Line data Source code
1 : /* $OpenBSD: ieee80211_crypto_tkip.c,v 1.29 2017/06/03 11:58:10 tb Exp $ */
2 :
3 : /*-
4 : * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
5 : *
6 : * Permission to use, copy, modify, and distribute this software for any
7 : * purpose with or without fee is hereby granted, provided that the above
8 : * copyright notice and this permission notice appear in all copies.
9 : *
10 : * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 : * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 : * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 : * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 : * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 : * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 : * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 : */
18 :
19 : /*
20 : * This code implements the Temporal Key Integrity Protocol (TKIP) defined
21 : * in IEEE Std 802.11-2007 section 8.3.2.
22 : */
23 :
24 : #include <sys/param.h>
25 : #include <sys/systm.h>
26 : #include <sys/mbuf.h>
27 : #include <sys/malloc.h>
28 : #include <sys/kernel.h>
29 : #include <sys/socket.h>
30 : #include <sys/endian.h>
31 : #include <sys/syslog.h>
32 :
33 : #include <net/if.h>
34 : #include <net/if_dl.h>
35 : #include <net/if_media.h>
36 :
37 : #include <netinet/in.h>
38 : #include <netinet/if_ether.h>
39 :
40 : #include <net80211/ieee80211_var.h>
41 : #include <net80211/ieee80211_crypto.h>
42 :
43 : #include <crypto/arc4.h>
44 : #include <crypto/michael.h>
45 :
46 : typedef u_int8_t byte; /* 8-bit byte (octet) */
47 : typedef u_int16_t u16b; /* 16-bit unsigned word */
48 : typedef u_int32_t u32b; /* 32-bit unsigned word */
49 :
50 : static void Phase1(u16b *, const byte *, const byte *, u32b);
51 : static void Phase2(byte *, const byte *, const u16b *, u16b);
52 :
53 : /* TKIP software crypto context */
54 : struct ieee80211_tkip_ctx {
55 : struct rc4_ctx rc4;
56 : const u_int8_t *txmic;
57 : const u_int8_t *rxmic;
58 : u_int16_t txttak[5];
59 : u_int16_t rxttak[5];
60 : u_int8_t txttak_ok;
61 : u_int8_t rxttak_ok;
62 : };
63 :
64 : /*
65 : * Initialize software crypto context. This function can be overridden
66 : * by drivers doing hardware crypto.
67 : */
68 : int
69 0 : ieee80211_tkip_set_key(struct ieee80211com *ic, struct ieee80211_key *k)
70 : {
71 : struct ieee80211_tkip_ctx *ctx;
72 :
73 0 : ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
74 0 : if (ctx == NULL)
75 0 : return ENOMEM;
76 : /*
77 : * Use bits 128-191 as the Michael key for AA->SPA and bits
78 : * 192-255 as the Michael key for SPA->AA.
79 : */
80 : #ifndef IEEE80211_STA_ONLY
81 0 : if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
82 0 : ctx->txmic = &k->k_key[16];
83 0 : ctx->rxmic = &k->k_key[24];
84 0 : } else
85 : #endif
86 : {
87 0 : ctx->rxmic = &k->k_key[16];
88 0 : ctx->txmic = &k->k_key[24];
89 : }
90 0 : k->k_priv = ctx;
91 0 : return 0;
92 0 : }
93 :
94 : void
95 0 : ieee80211_tkip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k)
96 : {
97 0 : if (k->k_priv != NULL) {
98 0 : explicit_bzero(k->k_priv, sizeof(struct ieee80211_tkip_ctx));
99 0 : free(k->k_priv, M_DEVBUF, sizeof(struct ieee80211_tkip_ctx));
100 0 : }
101 0 : k->k_priv = NULL;
102 0 : }
103 :
104 : /* pseudo-header used for TKIP MIC computation */
105 : struct ieee80211_tkip_frame {
106 : u_int8_t i_da[IEEE80211_ADDR_LEN];
107 : u_int8_t i_sa[IEEE80211_ADDR_LEN];
108 : u_int8_t i_pri;
109 : u_int8_t i_pad[3];
110 : } __packed;
111 :
112 : /*
113 : * Compute TKIP MIC over an mbuf chain starting "off" bytes from the
114 : * beginning. This function should be kept independant from the software
115 : * TKIP crypto code so that drivers doing hardware crypto but not MIC can
116 : * call it without a software crypto context.
