1 // SPDX-License-Identifier: GPL-2.0 2 /****************************************************************************** 3 * 4 * Copyright(c) 2007 - 2011 Realtek Corporation. All rights reserved. 5 * 6 ******************************************************************************/ 7 #include <linux/crc32.h> 8 #include <drv_types.h> 9 #include <crypto/aes.h> 10 #include <crypto/utils.h> 11 12 static const char * const _security_type_str[] = { 13 "N/A", 14 "WEP40", 15 "TKIP", 16 "TKIP_WM", 17 "AES", 18 "WEP104", 19 "SMS4", 20 "WEP_WPA", 21 "BIP", 22 }; 23 24 const char *security_type_str(u8 value) 25 { 26 if (value <= _BIP_) 27 return _security_type_str[value]; 28 return NULL; 29 } 30 31 /* WEP related ===== */ 32 33 /* Need to consider the fragment situation */ 34 void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe) 35 { /* exclude ICV */ 36 union { 37 __le32 f0; 38 unsigned char f1[4]; 39 } crc; 40 41 signed int curfragnum, length; 42 u32 keylength; 43 44 u8 *pframe, *payload, *iv; /* wepkey */ 45 u8 wepkey[16]; 46 u8 hw_hdr_offset = 0; 47 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib; 48 struct security_priv *psecuritypriv = &padapter->securitypriv; 49 struct xmit_priv *pxmitpriv = &padapter->xmitpriv; 50 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx; 51 52 if (!((struct xmit_frame *)pxmitframe)->buf_addr) 53 return; 54 55 hw_hdr_offset = TXDESC_OFFSET; 56 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset; 57 58 /* start to encrypt each fragment */ 59 if ((pattrib->encrypt == _WEP40_) || (pattrib->encrypt == _WEP104_)) { 60 keylength = psecuritypriv->dot11DefKeylen[psecuritypriv->dot11PrivacyKeyIndex]; 61 62 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) { 63 iv = pframe + pattrib->hdrlen; 64 memcpy(&wepkey[0], iv, 3); 65 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); 66 payload = pframe + pattrib->iv_len + pattrib->hdrlen; 67 68 if ((curfragnum + 1) == pattrib->nr_frags) { /* the last fragment */ 69 70 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 71 72 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length)); 73 74 arc4_setkey(ctx, wepkey, 3 + keylength); 75 arc4_crypt(ctx, payload, payload, length); 76 arc4_crypt(ctx, payload + length, crc.f1, 4); 77 78 } else { 79 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 80 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length)); 81 arc4_setkey(ctx, wepkey, 3 + keylength); 82 arc4_crypt(ctx, payload, payload, length); 83 arc4_crypt(ctx, payload + length, crc.f1, 4); 84 85 pframe += pxmitpriv->frag_len; 86 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4); 87 } 88 } 89 } 90 } 91 92 void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe) 93 { 94 /* exclude ICV */ 95 u8 crc[4]; 96 signed int length; 97 u32 keylength; 98 u8 *pframe, *payload, *iv, wepkey[16]; 99 u8 keyindex; 100 struct rx_pkt_attrib *prxattrib = &(((union recv_frame *)precvframe)->u.hdr.attrib); 101 struct security_priv *psecuritypriv = &padapter->securitypriv; 102 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx; 103 104 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data; 105 106 /* start to decrypt recvframe */ 107 if ((prxattrib->encrypt == _WEP40_) || (prxattrib->encrypt == _WEP104_)) { 108 iv = pframe + prxattrib->hdrlen; 109 /* keyindex =(iv[3]&0x3); */ 110 keyindex = prxattrib->key_index; 111 keylength = psecuritypriv->dot11DefKeylen[keyindex]; 112 memcpy(&wepkey[0], iv, 3); 113 /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); */ 114 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength); 115 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len; 116 117 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen; 118 119 /* decrypt payload include icv */ 120 arc4_setkey(ctx, wepkey, 3 + keylength); 121 arc4_crypt(ctx, payload, payload, length); 122 123 /* calculate icv and compare the icv */ 124 *((u32 *)crc) = ~crc32_le(~0, payload, length - 4); 125 126 } 127 } 128 129 /* 3 =====TKIP related ===== */ 130 131 static u32 secmicgetuint32(u8 *p) 132 /* Convert from Byte[] to Us3232 in a portable way */ 133 { 134 s32 i; 135 u32 res = 0; 136 137 for (i = 0; i < 4; i++) 138 res |= ((u32)(*p++)) << (8 * i); 139 140 return res; 141 } 142 143 static void secmicputuint32(u8 *p, u32 val) 144 /* Convert from Us3232 to Byte[] in a portable way */ 145 { 146 long i; 147 148 for (i = 0; i < 4; i++) { 149 *p++ = (u8) (val & 0xff); 150 val >>= 8; 151 } 152 } 153 154 static void secmicclear(struct mic_data *pmicdata) 155 { 156 /* Reset the state to the empty message. */ 157 pmicdata->L = pmicdata->K0; 158 pmicdata->R = pmicdata->K1; 159 pmicdata->nBytesInM = 0; 160 pmicdata->M = 0; 161 } 162 163 void rtw_secmicsetkey(struct mic_data *pmicdata, u8 *key) 164 { 165 /* Set the key */ 166 pmicdata->K0 = secmicgetuint32(key); 167 pmicdata->K1 = secmicgetuint32(key + 4); 168 /* and reset the message */ 169 secmicclear(pmicdata); 170 } 171 172 void rtw_secmicappendbyte(struct mic_data *pmicdata, u8 b) 173 { 174 /* Append the byte to our word-sized buffer */ 175 pmicdata->M |= ((unsigned long)b) << (8 * pmicdata->nBytesInM); 176 pmicdata->nBytesInM++; 177 /* Process the word if it is full. */ 178 if (pmicdata->nBytesInM >= 4) { 179 pmicdata->L ^= pmicdata->M; 180 pmicdata->R ^= ROL32(pmicdata->L, 17); 181 pmicdata->L += pmicdata->R; 182 pmicdata->R ^= ((pmicdata->L & 0xff00ff00) >> 8) | ((pmicdata->L & 0x00ff00ff) << 8); 183 pmicdata->L += pmicdata->R; 184 pmicdata->R ^= ROL32(pmicdata->L, 3); 185 pmicdata->L += pmicdata->R; 186 pmicdata->R ^= ROR32(pmicdata->L, 2); 187 pmicdata->L += pmicdata->R; 188 /* Clear the buffer */ 189 pmicdata->M = 0; 190 pmicdata->nBytesInM = 0; 191 } 192 } 193 194 void rtw_secmicappend(struct mic_data *pmicdata, u8 *src, u32 nbytes) 195 { 196 /* This is simple */ 197 while (nbytes > 0) { 198 rtw_secmicappendbyte(pmicdata, *src++); 199 nbytes--; 200 } 201 } 202 203 void rtw_secgetmic(struct mic_data *pmicdata, u8 *dst) 204 { 205 /* Append the minimum padding */ 206 rtw_secmicappendbyte(pmicdata, 0x5a); 207 rtw_secmicappendbyte(pmicdata, 0); 208 rtw_secmicappendbyte(pmicdata, 0); 209 