The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_crypto_tkip.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  * 1. Redistributions of source code must retain the above copyright
    9  *    notice, this list of conditions and the following disclaimer.
   10  * 2. Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in the
   12  *    documentation and/or other materials provided with the distribution.
   13  *
   14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   24  */
   25 
   26 #include <sys/cdefs.h>
   27 __FBSDID("$FreeBSD: releng/11.0/sys/net80211/ieee80211_crypto_tkip.c 288526 2015-10-03 00:50:13Z adrian $");
   28 
   29 /*
   30  * IEEE 802.11i TKIP crypto support.
   31  *
   32  * Part of this module is derived from similar code in the Host
   33  * AP driver. The code is used with the consent of the author and
   34  * it's license is included below.
   35  */
   36 #include "opt_wlan.h"
   37 
   38 #include <sys/param.h>
   39 #include <sys/systm.h> 
   40 #include <sys/mbuf.h>   
   41 #include <sys/malloc.h>
   42 #include <sys/kernel.h>
   43 #include <sys/module.h>
   44 #include <sys/endian.h>
   45 
   46 #include <sys/socket.h>
   47 
   48 #include <net/if.h>
   49 #include <net/if_media.h>
   50 #include <net/ethernet.h>
   51 
   52 #include <net80211/ieee80211_var.h>
   53 
   54 static  void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
   55 static  void tkip_detach(struct ieee80211_key *);
   56 static  int tkip_setkey(struct ieee80211_key *);
   57 static  void tkip_setiv(struct ieee80211_key *, uint8_t *);
   58 static  int tkip_encap(struct ieee80211_key *, struct mbuf *);
   59 static  int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
   60 static  int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
   61 static  int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
   62 
   63 static const struct ieee80211_cipher tkip  = {
   64         .ic_name        = "TKIP",
   65         .ic_cipher      = IEEE80211_CIPHER_TKIP,
   66         .ic_header      = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
   67                           IEEE80211_WEP_EXTIVLEN,
   68         .ic_trailer     = IEEE80211_WEP_CRCLEN,
   69         .ic_miclen      = IEEE80211_WEP_MICLEN,
   70         .ic_attach      = tkip_attach,
   71         .ic_detach      = tkip_detach,
   72         .ic_setkey      = tkip_setkey,
   73         .ic_setiv       = tkip_setiv,
   74         .ic_encap       = tkip_encap,
   75         .ic_decap       = tkip_decap,
   76         .ic_enmic       = tkip_enmic,
   77         .ic_demic       = tkip_demic,
   78 };
   79 
   80 typedef uint8_t u8;
   81 typedef uint16_t u16;
   82 typedef uint32_t __u32;
   83 typedef uint32_t u32;
   84 
   85 struct tkip_ctx {
   86         struct ieee80211vap *tc_vap;    /* for diagnostics+statistics */
   87 
   88         u16     tx_ttak[5];
   89         u8      tx_rc4key[16];          /* XXX for test module; make locals? */
   90 
   91         u16     rx_ttak[5];
   92         int     rx_phase1_done;
   93         u8      rx_rc4key[16];          /* XXX for test module; make locals? */
   94         uint64_t rx_rsc;                /* held until MIC verified */
   95 };
   96 
   97 static  void michael_mic(struct tkip_ctx *, const u8 *key,
   98                 struct mbuf *m, u_int off, size_t data_len,
   99                 u8 mic[IEEE80211_WEP_MICLEN]);
  100 static  int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
  101                 struct mbuf *, int hdr_len);
  102 static  int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
  103                 struct mbuf *, int hdr_len);
  104 
  105 /* number of references from net80211 layer */
  106 static  int nrefs = 0;
  107 
  108 static void *
  109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
  110 {
  111         struct tkip_ctx *ctx;
  112 
  113         ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
