xref: /freebsd/sys/net80211/ieee80211_crypto_tkip.c (revision 656f49f8e2b0656824a5f10aeb760a00fdd3753f)
1 /*-
2  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
28 
29 /*
30  * IEEE 802.11i TKIP crypto support.
31  *
32  * Part of this module is derived from similar code in the Host
33  * AP driver. The code is used with the consent of the author and
34  * it's license is included below.
35  */
36 #include "opt_wlan.h"
37 
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
45 
46 #include <sys/socket.h>
47 
48 #include <net/if.h>
49 #include <net/if_media.h>
50 #include <net/ethernet.h>
51 
52 #include <net80211/ieee80211_var.h>
53 
54 static	void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
55 static	void tkip_detach(struct ieee80211_key *);
56 static	int tkip_setkey(struct ieee80211_key *);
57 static	void tkip_setiv(struct ieee80211_key *, uint8_t *);
58 static	int tkip_encap(struct ieee80211_key *, struct mbuf *);
59 static	int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
60 static	int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
61 static	int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
62 
63 static const struct ieee80211_cipher tkip  = {
64 	.ic_name	= "TKIP",
65 	.ic_cipher	= IEEE80211_CIPHER_TKIP,
66 	.ic_header	= IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
67 			  IEEE80211_WEP_EXTIVLEN,
68 	.ic_trailer	= IEEE80211_WEP_CRCLEN,
69 	.ic_miclen	= IEEE80211_WEP_MICLEN,
70 	.ic_attach	= tkip_attach,
71 	.ic_detach	= tkip_detach,
72 	.ic_setkey	= tkip_setkey,
73 	.ic_setiv	= tkip_setiv,
74 	.ic_encap	= tkip_encap,
75 	.ic_decap	= tkip_decap,
76 	.ic_enmic	= tkip_enmic,
77 	.ic_demic	= tkip_demic,
78 };
79 
80 typedef	uint8_t u8;
81 typedef	uint16_t u16;
82 typedef	uint32_t __u32;
83 typedef	uint32_t u32;
84 
85 struct tkip_ctx {
86 	struct ieee80211vap *tc_vap;	/* for diagnostics+statistics */
87 
88 	u16	tx_ttak[5];
89 	u8	tx_rc4key[16];		/* XXX for test module; make locals? */
90 
91 	u16	rx_ttak[5];
92 	int	rx_phase1_done;
93 	u8	rx_rc4key[16];		/* XXX for test module; make locals? */
94 	uint64_t rx_rsc;		/* held until MIC verified */
95 };
96 
97 static	void michael_mic(struct tkip_ctx *, const u8 *key,
98 		struct mbuf *m, u_int off, size_t data_len,
99 		u8 mic[IEEE80211_WEP_MICLEN]);
100 static	int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
101 		struct mbuf *, int hdr_len);
102 static	int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
103 		struct mbuf *, int hdr_len);
104 
105 /* number of references from net80211 layer */
106 static	int nrefs = 0;
107 
108 static void *
109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
110 {
111 	struct tkip_ctx *ctx;
112 
113 	ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
114 		M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
115 	if (ctx == NULL) {
116 		vap->iv_stats.is_crypto_nomem++;
117 		return NULL;
118 	}
119 
120 	ctx->tc_vap = vap;
121 	nrefs++;			/* NB: we assume caller locking */
122 	return ctx;
123 }
124 
125 static void
126 tkip_detach(struct ieee80211_key *k)
127 {
128 	struct tkip_ctx *ctx = k->wk_private;
129 
130 	IEEE80211_FREE(ctx, M_80211_CRYPTO);
131 	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
132 	nrefs--;			/* NB: we assume caller locking */
133 }
134 
135 static int
136 tkip_setkey(struct ieee80211_key *k)
137 {
138 	struct tkip_ctx *ctx = k->wk_private;
139 
140 	if (k->wk_keylen != (128/NBBY)) {
141 		(void) ctx;		/* XXX */
142 		IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
143 			"%s: Invalid key length %u, expecting %u\n",
144 			__func__, k->wk_keylen, 128/NBBY);
145 		return 0;
146 	}
147 	ctx->rx_phase1_done = 0;
148 	return 1;
149 }
150 
151 static void
152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
153 {
154 	struct tkip_ctx *ctx = k->wk_private;
155 	struct ieee80211vap *vap = ctx->tc_vap;
156 	uint8_t keyid;
157 
158 	keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
159 
160 	k->wk_keytsc++;
161 	ivp[0] = k->wk_keytsc >> 8;		/* TSC1 */
162 	ivp[1] = (ivp[0] | 0x20) & 0x7f;	/* WEP seed */
163 	ivp[2] = k->wk_keytsc >> 0;		/* TSC0 */
164 	ivp[3] = keyid | IEEE80211_WEP_EXTIV;	/* KeyID | ExtID */
165 	ivp[4] = k->wk_keytsc >> 16;		/* TSC2 */
166 	ivp[5] = k->wk_keytsc >> 24;		/* TSC3 */
167 	ivp[6] = k->wk_keytsc >> 32;		/* TSC4 */
168 	ivp[7] = k->wk_keytsc >> 40;		/* TSC5 */
169 }
170 
171 /*
172  * Add privacy headers and do any s/w encryption required.
