1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 /*
30 * IEEE 802.11i TKIP crypto support.
31 *
32 * Part of this module is derived from similar code in the Host
33 * AP driver. The code is used with the consent of the author and
34 * it's license is included below.
35 */
36 #include "opt_wlan.h"
37
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
45
46 #include <sys/socket.h>
47
48 #include <net/if.h>
49 #include <net/if_media.h>
50 #include <net/ethernet.h>
51
52 #include <net80211/ieee80211_var.h>
53
54 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
55 static void tkip_detach(struct ieee80211_key *);
56 static int tkip_setkey(struct ieee80211_key *);
57 static void tkip_setiv(struct ieee80211_key *, uint8_t *);
58 static int tkip_encap(struct ieee80211_key *, struct mbuf *);
59 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
60 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
61 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
62
63 static const struct ieee80211_cipher tkip = {
64 .ic_name = "TKIP",
65 .ic_cipher = IEEE80211_CIPHER_TKIP,
66 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
67 IEEE80211_WEP_EXTIVLEN,
68 .ic_trailer = IEEE80211_WEP_CRCLEN,
69 .ic_miclen = IEEE80211_WEP_MICLEN,
70 .ic_attach = tkip_attach,
71 .ic_detach = tkip_detach,
72 .ic_setkey = tkip_setkey,
73 .ic_setiv = tkip_setiv,
74 .ic_encap = tkip_encap,
75 .ic_decap = tkip_decap,
76 .ic_enmic = tkip_enmic,
77 .ic_demic = tkip_demic,
78 };
79
80 typedef uint8_t u8;
81 typedef uint16_t u16;
82 typedef uint32_t __u32;
83 typedef uint32_t u32;
84
85 struct tkip_ctx {
86 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */
87
88 u16 tx_ttak[5];
89 u8 tx_rc4key[16]; /* XXX for test module; make locals? */
90
91 u16 rx_ttak[5];
92 int rx_phase1_done;
93 u8 rx_rc4key[16]; /* XXX for test module; make locals? */
94 uint64_t rx_rsc; /* held until MIC verified */
95 };
96
97 static void michael_mic(struct tkip_ctx *, const u8 *key,
98 struct mbuf *m, u_int off, size_t data_len,
99 u8 mic[IEEE80211_WEP_MICLEN]);
100 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
101 struct mbuf *, int hdr_len);
102 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
103 struct mbuf *, int hdr_len);
104
105 /* number of references from net80211 layer */
106 static int nrefs = 0;
107
108 static void *
tkip_attach(struct ieee80211vap * vap,struct ieee80211_key * k)109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
110 {
111 struct tkip_ctx *ctx;
112
113 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
114 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
115 if (ctx == NULL) {
116 vap->iv_stats.is_crypto_nomem++;
117 return NULL;
118 }
119
120 ctx->tc_vap = vap;
121 nrefs++; /* NB: we assume caller locking */
122 return ctx;
123 }
124
125 static void
tkip_detach(struct ieee80211_key * k)126 tkip_detach(struct ieee80211_key *k)
127 {
128 struct tkip_ctx *ctx = k->wk_private;
129
130 IEEE80211_FREE(ctx, M_80211_CRYPTO);
131 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
132 nrefs--; /* NB: we assume caller locking */
133 }
134
135 static int
tkip_setkey(struct ieee80211_key * k)136 tkip_setkey(struct ieee80211_key *k)
137 {
138 struct tkip_ctx *ctx = k->wk_private;
139
140 if (k->wk_keylen != (128/NBBY)) {
141 (void) ctx; /* XXX */
142 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
143 "%s: Invalid key length %u, expecting %u\n",
144 __func__, k->wk_keylen, 128/NBBY);
145 return 0;
146 }
147 ctx->rx_phase1_done = 0;
148 return 1;
149 }
150
151 static void
tkip_setiv(struct ieee80211_key * k,uint8_t * ivp)152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
153 {
154 struct tkip_ctx *ctx = k->wk_private;
155 struct ieee80211vap *vap = ctx->tc_vap;
156 uint8_t keyid;
157
158 keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
159
160 k->wk_keytsc++;
161 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
162 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
163 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
164 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
165 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
166 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
167 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
168 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
169 }
170
171 /*
172 * Add privacy headers and do any s/w encryption required.
