes_key_unwrap(const u_int8_t *kek, size_t kek_len,
  640     const u_int8_t *ct, u_int8_t *pt, size_t len)
  641 {
rijndael_ctx ctx;
u_int8_t a[8], *r, b[16];
u_int64_t t, ar[2];
size_t i;
  646         int j;
memcpy(a, ct, 8);
  649         /* allow ciphertext and plaintext to overlap (ct == pt) */
ovbcopy(ct + 8, pt, len * 8);
rijndael_set_key(&ctx, (u_int8_t *)kek, kek_len * 8);
  654         for (j = 0, t = 6 * len; j < 6; j++) {
r = pt + (len - 1) * 8;
  656                 for (i = 0; i < len; i++, t--) {
memcpy(&ar[0], a, 8);
ar[0] ^= htobe64(t);
memcpy(&ar[1], r, 8);
rijndael_decrypt(&ctx, (u_int8_t *)ar, b);
memcpy(a, b, 8);
memcpy(r, b + 8, 8);
r -= 8;
  665                 }
  666         }
  667         return memcmp(a, aes_key_wrap_iv, 8) != 0;
  668 }
  670 void
ieee80211_hmac_md5_v(const struct vector *vec, int vcnt, const u_int8_t *key,
size_t key_len, u_int8_t digest[MD5_DIGEST_LENGTH])
  673 {
MD5_CTX ctx;
u_int8_t k_pad[MD5_BLOCK_LENGTH];
u_int8_t tk[MD5_DIGEST_LENGTH];
  677         int i;
  679         if (key_len > MD5_BLOCK_LENGTH) {
MD5Init(&ctx);
MD5Update(&ctx, (u_int8_t *)key, key_len);
MD5Final(tk, &ctx);
key = tk;
key_len = MD5_DIGEST_LENGTH;
  686         }
bzero(k_pad, sizeof k_pad);
bcopy(key, k_pad, key_len);
  690         for (i = 0; i < MD5_BLOCK_LENGTH; i++)
k_pad[i] ^= 0x36;
MD5Init(&ctx);
MD5Update(&ctx, k_pad, MD5_BLOCK_LENGTH);
  695         for (i = 0; i < vcnt; i++)
MD5Update(&ctx, (u_int8_t *)vec[i].base, vec[i].len);
MD5Final(digest, &ctx);
bzero(k_pad, sizeof k_pad);
bcopy(key, k_pad, key_len);
  701         for (i = 0; i < MD5_BLOCK_LENGTH; i++)
k_pad[i] ^= 0x5c;
MD5Init(&ctx);
MD5Update(&ctx, k_pad, MD5_BLOCK_LENGTH);
MD5Update(&ctx, digest, MD5_DIGEST_LENGTH);
MD5Final(digest, &ctx);
  708 }
  710 void
ieee80211_hmac_md5(const u_int8_t *text, size_t text_len, const u_int8_t *key,
size_t key_len, u_int8_t digest[MD5_DIGEST_LENGTH])
  713 {
  714         struct vector vec;
vec.base = text;
vec.len  = text_len;
ieee80211_hmac_md5_v(&vec, 1, key, key_len, digest);
  718 }
  720 void
ieee80211_hmac_sha1_v(const struct vector *vec, int vcnt, const u_int8_t *key,
size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH])
  723 {
SHA1_CTX ctx;
u_int8_t k_pad[SHA1_BLOCK_LENGTH];
u_int8_t tk[SHA1_DIGEST_LENGTH];
  727         int i;
  729         if (key_len > SHA1_BLOCK_LENGTH) {
SHA1Init(&ctx);
SHA1Update(&ctx, (u_int8_t *)key, key_len);
SHA1Final(tk, &ctx);
key = tk;
key_len = SHA1_DIGEST_LENGTH;
  736         }
bzero(k_pad, sizeof k_pad);
bcopy(key, k_pad, key_len);
  740         for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
k_pad[i] ^= 0x36;
SHA1Init(&ctx);
SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
  745         for (i = 0; i < vcnt; i++)
SHA1Update(&ctx, (u_int8_t *)vec[i].base, vec[i].len);
SHA1Final(digest, &ctx);
bzero(k_pad, sizeof k_pad);
bcopy(key, k_pad, key_len);
  751         for (i = 0; i < SHA1_BLOCK_LENGTH; i++)
k_pad[i] ^= 0x5c;
SHA1Init(&ctx);
SHA1Update(&ctx, k_pad, SHA1_BLOCK_LENGTH);
SHA1Update(&ctx, digest, SHA1_DIGEST_LENGTH);
SHA1Final(digest, &ctx);
  758 }
  760 void
ieee80211_hmac_sha1(const u_int8_t *text, size_t text_len, const u_int8_t *key,
size_t key_len, u_int8_t digest[SHA1_DIGEST_LENGTH])
  763 {
  764         struct vector vec;
vec.base = text;
vec.len  = text_len;
ieee80211_hmac_sha1_v(&vec, 1, key, key_len, digest);
  768 }
  770 /*
  771  * SHA1-based Pseudo-Random Function (see 8.5.1.1).
