xref: /freebsd/sys/net80211/ieee80211_crypto_tkip.c (revision 9ff086544d5f85b58349e28ed36a9811b8fe5cf9)
1 /*-
2  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
28 
29 /*
30  * IEEE 802.11i TKIP crypto support.
31  *
32  * Part of this module is derived from similar code in the Host
33  * AP driver. The code is used with the consent of the author and
34  * it's license is included below.
35  */
36 #include "opt_wlan.h"
37 
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
45 
46 #include <sys/socket.h>
47 
48 #include <net/if.h>
49 #include <net/if_media.h>
50 #include <net/ethernet.h>
51 
52 #include <net80211/ieee80211_var.h>
53 
54 static	void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *);
55 static	void tkip_detach(struct ieee80211_key *);
56 static	int tkip_setkey(struct ieee80211_key *);
57 static	void tkip_setiv(struct ieee80211_key *, uint8_t *);
58 static	int tkip_encap(struct ieee80211_key *, struct mbuf *);
59 static	int tkip_enmic(struct ieee80211_key *, struct mbuf *, int);
60 static	int tkip_decap(struct ieee80211_key *, struct mbuf *, int);
61 static	int tkip_demic(struct ieee80211_key *, struct mbuf *, int);
62 
63 static const struct ieee80211_cipher tkip  = {
64 	.ic_name	= "TKIP",
65 	.ic_cipher	= IEEE80211_CIPHER_TKIP,
66 	.ic_header	= IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
67 			  IEEE80211_WEP_EXTIVLEN,
68 	.ic_trailer	= IEEE80211_WEP_CRCLEN,
69 	.ic_miclen	= IEEE80211_WEP_MICLEN,
70 	.ic_attach	= tkip_attach,
71 	.ic_detach	= tkip_detach,
72 	.ic_setkey	= tkip_setkey,
73 	.ic_setiv	= tkip_setiv,
74 	.ic_encap	= tkip_encap,
75 	.ic_decap	= tkip_decap,
76 	.ic_enmic	= tkip_enmic,
77 	.ic_demic	= tkip_demic,
78 };
79 
80 typedef	uint8_t u8;
81 typedef	uint16_t u16;
82 typedef	uint32_t __u32;
83 typedef	uint32_t u32;
84 
85 struct tkip_ctx {
86 	struct ieee80211vap *tc_vap;	/* for diagnostics+statistics */
87 
88 	u16	tx_ttak[5];
89 	u8	tx_rc4key[16];		/* XXX for test module; make locals? */
90 
91 	u16	rx_ttak[5];
92 	int	rx_phase1_done;
93 	u8	rx_rc4key[16];		/* XXX for test module; make locals? */
94 	uint64_t rx_rsc;		/* held until MIC verified */
95 };
96 
97 static	void michael_mic(struct tkip_ctx *, const u8 *key,
98 		struct mbuf *m, u_int off, size_t data_len,
99 		u8 mic[IEEE80211_WEP_MICLEN]);
100 static	int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
101 		struct mbuf *, int hdr_len);
102 static	int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
103 		struct mbuf *, int hdr_len);
104 
105 /* number of references from net80211 layer */
106 static	int nrefs = 0;
107 
108 static void *
109 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
110 {
111 	struct tkip_ctx *ctx;
112 
113 	ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
114 		M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
115 	if (ctx == NULL) {
116 		vap->iv_stats.is_crypto_nomem++;
117 		return NULL;
118 	}
119 
120 	ctx->tc_vap = vap;
121 	nrefs++;			/* NB: we assume caller locking */
122 	return ctx;
123 }
124 
125 static void
126 tkip_detach(struct ieee80211_key *k)
127 {
128 	struct tkip_ctx *ctx = k->wk_private;
129 
130 	IEEE80211_FREE(ctx, M_80211_CRYPTO);
131 	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