173 */
174 static int
tkip_encap(struct ieee80211_key * k,struct mbuf * m)175 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
176 {
177 struct tkip_ctx *ctx = k->wk_private;
178 struct ieee80211vap *vap = ctx->tc_vap;
179 struct ieee80211com *ic = vap->iv_ic;
180 struct ieee80211_frame *wh;
181 uint8_t *ivp;
182 int hdrlen;
183 int is_mgmt;
184
185 wh = mtod(m, struct ieee80211_frame *);
186 is_mgmt = IEEE80211_IS_MGMT(wh);
187
188 /*
189 * Handle TKIP counter measures requirement.
190 */
191 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
192 #ifdef IEEE80211_DEBUG
193 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
194 #endif
195
196 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
197 "discard frame due to countermeasures (%s)", __func__);
198 vap->iv_stats.is_crypto_tkipcm++;
199 return 0;
200 }
201
202 /*
203 * Check to see whether IV needs to be included.
204 */
205 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
206 return 1;
207 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
208 return 1;
209
210 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
211
212 /*
213 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
214 */
215 M_PREPEND(m, tkip.ic_header, IEEE80211_M_NOWAIT);
216 if (m == NULL)
217 return 0;
218 ivp = mtod(m, uint8_t *);
219 memmove(ivp, ivp + tkip.ic_header, hdrlen);
220 ivp += hdrlen;
221
222 tkip_setiv(k, ivp);
223
224 /*
225 * Finally, do software encrypt if needed.
226 */
227 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
228 !tkip_encrypt(ctx, k, m, hdrlen))
229 return 0;
230
231 return 1;
232 }
233
234 /*
235 * Add MIC to the frame as needed.
236 */
237 static int
tkip_enmic(struct ieee80211_key * k,struct mbuf * m,int force)238 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
239 {
240 struct tkip_ctx *ctx = k->wk_private;
241 struct ieee80211_frame *wh;
242 int is_mgmt;
243
244 wh = mtod(m, struct ieee80211_frame *);
245 is_mgmt = IEEE80211_IS_MGMT(wh);
246
247 /*
248 * Check to see whether MIC needs to be included.
249 */
250 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT))
251 return 1;
252 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC))
253 return 1;
254
255 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
256 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
257 struct ieee80211vap *vap = ctx->tc_vap;
258 struct ieee80211com *ic = vap->iv_ic;
259 int hdrlen;
260 uint8_t mic[IEEE80211_WEP_MICLEN];
261
262 vap->iv_stats.is_crypto_tkipenmic++;
263
264 hdrlen = ieee80211_hdrspace(ic, wh);
265
266 michael_mic(ctx, k->wk_txmic,
267 m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
268 return m_append(m, tkip.ic_miclen, mic);
269 }
270 return 1;
271 }
272
273 static __inline uint64_t
READ_6(uint8_t b0,uint8_t b1,uint8_t b2,uint8_t b3,uint8_t b4,uint8_t b5)274 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
275 {
276 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
277 uint16_t iv16 = (b4 << 0) | (b5 << 8);
278 return (((uint64_t)iv16) << 32) | iv32;
279 }
280
281 /*
282 * Validate and strip privacy headers (and trailer) for a
283 * received frame. If necessary, decrypt the frame using
284 * the specified key.
285 */
286 static int
tkip_decap(struct ieee80211_key * k,struct mbuf * m,int hdrlen)287 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
288 {
289 const struct ieee80211_rx_stats *rxs;
290 struct tkip_ctx *ctx = k->wk_private;
291 struct ieee80211vap *vap = ctx->tc_vap;
292 struct ieee80211_frame *wh;
293 uint8_t *ivp, tid;
294
295 rxs = ieee80211_get_rx_params_ptr(m);
296
297 /*
298 * If IV has been stripped, we skip most of the below.
299 */
300 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
301 goto finish;
302
303 /*
304 * Header should have extended IV and sequence number;
305 * verify the former and validate the latter.
306 */
307 wh = mtod(m, struct ieee80211_frame *);
308 ivp = mtod(m, uint8_t *) + hdrlen;
309 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
310 /*
311 * No extended IV; discard frame.
312 */
313 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
314 "%s", "missing ExtIV for TKIP cipher");
315 vap->iv_stats.is_rx_tkipformat++;
316 return 0;
317 }
318 /*
319 * Handle TKIP counter measures requirement.
