ieee80211_crypto_tkip.c revision 1.14.4.5
1 /* $NetBSD: ieee80211_crypto_tkip.c,v 1.14.4.5 2020/04/08 14:08:57 martin Exp $ */ 2 3 /*- 4 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 5 * 6 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 #ifdef __NetBSD__ 32 __KERNEL_RCSID(0, "$NetBSD: ieee80211_crypto_tkip.c,v 1.14.4.5 2020/04/08 14:08:57 martin Exp $"); 33 #endif 34 35 /* 36 * IEEE 802.11i TKIP crypto support. 37 * 38 * Part of this module is derived from similar code in the Host 39 * AP driver. The code is used with the consent of the author and 40 * it's license is included below. 41 */ 42 #ifdef _KERNEL_OPT 43 #include "opt_wlan.h" 44 #endif 45 46 #include <sys/param.h> 47 #include <sys/systm.h> 48 #include <sys/mbuf.h> 49 #include <sys/malloc.h> 50 #include <sys/kernel.h> 51 #include <sys/module.h> 52 #include <sys/endian.h> 53 54 #include <sys/socket.h> 55 56 #include <net/if.h> 57 #include <net/if_media.h> 58 #if __FreeBSD__ 59 #include <net/ethernet.h> 60 #endif 61 #ifdef __NetBSD__ 62 #include <net/route.h> 63 #endif 64 65 #include <net80211/ieee80211_var.h> 66 67 #ifdef __NetBSD__ 68 #undef KASSERT 69 #define KASSERT(__cond, __complaint) FBSDKASSERT(__cond, __complaint) 70 #endif 71 72 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 73 static void tkip_detach(struct ieee80211_key *); 74 static int tkip_setkey(struct ieee80211_key *); 75 static void tkip_setiv(struct ieee80211_key *, uint8_t *); 76 static int tkip_encap(struct ieee80211_key *, struct mbuf *); 77 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 78 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 79 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 80 81 static const struct ieee80211_cipher tkip = { 82 .ic_name = "TKIP", 83 .ic_cipher = IEEE80211_CIPHER_TKIP, 84 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 85 IEEE80211_WEP_EXTIVLEN, 86 .ic_trailer = IEEE80211_WEP_CRCLEN, 87 .ic_miclen = IEEE80211_WEP_MICLEN, 88 .ic_attach = tkip_attach, 89 .ic_detach = tkip_detach, 90 .ic_setkey = tkip_setkey, 91 .ic_setiv = tkip_setiv, 92 .ic_encap = tkip_encap, 93 .ic_decap = tkip_decap, 94 .ic_enmic = tkip_enmic, 95 .ic_demic = tkip_demic, 96 }; 97 98 typedef uint8_t u8; 99 typedef uint16_t u16; 100 typedef uint32_t __u32; 101 typedef uint32_t u32; 102 103 struct tkip_ctx { 104 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 105 106 u16 tx_ttak[5]; 107 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 108 109 u16 rx_ttak[5]; 110 int rx_phase1_done; 111 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 112 uint64_t rx_rsc; /* held until MIC verified */ 113 }; 114 115 static void michael_mic(struct tkip_ctx *, const u8 *key, 116 struct mbuf *m, u_int off, size_t data_len, 117 u8 mic[IEEE80211_WEP_MICLEN]); 118 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 119 struct mbuf *, int hdr_len); 120 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 121 struct mbuf *, int hdr_len); 122 123 /* number of references from net80211 layer */ 124 static int nrefs = 0; 125 126 static void * 127 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 128 { 129 struct tkip_ctx *ctx; 130 131 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 132 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 133 if (ctx == NULL) { 134 vap->iv_stats.is_crypto_nomem++; 135 return NULL; 136 } 137 138 ctx->tc_vap = vap; 139 nrefs++; /* NB: we assume caller locking */ 140 return ctx; 141 } 142 143 static void 144 tkip_detach(struct ieee80211_key *k) 145 { 146 struct tkip_ctx *ctx = k->wk_private; 147 148 IEEE80211_FREE(ctx, M_80211_CRYPTO); 149 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 150 nrefs--; /* NB: we assume caller locking */ 151 } 152 153 static int 154 tkip_setkey(struct ieee80211_key *k) 155 { 156 struct tkip_ctx *ctx = k->wk_private; 157 158 if (k->wk_keylen != (128/NBBY)) { 159 (void) ctx; /* XXX */ 160 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 161 "%s: Invalid key length %u, expecting %u\n", 162 __func__, k->wk_keylen, 128/NBBY); 163 return 0; 164 } 165 ctx->rx_phase1_done = 0; 166 return 1; 167 } 168 169 static void 170 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 171 { 172 struct tkip_ctx *ctx = k->wk_private; 173 struct ieee80211vap *vap = ctx->tc_vap; 174 uint8_t keyid; 175 176 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 177 178 k->wk_keytsc++; 179 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 180 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 181 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 182 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 183 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 184 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 185 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 186 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 187 } 188 189 /* 190 * Add privacy headers and do any s/w encryption required. 