132 	nrefs--;			/* NB: we assume caller locking */
133 }
134 
135 static int
136 tkip_setkey(struct ieee80211_key *k)
137 {
138 	struct tkip_ctx *ctx = k->wk_private;
139 
140 	if (k->wk_keylen != (128/NBBY)) {
141 		(void) ctx;		/* XXX */
142 		IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
143 			"%s: Invalid key length %u, expecting %u\n",
144 			__func__, k->wk_keylen, 128/NBBY);
145 		return 0;
146 	}
147 	ctx->rx_phase1_done = 0;
148 	return 1;
149 }
150 
151 static void
152 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp)
153 {
154 	struct tkip_ctx *ctx = k->wk_private;
155 	struct ieee80211vap *vap = ctx->tc_vap;
156 	uint8_t keyid;
157 
158 	keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
159 
160 	k->wk_keytsc++;
161 	ivp[0] = k->wk_keytsc >> 8;		/* TSC1 */
162 	ivp[1] = (ivp[0] | 0x20) & 0x7f;	/* WEP seed */
163 	ivp[2] = k->wk_keytsc >> 0;		/* TSC0 */
164 	ivp[3] = keyid | IEEE80211_WEP_EXTIV;	/* KeyID | ExtID */
165 	ivp[4] = k->wk_keytsc >> 16;		/* TSC2 */
166 	ivp[5] = k->wk_keytsc >> 24;		/* TSC3 */
167 	ivp[6] = k->wk_keytsc >> 32;		/* TSC4 */
168 	ivp[7] = k->wk_keytsc >> 40;		/* TSC5 */
169 }
170 
171 /*
172  * Add privacy headers and do any s/w encryption required.
173  */
174 static int
175 tkip_encap(struct ieee80211_key *k, struct mbuf *m)
176 {
177 	struct tkip_ctx *ctx = k->wk_private;
178 	struct ieee80211vap *vap = ctx->tc_vap;
179 	struct ieee80211com *ic = vap->iv_ic;
180 	struct ieee80211_frame *wh;
181 	uint8_t *ivp;
182 	int hdrlen;
183 	int is_mgmt;
184 
185 	wh = mtod(m, struct ieee80211_frame *);
186 	is_mgmt = IEEE80211_IS_MGMT(wh);
187 
188 	/*
189 	 * Handle TKIP counter measures requirement.
190 	 */
191 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
192 #ifdef IEEE80211_DEBUG
193 		struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
194 #endif
195 
196 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
197 		    "discard frame due to countermeasures (%s)", __func__);
198 		vap->iv_stats.is_crypto_tkipcm++;
199 		return 0;
200 	}
201 
202 	/*
203 	 * Check to see whether IV needs to be included.
204 	 */
205 	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
206 		return 1;
207 	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
208 		return 1;
209 
210 
211 	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
212 
213 	/*
214 	 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
215 	 */
216 	M_PREPEND(m, tkip.ic_header, M_NOWAIT);
217 	if (m == NULL)
218 		return 0;
219 	ivp = mtod(m, uint8_t *);
220 	memmove(ivp, ivp + tkip.ic_header, hdrlen);
221 	ivp += hdrlen;
222 
223 	tkip_setiv(k, ivp);
224 
225 	/*
226 	 * Finally, do software encrypt if needed.
227 	 */
228 	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
229 	    !tkip_encrypt(ctx, k, m, hdrlen))
230 		return 0;
231 
232 	return 1;
233 }
234 
235 /*
236  * Add MIC to the frame as needed.
237  */
238 static int
239 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
240 {
241 	struct tkip_ctx *ctx = k->wk_private;
242 	struct ieee80211_frame *wh;
243 	int is_mgmt;
244 
245 	wh = mtod(m, struct ieee80211_frame *);
246 	is_mgmt = IEEE80211_IS_MGMT(wh);
247 
248 	/*
249 	 * Check to see whether MIC needs to be included.