  772  */
  773 void
ieee80211_prf(const u_int8_t *key, size_t key_len, struct vector *vec,
  775     int vcnt, u_int8_t *output, size_t len)
  776 {
u_int8_t hash[SHA1_DIGEST_LENGTH];
u_int8_t count = 0;
  780         /* single octet count, starts at 0 */
vec[vcnt].base = &count;
vec[vcnt].len  = 1;
vcnt++;
  785         while (len > SHA1_DIGEST_LENGTH) {
ieee80211_hmac_sha1_v(vec, vcnt, key, key_len, output);
count++;
output += SHA1_DIGEST_LENGTH;
len -= SHA1_DIGEST_LENGTH;
  791         }
  792         if (len > 0) {
ieee80211_hmac_sha1_v(vec, vcnt, key, key_len, hash);
  794                 /* truncate HMAC-SHA1 to len bytes */
memcpy(output, hash, len);
  796         }
  797 }
  799 /*
  800  * Derive Pairwise Transient Key (PTK) (see 8.5.1.2).
  801  */
  802 void
ieee80211_derive_ptk(const u_int8_t *pmk, size_t pmk_len, const u_int8_t *aa,
  804     const u_int8_t *spa, const u_int8_t *anonce, const u_int8_t *snonce,
u_int8_t *ptk, size_t ptk_len)
  806 {
  807         struct vector vec[6];   /* +1 for PRF */
  808         int ret;
vec[0].base = "Pairwise key expansion";
vec[0].len  = 23;       /* include trailing '\0' */
ret = memcmp(aa, spa, IEEE80211_ADDR_LEN) < 0;
  814         /* Min(AA,SPA) */
vec[1].base = ret ? aa : spa;
vec[1].len  = IEEE80211_ADDR_LEN;
  817         /* Max(AA,SPA) */
vec[2].base = ret ? spa : aa;
vec[2].len  = IEEE80211_ADDR_LEN;
ret = memcmp(anonce, snonce, EAPOL_KEY_NONCE_LEN) < 0;
  822         /* Min(ANonce,SNonce) */
vec[3].base = ret ? anonce : snonce;
vec[3].len  = EAPOL_KEY_NONCE_LEN;
  825         /* Max(ANonce,SNonce) */
vec[4].base = ret ? snonce : anonce;
vec[4].len  = EAPOL_KEY_NONCE_LEN;
ieee80211_prf(pmk, pmk_len, vec, 5, ptk, ptk_len);
  830 }
  832 /*
  833  * Derive Pairwise Master Key Identifier (PMKID) (see 8.5.1.2).
  834  */
  835 void
ieee80211_derive_pmkid(const u_int8_t *pmk, size_t pmk_len, const u_int8_t *aa,
  837     const u_int8_t *spa, u_int8_t *pmkid)
  838 {
  839         struct vector vec[3];
u_int8_t hash[SHA1_DIGEST_LENGTH];
vec[0].base = "PMK Name";
vec[0].len  = 8;        /* does *not* include trailing '\0' */
vec[1].base = aa;
vec[1].len  = IEEE80211_ADDR_LEN;
vec[2].base = spa;
vec[2].len  = IEEE80211_ADDR_LEN;
ieee80211_hmac_sha1_v(vec, 3, pmk, pmk_len, hash);
  850         /* use the first 128 bits of the HMAC-SHA1 */
memcpy(pmkid, hash, IEEE80211_PMKID_LEN);
  852 }
  854 /*
  855  * Derive Group Temporal Key (GTK) (see 8.5.1.3).