117 : */
118 : void
119 0 : ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key,
120 : u_int8_t mic[IEEE80211_TKIP_MICLEN])
121 : {
122 : const struct ieee80211_frame *wh;
123 0 : struct ieee80211_tkip_frame wht;
124 0 : MICHAEL_CTX ctx; /* small enough */
125 : struct mbuf *m;
126 : caddr_t pos;
127 : int len;
128 :
129 : /* assumes 802.11 header is contiguous */
130 0 : wh = mtod(m0, struct ieee80211_frame *);
131 :
132 : /* construct pseudo-header for TKIP MIC computation */
133 0 : switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
134 : case IEEE80211_FC1_DIR_NODS:
135 0 : IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1);
136 0 : IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2);
137 0 : break;
138 : case IEEE80211_FC1_DIR_TODS:
139 0 : IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3);
140 0 : IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr2);
141 0 : break;
142 : case IEEE80211_FC1_DIR_FROMDS:
143 0 : IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr1);
144 0 : IEEE80211_ADDR_COPY(wht.i_sa, wh->i_addr3);
145 0 : break;
146 : case IEEE80211_FC1_DIR_DSTODS:
147 0 : IEEE80211_ADDR_COPY(wht.i_da, wh->i_addr3);
148 0 : IEEE80211_ADDR_COPY(wht.i_sa,
149 : ((const struct ieee80211_frame_addr4 *)wh)->i_addr4);
150 0 : break;
151 : }
152 0 : if (ieee80211_has_qos(wh))
153 0 : wht.i_pri = ieee80211_get_qos(wh) & IEEE80211_QOS_TID;
154 : else
155 0 : wht.i_pri = 0;
156 0 : wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0;
157 :
158 0 : michael_init(&ctx);
159 0 : michael_key(key, &ctx);
160 :
161 0 : michael_update(&ctx, (caddr_t)&wht, sizeof(wht));
162 :
163 : m = m0;
164 : /* assumes the first "off" bytes are contiguous */
165 0 : pos = mtod(m, caddr_t) + off;
166 0 : len = m->m_len - off;
167 0 : for (;;) {
168 0 : michael_update(&ctx, pos, len);
169 0 : if ((m = m->m_next) == NULL)
170 : break;
171 0 : pos = mtod(m, caddr_t);
172 0 : len = m->m_len;
173 : }
174 :
175 0 : michael_final(mic, &ctx);
176 0 : }
177 :
178 : /* shortcuts */
179 : #define IEEE80211_TKIP_TAILLEN \
180 : (IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN)
181 : #define IEEE80211_TKIP_OVHD \
182 : (IEEE80211_TKIP_HDRLEN + IEEE80211_TKIP_TAILLEN)
183 :
184 : struct mbuf *
185 0 : ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0,
186 : struct ieee80211_key *k)
187 : {
188 0 : struct ieee80211_tkip_ctx *ctx = k->k_priv;
189 0 : u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */
190 : const struct ieee80211_frame *wh;
191 : u_int8_t *ivp, *mic, *icvp;
192 : struct mbuf *n0, *m, *n;
193 : u_int32_t crc;
194 : int left, moff, noff, len, hdrlen;
195 :
196 0 : MGET(n0, M_DONTWAIT, m0->m_type);
197 0 : if (n0 == NULL)
198 : goto nospace;
199 0 : if (m_dup_pkthdr(n0, m0, M_DONTWAIT))
200 : goto nospace;
201 0 : n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN;
202 0 : n0->m_len = MHLEN;
203 0 : if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
204 0 : MCLGET(n0, M_DONTWAIT);
205 0 : if (n0->m_flags & M_EXT)