250 	 */
251 	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT))
252 		return 1;
253 	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC))
254 		return 1;
255 
256 	if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
257 		struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
258 		struct ieee80211vap *vap = ctx->tc_vap;
259 		struct ieee80211com *ic = vap->iv_ic;
260 		int hdrlen;
261 		uint8_t mic[IEEE80211_WEP_MICLEN];
262 
263 		vap->iv_stats.is_crypto_tkipenmic++;
264 
265 		hdrlen = ieee80211_hdrspace(ic, wh);
266 
267 		michael_mic(ctx, k->wk_txmic,
268 			m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
269 		return m_append(m, tkip.ic_miclen, mic);
270 	}
271 	return 1;
272 }
273 
274 static __inline uint64_t
275 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
276 {
277 	uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
278 	uint16_t iv16 = (b4 << 0) | (b5 << 8);
279 	return (((uint64_t)iv16) << 32) | iv32;
280 }
281 
282 /*
283  * Validate and strip privacy headers (and trailer) for a
284  * received frame.  If necessary, decrypt the frame using
285  * the specified key.
286  */
287 static int
288 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
289 {
290 	const struct ieee80211_rx_stats *rxs;
291 	struct tkip_ctx *ctx = k->wk_private;
292 	struct ieee80211vap *vap = ctx->tc_vap;
293 	struct ieee80211_frame *wh;
294 	uint8_t *ivp, tid;
295 
296 	rxs = ieee80211_get_rx_params_ptr(m);
297 
298 	/*
299 	 * If IV has been stripped, we skip most of the below.
300 	 */
301 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
302 		goto finish;
303 
304 	/*
305 	 * Header should have extended IV and sequence number;
306 	 * verify the former and validate the latter.
307 	 */
308 	wh = mtod(m, struct ieee80211_frame *);
309 	ivp = mtod(m, uint8_t *) + hdrlen;
310 	if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
311 		/*
312 		 * No extended IV; discard frame.
313 		 */
314 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
315 		    "%s", "missing ExtIV for TKIP cipher");
316 		vap->iv_stats.is_rx_tkipformat++;
317 		return 0;
318 	}
319 	/*
320 	 * Handle TKIP counter measures requirement.
321 	 */
322 	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
323 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
324 		    "discard frame due to countermeasures (%s)", __func__);
325 		vap->iv_stats.is_crypto_tkipcm++;
326 		return 0;
327 	}
328 
329 	tid = ieee80211_gettid(wh);
330 	ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
331 	if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
332 	    (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
333 		/*
334 		 * Replay violation; notify upper layer.
335 		 */
336 		ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
337 		vap->iv_stats.is_rx_tkipreplay++;
338 		return 0;
339 	}
340 	/*
341 	 * NB: We can't update the rsc in the key until MIC is verified.
342 	 *
343 	 * We assume we are not preempted between doing the check above
344 	 * and updating wk_keyrsc when stripping the MIC in tkip_demic.
345 	 * Otherwise we might process another packet and discard it as
346 	 * a replay.
347 	 */
348 
349 	/*
350 	 * Check if the device handled the decrypt in hardware.
351 	 * If so we just strip the header; otherwise we need to
352 	 * handle the decrypt in software.
353 	 */
354 	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
355 	    !tkip_decrypt(ctx, k, m, hdrlen))
356 		return 0;
357 
358 finish:
359 
360 	/*
361 	 * Copy up 802.11 header and strip crypto bits - but only if we
362 	 * are required to.
363 	 */
364 	if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
365 		memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *),
366 		    hdrlen);
367 		m_adj(m, tkip.ic_header);
368 	}
369 
370 	/*
371 	 * XXX TODO: do we need an option to potentially not strip the
372 	 * WEP trailer?  Does "MMIC_STRIP" also mean this? Or?
373 	 */
374 	m_adj(m, -tkip.ic_trailer);
375 
376 	return 1;
377 }
378 
379 /*
380  * Verify and strip MIC from the frame.
381  */
382 static int
383 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force)
384 {
385 	const struct ieee80211_rx_stats *rxs;
386 	struct tkip_ctx *ctx = k->wk_private;
387 	struct ieee80211_frame *wh;
388 	uint8_t tid;
389 
390 	wh = mtod(m, struct ieee80211_frame *);
391 	rxs = ieee80211_get_rx_params_ptr(m);
392 
393 	/*
394 	 * If we are told about a MIC failure from the driver,
395 	 * directly notify as a michael failure to the upper
396 	 * layers.