  856  */
  857 void
ieee80211_derive_gtk(const u_int8_t *gmk, size_t gmk_len, const u_int8_t *aa,
  859     const u_int8_t *gnonce, u_int8_t *gtk, size_t gtk_len)
  860 {
  861         struct vector vec[4];   /* +1 for PRF */
vec[0].base = "Group key expansion";
vec[0].len  = 20;       /* include trailing '\0' */
vec[1].base = aa;
vec[1].len  = IEEE80211_ADDR_LEN;
vec[2].base = gnonce;
vec[2].len  = EAPOL_KEY_NONCE_LEN;
ieee80211_prf(gmk, gmk_len, vec, 3, gtk, gtk_len);
  871 }
  873 /* unaligned big endian access */
  874 #define BE_READ_2(p)                            \
  875         ((u_int16_t)                            \
  876          ((((const u_int8_t *)(p))[0] << 8) |   \
  877           (((const u_int8_t *)(p))[1])))
  879 #define BE_WRITE_2(p, v) do {                   \
  880         ((u_int8_t *)(p))[0] = (v) >> 8;        \
  881         ((u_int8_t *)(p))[1] = (v) & 0xff;      \
  882 } while (0)
  884 /*
  885  * Compute the Key MIC field of an EAPOL-Key frame using the specified Key
  886  * Confirmation Key (KCK).  The hash function can be either HMAC-MD5 or
  887  * HMAC-SHA1 depending on the EAPOL-Key Key Descriptor Version.
  888  */
  889 void
ieee80211_eapol_key_mic(struct ieee80211_eapol_key *key, const u_int8_t *kck)
  891 {
u_int8_t hash[SHA1_DIGEST_LENGTH];
u_int16_t len, info;
len  = BE_READ_2(key->len) + 4;
info = BE_READ_2(key->info);
  898         switch (info & EAPOL_KEY_VERSION_MASK) {
  899         case EAPOL_KEY_DESC_V1:
ieee80211_hmac_md5((u_int8_t *)key, len, kck, 16, key->mic);
  901                 break;
  902         case EAPOL_KEY_DESC_V2:
ieee80211_hmac_sha1((u_int8_t *)key, len, kck, 16, hash);
  904                 /* truncate HMAC-SHA1 to its 128 MSBs */
memcpy(key->mic, hash, EAPOL_KEY_MIC_LEN);
  906                 break;
  907         }
  908 }
  910 /*
  911  * Check the MIC of a received EAPOL-Key frame using the specified Key
  912  * Confirmation Key (KCK).
  913  */
  914 int
ieee80211_eapol_key_check_mic(struct ieee80211_eapol_key *key,
  916     const u_int8_t *kck)
  917 {
u_int8_t mic[EAPOL_KEY_MIC_LEN];
memcpy(mic, key->mic, EAPOL_KEY_MIC_LEN);
memset(key->mic, 0, EAPOL_KEY_MIC_LEN);
ieee80211_eapol_key_mic(key, kck);
  924         return memcmp(key->mic, mic, EAPOL_KEY_MIC_LEN) != 0;
  925 }
  927 /*
  928  * Encrypt the Key Data field of an EAPOL-Key frame using the specified Key
  929  * Encryption Key (KEK).  The encryption algorithm can be either ARC4 or
  930  * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version.
