The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/net80211/ieee80211_crypto_tkip.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
    3  *
    4  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  * 1. Redistributions of source code must retain the above copyright
   11  *    notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *    notice, this list of conditions and the following disclaimer in the
   14  *    documentation and/or other materials provided with the distribution.
   15  *
   16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   26  */
   27 
   28 #include <sys/cdefs.h>
   29 __FBSDID("$FreeBSD$");
   30 
   31 /*
   32  * IEEE 802.11i TKIP crypto support.
   33  *
   34  * Part of this module is derived from similar code in the Host
   35  * AP driver. The code is used with the consent of the author and
   36  * it's license is included below.
   37  */
   38 #include "opt_wlan.h"
   39 
   40 #include <sys/param.h>
   41 #include <sys/systm.h> 
   42 #include <sys/mbuf.h>   
   43 #include <sys/malloc.h>
   44 #include <sys/kernel.h>
   45 #include <sys/module.h>
   46 #include <sys/endian.h>
   47 
   48 #include <sys/socket.h>
   49 
   50 #include <net/if.h>
   51 #include <net/if_media.h>
   52 #include <net/ethernet.h>
   53 
   54 #include <net80211/ieee80211_var.h>
   55 
   56 static  void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
   57 static  void tkip_detach(struct ieee80211_key *);
   58 static  int tkip_setkey(struct ieee80211_key *);
   59 static  void tkip_setiv(struct ieee80211_key *, uint8_t *);
   60 static  int tkip_encap(struct ieee80211_key *, struct mbuf *);
   61 static  int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
   62 static  int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
   63 static  int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
   64 
   65 static const struct ieee80211_cipher tkip  = {
   66         .ic_name        = "TKIP",
   67         .ic_cipher      = IEEE80211_CIPHER_TKIP,
   68         .ic_header      = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
   69                           IEEE80211_WEP_EXTIVLEN,
   70         .ic_trailer     = IEEE80211_WEP_CRCLEN,
   71         .ic_miclen      = IEEE80211_WEP_MICLEN,
   72         .ic_attach      = tkip_attach,
   73         .ic_detach      = tkip_detach,
   74         .ic_setkey      = tkip_setkey,
   75         .ic_setiv       = tkip_setiv,
   76         .ic_encap       = tkip_encap,
   77         .ic_decap       = tkip_decap,
   78         .ic_enmic       = tkip_enmic,
   79         .ic_demic       = tkip_demic,
   80 };
   81 
   82 typedef uint8_t u8;
   83 typedef uint16_t u16;
   84 typedef uint32_t __u32;
   85 typedef uint32_t u32;
   86 
   87 struct tkip_ctx {
   88         struct ieee80211vap *tc_vap;    /* for diagnostics+statistics */
   89 
   90         u16     tx_ttak[5];
   91         u8      tx_rc4key[16];          /* XXX for test module; make locals? */
   92 
   93         u16     rx_ttak[5];
   94         int     rx_phase1_done;
   95         u8      rx_rc4key[16];          /* XXX for test module; make locals? */
   96         uint64_t rx_rsc;                /* held until MIC verified */
   97 };
   98 
   99 static  void michael_mic(struct tkip_ctx *, const u8 *key,
  100                 struct mbuf *m, u_int off, size_t data_len,
  101                 u8 mic[IEEE80211_WEP_MICLEN]);
  102 static  int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
  103                 struct mbuf *, int hdr_len);
  104 static  int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
  105                 struct mbuf *, int hdr_len);
  106 
  107 /* number of references from net80211 layer */
  108 static  int nrefs = 0;
  109 
  110 static void *
  111 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
  112 {
  113         struct tkip_ctx *ctx;
  114 
  115         ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
  116                 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
  117         if (ctx == NULL) {
  118                 vap->iv_stats.is_crypto_nomem++;
  119                 return NULL;
  120         }
  121 
  122         ctx->tc_vap = vap;
  123         nrefs++;                        /* NB: we assume caller locking */
  124         return ctx;
  125 }
  126 
  127 static void
  128 tkip_detach(struct ieee80211_key *k)