206 0 : n0->m_len = n0->m_ext.ext_size;
207 : }
208 0 : if (n0->m_len > n0->m_pkthdr.len)
209 0 : n0->m_len = n0->m_pkthdr.len;
210 :
211 : /* copy 802.11 header */
212 0 : wh = mtod(m0, struct ieee80211_frame *);
213 0 : hdrlen = ieee80211_get_hdrlen(wh);
214 0 : memcpy(mtod(n0, caddr_t), wh, hdrlen);
215 :
216 0 : k->k_tsc++; /* increment the 48-bit TSC */
217 :
218 : /* construct TKIP header */
219 0 : ivp = mtod(n0, u_int8_t *) + hdrlen;
220 0 : ivp[0] = k->k_tsc >> 8; /* TSC1 */
221 : /* WEP Seed = (TSC1 | 0x20) & 0x7f (see 8.3.2.2) */
222 0 : ivp[1] = (ivp[0] | 0x20) & 0x7f;
223 0 : ivp[2] = k->k_tsc; /* TSC0 */
224 0 : ivp[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV; /* KeyID | ExtIV */
225 0 : ivp[4] = k->k_tsc >> 16; /* TSC2 */
226 0 : ivp[5] = k->k_tsc >> 24; /* TSC3 */
227 0 : ivp[6] = k->k_tsc >> 32; /* TSC4 */
228 0 : ivp[7] = k->k_tsc >> 40; /* TSC5 */
229 :
230 : /* compute WEP seed */
231 0 : if (!ctx->txttak_ok || (k->k_tsc & 0xffff) == 0) {
232 0 : Phase1(ctx->txttak, k->k_key, wh->i_addr2, k->k_tsc >> 16);
233 0 : ctx->txttak_ok = 1;
234 0 : }
235 0 : Phase2((u_int8_t *)wepseed, k->k_key, ctx->txttak, k->k_tsc & 0xffff);
236 0 : rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16);
237 0 : explicit_bzero(wepseed, sizeof(wepseed));
238 :
239 : /* encrypt frame body and compute WEP ICV */
240 : m = m0;
241 : n = n0;
242 : moff = hdrlen;
243 0 : noff = hdrlen + IEEE80211_TKIP_HDRLEN;
244 0 : left = m0->m_pkthdr.len - moff;
245 : crc = ~0;
246 0 : while (left > 0) {
247 0 : if (moff == m->m_len) {
248 : /* nothing left to copy from m */
249 0 : m = m->m_next;
250 : moff = 0;
251 0 : }
252 0 : if (noff == n->m_len) {
253 : /* n is full and there's more data to copy */
254 0 : MGET(n->m_next, M_DONTWAIT, n->m_type);
255 0 : if (n->m_next == NULL)
256 : goto nospace;
257 : n = n->m_next;
258 0 : n->m_len = MLEN;
259 0 : if (left >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
260 0 : MCLGET(n, M_DONTWAIT);
261 0 : if (n->m_flags & M_EXT)
262 0 : n->m_len = n->m_ext.ext_size;
263 : }
264 0 : if (n->m_len > left)
265 0 : n->m_len = left;
266 : noff = 0;
267 0 : }
268 0 : len = min(m->m_len - moff, n->m_len - noff);
269 :
270 0 : crc = ether_crc32_le_update(crc, mtod(m, caddr_t) + moff, len);
271 0 : rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff,
272 0 : mtod(n, caddr_t) + noff, len);
273 :
274 0 : moff += len;
275 0 : noff += len;
276 0 : left -= len;
277 : }
278 :
279 : /* reserve trailing space for TKIP MIC and WEP ICV */
280 0 : if (M_TRAILINGSPACE(n) < IEEE80211_TKIP_TAILLEN) {
281 0 : MGET(n->m_next, M_DONTWAIT, n->m_type);
282 0 : if (n->m_next == NULL)
283 : goto nospace;
284 : n = n->m_next;
285 0 : n->m_len = 0;
286 0 : }
287 :
288 : /* compute TKIP MIC over clear text */
289 0 : mic = mtod(n, caddr_t) + n->m_len;
290 0 : ieee80211_tkip_mic(m0, hdrlen, ctx->txmic, mic);
291 0 : crc = ether_crc32_le_update(crc, mic, IEEE80211_TKIP_MICLEN);
292 0 : rc4_crypt(&ctx->rc4, mic, mic, IEEE80211_TKIP_MICLEN);