173  */
174 static int
175 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
176 {
177 	struct tkip_ctx *ctx = k->wk_private;
178 	struct ieee80211vap *vap = ctx->tc_vap;
179 	struct ieee80211com *ic = vap->iv_ic;
180 	uint8_t *ivp;
181 	int hdrlen;
182 
183 	/*
184 	 * Handle TKIP counter measures requirement.
185 	 */
186 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
187 #ifdef IEEE80211_DEBUG
188 		struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
189 #endif
190 
191 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
192 		    "discard frame due to countermeasures (%s)", __func__);
193 		vap->iv_stats.is_crypto_tkipcm++;
194 		return 0;
195 	}
196 	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
197 
198 	/*
199 	 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
200 	 */
201 	M_PREPEND(m, tkip.ic_header, M_NOWAIT);
202 	if (m == NULL)
203 		return 0;
204 	ivp = mtod(m, uint8_t *);
205 	memmove(ivp, ivp + tkip.ic_header, hdrlen);
206 	ivp += hdrlen;
207 
208 	tkip_setiv(k, ivp);
209 
210 	/*
211 	 * Finally, do software encrypt if needed.
212 	 */
213 	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
214 	    !tkip_encrypt(ctx, k, m, hdrlen))
215 		return 0;
216 
217 	return 1;
218 }
219 
220 /*
221  * Add MIC to the frame as needed.
222  */
223 static int
224 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
225 {
226 	struct tkip_ctx *ctx = k->wk_private;
227 
228 	if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
229 		struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
230 		struct ieee80211vap *vap = ctx->tc_vap;
231 		struct ieee80211com *ic = vap->iv_ic;
232 		int hdrlen;
233 		uint8_t mic[IEEE80211_WEP_MICLEN];
234 
235 		vap->iv_stats.is_crypto_tkipenmic++;
236 
237 		hdrlen = ieee80211_hdrspace(ic, wh);
238 
239 		michael_mic(ctx, k->wk_txmic,
240 			m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
241 		return m_append(m, tkip.ic_miclen, mic);
242 	}
243 	return 1;
244 }
245 
246 static __inline uint64_t
247 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
248 {
249 	uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
250 	uint16_t iv16 = (b4 << 0) | (b5 << 8);
251 	return (((uint64_t)iv16) << 32) | iv32;
252 }
253 
254 /*
255  * Validate and strip privacy headers (and trailer) for a
256  * received frame.  If necessary, decrypt the frame using
257  * the specified key.
258  */
259 static int
260 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
261 {
262 	struct tkip_ctx *ctx = k->wk_private;
263 	struct ieee80211vap *vap = ctx->tc_vap;
264 	struct ieee80211_frame *wh;
265 	uint8_t *ivp, tid;
266 
267 	/*
268 	 * Header should have extended IV and sequence number;
269 	 * verify the former and validate the latter.
270 	 */
271 	wh = mtod(m, struct ieee80211_frame *);
272 	ivp = mtod(m, uint8_t *) + hdrlen;
273 	if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
274 		/*
275 		 * No extended IV; discard frame.
