ieee80211_crypto_tkip.c revision 1.14.4.3
1 /* $NetBSD: ieee80211_crypto_tkip.c,v 1.14.4.3 2018/07/16 20:11:11 phil Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 5 * 6 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 #if __FreeBSD__ 32 __FBSDID("$FreeBSD$"); 33 #endif 34 35 /* 36 * IEEE 802.11i TKIP crypto support. 37 * 38 * Part of this module is derived from similar code in the Host 39 * AP driver. The code is used with the consent of the author and 40 * it's license is included below. 41 */ 42 #include "opt_wlan.h" 43 44 #include <sys/param.h> 45 #include <sys/systm.h> 46 #include <sys/mbuf.h> 47 #include <sys/malloc.h> 48 #include <sys/kernel.h> 49 #include <sys/module.h> 50 #include <sys/endian.h> 51 52 #include <sys/socket.h> 53 54 #include <net/if.h> 55 #include <net/if_media.h> 56 #if __FreeBSD__ 57 #include <net/ethernet.h> 58 #endif 59 #ifdef __NetBSD__ 60 #include <net/route.h> 61 #endif 62 63 #include <net80211/ieee80211_var.h> 64 65 #ifdef __NetBSD__ 66 #undef KASSERT 67 #define KASSERT(__cond, __complaint) FBSDKASSERT(__cond, __complaint) 68 #endif 69 70 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 71 static void tkip_detach(struct ieee80211_key *); 72 static int tkip_setkey(struct ieee80211_key *); 73 static void tkip_setiv(struct ieee80211_key *, uint8_t *); 74 static int tkip_encap(struct ieee80211_key *, struct mbuf *); 75 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 76 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 77 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 78 79 static const struct ieee80211_cipher tkip = { 80 .ic_name = "TKIP", 81 .ic_cipher = IEEE80211_CIPHER_TKIP, 82 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 83 IEEE80211_WEP_EXTIVLEN, 84 .ic_trailer = IEEE80211_WEP_CRCLEN, 85 .ic_miclen = IEEE80211_WEP_MICLEN, 86 .ic_attach = tkip_attach, 87 .ic_detach = tkip_detach, 88 .ic_setkey = tkip_setkey, 89 .ic_setiv = tkip_setiv, 90 .ic_encap = tkip_encap, 91 .ic_decap = tkip_decap, 92 .ic_enmic = tkip_enmic, 93 .ic_demic = tkip_demic, 94 }; 95 96 typedef uint8_t u8; 97 typedef uint16_t u16; 98 typedef uint32_t __u32; 99 typedef uint32_t u32; 100 101 struct tkip_ctx { 102 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 103 104 u16 tx_ttak[5]; 105 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 106 107 u16 rx_ttak[5]; 108 int rx_phase1_done; 109 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 110 uint64_t rx_rsc; /* held until MIC verified */ 111 }; 112 113 static void michael_mic(struct tkip_ctx *, const u8 *key, 114 struct mbuf *m, u_int off, size_t data_len, 115 u8 mic[IEEE80211_WEP_MICLEN]); 116 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 117 struct mbuf *, int hdr_len); 118 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 119 struct mbuf *, int hdr_len); 120 121 /* number of references from net80211 layer */ 122 static int nrefs = 0; 123 124 static void * 125 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 126 { 127 struct tkip_ctx *ctx; 128 129 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 130 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 131 if (ctx == NULL) { 132 vap->iv_stats.is_crypto_nomem++; 133 return NULL; 134 } 135 136 ctx->tc_vap = vap; 137 nrefs++; /* NB: we assume caller locking */ 138 return ctx; 139 } 140 141 static void 142 tkip_detach(struct ieee80211_key *k) 143 { 144 struct tkip_ctx *ctx = k->wk_private; 145 146 IEEE80211_FREE(ctx, M_80211_CRYPTO); 147 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 148 nrefs--; /* NB: we assume caller locking */ 149 } 150 151 static int 152 tkip_setkey(struct ieee80211_key *k) 153 { 154 struct tkip_ctx *ctx = k->wk_private; 155 156 if (k->wk_keylen != (128/NBBY)) { 157 (void) ctx; /* XXX */ 158 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 159 "%s: Invalid key length %u, expecting %u\n", 160 __func__, k->wk_keylen, 128/NBBY); 161 return 0; 162 } 163 ctx->rx_phase1_done = 0; 164 return 1; 165 } 166 167 static void 168 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 169 { 170 struct tkip_ctx *ctx = k->wk_private; 171 struct ieee80211vap *vap = ctx->tc_vap; 172 uint8_t keyid; 173 174 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 175 176 k->wk_keytsc++; 177 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 178 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 179 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 180 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 181 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 182 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 183 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 184 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 185 } 186 187 /* 188 * Add privacy headers and do any s/w encryption required. 