320 */
321 if (vap->iv_flags & IEEE80211_F_COUNTERM) {
322 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
323 "discard frame due to countermeasures (%s)", __func__);
324 vap->iv_stats.is_crypto_tkipcm++;
325 return 0;
326 }
327
328 tid = ieee80211_gettid(wh);
329 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
330 if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
331 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
332 /*
333 * Replay violation; notify upper layer.
334 */
335 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
336 vap->iv_stats.is_rx_tkipreplay++;
337 return 0;
338 }
339 /*
340 * NB: We can't update the rsc in the key until MIC is verified.
341 *
342 * We assume we are not preempted between doing the check above
343 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
344 * Otherwise we might process another packet and discard it as
345 * a replay.
346 */
347
348 /*
349 * Check if the device handled the decrypt in hardware.
350 * If so we just strip the header; otherwise we need to
351 * handle the decrypt in software.
352 */
353 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
354 !tkip_decrypt(ctx, k, m, hdrlen))
355 return 0;
356
357 finish:
358
359 /*
360 * Copy up 802.11 header and strip crypto bits - but only if we
361 * are required to.
362 */
363 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
364 /* XXX this assumes the header + IV are contiguous in an mbuf. */
365 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *),
366 hdrlen);
367 m_adj(m, tkip.ic_header);
368 }
369
370 /*
371 * Strip the ICV if hardware has not done so already.
372 */
373 if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
374 m_adj(m, -tkip.ic_trailer);
375
376 return 1;
377 }
378
379 /*
380 * Verify and strip MIC from the frame.
381 */
382 static int
tkip_demic(struct ieee80211_key * k,struct mbuf * m,int force)383 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
384 {
385 const struct ieee80211_rx_stats *rxs;
386 struct tkip_ctx *ctx = k->wk_private;
387 struct ieee80211_frame *wh;
388 uint8_t tid;
389
390 wh = mtod(m, struct ieee80211_frame *);
391 rxs = ieee80211_get_rx_params_ptr(m);
392
393 /*
394 * If we are told about a MIC failure from the driver,
395 * directly notify as a michael failure to the upper
396 * layers.
397 */
398 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MMIC)) {
399 struct ieee80211vap *vap = ctx->tc_vap;
400 ieee80211_notify_michael_failure(vap, wh,
401 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
402 k->wk_rxkeyix : k->wk_keyix);
403 return 0;
404 }
405
406 /*
407 * If MMIC has been stripped, we skip most of the below.
408 */
409 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))
410 goto finish;
411
412 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
413 struct ieee80211vap *vap = ctx->tc_vap;
414 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
415 u8 mic[IEEE80211_WEP_MICLEN];
416 u8 mic0[IEEE80211_WEP_MICLEN];
417
418 vap->iv_stats.is_crypto_tkipdemic++;
419
420 michael_mic(ctx, k->wk_rxmic,
421 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
422 mic);
423 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
424 tkip.ic_miclen, mic0);
425 if (memcmp(mic, mic0, tkip.ic_miclen)) {
426 /* NB: 802.11 layer handles statistic and debug msg */
427 ieee80211_notify_michael_failure(vap, wh,
428 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
429 k->wk_rxkeyix : k->wk_keyix);
430 return 0;
431 }
432 }
433 /*
434 * Strip MIC from the tail.
435 */
436 m_adj(m, -tkip.ic_miclen);
437
438 /*
439 * Ok to update rsc now that MIC has been verified.
440 */
441 tid = ieee80211_gettid(wh);
442 k->wk_keyrsc[tid] = ctx->rx_rsc;
443
444 finish:
445 return 1;
446 }
447
448 /*
449 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
450 *
451 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
452 *
453 * This program is free software; you can redistribute it and/or modify
454 * it under the terms of the GNU General Public License version 2 as
455 * published by the Free Software Foundation. See README and COPYING for
456 * more details.
457 *
458 * Alternatively, this software may be distributed under the terms of BSD
459 * license.