276 		 */
277 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
278 		    "%s", "missing ExtIV for TKIP cipher");
279 		vap->iv_stats.is_rx_tkipformat++;
280 		return 0;
281 	}
282 	/*
283 	 * Handle TKIP counter measures requirement.
284 	 */
285 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
286 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
287 		    "discard frame due to countermeasures (%s)", __func__);
288 		vap->iv_stats.is_crypto_tkipcm++;
289 		return 0;
290 	}
291 
292 	tid = ieee80211_gettid(wh);
293 	ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
294 	if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
295 	    (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
296 		/*
297 		 * Replay violation; notify upper layer.
298 		 */
299 		ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
300 		vap->iv_stats.is_rx_tkipreplay++;
301 		return 0;
302 	}
303 	/*
304 	 * NB: We can't update the rsc in the key until MIC is verified.
305 	 *
306 	 * We assume we are not preempted between doing the check above
307 	 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
308 	 * Otherwise we might process another packet and discard it as
309 	 * a replay.
310 	 */
311 
312 	/*
313 	 * Check if the device handled the decrypt in hardware.
314 	 * If so we just strip the header; otherwise we need to
315 	 * handle the decrypt in software.
316 	 */
317 	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
318 	    !tkip_decrypt(ctx, k, m, hdrlen))
319 		return 0;
320 
321 	/*
322 	 * Copy up 802.11 header and strip crypto bits.
323 	 */
324 	memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen);
325 	m_adj(m, tkip.ic_header);
326 	m_adj(m, -tkip.ic_trailer);
327 
328 	return 1;
329 }
330 
331 /*
332  * Verify and strip MIC from the frame.
333  */
334 static int
335 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
336 {
337 	struct tkip_ctx *ctx = k->wk_private;
338 	struct ieee80211_frame *wh;
339 	uint8_t tid;
340 
341 	wh = mtod(m, struct ieee80211_frame *);
342 	if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
343 		struct ieee80211vap *vap = ctx->tc_vap;
344 		int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
345 		u8 mic[IEEE80211_WEP_MICLEN];
346 		u8 mic0[IEEE80211_WEP_MICLEN];
347 
348 		vap->iv_stats.is_crypto_tkipdemic++;
349 
350 		michael_mic(ctx, k->wk_rxmic,
351 			m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
352 			mic);
353 		m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
354 			tkip.ic_miclen, mic0);
355 		if (memcmp(mic, mic0, tkip.ic_miclen)) {
356 			/* NB: 802.11 layer handles statistic and debug msg */
357 			ieee80211_notify_michael_failure(vap, wh,
358 				k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
359 					k->wk_rxkeyix : k->wk_keyix);
360 			return 0;
361 		}
362 	}
363 	/*
364 	 * Strip MIC from the tail.
365 	 */
366 	m_adj(m, -tkip.ic_miclen);
367 
368 	/*
369 	 * Ok to update rsc now that MIC has been verified.
370 	 */
371 	tid = ieee80211_gettid(wh);
372 	k->wk_keyrsc[tid] = ctx->rx_rsc;
373 
374 	return 1;
375 }
376 
377 /*
378  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
379  *
380  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
381  *
382  * This program is free software; you can redistribute it and/or modify
383  * it under the terms of the GNU General Public License version 2 as
384  * published by the Free Software Foundation. See README and COPYING for
385  * more details.
386  *
387  * Alternatively, this software may be distributed under the terms of BSD
388  * license.