191 */ 192 static int 193 tkip_encap(struct ieee80211_key *k, struct mbuf *m) 194 { 195 struct tkip_ctx *ctx = k->wk_private; 196 struct ieee80211vap *vap = ctx->tc_vap; 197 struct ieee80211com *ic = vap->iv_ic; 198 struct ieee80211_frame *wh; 199 uint8_t *ivp; 200 int hdrlen; 201 int is_mgmt; 202 203 wh = mtod(m, struct ieee80211_frame *); 204 is_mgmt = IEEE80211_IS_MGMT(wh); 205 206 /* 207 * Handle TKIP counter measures requirement. 208 */ 209 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 210 #if __FreeBSD__ 211 #ifdef IEEE80211_DEBUG 212 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 213 #endif 214 215 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 216 "discard frame due to countermeasures (%s)", __func__); 217 #elif __NetBSD__ 218 #ifdef IEEE80211_DEBUG 219 struct ieee80211_frame *wh1 = mtod(m, struct ieee80211_frame *); 220 #endif 221 222 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 223 (const __uint8_t *)wh1->i_addr2, 224 "discard frame due to countermeasures (%s)", __func__); 225 #endif 226 vap->iv_stats.is_crypto_tkipcm++; 227 return 0; 228 } 229 230 /* 231 * Check to see whether IV needs to be included. 232 */ 233 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) 234 return 1; 235 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) 236 return 1; 237 238 239 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 240 241 /* 242 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 243 */ 244 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 245 if (m == NULL) 246 return 0; 247 ivp = mtod(m, uint8_t *); 248 memmove(ivp, ivp + tkip.ic_header, hdrlen); 249 ivp += hdrlen; 250 251 tkip_setiv(k, ivp); 252 253 /* 254 * Finally, do software encrypt if needed. 255 */ 256 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 257 !tkip_encrypt(ctx, k, m, hdrlen)) 258 return 0; 259 260 return 1; 261 } 262 263 /* 264 * Add MIC to the frame as needed. 265 */ 266 static int 267 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 268 { 269 struct tkip_ctx *ctx = k->wk_private; 270 struct ieee80211_frame *wh; 271 int is_mgmt; 272 273 wh = mtod(m, struct ieee80211_frame *); 274 is_mgmt = IEEE80211_IS_MGMT(wh); 275 276 /* 277 * Check to see whether MIC needs to be included. 278 */ 279 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) 280 return 1; 281 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) 282 return 1; 283 284 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 285 #if __FreeBSD__ 286 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 287 #elif __NetBSD__ 288 wh = mtod(m, struct ieee80211_frame *); 289 #endif 290 struct ieee80211vap *vap = ctx->tc_vap; 291 struct ieee80211com *ic = vap->iv_ic; 292 int hdrlen; 293 uint8_t mic[IEEE80211_WEP_MICLEN]; 294 295 vap->iv_stats.is_crypto_tkipenmic++; 296 297 hdrlen = ieee80211_hdrspace(ic, wh); 298 299 michael_mic(ctx, k->wk_txmic, 300 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 301 return m_append(m, tkip.ic_miclen, mic); 302 } 303 return 1; 304 } 305 306 static __inline uint64_t 307 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 308 { 309 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | ((u32)b3 << 24); 310 uint16_t iv16 = (b4 << 0) | (b5 << 8); 311 return (((uint64_t)iv16) << 32) | iv32; 312 } 313 314 /* 315 * Validate and strip privacy headers (and trailer) for a 316 * received frame. If necessary, decrypt the frame using 317 * the specified key. 318 */ 319 static int 320 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 321 { 322 const struct ieee80211_rx_stats *rxs; 323 struct tkip_ctx *ctx = k->wk_private; 324 struct ieee80211vap *vap = ctx->tc_vap; 325 struct ieee80211_frame *wh; 326 uint8_t *ivp, tid; 327 328 rxs = ieee80211_get_rx_params_ptr(m); 329 330 /* 331 * If IV has been stripped, we skip most of the below. 332 */ 333 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) 334 goto finish; 335 336 /* 337 * Header should have extended IV and sequence number; 338 * verify the former and validate the latter. 339 */ 340 wh = mtod(m, struct ieee80211_frame *); 341 ivp = mtod(m, uint8_t *) + hdrlen; 342 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 343 /* 344 * No extended IV; discard frame. 