293 0 : n->m_len += IEEE80211_TKIP_MICLEN;
294 :
295 : /* finalize WEP ICV */
296 0 : icvp = mtod(n, caddr_t) + n->m_len;
297 0 : crc = ~crc;
298 0 : icvp[0] = crc;
299 0 : icvp[1] = crc >> 8;
300 0 : icvp[2] = crc >> 16;
301 0 : icvp[3] = crc >> 24;
302 0 : rc4_crypt(&ctx->rc4, icvp, icvp, IEEE80211_WEP_CRCLEN);
303 0 : n->m_len += IEEE80211_WEP_CRCLEN;
304 :
305 0 : n0->m_pkthdr.len += IEEE80211_TKIP_TAILLEN;
306 :
307 0 : m_freem(m0);
308 0 : return n0;
309 : nospace:
310 0 : ic->ic_stats.is_tx_nombuf++;
311 0 : m_freem(m0);
312 0 : m_freem(n0);
313 0 : return NULL;
314 0 : }
315 :
316 : struct mbuf *
317 0 : ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
318 : struct ieee80211_key *k)
319 : {
320 0 : struct ieee80211_tkip_ctx *ctx = k->k_priv;
321 : struct ieee80211_frame *wh;
322 0 : u_int16_t wepseed[8]; /* needs to be 16-bit aligned for Phase2 */
323 0 : u_int8_t buf[IEEE80211_TKIP_MICLEN + IEEE80211_WEP_CRCLEN];
324 0 : u_int8_t mic[IEEE80211_TKIP_MICLEN];
325 : u_int64_t tsc, *prsc;
326 : u_int32_t crc, crc0;
327 : u_int8_t *ivp, *mic0;
328 : u_int8_t tid;
329 : struct mbuf *n0, *m, *n;
330 : int hdrlen, left, moff, noff, len;
331 :
332 0 : wh = mtod(m0, struct ieee80211_frame *);
333 0 : hdrlen = ieee80211_get_hdrlen(wh);
334 :
335 0 : if (m0->m_pkthdr.len < hdrlen + IEEE80211_TKIP_OVHD) {
336 0 : m_freem(m0);
337 0 : return NULL;
338 : }
339 :
340 0 : ivp = (u_int8_t *)wh + hdrlen;
341 : /* check that ExtIV bit is set */
342 0 : if (!(ivp[3] & IEEE80211_WEP_EXTIV)) {
343 0 : m_freem(m0);
344 0 : return NULL;
345 : }
346 :
347 : /* retrieve last seen packet number for this frame priority */
348 0 : tid = ieee80211_has_qos(wh) ?
349 0 : ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0;
350 0 : prsc = &k->k_rsc[tid];
351 :
352 : /* extract the 48-bit TSC from the TKIP header */
353 0 : tsc = (u_int64_t)ivp[2] |
354 0 : (u_int64_t)ivp[0] << 8 |
355 0 : (u_int64_t)ivp[4] << 16 |
356 0 : (u_int64_t)ivp[5] << 24 |
357 0 : (u_int64_t)ivp[6] << 32 |
358 0 : (u_int64_t)ivp[7] << 40;
359 0 : if (tsc <= *prsc) {
360 : /* replayed frame, discard */
361 0 : ic->ic_stats.is_tkip_replays++;
362 0 : m_freem(m0);
363 0 : return NULL;
364 : }
365 :
366 0 : MGET(n0, M_DONTWAIT, m0->m_type);
367 0 : if (n0 == NULL)
368 : goto nospace;
369 0 : if (m_dup_pkthdr(n0, m0, M_DONTWAIT))
370 : goto nospace;
371 0 : n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD;
372 0 : n0->m_len = MHLEN;
373 0 : if (n0->m_pkthdr.len >= MINCLSIZE) {
374 0 : MCLGET(n0, M_DONTWAIT);
375 0 : if (n0->m_flags & M_EXT)
376 0 : n0->m_len = n0->m_ext.ext_size;
377 : }
378 0 : if (n0->m_len > n0->m_pkthdr.len)
379 0 : n0->m_len = n0->m_pkthdr.len;
380 :
381 : /* copy 802.11 header and clear protected bit */
382 0 : memcpy(mtod(n0, caddr_t), wh, hdrlen);
383 0 : wh = mtod(n0, struct ieee80211_frame *);
384 0 : wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
385 :
386 : /* compute WEP seed */
387 0 : if (!ctx->rxttak_ok || (tsc >> 16) != (*prsc >> 16)) {