  114                 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
  115         if (ctx == NULL) {
  116                 vap->iv_stats.is_crypto_nomem++;
  117                 return NULL;
  118         }
  119 
  120         ctx->tc_vap = vap;
  121         nrefs++;                        /* NB: we assume caller locking */
  122         return ctx;
  123 }
  124 
  125 static void
  126 tkip_detach(struct ieee80211_key *k)
  127 {
  128         struct tkip_ctx *ctx = k->wk_private;
  129 
  130         IEEE80211_FREE(ctx, M_80211_CRYPTO);
  131         KASSERT(nrefs > 0, ("imbalanced attach/detach"));
  132         nrefs--;                        /* NB: we assume caller locking */
  133 }
  134 
  135 static int
  136 tkip_setkey(struct ieee80211_key *k)
  137 {
  138         struct tkip_ctx *ctx = k->wk_private;
  139 
  140         if (k->wk_keylen != (128/NBBY)) {
  141                 (void) ctx;             /* XXX */
  142                 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
  143                         "%s: Invalid key length %u, expecting %u\n",
  144                         __func__, k->wk_keylen, 128/NBBY);
  145                 return 0;
  146         }
  147         ctx->rx_phase1_done = 0;
  148         return 1;
  149 }
  150 
  151 static void
  152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
  153 {
  154         struct tkip_ctx *ctx = k->wk_private;
  155         struct ieee80211vap *vap = ctx->tc_vap;
  156         uint8_t keyid;
  157 
  158         keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
  159 
  160         k->wk_keytsc++;
  161         ivp[0] = k->wk_keytsc >> 8;             /* TSC1 */
  162         ivp[1] = (ivp[0] | 0x20) & 0x7f;        /* WEP seed */
  163         ivp[2] = k->wk_keytsc >> 0;             /* TSC0 */
  164         ivp[3] = keyid | IEEE80211_WEP_EXTIV;   /* KeyID | ExtID */
  165         ivp[4] = k->wk_keytsc >> 16;            /* TSC2 */
  166         ivp[5] = k->wk_keytsc >> 24;            /* TSC3 */
  167         ivp[6] = k->wk_keytsc >> 32;            /* TSC4 */
  168         ivp[7] = k->wk_keytsc >> 40;            /* TSC5 */
  169 }
  170 
  171 /*
  172  * Add privacy headers and do any s/w encryption required.
  173  */
  174 static int
  175 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
  176 {
  177         struct tkip_ctx *ctx = k->wk_private;
  178         struct ieee80211vap *vap = ctx->tc_vap;
  179         struct ieee80211com *ic = vap->iv_ic;
  180         uint8_t *ivp;
  181         int hdrlen;
  182 
  183         /*
  184          * Handle TKIP counter measures requirement.
  185          */
  186         if (vap->iv_flags & IEEE80211_F_COUNTERM) {
  187 #ifdef IEEE80211_DEBUG
  188                 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
  189 #endif
  190 
  191                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  192                     "discard frame due to countermeasures (%s)", __func__);
  193                 vap->iv_stats.is_crypto_tkipcm++;
  194                 return 0;
  195         }
  196         hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
  197 
  198         /*
  199          * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
  200          */
  201         M_PREPEND(m, tkip.ic_header, M_NOWAIT);
  202         if (m == NULL)
  203                 return 0;
  204         ivp = mtod(m, uint8_t *);
  205         memmove(ivp, ivp + tkip.ic_header, hdrlen);
  206         ivp += hdrlen;
  207 
  208         tkip_setiv(k, ivp);
  209 
  210         /*
  211          * Finally, do software encrypt if needed.
  212          */
  213         if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
  214             !tkip_encrypt(ctx, k, m, hdrlen))
  215                 return 0;
  216 
  217         return 1;
  218 }
  219 
  220 /*
  221  * Add MIC to the frame as needed.