  129 {
  130         struct tkip_ctx *ctx = k->wk_private;
  131 
  132         IEEE80211_FREE(ctx, M_80211_CRYPTO);
  133         KASSERT(nrefs > 0, ("imbalanced attach/detach"));
  134         nrefs--;                        /* NB: we assume caller locking */
  135 }
  136 
  137 static int
  138 tkip_setkey(struct ieee80211_key *k)
  139 {
  140         struct tkip_ctx *ctx = k->wk_private;
  141 
  142         if (k->wk_keylen != (128/NBBY)) {
  143                 (void) ctx;             /* XXX */
  144                 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
  145                         "%s: Invalid key length %u, expecting %u\n",
  146                         __func__, k->wk_keylen, 128/NBBY);
  147                 return 0;
  148         }
  149         ctx->rx_phase1_done = 0;
  150         return 1;
  151 }
  152 
  153 static void
  154 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
  155 {
  156         struct tkip_ctx *ctx = k->wk_private;
  157         struct ieee80211vap *vap = ctx->tc_vap;
  158         uint8_t keyid;
  159 
  160         keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
  161 
  162         k->wk_keytsc++;
  163         ivp[0] = k->wk_keytsc >> 8;             /* TSC1 */
  164         ivp[1] = (ivp[0] | 0x20) & 0x7f;        /* WEP seed */
  165         ivp[2] = k->wk_keytsc >> 0;             /* TSC0 */
  166         ivp[3] = keyid | IEEE80211_WEP_EXTIV;   /* KeyID | ExtID */
  167         ivp[4] = k->wk_keytsc >> 16;            /* TSC2 */
  168         ivp[5] = k->wk_keytsc >> 24;            /* TSC3 */
  169         ivp[6] = k->wk_keytsc >> 32;            /* TSC4 */
  170         ivp[7] = k->wk_keytsc >> 40;            /* TSC5 */
  171 }
  172 
  173 /*
  174  * Add privacy headers and do any s/w encryption required.
  175  */
  176 static int
  177 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
  178 {
  179         struct tkip_ctx *ctx = k->wk_private;
  180         struct ieee80211vap *vap = ctx->tc_vap;
  181         struct ieee80211com *ic = vap->iv_ic;
  182         struct ieee80211_frame *wh;
  183         uint8_t *ivp;
  184         int hdrlen;
  185         int is_mgmt;
  186 
  187         wh = mtod(m, struct ieee80211_frame *);
  188         is_mgmt = IEEE80211_IS_MGMT(wh);
  189 
  190         /*
  191          * Handle TKIP counter measures requirement.
  192          */
  193         if (vap->iv_flags & IEEE80211_F_COUNTERM) {
  194 #ifdef IEEE80211_DEBUG
  195                 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
  196 #endif
  197 
  198                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  199                     "discard frame due to countermeasures (%s)", __func__);
  200                 vap->iv_stats.is_crypto_tkipcm++;
  201                 return 0;
  202         }
  203 
  204         /*
  205          * Check to see whether IV needs to be included.
  206          */
  207         if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
  208                 return 1;
  209         if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
  210                 return 1;
  211 
  212 
  213         hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
  214 
  215         /*
  216          * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
  217          */
  218         M_PREPEND(m, tkip.ic_header, M_NOWAIT);
  219         if (m == NULL)
  220                 return 0;
  221         ivp = mtod(m, uint8_t *);
  222         memmove(ivp, ivp + tkip.ic_header, hdrlen);
  223         ivp += hdrlen;
  224 
  225         tkip_setiv(k, ivp);
  226 
  227         /*
  228          * Finally, do software encrypt if needed.
  229          */
  230         if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
  231             !tkip_encrypt(ctx, k, m, hdrlen))
  232                 return 0;
  233 
  234         return 1;
  235 }
  236 
  237 /*
  238  * Add MIC to the frame as needed.
  239  */
  240 static int
  241 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
  242 {
  243         struct tkip_ctx *ctx = k->wk_private;
  244         struct ieee80211_frame *wh;
  245         int is_mgmt;
  246 
  247         wh = mtod(m, struct ieee80211_frame *);
  248         is_mgmt = IEEE80211_IS_MGMT(wh);
  249 
  250         /*
  251          * Check to see whether MIC needs to be included.