388 0 : ctx->rxttak_ok = 0; /* invalidate cached TTAK (if any) */
389 0 : Phase1(ctx->rxttak, k->k_key, wh->i_addr2, tsc >> 16);
390 0 : }
391 0 : Phase2((u_int8_t *)wepseed, k->k_key, ctx->rxttak, tsc & 0xffff);
392 0 : rc4_keysetup(&ctx->rc4, (u_int8_t *)wepseed, 16);
393 0 : explicit_bzero(wepseed, sizeof(wepseed));
394 :
395 : /* decrypt frame body and compute WEP ICV */
396 : m = m0;
397 : n = n0;
398 0 : moff = hdrlen + IEEE80211_TKIP_HDRLEN;
399 : noff = hdrlen;
400 0 : left = n0->m_pkthdr.len - noff;
401 : crc = ~0;
402 0 : while (left > 0) {
403 0 : if (moff == m->m_len) {
404 : /* nothing left to copy from m */
405 0 : m = m->m_next;
406 : moff = 0;
407 0 : }
408 0 : if (noff == n->m_len) {
409 : /* n is full and there's more data to copy */
410 0 : MGET(n->m_next, M_DONTWAIT, n->m_type);
411 0 : if (n->m_next == NULL)
412 : goto nospace;
413 : n = n->m_next;
414 0 : n->m_len = MLEN;
415 0 : if (left >= MINCLSIZE) {
416 0 : MCLGET(n, M_DONTWAIT);
417 0 : if (n->m_flags & M_EXT)
418 0 : n->m_len = n->m_ext.ext_size;
419 : }
420 0 : if (n->m_len > left)
421 0 : n->m_len = left;
422 : noff = 0;
423 0 : }
424 0 : len = min(m->m_len - moff, n->m_len - noff);
425 :
426 0 : rc4_crypt(&ctx->rc4, mtod(m, caddr_t) + moff,
427 0 : mtod(n, caddr_t) + noff, len);
428 0 : crc = ether_crc32_le_update(crc, mtod(n, caddr_t) + noff, len);
429 :
430 0 : moff += len;
431 0 : noff += len;
432 0 : left -= len;
433 : }
434 :
435 : /* extract and decrypt TKIP MIC and WEP ICV from m0's tail */
436 0 : m_copydata(m, moff, IEEE80211_TKIP_TAILLEN, buf);
437 0 : rc4_crypt(&ctx->rc4, buf, buf, IEEE80211_TKIP_TAILLEN);
438 :
439 : /* include TKIP MIC in WEP ICV */
440 : mic0 = buf;
441 0 : crc = ether_crc32_le_update(crc, mic0, IEEE80211_TKIP_MICLEN);
442 0 : crc = ~crc;
443 :
444 : /* decrypt ICV and compare it with calculated ICV */
445 0 : crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN);
446 0 : if (crc != letoh32(crc0)) {
447 0 : ic->ic_stats.is_tkip_icv_errs++;
448 0 : m_freem(m0);
449 0 : m_freem(n0);
450 0 : return NULL;
451 : }
452 :
453 : /* compute TKIP MIC over decrypted message */
454 0 : ieee80211_tkip_mic(n0, hdrlen, ctx->rxmic, mic);
455 : /* check that it matches the MIC in received frame */
456 0 : if (timingsafe_bcmp(mic0, mic, IEEE80211_TKIP_MICLEN) != 0) {
457 0 : m_freem(m0);
458 0 : m_freem(n0);
459 0 : ic->ic_stats.is_rx_locmicfail++;
460 0 : ieee80211_michael_mic_failure(ic, tsc);
461 0 : return NULL;
462 : }
463 :
464 : /* update last seen packet number (MIC is validated) */
465 0 : *prsc = tsc;
466 : /* mark cached TTAK as valid */
467 0 : ctx->rxttak_ok = 1;
468 :
469 0 : m_freem(m0);
470 0 : return n0;
471 : nospace:
472 0 : ic->ic_stats.is_rx_nombuf++;
473 0 : m_freem(m0);
474 0 : m_freem(n0);
475 0 : return NULL;
476 0 : }
477 :
478 : #ifndef IEEE80211_STA_ONLY
479 : /*
480 : * This function is called in HostAP mode to deauthenticate all STAs using
481 : * TKIP as their pairwise or group cipher (as part of TKIP countermeasures).