189 */ 190 static int 191 tkip_encap(struct ieee80211_key *k, struct mbuf *m) 192 { 193 struct tkip_ctx *ctx = k->wk_private; 194 struct ieee80211vap *vap = ctx->tc_vap; 195 struct ieee80211com *ic = vap->iv_ic; 196 struct ieee80211_frame *wh; 197 uint8_t *ivp; 198 int hdrlen; 199 int is_mgmt; 200 201 wh = mtod(m, struct ieee80211_frame *); 202 is_mgmt = IEEE80211_IS_MGMT(wh); 203 204 /* 205 * Handle TKIP counter measures requirement. 206 */ 207 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 208 #if __FreeBSD__ 209 #ifdef IEEE80211_DEBUG 210 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 211 #endif 212 213 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 214 "discard frame due to countermeasures (%s)", __func__); 215 #elif __NetBSD__ 216 #ifdef IEEE80211_DEBUG 217 struct ieee80211_frame *wh1 = mtod(m, struct ieee80211_frame *); 218 #endif 219 220 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 221 (const __uint8_t *)wh1->i_addr2, 222 "discard frame due to countermeasures (%s)", __func__); 223 #endif 224 vap->iv_stats.is_crypto_tkipcm++; 225 return 0; 226 } 227 228 /* 229 * Check to see whether IV needs to be included. 230 */ 231 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) 232 return 1; 233 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) 234 return 1; 235 236 237 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 238 239 /* 240 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 241 */ 242 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 243 if (m == NULL) 244 return 0; 245 ivp = mtod(m, uint8_t *); 246 memmove(ivp, ivp + tkip.ic_header, hdrlen); 247 ivp += hdrlen; 248 249 tkip_setiv(k, ivp); 250 251 /* 252 * Finally, do software encrypt if needed. 253 */ 254 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 255 !tkip_encrypt(ctx, k, m, hdrlen)) 256 return 0; 257 258 return 1; 259 } 260 261 /* 262 * Add MIC to the frame as needed. 263 */ 264 static int 265 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 266 { 267 struct tkip_ctx *ctx = k->wk_private; 268 struct ieee80211_frame *wh; 269 int is_mgmt; 270 271 wh = mtod(m, struct ieee80211_frame *); 272 is_mgmt = IEEE80211_IS_MGMT(wh); 273 274 /* 275 * Check to see whether MIC needs to be included. 276 */ 277 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) 278 return 1; 279 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) 280 return 1; 281 282 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 283 #if __FreeBSD__ 284 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 285 #elif __NetBSD__ 286 wh = mtod(m, struct ieee80211_frame *); 287 #endif 288 struct ieee80211vap *vap = ctx->tc_vap; 289 struct ieee80211com *ic = vap->iv_ic; 290 int hdrlen; 291 uint8_t mic[IEEE80211_WEP_MICLEN]; 292 293 vap->iv_stats.is_crypto_tkipenmic++; 294 295 hdrlen = ieee80211_hdrspace(ic, wh); 296 297 michael_mic(ctx, k->wk_txmic, 298 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 299 return m_append(m, tkip.ic_miclen, mic); 300 } 301 return 1; 302 } 303 304 static __inline uint64_t 305 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 306 { 307 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 308 uint16_t iv16 = (b4 << 0) | (b5 << 8); 309 return (((uint64_t)iv16) << 32) | iv32; 310 } 311 312 /* 313 * Validate and strip privacy headers (and trailer) for a 314 * received frame. If necessary, decrypt the frame using 315 * the specified key. 316 */ 317 static int 318 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 319 { 320 const struct ieee80211_rx_stats *rxs; 321 struct tkip_ctx *ctx = k->wk_private; 322 struct ieee80211vap *vap = ctx->tc_vap; 323 struct ieee80211_frame *wh; 324 uint8_t *ivp, tid; 325 326 rxs = ieee80211_get_rx_params_ptr(m); 327 328 /* 329 * If IV has been stripped, we skip most of the below. 330 */ 331 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) 332 goto finish; 333 334 /* 335 * Header should have extended IV and sequence number; 336 * verify the former and validate the latter. 337 */ 338 wh = mtod(m, struct ieee80211_frame *); 339 ivp = mtod(m, uint8_t *) + hdrlen; 340 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 341 /* 342 * No extended IV; discard frame. 343 */ 344 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 345 "%s", "missing ExtIV for TKIP cipher"); 346 vap->iv_stats.is_rx_tkipformat++; 347 return 0; 348 } 349 /* 350 * Handle TKIP counter measures requirement. 