1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
4  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
94 	uint64_t rx_rsc;		/* held until MIC verified */
99 		u8 mic[IEEE80211_WEP_MICLEN]);
116 		vap->iv_stats.is_crypto_nomem++;  in tkip_attach()
120 	ctx->tc_vap = vap;  in tkip_attach()
128 	struct tkip_ctx *ctx = k->wk_private;  in tkip_detach()
132 	nrefs--;			/* NB: we assume caller locking */  in tkip_detach()
138 	struct tkip_ctx *ctx = k->wk_private;  in tkip_setkey()
140 	if (k->wk_keylen != (128/NBBY)) {  in tkip_setkey()
142 		IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,  in tkip_setkey()
144 			__func__, k->wk_keylen, 128/NBBY);  in tkip_setkey()
147 	ctx->rx_phase1_done = 0;  in tkip_setkey()
154 	struct tkip_ctx *ctx = k->wk_private;  in tkip_setiv()
155 	struct ieee80211vap *vap = ctx->tc_vap;  in tkip_setiv()
160 	k->wk_keytsc++;  in tkip_setiv()
161 	ivp[0] = k->wk_keytsc >> 8;		/* TSC1 */  in tkip_setiv()
163 	ivp[2] = k->wk_keytsc >> 0;		/* TSC0 */  in tkip_setiv()
165 	ivp[4] = k->wk_keytsc >> 16;		/* TSC2 */  in tkip_setiv()
166 	ivp[5] = k->wk_keytsc >> 24;		/* TSC3 */  in tkip_setiv()
167 	ivp[6] = k->wk_keytsc >> 32;		/* TSC4 */  in tkip_setiv()
168 	ivp[7] = k->wk_keytsc >> 40;		/* TSC5 */  in tkip_setiv()
177 	struct tkip_ctx *ctx = k->wk_private;  in tkip_encap()
178 	struct ieee80211vap *vap = ctx->tc_vap;  in tkip_encap()
179 	struct ieee80211com *ic = vap->iv_ic;  in tkip_encap()
191 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {  in tkip_encap()
196 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,  in tkip_encap()
198 		vap->iv_stats.is_crypto_tkipcm++;  in tkip_encap()
205 	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))  in tkip_encap()
207 	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))  in tkip_encap()
227 	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&  in tkip_encap()
235  * Add MIC to the frame as needed.
240 	struct tkip_ctx *ctx = k->wk_private;  in tkip_enmic()
248 	 * Check to see whether MIC needs to be included.  in tkip_enmic()
250 	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT))  in tkip_enmic()
252 	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC))  in tkip_enmic()
255 	if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {  in tkip_enmic()
257 		struct ieee80211vap *vap = ctx->tc_vap;  in tkip_enmic()
258 		struct ieee80211com *ic = vap->iv_ic;  in tkip_enmic()
260 		uint8_t mic[IEEE80211_WEP_MICLEN];  in tkip_enmic()  local
262 		vap->iv_stats.is_crypto_tkipenmic++;  in tkip_enmic()
266 		michael_mic(ctx, k->wk_txmic,  in tkip_enmic()
267 			m, hdrlen, m->m_pkthdr.len - hdrlen, mic);  in tkip_enmic()
268 		return m_append(m, tkip.ic_miclen, mic);  in tkip_enmic()
290 	struct tkip_ctx *ctx = k->wk_private;  in tkip_decap()
291 	struct ieee80211vap *vap = ctx->tc_vap;  in tkip_decap()
300 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))  in tkip_decap()
313 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,  in tkip_decap()
315 		vap->iv_stats.is_rx_tkipformat++;  in tkip_decap()
321 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {  in tkip_decap()
322 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,  in tkip_decap()
324 		vap->iv_stats.is_crypto_tkipcm++;  in tkip_decap()
329 	ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);  in tkip_decap()
330 	if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&  in tkip_decap()
331 	    (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {  in tkip_decap()
335 		ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);  in tkip_decap()
336 		vap->iv_stats.is_rx_tkipreplay++;  in tkip_decap()
340 	 * NB: We can't update the rsc in the key until MIC is verified.  in tkip_decap()
343 	 * and updating wk_keyrsc when stripping the MIC in tkip_demic.  in tkip_decap()
353 	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&  in tkip_decap()
360 	 * Copy up 802.11 header and strip crypto bits - but only if we  in tkip_decap()
363 	if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {  in tkip_decap()
373 	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)  in tkip_decap()
374 		m_adj(m, -tkip.ic_trailer);  in tkip_decap()
380  * Verify and strip MIC from the frame.
