ieee80211_crypto_tkip.c revision 1.14.4.2
1 /* $NetBSD: ieee80211_crypto_tkip.c,v 1.14.4.2 2018/07/12 16:35:34 phil Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 5 * 6 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 #if __FreeBSD__ 32 __FBSDID("$FreeBSD$"); 33 #endif 34 35 /* 36 * IEEE 802.11i TKIP crypto support. 37 * 38 * Part of this module is derived from similar code in the Host 39 * AP driver. The code is used with the consent of the author and 40 * it's license is included below. 41 */ 42 #include "opt_wlan.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/malloc.h> 48 #include <sys/kernel.h> 49 #include <sys/module.h> 50 #include <sys/endian.h> 51 52 #include <sys/socket.h> 53 54 #include <net/if.h> 55 #include <net/if_media.h> 56 #if __FreeBSD__ 57 #include <net/ethernet.h> 58 #endif 59 #ifdef __NetBSD__ 60 #include <net/route.h> 61 #endif 62 63 #include <net80211/ieee80211_var.h> 64 65 #ifdef __NetBSD__ 66 #undef KASSERT 67 #define KASSERT(__cond, __complaint) FBSDKASSERT(__cond, __complaint) 68 #endif 69 70 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 71 static void tkip_detach(struct ieee80211_key *); 72 static int tkip_setkey(struct ieee80211_key *); 73 static void tkip_setiv(struct ieee80211_key *, uint8_t *); 74 static int tkip_encap(struct ieee80211_key *, struct mbuf *); 75 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 76 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 77 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 78 79 static const struct ieee80211_cipher tkip = { 80 .ic_name = "TKIP", 81 .ic_cipher = IEEE80211_CIPHER_TKIP, 82 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 83 IEEE80211_WEP_EXTIVLEN, 84 .ic_trailer = IEEE80211_WEP_CRCLEN, 85 .ic_miclen = IEEE80211_WEP_MICLEN, 86 .ic_attach = tkip_attach, 87 .ic_detach = tkip_detach, 88 .ic_setkey = tkip_setkey, 89 .ic_setiv = tkip_setiv, 90 .ic_encap = tkip_encap, 91 .ic_decap = tkip_decap, 92 .ic_enmic = tkip_enmic, 93 .ic_demic = tkip_demic, 94 }; 95 96 typedef uint8_t u8; 97 typedef uint16_t u16; 98 typedef uint32_t __u32; 99 typedef uint32_t u32; 100 101 struct tkip_ctx { 102 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 103 104 u16 tx_ttak[5]; 105 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 106 107 u16 rx_ttak[5]; 108 int rx_phase1_done; 109 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 110 uint64_t rx_rsc; /* held until MIC verified */ 111 }; 112 113 static void michael_mic(struct tkip_ctx *, const u8 *key, 114 struct mbuf *m, u_int off, size_t data_len, 115 u8 mic[IEEE80211_WEP_MICLEN]); 116 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 117 struct mbuf *, int hdr_len); 118 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 119 struct mbuf *, int hdr_len); 120 121 /* number of references from net80211 layer */ 122 static int nrefs = 0; 123 124 static void * 125 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 126 { 127 struct tkip_ctx *ctx; 128 129 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 130 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 131 if (ctx == NULL) { 132 vap->iv_stats.is_crypto_nomem++; 133 return NULL; 134 } 135 136 ctx->tc_vap = vap; 137 nrefs++; /* NB: we assume caller locking */ 138 return ctx; 139 } 140 141 static void 142 tkip_detach(struct ieee80211_key *k) 143 { 144 struct tkip_ctx *ctx = k->wk_private; 145 146 IEEE80211_FREE(ctx, M_80211_CRYPTO); 147 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 148 nrefs--; /* NB: we assume caller locking */ 149 } 150 151 static int 152 tkip_setkey(struct ieee80211_key *k) 153 { 154 struct tkip_ctx *ctx = k->wk_private; 155 156 if (k->wk_keylen != (128/NBBY)) { 157 (void) ctx; /* XXX */ 158 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 159 "%s: Invalid key length %u, expecting %u\n", 160 __func__, k->wk_keylen, 128/NBBY); 161 return 0; 162 } 163 ctx->rx_phase1_done = 0; 164 return 1; 165 } 166 167 static void 168 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 169 { 170 struct tkip_ctx *ctx = k->wk_private; 171 struct ieee80211vap *vap = ctx->tc_vap; 172 uint8_t keyid; 173 174 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 175 176 k->wk_keytsc++; 177 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 178 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 179 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 180 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 181 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 182 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 183 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 184 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 185 } 186 187 /* 188 * Add privacy headers and do any s/w encryption required. 