  252          */
  253         if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT))
  254                 return 1;
  255         if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC))
  256                 return 1;
  257 
  258         if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
  259                 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
  260                 struct ieee80211vap *vap = ctx->tc_vap;
  261                 struct ieee80211com *ic = vap->iv_ic;
  262                 int hdrlen;
  263                 uint8_t mic[IEEE80211_WEP_MICLEN];
  264 
  265                 vap->iv_stats.is_crypto_tkipenmic++;
  266 
  267                 hdrlen = ieee80211_hdrspace(ic, wh);
  268 
  269                 michael_mic(ctx, k->wk_txmic,
  270                         m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
  271                 return m_append(m, tkip.ic_miclen, mic);
  272         }
  273         return 1;
  274 }
  275 
  276 static __inline uint64_t
  277 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
  278 {
  279         uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
  280         uint16_t iv16 = (b4 << 0) | (b5 << 8);
  281         return (((uint64_t)iv16) << 32) | iv32;
  282 }
  283 
  284 /*
  285  * Validate and strip privacy headers (and trailer) for a
  286  * received frame.  If necessary, decrypt the frame using
  287  * the specified key.
  288  */
  289 static int
  290 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
  291 {
  292         const struct ieee80211_rx_stats *rxs;
  293         struct tkip_ctx *ctx = k->wk_private;
  294         struct ieee80211vap *vap = ctx->tc_vap;
  295         struct ieee80211_frame *wh;
  296         uint8_t *ivp, tid;
  297 
  298         rxs = ieee80211_get_rx_params_ptr(m);
  299 
  300         /*
  301          * If IV has been stripped, we skip most of the below.
  302          */
  303         if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
  304                 goto finish;
  305 
  306         /*
  307          * Header should have extended IV and sequence number;
  308          * verify the former and validate the latter.
  309          */
  310         wh = mtod(m, struct ieee80211_frame *);
  311         ivp = mtod(m, uint8_t *) + hdrlen;
  312         if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
  313                 /*
  314                  * No extended IV; discard frame.
  315                  */
  316                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  317                     "%s", "missing ExtIV for TKIP cipher");
  318                 vap->iv_stats.is_rx_tkipformat++;
  319                 return 0;
  320         }
  321         /*
  322          * Handle TKIP counter measures requirement.
  323          */
  324         if (vap->iv_flags & IEEE80211_F_COUNTERM) {
  325                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
  326                     "discard frame due to countermeasures (%s)", __func__);
  327                 vap->iv_stats.is_crypto_tkipcm++;
  328                 return 0;
  329         }
  330 
  331         tid = ieee80211_gettid(wh);
  332         ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
  333         if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
  334             (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
  335                 /*
  336                  * Replay violation; notify upper layer.
  337                  */
  338                 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
  339                 vap->iv_stats.is_rx_tkipreplay++;
  340                 return 0;
  341         }
  342         /*
  343          * NB: We can't update the rsc in the key until MIC is verified.
  344          *
  345          * We assume we are not preempted between doing the check above
  346          * and updating wk_keyrsc when stripping the MIC in tkip_demic.
  347          * Otherwise we might process another packet and discard it as
  348          * a replay.
  349          */
  350 
  351         /*
  352          * Check if the device handled the decrypt in hardware.
  353          * If so we just strip the header; otherwise we need to
  354          * handle the decrypt in software.
  355          */
  356         if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
  357             !tkip_decrypt(ctx, k, m, hdrlen))
  358                 return 0;
  359 
  360 finish:
  361 
  362         /*
  363          * Copy up 802.11 header and strip crypto bits - but only if we
  364          * are required to.
  365          */
  366         if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
  367                 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *),
  368                     hdrlen);
  369                 m_adj(m, tkip.ic_header);
  370         }
  371 
  372         /*
  373          * XXX TODO: do we need an option to potentially not strip the
  374          * WEP trailer?  Does "MMIC_STRIP" also mean this? Or?
  375          */
  376         m_adj(m, -tkip.ic_trailer);
  377 
  378         return 1;
  379 }
  380 
  381 /*
  382  * Verify and strip MIC from the frame.