rtw_secmicappendbyte(pmicdata, 0); 210 rtw_secmicappendbyte(pmicdata, 0); 211 /* and then zeroes until the length is a multiple of 4 */ 212 while (pmicdata->nBytesInM != 0) 213 rtw_secmicappendbyte(pmicdata, 0); 214 /* The appendByte function has already computed the result. */ 215 secmicputuint32(dst, pmicdata->L); 216 secmicputuint32(dst + 4, pmicdata->R); 217 /* Reset to the empty message. */ 218 secmicclear(pmicdata); 219 } 220 221 222 void rtw_seccalctkipmic(u8 *key, u8 *header, u8 *data, u32 data_len, u8 *mic_code, u8 pri) 223 { 224 225 struct mic_data micdata; 226 u8 priority[4] = {0x0, 0x0, 0x0, 0x0}; 227 228 rtw_secmicsetkey(&micdata, key); 229 priority[0] = pri; 230 231 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 232 if (header[1] & 1) { /* ToDS == 1 */ 233 rtw_secmicappend(&micdata, &header[16], 6); /* DA */ 234 if (header[1] & 2) /* From Ds == 1 */ 235 rtw_secmicappend(&micdata, &header[24], 6); 236 else 237 rtw_secmicappend(&micdata, &header[10], 6); 238 } else { /* ToDS == 0 */ 239 rtw_secmicappend(&micdata, &header[4], 6); /* DA */ 240 if (header[1] & 2) /* From Ds == 1 */ 241 rtw_secmicappend(&micdata, &header[16], 6); 242 else 243 rtw_secmicappend(&micdata, &header[10], 6); 244 } 245 rtw_secmicappend(&micdata, &priority[0], 4); 246 247 248 rtw_secmicappend(&micdata, data, data_len); 249 250 rtw_secgetmic(&micdata, mic_code); 251 } 252 253 /* macros for extraction/creation of unsigned char/unsigned short values */ 254 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15)) 255 #define Lo8(v16) ((u8)((v16) & 0x00FF)) 256 #define Hi8(v16) ((u8)(((v16) >> 8) & 0x00FF)) 257 #define Lo16(v32) ((u16)((v32) & 0xFFFF)) 258 #define Hi16(v32) ((u16)(((v32) >> 16) & 0xFFFF)) 259 #define Mk16(hi, lo) ((lo) ^ (((u16)(hi)) << 8)) 260 261 /* select the Nth 16-bit word of the temporal key unsigned char array TK[] */ 262 #define TK16(N) Mk16(tk[2 * (N) + 1], tk[2 * (N)]) 263 264 /* S-box lookup: 16 bits --> 16 bits */ 265 #define _S_(v16) (Sbox1[0][Lo8(v16)] ^ Sbox1[1][Hi8(v16)]) 266 267 /* fixed algorithm "parameters" */ 268 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */ 269 270 /* 2-unsigned char by 2-unsigned char subset of the full AES S-box table */ 271 static const unsigned short Sbox1[2][256] = { /* Sbox for hash (can be in ROM) */ 272 { 273 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 274 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 275 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 276 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 277 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 278 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 279 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 280 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 281 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 282 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 283 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 284 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 285 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 286 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 287 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 288 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 289 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 290 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 291 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 292 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 293 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 294 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 295 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 296 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 297 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 298 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 299 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 300 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 301 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 302 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 303 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 304 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 305 }, 306 307 308 { /* second half of table is unsigned char-reversed version of first! */ 309 0xA5C6, 0x84F8, 0x99EE, 0x8DF6, 0x0DFF, 0xBDD6, 0xB1DE, 0x5491, 310 0x5060, 0x0302, 0xA9CE, 0x7D56, 0x19E7, 0x62B5, 0xE64D, 0x9AEC, 311 0x458F, 0x9D1F, 0x4089, 0x87FA, 0x15EF, 0xEBB2, 0xC98E, 0x0BFB, 312 0xEC41, 0x67B3, 0xFD5F, 0xEA45, 0xBF23, 0xF753, 0x96E4, 0x5B9B, 313 0xC275, 0x1CE1, 0xAE3D, 0x6A4C, 0x5A6C, 0x417E, 0x02F5, 0x4F83, 314 0x5C68, 0xF451, 0x34D1, 0x08F9, 0x93E2, 0x73AB, 0x5362, 0x3F2A, 315 0x0C08, 0x5295, 0x6546, 0x5E9D, 0x2830, 0xA137, 0x0F0A, 0xB52F, 316 0x090E, 0x3624, 0x9B1B, 0x3DDF, 0x26CD, 0x694E, 0xCD7F, 0x9FEA, 317 0x1B12, 0x9E1D, 0x7458, 0x2E34, 0x2D36, 0xB2DC, 0xEEB4, 0xFB5B, 318 0xF6A4, 0x4D76, 0x61B7, 0xCE7D, 0x7B52, 0x3EDD, 0x715E, 0x9713, 319 0xF5A6, 0x68B9, 0x0000, 0x2CC1, 0x6040, 0x1FE3, 0xC879, 0xEDB6, 320 0xBED4, 0x468D, 0xD967, 0x4B72, 0xDE94, 0xD498, 0xE8B0, 0x4A85, 321 0x6BBB, 0x2AC5, 0xE54F, 0x16ED, 0xC586, 0xD79A, 0x5566, 0x9411, 322 0xCF8A, 0x10E9, 0x0604, 0x81FE, 0xF0A0, 0x4478, 0xBA25, 0xE34B, 323 0xF3A2, 0xFE5D, 0xC080, 0x8A05, 0xAD3F, 0xBC21, 0x4870, 0x04F1, 324 0xDF63, 0xC177, 0x75AF, 0x6342, 0x3020, 0x1AE5, 0x0EFD, 0x6DBF, 325 0x4C81, 0x1418, 0x3526, 0x2FC3, 0xE1BE, 0xA235, 0xCC88, 0x392E, 326 0x5793, 0xF255, 0x82FC, 0x477A, 0xACC8, 0xE7BA, 0x2B32, 0x95E6, 327 0xA0C0, 0x9819, 0xD19E, 0x7FA3, 0x6644, 0x7E54, 0xAB3B, 0x830B, 328 0xCA8C, 0x29C7, 0xD36B, 0x3C28, 0x79A7, 0xE2BC, 0x1D16, 0x76AD, 329 0x3BDB, 0x5664, 0x4E74, 0x1E14, 0xDB92, 0x0A0C, 0x6C48, 0xE4B8, 330 0x5D9F, 0x6EBD, 0xEF43, 0xA6C4, 0xA839, 0xA431, 0x37D3, 0x8BF2, 331 0x32D5, 0x438B, 0x596E, 0xB7DA, 0x8C01, 0x64B1, 0xD29C, 0xE049, 332 0xB4D8, 0xFAAC, 0x07F3, 0x25CF, 0xAFCA, 0x8EF4, 0xE947, 0x1810, 333 0xD56F, 0x88F0, 0x6F4A, 0x725C, 0x2438, 0xF157, 0xC773, 0x5197, 334 0x23CB, 0x7CA1, 0x9CE8, 0x213E, 0xDD96, 0xDC61, 0x860D, 0x850F, 335 0x90E0, 0x427C, 0xC471, 0xAACC, 0xD890, 0x0506, 0x01F7, 0x121C, 336 0xA3C2, 0x5F6A, 0xF9AE, 0xD069, 0x9117, 0x5899, 0x273A, 0xB927, 337 0x38D9, 0x13EB, 0xB32B, 0x3322, 0xBBD2, 0x70A9, 0x8907, 0xA733, 338 0xB62D, 0x223C, 0x9215, 0x20C9, 0x4987, 0xFFAA, 0x7850, 0x7AA5, 339 0x8F03, 0xF859, 0x8009, 0x171A, 0xDA65, 0x31D7, 0xC684, 0xB8D0, 340 0xC382, 0xB029, 0x775A, 0x111E, 0xCB7B, 0xFCA8, 0xD66D, 0x3A2C, 341 } 342 }; 343 344 /* 345 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32 346 * 347 * Inputs: 348 * tk[] = temporal key [128 bits] 349 * ta[] = transmitter's MAC address [ 48 bits] 350 * iv32 = upper 32 bits of IV [ 32 bits] 351 * Output: 352 * p1k[] = Phase 1 key [ 80 bits] 353 * 354 * Note: 355 * This function only needs to be called every 2**16 packets, 356 * although in theory it could be called every packet. 