460 */
461
462 static const __u32 crc32_table[256] = {
463 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
464 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
465 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
466 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
467 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
468 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
469 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
470 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
471 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
472 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
473 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
474 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
475 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
476 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
477 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
478 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
479 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
480 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
481 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
482 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
483 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
484 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
485 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
486 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
487 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
488 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
489 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
490 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
491 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
492 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
493 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
494 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
495 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
496 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
497 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
498 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
499 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
500 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
501 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
502 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
503 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
504 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
505 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
506 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
507 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
508 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
509 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
510 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
511 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
512 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
513 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
514 0x2d02ef8dL
515 };
516
RotR1(u16 val)517 static __inline u16 RotR1(u16 val)
518 {
519 return (val >> 1) | (val << 15);
520 }
521
Lo8(u16 val)522 static __inline u8 Lo8(u16 val)
523 {
524 return val & 0xff;
525 }
526
Hi8(u16 val)527 static __inline u8 Hi8(u16 val)
528 {
529 return val >> 8;
530 }
531
Lo16(u32 val)532 static __inline u16 Lo16(u32 val)
533 {
534 return val & 0xffff;
535 }
536
Hi16(u32 val)537 static __inline u16 Hi16(u32 val)
538 {
539 return val >> 16;
540 }
541
Mk16(u8 hi,u8 lo)542 static __inline u16 Mk16(u8 hi, u8 lo)
543 {
544 return lo | (((u16) hi) << 8);
545 }
546
Mk16_le(const u16 * v)547 static __inline u16 Mk16_le(const u16 *v)
548 {
549 return le16toh(*v);
550 }
551
552 static const u16 Sbox[256] = {
553 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
554 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
555 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
556 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
557 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
558 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
559 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
560 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
561 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
562 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
563 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
564 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
565 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
566 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
567 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
568 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
569 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
570 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
571 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
572 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
573 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
574 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
575 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
576 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
577 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
578 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
579 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
580 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
581 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
582 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
583 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
584 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
585 };
586
_S_(u16 v)587 static __inline u16 _S_(u16 v)
588 {
589 u16 t = Sbox[Hi8(v)];
590 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
591 }
592
593 #define PHASE1_LOOP_COUNT 8
594
tkip_mixing_phase1(u16 * TTAK,const u8 * TK,const u8 * TA,u32 IV32)595 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
596 {
597 int i, j;
598
599 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
600 TTAK[0] = Lo16(IV32);
601 TTAK[1] = Hi16(IV32);
602 TTAK[2] = Mk16(TA[1], TA[0]);
603 TTAK[3] = Mk16(TA[3], TA[2]);
604 TTAK[4] = Mk16(TA[5], TA[4]);
605
606 for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