  383  */
  384 static int
  385 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
  386 {
  387         const struct ieee80211_rx_stats *rxs;
  388         struct tkip_ctx *ctx = k->wk_private;
  389         struct ieee80211_frame *wh;
  390         uint8_t tid;
  391 
  392         wh = mtod(m, struct ieee80211_frame *);
  393         rxs = ieee80211_get_rx_params_ptr(m);
  394 
  395         /*
  396          * If we are told about a MIC failure from the driver,
  397          * directly notify as a michael failure to the upper
  398          * layers.
  399          */
  400         if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) {
  401                 struct ieee80211vap *vap = ctx->tc_vap;
  402                 ieee80211_notify_michael_failure(vap, wh,
  403                     k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
  404                     k->wk_rxkeyix : k->wk_keyix);
  405                 return 0;
  406         }
  407 
  408         /*
  409          * If IV has been stripped, we skip most of the below.
  410          */
  411         if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))
  412                 goto finish;
  413 
  414         if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
  415                 struct ieee80211vap *vap = ctx->tc_vap;
  416                 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
  417                 u8 mic[IEEE80211_WEP_MICLEN];
  418                 u8 mic0[IEEE80211_WEP_MICLEN];
  419 
  420                 vap->iv_stats.is_crypto_tkipdemic++;
  421 
  422                 michael_mic(ctx, k->wk_rxmic, 
  423                         m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
  424                         mic);
  425                 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
  426                         tkip.ic_miclen, mic0);
  427                 if (memcmp(mic, mic0, tkip.ic_miclen)) {
  428                         /* NB: 802.11 layer handles statistic and debug msg */
  429                         ieee80211_notify_michael_failure(vap, wh,
  430                                 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
  431                                         k->wk_rxkeyix : k->wk_keyix);
  432                         return 0;
  433                 }
  434         }
  435         /*
  436          * Strip MIC from the tail.
  437          */
  438         m_adj(m, -tkip.ic_miclen);
  439 
  440         /*
  441          * Ok to update rsc now that MIC has been verified.
  442          */
  443         tid = ieee80211_gettid(wh);
  444         k->wk_keyrsc[tid] = ctx->rx_rsc;
  445 
  446 finish:
  447         return 1;
  448 }
  449 
  450 /*
  451  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
  452  *
  453  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
  454  *
  455  * This program is free software; you can redistribute it and/or modify
  456  * it under the terms of the GNU General Public License version 2 as
  457  * published by the Free Software Foundation. See README and COPYING for
  458  * more details.
  459  *
  460  * Alternatively, this software may be distributed under the terms of BSD
  461  * license.
  462  */
  463 
  464 static const __u32 crc32_table[256] = {
  465         0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
  466         0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
  467         0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
  468         0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
  469         0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
  470         0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
  471         0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
  472         0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
  473         0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
  474         0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
  475         0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
  476         0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
  477         0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
  478         0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
  479         0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
  480         0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
  481         0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
  482         0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
  483         0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
  484         0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
  485         0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
  486         0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
  487         0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
  488         0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
  489         0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
  490         0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
  491         0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
  492         0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
  493         0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
  494         0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
  495         0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
  496         0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
  497         0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
  498         0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
  499         0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
  500         0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
  501         0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
  502         0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
  503         0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
  504         0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
  505         0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
  506         0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
  507         0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
  508         0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