  222  */
  223 static int
  224 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
  225 {
  226         struct tkip_ctx *ctx = k->wk_private;
  227 
  228         if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
  229                 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
  230                 struct ieee80211vap *vap = ctx->tc_vap;
  231                 struct ieee80211com *ic = vap->iv_ic;
  232                 int hdrlen;
  233                 uint8_t mic[IEEE80211_WEP_MICLEN];
  234 
  235                 vap->iv_stats.is_crypto_tkipenmic++;
  236 
  237                 hdrlen = ieee80211_hdrspace(ic, wh);
  238 
  239                 michael_mic(ctx, k->wk_txmic,
  240                         m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
  241                 return m_append(m, tkip.ic_miclen, mic);
  242         }
  243         return 1;
  244 }
  245 
  246 static __inline uint64_t
  247 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
  248 {
  249         uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
  250         uint16_t iv16 = (b4 << 0) | (b5 << 8);
  251         return (((uint64_t)iv16) << 32) | iv32;
  252 }
  253 
  254 /*
  255  * Validate and strip privacy headers (and trailer) for a
  256  * received frame.  If necessary, decrypt the frame using
  257  * the specified key.
  258  */
  259 static int
  260 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
  261 {
  262         struct tkip_ctx *ctx = k->wk_private;
  263         struct ieee80211vap *vap = ctx->tc_vap;
  264         struct ieee80211_frame *wh;
  265         uint8_t *ivp, tid;
  266 
  267         /*
  268          * Header should have extended IV and sequence number;
  269          * verify the former and validate the latter.
  270          */
  271         wh = mtod(m, struct ieee80211_frame *);
  272         ivp = mtod(m, uint8_t *) + hdrlen;
  273         if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
  274                 /*
  275                  * No extended IV; discard frame.
  276                  */
  277                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  278                     "%s", "missing ExtIV for TKIP cipher");
  279                 vap->iv_stats.is_rx_tkipformat++;
  280                 return 0;
  281         }
  282         /*
  283          * Handle TKIP counter measures requirement.
  284          */
  285         if (vap->iv_flags & IEEE80211_F_COUNTERM) {
  286                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  287                     "discard frame due to countermeasures (%s)", __func__);
  288                 vap->iv_stats.is_crypto_tkipcm++;
  289                 return 0;
  290         }
  291 
  292         tid = ieee80211_gettid(wh);
  293         ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
  294         if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
  295             (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
  296                 /*
  297                  * Replay violation; notify upper layer.
  298                  */
  299                 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
  300                 vap->iv_stats.is_rx_tkipreplay++;
  301                 return 0;
  302         }
  303         /*
  304          * NB: We can't update the rsc in the key until MIC is verified.
  305          *
  306          * We assume we are not preempted between doing the check above
  307          * and updating wk_keyrsc when stripping the MIC in tkip_demic.
  308          * Otherwise we might process another packet and discard it as
  309          * a replay.
  310          */
  311 
  312         /*
  313          * Check if the device handled the decrypt in hardware.
  314          * If so we just strip the header; otherwise we need to
  315          * handle the decrypt in software.
  316          */
  317         if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
  318             !tkip_decrypt(ctx, k, m, hdrlen))
  319                 return 0;
  320 
  321         /*
  322          * Copy up 802.11 header and strip crypto bits.
  323          */
  324         memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
  325         m_adj(m, tkip.ic_header);
  326         m_adj(m, -tkip.ic_trailer);
  327 
  328         return 1;
  329 }
  330 
  331 /*
  332  * Verify and strip MIC from the frame.
  333  */
  334 static int
  335 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
  336 {
  337         struct tkip_ctx *ctx = k->wk_private;
  338         struct ieee80211_frame *wh;
  339         uint8_t tid;
  340 
  341         wh = mtod(m, struct ieee80211_frame *);
  342         if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
  343                 struct ieee80211vap *vap = ctx->tc_vap;
  344                 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
  345                 u8 mic[IEEE80211_WEP_MICLEN];
  346                 u8 mic0[IEEE80211_WEP_MICLEN];
  347 
  348                 vap->iv_stats.is_crypto_tkipdemic++;
  349 
  350                 michael_mic(ctx, k->wk_rxmic, 
  351                         m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
  352                         mic);
  353                 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
  354                         tkip.ic_miclen, mic0);
  355                 if (memcmp(mic, mic0, tkip.ic_miclen)) {
  356                         /* NB: 802.11 layer handles statistic and debug msg */
  357                         ieee80211_notify_michael_failure(vap, wh,
  358                                 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
  359                                         k->wk_rxkeyix : k->wk_keyix);
  360                         return 0;
  361                 }
  362         }
  363         /*
  364          * Strip MIC from the tail.