386 	struct tkip_ctx *ctx = k->wk_private;  in tkip_demic()
394 	 * If we are told about a MIC failure from the driver,  in tkip_demic()
398 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MMIC)) {  in tkip_demic()
399 		struct ieee80211vap *vap = ctx->tc_vap;  in tkip_demic()
401 		    k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?  in tkip_demic()
402 		    k->wk_rxkeyix : k->wk_keyix);  in tkip_demic()
409 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))  in tkip_demic()
412 	if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {  in tkip_demic()
413 		struct ieee80211vap *vap = ctx->tc_vap;  in tkip_demic()
414 		int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);  in tkip_demic()
415 		u8 mic[IEEE80211_WEP_MICLEN];  in tkip_demic()  local
418 		vap->iv_stats.is_crypto_tkipdemic++;  in tkip_demic()
420 		michael_mic(ctx, k->wk_rxmic,   in tkip_demic()
421 			m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),  in tkip_demic()
422 			mic);  in tkip_demic()
423 		m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,  in tkip_demic()
425 		if (memcmp(mic, mic0, tkip.ic_miclen)) {  in tkip_demic()
428 				k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?  in tkip_demic()
429 					k->wk_rxkeyix : k->wk_keyix);  in tkip_demic()
434 	 * Strip MIC from the tail.  in tkip_demic()
436 	m_adj(m, -tkip.ic_miclen);  in tkip_demic()
439 	 * Ok to update rsc now that MIC has been verified.  in tkip_demic()
442 	k->wk_keyrsc[tid] = ctx->rx_rsc;  in tkip_demic()
449  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
451  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
599 	/* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */  in tkip_mixing_phase1()
627 	/* Step 1 - make copy of TTAK and bring in TSC */  in tkip_mixing_phase2()
635 	/* Step 2 - 96-bit bijective mixing using S-box */  in tkip_mixing_phase2()
650 	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value  in tkip_mixing_phase2()
673 	u8 *pos;  in wep_encrypt()  local
690 	pos = mtod(m, uint8_t *) + off;  in wep_encrypt()
691 	buflen = m->m_len - off;  in wep_encrypt()
695 		data_len -= buflen;  in wep_encrypt()
697 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);  in wep_encrypt()
701 			*pos++ ^= S[(S[i] + S[j]) & 0xff];  in wep_encrypt()
703 		m = m->m_next;  in wep_encrypt()
709 		pos = mtod(m, uint8_t *);  in wep_encrypt()
710 		buflen = m->m_len;  in wep_encrypt()
714 	/* Append little-endian CRC32 and encrypt it to produce ICV */  in wep_encrypt()
732 	u8 *pos, icv[4];  in wep_decrypt()  local
747 	pos = mtod(m, uint8_t *) + off;  in wep_decrypt()
748 	buflen = m->m_len - off;  in wep_decrypt()
752 		data_len -= buflen;  in wep_decrypt()
757 			*pos ^= S[(S[i] + S[j]) & 0xff];  in wep_decrypt()
758 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);  in wep_decrypt()
759 			pos++;  in wep_decrypt()
761 		m = m->m_next;  in wep_decrypt()
767 		pos = mtod(m, uint8_t *);  in wep_decrypt()
768 		buflen = m->m_len;  in wep_decrypt()
772 	/* Encrypt little-endian CRC32 and verify that it matches with the  in wep_decrypt()
782 		if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {  in wep_decrypt()
783 			/* ICV mismatch - drop frame */  in wep_decrypt()
784 			return -1;  in wep_decrypt()
793 	return (val << bits) | (val >> (32 - bits));  in rotl()
798 	return (val >> bits) | (val << (32 - bits));  in rotr()
837  * Craft pseudo header used to calculate the MIC.
845 	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {  in michael_mic_hdr()
847 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */  in michael_mic_hdr()
848 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);  in michael_mic_hdr()
851 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */  in michael_mic_hdr()
852 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);  in michael_mic_hdr()
855 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */  in michael_mic_hdr()
856 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);  in michael_mic_hdr()
859 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */  in michael_mic_hdr()
860 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);  in michael_mic_hdr()
868 		hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;  in michael_mic_hdr()
877 	u8 mic[IEEE80211_WEP_MICLEN])  in michael_mic()
889 	/* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */  in michael_mic()
901 	space = m->m_len - off;  in michael_mic()
905 		/* collect 32-bit blocks from current buffer */  in michael_mic()
909 			data += sizeof(uint32_t), space -= sizeof(uint32_t);  in michael_mic()
910 			data_len -= sizeof(uint32_t);  in michael_mic()
924 		m = m->m_next;  in michael_mic()
935 			KASSERT(m->m_len >= sizeof(uint32_t) - space,  in michael_mic()
937 				"m_len %u need %zu\n", m->m_len,  in michael_mic()
938 				sizeof(uint32_t) - space));  in michael_mic()
944 				space = m->m_len - 3;  in michael_mic()
950 				space = m->m_len - 2;  in michael_mic()
956 				space = m->m_len - 1;  in michael_mic()
960 			data_len -= sizeof(uint32_t);  in michael_mic()
966 			space = m->m_len;  in michael_mic()
996 	put_le32(mic, l);  in michael_mic()
997 	put_le32(mic + 4, r);  in michael_mic()
1007 	ctx->tc_vap->iv_stats.is_crypto_tkip++;  in tkip_encrypt()
1010 	if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {  in tkip_encrypt()
1011 		tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,  in tkip_encrypt()
1012 				   (u32)(key->wk_keytsc >> 16));  in tkip_encrypt()
1014 	tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,  in tkip_encrypt()
1015 		(u16) key->wk_keytsc);  in tkip_encrypt()
1017 	wep_encrypt(ctx->tx_rc4key,  in tkip_encrypt()
1019 		m->m_pkthdr.len - (hdrlen + tkip.ic_header),  in tkip_encrypt()
1031 	struct ieee80211vap *vap = ctx->tc_vap;  in tkip_decrypt()
1036 	vap->iv_stats.is_crypto_tkip++;  in tkip_decrypt()
1040 	iv16 = (u16) ctx->rx_rsc;  in tkip_decrypt()
1041 	iv32 = (u32) (ctx->rx_rsc >> 16);  in tkip_decrypt()
1044 	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {  in tkip_decrypt()
1045 		tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,  in tkip_decrypt()
1046 			wh->i_addr2, iv32);  in tkip_decrypt()
1047 		ctx->rx_phase1_done = 1;  in tkip_decrypt()
1049 	tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);  in tkip_decrypt()
1052 	if (wep_decrypt(ctx->rx_rc4key,  in tkip_decrypt()
1054 	        m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {  in tkip_decrypt()
1055 		if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {  in tkip_decrypt()
1058 			ctx->rx_phase1_done = 0;  in tkip_decrypt()
1060 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,  in tkip_decrypt()
1062 		vap->iv_stats.is_rx_tkipicv++;  in tkip_decrypt()