189 */ 190 static int 191 tkip_encap(struct ieee80211_key *k, struct mbuf *m) 192 { 193 struct tkip_ctx *ctx = k->wk_private; 194 struct ieee80211vap *vap = ctx->tc_vap; 195 struct ieee80211com *ic = vap->iv_ic; 196 struct ieee80211_frame *wh; 197 uint8_t *ivp; 198 int hdrlen; 199 int is_mgmt; 200 201 wh = mtod(m, struct ieee80211_frame *); 202 is_mgmt = IEEE80211_IS_MGMT(wh); 203 204 /* 205 * Handle TKIP counter measures requirement. 206 */ 207 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 208 #ifdef IEEE80211_DEBUG 209 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 210 #endif 211 212 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 213 "discard frame due to countermeasures (%s)", __func__); 214 vap->iv_stats.is_crypto_tkipcm++; 215 return 0; 216 } 217 218 /* 219 * Check to see whether IV needs to be included. 220 */ 221 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) 222 return 1; 223 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) 224 return 1; 225 226 227 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 228 229 /* 230 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 231 */ 232 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 233 if (m == NULL) 234 return 0; 235 ivp = mtod(m, uint8_t *); 236 memmove(ivp, ivp + tkip.ic_header, hdrlen); 237 ivp += hdrlen; 238 239 tkip_setiv(k, ivp); 240 241 /* 242 * Finally, do software encrypt if needed. 243 */ 244 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 245 !tkip_encrypt(ctx, k, m, hdrlen)) 246 return 0; 247 248 return 1; 249 } 250 251 /* 252 * Add MIC to the frame as needed. 253 */ 254 static int 255 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 256 { 257 struct tkip_ctx *ctx = k->wk_private; 258 struct ieee80211_frame *wh; 259 int is_mgmt; 260 261 wh = mtod(m, struct ieee80211_frame *); 262 is_mgmt = IEEE80211_IS_MGMT(wh); 263 264 /* 265 * Check to see whether MIC needs to be included. 266 */ 267 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) 268 return 1; 269 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) 270 return 1; 271 272 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 273 #if __FreeBSD__ 274 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 275 #elif __NetBSD__ 276 wh = mtod(m, struct ieee80211_frame *); 277 #endif 278 struct ieee80211vap *vap = ctx->tc_vap; 279 struct ieee80211com *ic = vap->iv_ic; 280 int hdrlen; 281 uint8_t mic[IEEE80211_WEP_MICLEN]; 282 283 vap->iv_stats.is_crypto_tkipenmic++; 284 285 hdrlen = ieee80211_hdrspace(ic, wh); 286 287 michael_mic(ctx, k->wk_txmic, 288 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 289 return m_append(m, tkip.ic_miclen, mic); 290 } 291 return 1; 292 } 293 294 static __inline uint64_t 295 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 296 { 297 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 298 uint16_t iv16 = (b4 << 0) | (b5 << 8); 299 return (((uint64_t)iv16) << 32) | iv32; 300 } 301 302 /* 303 * Validate and strip privacy headers (and trailer) for a 304 * received frame. If necessary, decrypt the frame using 305 * the specified key. 306 */ 307 static int 308 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 309 { 310 const struct ieee80211_rx_stats *rxs; 311 struct tkip_ctx *ctx = k->wk_private; 312 struct ieee80211vap *vap = ctx->tc_vap; 313 struct ieee80211_frame *wh; 314 uint8_t *ivp, tid; 315 316 rxs = ieee80211_get_rx_params_ptr(m); 317 318 /* 319 * If IV has been stripped, we skip most of the below. 320 */ 321 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) 322 goto finish; 323 324 /* 325 * Header should have extended IV and sequence number; 326 * verify the former and validate the latter. 327 */ 328 wh = mtod(m, struct ieee80211_frame *); 329 ivp = mtod(m, uint8_t *) + hdrlen; 330 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 331 /* 332 * No extended IV; discard frame. 333 */ 334 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 335 "%s", "missing ExtIV for TKIP cipher"); 336 vap->iv_stats.is_rx_tkipformat++; 337 return 0; 338 } 339 /* 340 * Handle TKIP counter measures requirement. 