397 	 */
398 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) {
399 		struct ieee80211vap *vap = ctx->tc_vap;
400 		ieee80211_notify_michael_failure(vap, wh,
401 		    k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
402 		    k->wk_rxkeyix : k->wk_keyix);
403 		return 0;
404 	}
405 
406 	/*
407 	 * If IV has been stripped, we skip most of the below.
408 	 */
409 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))
410 		goto finish;
411 
412 	if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) {
413 		struct ieee80211vap *vap = ctx->tc_vap;
414 		int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
415 		u8 mic[IEEE80211_WEP_MICLEN];
416 		u8 mic0[IEEE80211_WEP_MICLEN];
417 
418 		vap->iv_stats.is_crypto_tkipdemic++;
419 
420 		michael_mic(ctx, k->wk_rxmic,
421 			m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
422 			mic);
423 		m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
424 			tkip.ic_miclen, mic0);
425 		if (memcmp(mic, mic0, tkip.ic_miclen)) {
426 			/* NB: 802.11 layer handles statistic and debug msg */
427 			ieee80211_notify_michael_failure(vap, wh,
428 				k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
429 					k->wk_rxkeyix : k->wk_keyix);
430 			return 0;
431 		}
432 	}
433 	/*
434 	 * Strip MIC from the tail.
435 	 */
436 	m_adj(m, -tkip.ic_miclen);
437 
438 	/*
439 	 * Ok to update rsc now that MIC has been verified.
440 	 */
441 	tid = ieee80211_gettid(wh);
442 	k->wk_keyrsc[tid] = ctx->rx_rsc;
443 
444 finish:
445 	return 1;
446 }
447 
448 /*
449  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
450  *
451  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
452  *
453  * This program is free software; you can redistribute it and/or modify
454  * it under the terms of the GNU General Public License version 2 as
455  * published by the Free Software Foundation. See README and COPYING for
456  * more details.
457  *
458  * Alternatively, this software may be distributed under the terms of BSD
459  * license.
460  */
461 
462 static const __u32 crc32_table[256] = {
463 	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
464 	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
465 	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
466 	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
467 	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
468 	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
469 	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
470 	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
471 	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
472 	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
473 	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
474 	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
475 	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
476 	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
477 	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
478 	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
479 	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
480 	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
481 	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
482 	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
483 	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
484 	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
485 	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
486 	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
487 	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
488 	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
489 	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
490 	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
491 	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
492 	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
493 	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
494 	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
495 	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
496 	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
497 	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
498 	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
499 	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
500 	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
501 	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
502 	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
503 	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
504 	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
505 	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
506 	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
507 	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
508 	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
509 	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