351 */ 352 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 353 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 354 "discard frame due to countermeasures (%s)", __func__); 355 vap->iv_stats.is_crypto_tkipcm++; 356 return 0; 357 } 358 359 tid = ieee80211_gettid(wh); 360 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 361 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 362 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 363 /* 364 * Replay violation; notify upper layer. 365 */ 366 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 367 vap->iv_stats.is_rx_tkipreplay++; 368 return 0; 369 } 370 /* 371 * NB: We can't update the rsc in the key until MIC is verified. 372 * 373 * We assume we are not preempted between doing the check above 374 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 375 * Otherwise we might process another packet and discard it as 376 * a replay. 377 */ 378 379 /* 380 * Check if the device handled the decrypt in hardware. 381 * If so we just strip the header; otherwise we need to 382 * handle the decrypt in software. 383 */ 384 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 385 !tkip_decrypt(ctx, k, m, hdrlen)) 386 return 0; 387 388 finish: 389 390 /* 391 * Copy up 802.11 header and strip crypto bits - but only if we 392 * are required to. 393 */ 394 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { 395 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), 396 hdrlen); 397 m_adj(m, tkip.ic_header); 398 } 399 400 /* 401 * XXX TODO: do we need an option to potentially not strip the 402 * WEP trailer? Does "MMIC_STRIP" also mean this? Or? 403 */ 404 m_adj(m, -tkip.ic_trailer); 405 406 return 1; 407 } 408 409 /* 410 * Verify and strip MIC from the frame. 411 */ 412 static int 413 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 414 { 415 const struct ieee80211_rx_stats *rxs; 416 struct tkip_ctx *ctx = k->wk_private; 417 struct ieee80211_frame *wh; 418 uint8_t tid; 419 420 wh = mtod(m, struct ieee80211_frame *); 421 rxs = ieee80211_get_rx_params_ptr(m); 422 423 /* 424 * If we are told about a MIC failure from the driver, 425 * directly notify as a michael failure to the upper 426 * layers. 427 */ 428 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { 429 struct ieee80211vap *vap = ctx->tc_vap; 430 ieee80211_notify_michael_failure(vap, wh, 431 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 432 k->wk_rxkeyix : k->wk_keyix); 433 return 0; 434 } 435 436 /* 437 * If IV has been stripped, we skip most of the below. 438 */ 439 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) 440 goto finish; 441 442 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 443 struct ieee80211vap *vap = ctx->tc_vap; 444 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 445 u8 mic[IEEE80211_WEP_MICLEN]; 446 u8 mic0[IEEE80211_WEP_MICLEN]; 447 448 vap->iv_stats.is_crypto_tkipdemic++; 449 450 michael_mic(ctx, k->wk_rxmic, 451 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 452 mic); 453 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 454 tkip.ic_miclen, mic0); 455 if (memcmp(mic, mic0, tkip.ic_miclen)) { 456 /* NB: 802.11 layer handles statistic and debug msg */ 457 ieee80211_notify_michael_failure(vap, wh, 458 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 459 k->wk_rxkeyix : k->wk_keyix); 460 return 0; 461 } 462 } 463 /* 464 * Strip MIC from the tail. 465 */ 466 m_adj(m, -tkip.ic_miclen); 467 468 /* 469 * Ok to update rsc now that MIC has been verified. 470 */ 471 tid = ieee80211_gettid(wh); 472 k->wk_keyrsc[tid] = ctx->rx_rsc; 473 474 finish: 475 return 1; 476 } 477 478 /* 479 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 480 * 481 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline (at) cc.hut.fi> 482 * 483 * This program is free software; you can redistribute it and/or modify 484 * it under the terms of the GNU General Public License version 2 as 485 * published by the Free Software Foundation. See README and COPYING for 486 * more details. 487 * 488 * Alternatively, this software may be distributed under the terms of BSD 489 * license. 