net/mac80211/tkip.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright 2002-2004, Instant802 Networks, Inc.
0004  * Copyright 2005, Devicescape Software, Inc.
0005  * Copyright (C) 2016 Intel Deutschland GmbH
0006  */
0007 #include <linux/kernel.h>
0008 #include <linux/bitops.h>
0009 #include <linux/types.h>
0010 #include <linux/netdevice.h>
0011 #include <linux/export.h>
0012 #include <asm/unaligned.h>
0013
0014 #include <net/mac80211.h>
0015 #include "driver-ops.h"
0016 #include "key.h"
0017 #include "tkip.h"
0018 #include "wep.h"
0019
0020 #define PHASE1_LOOP_COUNT 8
0021
0022 /*
0023  * 2-byte by 2-byte subset of the full AES S-box table; second part of this
0024  * table is identical to first part but byte-swapped
0025  */
0026 static const u16 tkip_sbox[256] =
0027 {
0028     0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
0029     0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
0030     0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
0031     0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
0032     0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
0033     0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
0034     0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
0035     0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
0036     0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
0037     0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
0038     0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
0039     0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
0040     0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
0041     0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
0042     0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
0043     0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
0044     0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
0045     0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
0046     0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
0047     0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
0048     0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
0049     0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
0050     0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
0051     0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
0052     0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
0053     0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
0054     0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
0055     0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
0056     0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
0057     0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
0058     0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
0059     0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
0060 };
0061
0062 static u16 tkipS(u16 val)
0063 {
0064     return tkip_sbox[val & 0xff] ^ swab16(tkip_sbox[val >> 8]);
0065 }
0066
0067 static u8 *write_tkip_iv(u8 *pos, u16 iv16)
0068 {
0069     *pos++ = iv16 >> 8;
0070     *pos++ = ((iv16 >> 8) | 0x20) & 0x7f;
0071     *pos++ = iv16 & 0xFF;
0072     return pos;
0073 }
0074
0075 /*
0076  * P1K := Phase1(TA, TK, TSC)
0077  * TA = transmitter address (48 bits)
0078  * TK = dot11DefaultKeyValue or dot11KeyMappingValue (128 bits)
0079  * TSC = TKIP sequence counter (48 bits, only 32 msb bits used)
0080  * P1K: 80 bits
0081  */
0082 static void tkip_mixing_phase1(const u8 *tk, struct tkip_ctx *ctx,
0083                    const u8 *ta, u32 tsc_IV32)
0084 {
0085     int i, j;
0086     u16 *p1k = ctx->p1k;
0087
0088     p1k[0] = tsc_IV32 & 0xFFFF;
0089     p1k[1] = tsc_IV32 >> 16;
0090     p1k[2] = get_unaligned_le16(ta + 0);
0091     p1k[3] = get_unaligned_le16(ta + 2);
0092     p1k[4] = get_unaligned_le16(ta + 4);
0093
0094     for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
0095         j = 2 * (i & 1);
0096         p1k[0] += tkipS(p1k[4] ^ get_unaligned_le16(tk + 0 + j));
0097         p1k[1] += tkipS(p1k[0] ^ get_unaligned_le16(tk + 4 + j));
0098         p1k[2] += tkipS(p1k[1] ^ get_unaligned_le16(tk + 8 + j));
0099         p1k[3] += tkipS(p1k[2] ^ get_unaligned_le16(tk + 12 + j));
0100         p1k[4] += tkipS(p1k[3] ^ get_unaligned_le16(tk + 0 + j)) + i;
0101     }
0102     ctx->state = TKIP_STATE_PHASE1_DONE;
0103     ctx->p1k_iv32 = tsc_IV32;
0104 }
0105
0106 static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx,
0107                    u16 tsc_IV16, u8 *rc4key)
0108 {
0109     u16 ppk[6];
0110     const u16 *p1k = ctx->p1k;
0111     int i;