389  */
390 
391 static const __u32 crc32_table[256] = {
392 	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
393 	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
394 	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
395 	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
396 	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
397 	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
398 	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
399 	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
400 	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
401 	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
402 	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
403 	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
404 	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
405 	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
406 	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
407 	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
408 	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
409 	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
410 	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
411 	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
412 	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
413 	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
414 	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
415 	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
416 	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
417 	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
418 	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
419 	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
420 	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
421 	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
422 	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
423 	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
424 	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
425 	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
426 	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
427 	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
428 	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
429 	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
430 	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
431 	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
432 	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
433 	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
434 	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
435 	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
436 	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
437 	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
438 	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
439 	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
440 	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
441 	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
442 	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
443 	0x2d02ef8dL
444 };
445 
446 static __inline u16 RotR1(u16 val)
447 {
448 	return (val >> 1) | (val << 15);
449 }
450 
451 static __inline u8 Lo8(u16 val)
452 {
453 	return val & 0xff;
454 }
455 
456 static __inline u8 Hi8(u16 val)
457 {
458 	return val >> 8;
459 }
460 
461 static __inline u16 Lo16(u32 val)
462 {
463 	return val & 0xffff;
464 }
465 
466 static __inline u16 Hi16(u32 val)
467 {
468 	return val >> 16;
469 }
470 
471 static __inline u16 Mk16(u8 hi, u8 lo)
472 {
473 	return lo | (((u16) hi) << 8);
474 }
475 
476 static __inline u16 Mk16_le(const u16 *v)
477 {
478 	return le16toh(*v);
479 }
480 
481 static const u16 Sbox[256] = {
482 	0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
483 	0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
484 	0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
485 	0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
486 	0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
487 	0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
488 	0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
489 	0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
490 	0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
491 	0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
492 	0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
493 	0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
494 	0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
495 	0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
496 	0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
497 	0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
498 	0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
499 	0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
500 	0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
501 	0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
502 	0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
503 	0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
504 	0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
505 	0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
506 	0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
507 	0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
508 	0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
509 	0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
510 	0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
511 	0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
512 	0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
513 	0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
514 };
515 
516 static __inline u16 _S_(u16 v)
517 {
518 	u16 t = Sbox[Hi8(v)];
519 	return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
520 }
521 
522 #define PHASE1_LOOP_COUNT 8
523 
524 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
525 {
526 	int i, j;
527 
528 	/* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
529 	TTAK[0] = Lo16(IV32);
530 	TTAK[1] = Hi16(IV32);
531 	TTAK[2] = Mk16(TA[1], TA[0]);
532 	TTAK[3] = Mk16(TA[3], TA[2]);
533 	TTAK[4] = Mk16(TA[5], TA[4]);
534 
535 	for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