490 */ 491 492 static const __u32 crc32_table[256] = { 493 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 494 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 495 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 496 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 497 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 498 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 499 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 500 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 501 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 502 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 503 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 504 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 505 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 506 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 507 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 508 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 509 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 510 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 511 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 512 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 513 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 514 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 515 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 516 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 517 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 518 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 519 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 520 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 521 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 522 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 523 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 524 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 525 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 526 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 527 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 528 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 529 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 530 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 531 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 532 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 533 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 534 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 535 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 536 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 537 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 538 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 539 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 540 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 541 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 542 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 543 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 544 0x2d02ef8dL 545 }; 546 547 static __inline u16 RotR1(u16 val) 548 { 549 return (val >> 1) | (val << 15); 550 } 551 552 static __inline u8 Lo8(u16 val) 553 { 554 return val & 0xff; 555 } 556 557 static __inline u8 Hi8(u16 val) 558 { 559 return val >> 8; 560 } 561 562 static __inline u16 Lo16(u32 val) 563 { 564 return val & 0xffff; 565 } 566 567 static __inline u16 Hi16(u32 val) 568 { 569 return val >> 16; 570 } 571 572 static __inline u16 Mk16(u8 hi, u8 lo) 573 { 574 return lo | (((u16) hi) << 8); 575 } 576 577 static __inline u16 Mk16_le(const u16 *v) 578 { 579 return le16toh(*v); 580 } 581 582 static const u16 Sbox[256] = { 583 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 584 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 585 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 586 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 587 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 588 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 589 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 590 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 591 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 592 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 593 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 594 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 595 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 596 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 597 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 598 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 599 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 600 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 601 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 602 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 603 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 604 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 605 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 606 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 607 