Lines Matching +full:j +full:- +full:to +full:- +full:k
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) in tkip_attach() argument
116 vap->iv_stats.is_crypto_nomem++; in tkip_attach()
120 ctx->tc_vap = vap; in tkip_attach()
126 tkip_detach(struct ieee80211_key *k) in tkip_detach() argument
128 struct tkip_ctx *ctx = k->wk_private; in tkip_detach()
132 nrefs--; /* NB: we assume caller locking */ in tkip_detach()
136 tkip_setkey(struct ieee80211_key *k) in tkip_setkey() argument
138 struct tkip_ctx *ctx = k->wk_private; in tkip_setkey()
140 if (k->wk_keylen != (128/NBBY)) { in tkip_setkey()
142 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, in tkip_setkey()
144 __func__, k->wk_keylen, 128/NBBY); in tkip_setkey()
147 ctx->rx_phase1_done = 0; in tkip_setkey()
152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) in tkip_setiv() argument
154 struct tkip_ctx *ctx = k->wk_private; in tkip_setiv()
155 struct ieee80211vap *vap = ctx->tc_vap; in tkip_setiv()
158 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; in tkip_setiv()
160 k->wk_keytsc++; in tkip_setiv()
161 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ in tkip_setiv()
163 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ in tkip_setiv()
165 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ in tkip_setiv()
166 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ in tkip_setiv()
167 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ in tkip_setiv()
168 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ in tkip_setiv()
175 tkip_encap(struct ieee80211_key *k, struct mbuf *m) in tkip_encap() argument
177 struct tkip_ctx *ctx = k->wk_private; in tkip_encap()
178 struct ieee80211vap *vap = ctx->tc_vap; in tkip_encap()
179 struct ieee80211com *ic = vap->iv_ic; in tkip_encap()
191 if (vap->iv_flags & IEEE80211_F_COUNTERM) { in tkip_encap()
196 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, in tkip_encap()
197 "discard frame due to countermeasures (%s)", __func__); in tkip_encap()
198 vap->iv_stats.is_crypto_tkipcm++; in tkip_encap()
203 * Check to see whether IV needs to be included. in tkip_encap()
205 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) in tkip_encap()
207 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) in tkip_encap()
222 tkip_setiv(k, ivp); in tkip_encap()
227 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && in tkip_encap()
228 !tkip_encrypt(ctx, k, m, hdrlen)) in tkip_encap()
235 * Add MIC to the frame as needed.
238 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) in tkip_enmic() argument
240 struct tkip_ctx *ctx = k->wk_private; in tkip_enmic()
248 * Check to see whether MIC needs to be included. in tkip_enmic()
250 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) in tkip_enmic()
252 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) in tkip_enmic()
255 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { in tkip_enmic()
257 struct ieee80211vap *vap = ctx->tc_vap; in tkip_enmic()
258 struct ieee80211com *ic = vap->iv_ic; in tkip_enmic()
262 vap->iv_stats.is_crypto_tkipenmic++; in tkip_enmic()
266 michael_mic(ctx, k->wk_txmic, in tkip_enmic()
267 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); in tkip_enmic()
287 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) in tkip_decap() argument
290 struct tkip_ctx *ctx = k->wk_private; in tkip_decap()
291 struct ieee80211vap *vap = ctx->tc_vap; in tkip_decap()
300 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) in tkip_decap()
313 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, in tkip_decap()
315 vap->iv_stats.is_rx_tkipformat++; in tkip_decap()
321 if (vap->iv_flags & IEEE80211_F_COUNTERM) { in tkip_decap()
322 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, in tkip_decap()
323 "discard frame due to countermeasures (%s)", __func__); in tkip_decap()
324 vap->iv_stats.is_crypto_tkipcm++; in tkip_decap()
329 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); in tkip_decap()
330 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && in tkip_decap()
331 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { in tkip_decap()
335 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); in tkip_decap()
336 vap->iv_stats.is_rx_tkipreplay++; in tkip_decap()
350 * If so we just strip the header; otherwise we need to in tkip_decap()
353 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && in tkip_decap()
354 !tkip_decrypt(ctx, k, m, hdrlen)) in tkip_decap()
360 * Copy up 802.11 header and strip crypto bits - but only if we in tkip_decap()
361 * are required to. in tkip_decap()