  365          */
  366         m_adj(m, -tkip.ic_miclen);
  367 
  368         /*
  369          * Ok to update rsc now that MIC has been verified.
  370          */
  371         tid = ieee80211_gettid(wh);
  372         k->wk_keyrsc[tid] = ctx->rx_rsc;
  373 
  374         return 1;
  375 }
  376 
  377 /*
  378  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
  379  *
  380  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
  381  *
  382  * This program is free software; you can redistribute it and/or modify
  383  * it under the terms of the GNU General Public License version 2 as
  384  * published by the Free Software Foundation. See README and COPYING for
  385  * more details.
  386  *
  387  * Alternatively, this software may be distributed under the terms of BSD
  388  * license.
  389  */
  390 
  391 static const __u32 crc32_table[256] = {
  392         0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
  393         0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
  394         0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
  395         0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
  396         0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
  397         0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
  398         0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
  399         0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
  400         0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
  401         0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
  402         0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
  403         0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
  404         0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
  405         0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
  406         0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
  407         0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
  408         0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
  409         0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
  410         0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
  411         0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
  412         0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
  413         0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
  414         0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
  415         0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
  416         0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
  417         0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
  418         0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
  419         0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
  420         0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
  421         0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
  422         0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
  423         0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
  424         0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
  425         0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
  426         0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
  427         0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
  428         0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
  429         0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
  430         0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
  431         0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
  432         0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
  433         0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
  434         0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
  435         0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
  436         0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
  437         0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
  438         0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
  439         0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
  440         0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
  441         0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
  442         0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
  443         0x2d02ef8dL
  444 };
  445 
  446 static __inline u16 RotR1(u16 val)
  447 {
  448         return (val >> 1) | (val << 15);
  449 }
  450 
  451 static __inline u8 Lo8(u16 val)
  452 {
  453         return val & 0xff;
  454 }
  455 
  456 static __inline u8 Hi8(u16 val)
  457 {
  458         return val >> 8;
  459 }
  460 
  461 static __inline u16 Lo16(u32 val)
  462 {
  463         return val & 0xffff;
  464 }
  465 
  466 static __inline u16 Hi16(u32 val)
  467 {
  468         return val >> 16;
  469 }
  470 
  471 static __inline u16 Mk16(u8 hi, u8 lo)
  472 {
  473         return lo | (((u16) hi) << 8);
  474 }
  475 
  476 static __inline u16 Mk16_le(const u16 *v)
  477 {
  478         return le16toh(*v);
  479 }
  480 
  481 static const u16 Sbox[256] = {
  482         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
  483         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
  484         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
  485         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
  486         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