357 */ 358 static void phase1(u16 *p1k, const u8 *tk, const u8 *ta, u32 iv32) 359 { 360 signed int i; 361 362 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */ 363 p1k[0] = Lo16(iv32); 364 p1k[1] = Hi16(iv32); 365 p1k[2] = Mk16(ta[1], ta[0]); /* use TA[] as little-endian */ 366 p1k[3] = Mk16(ta[3], ta[2]); 367 p1k[4] = Mk16(ta[5], ta[4]); 368 369 /* Now compute an unbalanced Feistel cipher with 80-bit block */ 370 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */ 371 for (i = 0; i < PHASE1_LOOP_CNT; i++) { 372 /* Each add operation here is mod 2**16 */ 373 p1k[0] += _S_(p1k[4] ^ TK16((i & 1) + 0)); 374 p1k[1] += _S_(p1k[0] ^ TK16((i & 1) + 2)); 375 p1k[2] += _S_(p1k[1] ^ TK16((i & 1) + 4)); 376 p1k[3] += _S_(p1k[2] ^ TK16((i & 1) + 6)); 377 p1k[4] += _S_(p1k[3] ^ TK16((i & 1) + 0)); 378 p1k[4] += (unsigned short)i; /* avoid "slide attacks" */ 379 } 380 } 381 382 383 /* 384 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16 385 * 386 * Inputs: 387 * tk[] = Temporal key [128 bits] 388 * p1k[] = Phase 1 output key [ 80 bits] 389 * iv16 = low 16 bits of IV counter [ 16 bits] 390 * Output: 391 * rc4key[] = the key used to encrypt the packet [128 bits] 392 * 393 * Note: 394 * The value {TA, IV32, IV16} for Phase1/Phase2 must be unique 395 * across all packets using the same key TK value. Then, for a 396 * given value of TK[], this TKIP48 construction guarantees that 397 * the final RC4KEY value is unique across all packets. 398 * 399 * Suggested implementation optimization: if PPK[] is "overlaid" 400 * appropriately on RC4KEY[], there is no need for the final 401 * for loop below that copies the PPK[] result into RC4KEY[]. 402 */ 403 static void phase2(u8 *rc4key, const u8 *tk, const u16 *p1k, u16 iv16) 404 { 405 signed int i; 406 u16 PPK[6]; /* temporary key for mixing */ 407 408 /* Note: all adds in the PPK[] equations below are mod 2**16 */ 409 for (i = 0; i < 5; i++) 410 PPK[i] = p1k[i]; /* first, copy P1K to PPK */ 411 412 PPK[5] = p1k[4] + iv16; /* next, add in IV16 */ 413 414 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */ 415 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */ 416 PPK[1] += _S_(PPK[0] ^ TK16(1)); 417 PPK[2] += _S_(PPK[1] ^ TK16(2)); 418 PPK[3] += _S_(PPK[2] ^ TK16(3)); 419 PPK[4] += _S_(PPK[3] ^ TK16(4)); 420 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */ 421 422 /* Final sweep: bijective, "linear". Rotates kill LSB correlations */ 423 PPK[0] += RotR1(PPK[5] ^ TK16(6)); 424 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */ 425 PPK[2] += RotR1(PPK[1]); 426 PPK[3] += RotR1(PPK[2]); 427 PPK[4] += RotR1(PPK[3]); 428 PPK[5] += RotR1(PPK[4]); 429 /* Note: At this point, for a given key TK[0..15], the 96-bit output */ 430 /* value PPK[0..5] is guaranteed to be unique, as a function */ 431 /* of the 96-bit "input" value {TA, IV32, IV16}. That is, P1K */ 432 /* is now a keyed permutation of {TA, IV32, IV16}. */ 433 434 /* Set RC4KEY[0..3], which includes "cleartext" portion of RC4 key */ 435 rc4key[0] = Hi8(iv16); /* RC4KEY[0..2] is the WEP IV */ 436 rc4key[1] = (Hi8(iv16) | 0x20) & 0x7F; /* Help avoid weak (FMS) keys */ 437 rc4key[2] = Lo8(iv16); 438 rc4key[3] = Lo8((PPK[5] ^ TK16(0)) >> 1); 439 440 441 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */ 442 for (i = 0; i < 6; i++) { 443 rc4key[4 + 2 * i] = Lo8(PPK[i]); 444 rc4key[5 + 2 * i] = Hi8(PPK[i]); 445 } 446 } 447 448 449 /* The hlen isn't include the IV */ 450 u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe) 451 { /* exclude ICV */ 452 u16 pnl; 453 u32 pnh; 454 u8 rc4key[16]; 455 u8 ttkey[16]; 456 union { 457 __le32 f0; 458 u8 f1[4]; 459 } crc; 460 u8 hw_hdr_offset = 0; 461 signed int curfragnum, length; 462 463 u8 *pframe, *payload, *iv, *prwskey; 464 union pn48 dot11txpn; 465 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib; 466 struct security_priv *psecuritypriv = &padapter->securitypriv; 467 struct xmit_priv *pxmitpriv = &padapter->xmitpriv; 468 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx; 469 u32 res = _SUCCESS; 470 471 if (!((struct xmit_frame *)pxmitframe)->buf_addr) 472 return _FAIL; 473 474 hw_hdr_offset = TXDESC_OFFSET; 475 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset; 476 477 /* 4 start to encrypt each fragment */ 478 if (pattrib->encrypt == _TKIP_) { 479 480 { 481 if (is_multicast_ether_addr(pattrib->ra)) 482 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey; 483 else 484 prwskey = pattrib->dot118021x_UncstKey.skey; 485 486 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) { 487 iv = pframe + pattrib->hdrlen; 488 payload = pframe + pattrib->iv_len + pattrib->hdrlen; 489 490 GET_TKIP_PN(iv, dot11txpn); 491 492 pnl = (u16)(dot11txpn.val); 493 pnh = (u32)(dot11txpn.val >> 16); 494 495 phase1((u16 *)&ttkey[0], prwskey, &pattrib->ta[0], pnh); 496 497 phase2(&rc4key[0], prwskey, (u16 *)&ttkey[0], pnl); 498 499 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */ 500 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 501 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length)); 502 503 arc4_setkey(ctx, rc4key, 16); 504 arc4_crypt(ctx, payload, payload, length); 505 arc4_crypt(ctx, payload + length, crc.f1, 4); 506 507 } else { 508 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 509 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length)); 510 511 arc4_setkey(ctx, rc4key, 16); 512 