1 /* 2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. The name of the author may not be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * Alternatively, this software may be distributed under the terms of the 17 * GNU General Public License ("GPL") version 2 as published by the Free 18 * Software Foundation. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD: src/sys/net80211/ieee80211_crypto_tkip.c,v 1.9.2.2 2005/12/22 19:02:08 sam Exp $ 32 * $DragonFly: src/sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c,v 1.6 2007/09/15 07:19:23 sephe Exp $ 33 */ 34 35 /* 36 * IEEE 802.11i TKIP crypto support. 37 * 38 * Part of this module is derived from similar code in the Host 39 * AP driver. The code is used with the consent of the author and 40 * it's license is included below. 41 */ 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/malloc.h> 46 #include <sys/kernel.h> 47 #include <sys/module.h> 48 #include <sys/endian.h> 49 50 #include <sys/socket.h> 51 52 #include <net/if.h> 53 #include <net/if_arp.h> 54 #include <net/if_media.h> 55 #include <net/ethernet.h> 56 57 #include <netproto/802_11/ieee80211_var.h> 58 59 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *); 60 static void tkip_detach(struct ieee80211_key *); 61 static int tkip_setkey(struct ieee80211_key *); 62 static int tkip_encap(struct ieee80211_key *, struct mbuf *m, uint8_t keyid); 63 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 64 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 65 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 66 static int tkip_getiv(struct ieee80211_key *, struct ieee80211_crypto_iv *, 67 uint8_t); 68 static int tkip_update(struct ieee80211_key *, 69 const struct ieee80211_crypto_iv *, 70 const struct ieee80211_frame *); 71 72 static const struct ieee80211_cipher tkip = { 73 .ic_name = "TKIP", 74 .ic_cipher = IEEE80211_CIPHER_TKIP, 75 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 76 IEEE80211_WEP_EXTIVLEN, 77 .ic_trailer = IEEE80211_WEP_CRCLEN, 78 .ic_miclen = IEEE80211_WEP_MICLEN, 79 .ic_attach = tkip_attach, 80 .ic_detach = tkip_detach, 81 .ic_setkey = tkip_setkey, 82 .ic_encap = tkip_encap, 83 .ic_decap = tkip_decap, 84 .ic_enmic = tkip_enmic, 85 .ic_demic = tkip_demic, 86 .ic_getiv = tkip_getiv, 87 .ic_update = tkip_update 88 }; 89 90 #define memmove(dst, src, n) ovbcopy(src, dst, n) 91 92 struct tkip_ctx { 93 struct ieee80211com *tc_ic; /* for diagnostics */ 94 95 uint16_t tx_ttak[5]; 96 int tx_phase1_done; 97 uint8_t tx_rc4key[16]; /* XXX for test module; make locals? */ 98 99 uint16_t rx_ttak[5]; 100 int rx_phase1_done; 101 uint8_t rx_rc4key[16]; /* XXX for test module; make locals? */ 102 uint64_t rx_rsc; /* held until MIC verified */ 103 }; 104 105 static void michael_mic(struct tkip_ctx *, const uint8_t *key, 106 struct mbuf *m, u_int off, size_t data_len, 107 uint8_t mic[IEEE80211_WEP_MICLEN]); 108 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 109 struct mbuf *, int hdr_len); 110 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 111 struct mbuf *, int hdr_len); 112 113 /* number of references from net80211 layer */ 114 static int nrefs = 0; 115 116 static void * 117 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k) 118 { 119 struct tkip_ctx *ctx; 120 121 ctx = kmalloc(sizeof(struct tkip_ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 122 if (ctx == NULL) { 123 ic->ic_stats.is_crypto_nomem++; 124 return NULL; 125 } 126 127 ctx->tc_ic = ic; 128 nrefs++; /* NB: we assume caller locking */ 129 return ctx; 130 } 131 132 static void 133 tkip_detach(struct ieee80211_key *k) 134 { 135 struct tkip_ctx *ctx = k->wk_private; 136 137 kfree(ctx, M_DEVBUF); 138 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 139 nrefs--; /* NB: we assume caller locking */ 140 } 141 142 static int 143 tkip_setkey(struct ieee80211_key *k) 144 { 145 struct tkip_ctx *ctx = k->wk_private; 146 147 if (k->wk_keylen != (128/NBBY)) { 148 (void) ctx; /* XXX */ 149 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 150 "%s: Invalid key length %u, expecting %u\n", 151 __func__, k->wk_keylen, 128/NBBY); 152 return 0; 153 } 154 k->wk_keytsc = 1; /* TSC starts at 1 */ 155 return 1; 156 } 157 158 /* 159 * Add privacy headers and do any s/w encryption required. 160 */ 161 static int 162 tkip_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 163 { 164 struct tkip_ctx *ctx = k->wk_private; 165 struct ieee80211com *ic = ctx->tc_ic; 166 uint8_t *ivp; 167 int hdrlen; 168 169 /* 170 * Handle TKIP counter measures requirement. 171 */ 172 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 173 #ifdef IEEE80211_DEBUG 174 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 175 #endif 176 177 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 178 "[%6D] Discard frame due to countermeasures (%s)\n", 179 wh->i_addr2, ":", __func__); 180 ic->ic_stats.is_crypto_tkipcm++; 181 return 0; 182 } 183 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 184 185 /* 186 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 187 */ 188 M_PREPEND(m, tkip.ic_header, MB_DONTWAIT); 189 if (m == NULL) 190 return 0; 191 ivp = mtod(m, uint8_t *); 192 memmove(ivp, ivp + tkip.ic_header, hdrlen); 193 ivp += hdrlen; 194 195 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 196 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 197 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 198 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 199 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 200 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 201 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 202 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 203 204 /* 205 * Finally, do software encrypt if neeed. 