  487         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
  488         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
  489         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
  490         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
  491         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
  492         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
  493         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
  494         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
  495         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
  496         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
  497         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
  498         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
  499         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
  500         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
  501         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
  502         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
  503         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
  504         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
  505         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
  506         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
  507         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
  508         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
  509         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
  510         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
  511         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
  512         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
  513         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
  514 };
  515 
  516 static __inline u16 _S_(u16 v)
  517 {
  518         u16 t = Sbox[Hi8(v)];
  519         return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
  520 }
  521 
  522 #define PHASE1_LOOP_COUNT 8
  523 
  524 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
  525 {
  526         int i, j;
  527 
  528         /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
  529         TTAK[0] = Lo16(IV32);
  530         TTAK[1] = Hi16(IV32);
  531         TTAK[2] = Mk16(TA[1], TA[0]);
  532         TTAK[3] = Mk16(TA[3], TA[2]);
  533         TTAK[4] = Mk16(TA[5], TA[4]);
  534 
  535         for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
  536                 j = 2 * (i & 1);
  537                 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
  538                 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
  539                 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
  540                 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
  541                 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
  542         }
  543 }
  544 
  545 #ifndef _BYTE_ORDER
  546 #error "Don't know native byte order"
  547 #endif
  548 
  549 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
  550                                u16 IV16)
  551 {
  552         /* Make temporary area overlap WEP seed so that the final copy can be
  553          * avoided on little endian hosts. */
  554         u16 *PPK = (u16 *) &WEPSeed[4];
  555 
  556         /* Step 1 - make copy of TTAK and bring in TSC */
  557         PPK[0] = TTAK[0];
  558         PPK[1] = TTAK[1];
  559         PPK[2] = TTAK[2];
  560         PPK[3] = TTAK[3];
  561         PPK[4] = TTAK[4];
  562         PPK[5] = TTAK[4] + IV16;
  563 
  564         /* Step 2 - 96-bit bijective mixing using S-box */
  565         PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
  566         PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
  567         PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
  568         PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
  569         PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
  570         PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
  571 
  572         PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
  573         PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
  574         PPK[2] += RotR1(PPK[1]);
  575         PPK[3] += RotR1(PPK[2]);
  576         PPK[4] += RotR1(PPK[3]);
  577         PPK[5] += RotR1(PPK[4]);
  578 
  579         /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
  580          * WEPSeed[0..2] is transmitted as WEP IV */
  581         WEPSeed[0] = Hi8(IV16);
  582         WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
  583         WEPSeed[2] = Lo8(IV16);
  584         WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
  585 
  586 #if _BYTE_ORDER == _BIG_ENDIAN
  587         {
  588                 int i;
  589                 for (i = 0; i < 6; i++)
  590                         PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
  591         }
  592 #endif
  593 }
  594 
  595 static void
  596 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
  597         uint8_t icv[IEEE80211_WEP_CRCLEN])
  598 {
  599         u32 i, j, k, crc;
  600         size_t buflen;
  601         u8 S[256];
  602         u8 *pos;
  603         struct mbuf *m;
  604 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
  605 
  606         /* Setup RC4 state */
  607         for (i = 0; i < 256; i++)
  608                 S[i] = i;
  609         j = 0;
  610         for (i = 0; i < 256; i++) {