341 */ 342 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 343 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 344 "discard frame due to countermeasures (%s)", __func__); 345 vap->iv_stats.is_crypto_tkipcm++; 346 return 0; 347 } 348 349 tid = ieee80211_gettid(wh); 350 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 351 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 352 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 353 /* 354 * Replay violation; notify upper layer. 355 */ 356 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 357 vap->iv_stats.is_rx_tkipreplay++; 358 return 0; 359 } 360 /* 361 * NB: We can't update the rsc in the key until MIC is verified. 362 * 363 * We assume we are not preempted between doing the check above 364 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 365 * Otherwise we might process another packet and discard it as 366 * a replay. 367 */ 368 369 /* 370 * Check if the device handled the decrypt in hardware. 371 * If so we just strip the header; otherwise we need to 372 * handle the decrypt in software. 373 */ 374 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 375 !tkip_decrypt(ctx, k, m, hdrlen)) 376 return 0; 377 378 finish: 379 380 /* 381 * Copy up 802.11 header and strip crypto bits - but only if we 382 * are required to. 383 */ 384 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { 385 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), 386 hdrlen); 387 m_adj(m, tkip.ic_header); 388 } 389 390 /* 391 * XXX TODO: do we need an option to potentially not strip the 392 * WEP trailer? Does "MMIC_STRIP" also mean this? Or? 393 */ 394 m_adj(m, -tkip.ic_trailer); 395 396 return 1; 397 } 398 399 /* 400 * Verify and strip MIC from the frame. 401 */ 402 static int 403 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 404 { 405 const struct ieee80211_rx_stats *rxs; 406 struct tkip_ctx *ctx = k->wk_private; 407 struct ieee80211_frame *wh; 408 uint8_t tid; 409 410 wh = mtod(m, struct ieee80211_frame *); 411 rxs = ieee80211_get_rx_params_ptr(m); 412 413 /* 414 * If we are told about a MIC failure from the driver, 415 * directly notify as a michael failure to the upper 416 * layers. 417 */ 418 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { 419 struct ieee80211vap *vap = ctx->tc_vap; 420 ieee80211_notify_michael_failure(vap, wh, 421 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 422 k->wk_rxkeyix : k->wk_keyix); 423 return 0; 424 } 425 426 /* 427 * If IV has been stripped, we skip most of the below. 428 */ 429 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) 430 goto finish; 431 432 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 433 struct ieee80211vap *vap = ctx->tc_vap; 434 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 435 u8 mic[IEEE80211_WEP_MICLEN]; 436 u8 mic0[IEEE80211_WEP_MICLEN]; 437 438 vap->iv_stats.is_crypto_tkipdemic++; 439 440 michael_mic(ctx, k->wk_rxmic, 441 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 442 mic); 443 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 444 tkip.ic_miclen, mic0); 445 if (memcmp(mic, mic0, tkip.ic_miclen)) { 446 /* NB: 802.11 layer handles statistic and debug msg */ 447 ieee80211_notify_michael_failure(vap, wh, 448 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 449 k->wk_rxkeyix : k->wk_keyix); 450 return 0; 451 } 452 } 453 /* 454 * Strip MIC from the tail. 455 */ 456 m_adj(m, -tkip.ic_miclen); 457 458 /* 459 * Ok to update rsc now that MIC has been verified. 460 */ 461 tid = ieee80211_gettid(wh); 462 k->wk_keyrsc[tid] = ctx->rx_rsc; 463 464 finish: 465 return 1; 466 } 467 468 /* 469 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 470 * 471 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline (at) cc.hut.fi> 472 * 473 * This program is free software; you can redistribute it and/or modify 474 * it under the terms of the GNU General Public License version 2 as 475 * published by the Free Software Foundation. See README and COPYING for 476 * more details. 477 * 478 * Alternatively, this software may be distributed under the terms of BSD 479 * license. 