  509         0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
  510         0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
  511         0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
  512         0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
  513         0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
  514         0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
  515         0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
  516         0x2d02ef8dL
  517 };
  518 
  519 static __inline u16 RotR1(u16 val)
  520 {
  521         return (val >> 1) | (val << 15);
  522 }
  523 
  524 static __inline u8 Lo8(u16 val)
  525 {
  526         return val & 0xff;
  527 }
  528 
  529 static __inline u8 Hi8(u16 val)
  530 {
  531         return val >> 8;
  532 }
  533 
  534 static __inline u16 Lo16(u32 val)
  535 {
  536         return val & 0xffff;
  537 }
  538 
  539 static __inline u16 Hi16(u32 val)
  540 {
  541         return val >> 16;
  542 }
  543 
  544 static __inline u16 Mk16(u8 hi, u8 lo)
  545 {
  546         return lo | (((u16) hi) << 8);
  547 }
  548 
  549 static __inline u16 Mk16_le(const u16 *v)
  550 {
  551         return le16toh(*v);
  552 }
  553 
  554 static const u16 Sbox[256] = {
  555         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
  556         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
  557         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
  558         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
  559         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
  560         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
  561         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
  562         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
  563         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
  564         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
  565         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
  566         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
  567         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
  568         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
  569         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
  570         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
  571         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
  572         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
  573         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
  574         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
  575         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
  576         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
  577         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
  578         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
  579         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
  580         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
  581         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
  582         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
  583         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
  584         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
  585         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
  586         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
  587 };
  588 
  589 static __inline u16 _S_(u16 v)
  590 {
  591         u16 t = Sbox[Hi8(v)];
  592         return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
  593 }
  594 
  595 #define PHASE1_LOOP_COUNT 8
  596 
  597 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
  598 {
  599         int i, j;
  600 
  601         /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
  602         TTAK[0] = Lo16(IV32);
  603         TTAK[1] = Hi16(IV32);
  604         TTAK[2] = Mk16(TA[1], TA[0]);
  605         TTAK[3] = Mk16(TA[3], TA[2]);
  606         TTAK[4] = Mk16(TA[5], TA[4]);
  607 
  608         for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
  609                 j = 2 * (i & 1);
  610                 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
  611                 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
  612                 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
  613                 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
  614                 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
  615         }
  616 }
  617 
  618 #ifndef _BYTE_ORDER
  619 #error "Don't know native byte order"
  620 #endif
  621 
  622 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
  623                                u16 IV16)
  624 {
  625         /* Make temporary area overlap WEP seed so that the final copy can be
  626          * avoided on little endian hosts. */
  627         u16 *PPK = (u16 *) &WEPSeed[4];
  628 
  629         /* Step 1 - make copy of TTAK and bring in TSC */
  630         PPK[0] = TTAK[0];
  631         PPK[1] = TTAK[1];
  632         PPK[2] = TTAK[2];
  633         PPK[3] = TTAK[3];
  634         PPK[4] = TTAK[4];
  635         PPK[5] = TTAK[4] + IV16;
  636 
  637         /* Step 2 - 96-bit bijective mixing using S-box */
  638         PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
  639         PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
  640         PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
  641         PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
  642         PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
  643         PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
  644 
  645         PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
  646         PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
  647         PPK[2] += RotR1(PPK[1]);
  648         PPK[3] += RotR1(PPK[2]);
  649         PPK[4] += RotR1(PPK[3]);
  650         PPK[5] += RotR1(PPK[4]);
  651 
  652         /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
  653          * WEPSeed[0..2] is transmitted as WEP IV */
  654         WEPSeed[0] = Hi8(IV16);
  655         WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
  656         WEPSeed[2] = Lo8(IV16);
  657         WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