607 j = 2 * (i & 1);
608 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
609 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
610 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
611 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
612 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
613 }
614 }
615
616 #ifndef _BYTE_ORDER
617 #error "Don't know native byte order"
618 #endif
619
tkip_mixing_phase2(u8 * WEPSeed,const u8 * TK,const u16 * TTAK,u16 IV16)620 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
621 u16 IV16)
622 {
623 /* Make temporary area overlap WEP seed so that the final copy can be
624 * avoided on little endian hosts. */
625 u16 *PPK = (u16 *) &WEPSeed[4];
626
627 /* Step 1 - make copy of TTAK and bring in TSC */
628 PPK[0] = TTAK[0];
629 PPK[1] = TTAK[1];
630 PPK[2] = TTAK[2];
631 PPK[3] = TTAK[3];
632 PPK[4] = TTAK[4];
633 PPK[5] = TTAK[4] + IV16;
634
635 /* Step 2 - 96-bit bijective mixing using S-box */
636 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
637 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
638 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
639 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
640 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
641 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
642
643 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
644 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
645 PPK[2] += RotR1(PPK[1]);
646 PPK[3] += RotR1(PPK[2]);
647 PPK[4] += RotR1(PPK[3]);
648 PPK[5] += RotR1(PPK[4]);
649
650 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
651 * WEPSeed[0..2] is transmitted as WEP IV */
652 WEPSeed[0] = Hi8(IV16);
653 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
654 WEPSeed[2] = Lo8(IV16);
655 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
656
657 #if _BYTE_ORDER == _BIG_ENDIAN
658 {
659 int i;
660 for (i = 0; i < 6; i++)
661 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
662 }
663 #endif
664 }
665
666 static void
wep_encrypt(u8 * key,struct mbuf * m0,u_int off,size_t data_len,uint8_t icv[IEEE80211_WEP_CRCLEN])667 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
668 uint8_t icv[IEEE80211_WEP_CRCLEN])
669 {
670 u32 i, j, k, crc;
671 size_t buflen;
672 u8 S[256];
673 u8 *pos;
674 struct mbuf *m;
675 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
676
677 /* Setup RC4 state */
678 for (i = 0; i < 256; i++)
679 S[i] = i;
680 j = 0;
681 for (i = 0; i < 256; i++) {
682 j = (j + S[i] + key[i & 0x0f]) & 0xff;
683 S_SWAP(i, j);
684 }
685
686 /* Compute CRC32 over unencrypted data and apply RC4 to data */
687 crc = ~0;
688 i = j = 0;
689 m = m0;
690 pos = mtod(m, uint8_t *) + off;
691 buflen = m->m_len - off;
692 for (;;) {
693 if (buflen > data_len)
694 buflen = data_len;
695 data_len -= buflen;
696 for (k = 0; k < buflen; k++) {
697 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
698 i = (i + 1) & 0xff;
699 j = (j + S[i]) & 0xff;
700 S_SWAP(i, j);
701 *pos++ ^= S[(S[i] + S[j]) & 0xff];
702 }
703 m = m->m_next;
704 if (m == NULL) {
705 KASSERT(data_len == 0,
706 ("out of buffers with data_len %zu\n", data_len));
707 break;
708 }
709 pos = mtod(m, uint8_t *);
710 buflen = m->m_len;
711 }
712 crc = ~crc;
713
714 /* Append little-endian CRC32 and encrypt it to produce ICV */
715 icv[0] = crc;
716 icv[1] = crc >> 8;
717 icv[2] = crc >> 16;
718 icv[3] = crc >> 24;
719 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
720 i = (i + 1) & 0xff;
721 j = (j + S[i]) & 0xff;
722 S_SWAP(i, j);
723 icv[k] ^= S[(S[i] + S[j]) & 0xff];
724 }
725 }
726
727 static int
wep_decrypt(u8 * key,struct mbuf * m,u_int off,size_t data_len)728 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
729 {
730 u32 i, j, k, crc;
731 u8 S[256];
732 u8 *pos, icv[4];
733 size_t buflen;
734
735 /* Setup RC4 state */
736 for (i = 0; i < 256; i++)
737 S[i] = i;
738 j = 0;
739 for (i = 0; i < 256; i++) {
740 j = (j + S[i] + key[i & 0x0f]) & 0xff;
741 S_SWAP(i, j);
742 }
743
744 /* Apply RC4 to data and compute CRC32 over decrypted data */
745 crc = ~0;
746 i = j = 0;
747 pos = mtod(m, uint8_t *) + off;
748 buflen = m->m_len - off;
749 for (;;) {
750 if (buflen > data_len)
751 buflen = data_len;
752 data_len -= buflen;
753 for (k = 0; k < buflen; k++) {
754 i = (i + 1) & 0xff;
755 j = (j + S[i]) & 0xff;
756 S_SWAP(i, j);
757 *pos ^= S[(S[i] + S[j]) & 0xff];
758 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
759 pos++;
760 }
761 m = m->m_next;
762 if (m == NULL) {
763 KASSERT(data_len == 0,
764 ("out of buffers with data_len %zu\n", data_len));
765 break;
766 }
767 pos = mtod(m, uint8_t *);
768 buflen = m->m_len;
769 }
770 crc = ~crc;
771
772 /* Encrypt little-endian CRC32 and verify that it matches with the
773 * received ICV */
774 icv[0] = crc;
775 icv[1] = crc >> 8;
776 icv[2] = crc >> 16;
777 icv[3] = crc >> 24;
778 for (k = 0; k < 4; k++) {
779 i = (i + 1) & 0xff;
780 j = (j + S[i]) & 0xff;
781 S_SWAP(i, j);
782 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
783 /* ICV mismatch - drop frame */
784 return -1;
785 }
786 }
787
788 return 0;
789 }
790
rotl(u32 val,int bits)791 static __inline u32 rotl(u32 val, int bits)
792 {
793 return (val << bits) | (val >> (32 - bits));
794 }
795
rotr(u32 val,int bits)796 static __inline u32 rotr(u32 val, int bits)
797 {
798 return (val >> bits) | (val << (32 - bits));
799 }
800
xswap(u32 val)801 static __inline u32 xswap(u32 val)
802 {
803 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
804 }
805
806 #define michael_block(l, r) \
807 do { \
808 r ^= rotl(l, 17); \
809 l += r; \
810 r ^= xswap(l); \
811 l += r; \
812 r ^= rotl(l, 3); \
813 l += r; \
814 r ^= rotr(l, 2); \
815 l += r; \
816 } while (0)
817
get_le32_split(u8 b0,u8 b1,u8 b2,u8 b3)818 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
819 {
820 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
821 }
822
get_le32(const u8 * p)823 static __inline u32 get_le32(const u8 *p)
824 {
825 return get_le32_split(p[0], p[1], p[2], p[3]);
826 }
827
put_le32(u8 * p,u32 v)828 static __inline void put_le32(u8 *p, u32 v)
829 {
830 p[0] = v;
831 p[1] = v >> 8;
832 p[2] = v >> 16;
833 p[3] = v >> 24;
834 }
835
836 /*
837 * Craft pseudo header used to calculate the MIC.