arc4_crypt(ctx, payload, payload, length); 513 arc4_crypt(ctx, payload + length, crc.f1, 4); 514 515 pframe += pxmitpriv->frag_len; 516 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4); 517 } 518 } 519 } 520 } 521 return res; 522 } 523 524 525 /* The hlen isn't include the IV */ 526 u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe) 527 { /* exclude ICV */ 528 u16 pnl; 529 u32 pnh; 530 u8 rc4key[16]; 531 u8 ttkey[16]; 532 u8 crc[4]; 533 signed int length; 534 535 u8 *pframe, *payload, *iv, *prwskey; 536 union pn48 dot11txpn; 537 struct sta_info *stainfo; 538 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib; 539 struct security_priv *psecuritypriv = &padapter->securitypriv; 540 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx; 541 u32 res = _SUCCESS; 542 543 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data; 544 545 /* 4 start to decrypt recvframe */ 546 if (prxattrib->encrypt == _TKIP_) { 547 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]); 548 if (stainfo) { 549 if (is_multicast_ether_addr(prxattrib->ra)) { 550 static unsigned long start; 551 static u32 no_gkey_bc_cnt; 552 static u32 no_gkey_mc_cnt; 553 554 if (!psecuritypriv->binstallGrpkey) { 555 res = _FAIL; 556 557 if (start == 0) 558 start = jiffies; 559 560 if (is_broadcast_mac_addr(prxattrib->ra)) 561 no_gkey_bc_cnt++; 562 else 563 no_gkey_mc_cnt++; 564 565 if (jiffies_to_msecs(jiffies - start) > 1000) { 566 if (no_gkey_bc_cnt || no_gkey_mc_cnt) { 567 netdev_dbg(padapter->pnetdev, 568 FUNC_ADPT_FMT " no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n", 569 FUNC_ADPT_ARG(padapter), 570 no_gkey_bc_cnt, 571 no_gkey_mc_cnt); 572 } 573 start = jiffies; 574 no_gkey_bc_cnt = 0; 575 no_gkey_mc_cnt = 0; 576 } 577 goto exit; 578 } 579 580 if (no_gkey_bc_cnt || no_gkey_mc_cnt) { 581 netdev_dbg(padapter->pnetdev, 582 FUNC_ADPT_FMT " gkey installed. no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n", 583 FUNC_ADPT_ARG(padapter), 584 no_gkey_bc_cnt, 585 no_gkey_mc_cnt); 586 } 587 start = 0; 588 no_gkey_bc_cnt = 0; 589 no_gkey_mc_cnt = 0; 590 591 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey; 592 } else { 593 prwskey = &stainfo->dot118021x_UncstKey.skey[0]; 594 } 595 596 iv = pframe + prxattrib->hdrlen; 597 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen; 598 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len; 599 600 GET_TKIP_PN(iv, dot11txpn); 601 602 pnl = (u16)(dot11txpn.val); 603 pnh = (u32)(dot11txpn.val >> 16); 604 605 phase1((u16 *)&ttkey[0], prwskey, &prxattrib->ta[0], pnh); 606 phase2(&rc4key[0], prwskey, (unsigned short *)&ttkey[0], pnl); 607 608 /* 4 decrypt payload include icv */ 609 610 arc4_setkey(ctx, rc4key, 16); 611 arc4_crypt(ctx, payload, payload, length); 612 613 *((u32 *)crc) = ~crc32_le(~0, payload, length - 4); 614 615 if (crc[3] != payload[length - 1] || crc[2] != payload[length - 2] || 616 crc[1] != payload[length - 3] || crc[0] != payload[length - 4]) 617 res = _FAIL; 618 } else { 619 res = _FAIL; 620 } 621 } 622 exit: 623 return res; 624 } 625 626 627 /* 3 =====AES related ===== */ 628 629 630 631 #define MAX_MSG_SIZE 2048 632 633 /****************************************/ 634 /* aes128k128d() */ 635 /* Performs a 128 bit AES encrypt with */ 636 /* 128 bit data. */ 637 /****************************************/ 638 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext) 639 { 640 struct aes_enckey aes; 641 642 aes_prepareenckey(&aes, key, 16); 643 aes_encrypt(&aes, ciphertext, data); 644 memzero_explicit(&aes, sizeof(aes)); 645 } 646 647 /************************************************/ 648 /* construct_mic_iv() */ 649 /* Builds the MIC IV from header fields and PN */ 650 /* Baron think the function is construct CCM */ 651 /* nonce */ 652 /************************************************/ 653 static void construct_mic_iv(u8 *mic_iv, 654 signed int qc_exists, 655 signed int a4_exists, 656 u8 *mpdu, 657 uint payload_length, 658 u8 *pn_vector, 659 uint frtype) /* add for CONFIG_IEEE80211W, none 11w also can use */ 660 { 661 signed int i; 662 663 mic_iv[0] = 0x59; 664 665 if (qc_exists && a4_exists) 666 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */ 667 668 if (qc_exists && !a4_exists) 669 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */ 670 671 if (!qc_exists) 672 mic_iv[1] = 0x00; 673 674 /* 802.11w management frame should set management bit(4) */ 675 if (frtype == WIFI_MGT_TYPE) 676 mic_iv[1] |= BIT(4); 677 678 for (i = 2; i < 8; i++) 679 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */ 680 #ifdef CONSISTENT_PN_ORDER 681 for (i = 8; i < 14; i++) 682 mic_iv[i] = pn_vector[i - 8]; /* mic_iv[8:13] = PN[0:5] */ 683 #else 684 for (i = 8; i < 14; i++) 685 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */ 686 #endif 687 mic_iv[14] = (unsigned char) (payload_length / 256); 688 mic_iv[15] = (unsigned char) (payload_length % 256); 689 } 690 691 /************************************************/ 692 /* construct_mic_header1() */ 693 /* Builds the first MIC header block from */ 694 /* header fields. */ 695 /* Build AAD SC, A1, A2 */ 696 /************************************************/ 697 static void construct_mic_header1(u8 *mic_header1, 698 signed int header_length, 699 u8 *mpdu, 700 uint frtype) /* for CONFIG_IEEE80211W, none 11w also can use */ 701 { 702 mic_header1[0] = (u8)((header_length - 2) / 256); 703 mic_header1[1] = (u8)((header_length - 2) % 256); 704 705 /* 802.11w management frame don't AND subtype bits 4, 5, 6 of frame control field */ 706 if (frtype == WIFI_MGT_TYPE) 707 mic_header1[2] = mpdu[0]; 708 else 709 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */ 710 711 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */ 712 mic_header1[4] = mpdu[4]; /* A1 */ 713 mic_header1[5] = mpdu[5]; 714 mic_header1[6] = mpdu[6]; 715 mic_header1[7] = mpdu[7]; 716 mic_header1[8] = mpdu[8]; 717 mic_header1[9] = mpdu[9]; 718 mic_header1[10] = mpdu[10]; /* A2 */ 719 mic_header1[11] = mpdu[11]; 720 mic_header1[12] = mpdu[12]; 721 mic_header1[13] = mpdu[13]; 722 mic_header1[14] = mpdu[14]; 723 mic_header1[15] = mpdu[15]; 724 } 725 726 /************************************************/ 727 /* construct_mic_header2() */ 728 /* Builds the last MIC header block from */ 729 /* header fields. */ 730 /************************************************/ 731 static void construct_mic_header2(u8 *mic_header2, 732 u8 *mpdu, 733 signed int a4_exists, 734 signed int qc_exists) 735 { 736 signed int i; 737 738 for (i = 0; i < 16; i++) 739 mic_header2[i] = 0x00; 740 741 mic_header2[0] = mpdu[16]; /* A3 */ 742 mic_header2[1] = mpdu[17]; 743 mic_header2[2] = mpdu[18]; 744 mic_header2[3] = mpdu[19]; 745 mic_header2[4] = mpdu[20]; 746 mic_header2[5] = mpdu[21]; 747 748 mic_header2[6] = 0x00; 749 mic_header2[7] = 0x00; /* mpdu[23]; */ 750 751 if (!qc_exists && a4_exists) { 752 for (i = 0; i < 6; i++) 753 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */ 754 } 755 756 if (qc_exists && !a4_exists) { 757 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */ 758 mic_header2[9] = mpdu[25] & 0x00; 759 } 760 761 if (qc_exists && a4_exists) { 762 for (i = 0; i < 6; i++) 763 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */ 764 765 mic_header2[14] = mpdu[30] & 0x0f; 766 mic_header2[15] = mpdu[31] & 0x00; 767 } 768 } 769 770 /************************************************/ 771 /* construct_mic_header2() */ 772 /* Builds the last MIC header block from */ 773 /* header fields. */ 774 /* Baron think the function is construct CCM */ 775 /* nonce */ 776 /************************************************/ 777 static void construct_ctr_preload(u8 *ctr_preload, 778 signed int a4_exists, 779 signed int qc_exists, 780 u8 *mpdu, 781 u8 *pn_vector, 782 signed int c, 783 uint frtype) /* for CONFIG_IEEE80211W, none 11w also can use */ 784 { 785 signed int i = 0; 786 787 for (i = 0; i < 16; i++) 788 ctr_preload[i] = 0x00; 789 i = 0; 790 791 ctr_preload[0] = 0x01; /* flag */ 792 if (qc_exists && a4_exists) 793 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */ 794 if (qc_exists && !a4_exists) 795 ctr_preload[1] = mpdu[24] & 0x0f; 796 797 /* 802.11w management frame should set management bit(4) */ 798 if (frtype == WIFI_MGT_TYPE) 799 ctr_preload[1] |= BIT(4); 800 801 for (i = 2; i < 8; i++) 802 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */ 803 #ifdef CONSISTENT_PN_ORDER 804 for (i = 8; i < 14; i++) 805 ctr_preload[i] = pn_vector[i - 8]; /* ctr_preload[8:13] = PN[0:5] */ 806 #else 807 for (i = 8; i < 14; i++) 808 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */ 809 #endif 810 ctr_preload[14] = (unsigned char) (c / 256); /* Ctr */ 811 ctr_preload[15] = (unsigned char) (c % 256); 812 } 813 814 static signed int aes_cipher(u8 *key, uint hdrlen, 815 u8 *pframe, uint plen) 816 { 817 uint qc_exists, a4_exists, i, j, payload_remainder, 818 num_blocks, payload_index; 819 820 u8 pn_vector[6]; 821 u8 mic_iv[16] = {}; 822 u8 mic_header1[16] = {}; 823 u8 mic_header2[16] = {}; 824 u8 ctr_preload[16] = {}; 825 826 /* Intermediate Buffers */ 827 u8 chain_buffer[16] = {}; 828 u8 aes_out[16] = {}; 829 u8 padded_buffer[16] = {}; 830 u8 mic[8]; 831 uint frtype = GetFrameType(pframe); 832 uint frsubtype = GetFrameSubType(pframe); 833 834 frsubtype = frsubtype >> 4; 835 836 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN)) 837 a4_exists = 0; 838 else 839 a4_exists = 1; 840 841 if (((frtype | frsubtype) == WIFI_DATA_CFACK) || 842 ((frtype | frsubtype) == WIFI_DATA_CFPOLL) || 843 ((frtype | frsubtype) == WIFI_DATA_CFACKPOLL)) { 844 qc_exists = 1; 845 if (hdrlen != WLAN_HDR_A3_QOS_LEN) 846 hdrlen += 2; 847 848 } else if ((frtype == WIFI_DATA) && /* add for CONFIG_IEEE80211W, none 11w also can use */ 849 ((frsubtype == 0x08) || 850 (frsubtype == 0x09) || 851 (frsubtype == 0x0a) || 852 (frsubtype == 0x0b))) { 853 if (hdrlen != WLAN_HDR_A3_QOS_LEN) 854 hdrlen += 2; 855 856 qc_exists = 1; 857 } else { 858 qc_exists = 0; 859 } 860 861 pn_vector[0] = pframe[hdrlen]; 862 pn_vector[1] = pframe[hdrlen + 1]; 863 pn_vector[2] = pframe[hdrlen + 4]; 864 pn_vector[3] = pframe[hdrlen + 5]; 865 pn_vector[4] = pframe[hdrlen + 6]; 866 pn_vector[5] = pframe[hdrlen + 7]; 867 868 construct_mic_iv(mic_iv, 869 qc_exists, 870 a4_exists, 871 pframe, /* message, */ 872 plen, 873 pn_vector, 874 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */ 875 876 construct_mic_header1(mic_header1, 877 hdrlen, 878 pframe, /* message */ 879 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */ 880 881 construct_mic_header2(mic_header2, 882 pframe, /* message, */ 883 a4_exists, 884 qc_exists); 885 886 payload_remainder = plen % 16; 887 num_blocks = plen / 16; 888 889 /* Find start of payload */ 890 payload_index = (hdrlen + 8); 891 892 /* Calculate MIC */ 893 aes128k128d(key, mic_iv, aes_out); 894 crypto_xor_cpy(chain_buffer, aes_out, mic_header1, 16); 895 aes128k128d(key, chain_buffer, aes_out); 896 crypto_xor_cpy(chain_buffer, aes_out, mic_header2, 16); 897 aes128k128d(key, chain_buffer, aes_out); 898 899 for (i = 0; i < num_blocks; i++) { 900 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16); 901 902 payload_index += 16; 903 aes128k128d(key, chain_buffer, aes_out); 904 } 905 906 /* Add on the final payload block if it needs padding */ 907 if (payload_remainder > 0) { 908 for (j = 0; j < 16; j++) 909 padded_buffer[j] = 0x00; 910 for (j = 0; j < payload_remainder; j++) 911 padded_buffer[j] = pframe[payload_index++]; 912 913 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 914 aes128k128d(key, chain_buffer, aes_out); 915 } 916 917 for (j = 0 ; j < 8; j++) 918 mic[j] = aes_out[j]; 919 920 /* Insert MIC into payload */ 921 for (j = 0; j < 8; j++) 922 pframe[payload_index + j] = mic[j]; 923 924 payload_index = hdrlen + 8; 925 for (i = 0; i < num_blocks; i++) { 926 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */ 927 pn_vector, i + 1, frtype); 928 /* add for CONFIG_IEEE80211W, none 11w also can use */ 929 aes128k128d(key, ctr_preload, aes_out); 930 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16); 931 for (j = 0; j < 16; j++) 932 pframe[payload_index++] = chain_buffer[j]; 933 } 934 935 if (payload_remainder > 0) { 936 /* If there is a short final block, then pad it,*/ 937 /* encrypt it and