480 */ 481 482 static const __u32 crc32_table[256] = { 483 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 484 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 485 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 486 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 487 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 488 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 489 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 490 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 491 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 492 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 493 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 494 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 495 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 496 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 497 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 498 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 499 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 500 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 501 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 502 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 503 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 504 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 505 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 506 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 507 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 508 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 509 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 510 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 511 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 512 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 513 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 514 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 515 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 516 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 517 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 518 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 519 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 520 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 521 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 522 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 523 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 524 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 525 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 526 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 527 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 528 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 529 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 530 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 531 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 532 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 533 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 534 0x2d02ef8dL 535 }; 536 537 static __inline u16 RotR1(u16 val) 538 { 539 return (val >> 1) | (val << 15); 540 } 541 542 static __inline u8 Lo8(u16 val) 543 { 544 return val & 0xff; 545 } 546 547 static __inline u8 Hi8(u16 val) 548 { 549 return val >> 8; 550 } 551 552 static __inline u16 Lo16(u32 val) 553 { 554 return val & 0xffff; 555 } 556 557 static __inline u16 Hi16(u32 val) 558 { 559 return val >> 16; 560 } 561 562 static __inline u16 Mk16(u8 hi, u8 lo) 563 { 564 return lo | (((u16) hi) << 8); 565 } 566 567 static __inline u16 Mk16_le(const u16 *v) 568 { 569 return le16toh(*v); 570 } 571 572 static const u16 Sbox[256] = { 573 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 574 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 575 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 576 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 577 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 578 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 579 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 580 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 581 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 582 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 583 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 584 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 585 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 586 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 587 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 588 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 589 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 590 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 591 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 592 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 593 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 594 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 595 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 596 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 597 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 598 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 599 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 