482 : */
483 : static void
484 0 : ieee80211_tkip_deauth(void *arg, struct ieee80211_node *ni)
485 : {
486 0 : struct ieee80211com *ic = arg;
487 :
488 0 : if (ni->ni_state == IEEE80211_STA_ASSOC &&
489 0 : (ic->ic_bss->ni_rsngroupcipher == IEEE80211_CIPHER_TKIP ||
490 0 : ni->ni_rsncipher == IEEE80211_CIPHER_TKIP)) {
491 : /* deauthenticate STA */
492 0 : IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
493 : IEEE80211_REASON_MIC_FAILURE);
494 0 : ieee80211_node_leave(ic, ni);
495 0 : }
496 0 : }
497 :
498 : void
499 0 : ieee80211_michael_mic_failure_timeout(void *arg)
500 : {
501 0 : struct ieee80211com *ic = arg;
502 :
503 : /* Disable TKIP countermeasures. */
504 0 : ic->ic_flags &= ~IEEE80211_F_COUNTERM;
505 0 : }
506 : #endif /* IEEE80211_STA_ONLY */
507 :
508 : /*
509 : * This function can be called by the software TKIP crypto code or by the
510 : * drivers when their hardware crypto engines detect a Michael MIC failure.
511 : */
512 : void
513 0 : ieee80211_michael_mic_failure(struct ieee80211com *ic, u_int64_t tsc)
514 : {
515 : extern int ticks;
516 : #ifndef IEEE80211_STA_ONLY
517 : int sec;
518 : #endif
519 :
520 0 : if (ic->ic_flags & IEEE80211_F_COUNTERM)
521 0 : return; /* countermeasures already active */
522 :
523 0 : log(LOG_WARNING, "%s: Michael MIC failure\n", ic->ic_if.if_xname);
524 :
525 : /*
526 : * NB. do not send Michael MIC Failure reports as recommended since
527 : * these may be used as an oracle to verify CRC guesses as described
528 : * in Beck, M. and Tews S. "Practical attacks against WEP and WPA"
529 : * http://dl.aircrack-ng.org/breakingwepandwpa.pdf
530 : */
531 :
532 : /*
533 : * Activate TKIP countermeasures (see 802.11-2012 11.4.2.4) if less than
534 : * 60 seconds have passed since the most recent previous MIC failure.
535 : */
536 0 : if (ic->ic_tkip_micfail == 0 ||
537 0 : ticks - (ic->ic_tkip_micfail + 60 * hz) >= 0) {
538 0 : ic->ic_tkip_micfail = ticks;
539 0 : ic->ic_tkip_micfail_last_tsc = tsc;
540 0 : return;
541 : }
542 :
543 0 : switch (ic->ic_opmode) {
544 : #ifndef IEEE80211_STA_ONLY
545 : case IEEE80211_M_HOSTAP:
546 : /* refuse new TKIP associations for at least 60 seconds */
547 0 : ic->ic_flags |= IEEE80211_F_COUNTERM;
548 0 : sec = 60 + arc4random_uniform(30);
549 0 : log(LOG_WARNING, "%s: HostAP will be disabled for %d seconds "
550 : "as a countermeasure against TKIP key cracking attempts\n",
551 : ic->ic_if.if_xname, sec);
552 0 : timeout_add_sec(&ic->ic_tkip_micfail_timeout, sec);
553 :
554 : /* deauthenticate all currently associated STAs using TKIP */
555 0 : ieee80211_iterate_nodes(ic, ieee80211_tkip_deauth, ic);
556 :
557 : /* schedule a GTK change */
558 0 : timeout_add_sec(&ic->ic_rsn_timeout, 1);
559 0 : break;
560 : #endif
561 : case IEEE80211_M_STA:
562 : /*
563 : * Notify the AP of MIC failures: send two Michael
564 : * MIC Failure Report frames back-to-back to trigger
565 : * countermeasures at the AP end.