536 		j = 2 * (i & 1);
537 		TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
538 		TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
539 		TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
540 		TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
541 		TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
542 	}
543 }
544 
545 #ifndef _BYTE_ORDER
546 #error "Don't know native byte order"
547 #endif
548 
549 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
550 			       u16 IV16)
551 {
552 	/* Make temporary area overlap WEP seed so that the final copy can be
553 	 * avoided on little endian hosts. */
554 	u16 *PPK = (u16 *) &WEPSeed[4];
555 
556 	/* Step 1 - make copy of TTAK and bring in TSC */
557 	PPK[0] = TTAK[0];
558 	PPK[1] = TTAK[1];
559 	PPK[2] = TTAK[2];
560 	PPK[3] = TTAK[3];
561 	PPK[4] = TTAK[4];
562 	PPK[5] = TTAK[4] + IV16;
563 
564 	/* Step 2 - 96-bit bijective mixing using S-box */
565 	PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
566 	PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
567 	PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
568 	PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
569 	PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
570 	PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
571 
572 	PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
573 	PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
574 	PPK[2] += RotR1(PPK[1]);
575 	PPK[3] += RotR1(PPK[2]);
576 	PPK[4] += RotR1(PPK[3]);
577 	PPK[5] += RotR1(PPK[4]);
578 
579 	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
580 	 * WEPSeed[0..2] is transmitted as WEP IV */
581 	WEPSeed[0] = Hi8(IV16);
582 	WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
583 	WEPSeed[2] = Lo8(IV16);
584 	WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
585 
586 #if _BYTE_ORDER == _BIG_ENDIAN
587 	{
588 		int i;
589 		for (i = 0; i < 6; i++)
590 			PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
591 	}
592 #endif
593 }
594 
595 static void
596 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
597 	uint8_t icv[IEEE80211_WEP_CRCLEN])
598 {
599 	u32 i, j, k, crc;
600 	size_t buflen;
601 	u8 S[256];
602 	u8 *pos;
603 	struct mbuf *m;
604 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
605 
606 	/* Setup RC4 state */
607 	for (i = 0; i < 256; i++)
608 		S[i] = i;
609 	j = 0;
610 	for (i = 0; i < 256; i++) {
611 		j = (j + S[i] + key[i & 0x0f]) & 0xff;
612 		S_SWAP(i, j);
613 	}
614 
615 	/* Compute CRC32 over unencrypted data and apply RC4 to data */
616 	crc = ~0;
617 	i = j = 0;
618 	m = m0;
619 	pos = mtod(m, uint8_t *) + off;
620 	buflen = m->m_len - off;
621 	for (;;) {
622 		if (buflen > data_len)
623 			buflen = data_len;
624 		data_len -= buflen;
625 		for (k = 0; k < buflen; k++) {
626 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
627 			i = (i + 1) & 0xff;
628 			j = (j + S[i]) & 0xff;
629 			S_SWAP(i, j);
630 			*pos++ ^= S[(S[i] + S[j]) & 0xff];
631 		}
632 		m = m->m_next;
633 		if (m == NULL) {
634 			KASSERT(data_len == 0,
635 			    ("out of buffers with data_len %zu\n", data_len));
636 			break;
637 		}
638 		pos = mtod(m, uint8_t *);
639 		buflen = m->m_len;
640 	}
641 	crc = ~crc;
642 
643 	/* Append little-endian CRC32 and encrypt it to produce ICV */
644 	icv[0] = crc;
645 	icv[1] = crc >> 8;
646 	icv[2] = crc >> 16;
647 	icv[3] = crc >> 24;
648 	for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
649 		i = (i + 1) & 0xff;
650 		j = (j + S[i]) & 0xff;
651 		S_SWAP(i, j);
652 		icv[k] ^= S[(S[i] + S[j]) & 0xff];
653 	}
654 }
655 
656 static int
657 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
658 {
659 	u32 i, j, k, crc;
660 	u8 S[256];
661 	u8 *pos, icv[4];
662 	size_t buflen;
663 
664 	/* Setup RC4 state */
665 	for (i = 0; i < 256; i++)
666 		S[i] = i;
667 	j = 0;
668 	for (i = 0; i < 256; i++) {
669 		j = (j + S[i] + key[i & 0x0f]) & 0xff;
670 		S_SWAP(i, j);
671 	}
672 
673 	/* Apply RC4 to data and compute CRC32 over decrypted data */
674 	crc = ~0;
675 	i = j = 0;
676 	pos = mtod(m, uint8_t *) + off;
677 	buflen = m->m_len - off;
678 	for (;;) {
679 		if (buflen > data_len)
680 			buflen = data_len;
681 		data_len -= buflen;
682 		for (k = 0; k < buflen; k++) {
683 			i = (i + 1) & 0xff;
684 			j = (j + S[i]) & 0xff;
685 			S_SWAP(i, j);
686 			*pos ^= S[(S[i] + S[j]) & 0xff];
687 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
688 			pos++;
689 		}
690 		m = m->m_next;
691 		if (m == NULL) {
692 			KASSERT(data_len == 0,
693 			    ("out of buffers with data_len %zu\n", data_len));
694 			break;
695 		}
696 		pos = mtod(m, uint8_t *);
697 		buflen = m->m_len;
698 	}
699 	crc = ~crc;
700 
701 	/* Encrypt little-endian CRC32 and verify that it matches with the
702 	 * received ICV */
703 	icv[0] = crc;
704 	icv[1] = crc >> 8;
705 	icv[2] = crc >> 16;
706 	icv[3] = crc >> 24;
707 	for (k = 0; k < 4; k++) {
708 		i = (i + 1) & 0xff;
709 		j = (j + S[i]) & 0xff;
710 		S_SWAP(i, j);
711 		if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
712 			/* ICV mismatch - drop frame */
713 			return -1;
714 		}
715 	}
716 
717 	return 0;
718 }
719 
720 
721 static __inline u32 rotl(u32 val, int bits)
722 {
723 	return (val << bits) | (val >> (32 - bits));
724 }
725 
726 
727 static __inline u32 rotr(u32 val, int bits)
728 {
729 	return (val >> bits) | (val << (32 - bits));
730 }
731 
732 
733 static __inline u32 xswap(u32 val)
734 {
735 	return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
736 }
737 
738 
739 #define michael_block(l, r)	\
740 do {				\
741 	r ^= rotl(l, 17);	\
742 	l += r;			\
743 	r ^= xswap(l);		\
744 	l += r;			\
745 	r ^= rotl(l, 3);	\
746 	l += r;			\
747 	r ^= rotr(l, 2);	\
748 	l += r;			\
749 } while (0)
750 
751 
752 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
753 {
754 	return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
755 }
756 
757 static __inline u32 get_le32(const u8 *p)
758 {
759 	return get_le32_split(p[0], p[1], p[2], p[3]);
760 }
761 
762 
763 static __inline void put_le32(u8 *p, u32 v)
764 {
765 	p[0] = v;
766 	p[1] = v >> 8;
767 	p[2] = v >> 16;
768 	p[3] = v >> 24;
769 }
770 
771 /*
772  * Craft pseudo header used to calculate the MIC.