600 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 601 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 602 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 603 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 604 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 605 }; 606 607 static __inline u16 _S_(u16 v) 608 { 609 u16 t = Sbox[Hi8(v)]; 610 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 611 } 612 613 #define PHASE1_LOOP_COUNT 8 614 615 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 616 { 617 int i, j; 618 619 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 620 TTAK[0] = Lo16(IV32); 621 TTAK[1] = Hi16(IV32); 622 TTAK[2] = Mk16(TA[1], TA[0]); 623 TTAK[3] = Mk16(TA[3], TA[2]); 624 TTAK[4] = Mk16(TA[5], TA[4]); 625 626 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 627 j = 2 * (i & 1); 628 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 629 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 630 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 631 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 632 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 633 } 634 } 635 636 #ifndef _BYTE_ORDER 637 #error "Don't know native byte order" 638 #endif 639 640 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 641 u16 IV16) 642 { 643 /* Make temporary area overlap WEP seed so that the final copy can be 644 * avoided on little endian hosts. */ 645 u16 *PPK = (u16 *) &WEPSeed[4]; 646 647 /* Step 1 - make copy of TTAK and bring in TSC */ 648 PPK[0] = TTAK[0]; 649 PPK[1] = TTAK[1]; 650 PPK[2] = TTAK[2]; 651 PPK[3] = TTAK[3]; 652 PPK[4] = TTAK[4]; 653 PPK[5] = TTAK[4] + IV16; 654 655 /* Step 2 - 96-bit bijective mixing using S-box */ 656 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 657 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 658 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 659 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 660 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 661 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 662 663 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 664 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 665 PPK[2] += RotR1(PPK[1]); 666 PPK[3] += RotR1(PPK[2]); 667 PPK[4] += RotR1(PPK[3]); 668 PPK[5] += RotR1(PPK[4]); 669 670 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 671 * WEPSeed[0..2] is transmitted as WEP IV */ 672 WEPSeed[0] = Hi8(IV16); 673 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 674 WEPSeed[2] = Lo8(IV16); 675 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 676 677 #if _BYTE_ORDER == _BIG_ENDIAN 678 { 679 int i; 680 for (i = 0; i < 6; i++) 681 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 682 } 683 #endif 684 } 685 686 static void 687 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 688 uint8_t icv[IEEE80211_WEP_CRCLEN]) 689 { 690 u32 i, j, k, crc; 691 size_t buflen; 692 u8 S[256]; 693 u8 *pos; 694 struct mbuf *m; 695 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 696 697 /* Setup RC4 state */ 698 for (i = 0; i < 256; i++) 699 S[i] = i; 700 j = 0; 701 for (i = 0; i < 256; i++) { 702 j = (j + S[i] + key[i & 0x0f]) & 0xff; 703 S_SWAP(i, j); 704 } 705 706 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 707 crc = ~0; 708 i = j = 0; 709 m = m0; 710 pos = mtod(m, uint8_t *) + off; 711 buflen = m->m_len - off; 712 for (;;) { 713 if (buflen > data_len) 714 buflen = data_len; 715 data_len -= buflen; 716 for (k = 0; k < buflen; k++) { 717 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 718 i = (i + 1) & 0xff; 719 j = (j + S[i]) & 0xff; 720 S_SWAP(i, j); 721 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 722 } 723 m = m->m_next; 724 if (m == NULL) { 725 KASSERT(data_len == 0, 726 ("out of buffers with data_len %zu\n", data_len)); 727 break; 728 } 729 pos = mtod(m, uint8_t *); 730 buflen = m->m_len; 731 } 732 crc = ~crc; 733 734 /* Append little-endian CRC32 and encrypt it to produce ICV */ 735 icv[0] = crc; 736 icv[1] = crc >> 8; 737 icv[2] = crc >> 16; 738 icv[3] = crc >> 24; 739 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 740 i = (i + 1) & 0xff; 741 j = (j + S[i]) & 0xff; 742 S_SWAP(i, j); 743 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 744 } 745 } 746 747 static int 748 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 749 { 750 u32 i, j, k, crc; 751 u8 S[256]; 752 u8 *pos, icv[4]; 753 size_t buflen; 754 755 /* Setup RC4 state */ 756 for (i = 0; i < 256; i++) 757 S[i] = i; 758 j = 0; 759 for (i = 0; i < 256; i++) { 