838 */
839 static void
michael_mic_hdr(const struct ieee80211_frame * wh0,uint8_t hdr[16])840 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
841 {
842 const struct ieee80211_frame_addr4 *wh =
843 (const struct ieee80211_frame_addr4 *) wh0;
844
845 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
846 case IEEE80211_FC1_DIR_NODS:
847 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
848 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
849 break;
850 case IEEE80211_FC1_DIR_TODS:
851 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
852 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
853 break;
854 case IEEE80211_FC1_DIR_FROMDS:
855 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
856 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
857 break;
858 case IEEE80211_FC1_DIR_DSTODS:
859 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
860 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
861 break;
862 }
863
864 /* Match on any QOS frame, not just data */
865 if (IEEE80211_IS_QOS_ANY(wh)) {
866 const struct ieee80211_qosframe *qwh =
867 (const struct ieee80211_qosframe *) wh;
868 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
869 } else
870 hdr[12] = 0;
871 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
872 }
873
874 static void
michael_mic(struct tkip_ctx * ctx,const u8 * key,struct mbuf * m,u_int off,size_t data_len,u8 mic[IEEE80211_WEP_MICLEN])875 michael_mic(struct tkip_ctx *ctx, const u8 *key,
876 struct mbuf *m, u_int off, size_t data_len,
877 u8 mic[IEEE80211_WEP_MICLEN])
878 {
879 uint8_t hdr[16];
880 u32 l, r;
881 const uint8_t *data;
882 u_int space;
883
884 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
885
886 l = get_le32(key);
887 r = get_le32(key + 4);
888
889 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
890 l ^= get_le32(hdr);
891 michael_block(l, r);
892 l ^= get_le32(&hdr[4]);
893 michael_block(l, r);
894 l ^= get_le32(&hdr[8]);
895 michael_block(l, r);
896 l ^= get_le32(&hdr[12]);
897 michael_block(l, r);
898
899 /* first buffer has special handling */
900 data = mtod(m, const uint8_t *) + off;
901 space = m->m_len - off;
902 for (;;) {
903 if (space > data_len)
904 space = data_len;
905 /* collect 32-bit blocks from current buffer */
906 while (space >= sizeof(uint32_t)) {
907 l ^= get_le32(data);
908 michael_block(l, r);
909 data += sizeof(uint32_t), space -= sizeof(uint32_t);
910 data_len -= sizeof(uint32_t);
911 }
912 /*
913 * NB: when space is zero we make one more trip around
914 * the loop to advance to the next mbuf where there is
915 * data. This handles the case where there are 4*n
916 * bytes in an mbuf followed by <4 bytes in a later mbuf.
917 * By making an extra trip we'll drop out of the loop
918 * with m pointing at the mbuf with 3 bytes and space
919 * set as required by the remainder handling below.
920 */
921 if (data_len == 0 ||
922 (data_len < sizeof(uint32_t) && space != 0))
923 break;
924 m = m->m_next;
925 if (m == NULL) {
926 KASSERT(0, ("out of data, data_len %zu\n", data_len));
927 break;
928 }
929 if (space != 0) {
930 const uint8_t *data_next;
931 /*
932 * Block straddles buffers, split references.