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 608 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 609 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 610 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 611 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 612 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 613 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 614 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 615 }; 616 617 static __inline u16 _S_(u16 v) 618 { 619 u16 t = Sbox[Hi8(v)]; 620 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 621 } 622 623 #define PHASE1_LOOP_COUNT 8 624 625 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 626 { 627 int i, j; 628 629 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 630 TTAK[0] = Lo16(IV32); 631 TTAK[1] = Hi16(IV32); 632 TTAK[2] = Mk16(TA[1], TA[0]); 633 TTAK[3] = Mk16(TA[3], TA[2]); 634 TTAK[4] = Mk16(TA[5], TA[4]); 635 636 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 637 j = 2 * (i & 1); 638 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 639 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 640 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 641 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 642 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 643 } 644 } 645 646 #ifndef _BYTE_ORDER 647 #error "Don't know native byte order" 648 #endif 649 650 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 651 u16 IV16) 652 { 653 /* Make temporary area overlap WEP seed so that the final copy can be 654 * avoided on little endian hosts. */ 655 u16 *PPK = (u16 *) &WEPSeed[4]; 656 657 /* Step 1 - make copy of TTAK and bring in TSC */ 658 PPK[0] = TTAK[0]; 659 PPK[1] = TTAK[1]; 660 PPK[2] = TTAK[2]; 661 PPK[3] = TTAK[3]; 662 PPK[4] = TTAK[4]; 663 PPK[5] = TTAK[4] + IV16; 664 665 /* Step 2 - 96-bit bijective mixing using S-box */ 666 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 667 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 668 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 669 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 670 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 671 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 672 673 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 674 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 675 PPK[2] += RotR1(PPK[1]); 676 PPK[3] += RotR1(PPK[2]); 677 PPK[4] += RotR1(PPK[3]); 678 PPK[5] += RotR1(PPK[4]); 679 680 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 681 * WEPSeed[0..2] is transmitted as WEP IV */ 682 WEPSeed[0] = Hi8(IV16); 683 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 684 WEPSeed[2] = Lo8(IV16); 685 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 686 687 #if _BYTE_ORDER == _BIG_ENDIAN 688 { 689 int i; 690 for (i = 0; i < 6; i++) 691 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 692 } 693 #endif 694 } 695 696 static void 697 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 698 uint8_t icv[IEEE80211_WEP_CRCLEN]) 699 { 700 u32 i, j, k, crc; 701 size_t buflen; 702 u8 S[256]; 703 u8 *pos; 704 struct mbuf *m; 705 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 706 707 /* Setup RC4 state */ 708 for (i = 0; i < 256; i++) 709 S[i] = i; 710 j = 0; 711 for (i = 0; i < 256; i++) { 712 j = (j + S[i] + key[i & 0x0f]) & 0xff; 713 S_SWAP(i, j); 714 } 715 716 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 717 crc = ~0; 718 i = j = 0; 719 m = m0; 720 pos = mtod(m, uint8_t *) + off; 721 buflen = m->m_len - off; 722 for (;;) { 723 if (buflen > data_len) 724 buflen = data_len; 725 data_len -= buflen; 726 for (k = 0; k < buflen; k++) { 727 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 728 i = (i + 1) & 0xff; 729 j = (j + S[i]) & 0xff; 730 S_SWAP(i, j); 731 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 732 } 733 m = m->m_next; 734 if (m == NULL) { 735 KASSERT(data_len == 0, 736 ("out of buffers with data_len %zu\n", data_len)); 737 break; 738 } 739 pos = mtod(m, uint8_t *); 740 buflen = m->m_len; 741 } 742 crc = ~crc; 743 744 /* Append little-endian CRC32 and encrypt it to produce ICV */ 745 icv[0] = crc; 746 icv[1] = crc >> 8; 747 icv[2] = crc >> 16; 748 icv[3] = crc >> 24; 749 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 750 i = (i + 1) & 0xff; 751 j = (j + S[i]) & 0xff; 752 S_SWAP(i, j); 753 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 754 } 755 } 756 757 static int 758 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 759 { 760 u32 i, j, k, crc; 761 u8 S[256]; 762 u8 *pos, icv[4]; 763 size_t buflen; 764 765 /* Setup RC4 