566 : */
567 0 : (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss,
568 : EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE,
569 0 : ic->ic_tkip_micfail_last_tsc);
570 0 : (void)ieee80211_send_eapol_key_req(ic, ic->ic_bss,
571 : EAPOL_KEY_KEYMIC | EAPOL_KEY_ERROR | EAPOL_KEY_SECURE,
572 : tsc);
573 :
574 : /* deauthenticate from the AP.. */
575 0 : IEEE80211_SEND_MGMT(ic, ic->ic_bss,
576 : IEEE80211_FC0_SUBTYPE_DEAUTH,
577 : IEEE80211_REASON_MIC_FAILURE);
578 : /* ..and find another one */
579 0 : (void)ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
580 0 : break;
581 : default:
582 : break;
583 : }
584 :
585 0 : ic->ic_tkip_micfail = ticks;
586 0 : ic->ic_tkip_micfail_last_tsc = tsc;
587 0 : }
588 :
589 : /***********************************************************************
590 : Contents: Generate IEEE 802.11 per-frame RC4 key hash test vectors
591 : Date: April 19, 2002
592 : Notes:
593 : This code is written for pedagogical purposes, NOT for performance.
594 : ************************************************************************/
595 :
596 : /* macros for extraction/creation of byte/u16b values */
597 : #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
598 : #define Lo8(v16) ((byte)( (v16) & 0x00FF))
599 : #define Hi8(v16) ((byte)(((v16) >> 8) & 0x00FF))
600 : #define Lo16(v32) ((u16b)( (v32) & 0xFFFF))
601 : #define Hi16(v32) ((u16b)(((v32) >>16) & 0xFFFF))
602 : #define Mk16(hi,lo) ((lo) ^ (((u16b)(hi)) << 8))
603 :
604 : /* select the Nth 16-bit word of the Temporal Key byte array TK[] */
605 : #define TK16(N) Mk16(TK[2 * (N) + 1], TK[2 * (N)])
606 :
607 : /* S-box lookup: 16 bits --> 16 bits */
608 : #define _S_(v16) (Sbox[Lo8(v16)] ^ swap16(Sbox[Hi8(v16)]))
609 :
610 : /* fixed algorithm "parameters" */
611 : #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
612 : #define TA_SIZE 6 /* 48-bit transmitter address */
613 : #define TK_SIZE 16 /* 128-bit Temporal Key */
614 : #define P1K_SIZE 10 /* 80-bit Phase1 key */
615 : #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */
616 :
617 : /* 2-byte by 2-byte subset of the full AES S-box table */
618 : static const u16b Sbox[256]= /* Sbox for hash */
619 : {
620 : 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
621 : 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
622 : 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
623 : 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
624 : 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
625 : 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
626 : 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
627 : 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
628 : 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
629 : 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
630 : 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
631 : 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
632 : 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
633 : 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
634 : 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
635 : 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
636 : 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
637 : 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
638 : 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
639 : 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
640 : 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
641 : 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
642 : 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
643 : 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
644 : 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
645 : 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
646 : 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
647 : 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
648 : 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
649 : 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
650 : 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
651 : 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A
652 : };
653 :
654 : /*
655 : **********************************************************************
656 : * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
657 : *
658 : * Inputs:
659 : * TK[] = Temporal Key [128 bits]
660 : * TA[] = transmitter's MAC address [ 48 bits]
661 : * IV32 = upper 32 bits of IV [ 32 bits]
662 : * Output:
663 : * P1K[] = Phase 1 key [ 80 bits]
664 : *
665 : * Note:
666 : * This function only needs to be called every 2**16 frames,
667 : * although in theory it could be called every frame.