345 */ 346 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 347 "%s", "missing ExtIV for TKIP cipher"); 348 vap->iv_stats.is_rx_tkipformat++; 349 return 0; 350 } 351 /* 352 * Handle TKIP counter measures requirement. 353 */ 354 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 355 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 356 "discard frame due to countermeasures (%s)", __func__); 357 vap->iv_stats.is_crypto_tkipcm++; 358 return 0; 359 } 360 361 tid = ieee80211_gettid(wh); 362 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 363 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 364 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 365 /* 366 * Replay violation; notify upper layer. 367 */ 368 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 369 vap->iv_stats.is_rx_tkipreplay++; 370 return 0; 371 } 372 /* 373 * NB: We can't update the rsc in the key until MIC is verified. 374 * 375 * We assume we are not preempted between doing the check above 376 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 377 * Otherwise we might process another packet and discard it as 378 * a replay. 379 */ 380 381 /* 382 * Check if the device handled the decrypt in hardware. 383 * If so we just strip the header; otherwise we need to 384 * handle the decrypt in software. 385 */ 386 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 387 !tkip_decrypt(ctx, k, m, hdrlen)) 388 return 0; 389 390 finish: 391 392 /* 393 * Copy up 802.11 header and strip crypto bits - but only if we 394 * are required to. 395 */ 396 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { 397 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), 398 hdrlen); 399 m_adj(m, tkip.ic_header); 400 } 401 402 /* 403 * XXX TODO: do we need an option to potentially not strip the 404 * WEP trailer? Does "MMIC_STRIP" also mean this? Or? 405 */ 406 m_adj(m, -tkip.ic_trailer); 407 408 return 1; 409 } 410 411 /* 412 * Verify and strip MIC from the frame. 413 */ 414 static int 415 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 416 { 417 const struct ieee80211_rx_stats *rxs; 418 struct tkip_ctx *ctx = k->wk_private; 419 struct ieee80211_frame *wh; 420 uint8_t tid; 421 422 wh = mtod(m, struct ieee80211_frame *); 423 rxs = ieee80211_get_rx_params_ptr(m); 424 425 /* 426 * If we are told about a MIC failure from the driver, 427 * directly notify as a michael failure to the upper 428 * layers. 429 */ 430 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { 431 struct ieee80211vap *vap = ctx->tc_vap; 432 ieee80211_notify_michael_failure(vap, wh, 433 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 434 k->wk_rxkeyix : k->wk_keyix); 435 return 0; 436 } 437 438 /* 439 * If IV has been stripped, we skip most of the below. 440 */ 441 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) 442 goto finish; 443 444 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 445 struct ieee80211vap *vap = ctx->tc_vap; 446 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 447 u8 mic[IEEE80211_WEP_MICLEN]; 448 u8 mic0[IEEE80211_WEP_MICLEN]; 449 450 vap->iv_stats.is_crypto_tkipdemic++; 451 452 michael_mic(ctx, k->wk_rxmic, 453 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 454 mic); 455 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 456 tkip.ic_miclen, mic0); 457 if (memcmp(mic, mic0, tkip.ic_miclen)) { 458 /* NB: 802.11 layer handles statistic and debug msg */ 459 ieee80211_notify_michael_failure(vap, wh, 460 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 461 k->wk_rxkeyix : k->wk_keyix); 462 return 0; 463 } 464 } 465 /* 466 * Strip MIC from the tail. 467 */ 468 m_adj(m, -tkip.ic_miclen); 469 470 /* 471 * Ok to update rsc now that MIC has been verified. 472 */ 473 tid = ieee80211_gettid(wh); 474 k->wk_keyrsc[tid] = ctx->rx_rsc; 475 476 finish: 477 return 1; 478 } 479 480 /* 481 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 482 * 483 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline (at) cc.hut.fi> 484 * 485 * This program is free software; you can redistribute it and/or modify 486 * it under the terms of the GNU General Public License version 2 as 487 * published by the Free Software Foundation. See README and COPYING for 488 * more details. 489 * 490 * Alternatively, this software may be distributed under the terms of BSD 491 * license. 