copy the unpadded part back */ 938 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */ 939 pn_vector, num_blocks + 1, frtype); 940 /* add for CONFIG_IEEE80211W, none 11w also can use */ 941 942 for (j = 0; j < 16; j++) 943 padded_buffer[j] = 0x00; 944 for (j = 0; j < payload_remainder; j++) 945 padded_buffer[j] = pframe[payload_index + j]; 946 947 aes128k128d(key, ctr_preload, aes_out); 948 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 949 for (j = 0; j < payload_remainder; j++) 950 pframe[payload_index++] = chain_buffer[j]; 951 } 952 953 /* Encrypt the MIC */ 954 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */ 955 pn_vector, 0, frtype); 956 /* add for CONFIG_IEEE80211W, none 11w also can use */ 957 958 for (j = 0; j < 16; j++) 959 padded_buffer[j] = 0x00; 960 for (j = 0; j < 8; j++) 961 padded_buffer[j] = pframe[j + hdrlen + 8 + plen]; 962 963 aes128k128d(key, ctr_preload, aes_out); 964 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 965 for (j = 0; j < 8; j++) 966 pframe[payload_index++] = chain_buffer[j]; 967 968 return _SUCCESS; 969 } 970 971 u32 rtw_aes_encrypt(struct adapter *padapter, u8 *pxmitframe) 972 { /* exclude ICV */ 973 974 /*static*/ 975 /* unsigned char message[MAX_MSG_SIZE]; */ 976 977 /* Intermediate Buffers */ 978 signed int curfragnum, length; 979 u8 *pframe, *prwskey; /* *payload,*iv */ 980 u8 hw_hdr_offset = 0; 981 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib; 982 struct security_priv *psecuritypriv = &padapter->securitypriv; 983 struct xmit_priv *pxmitpriv = &padapter->xmitpriv; 984 985 u32 res = _SUCCESS; 986 987 if (!((struct xmit_frame *)pxmitframe)->buf_addr) 988 return _FAIL; 989 990 hw_hdr_offset = TXDESC_OFFSET; 991 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset; 992 993 /* 4 start to encrypt each fragment */ 994 if (pattrib->encrypt == _AES_) { 995 if (is_multicast_ether_addr(pattrib->ra)) 996 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey; 997 else 998 prwskey = pattrib->dot118021x_UncstKey.skey; 999 1000 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) { 1001 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */ 1002 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 1003 1004 aes_cipher(prwskey, pattrib->hdrlen, pframe, length); 1005 } else { 1006 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len; 1007 1008 aes_cipher(prwskey, pattrib->hdrlen, pframe, length); 1009 pframe += pxmitpriv->frag_len; 1010 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4); 1011 } 1012 } 1013 } 1014 return res; 1015 } 1016 1017 static signed int aes_decipher(u8 *key, uint hdrlen, 1018 u8 *pframe, uint plen) 1019 { 1020 static u8 message[MAX_MSG_SIZE]; 1021 uint qc_exists, a4_exists, i, j, payload_remainder, 1022 num_blocks, payload_index; 1023 signed int res = _SUCCESS; 1024 u8 pn_vector[6]; 1025 u8 mic_iv[16] = {}; 1026 u8 mic_header1[16] = {}; 1027 u8 mic_header2[16] = {}; 1028 u8 ctr_preload[16] = {}; 1029 1030 /* Intermediate Buffers */ 1031 u8 chain_buffer[16] = {}; 1032 u8 aes_out[16] = {}; 1033 u8 padded_buffer[16] = {}; 1034 u8 mic[8]; 1035 1036 uint frtype = GetFrameType(pframe); 1037 uint frsubtype = GetFrameSubType(pframe); 1038 1039 frsubtype = frsubtype >> 4; 1040 1041 /* start to decrypt the payload */ 1042 1043 num_blocks = (plen - 8) / 16; /* plen including LLC, payload_length and mic) */ 1044 1045 payload_remainder = (plen - 8) % 16; 1046 1047 pn_vector[0] = pframe[hdrlen]; 1048 pn_vector[1] = pframe[hdrlen + 1]; 1049 pn_vector[2] = pframe[hdrlen + 4]; 1050 pn_vector[3] = pframe[hdrlen + 5]; 1051 pn_vector[4] = pframe[hdrlen + 6]; 1052 pn_vector[5] = pframe[hdrlen + 7]; 1053 1054 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN)) 1055 a4_exists = 0; 1056 else 1057 a4_exists = 1; 1058 1059 if (((frtype | frsubtype) == WIFI_DATA_CFACK) || 1060 ((frtype | frsubtype) == WIFI_DATA_CFPOLL) || 1061 ((frtype | frsubtype) == WIFI_DATA_CFACKPOLL)) { 1062 qc_exists = 1; 1063 if (hdrlen != WLAN_HDR_A3_QOS_LEN) 1064 hdrlen += 2; 1065 1066 } else if ((frtype == WIFI_DATA) && /* only for data packet . add for CONFIG_IEEE80211W, none 11w also can use */ 1067 ((frsubtype == 0x08) || 1068 (frsubtype == 0x09) || 1069 (frsubtype == 0x0a) || 1070 (frsubtype == 0x0b))) { 1071 if (hdrlen != WLAN_HDR_A3_QOS_LEN) 1072 hdrlen += 2; 1073 1074 qc_exists = 1; 1075 } else { 1076 qc_exists = 0; 1077 } 1078 1079 /* now, decrypt pframe with hdrlen offset and plen long */ 1080 1081 payload_index = hdrlen + 8; /* 8 is for extiv */ 1082 1083 for (i = 0; i < num_blocks; i++) { 1084 construct_ctr_preload(ctr_preload, a4_exists, 1085 qc_exists, pframe, 1086 pn_vector, i + 1, 1087 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */ 1088 1089 aes128k128d(key, ctr_preload, aes_out); 1090 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16); 1091 1092 for (j = 0; j < 16; j++) 1093 pframe[payload_index++] = chain_buffer[j]; 1094 } 1095 1096 if (payload_remainder > 0) { 1097 /* If there is a short final block, then pad it,*/ 1098 /* encrypt it and copy the unpadded part back */ 1099 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, 1100 num_blocks + 1, frtype); 1101 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1102 1103 for (j = 0; j < 16; j++) 1104 padded_buffer[j] = 0x00; 1105 for (j = 0; j < payload_remainder; j++) 1106 padded_buffer[j] = pframe[payload_index + j]; 1107 1108 aes128k128d(key, ctr_preload, aes_out); 1109 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 1110 for (j = 0; j < payload_remainder; j++) 1111 pframe[payload_index++] = chain_buffer[j]; 1112 } 1113 1114 /* start to calculate the mic */ 1115 if ((hdrlen + plen + 8) <= MAX_MSG_SIZE) 1116 memcpy((void *)message, pframe, (hdrlen + plen + 8)); /* 8 is for ext iv len */ 1117 1118 pn_vector[0] = pframe[hdrlen]; 1119 pn_vector[1] = pframe[hdrlen + 1]; 1120 pn_vector[2] = pframe[hdrlen + 4]; 1121 pn_vector[3] = pframe[hdrlen + 5]; 1122 pn_vector[4] = pframe[hdrlen + 6]; 1123 pn_vector[5] = pframe[hdrlen + 7]; 1124 1125 construct_mic_iv(mic_iv, qc_exists, a4_exists, message, plen - 8, pn_vector, frtype); 1126 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1127 