  658 
  659 #if _BYTE_ORDER == _BIG_ENDIAN
  660         {
  661                 int i;
  662                 for (i = 0; i < 6; i++)
  663                         PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
  664         }
  665 #endif
  666 }
  667 
  668 static void
  669 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
  670         uint8_t icv[IEEE80211_WEP_CRCLEN])
  671 {
  672         u32 i, j, k, crc;
  673         size_t buflen;
  674         u8 S[256];
  675         u8 *pos;
  676         struct mbuf *m;
  677 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
  678 
  679         /* Setup RC4 state */
  680         for (i = 0; i < 256; i++)
  681                 S[i] = i;
  682         j = 0;
  683         for (i = 0; i < 256; i++) {
  684                 j = (j + S[i] + key[i & 0x0f]) & 0xff;
  685                 S_SWAP(i, j);
  686         }
  687 
  688         /* Compute CRC32 over unencrypted data and apply RC4 to data */
  689         crc = ~0;
  690         i = j = 0;
  691         m = m0;
  692         pos = mtod(m, uint8_t *) + off;
  693         buflen = m->m_len - off;
  694         for (;;) {
  695                 if (buflen > data_len)
  696                         buflen = data_len;
  697                 data_len -= buflen;
  698                 for (k = 0; k < buflen; k++) {
  699                         crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
  700                         i = (i + 1) & 0xff;
  701                         j = (j + S[i]) & 0xff;
  702                         S_SWAP(i, j);
  703                         *pos++ ^= S[(S[i] + S[j]) & 0xff];
  704                 }
  705                 m = m->m_next;
  706                 if (m == NULL) {
  707                         KASSERT(data_len == 0,
  708                             ("out of buffers with data_len %zu\n", data_len));
  709                         break;
  710                 }
  711                 pos = mtod(m, uint8_t *);
  712                 buflen = m->m_len;
  713         }
  714         crc = ~crc;
  715 
  716         /* Append little-endian CRC32 and encrypt it to produce ICV */
  717         icv[0] = crc;
  718         icv[1] = crc >> 8;
  719         icv[2] = crc >> 16;
  720         icv[3] = crc >> 24;
  721         for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
  722                 i = (i + 1) & 0xff;
  723                 j = (j + S[i]) & 0xff;
  724                 S_SWAP(i, j);
  725                 icv[k] ^= S[(S[i] + S[j]) & 0xff];
  726         }
  727 }
  728 
  729 static int
  730 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
  731 {
  732         u32 i, j, k, crc;
  733         u8 S[256];
  734         u8 *pos, icv[4];
  735         size_t buflen;
  736 
  737         /* Setup RC4 state */
  738         for (i = 0; i < 256; i++)
  739                 S[i] = i;
  740         j = 0;
  741         for (i = 0; i < 256; i++) {
  742                 j = (j + S[i] + key[i & 0x0f]) & 0xff;
  743                 S_SWAP(i, j);
  744         }
  745 
  746         /* Apply RC4 to data and compute CRC32 over decrypted data */
  747         crc = ~0;
  748         i = j = 0;
  749         pos = mtod(m, uint8_t *) + off;
  750         buflen = m->m_len - off;
  751         for (;;) {
  752                 if (buflen > data_len)
  753                         buflen = data_len;
  754                 data_len -= buflen;
  755                 for (k = 0; k < buflen; k++) {
  756                         i = (i + 1) & 0xff;
  757                         j = (j + S[i]) & 0xff;
  758                         S_SWAP(i, j);
  759                         *pos ^= S[(S[i] + S[j]) & 0xff];
  760                         crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
  761                         pos++;
  762                 }
  763                 m = m->m_next;
  764                 if (m == NULL) {
  765                         KASSERT(data_len == 0,
  766                             ("out of buffers with data_len %zu\n", data_len));
  767                         break;
  768                 }
  769                 pos = mtod(m, uint8_t *);
  770                 buflen = m->m_len;
  771         }
  772         crc = ~crc;
  773 
  774         /* Encrypt little-endian CRC32 and verify that it matches with the
  775          * received ICV */
  776         icv[0] = crc;
  777         icv[1] = crc >> 8;
  778         icv[2] = crc >> 16;
  779         icv[3] = crc >> 24;
  780         for (k = 0; k < 4; k++) {
  781                 i = (i + 1) & 0xff;
  782                 j = (j + S[i]) & 0xff;
  783                 S_SWAP(i, j);
  784                 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
  785                         /* ICV mismatch - drop frame */
  786                         return -1;
  787                 }
  788         }
  789 
  790         return 0;
  791 }
  792 
  793 
  794 static __inline u32 rotl(u32 val, int bits)
  795 {
  796         return (val << bits) | (val >> (32 - bits));
  797 }
  798 
  799 
  800 static __inline u32 rotr(u32 val, int bits)
  801 {
  802         return (val >> bits) | (val << (32 - bits));
  803 }
  804 
  805 
  806 static __inline u32 xswap(u32 val)
  807 {
  808         return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
  809 }
  810 
  811 
  812 #define michael_block(l, r)     \
  813 do {                            \
  814         r ^= rotl(l, 17);       \
  815         l += r;                 \
  816         r ^= xswap(l);          \
  817         l += r;                 \
  818         r ^= rotl(l, 3);        \
  819         l += r;                 \
  820         r ^= rotr(l, 2);        \
  821         l += r;                 \
  822 } while (0)
  823 
  824 
  825 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
  826 {
  827         return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
  828 }
  829 
  830 static __inline u32 get_le32(const u8 *p)
  831 {
  832         return get_le32_split(p[0], p[1], p[2], p[3]);
  833 }
  834 
  835 
  836 static __inline void put_le32(u8 *p, u32 v)
  837 {
  838         p[0] = v;
  839         p[1] = v >> 8;
  840         p[2] = v >> 16;
  841         p[3] = v >> 24;
  842 }
  843 
  844 /*
  845  * Craft pseudo header used to calculate the MIC.