492 */ 493 494 static const __u32 crc32_table[256] = { 495 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 496 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 497 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 498 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 499 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 500 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 501 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 502 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 503 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 504 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 505 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 506 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 507 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 508 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 509 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 510 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 511 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 512 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 513 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 514 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 515 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 516 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 517 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 518 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 519 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 520 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 521 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 522 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 523 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 524 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 525 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 526 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 527 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 528 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 529 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 530 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 531 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 532 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 533 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 534 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 535 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 536 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 537 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 538 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 539 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 540 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 541 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 542 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 543 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 544 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 545 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 546 0x2d02ef8dL 547 }; 548 549 static __inline u16 RotR1(u16 val) 550 { 551 return (val >> 1) | (val << 15); 552 } 553 554 static __inline u8 Lo8(u16 val) 555 { 556 return val & 0xff; 557 } 558 559 static __inline u8 Hi8(u16 val) 560 { 561 return val >> 8; 562 } 563 564 static __inline u16 Lo16(u32 val) 565 { 566 return val & 0xffff; 567 } 568 569 static __inline u16 Hi16(u32 val) 570 { 571 return val >> 16; 572 } 573 574 static __inline u16 Mk16(u8 hi, u8 lo) 575 { 576 return lo | (((u16) hi) << 8); 577 } 578 579 static __inline u16 Mk16_le(const u16 *v) 580 { 581 return le16toh(*v); 582 } 583 584 static const u16 Sbox[256] = { 585 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 586 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 587 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 588 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 589 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 590 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 591 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 592 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 593 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 594 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 595 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 596 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 597 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 598 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 599 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 600 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 601 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 602 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 603 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 604 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 605 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 606 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 607 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 608 