773  */
774 static void
775 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
776 {
777 	const struct ieee80211_frame_addr4 *wh =
778 		(const struct ieee80211_frame_addr4 *) wh0;
779 
780 	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
781 	case IEEE80211_FC1_DIR_NODS:
782 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
783 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
784 		break;
785 	case IEEE80211_FC1_DIR_TODS:
786 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
787 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
788 		break;
789 	case IEEE80211_FC1_DIR_FROMDS:
790 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
791 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
792 		break;
793 	case IEEE80211_FC1_DIR_DSTODS:
794 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
795 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
796 		break;
797 	}
798 
799 	if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
800 		const struct ieee80211_qosframe *qwh =
801 			(const struct ieee80211_qosframe *) wh;
802 		hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
803 	} else
804 		hdr[12] = 0;
805 	hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
806 }
807 
808 static void
809 michael_mic(struct tkip_ctx *ctx, const u8 *key,
810 	struct mbuf *m, u_int off, size_t data_len,
811 	u8 mic[IEEE80211_WEP_MICLEN])
812 {
813 	uint8_t hdr[16];
814 	u32 l, r;
815 	const uint8_t *data;
816 	u_int space;
817 
818 	michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
819 
820 	l = get_le32(key);
821 	r = get_le32(key + 4);
822 
823 	/* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
824 	l ^= get_le32(hdr);
825 	michael_block(l, r);
826 	l ^= get_le32(&hdr[4]);
827 	michael_block(l, r);
828 	l ^= get_le32(&hdr[8]);
829 	michael_block(l, r);
830 	l ^= get_le32(&hdr[12]);
831 	michael_block(l, r);
832 
833 	/* first buffer has special handling */
834 	data = mtod(m, const uint8_t *) + off;
835 	space = m->m_len - off;
836 	for (;;) {
837 		if (space > data_len)
838 			space = data_len;
839 		/* collect 32-bit blocks from current buffer */
840 		while (space >= sizeof(uint32_t)) {
841 			l ^= get_le32(data);
842 			michael_block(l, r);
843 			data += sizeof(uint32_t), space -= sizeof(uint32_t);
844 			data_len -= sizeof(uint32_t);
845 		}
846 		/*
847 		 * NB: when space is zero we make one more trip around
848 		 * the loop to advance to the next mbuf where there is
849 		 * data.  This handles the case where there are 4*n
850 		 * bytes in an mbuf followed by <4 bytes in a later mbuf.
851 		 * By making an extra trip we'll drop out of the loop
852 		 * with m pointing at the mbuf with 3 bytes and space
853 		 * set as required by the remainder handling below.
854 		 */
855 		if (data_len == 0 ||
856 		    (data_len < sizeof(uint32_t) && space != 0))
857 			break;
858 		m = m->m_next;
859 		if (m == NULL) {
860 			KASSERT(0, ("out of data, data_len %zu\n", data_len));
861 			break;
862 		}
863 		if (space != 0) {
864 			const uint8_t *data_next;
865 			/*
866 			 * Block straddles buffers, split references.