510 	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
511 	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
512 	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
513 	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
514 	0x2d02ef8dL
515 };
516 
517 static __inline u16 RotR1(u16 val)
518 {
519 	return (val >> 1) | (val << 15);
520 }
521 
522 static __inline u8 Lo8(u16 val)
523 {
524 	return val & 0xff;
525 }
526 
527 static __inline u8 Hi8(u16 val)
528 {
529 	return val >> 8;
530 }
531 
532 static __inline u16 Lo16(u32 val)
533 {
534 	return val & 0xffff;
535 }
536 
537 static __inline u16 Hi16(u32 val)
538 {
539 	return val >> 16;
540 }
541 
542 static __inline u16 Mk16(u8 hi, u8 lo)
543 {
544 	return lo | (((u16) hi) << 8);
545 }
546 
547 static __inline u16 Mk16_le(const u16 *v)
548 {
549 	return le16toh(*v);
550 }
551 
552 static const u16 Sbox[256] = {
553 	0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
554 	0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
555 	0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
556 	0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
557 	0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
558 	0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
559 	0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
560 	0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
561 	0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
562 	0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
563 	0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
564 	0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
565 	0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
566 	0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
567 	0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
568 	0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
569 	0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
570 	0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
571 	0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
572 	0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
573 	0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
574 	0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
575 	0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
576 	0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
577 	0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
578 	0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
579 	0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
580 	0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
581 	0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
582 	0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
583 	0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
584 	0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
585 };
586 
587 static __inline u16 _S_(u16 v)
588 {
589 	u16 t = Sbox[Hi8(v)];
590 	return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
591 }
592 
593 #define PHASE1_LOOP_COUNT 8
594 
595 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32)
596 {
597 	int i, j;
598 
599 	/* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
600 	TTAK[0] = Lo16(IV32);
601 	TTAK[1] = Hi16(IV32);
602 	TTAK[2] = Mk16(TA[1], TA[0]);
603 	TTAK[3] = Mk16(TA[3], TA[2]);
604 	TTAK[4] = Mk16(TA[5], TA[4]);
605 
606 	for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
607 		j = 2 * (i & 1);
608 		TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
609 		TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
610 		TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
611 		TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
612 		TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
613 	}
614 }
615 
616 #ifndef _BYTE_ORDER
617 #error "Don't know native byte order"
618 #endif
619 
620 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
621 			       u16 IV16)
622 {
623 	/* Make temporary area overlap WEP seed so that the final copy can be
624 	 * avoided on little endian hosts. */
625 	u16 *PPK = (u16 *) &WEPSeed[4];
626 
627 	/* Step 1 - make copy of TTAK and bring in TSC */
628 	PPK[0] = TTAK[0];
629 	PPK[1] = TTAK[1];
630 	PPK[2] = TTAK[2];
631 	PPK[3] = TTAK[3];
632 	PPK[4] = TTAK[4];
633 	PPK[5] = TTAK[4] + IV16;
634 
635 	/* Step 2 - 96-bit bijective mixing using S-box */
636 	PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
637 	PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
638 	PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
639 	PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
640 	PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
641 	PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
642 
643 	PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
644 	PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