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 609 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 610 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 611 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 612 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 613 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 614 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 615 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 616 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 617 }; 618 619 static __inline u16 _S_(u16 v) 620 { 621 u16 t = Sbox[Hi8(v)]; 622 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 623 } 624 625 #define PHASE1_LOOP_COUNT 8 626 627 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 628 { 629 int i, j; 630 631 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 632 TTAK[0] = Lo16(IV32); 633 TTAK[1] = Hi16(IV32); 634 TTAK[2] = Mk16(TA[1], TA[0]); 635 TTAK[3] = Mk16(TA[3], TA[2]); 636 TTAK[4] = Mk16(TA[5], TA[4]); 637 638 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 639 j = 2 * (i & 1); 640 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 641 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 642 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 643 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 644 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 645 } 646 } 647 648 #ifndef _BYTE_ORDER 649 #error "Don't know native byte order" 650 #endif 651 652 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 653 u16 IV16) 654 { 655 /* Make temporary area overlap WEP seed so that the final copy can be 656 * avoided on little endian hosts. */ 657 u16 *PPK = (u16 *) &WEPSeed[4]; 658 659 /* Step 1 - make copy of TTAK and bring in TSC */ 660 PPK[0] = TTAK[0]; 661 PPK[1] = TTAK[1]; 662 PPK[2] = TTAK[2]; 663 PPK[3] = TTAK[3]; 664 PPK[4] = TTAK[4]; 665 PPK[5] = TTAK[4] + IV16; 666 667 /* Step 2 - 96-bit bijective mixing using S-box */ 668 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 669 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 670 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 671 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 672 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 673 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 674 675 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 676 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 677 PPK[2] += RotR1(PPK[1]); 678 PPK[3] += RotR1(PPK[2]); 679 PPK[4] += RotR1(PPK[3]); 680 PPK[5] += RotR1(PPK[4]); 681 682 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 683 * WEPSeed[0..2] is transmitted as WEP IV */ 684 WEPSeed[0] = Hi8(IV16); 685 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 686 WEPSeed[2] = Lo8(IV16); 687 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 688 689 #if _BYTE_ORDER == _BIG_ENDIAN 690 { 691 int i; 692 for (i = 0; i < 6; i++) 693 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 694 } 695 #endif 696 } 697 698 static void 699 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 700 uint8_t icv[IEEE80211_WEP_CRCLEN]) 701 { 702 u32 i, j, k, crc; 703 size_t buflen; 704 u8 S[256]; 705 u8 *pos; 706 struct mbuf *m; 707 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 708 709 /* Setup RC4 state */ 710 for (i = 0; i < 256; i++) 711 S[i] = i; 712 j = 0; 713 for (i = 0; i < 256; i++) { 714 j = (j + S[i] + key[i & 0x0f]) & 0xff; 715 S_SWAP(i, j); 716 } 717 718 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 719 crc = ~0; 720 i = j = 0; 721 m = m0; 722 pos = mtod(m, uint8_t *) + off; 723 buflen = m->m_len - off; 724 for (;;) { 725 if (buflen > data_len) 726 buflen = data_len; 727 data_len -= buflen; 728 for (k = 0; k < buflen; k++) { 729 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 730 i = (i + 1) & 0xff; 731 j = (j + S[i]) & 0xff; 732 S_SWAP(i, j); 733 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 734 } 735 m = m->m_next; 736 if (m == NULL) { 737 KASSERT(data_len == 0, 738 ("out of buffers with data_len %zu\n", data_len)); 739 break; 740 } 741 pos = mtod(m, uint8_t *); 742 buflen = m->m_len; 743 } 744 crc = ~crc; 745 746 /* Append little-endian CRC32 and encrypt it to produce ICV */ 747 icv[0] = crc; 748 icv[1] = crc >> 8; 749 icv[2] = crc >> 16; 750 icv[3] = crc >> 24; 751 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 752 i = (i + 1) & 0xff; 753 j = (j + S[i]) & 0xff; 754 S_SWAP(i, j); 755 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 756 } 757 } 758 759 static int 760 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 761 { 762 u32 i, j, k, crc; 763 u8 S[256]; 764 u8 *pos, icv[4]; 