  846  */
  847 static void
  848 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
  849 {
  850         const struct ieee80211_frame_addr4 *wh =
  851                 (const struct ieee80211_frame_addr4 *) wh0;
  852 
  853         switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
  854         case IEEE80211_FC1_DIR_NODS:
  855                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
  856                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
  857                 break;
  858         case IEEE80211_FC1_DIR_TODS:
  859                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
  860                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
  861                 break;
  862         case IEEE80211_FC1_DIR_FROMDS:
  863                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
  864                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
  865                 break;
  866         case IEEE80211_FC1_DIR_DSTODS:
  867                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
  868                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
  869                 break;
  870         }
  871 
  872         if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
  873                 const struct ieee80211_qosframe *qwh =
  874                         (const struct ieee80211_qosframe *) wh;
  875                 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
  876         } else
  877                 hdr[12] = 0;
  878         hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
  879 }
  880 
  881 static void
  882 michael_mic(struct tkip_ctx *ctx, const u8 *key,
  883         struct mbuf *m, u_int off, size_t data_len,
  884         u8 mic[IEEE80211_WEP_MICLEN])
  885 {
  886         uint8_t hdr[16];
  887         u32 l, r;
  888         const uint8_t *data;
  889         u_int space;
  890 
  891         michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
  892 
  893         l = get_le32(key);
  894         r = get_le32(key + 4);
  895 
  896         /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
  897         l ^= get_le32(hdr);
  898         michael_block(l, r);
  899         l ^= get_le32(&hdr[4]);
  900         michael_block(l, r);
  901         l ^= get_le32(&hdr[8]);
  902         michael_block(l, r);
  903         l ^= get_le32(&hdr[12]);
  904         michael_block(l, r);
  905 
  906         /* first buffer has special handling */
  907         data = mtod(m, const uint8_t *) + off;
  908         space = m->m_len - off;
  909         for (;;) {
  910                 if (space > data_len)
  911                         space = data_len;
  912                 /* collect 32-bit blocks from current buffer */
  913                 while (space >= sizeof(uint32_t)) {
  914                         l ^= get_le32(data);
  915                         michael_block(l, r);
  916                         data += sizeof(uint32_t), space -= sizeof(uint32_t);
  917                         data_len -= sizeof(uint32_t);
  918                 }
  919                 /*
  920                  * NB: when space is zero we make one more trip around
  921                  * the loop to advance to the next mbuf where there is
  922                  * data.  This handles the case where there are 4*n
  923                  * bytes in an mbuf followed by <4 bytes in a later mbuf.
  924                  * By making an extra trip we'll drop out of the loop
  925                  * with m pointing at the mbuf with 3 bytes and space
  926                  * set as required by the remainder handling below.
  927                  */
  928                 if (data_len == 0 ||
  929                     (data_len < sizeof(uint32_t) && space != 0))
  930                         break;
  931                 m = m->m_next;
  932                 if (m == NULL) {
  933                         KASSERT(0, ("out of data, data_len %zu\n", data_len));
  934                         break;
  935                 }
  936                 if (space != 0) {
  937                         const uint8_t *data_next;
  938                         /*
  939                          * Block straddles buffers, split references.
  940                          */
  941                         data_next = mtod(m, const uint8_t *);
  942                         KASSERT(m->m_len >= sizeof(uint32_t) - space,
  943                                 ("not enough data in following buffer, "
  944                                 "m_len %u need %zu\n", m->m_len,
  945                                 sizeof(uint32_t) - space));
  946                         switch (space) {
  947                         case 1:
  948                                 l ^= get_le32_split(data[0], data_next[0],
  949                                         data_next[1], data_next[2]);
  950                                 data = data_next + 3;
  951                                 space = m->m_len - 3;
  952                                 break;
  953                         case 2:
  954                                 l ^= get_le32_split(data[0], data[1],
  955                                         data_next[0], data_next[1]);
  956                                 data = data_next + 2;
  957                                 space = m->m_len - 2;
  958                                 break;
  959                         case 3:
  960                                 l ^= get_le32_split(data[0], data[1],
  961                                         data[2], data_next[0]);
  962                                 data = data_next + 1;
  963                                 space = m->m_len - 1;
  964                                 break;
  965                         }
  966                         michael_block(l, r);
  967                         data_len -= sizeof(uint32_t);
  968                 } else {
  969                         /*
  970                          * Setup for next buffer.