0112
0113     ppk[0] = p1k[0];
0114     ppk[1] = p1k[1];
0115     ppk[2] = p1k[2];
0116     ppk[3] = p1k[3];
0117     ppk[4] = p1k[4];
0118     ppk[5] = p1k[4] + tsc_IV16;
0119
0120     ppk[0] += tkipS(ppk[5] ^ get_unaligned_le16(tk + 0));
0121     ppk[1] += tkipS(ppk[0] ^ get_unaligned_le16(tk + 2));
0122     ppk[2] += tkipS(ppk[1] ^ get_unaligned_le16(tk + 4));
0123     ppk[3] += tkipS(ppk[2] ^ get_unaligned_le16(tk + 6));
0124     ppk[4] += tkipS(ppk[3] ^ get_unaligned_le16(tk + 8));
0125     ppk[5] += tkipS(ppk[4] ^ get_unaligned_le16(tk + 10));
0126     ppk[0] += ror16(ppk[5] ^ get_unaligned_le16(tk + 12), 1);
0127     ppk[1] += ror16(ppk[0] ^ get_unaligned_le16(tk + 14), 1);
0128     ppk[2] += ror16(ppk[1], 1);
0129     ppk[3] += ror16(ppk[2], 1);
0130     ppk[4] += ror16(ppk[3], 1);
0131     ppk[5] += ror16(ppk[4], 1);
0132
0133     rc4key = write_tkip_iv(rc4key, tsc_IV16);
0134     *rc4key++ = ((ppk[5] ^ get_unaligned_le16(tk)) >> 1) & 0xFF;
0135
0136     for (i = 0; i < 6; i++)
0137         put_unaligned_le16(ppk[i], rc4key + 2 * i);
0138 }
0139
0140 /* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets
0141  * of the IV. Returns pointer to the octet following IVs (i.e., beginning of
0142  * the packet payload). */
0143 u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key_conf *keyconf, u64 pn)
0144 {
0145     pos = write_tkip_iv(pos, TKIP_PN_TO_IV16(pn));
0146     *pos++ = (keyconf->keyidx << 6) | (1 << 5) /* Ext IV */;
0147     put_unaligned_le32(TKIP_PN_TO_IV32(pn), pos);
0148     return pos + 4;
0149 }
0150 EXPORT_SYMBOL_GPL(ieee80211_tkip_add_iv);
0151
0152 static void ieee80211_compute_tkip_p1k(struct ieee80211_key *key, u32 iv32)
0153 {
0154     struct ieee80211_sub_if_data *sdata = key->sdata;
0155     struct tkip_ctx *ctx = &key->u.tkip.tx;
0156     const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
0157
0158     lockdep_assert_held(&key->u.tkip.txlock);
0159
0160     /*
0161      * Update the P1K when the IV32 is different from the value it
0162      * had when we last computed it (or when not initialised yet).
0163      * This might flip-flop back and forth if packets are processed
0164      * out-of-order due to the different ACs, but then we have to
0165      * just compute the P1K more often.
0166      */
0167     if (ctx->p1k_iv32 != iv32 || ctx->state == TKIP_STATE_NOT_INIT)
0168         tkip_mixing_phase1(tk, ctx, sdata->vif.addr, iv32);
0169 }
0170
0171 void ieee80211_get_tkip_p1k_iv(struct ieee80211_key_conf *keyconf,
0172                    u32 iv32, u16 *p1k)
0173 {
0174     struct ieee80211_key *key = (struct ieee80211_key *)
0175             container_of(keyconf, struct ieee80211_key, conf);
0176     struct tkip_ctx *ctx = &key->u.tkip.tx;
0177
0178     spin_lock_bh(&key->u.tkip.txlock);
0179     ieee80211_compute_tkip_p1k(key, iv32);
0180     memcpy(p1k, ctx->p1k, sizeof(ctx->p1k));
0181     spin_unlock_bh(&key->u.tkip.txlock);
0182 }
0183 EXPORT_SYMBOL(ieee80211_get_tkip_p1k_iv);
0184
0185 void ieee80211_get_tkip_rx_p1k(struct ieee80211_key_conf *keyconf,
0186                    const u8 *ta, u32 iv32, u16 *p1k)
0187 {
0188     const u8 *tk = &keyconf->key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
0189     struct tkip_ctx ctx;
0190
0191     tkip_mixing_phase1(tk, &ctx, ta, iv32);
0192     memcpy(p1k, ctx.p1k, sizeof(ctx.p1k));
0193 }
0194 EXPORT_SYMBOL(ieee80211_get_tkip_rx_p1k);
0195
0196 void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf,
0197                 struct sk_buff *skb, u8 *p2k)
0198 {
0199     struct ieee80211_key *key = (struct ieee80211_key *)
0200             container_of(keyconf, struct ieee80211_key, conf);
0201     const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
0202     struct tkip_ctx *ctx = &key->u.tkip.tx;
0203     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
0204     const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control);
0205     u32 iv32 = get_unaligned_le32(&data[4]);
0206     u16 iv16 = data[2] | (data[0] << 8);
0207
0208     spin_lock(&key->u.tkip.txlock);
0209     ieee80211_compute_tkip_p1k(key, iv32);
0210     tkip_mixing_phase2(tk, ctx, iv16, p2k);
0211     spin_unlock(&key->u.tkip.txlock);
0212 }
0213 EXPORT_SYMBOL(ieee80211_get_tkip_p2k);
0214
0215 /*
0216  * Encrypt packet payload with TKIP using @key. @pos is a pointer to the
0217  * beginning of the buffer containing payload. This payload must include
0218  * the IV/Ext.IV and space for (taildroom) four octets for ICV.
0219  * @payload_len is the length of payload (_not_ including IV/ICV length).