645 	PPK[2] += RotR1(PPK[1]);
646 	PPK[3] += RotR1(PPK[2]);
647 	PPK[4] += RotR1(PPK[3]);
648 	PPK[5] += RotR1(PPK[4]);
649 
650 	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
651 	 * WEPSeed[0..2] is transmitted as WEP IV */
652 	WEPSeed[0] = Hi8(IV16);
653 	WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
654 	WEPSeed[2] = Lo8(IV16);
655 	WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
656 
657 #if _BYTE_ORDER == _BIG_ENDIAN
658 	{
659 		int i;
660 		for (i = 0; i < 6; i++)
661 			PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
662 	}
663 #endif
664 }
665 
666 static void
667 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len,
668 	uint8_t icv[IEEE80211_WEP_CRCLEN])
669 {
670 	u32 i, j, k, crc;
671 	size_t buflen;
672 	u8 S[256];
673 	u8 *pos;
674 	struct mbuf *m;
675 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
676 
677 	/* Setup RC4 state */
678 	for (i = 0; i < 256; i++)
679 		S[i] = i;
680 	j = 0;
681 	for (i = 0; i < 256; i++) {
682 		j = (j + S[i] + key[i & 0x0f]) & 0xff;
683 		S_SWAP(i, j);
684 	}
685 
686 	/* Compute CRC32 over unencrypted data and apply RC4 to data */
687 	crc = ~0;
688 	i = j = 0;
689 	m = m0;
690 	pos = mtod(m, uint8_t *) + off;
691 	buflen = m->m_len - off;
692 	for (;;) {
693 		if (buflen > data_len)
694 			buflen = data_len;
695 		data_len -= buflen;
696 		for (k = 0; k < buflen; k++) {
697 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
698 			i = (i + 1) & 0xff;
699 			j = (j + S[i]) & 0xff;
700 			S_SWAP(i, j);
701 			*pos++ ^= S[(S[i] + S[j]) & 0xff];
702 		}
703 		m = m->m_next;
704 		if (m == NULL) {
705 			KASSERT(data_len == 0,
706 			    ("out of buffers with data_len %zu\n", data_len));
707 			break;
708 		}
709 		pos = mtod(m, uint8_t *);
710 		buflen = m->m_len;
711 	}
712 	crc = ~crc;
713 
714 	/* Append little-endian CRC32 and encrypt it to produce ICV */
715 	icv[0] = crc;
716 	icv[1] = crc >> 8;
717 	icv[2] = crc >> 16;
718 	icv[3] = crc >> 24;
719 	for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
720 		i = (i + 1) & 0xff;
721 		j = (j + S[i]) & 0xff;
722 		S_SWAP(i, j);
723 		icv[k] ^= S[(S[i] + S[j]) & 0xff];
724 	}
725 }
726 
727 static int
728 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len)
729 {
730 	u32 i, j, k, crc;
731 	u8 S[256];
732 	u8 *pos, icv[4];
733 	size_t buflen;
734 
735 	/* Setup RC4 state */
736 	for (i = 0; i < 256; i++)
737 		S[i] = i;
738 	j = 0;
739 	for (i = 0; i < 256; i++) {
740 		j = (j + S[i] + key[i & 0x0f]) & 0xff;
741 		S_SWAP(i, j);
742 	}
743 
744 	/* Apply RC4 to data and compute CRC32 over decrypted data */
745 	crc = ~0;
746 	i = j = 0;
747 	pos = mtod(m, uint8_t *) + off;
748 	buflen = m->m_len - off;
749 	for (;;) {
750 		if (buflen > data_len)
751 			buflen = data_len;
752 		data_len -= buflen;
753 		for (k = 0; k < buflen; k++) {
754 			i = (i + 1) & 0xff;
755 			j = (j + S[i]) & 0xff;
756 			S_SWAP(i, j);
757 			*pos ^= S[(S[i] + S[j]) & 0xff];
758 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
759 			pos++;
760 		}
761 		m = m->m_next;
762 		if (m == NULL) {
763 			KASSERT(data_len == 0,
764 			    ("out of buffers with data_len %zu\n", data_len));
765 			break;
766 		}
767 		pos = mtod(m, uint8_t *);
768 		buflen = m->m_len;
769 	}
770 	crc = ~crc;
771 
772 	/* Encrypt little-endian CRC32 and verify that it matches with the
773 	 * received ICV */
774 	icv[0] = crc;
775 	icv[1] = crc >> 8;
776 	icv[2] = crc >> 16;
777 	icv[3] = crc >> 24;
778 	for (k = 0; k < 4; k++) {
779 		i = (i + 1) & 0xff;
780 		j = (j + S[i]) & 0xff;
781 		S_SWAP(i, j);
782 		if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
783 			/* ICV mismatch - drop frame */
784 			return -1;
785 		}
786 	}
787 
788 	return 0;
789 }
790 
791 
792 static __inline u32 rotl(u32 val, int bits)
793 {
794 	return (val << bits) | (val >> (32 - bits));
795 }
796 
797 
798 static __inline u32 rotr(u32 val, int bits)
799 {
800 	return (val >> bits) | (val << (32 - bits));
801 }
802 
803 
804 static __inline u32 xswap(u32 val)
805 {
806 	return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8);
807 }
808 
809 
810 #define michael_block(l, r)	\
811 do {				\
812 	r ^= rotl(l, 17);	\
813 	l += r;			\
814 	r ^= xswap(l);		\
815 	l += r;			\
816 	r ^= rotl(l, 3);	\
817 	l += r;			\
818 	r ^= rotr(l, 2);	\
819 	l += r;			\
820 } while (0)
821 
822 
823 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
824 {
825 	return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24);
826 }
827 
828 static __inline u32 get_le32(const u8 *p)
829 {
830 	return get_le32_split(p[0], p[1], p[2], p[3]);
831 }
832 
833 
834 static __inline void put_le32(u8 *p, u32 v)
835 {
836 	p[0] = v;
837 	p[1] = v >> 8;
838 	p[2] = v >> 16;
839 	p[3] = v >> 24;
840 }
841 
842 /*
843  * Craft pseudo header used to calculate the MIC.