1128 construct_mic_header1(mic_header1, hdrlen, message, frtype); 1129 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1130 construct_mic_header2(mic_header2, message, a4_exists, qc_exists); 1131 1132 payload_remainder = (plen - 8) % 16; 1133 num_blocks = (plen - 8) / 16; 1134 1135 /* Find start of payload */ 1136 payload_index = (hdrlen + 8); 1137 1138 /* Calculate MIC */ 1139 aes128k128d(key, mic_iv, aes_out); 1140 crypto_xor_cpy(chain_buffer, aes_out, mic_header1, 16); 1141 aes128k128d(key, chain_buffer, aes_out); 1142 crypto_xor_cpy(chain_buffer, aes_out, mic_header2, 16); 1143 aes128k128d(key, chain_buffer, aes_out); 1144 1145 for (i = 0; i < num_blocks; i++) { 1146 crypto_xor_cpy(chain_buffer, aes_out, &message[payload_index], 16); 1147 1148 payload_index += 16; 1149 aes128k128d(key, chain_buffer, aes_out); 1150 } 1151 1152 /* Add on the final payload block if it needs padding */ 1153 if (payload_remainder > 0) { 1154 for (j = 0; j < 16; j++) 1155 padded_buffer[j] = 0x00; 1156 for (j = 0; j < payload_remainder; j++) 1157 padded_buffer[j] = message[payload_index++]; 1158 1159 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 1160 aes128k128d(key, chain_buffer, aes_out); 1161 } 1162 1163 for (j = 0; j < 8; j++) 1164 mic[j] = aes_out[j]; 1165 1166 /* Insert MIC into payload */ 1167 for (j = 0; j < 8; j++) 1168 message[payload_index + j] = mic[j]; 1169 1170 payload_index = hdrlen + 8; 1171 for (i = 0; i < num_blocks; i++) { 1172 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, i + 1, 1173 frtype); 1174 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1175 aes128k128d(key, ctr_preload, aes_out); 1176 crypto_xor_cpy(chain_buffer, aes_out, &message[payload_index], 16); 1177 for (j = 0; j < 16; j++) 1178 message[payload_index++] = chain_buffer[j]; 1179 } 1180 1181 if (payload_remainder > 0) { 1182 /* If there is a short final block, then pad it,*/ 1183 /* encrypt it and copy the unpadded part back */ 1184 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, 1185 num_blocks + 1, frtype); 1186 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1187 1188 for (j = 0; j < 16; j++) 1189 padded_buffer[j] = 0x00; 1190 for (j = 0; j < payload_remainder; j++) 1191 padded_buffer[j] = message[payload_index + j]; 1192 1193 aes128k128d(key, ctr_preload, aes_out); 1194 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 1195 for (j = 0; j < payload_remainder; j++) 1196 message[payload_index++] = chain_buffer[j]; 1197 } 1198 1199 /* Encrypt the MIC */ 1200 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, 0, frtype); 1201 /* add for CONFIG_IEEE80211W, none 11w also can use */ 1202 1203 for (j = 0; j < 16; j++) 1204 padded_buffer[j] = 0x00; 1205 for (j = 0; j < 8; j++) 1206 padded_buffer[j] = message[j + hdrlen + 8 + plen - 8]; 1207 1208 aes128k128d(key, ctr_preload, aes_out); 1209 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16); 1210 for (j = 0; j < 8; j++) 1211 message[payload_index++] = chain_buffer[j]; 1212 1213 /* compare the mic */ 1214 for (i = 0; i < 8; i++) { 1215 if (pframe[hdrlen + 8 + plen - 8 + i] != message[hdrlen + 8 + plen - 8 + i]) 1216 res = _FAIL; 1217 } 1218 return res; 1219 } 1220 1221 u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) 1222 { /* exclude ICV */ 1223 1224 /*static*/ 1225 /* unsigned char message[MAX_MSG_SIZE]; */ 1226 1227 /* Intermediate Buffers */ 1228 1229 signed int length; 1230 u8 *pframe, *prwskey; /* *payload,*iv */ 1231 struct sta_info *stainfo; 1232 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib; 1233 struct security_priv *psecuritypriv = &padapter->securitypriv; 1234 u32 res = _SUCCESS; 1235 1236 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data; 1237 /* 4 start to encrypt each fragment */ 1238 if (prxattrib->encrypt == _AES_) { 1239 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]); 1240 if (stainfo) { 1241 if (is_multicast_ether_addr(prxattrib->ra)) { 1242 static unsigned long start; 1243 static u32 no_gkey_bc_cnt; 1244 static u32 no_gkey_mc_cnt; 1245 1246 if (!psecuritypriv->binstallGrpkey) { 1247 res = _FAIL; 1248 1249 if (start == 0) 1250 start = jiffies; 1251 1252 if (is_broadcast_mac_addr(prxattrib->ra)) 1253 no_gkey_bc_cnt++; 1254 else 1255 no_gkey_mc_cnt++; 1256 1257 if (jiffies_to_msecs(jiffies - start) > 1000) { 1258 if (no_gkey_bc_cnt || no_gkey_mc_cnt) { 1259 netdev_dbg(padapter->pnetdev, 1260 FUNC_ADPT_FMT " no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n", 1261 FUNC_ADPT_ARG(padapter), 1262 no_gkey_bc_cnt, 1263 no_gkey_mc_cnt); 1264 } 1265 start = jiffies; 1266 no_gkey_bc_cnt = 0; 1267 no_gkey_mc_cnt = 0; 1268 } 1269 1270 goto exit; 1271 } 1272 1273 if (no_gkey_bc_cnt || no_gkey_mc_cnt) { 1274 netdev_dbg(padapter->pnetdev, 1275 FUNC_ADPT_FMT " gkey installed. no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n", 1276 FUNC_ADPT_ARG(padapter), 1277 no_gkey_bc_cnt, 1278 no_gkey_mc_cnt); 1279 } 1280 start = 0; 1281 no_gkey_bc_cnt = 0; 1282 no_gkey_mc_cnt = 0; 1283 1284 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey; 1285 if (psecuritypriv->dot118021XGrpKeyid != prxattrib->key_index) { 1286 res = _FAIL; 1287 goto exit; 1288 } 1289 } else { 1290 prwskey = &stainfo->dot118021x_UncstKey.skey[0]; 1291 } 1292 1293 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len; 1294 1295 res = aes_decipher(prwskey, prxattrib->hdrlen, pframe, length); 1296 1297 } else { 1298 res = _FAIL; 1299 } 1300 } 1301 exit: 1302 return res; 1303 } 1304 1305 u32 rtw_BIP_verify(struct adapter *padapter, u8 *precvframe) 1306 { 1307 struct rx_pkt_attrib *pattrib = &((union recv_frame *)precvframe)->u.hdr.attrib; 1308 u8 *pframe; 1309 u8 *BIP_AAD, *p; 1310 u32 res = _FAIL; 1311 uint len, ori_len; 1312 struct ieee80211_hdr *pwlanhdr; 1313 u8 mic[16]; 1314 struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv; 1315 __le16 le_tmp; 1316 __le64 le_tmp64; 1317 1318 ori_len = pattrib->pkt_len - WLAN_HDR_A3_LEN + BIP_AAD_SIZE; 1319 BIP_AAD = rtw_zmalloc(ori_len); 1320 1321 if (!BIP_AAD) 1322 return _FAIL; 1323 1324 /* PKT start */ 1325 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data; 