760 j = (j + S[i] + key[i & 0x0f]) & 0xff; 761 S_SWAP(i, j); 762 } 763 764 /* Apply RC4 to data and compute CRC32 over decrypted data */ 765 crc = ~0; 766 i = j = 0; 767 pos = mtod(m, uint8_t *) + off; 768 buflen = m->m_len - off; 769 for (;;) { 770 if (buflen > data_len) 771 buflen = data_len; 772 data_len -= buflen; 773 for (k = 0; k < buflen; k++) { 774 i = (i + 1) & 0xff; 775 j = (j + S[i]) & 0xff; 776 S_SWAP(i, j); 777 *pos ^= S[(S[i] + S[j]) & 0xff]; 778 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 779 pos++; 780 } 781 m = m->m_next; 782 if (m == NULL) { 783 KASSERT(data_len == 0, 784 ("out of buffers with data_len %zu\n", data_len)); 785 break; 786 } 787 pos = mtod(m, uint8_t *); 788 buflen = m->m_len; 789 } 790 crc = ~crc; 791 792 /* Encrypt little-endian CRC32 and verify that it matches with the 793 * received ICV */ 794 icv[0] = crc; 795 icv[1] = crc >> 8; 796 icv[2] = crc >> 16; 797 icv[3] = crc >> 24; 798 for (k = 0; k < 4; k++) { 799 i = (i + 1) & 0xff; 800 j = (j + S[i]) & 0xff; 801 S_SWAP(i, j); 802 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 803 /* ICV mismatch - drop frame */ 804 return -1; 805 } 806 } 807 808 return 0; 809 } 810 811 812 static __inline u32 rotl(u32 val, int bits) 813 { 814 return (val << bits) | (val >> (32 - bits)); 815 } 816 817 818 static __inline u32 rotr(u32 val, int bits) 819 { 820 return (val >> bits) | (val << (32 - bits)); 821 } 822 823 824 static __inline u32 xswap(u32 val) 825 { 826 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 827 } 828 829 830 #define michael_block(l, r) \ 831 do { \ 832 r ^= rotl(l, 17); \ 833 l += r; \ 834 r ^= xswap(l); \ 835 l += r; \ 836 r ^= rotl(l, 3); \ 837 l += r; \ 838 r ^= rotr(l, 2); \ 839 l += r; \ 840 } while (0) 841 842 843 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 844 { 845 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 846 } 847 848 static __inline u32 get_le32(const u8 *p) 849 { 850 return get_le32_split(p[0], p[1], p[2], p[3]); 851 } 852 853 854 static __inline void put_le32(u8 *p, u32 v) 855 { 856 p[0] = v; 857 p[1] = v >> 8; 858 p[2] = v >> 16; 859 p[3] = v >> 24; 860 } 861 862 /* 863 * Craft pseudo header used to calculate the MIC. 864 */ 865 static void 866 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 867 { 868 const struct ieee80211_frame_addr4 *wh = 869 (const struct ieee80211_frame_addr4 *) wh0; 870 871 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 872 case IEEE80211_FC1_DIR_NODS: 873 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 874 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 875 break; 876 case IEEE80211_FC1_DIR_TODS: 877 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 878 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 879 break; 880 case IEEE80211_FC1_DIR_FROMDS: 881 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 882 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 883 break; 884 case IEEE80211_FC1_DIR_DSTODS: 885 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 886 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 887 break; 888 } 889 890 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 891 const struct ieee80211_qosframe *qwh = 892 (const struct ieee80211_qosframe *) wh; 893 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 894 } else 895 hdr[12] = 0; 896 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 897 } 898 899 static void 900 michael_mic(struct tkip_ctx *ctx, const u8 *key, 901 struct mbuf *m, u_int off, size_t data_len, 902 u8 mic[IEEE80211_WEP_MICLEN]) 903 { 904 uint8_t hdr[16]; 905 u32 l, r; 906 const uint8_t *data; 907 u_int space; 908 909 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 910 911 l = get_le32(key); 912 r = get_le32(key + 4); 913 914 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 915 l ^= get_le32(hdr); 916 michael_block(l, r); 917 l ^= get_le32(&hdr[4]); 918 michael_block(l, r); 919 l ^= get_le32(&hdr[8]); 920 michael_block(l, r); 921 l ^= get_le32(&hdr[12]); 922 michael_block(l, r); 923 924 /* first buffer has special handling */ 925 data = mtod(m, const uint8_t *) + off; 926 space = m->m_len - off; 927 for (;;) { 928 if (space > data_len) 929 space = data_len; 930 /* collect 32-bit blocks from current buffer */ 931 while (space >= sizeof(uint32_t)) { 932 l ^= get_le32(data); 933 michael_block(l, r); 934 data += sizeof(uint32_t), space -= sizeof(uint32_t); 935 data_len -= sizeof(uint32_t); 936 } 937 /* 938 * NB: when space is zero we make one more trip around 939 * the loop to advance to the next mbuf where there is 940 * data. This handles the case where there are 4*n 941 * bytes in an mbuf followed by <4 bytes in a later mbuf. 942 * By making an extra trip we'll drop out of the loop 943 * with m pointing at the mbuf with 3 bytes and space 944 * set as required by the remainder handling below. 