  611                 j = (j + S[i] + key[i & 0x0f]) & 0xff;
  612                 S_SWAP(i, j);
  613         }
  614 
  615         /* Compute CRC32 over unencrypted data and apply RC4 to data */
  616         crc = ~0;
  617         i = j = 0;
  618         m = m0;
  619         pos = mtod(m, uint8_t *) + off;
  620         buflen = m->m_len - off;
  621         for (;;) {
  622                 if (buflen > data_len)
  623                         buflen = data_len;
  624                 data_len -= buflen;
  625                 for (k = 0; k < buflen; k++) {
  626                         crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
  627                         i = (i + 1) & 0xff;
  628                         j = (j + S[i]) & 0xff;
  629                         S_SWAP(i, j);
  630                         *pos++ ^= S[(S[i] + S[j]) & 0xff];
  631                 }
  632                 m = m->m_next;
  633                 if (m == NULL) {
  634                         KASSERT(data_len == 0,
  635                             ("out of buffers with data_len %zu\n", data_len));
  636                         break;
  637                 }
  638                 pos = mtod(m, uint8_t *);
  639                 buflen = m->m_len;
  640         }
  641         crc = ~crc;
  642 
  643         /* Append little-endian CRC32 and encrypt it to produce ICV */
  644         icv[0] = crc;
  645         icv[1] = crc >> 8;
  646         icv[2] = crc >> 16;
  647         icv[3] = crc >> 24;
  648         for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
  649                 i = (i + 1) & 0xff;
  650                 j = (j + S[i]) & 0xff;
  651                 S_SWAP(i, j);
  652                 icv[k] ^= S[(S[i] + S[j]) & 0xff];
  653         }
  654 }
  655 
  656 static int
  657 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
  658 {
  659         u32 i, j, k, crc;
  660         u8 S[256];
  661         u8 *pos, icv[4];
  662         size_t buflen;
  663 
  664         /* Setup RC4 state */
  665         for (i = 0; i < 256; i++)
  666                 S[i] = i;
  667         j = 0;
  668         for (i = 0; i < 256; i++) {
  669                 j = (j + S[i] + key[i & 0x0f]) & 0xff;
  670                 S_SWAP(i, j);
  671         }
  672 
  673         /* Apply RC4 to data and compute CRC32 over decrypted data */
  674         crc = ~0;
  675         i = j = 0;
  676         pos = mtod(m, uint8_t *) + off;
  677         buflen = m->m_len - off;
  678         for (;;) {
  679                 if (buflen > data_len)
  680                         buflen = data_len;
  681                 data_len -= buflen;
  682                 for (k = 0; k < buflen; k++) {
  683                         i = (i + 1) & 0xff;
  684                         j = (j + S[i]) & 0xff;
  685                         S_SWAP(i, j);
  686                         *pos ^= S[(S[i] + S[j]) & 0xff];
  687                         crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
  688                         pos++;
  689                 }
  690                 m = m->m_next;
  691                 if (m == NULL) {
  692                         KASSERT(data_len == 0,
  693                             ("out of buffers with data_len %zu\n", data_len));
  694                         break;
  695                 }
  696                 pos = mtod(m, uint8_t *);
  697                 buflen = m->m_len;
  698         }
  699         crc = ~crc;
  700 
  701         /* Encrypt little-endian CRC32 and verify that it matches with the
  702          * received ICV */
  703         icv[0] = crc;
  704         icv[1] = crc >> 8;
  705         icv[2] = crc >> 16;
  706         icv[3] = crc >> 24;
  707         for (k = 0; k < 4; k++) {
  708                 i = (i + 1) & 0xff;
  709                 j = (j + S[i]) & 0xff;
  710                 S_SWAP(i, j);
  711                 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
  712                         /* ICV mismatch - drop frame */
  713                         return -1;
  714                 }
  715         }
  716 
  717         return 0;
  718 }
  719 
  720 
  721 static __inline u32 rotl(u32 val, int bits)
  722 {
  723         return (val << bits) | (val >> (32 - bits));
  724 }
  725 
  726 
  727 static __inline u32 rotr(u32 val, int bits)
  728 {
  729         return (val >> bits) | (val << (32 - bits));
  730 }
  731 
  732 
  733 static __inline u32 xswap(u32 val)
  734 {
  735         return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
  736 }
  737 
  738 
  739 #define michael_block(l, r)     \
  740 do {                            \
  741         r ^= rotl(l, 17);       \
  742         l += r;                 \
  743         r ^= xswap(l);          \
  744         l += r;                 \
  745         r ^= rotl(l, 3);        \
  746         l += r;                 \
  747         r ^= rotr(l, 2);        \
  748         l += r;                 \
  749 } while (0)
  750 
  751 
  752 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
  753 {
  754         return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
  755 }
  756 
  757 static __inline u32 get_le32(const u8 *p)
  758 {
  759         return get_le32_split(p[0], p[1], p[2], p[3]);
  760 }
  761 
  762 
  763 static __inline void put_le32(u8 *p, u32 v)
  764 {
  765         p[0] = v;
  766         p[1] = v >> 8;
  767         p[2] = v >> 16;
  768         p[3] = v >> 24;
  769 }
  770 
  771 /*
  772  * Craft pseudo header used to calculate the MIC.