  971                          */
  972                         data = mtod(m, const uint8_t *);
  973                         space = m->m_len;
  974                 }
  975         }
  976         /*
  977          * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
  978          * mbuf[2 bytes].  I don't believe these should happen; if they
  979          * do then we'll need more involved logic.
  980          */
  981         KASSERT(data_len <= space,
  982             ("not enough data, data_len %zu space %u\n", data_len, space));
  983 
  984         /* Last block and padding (0x5a, 4..7 x 0) */
  985         switch (data_len) {
  986         case 0:
  987                 l ^= get_le32_split(0x5a, 0, 0, 0);
  988                 break;
  989         case 1:
  990                 l ^= get_le32_split(data[0], 0x5a, 0, 0);
  991                 break;
  992         case 2:
  993                 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
  994                 break;
  995         case 3:
  996                 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
  997                 break;
  998         }
  999         michael_block(l, r);
 1000         /* l ^= 0; */
 1001         michael_block(l, r);
 1002 
 1003         put_le32(mic, l);
 1004         put_le32(mic + 4, r);
 1005 }
 1006 
 1007 static int
 1008 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
 1009         struct mbuf *m, int hdrlen)
 1010 {
 1011         struct ieee80211_frame *wh;
 1012         uint8_t icv[IEEE80211_WEP_CRCLEN];
 1013 
 1014         ctx->tc_vap->iv_stats.is_crypto_tkip++;
 1015 
 1016         wh = mtod(m, struct ieee80211_frame *);
 1017         if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
 1018                 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
 1019                                    (u32)(key->wk_keytsc >> 16));
 1020         }
 1021         tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
 1022                 (u16) key->wk_keytsc);
 1023 
 1024         wep_encrypt(ctx->tx_rc4key,
 1025                 m, hdrlen + tkip.ic_header,
 1026                 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
 1027                 icv);
 1028         (void) m_append(m, IEEE80211_WEP_CRCLEN, icv);  /* XXX check return */
 1029 
 1030         return 1;
 1031 }
 1032 
 1033 static int
 1034 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
 1035         struct mbuf *m, int hdrlen)
 1036 {
 1037         struct ieee80211_frame *wh;
 1038         struct ieee80211vap *vap = ctx->tc_vap;
 1039         u32 iv32;
 1040         u16 iv16;
 1041         u8 tid;
 1042 
 1043         vap->iv_stats.is_crypto_tkip++;
 1044 
 1045         wh = mtod(m, struct ieee80211_frame *);
 1046         /* NB: tkip_decap already verified header and left seq in rx_rsc */
 1047         iv16 = (u16) ctx->rx_rsc;
 1048         iv32 = (u32) (ctx->rx_rsc >> 16);
 1049 
 1050         tid = ieee80211_gettid(wh);
 1051         if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
 1052                 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
 1053                         wh->i_addr2, iv32);
 1054                 ctx->rx_phase1_done = 1;
 1055         }
 1056         tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
 1057 
 1058         /* NB: m is unstripped; deduct headers + ICV to get payload */
 1059         if (wep_decrypt(ctx->rx_rc4key,
 1060                 m, hdrlen + tkip.ic_header,
 1061                 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
 1062                 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
 1063                         /* Previously cached Phase1 result was already lost, so
 1064                          * it needs to be recalculated for the next packet. */
 1065                         ctx->rx_phase1_done = 0;
 1066                 }
 1067                 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
 1068                     "%s", "TKIP ICV mismatch on decrypt");
 1069                 vap->iv_stats.is_rx_tkipicv++;
 1070                 return 0;
 1071         }
 1072         return 1;
 1073 }
 1074 
 1075 /*
 1076  * Module glue.
 1077  */
 1078 IEEE80211_CRYPTO_MODULE(tkip, 1);

Cache object: eebc00fb1701c80e58bc03a47f028eb6


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.