945 */ 946 if (data_len == 0 || 947 (data_len < sizeof(uint32_t) && space != 0)) 948 break; 949 m = m->m_next; 950 if (m == NULL) { 951 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 952 break; 953 } 954 if (space != 0) { 955 const uint8_t *data_next; 956 /* 957 * Block straddles buffers, split references. 958 */ 959 data_next = mtod(m, const uint8_t *); 960 KASSERT(m->m_len >= sizeof(uint32_t) - space, 961 ("not enough data in following buffer, " 962 "m_len %u need %zu\n", m->m_len, 963 sizeof(uint32_t) - space)); 964 switch (space) { 965 case 1: 966 l ^= get_le32_split(data[0], data_next[0], 967 data_next[1], data_next[2]); 968 data = data_next + 3; 969 space = m->m_len - 3; 970 break; 971 case 2: 972 l ^= get_le32_split(data[0], data[1], 973 data_next[0], data_next[1]); 974 data = data_next + 2; 975 space = m->m_len - 2; 976 break; 977 case 3: 978 l ^= get_le32_split(data[0], data[1], 979 data[2], data_next[0]); 980 data = data_next + 1; 981 space = m->m_len - 1; 982 break; 983 } 984 michael_block(l, r); 985 data_len -= sizeof(uint32_t); 986 } else { 987 /* 988 * Setup for next buffer. 989 */ 990 data = mtod(m, const uint8_t *); 991 space = m->m_len; 992 } 993 } 994 /* 995 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 996 * mbuf[2 bytes]. I don't believe these should happen; if they 997 * do then we'll need more involved logic. 998 */ 999 KASSERT(data_len <= space, 1000 ("not enough data, data_len %zu space %u\n", data_len, space)); 1001 1002 /* Last block and padding (0x5a, 4..7 x 0) */ 1003 switch (data_len) { 1004 case 0: 1005 l ^= get_le32_split(0x5a, 0, 0, 0); 1006 break; 1007 case 1: 1008 l ^= get_le32_split(data[0], 0x5a, 0, 0); 1009 break; 1010 case 2: 1011 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 1012 break; 1013 case 3: 1014 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 1015 break; 1016 } 1017 michael_block(l, r); 1018 /* l ^= 0; */ 1019 michael_block(l, r); 1020 1021 put_le32(mic, l); 1022 put_le32(mic + 4, r); 1023 } 1024 1025 static int 1026 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1027 struct mbuf *m, int hdrlen) 1028 { 1029 struct ieee80211_frame *wh; 1030 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1031 1032 ctx->tc_vap->iv_stats.is_crypto_tkip++; 1033 1034 wh = mtod(m, struct ieee80211_frame *); 1035 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 1036 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1037 (u32)(key->wk_keytsc >> 16)); 1038 } 1039 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1040 (u16) key->wk_keytsc); 1041 1042 wep_encrypt(ctx->tx_rc4key, 1043 m, hdrlen + tkip.ic_header, 1044 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1045 icv); 1046 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 1047 1048 return 1; 1049 } 1050 1051 static int 1052 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1053 struct mbuf *m, int hdrlen) 1054 { 1055 struct ieee80211_frame *wh; 1056 struct ieee80211vap *vap = ctx->tc_vap; 1057 u32 iv32; 1058 u16 iv16; 1059 u8 tid; 1060 1061 vap->iv_stats.is_crypto_tkip++; 1062 1063 wh = mtod(m, struct ieee80211_frame *); 1064 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1065 iv16 = (u16) ctx->rx_rsc; 1066 iv32 = (u32) (ctx->rx_rsc >> 16); 1067 1068 tid = ieee80211_gettid(wh); 1069 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 1070 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1071 wh->i_addr2, iv32); 1072 ctx->rx_phase1_done = 1; 1073 } 1074 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1075 1076 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1077 if (wep_decrypt(ctx->rx_rc4key, 1078 m, hdrlen + tkip.ic_header, 1079 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1080 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 1081 /* Previously cached Phase1 result was already lost, so 1082 * it needs to be recalculated for the next packet. */ 1083 ctx->rx_phase1_done = 0; 1084 } 1085 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1086 "%s", "TKIP ICV mismatch on decrypt"); 1087 vap->iv_stats.is_rx_tkipicv++; 1088 return 0; 1089 } 1090 return 1; 1091 } 1092 1093 /* 1094 * Module glue. 1095 */ 1096 IEEE80211_CRYPTO_MODULE(tkip, 1); 1097
Indexes created Tue Sep 30 20:09:53 GMT 2025