  773  */
  774 static void
  775 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
  776 {
  777         const struct ieee80211_frame_addr4 *wh =
  778                 (const struct ieee80211_frame_addr4 *) wh0;
  779 
  780         switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
  781         case IEEE80211_FC1_DIR_NODS:
  782                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
  783                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
  784                 break;
  785         case IEEE80211_FC1_DIR_TODS:
  786                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
  787                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
  788                 break;
  789         case IEEE80211_FC1_DIR_FROMDS:
  790                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
  791                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
  792                 break;
  793         case IEEE80211_FC1_DIR_DSTODS:
  794                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
  795                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
  796                 break;
  797         }
  798 
  799         if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
  800                 const struct ieee80211_qosframe *qwh =
  801                         (const struct ieee80211_qosframe *) wh;
  802                 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
  803         } else
  804                 hdr[12] = 0;
  805         hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
  806 }
  807 
  808 static void
  809 michael_mic(struct tkip_ctx *ctx, const u8 *key,
  810         struct mbuf *m, u_int off, size_t data_len,
  811         u8 mic[IEEE80211_WEP_MICLEN])
  812 {
  813         uint8_t hdr[16];
  814         u32 l, r;
  815         const uint8_t *data;
  816         u_int space;
  817 
  818         michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
  819 
  820         l = get_le32(key);
  821         r = get_le32(key + 4);
  822 
  823         /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
  824         l ^= get_le32(hdr);
  825         michael_block(l, r);
  826         l ^= get_le32(&hdr[4]);
  827         michael_block(l, r);
  828         l ^= get_le32(&hdr[8]);
  829         michael_block(l, r);
  830         l ^= get_le32(&hdr[12]);
  831         michael_block(l, r);
  832 
  833         /* first buffer has special handling */
  834         data = mtod(m, const uint8_t *) + off;
  835         space = m->m_len - off;
  836         for (;;) {
  837                 if (space > data_len)
  838                         space = data_len;
  839                 /* collect 32-bit blocks from current buffer */
  840                 while (space >= sizeof(uint32_t)) {
  841                         l ^= get_le32(data);
  842                         michael_block(l, r);
  843                         data += sizeof(uint32_t), space -= sizeof(uint32_t);
  844                         data_len -= sizeof(uint32_t);
  845                 }
  846                 /*
  847                  * NB: when space is zero we make one more trip around
  848                  * the loop to advance to the next mbuf where there is
  849                  * data.  This handles the case where there are 4*n
  850                  * bytes in an mbuf followed by <4 bytes in a later mbuf.
  851                  * By making an extra trip we'll drop out of the loop
  852                  * with m pointing at the mbuf with 3 bytes and space
  853                  * set as required by the remainder handling below.
  854                  */
  855                 if (data_len == 0 ||
  856                     (data_len < sizeof(uint32_t) && space != 0))
  857                         break;
  858                 m = m->m_next;
  859                 if (m == NULL) {
  860                         KASSERT(0, ("out of data, data_len %zu\n", data_len));
  861                         break;
  862                 }
  863                 if (space != 0) {
  864                         const uint8_t *data_next;
  865                         /*
  866                          * Block straddles buffers, split references.
  867                          */
  868                         data_next = mtod(m, const uint8_t *);
  869                         KASSERT(m->m_len >= sizeof(uint32_t) - space,
  870                                 ("not enough data in following buffer, "
  871                                 "m_len %u need %zu\n", m->m_len,
  872                                 sizeof(uint32_t) - space));
  873                         switch (space) {
  874                         case 1:
  875                                 l ^= get_le32_split(data[0], data_next[0],
  876                                         data_next[1], data_next[2]);
  877                                 data = data_next + 3;
  878                                 space = m->m_len - 3;
  879                                 break;
  880                         case 2:
  881                                 l ^= get_le32_split(data[0], data[1],
  882                                         data_next[0], data_next[1]);
  883                                 data = data_next + 2;
  884                                 space = m->m_len - 2;
  885                                 break;
  886                         case 3:
  887                                 l ^= get_le32_split(data[0], data[1],
  888                                         data[2], data_next[0]);
  889                                 data = data_next + 1;
  890                                 space = m->m_len - 1;
  891                                 break;
  892                         }
  893                         michael_block(l, r);
  894                         data_len -= sizeof(uint32_t);
  895                 } else {
  896                         /*
  897                          * Setup for next buffer.