state */ 766 for (i = 0; i < 256; i++) 767 S[i] = i; 768 j = 0; 769 for (i = 0; i < 256; i++) { 770 j = (j + S[i] + key[i & 0x0f]) & 0xff; 771 S_SWAP(i, j); 772 } 773 774 /* Apply RC4 to data and compute CRC32 over decrypted data */ 775 crc = ~0; 776 i = j = 0; 777 pos = mtod(m, uint8_t *) + off; 778 buflen = m->m_len - off; 779 for (;;) { 780 if (buflen > data_len) 781 buflen = data_len; 782 data_len -= buflen; 783 for (k = 0; k < buflen; k++) { 784 i = (i + 1) & 0xff; 785 j = (j + S[i]) & 0xff; 786 S_SWAP(i, j); 787 *pos ^= S[(S[i] + S[j]) & 0xff]; 788 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 789 pos++; 790 } 791 m = m->m_next; 792 if (m == NULL) { 793 KASSERT(data_len == 0, 794 ("out of buffers with data_len %zu\n", data_len)); 795 break; 796 } 797 pos = mtod(m, uint8_t *); 798 buflen = m->m_len; 799 } 800 crc = ~crc; 801 802 /* Encrypt little-endian CRC32 and verify that it matches with the 803 * received ICV */ 804 icv[0] = crc; 805 icv[1] = crc >> 8; 806 icv[2] = crc >> 16; 807 icv[3] = crc >> 24; 808 for (k = 0; k < 4; k++) { 809 i = (i + 1) & 0xff; 810 j = (j + S[i]) & 0xff; 811 S_SWAP(i, j); 812 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 813 /* ICV mismatch - drop frame */ 814 return -1; 815 } 816 } 817 818 return 0; 819 } 820 821 822 static __inline u32 rotl(u32 val, int bits) 823 { 824 return (val << bits) | (val >> (32 - bits)); 825 } 826 827 828 static __inline u32 rotr(u32 val, int bits) 829 { 830 return (val >> bits) | (val << (32 - bits)); 831 } 832 833 834 static __inline u32 xswap(u32 val) 835 { 836 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 837 } 838 839 840 #define michael_block(l, r) \ 841 do { \ 842 r ^= rotl(l, 17); \ 843 l += r; \ 844 r ^= xswap(l); \ 845 l += r; \ 846 r ^= rotl(l, 3); \ 847 l += r; \ 848 r ^= rotr(l, 2); \ 849 l += r; \ 850 } while (0) 851 852 853 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 854 { 855 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 856 } 857 858 static __inline u32 get_le32(const u8 *p) 859 { 860 return get_le32_split(p[0], p[1], p[2], p[3]); 861 } 862 863 864 static __inline void put_le32(u8 *p, u32 v) 865 { 866 p[0] = v; 867 p[1] = v >> 8; 868 p[2] = v >> 16; 869 p[3] = v >> 24; 870 } 871 872 /* 873 * Craft pseudo header used to calculate the MIC. 874 */ 875 static void 876 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 877 { 878 const struct ieee80211_frame_addr4 *wh = 879 (const struct ieee80211_frame_addr4 *) wh0; 880 881 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 882 case IEEE80211_FC1_DIR_NODS: 883 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 884 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 885 break; 886 case IEEE80211_FC1_DIR_TODS: 887 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 888 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 889 break; 890 case IEEE80211_FC1_DIR_FROMDS: 891 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 892 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 893 break; 894 case IEEE80211_FC1_DIR_DSTODS: 895 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 896 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 897 break; 898 } 899 900 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 901 const struct ieee80211_qosframe *qwh = 902 (const struct ieee80211_qosframe *) wh; 903 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 904 } else 905 hdr[12] = 0; 906 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 907 } 908 909 static void 910 michael_mic(struct tkip_ctx *ctx, const u8 *key, 911 struct mbuf *m, u_int off, size_t data_len, 912 u8 mic[IEEE80211_WEP_MICLEN]) 913 { 914 uint8_t hdr[16]; 915 u32 l, r; 916 const uint8_t *data; 917 u_int space; 918 919 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 920 921 l = get_le32(key); 922 r = get_le32(key + 4); 923 924 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 925 l ^= get_le32(hdr); 926 michael_block(l, r); 927 l ^= get_le32(&hdr[4]); 928 michael_block(l, r); 929 l ^= get_le32(&hdr[8]); 930 michael_block(l, r); 931 l ^= get_le32(&hdr[12]); 932 michael_block(l, r); 933 934 /* first buffer has special handling */ 935 data = mtod(m, const uint8_t *) + off; 936 space = m->m_len - off; 937 for (;;) { 938 if (space > data_len) 939 space = data_len; 940 /* collect 32-bit blocks from current buffer */ 941 while (space >= sizeof(uint32_t)) { 942 l ^= get_le32(data); 943 michael_block(l, r); 944 data += sizeof(uint32_t), space -= sizeof(uint32_t); 945 data_len -= sizeof(uint32_t); 946 } 947 /* 948 * NB: when space is zero we make one more trip around 949 * the loop to advance to the next mbuf where there is 950 * data. This handles the case where there are 4*n 951 * bytes in an mbuf followed by <4 bytes in a later mbuf. 952 * By making an extra trip we'll drop out of the loop 953 * with m pointing at the mbuf with 3 bytes and space 954 * set as required by the remainder handling below. 