0220  * @ta is the transmitter addresses.
0221  */
0222 int ieee80211_tkip_encrypt_data(struct arc4_ctx *ctx,
0223                 struct ieee80211_key *key,
0224                 struct sk_buff *skb,
0225                 u8 *payload, size_t payload_len)
0226 {
0227     u8 rc4key[16];
0228
0229     ieee80211_get_tkip_p2k(&key->conf, skb, rc4key);
0230
0231     return ieee80211_wep_encrypt_data(ctx, rc4key, 16,
0232                       payload, payload_len);
0233 }
0234
0235 /* Decrypt packet payload with TKIP using @key. @pos is a pointer to the
0236  * beginning of the buffer containing IEEE 802.11 header payload, i.e.,
0237  * including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
0238  * length of payload, including IV, Ext. IV, MIC, ICV.  */
0239 int ieee80211_tkip_decrypt_data(struct arc4_ctx *ctx,
0240                 struct ieee80211_key *key,
0241                 u8 *payload, size_t payload_len, u8 *ta,
0242                 u8 *ra, int only_iv, int queue,
0243                 u32 *out_iv32, u16 *out_iv16)
0244 {
0245     u32 iv32;
0246     u32 iv16;
0247     u8 rc4key[16], keyid, *pos = payload;
0248     int res;
0249     const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY];
0250     struct tkip_ctx_rx *rx_ctx = &key->u.tkip.rx[queue];
0251
0252     if (payload_len < 12)
0253         return -1;
0254
0255     iv16 = (pos[0] << 8) | pos[2];
0256     keyid = pos[3];
0257     iv32 = get_unaligned_le32(pos + 4);
0258     pos += 8;
0259
0260     if (!(keyid & (1 << 5)))
0261         return TKIP_DECRYPT_NO_EXT_IV;
0262
0263     if ((keyid >> 6) != key->conf.keyidx)
0264         return TKIP_DECRYPT_INVALID_KEYIDX;
0265
0266     /* Reject replays if the received TSC is smaller than or equal to the
0267      * last received value in a valid message, but with an exception for
0268      * the case where a new key has been set and no valid frame using that
0269      * key has yet received and the local RSC was initialized to 0. This
0270      * exception allows the very first frame sent by the transmitter to be
0271      * accepted even if that transmitter were to use TSC 0 (IEEE 802.11
0272      * described TSC to be initialized to 1 whenever a new key is taken into
0273      * use).
0274      */
0275     if (iv32 < rx_ctx->iv32 ||
0276         (iv32 == rx_ctx->iv32 &&
0277          (iv16 < rx_ctx->iv16 ||
0278           (iv16 == rx_ctx->iv16 &&
0279            (rx_ctx->iv32 || rx_ctx->iv16 ||
0280         rx_ctx->ctx.state != TKIP_STATE_NOT_INIT)))))
0281         return TKIP_DECRYPT_REPLAY;
0282
0283     if (only_iv) {
0284         res = TKIP_DECRYPT_OK;
0285         rx_ctx->ctx.state = TKIP_STATE_PHASE1_HW_UPLOADED;
0286         goto done;
0287     }
0288
0289     if (rx_ctx->ctx.state == TKIP_STATE_NOT_INIT ||
0290         rx_ctx->iv32 != iv32) {
0291         /* IV16 wrapped around - perform TKIP phase 1 */
0292         tkip_mixing_phase1(tk, &rx_ctx->ctx, ta, iv32);
0293     }
0294     if (key->local->ops->update_tkip_key &&
0295         key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE &&
0296         rx_ctx->ctx.state != TKIP_STATE_PHASE1_HW_UPLOADED) {
0297         struct ieee80211_sub_if_data *sdata = key->sdata;
0298
0299         if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
0300             sdata = container_of(key->sdata->bss,
0301                     struct ieee80211_sub_if_data, u.ap);
0302         drv_update_tkip_key(key->local, sdata, &key->conf, key->sta,
0303                 iv32, rx_ctx->ctx.p1k);
0304         rx_ctx->ctx.state = TKIP_STATE_PHASE1_HW_UPLOADED;
0305     }
0306
0307     tkip_mixing_phase2(tk, &rx_ctx->ctx, iv16, rc4key);
0308
0309     res = ieee80211_wep_decrypt_data(ctx, rc4key, 16, pos, payload_len - 12);
0310  done:
0311     if (res == TKIP_DECRYPT_OK) {
0312         /*
0313          * Record previously received IV, will be copied into the
0314          * key information after MIC verification. It is possible
0315          * that we don't catch replays of fragments but that's ok
0316          * because the Michael MIC verication will then fail.
0317          */
0318         *out_iv32 = iv32;
0319         *out_iv16 = iv16;
0320     }
0321
0322     return res;
0323 }