206 */ 207 if (k->wk_flags & IEEE80211_KEY_SWCRYPT) { 208 if (!tkip_encrypt(ctx, k, m, hdrlen)) 209 return 0; 210 /* NB: tkip_encrypt handles wk_keytsc */ 211 } else 212 k->wk_keytsc++; 213 214 return 1; 215 } 216 217 static int 218 tkip_getiv(struct ieee80211_key *k, struct ieee80211_crypto_iv *iv, 219 uint8_t keyid) 220 { 221 struct tkip_ctx *ctx = k->wk_private; 222 struct ieee80211com *ic = ctx->tc_ic; 223 uint8_t *ivp = (uint8_t *)iv; 224 225 /* 226 * Handle TKIP counter measures requirement. 227 */ 228 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 229 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 230 "Discard frame due to countermeasures (%s)\n", 231 __func__); 232 ic->ic_stats.is_crypto_tkipcm++; 233 return 0; 234 } 235 236 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 237 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 238 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 239 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 240 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 241 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 242 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 243 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 244 245 k->wk_keytsc++; 246 return 1; 247 } 248 249 /* 250 * Add MIC to the frame as needed. 251 */ 252 static int 253 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 254 { 255 struct tkip_ctx *ctx = k->wk_private; 256 257 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 258 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 259 struct ieee80211com *ic = ctx->tc_ic; 260 int hdrlen; 261 uint8_t mic[IEEE80211_WEP_MICLEN]; 262 263 ic->ic_stats.is_crypto_tkipenmic++; 264 265 hdrlen = ieee80211_hdrspace(ic, wh); 266 267 michael_mic(ctx, k->wk_txmic, 268 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 269 return ieee80211_mbuf_append(m, tkip.ic_miclen, mic); 270 } 271 return 1; 272 } 273 274 static __inline uint64_t 275 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 276 { 277 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 278 uint16_t iv16 = (b4 << 0) | (b5 << 8); 279 return (((uint64_t)iv16) << 32) | iv32; 280 } 281 282 /* 283 * Validate and strip privacy headers (and trailer) for a 284 * received frame. If necessary, decrypt the frame using 285 * the specified key. 286 */ 287 static int 288 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 289 { 290 struct tkip_ctx *ctx = k->wk_private; 291 struct ieee80211com *ic = ctx->tc_ic; 292 struct ieee80211_frame *wh; 293 uint8_t *ivp; 294 295 /* 296 * Header should have extended IV and sequence number; 297 * verify the former and validate the latter. 298 */ 299 wh = mtod(m, struct ieee80211_frame *); 300 ivp = mtod(m, uint8_t *) + hdrlen; 301 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 302 /* 303 * No extended IV; discard frame. 304 */ 305 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 306 "[%6D] missing ExtIV for TKIP cipher\n", 307 wh->i_addr2, ":"); 308 ctx->tc_ic->ic_stats.is_rx_tkipformat++; 309 return 0; 310 } 311 /* 312 * Handle TKIP counter measures requirement. 313 */ 314 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 315 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 316 "[%6D] discard frame due to countermeasures (%s)\n", 317 wh->i_addr2, ":", __func__); 318 ic->ic_stats.is_crypto_tkipcm++; 319 return 0; 320 } 321 322 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 323 if (ctx->rx_rsc <= k->wk_keyrsc) { 324 /* 325 * Replay violation; notify upper layer. 326 */ 327 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc); 328 ctx->tc_ic->ic_stats.is_rx_tkipreplay++; 329 return 0; 330 } 331 /* 332 * NB: We can't update the rsc in the key until MIC is verified. 333 * 334 * We assume we are not preempted between doing the check above 335 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 336 * Otherwise we might process another packet and discard it as 337 * a replay. 338 */ 339 340 /* 341 * Check if the device handled the decrypt in hardware. 342 * If so we just strip the header; otherwise we need to 343 * handle the decrypt in software. 344 */ 345 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) && 346 !tkip_decrypt(ctx, k, m, hdrlen)) 347 return 0; 348 349 /* 350 * Copy up 802.11 header and strip crypto bits. 351 */ 352 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), hdrlen); 353 m_adj(m, tkip.ic_header); 354 m_adj(m, -tkip.ic_trailer); 355 356 return 1; 357 } 358 359 static int 360 tkip_update(struct ieee80211_key *k, const struct ieee80211_crypto_iv *iv, 361 const struct ieee80211_frame *wh) 362 { 363 struct tkip_ctx *ctx = k->wk_private; 364 struct ieee80211com *ic = ctx->tc_ic; 365 const uint8_t *ivp = (const uint8_t *)iv; 366 367 /* 368 * Header should have extended IV and sequence number; 369 * verify the former and validate the latter. 370 */ 371 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 372 /* 373 * No extended IV; discard frame. 374 */ 375 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 376 "[%6D] missing ExtIV for TKIP cipher\n", 377 wh->i_addr2, ":"); 378 ctx->tc_ic->ic_stats.is_rx_tkipformat++; 379 return 0; 380 } 381 /* 382 * Handle TKIP counter measures requirement. 383 */ 384 if (ic->ic_flags & IEEE80211_F_COUNTERM) { 385 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 386 "[%6D] discard frame due to countermeasures (%s)\n", 387 wh->i_addr2, ":", __func__); 388 ic->ic_stats.is_crypto_tkipcm++; 389 return 0; 390 } 391 392 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 393 if (ctx->rx_rsc <= k->wk_keyrsc) { 394 /* 395 * Replay violation; notify upper layer. 