  931  */
  932 void
ieee80211_eapol_key_encrypt(struct ieee80211com *ic,
  934     struct ieee80211_eapol_key *key, const u_int8_t *kek)
  935 {
  936         struct rc4_ctx ctx;
u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16];
u_int16_t len, info;
u_int8_t *data;
  940         int n;
len  = BE_READ_2(key->paylen);
info = BE_READ_2(key->info);
data = (u_int8_t *)(key + 1);
  946         switch (info & EAPOL_KEY_VERSION_MASK) {
  947         case EAPOL_KEY_DESC_V1:
  948                 /* set IV to the lower 16 octets of our global key counter */
memcpy(key->iv, ic->ic_globalcnt + 16, 16);
  950                 /* increment our global key counter (256-bit, big-endian) */
  951                 for (n = 31; n >= 0 && ++ic->ic_globalcnt[n] == 0; n--);
  953                 /* concatenate the EAPOL-Key IV field and the KEK */
memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN);
memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16);
rc4_keysetup(&ctx, keybuf, sizeof keybuf);
  958                 /* discard the first 256 octets of the ARC4 key stream */
rc4_skip(&ctx, RC4STATE);
rc4_crypt(&ctx, data, data, len);
  961                 break;
  962         case EAPOL_KEY_DESC_V2:
  963                 if (len < 16 || (len & 7) != 0) {
  964                         /* insert padding */
n = (len < 16) ? 16 - len : 8 - (len & 7);
data[len++] = IEEE80211_ELEMID_VENDOR;
memset(&data[len], 0, n - 1);
len += n - 1;
  969                 }
ieee80211_aes_key_wrap(kek, 16, data, len / 8, data);
len += 8;       /* AES Key Wrap adds 8 bytes */
  972                 /* update key data length */
BE_WRITE_2(key->paylen, len);
  974                 /* update packet body length */
BE_WRITE_2(key->len, sizeof(*key) + len - 4);
  976                 break;
  977         }
  978 }
  980 /*
  981  * Decrypt the Key Data field of an EAPOL-Key frame using the specified Key
  982  * Encryption Key (KEK).  The encryption algorithm can be either ARC4 or
  983  * AES Key Wrap depending on the EAPOL-Key Key Descriptor Version.
  984  */
  985 int
ieee80211_eapol_key_decrypt(struct ieee80211_eapol_key *key,
  987     const u_int8_t *kek)
  988 {
  989         struct rc4_ctx ctx;
u_int8_t keybuf[EAPOL_KEY_IV_LEN + 16];
u_int16_t len, info;
u_int8_t *data;
len  = BE_READ_2(key->paylen);
info = BE_READ_2(key->info);
data = (u_int8_t *)(key + 1);
  998         switch (info & EAPOL_KEY_VERSION_MASK) {
  999         case EAPOL_KEY_DESC_V1:
 1000                 /* concatenate the EAPOL-Key IV field and the KEK */
memcpy(keybuf, key->iv, EAPOL_KEY_IV_LEN);
memcpy(keybuf + EAPOL_KEY_IV_LEN, kek, 16);
rc4_keysetup(&ctx, keybuf, sizeof keybuf);
 1005                 /* discard the first 256 octets of the ARC4 key stream */
rc4_skip(&ctx, RC4STATE);
rc4_crypt(&ctx, data, data, len);
 1008                 return 0;
 1009         case EAPOL_KEY_DESC_V2:
 1010                 /* Key Data Length must be a multiple of 8 */
 1011                 if (len < 16 + 8 || (len & 7) != 0)
 1012                         return 1;
len -= 8;       /* AES Key Wrap adds 8 bytes */
 1014                 return ieee80211_aes_key_unwrap(kek, 16, data, data, len / 8);
 1015         }
 1017         return 1;       /* unknown Key Descriptor Version */
 1018 }
 1020 /*
 1021  * Return the length in bytes of a cipher suite key (see Table 60).
 1022  */
 1023 int
ieee80211_cipher_keylen(enum ieee80211_cipher cipher)
 1025 {
 1026         switch (cipher) {
 1027         case IEEE80211_CIPHER_WEP40:
 1028                 return 5;
 1029         case IEEE80211_CIPHER_TKIP:
 1030                 return 32;
 1031         case IEEE80211_CIPHER_CCMP:
 1032                 return 16;
 1033         case IEEE80211_CIPHER_WEP104:
 1034                 return 13;
 1035         default:        /* unknown cipher */
 1036                 return 0;
 1037         }
 1038 }