1326 /* mapping to wlan header */ 1327 pwlanhdr = (struct ieee80211_hdr *)pframe; 1328 /* save the frame body + MME */ 1329 memcpy(BIP_AAD + BIP_AAD_SIZE, pframe + WLAN_HDR_A3_LEN, pattrib->pkt_len - WLAN_HDR_A3_LEN); 1330 /* find MME IE pointer */ 1331 p = rtw_get_ie(BIP_AAD + BIP_AAD_SIZE, WLAN_EID_MMIE, &len, pattrib->pkt_len - WLAN_HDR_A3_LEN); 1332 /* Baron */ 1333 if (p) { 1334 u16 keyid = 0; 1335 u64 temp_ipn = 0; 1336 /* save packet number */ 1337 memcpy(&le_tmp64, p + 4, 6); 1338 temp_ipn = le64_to_cpu(le_tmp64); 1339 /* BIP packet number should bigger than previous BIP packet */ 1340 if (temp_ipn <= pmlmeext->mgnt_80211w_IPN_rx) 1341 goto BIP_exit; 1342 1343 /* copy key index */ 1344 memcpy(&le_tmp, p + 2, 2); 1345 keyid = le16_to_cpu(le_tmp); 1346 if (keyid != padapter->securitypriv.dot11wBIPKeyid) 1347 goto BIP_exit; 1348 1349 /* clear the MIC field of MME to zero */ 1350 memset(p + 2 + len - 8, 0, 8); 1351 1352 /* conscruct AAD, copy frame control field */ 1353 memcpy(BIP_AAD, &pwlanhdr->frame_control, 2); 1354 ClearRetry(BIP_AAD); 1355 ClearPwrMgt(BIP_AAD); 1356 ClearMData(BIP_AAD); 1357 /* conscruct AAD, copy address 1 to address 3 */ 1358 memcpy(BIP_AAD + 2, &pwlanhdr->addrs, sizeof(pwlanhdr->addrs)); 1359 1360 if (omac1_aes_128(padapter->securitypriv.dot11wBIPKey[padapter->securitypriv.dot11wBIPKeyid].skey 1361 , BIP_AAD, ori_len, mic)) 1362 goto BIP_exit; 1363 1364 /* MIC field should be last 8 bytes of packet (packet without FCS) */ 1365 if (!memcmp(mic, pframe+pattrib->pkt_len-8, 8)) { 1366 pmlmeext->mgnt_80211w_IPN_rx = temp_ipn; 1367 res = _SUCCESS; 1368 } else { 1369 } 1370 1371 } else { 1372 res = RTW_RX_HANDLED; 1373 } 1374 BIP_exit: 1375 1376 kfree(BIP_AAD); 1377 return res; 1378 } 1379 1380 static void gf_mulx(u8 *pad) 1381 { 1382 int i, carry; 1383 1384 carry = pad[0] & 0x80; 1385 for (i = 0; i < AES_BLOCK_SIZE - 1; i++) 1386 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7); 1387 1388 pad[AES_BLOCK_SIZE - 1] <<= 1; 1389 if (carry) 1390 pad[AES_BLOCK_SIZE - 1] ^= 0x87; 1391 } 1392 1393 /** 1394 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 1395 * @key: 128-bit key for the hash operation 1396 * @num_elem: Number of elements in the data vector 1397 * @addr: Pointers to the data areas 1398 * @len: Lengths of the data blocks 1399 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 1400 * Returns: 0 on success, -1 on failure 1401 * 1402 * This is a mode for using block cipher (AES in this case) for authentication. 1403 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 1404 * (SP) 800-38B. 1405 */ 1406 static int omac1_aes_128_vector(u8 *key, size_t num_elem, 1407 u8 *addr[], size_t *len, u8 *mac) 1408 { 1409 struct aes_enckey aes; 1410 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 1411 u8 *pos, *end; 1412 size_t i, e, left, total_len; 1413 int ret; 1414 1415 ret = aes_prepareenckey(&aes, key, 16); 1416 if (ret) 1417 return -1; 1418 memset(cbc, 0, AES_BLOCK_SIZE); 1419 1420 total_len = 0; 1421 for (e = 0; e < num_elem; e++) 1422 total_len += len[e]; 1423 left = total_len; 1424 1425 e = 0; 1426 pos = addr[0]; 1427 end = pos + len[0]; 1428 1429 while (left >= AES_BLOCK_SIZE) { 1430 for (i = 0; i < AES_BLOCK_SIZE; i++) { 1431 cbc[i] ^= *pos++; 1432 if (pos >= end) { 1433 e++; 1434 pos = addr[e]; 1435 end = pos + len[e]; 1436 } 1437 } 1438 if (left > AES_BLOCK_SIZE) 1439 aes_encrypt(&aes, cbc, cbc); 1440 left -= AES_BLOCK_SIZE; 1441 } 1442 1443 memset(pad, 0, AES_BLOCK_SIZE); 1444 aes_encrypt(&aes, pad, pad); 1445 gf_mulx(pad); 1446 1447 if (left || total_len == 0) { 1448 for (i = 0; i < left; i++) { 1449 cbc[i] ^= *pos++; 1450 if (pos >= end) { 1451 e++; 1452 pos = addr[e]; 1453 end = pos + len[e]; 1454 } 1455 } 1456 cbc[left] ^= 0x80; 1457 gf_mulx(pad); 1458 } 1459 1460 for (i = 0; i < AES_BLOCK_SIZE; i++) 1461 pad[i] ^= cbc[i]; 1462 aes_encrypt(&aes, pad, mac); 1463 memzero_explicit(&aes, sizeof(aes)); 1464 return 0; 1465 } 1466 1467 /** 1468 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) 1469 * @key: 128-bit key for the hash operation 1470 * @data: Data buffer for which a MAC is determined 1471 * @data_len: Length of data buffer in bytes 1472 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) 1473 * Returns: 0 on success, -1 on failure 1474 * 1475 * This is a mode for using block cipher (AES in this case) for authentication. 1476 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication 1477 * (SP) 800-38B. 1478 * modify for CONFIG_IEEE80211W 1479 */ 1480 int omac1_aes_128(u8 *key, u8 *data, size_t data_len, u8 *mac) 1481 { 1482 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 1483 } 1484 1485 /* Restore HW wep key setting according to key_mask */ 1486 void rtw_sec_restore_wep_key(struct adapter *adapter) 1487 { 1488 struct security_priv *securitypriv = &(adapter->securitypriv); 1489 signed int keyid; 1490 1491 if ((_WEP40_ == securitypriv->dot11PrivacyAlgrthm) || (_WEP104_ == securitypriv->dot11PrivacyAlgrthm)) { 1492 for (keyid = 0; keyid < 4; keyid++) { 1493 if (securitypriv->key_mask & BIT(keyid)) { 1494 if (keyid == securitypriv->dot11PrivacyKeyIndex) 1495 rtw_set_key(adapter, securitypriv, keyid, 1, false); 1496 else 1497 rtw_set_key(adapter, securitypriv, keyid, 0, false); 1498 } 1499 } 1500 } 1501 } 1502 1503 u8 rtw_handle_tkip_countermeasure(struct adapter *adapter, const char *caller) 1504 { 1505 struct security_priv *securitypriv = &(adapter->securitypriv); 1506 u8 status = _SUCCESS; 1507 1508 if (securitypriv->btkip_countermeasure) { 1509 unsigned long passing_ms = jiffies_to_msecs(jiffies - securitypriv->btkip_countermeasure_time); 1510 1511 if (passing_ms > 60 * 1000) { 1512 netdev_dbg(adapter->pnetdev, 1513 "%s(%s) countermeasure time:%lus > 60s\n", 1514 caller, ADPT_ARG(adapter), 1515 passing_ms / 1000); 1516 securitypriv->btkip_countermeasure = false; 1517 securitypriv->btkip_countermeasure_time = 0; 1518 } else { 1519 netdev_dbg(adapter->pnetdev, 1520 "%s(%s) countermeasure time:%lus < 60s\n", 1521 caller, ADPT_ARG(adapter), 1522 passing_ms / 1000); 1523 status = _FAIL; 1524 } 1525 } 1526 1527 return status; 1528 } 1529