363 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { in tkip_decap()
370 * XXX TODO: do we need an option to potentially not strip the in tkip_decap()
373 m_adj(m, -tkip.ic_trailer); in tkip_decap()
382 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) in tkip_demic() argument
385 struct tkip_ctx *ctx = k->wk_private; in tkip_demic()
394 * directly notify as a michael failure to the upper in tkip_demic()
397 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { in tkip_demic()
398 struct ieee80211vap *vap = ctx->tc_vap; in tkip_demic()
400 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? in tkip_demic()
401 k->wk_rxkeyix : k->wk_keyix); in tkip_demic()
408 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) in tkip_demic()
411 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { in tkip_demic()
412 struct ieee80211vap *vap = ctx->tc_vap; in tkip_demic()
413 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); in tkip_demic()
417 vap->iv_stats.is_crypto_tkipdemic++; in tkip_demic()
419 michael_mic(ctx, k->wk_rxmic, in tkip_demic()
420 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), in tkip_demic()
422 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, in tkip_demic()
427 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? in tkip_demic()
428 k->wk_rxkeyix : k->wk_keyix); in tkip_demic()
435 m_adj(m, -tkip.ic_miclen); in tkip_demic()
438 * Ok to update rsc now that MIC has been verified. in tkip_demic()
441 k->wk_keyrsc[tid] = ctx->rx_rsc; in tkip_demic()
448 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
450 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
596 int i, j; in tkip_mixing_phase1() local
598 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ in tkip_mixing_phase1()
606 j = 2 * (i & 1); in tkip_mixing_phase1()
607 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); in tkip_mixing_phase1()
608 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); in tkip_mixing_phase1()
609 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); in tkip_mixing_phase1()
610 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); in tkip_mixing_phase1()
611 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; in tkip_mixing_phase1()
626 /* Step 1 - make copy of TTAK and bring in TSC */ in tkip_mixing_phase2()
634 /* Step 2 - 96-bit bijective mixing using S-box */ in tkip_mixing_phase2()
649 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value in tkip_mixing_phase2()
669 u32 i, j, k, crc; in wep_encrypt() local
679 j = 0; in wep_encrypt()
681 j = (j + S[i] + key[i & 0x0f]) & 0xff; in wep_encrypt()
682 S_SWAP(i, j); in wep_encrypt()
685 /* Compute CRC32 over unencrypted data and apply RC4 to data */ in wep_encrypt()
687 i = j = 0; in wep_encrypt()
690 buflen = m->m_len - off; in wep_encrypt()
694 data_len -= buflen; in wep_encrypt()
695 for (k = 0; k < buflen; k++) { in wep_encrypt()
698 j = (j + S[i]) & 0xff; in wep_encrypt()
699 S_SWAP(i, j); in wep_encrypt()
700 *pos++ ^= S[(S[i] + S[j]) & 0xff]; in wep_encrypt()
702 m = m->m_next; in wep_encrypt()
709 buflen = m->m_len; in wep_encrypt()
713 /* Append little-endian CRC32 and encrypt it to produce ICV */ in wep_encrypt()
718 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { in wep_encrypt()
720 j = (j + S[i]) & 0xff; in wep_encrypt()
721 S_SWAP(i, j); in wep_encrypt()
722 icv[k] ^= S[(S[i] + S[j]) & 0xff]; in wep_encrypt()
729 u32 i, j, k, crc; in wep_decrypt() local
737 j = 0; in wep_decrypt()
739 j = (j + S[i] + key[i & 0x0f]) & 0xff; in wep_decrypt()
740 S_SWAP(i, j); in wep_decrypt()
743 /* Apply RC4 to data and compute CRC32 over decrypted data */ in wep_decrypt()
745 i = j = 0; in wep_decrypt()
747 buflen = m->m_len - off; in wep_decrypt()
751 data_len -= buflen; in wep_decrypt()
752 for (k = 0; k < buflen; k++) { in wep_decrypt()
754 j = (j + S[i]) & 0xff; in wep_decrypt()
755 S_SWAP(i, j); in wep_decrypt()
756 *pos ^= S[(S[i] + S[j]) & 0xff]; in wep_decrypt()
760 m = m->m_next; in wep_decrypt()
767 buflen = m->m_len; in wep_decrypt()
771 /* Encrypt little-endian CRC32 and verify that it matches with the in wep_decrypt()
777 for (k = 0; k < 4; k++) { in wep_decrypt()
779 j = (j + S[i]) & 0xff; in wep_decrypt()
780 S_SWAP(i, j); in wep_decrypt()
781 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { in wep_decrypt()
782 /* ICV mismatch - drop frame */ in wep_decrypt()
783 return -1; in wep_decrypt()
792 return (val << bits) | (val >> (32 - bits)); in rotl()
797 return (val >> bits) | (val << (32 - bits)); in rotr()
836 * Craft pseudo header used to calculate the MIC.