867 			 */
868 			data_next = mtod(m, const uint8_t *);
869 			KASSERT(m->m_len >= sizeof(uint32_t) - space,
870 				("not enough data in following buffer, "
871 				"m_len %u need %zu\n", m->m_len,
872 				sizeof(uint32_t) - space));
873 			switch (space) {
874 			case 1:
875 				l ^= get_le32_split(data[0], data_next[0],
876 					data_next[1], data_next[2]);
877 				data = data_next + 3;
878 				space = m->m_len - 3;
879 				break;
880 			case 2:
881 				l ^= get_le32_split(data[0], data[1],
882 					data_next[0], data_next[1]);
883 				data = data_next + 2;
884 				space = m->m_len - 2;
885 				break;
886 			case 3:
887 				l ^= get_le32_split(data[0], data[1],
888 					data[2], data_next[0]);
889 				data = data_next + 1;
890 				space = m->m_len - 1;
891 				break;
892 			}
893 			michael_block(l, r);
894 			data_len -= sizeof(uint32_t);
895 		} else {
896 			/*
897 			 * Setup for next buffer.
898 			 */
899 			data = mtod(m, const uint8_t *);
900 			space = m->m_len;
901 		}
902 	}
903 	/*
904 	 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
905 	 * mbuf[2 bytes].  I don't believe these should happen; if they
906 	 * do then we'll need more involved logic.
907 	 */
908 	KASSERT(data_len <= space,
909 	    ("not enough data, data_len %zu space %u\n", data_len, space));
910 
911 	/* Last block and padding (0x5a, 4..7 x 0) */
912 	switch (data_len) {
913 	case 0:
914 		l ^= get_le32_split(0x5a, 0, 0, 0);
915 		break;
916 	case 1:
917 		l ^= get_le32_split(data[0], 0x5a, 0, 0);
918 		break;
919 	case 2:
920 		l ^= get_le32_split(data[0], data[1], 0x5a, 0);
921 		break;
922 	case 3:
923 		l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
924 		break;
925 	}
926 	michael_block(l, r);
927 	/* l ^= 0; */
928 	michael_block(l, r);
929 
930 	put_le32(mic, l);
931 	put_le32(mic + 4, r);
932 }
933 
934 static int
935 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
936 	struct mbuf *m, int hdrlen)
937 {
938 	struct ieee80211_frame *wh;
939 	uint8_t icv[IEEE80211_WEP_CRCLEN];
940 
941 	ctx->tc_vap->iv_stats.is_crypto_tkip++;
942 
943 	wh = mtod(m, struct ieee80211_frame *);
944 	if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
945 		tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
946 				   (u32)(key->wk_keytsc >> 16));
947 	}
948 	tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
949 		(u16) key->wk_keytsc);
950 
951 	wep_encrypt(ctx->tx_rc4key,
952 		m, hdrlen + tkip.ic_header,
953 		m->m_pkthdr.len - (hdrlen + tkip.ic_header),
954 		icv);
955 	(void) m_append(m, IEEE80211_WEP_CRCLEN, icv);	/* XXX check return */
956 
957 	return 1;
958 }
959 
960 static int
961 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
962 	struct mbuf *m, int hdrlen)
963 {
964 	struct ieee80211_frame *wh;
965 	struct ieee80211vap *vap = ctx->tc_vap;
966 	u32 iv32;
967 	u16 iv16;
968 	u8 tid;
969 
970 	vap->iv_stats.is_crypto_tkip++;
971 
972 	wh = mtod(m, struct ieee80211_frame *);
973 	/* NB: tkip_decap already verified header and left seq in rx_rsc */
974 	iv16 = (u16) ctx->rx_rsc;
975 	iv32 = (u32) (ctx->rx_rsc >> 16);
976 
977 	tid = ieee80211_gettid(wh);
978 	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
979 		tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
980 			wh->i_addr2, iv32);
981 		ctx->rx_phase1_done = 1;
982 	}
983 	tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
984 
985 	/* NB: m is unstripped; deduct headers + ICV to get payload */
986 	if (wep_decrypt(ctx->rx_rc4key,
987 		m, hdrlen + tkip.ic_header,
988 	        m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
989 		if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
990 			/* Previously cached Phase1 result was already lost, so
991 			 * it needs to be recalculated for the next packet. */
992 			ctx->rx_phase1_done = 0;
993 		}
994 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
995 		    "%s", "TKIP ICV mismatch on decrypt");
996 		vap->iv_stats.is_rx_tkipicv++;
997 		return 0;
998 	}
999 	return 1;
1000 }
1001 
1002 /*
1003  * Module glue.
1004  */
1005 IEEE80211_CRYPTO_MODULE(tkip, 1);
1006