668 : *
669 : **********************************************************************
670 : */
671 : static void
672 0 : Phase1(u16b *P1K, const byte *TK, const byte *TA, u32b IV32)
673 : {
674 : int i;
675 :
676 : /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
677 0 : P1K[0] = Lo16(IV32);
678 0 : P1K[1] = Hi16(IV32);
679 0 : P1K[2] = Mk16(TA[1], TA[0]); /* use TA[] as little-endian */
680 0 : P1K[3] = Mk16(TA[3], TA[2]);
681 0 : P1K[4] = Mk16(TA[5], TA[4]);
682 :
683 : /* Now compute an unbalanced Feistel cipher with 80-bit block */
684 : /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
685 0 : for (i = 0; i < PHASE1_LOOP_CNT; i++) {
686 : /* Each add operation here is mod 2**16 */
687 0 : P1K[0] += _S_(P1K[4] ^ TK16((i & 1) + 0));
688 0 : P1K[1] += _S_(P1K[0] ^ TK16((i & 1) + 2));
689 0 : P1K[2] += _S_(P1K[1] ^ TK16((i & 1) + 4));
690 0 : P1K[3] += _S_(P1K[2] ^ TK16((i & 1) + 6));
691 0 : P1K[4] += _S_(P1K[3] ^ TK16((i & 1) + 0));
692 0 : P1K[4] += i; /* avoid "slide attacks" */
693 : }
694 0 : }
695 :
696 : /*
697 : **********************************************************************
698 : * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
699 : *
700 : * Inputs:
701 : * TK[] = Temporal Key [128 bits]
702 : * P1K[] = Phase 1 output key [ 80 bits]
703 : * IV16 = low 16 bits of IV counter [ 16 bits]
704 : * Output:
705 : * RC4KEY[] = the key used to encrypt the frame [128 bits]
706 : *
707 : * Note:
708 : * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique
709 : * across all frames using the same key TK value. Then, for a
710 : * given value of TK[], this TKIP48 construction guarantees that
711 : * the final RC4KEY value is unique across all frames.
712 : *
713 : **********************************************************************
714 : */
715 : static void
716 0 : Phase2(byte *RC4KEY, const byte *TK, const u16b *P1K, u16b IV16)
717 : {
718 : u16b *PPK; /* temporary key for mixing */
719 : int i;
720 :
721 : /*
722 : * Suggested implementation optimization: if PPK[] is "overlaid"
723 : * appropriately on RC4KEY[], there is no need for the final for
724 : * loop that copies the PPK[] result into RC4KEY[].
725 : */
726 0 : PPK = (u16b *)&RC4KEY[4];
727 :
728 : /* all adds in the PPK[] equations below are mod 2**16 */
729 0 : for (i = 0; i < 5; i++)
730 0 : PPK[i] = P1K[i]; /* first, copy P1K to PPK */
731 0 : PPK[5] = P1K[4] + IV16; /* next, add in IV16 */
732 :
733 : /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
734 0 : PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
735 0 : PPK[1] += _S_(PPK[0] ^ TK16(1));
736 0 : PPK[2] += _S_(PPK[1] ^ TK16(2));
737 0 : PPK[3] += _S_(PPK[2] ^ TK16(3));
738 0 : PPK[4] += _S_(PPK[3] ^ TK16(4));
739 0 : PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
740 :
741 : /* Final sweep: bijective, linear. Rotates kill LSB correlations */
742 0 : PPK[0] += RotR1(PPK[5] ^ TK16(6));
743 0 : PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
744 0 : PPK[2] += RotR1(PPK[1]);
745 0 : PPK[3] += RotR1(PPK[2]);
746 0 : PPK[4] += RotR1(PPK[3]);
747 0 : PPK[5] += RotR1(PPK[4]);
748 :
749 : /* At this point, for a given key TK[0..15], the 96-bit output */
750 : /* value PPK[0..5] is guaranteed to be unique, as a function */
751 : /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */
752 : /* is now a keyed permutation of {TA,IV32,IV16}. */
753 : /* Set RC4KEY[0..3], which includes cleartext portion of RC4 key */
754 0 : RC4KEY[0] = Hi8(IV16); /* RC4KEY[0..2] is the WEP IV */
755 0 : RC4KEY[1] =(Hi8(IV16) | 0x20) & 0x7F; /* Help avoid FMS weak keys */
756 0 : RC4KEY[2] = Lo8(IV16);
757 0 : RC4KEY[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
758 :
759 : #if BYTE_ORDER == BIG_ENDIAN
760 : /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
761 : for (i = 0; i < 6; i++)
762 : PPK[i] = swap16(PPK[i]);
763 : #endif
764 0 : }
|