933 */
934 data_next = mtod(m, const uint8_t *);
935 KASSERT(m->m_len >= sizeof(uint32_t) - space,
936 ("not enough data in following buffer, "
937 "m_len %u need %zu\n", m->m_len,
938 sizeof(uint32_t) - space));
939 switch (space) {
940 case 1:
941 l ^= get_le32_split(data[0], data_next[0],
942 data_next[1], data_next[2]);
943 data = data_next + 3;
944 space = m->m_len - 3;
945 break;
946 case 2:
947 l ^= get_le32_split(data[0], data[1],
948 data_next[0], data_next[1]);
949 data = data_next + 2;
950 space = m->m_len - 2;
951 break;
952 case 3:
953 l ^= get_le32_split(data[0], data[1],
954 data[2], data_next[0]);
955 data = data_next + 1;
956 space = m->m_len - 1;
957 break;
958 }
959 michael_block(l, r);
960 data_len -= sizeof(uint32_t);
961 } else {
962 /*
963 * Setup for next buffer.
964 */
965 data = mtod(m, const uint8_t *);
966 space = m->m_len;
967 }
968 }
969 /*
970 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
971 * mbuf[2 bytes]. I don't believe these should happen; if they
972 * do then we'll need more involved logic.
973 */
974 KASSERT(data_len <= space,
975 ("not enough data, data_len %zu space %u\n", data_len, space));
976
977 /* Last block and padding (0x5a, 4..7 x 0) */
978 switch (data_len) {
979 case 0:
980 l ^= get_le32_split(0x5a, 0, 0, 0);
981 break;
982 case 1:
983 l ^= get_le32_split(data[0], 0x5a, 0, 0);
984 break;
985 case 2:
986 l ^= get_le32_split(data[0], data[1], 0x5a, 0);
987 break;
988 case 3:
989 l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
990 break;
991 }
992 michael_block(l, r);
993 /* l ^= 0; */
994 michael_block(l, r);
995
996 put_le32(mic, l);
997 put_le32(mic + 4, r);
998 }
999
1000 static int
tkip_encrypt(struct tkip_ctx * ctx,struct ieee80211_key * key,struct mbuf * m,int hdrlen)1001 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1002 struct mbuf *m, int hdrlen)
1003 {
1004 struct ieee80211_frame *wh;
1005 uint8_t icv[IEEE80211_WEP_CRCLEN];
1006
1007 ctx->tc_vap->iv_stats.is_crypto_tkip++;
1008
1009 wh = mtod(m, struct ieee80211_frame *);
1010 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
1011 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
1012 (u32)(key->wk_keytsc >> 16));
1013 }
1014 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
1015 (u16) key->wk_keytsc);
1016
1017 wep_encrypt(ctx->tx_rc4key,
1018 m, hdrlen + tkip.ic_header,
1019 m->m_pkthdr.len - (hdrlen + tkip.ic_header),
1020 icv);
1021 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */
1022
1023 return 1;
1024 }
1025
1026 static int
tkip_decrypt(struct tkip_ctx * ctx,struct ieee80211_key * key,struct mbuf * m,int hdrlen)1027 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1028 struct mbuf *m, int hdrlen)
1029 {
1030 struct ieee80211_frame *wh;
1031 struct ieee80211vap *vap = ctx->tc_vap;
1032 u32 iv32;
1033 u16 iv16;
1034 u8 tid;
1035
1036 vap->iv_stats.is_crypto_tkip++;
1037
1038 wh = mtod(m, struct ieee80211_frame *);
1039 /* NB: tkip_decap already verified header and left seq in rx_rsc */
1040 iv16 = (u16) ctx->rx_rsc;
1041 iv32 = (u32) (ctx->rx_rsc >> 16);
1042
1043 tid = ieee80211_gettid(wh);
1044 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
1045 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
1046 wh->i_addr2, iv32);
1047 ctx->rx_phase1_done = 1;
1048 }
1049 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
1050
1051 /* NB: m is unstripped; deduct headers + ICV to get payload */
1052 if (wep_decrypt(ctx->rx_rc4key,
1053 m, hdrlen + tkip.ic_header,
1054 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
1055 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
1056 /* Previously cached Phase1 result was already lost, so
1057 * it needs to be recalculated for the next packet. */
1058 ctx->rx_phase1_done = 0;
1059 }
1060 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
1061 "%s", "TKIP ICV mismatch on decrypt");
1062 vap->iv_stats.is_rx_tkipicv++;
1063 return 0;
1064 }
1065 return 1;
1066 }
1067
1068 /*
1069 * Module glue.
1070 */
1071 IEEE80211_CRYPTO_MODULE(tkip, 1);
1072