955 */ 956 if (data_len == 0 || 957 (data_len < sizeof(uint32_t) && space != 0)) 958 break; 959 m = m->m_next; 960 if (m == NULL) { 961 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 962 break; 963 } 964 if (space != 0) { 965 const uint8_t *data_next; 966 /* 967 * Block straddles buffers, split references. 968 */ 969 data_next = mtod(m, const uint8_t *); 970 KASSERT(m->m_len >= sizeof(uint32_t) - space, 971 ("not enough data in following buffer, " 972 "m_len %u need %zu\n", m->m_len, 973 sizeof(uint32_t) - space)); 974 switch (space) { 975 case 1: 976 l ^= get_le32_split(data[0], data_next[0], 977 data_next[1], data_next[2]); 978 data = data_next + 3; 979 space = m->m_len - 3; 980 break; 981 case 2: 982 l ^= get_le32_split(data[0], data[1], 983 data_next[0], data_next[1]); 984 data = data_next + 2; 985 space = m->m_len - 2; 986 break; 987 case 3: 988 l ^= get_le32_split(data[0], data[1], 989 data[2], data_next[0]); 990 data = data_next + 1; 991 space = m->m_len - 1; 992 break; 993 } 994 michael_block(l, r); 995 data_len -= sizeof(uint32_t); 996 } else { 997 /* 998 * Setup for next buffer. 999 */ 1000 data = mtod(m, const uint8_t *); 1001 space = m->m_len; 1002 } 1003 } 1004 /* 1005 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 1006 * mbuf[2 bytes]. I don't believe these should happen; if they 1007 * do then we'll need more involved logic. 1008 */ 1009 KASSERT(data_len <= space, 1010 ("not enough data, data_len %zu space %u\n", data_len, space)); 1011 1012 /* Last block and padding (0x5a, 4..7 x 0) */ 1013 switch (data_len) { 1014 case 0: 1015 l ^= get_le32_split(0x5a, 0, 0, 0); 1016 break; 1017 case 1: 1018 l ^= get_le32_split(data[0], 0x5a, 0, 0); 1019 break; 1020 case 2: 1021 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 1022 break; 1023 case 3: 1024 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 1025 break; 1026 } 1027 michael_block(l, r); 1028 /* l ^= 0; */ 1029 michael_block(l, r); 1030 1031 put_le32(mic, l); 1032 put_le32(mic + 4, r); 1033 } 1034 1035 static int 1036 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1037 struct mbuf *m, int hdrlen) 1038 { 1039 struct ieee80211_frame *wh; 1040 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1041 1042 ctx->tc_vap->iv_stats.is_crypto_tkip++; 1043 1044 wh = mtod(m, struct ieee80211_frame *); 1045 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 1046 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1047 (u32)(key->wk_keytsc >> 16)); 1048 } 1049 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1050 (u16) key->wk_keytsc); 1051 1052 wep_encrypt(ctx->tx_rc4key, 1053 m, hdrlen + tkip.ic_header, 1054 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1055 icv); 1056 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 1057 1058 return 1; 1059 } 1060 1061 static int 1062 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1063 struct mbuf *m, int hdrlen) 1064 { 1065 struct ieee80211_frame *wh; 1066 struct ieee80211vap *vap = ctx->tc_vap; 1067 u32 iv32; 1068 u16 iv16; 1069 u8 tid; 1070 1071 vap->iv_stats.is_crypto_tkip++; 1072 1073 wh = mtod(m, struct ieee80211_frame *); 1074 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1075 iv16 = (u16) ctx->rx_rsc; 1076 iv32 = (u32) (ctx->rx_rsc >> 16); 1077 1078 tid = ieee80211_gettid(wh); 1079 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 1080 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1081 wh->i_addr2, iv32); 1082 ctx->rx_phase1_done = 1; 1083 } 1084 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1085 1086 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1087 if (wep_decrypt(ctx->rx_rc4key, 1088 m, hdrlen + tkip.ic_header, 1089 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1090 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 1091 /* Previously cached Phase1 result was already lost, so 1092 * it needs to be recalculated for the next packet. */ 1093 ctx->rx_phase1_done = 0; 1094 } 1095 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1096 "%s", "TKIP ICV mismatch on decrypt"); 1097 vap->iv_stats.is_rx_tkipicv++; 1098 return 0; 1099 } 1100 return 1; 1101 } 1102 1103 /* 1104 * Module glue. 1105 */ 1106 IEEE80211_CRYPTO_MODULE(tkip, 1); 1107
Indexes created Tue Sep 30 17:09:57 GMT 2025