765 size_t buflen; 766 767 /* Setup RC4 state */ 768 for (i = 0; i < 256; i++) 769 S[i] = i; 770 j = 0; 771 for (i = 0; i < 256; i++) { 772 j = (j + S[i] + key[i & 0x0f]) & 0xff; 773 S_SWAP(i, j); 774 } 775 776 /* Apply RC4 to data and compute CRC32 over decrypted data */ 777 crc = ~0; 778 i = j = 0; 779 pos = mtod(m, uint8_t *) + off; 780 buflen = m->m_len - off; 781 for (;;) { 782 if (buflen > data_len) 783 buflen = data_len; 784 data_len -= buflen; 785 for (k = 0; k < buflen; k++) { 786 i = (i + 1) & 0xff; 787 j = (j + S[i]) & 0xff; 788 S_SWAP(i, j); 789 *pos ^= S[(S[i] + S[j]) & 0xff]; 790 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 791 pos++; 792 } 793 m = m->m_next; 794 if (m == NULL) { 795 KASSERT(data_len == 0, 796 ("out of buffers with data_len %zu\n", data_len)); 797 break; 798 } 799 pos = mtod(m, uint8_t *); 800 buflen = m->m_len; 801 } 802 crc = ~crc; 803 804 /* Encrypt little-endian CRC32 and verify that it matches with the 805 * received ICV */ 806 icv[0] = crc; 807 icv[1] = crc >> 8; 808 icv[2] = crc >> 16; 809 icv[3] = crc >> 24; 810 for (k = 0; k < 4; k++) { 811 i = (i + 1) & 0xff; 812 j = (j + S[i]) & 0xff; 813 S_SWAP(i, j); 814 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 815 /* ICV mismatch - drop frame */ 816 return -1; 817 } 818 } 819 820 return 0; 821 } 822 823 824 static __inline u32 rotl(u32 val, int bits) 825 { 826 return (val << bits) | (val >> (32 - bits)); 827 } 828 829 830 static __inline u32 rotr(u32 val, int bits) 831 { 832 return (val >> bits) | (val << (32 - bits)); 833 } 834 835 836 static __inline u32 xswap(u32 val) 837 { 838 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 839 } 840 841 842 #define michael_block(l, r) \ 843 do { \ 844 r ^= rotl(l, 17); \ 845 l += r; \ 846 r ^= xswap(l); \ 847 l += r; \ 848 r ^= rotl(l, 3); \ 849 l += r; \ 850 r ^= rotr(l, 2); \ 851 l += r; \ 852 } while (0) 853 854 855 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 856 { 857 return b0 | (b1 << 8) | (b2 << 16) | ((u32)b3 << 24); 858 } 859 860 static __inline u32 get_le32(const u8 *p) 861 { 862 return get_le32_split(p[0], p[1], p[2], p[3]); 863 } 864 865 866 static __inline void put_le32(u8 *p, u32 v) 867 { 868 p[0] = v; 869 p[1] = v >> 8; 870 p[2] = v >> 16; 871 p[3] = v >> 24; 872 } 873 874 /* 875 * Craft pseudo header used to calculate the MIC. 876 */ 877 static void 878 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 879 { 880 const struct ieee80211_frame_addr4 *wh = 881 (const struct ieee80211_frame_addr4 *) wh0; 882 883 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 884 case IEEE80211_FC1_DIR_NODS: 885 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 886 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 887 break; 888 case IEEE80211_FC1_DIR_TODS: 889 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 890 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 891 break; 892 case IEEE80211_FC1_DIR_FROMDS: 893 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 894 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 895 break; 896 case IEEE80211_FC1_DIR_DSTODS: 897 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 898 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 899 break; 900 } 901 902 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 903 const struct ieee80211_qosframe *qwh = 904 (const struct ieee80211_qosframe *) wh; 905 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 906 } else 907 hdr[12] = 0; 908 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 909 } 910 911 static void 912 michael_mic(struct tkip_ctx *ctx, const u8 *key, 913 struct mbuf *m, u_int off, size_t data_len, 914 u8 mic[IEEE80211_WEP_MICLEN]) 915 { 916 uint8_t hdr[16]; 917 u32 l, r; 918 const uint8_t *data; 919 u_int space; 920 921 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 922 923 l = get_le32(key); 924 r = get_le32(key + 4); 925 926 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 927 l ^= get_le32(hdr); 928 michael_block(l, r); 929 l ^= get_le32(&hdr[4]); 930 michael_block(l, r); 931 l ^= get_le32(&hdr[8]); 932 michael_block(l, r); 933 l ^= get_le32(&hdr[12]); 934 michael_block(l, r); 935 936 /* first buffer has special handling */ 937 data = mtod(m, const uint8_t *) + off; 938 space = m->m_len - off; 939 for (;;) { 940 if (space > data_len) 941 space = data_len; 942 /* collect 32-bit blocks from current buffer */ 943 while (space >= sizeof(uint32_t)) { 944 l ^= get_le32(data); 945 michael_block(l, r); 946 data += sizeof(uint32_t), space -= sizeof(uint32_t); 947 data_len -= sizeof(uint32_t); 948 } 949 /* 950 * NB: when space is zero we make one more trip around 951 * the loop to advance to the next mbuf where there is 952 * data. This handles the case where there are 4*n 953 * bytes in an mbuf followed by <4 bytes in a later mbuf. 954 * By making an extra trip we'll drop out of the loop 955 * with m pointing at the mbuf with 3 bytes and space 956 * set as required by the remainder handling below. 