844 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { in michael_mic_hdr()
846 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ in michael_mic_hdr()
847 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); in michael_mic_hdr()
850 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ in michael_mic_hdr()
851 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); in michael_mic_hdr()
854 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ in michael_mic_hdr()
855 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); in michael_mic_hdr()
858 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ in michael_mic_hdr()
859 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); in michael_mic_hdr()
867 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; in michael_mic_hdr()
900 space = m->m_len - off; in michael_mic()
904 /* collect 32-bit blocks from current buffer */ in michael_mic()
908 data += sizeof(uint32_t), space -= sizeof(uint32_t); in michael_mic()
909 data_len -= sizeof(uint32_t); in michael_mic()
913 * the loop to advance to the next mbuf where there is in michael_mic()
923 m = m->m_next; in michael_mic()
934 KASSERT(m->m_len >= sizeof(uint32_t) - space, in michael_mic()
936 "m_len %u need %zu\n", m->m_len, in michael_mic()
937 sizeof(uint32_t) - space)); in michael_mic()
943 space = m->m_len - 3; in michael_mic()
949 space = m->m_len - 2; in michael_mic()
955 space = m->m_len - 1; in michael_mic()
959 data_len -= sizeof(uint32_t); in michael_mic()
965 space = m->m_len; in michael_mic()
1006 ctx->tc_vap->iv_stats.is_crypto_tkip++; in tkip_encrypt()
1009 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { in tkip_encrypt()
1010 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, in tkip_encrypt()
1011 (u32)(key->wk_keytsc >> 16)); in tkip_encrypt()
1013 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, in tkip_encrypt()
1014 (u16) key->wk_keytsc); in tkip_encrypt()
1016 wep_encrypt(ctx->tx_rc4key, in tkip_encrypt()
1018 m->m_pkthdr.len - (hdrlen + tkip.ic_header), in tkip_encrypt()
1030 struct ieee80211vap *vap = ctx->tc_vap; in tkip_decrypt()
1035 vap->iv_stats.is_crypto_tkip++; in tkip_decrypt()
1039 iv16 = (u16) ctx->rx_rsc; in tkip_decrypt()
1040 iv32 = (u32) (ctx->rx_rsc >> 16); in tkip_decrypt()
1043 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { in tkip_decrypt()
1044 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, in tkip_decrypt()
1045 wh->i_addr2, iv32); in tkip_decrypt()
1046 ctx->rx_phase1_done = 1; in tkip_decrypt()
1048 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); in tkip_decrypt()
1050 /* NB: m is unstripped; deduct headers + ICV to get payload */ in tkip_decrypt()
1051 if (wep_decrypt(ctx->rx_rc4key, in tkip_decrypt()
1053 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { in tkip_decrypt()
1054 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { in tkip_decrypt()
1056 * it needs to be recalculated for the next packet. */ in tkip_decrypt()
1057 ctx->rx_phase1_done = 0; in tkip_decrypt()
1059 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, in tkip_decrypt()
1061 vap->iv_stats.is_rx_tkipicv++; in tkip_decrypt()