844  */
845 static void
846 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
847 {
848 	const struct ieee80211_frame_addr4 *wh =
849 		(const struct ieee80211_frame_addr4 *) wh0;
850 
851 	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
852 	case IEEE80211_FC1_DIR_NODS:
853 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
854 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
855 		break;
856 	case IEEE80211_FC1_DIR_TODS:
857 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
858 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
859 		break;
860 	case IEEE80211_FC1_DIR_FROMDS:
861 		IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
862 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
863 		break;
864 	case IEEE80211_FC1_DIR_DSTODS:
865 		IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
866 		IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
867 		break;
868 	}
869 
870 	if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
871 		const struct ieee80211_qosframe *qwh =
872 			(const struct ieee80211_qosframe *) wh;
873 		hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
874 	} else
875 		hdr[12] = 0;
876 	hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
877 }
878 
879 static void
880 michael_mic(struct tkip_ctx *ctx, const u8 *key,
881 	struct mbuf *m, u_int off, size_t data_len,
882 	u8 mic[IEEE80211_WEP_MICLEN])
883 {
884 	uint8_t hdr[16];
885 	u32 l, r;
886 	const uint8_t *data;
887 	u_int space;
888 
889 	michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
890 
891 	l = get_le32(key);
892 	r = get_le32(key + 4);
893 
894 	/* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
895 	l ^= get_le32(hdr);
896 	michael_block(l, r);
897 	l ^= get_le32(&hdr[4]);
898 	michael_block(l, r);
899 	l ^= get_le32(&hdr[8]);
900 	michael_block(l, r);
901 	l ^= get_le32(&hdr[12]);
902 	michael_block(l, r);
903 
904 	/* first buffer has special handling */
905 	data = mtod(m, const uint8_t *) + off;
906 	space = m->m_len - off;
907 	for (;;) {
908 		if (space > data_len)
909 			space = data_len;
910 		/* collect 32-bit blocks from current buffer */
911 		while (space >= sizeof(uint32_t)) {
912 			l ^= get_le32(data);
913 			michael_block(l, r);
914 			data += sizeof(uint32_t), space -= sizeof(uint32_t);
915 			data_len -= sizeof(uint32_t);
916 		}
917 		/*
918 		 * NB: when space is zero we make one more trip around
919 		 * the loop to advance to the next mbuf where there is
920 		 * data.  This handles the case where there are 4*n
921 		 * bytes in an mbuf followed by <4 bytes in a later mbuf.
922 		 * By making an extra trip we'll drop out of the loop
923 		 * with m pointing at the mbuf with 3 bytes and space
924 		 * set as required by the remainder handling below.
925 		 */
926 		if (data_len == 0 ||
927 		    (data_len < sizeof(uint32_t) && space != 0))
928 			break;
929 		m = m->m_next;
930 		if (m == NULL) {
931 			KASSERT(0, ("out of data, data_len %zu\n", data_len));
932 			break;
933 		}
934 		if (space != 0) {
935 			const uint8_t *data_next;
936 			/*
937 			 * Block straddles buffers, split references.
938 			 */
939 			data_next = mtod(m, const uint8_t *);
940 			KASSERT(m->m_len >= sizeof(uint32_t) - space,
941 				("not enough data in following buffer, "
942 				"m_len %u need %zu\n", m->m_len,
943 				sizeof(uint32_t) - space));
944 			switch (space) {
945 			case 1:
946 				l ^= get_le32_split(data[0], data_next[0],
947 					data_next[1], data_next[2]);
948 				data = data_next + 3;
949 				space = m->m_len - 3;
950 				break;
951 			case 2:
952 				l ^= get_le32_split(data[0], data[1],
953 					data_next[0], data_next[1]);
954 				data = data_next + 2;
955 				space = m->m_len - 2;
956 				break;
957 			case 3:
958 				l ^= get_le32_split(data[0], data[1],
959 					data[2], data_next[0]);
960 				data = data_next + 1;
961 				space = m->m_len - 1;
962 				break;
963 			}
964 			michael_block(l, r);
965 			data_len -= sizeof(uint32_t);
966 		} else {
967 			/*
968 			 * Setup for next buffer.