957 */ 958 if (data_len == 0 || 959 (data_len < sizeof(uint32_t) && space != 0)) 960 break; 961 m = m->m_next; 962 if (m == NULL) { 963 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 964 break; 965 } 966 if (space != 0) { 967 const uint8_t *data_next; 968 /* 969 * Block straddles buffers, split references. 970 */ 971 data_next = mtod(m, const uint8_t *); 972 KASSERT(m->m_len >= sizeof(uint32_t) - space, 973 ("not enough data in following buffer, " 974 "m_len %u need %zu\n", m->m_len, 975 sizeof(uint32_t) - space)); 976 switch (space) { 977 case 1: 978 l ^= get_le32_split(data[0], data_next[0], 979 data_next[1], data_next[2]); 980 data = data_next + 3; 981 space = m->m_len - 3; 982 break; 983 case 2: 984 l ^= get_le32_split(data[0], data[1], 985 data_next[0], data_next[1]); 986 data = data_next + 2; 987 space = m->m_len - 2; 988 break; 989 case 3: 990 l ^= get_le32_split(data[0], data[1], 991 data[2], data_next[0]); 992 data = data_next + 1; 993 space = m->m_len - 1; 994 break; 995 } 996 michael_block(l, r); 997 data_len -= sizeof(uint32_t); 998 } else { 999 /* 1000 * Setup for next buffer. 1001 */ 1002 data = mtod(m, const uint8_t *); 1003 space = m->m_len; 1004 } 1005 } 1006 /* 1007 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 1008 * mbuf[2 bytes]. I don't believe these should happen; if they 1009 * do then we'll need more involved logic. 1010 */ 1011 KASSERT(data_len <= space, 1012 ("not enough data, data_len %zu space %u\n", data_len, space)); 1013 1014 /* Last block and padding (0x5a, 4..7 x 0) */ 1015 switch (data_len) { 1016 case 0: 1017 l ^= get_le32_split(0x5a, 0, 0, 0); 1018 break; 1019 case 1: 1020 l ^= get_le32_split(data[0], 0x5a, 0, 0); 1021 break; 1022 case 2: 1023 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 1024 break; 1025 case 3: 1026 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 1027 break; 1028 } 1029 michael_block(l, r); 1030 /* l ^= 0; */ 1031 michael_block(l, r); 1032 1033 put_le32(mic, l); 1034 put_le32(mic + 4, r); 1035 } 1036 1037 static int 1038 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1039 struct mbuf *m, int hdrlen) 1040 { 1041 struct ieee80211_frame *wh; 1042 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1043 1044 ctx->tc_vap->iv_stats.is_crypto_tkip++; 1045 1046 wh = mtod(m, struct ieee80211_frame *); 1047 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 1048 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1049 (u32)(key->wk_keytsc >> 16)); 1050 } 1051 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1052 (u16) key->wk_keytsc); 1053 1054 wep_encrypt(ctx->tx_rc4key, 1055 m, hdrlen + tkip.ic_header, 1056 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1057 icv); 1058 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 1059 1060 return 1; 1061 } 1062 1063 static int 1064 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1065 struct mbuf *m, int hdrlen) 1066 { 1067 struct ieee80211_frame *wh; 1068 struct ieee80211vap *vap = ctx->tc_vap; 1069 u32 iv32; 1070 u16 iv16; 1071 u8 tid; 1072 1073 vap->iv_stats.is_crypto_tkip++; 1074 1075 wh = mtod(m, struct ieee80211_frame *); 1076 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1077 iv16 = (u16) ctx->rx_rsc; 1078 iv32 = (u32) (ctx->rx_rsc >> 16); 1079 1080 tid = ieee80211_gettid(wh); 1081 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 1082 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1083 wh->i_addr2, iv32); 1084 ctx->rx_phase1_done = 1; 1085 } 1086 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1087 1088 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1089 if (wep_decrypt(ctx->rx_rc4key, 1090 m, hdrlen + tkip.ic_header, 1091 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1092 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 1093 /* Previously cached Phase1 result was already lost, so 1094 * it needs to be recalculated for the next packet. */ 1095 ctx->rx_phase1_done = 0; 1096 } 1097 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1098 "%s", "TKIP ICV mismatch on decrypt"); 1099 vap->iv_stats.is_rx_tkipicv++; 1100 return 0; 1101 } 1102 return 1; 1103 } 1104 1105 /* 1106 * Module glue. 1107 */ 1108 IEEE80211_CRYPTO_MODULE(tkip, 1); 1109
Indexes created Tue Sep 30 11:09:46 GMT 2025