  898                          */
  899                         data = mtod(m, const uint8_t *);
  900                         space = m->m_len;
  901                 }
  902         }
  903         /*
  904          * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
  905          * mbuf[2 bytes].  I don't believe these should happen; if they
  906          * do then we'll need more involved logic.
  907          */
  908         KASSERT(data_len <= space,
  909             ("not enough data, data_len %zu space %u\n", data_len, space));
  910 
  911         /* Last block and padding (0x5a, 4..7 x 0) */
  912         switch (data_len) {
  913         case 0:
  914                 l ^= get_le32_split(0x5a, 0, 0, 0);
  915                 break;
  916         case 1:
  917                 l ^= get_le32_split(data[0], 0x5a, 0, 0);
  918                 break;
  919         case 2:
  920                 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
  921                 break;
  922         case 3:
  923                 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
  924                 break;
  925         }
  926         michael_block(l, r);
  927         /* l ^= 0; */
  928         michael_block(l, r);
  929 
  930         put_le32(mic, l);
  931         put_le32(mic + 4, r);
  932 }
  933 
  934 static int
  935 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
  936         struct mbuf *m, int hdrlen)
  937 {
  938         struct ieee80211_frame *wh;
  939         uint8_t icv[IEEE80211_WEP_CRCLEN];
  940 
  941         ctx->tc_vap->iv_stats.is_crypto_tkip++;
  942 
  943         wh = mtod(m, struct ieee80211_frame *);
  944         if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
  945                 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
  946                                    (u32)(key->wk_keytsc >> 16));
  947         }
  948         tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
  949                 (u16) key->wk_keytsc);
  950 
  951         wep_encrypt(ctx->tx_rc4key,
  952                 m, hdrlen + tkip.ic_header,
  953                 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
  954                 icv);
  955         (void) m_append(m, IEEE80211_WEP_CRCLEN, icv);  /* XXX check return */
  956 
  957         return 1;
  958 }
  959 
  960 static int
  961 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
  962         struct mbuf *m, int hdrlen)
  963 {
  964         struct ieee80211_frame *wh;
  965         struct ieee80211vap *vap = ctx->tc_vap;
  966         u32 iv32;
  967         u16 iv16;
  968         u8 tid;
  969 
  970         vap->iv_stats.is_crypto_tkip++;
  971 
  972         wh = mtod(m, struct ieee80211_frame *);
  973         /* NB: tkip_decap already verified header and left seq in rx_rsc */
  974         iv16 = (u16) ctx->rx_rsc;
  975         iv32 = (u32) (ctx->rx_rsc >> 16);
  976 
  977         tid = ieee80211_gettid(wh);
  978         if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
  979                 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
  980                         wh->i_addr2, iv32);
  981                 ctx->rx_phase1_done = 1;
  982         }
  983         tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
  984 
  985         /* NB: m is unstripped; deduct headers + ICV to get payload */
  986         if (wep_decrypt(ctx->rx_rc4key,
  987                 m, hdrlen + tkip.ic_header,
  988                 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
  989                 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
  990                         /* Previously cached Phase1 result was already lost, so
  991                          * it needs to be recalculated for the next packet. */
  992                         ctx->rx_phase1_done = 0;
  993                 }
  994                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  995                     "%s", "TKIP ICV mismatch on decrypt");
  996                 vap->iv_stats.is_rx_tkipicv++;
  997                 return 0;
  998         }
  999         return 1;
 1000 }
 1001 
 1002 /*
 1003  * Module glue.
 1004  */
 1005 IEEE80211_CRYPTO_MODULE(tkip, 1);

Cache object: 66ba538d7f8eb84e0a1f1de384953077


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.