969 			 */
970 			data = mtod(m, const uint8_t *);
971 			space = m->m_len;
972 		}
973 	}
974 	/*
975 	 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
976 	 * mbuf[2 bytes].  I don't believe these should happen; if they
977 	 * do then we'll need more involved logic.
978 	 */
979 	KASSERT(data_len <= space,
980 	    ("not enough data, data_len %zu space %u\n", data_len, space));
981 
982 	/* Last block and padding (0x5a, 4..7 x 0) */
983 	switch (data_len) {
984 	case 0:
985 		l ^= get_le32_split(0x5a, 0, 0, 0);
986 		break;
987 	case 1:
988 		l ^= get_le32_split(data[0], 0x5a, 0, 0);
989 		break;
990 	case 2:
991 		l ^= get_le32_split(data[0], data[1], 0x5a, 0);
992 		break;
993 	case 3:
994 		l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
995 		break;
996 	}
997 	michael_block(l, r);
998 	/* l ^= 0; */
999 	michael_block(l, r);
1000 
1001 	put_le32(mic, l);
1002 	put_le32(mic + 4, r);
1003 }
1004 
1005 static int
1006 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1007 	struct mbuf *m, int hdrlen)
1008 {
1009 	struct ieee80211_frame *wh;
1010 	uint8_t icv[IEEE80211_WEP_CRCLEN];
1011 
1012 	ctx->tc_vap->iv_stats.is_crypto_tkip++;
1013 
1014 	wh = mtod(m, struct ieee80211_frame *);
1015 	if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) {
1016 		tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
1017 				   (u32)(key->wk_keytsc >> 16));
1018 	}
1019 	tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
1020 		(u16) key->wk_keytsc);
1021 
1022 	wep_encrypt(ctx->tx_rc4key,
1023 		m, hdrlen + tkip.ic_header,
1024 		m->m_pkthdr.len - (hdrlen + tkip.ic_header),
1025 		icv);
1026 	(void) m_append(m, IEEE80211_WEP_CRCLEN, icv);	/* XXX check return */
1027 
1028 	return 1;
1029 }
1030 
1031 static int
1032 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
1033 	struct mbuf *m, int hdrlen)
1034 {
1035 	struct ieee80211_frame *wh;
1036 	struct ieee80211vap *vap = ctx->tc_vap;
1037 	u32 iv32;
1038 	u16 iv16;
1039 	u8 tid;
1040 
1041 	vap->iv_stats.is_crypto_tkip++;
1042 
1043 	wh = mtod(m, struct ieee80211_frame *);
1044 	/* NB: tkip_decap already verified header and left seq in rx_rsc */
1045 	iv16 = (u16) ctx->rx_rsc;
1046 	iv32 = (u32) (ctx->rx_rsc >> 16);
1047 
1048 	tid = ieee80211_gettid(wh);
1049 	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) {
1050 		tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
1051 			wh->i_addr2, iv32);
1052 		ctx->rx_phase1_done = 1;
1053 	}
1054 	tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
1055 
1056 	/* NB: m is unstripped; deduct headers + ICV to get payload */
1057 	if (wep_decrypt(ctx->rx_rc4key,
1058 		m, hdrlen + tkip.ic_header,
1059 	        m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
1060 		if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
1061 			/* Previously cached Phase1 result was already lost, so
1062 			 * it needs to be recalculated for the next packet. */
1063 			ctx->rx_phase1_done = 0;
1064 		}
1065 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
1066 		    "%s", "TKIP ICV mismatch on decrypt");
1067 		vap->iv_stats.is_rx_tkipicv++;
1068 		return 0;
1069 	}
1070 	return 1;
1071 }
1072 
1073 /*
1074  * Module glue.
1075  */
1076 IEEE80211_CRYPTO_MODULE(tkip, 1);
1077