396 */ 397 ieee80211_notify_replay_failure(ctx->tc_ic, wh, k, ctx->rx_rsc); 398 ctx->tc_ic->ic_stats.is_rx_tkipreplay++; 399 return 0; 400 } 401 402 /* 403 * NB: We can't update the rsc in the key until MIC is verified. 404 * 405 * We assume we are not preempted between doing the check above 406 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 407 * Otherwise we might process another packet and discard it as 408 * a replay. 409 */ 410 return 1; 411 } 412 413 /* 414 * Verify and strip MIC from the frame. 415 */ 416 static int 417 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 418 { 419 struct tkip_ctx *ctx = k->wk_private; 420 421 if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) { 422 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 423 struct ieee80211com *ic = ctx->tc_ic; 424 int hdrlen = ieee80211_hdrspace(ic, wh); 425 uint8_t mic[IEEE80211_WEP_MICLEN]; 426 uint8_t mic0[IEEE80211_WEP_MICLEN]; 427 428 ic->ic_stats.is_crypto_tkipdemic++; 429 430 michael_mic(ctx, k->wk_rxmic, 431 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 432 mic); 433 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 434 tkip.ic_miclen, (caddr_t)mic0); 435 if (memcmp(mic, mic0, tkip.ic_miclen)) { 436 /* NB: 802.11 layer handles statistic and debug msg */ 437 ieee80211_notify_michael_failure(ic, wh, 438 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 439 k->wk_rxkeyix : k->wk_keyix); 440 return 0; 441 } 442 } 443 444 if (force || (k->wk_flags & IEEE80211_KEY_NOMIC) == 0) { 445 /* 446 * Strip MIC from the tail. 447 */ 448 m_adj(m, -tkip.ic_miclen); 449 } 450 451 /* 452 * Ok to update rsc now that MIC has been verified. 453 */ 454 k->wk_keyrsc = ctx->rx_rsc; 455 456 return 1; 457 } 458 459 /* 460 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 461 * 462 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 463 * 464 * This program is free software; you can redistribute it and/or modify 465 * it under the terms of the GNU General Public License version 2 as 466 * published by the Free Software Foundation. See README and COPYING for 467 * more details. 468 * 469 * Alternatively, this software may be distributed under the terms of BSD 470 * license. 471 */ 472 473 static const uint32_t crc32_table[256] = { 474 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 475 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 476 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 477 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 478 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 479 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 480 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 481 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 482 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 483 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 484 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 485 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 486 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 487 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 488 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 489 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 490 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 491 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 492 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 493 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 494 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 495 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 496 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 497 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 498 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 499 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 500 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 501 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 502 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 503 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 504 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 505 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 506 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 507 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 508 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 509 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 510 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 511 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 512 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 513 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 514 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 515 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 516 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 517 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 518 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 519 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 520 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 521 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 522 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 523 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 524 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 525 0x2d02ef8dL 526 }; 527 528 static __inline uint16_t 529 RotR1(uint16_t val) 530 { 531 return (val >> 1) | (val << 15); 532 } 533 534 static __inline uint8_t 535 Lo8(uint16_t val) 536 { 537 return val & 0xff; 538 } 539 540 static __inline uint8_t 541 Hi8(uint16_t val) 542 { 543 return val >> 8; 544 } 545 546 static __inline uint16_t 547 Lo16(uint32_t val) 548 { 549 return val & 0xffff; 550 } 551 552 static __inline uint16_t 553 Hi16(uint32_t val) 554 { 555 return val >> 16; 556 } 557 558 static __inline uint16_t 559 Mk16(uint8_t hi, uint8_t lo) 560 { 561 return lo | (((uint16_t) hi) << 8); 562 } 563 564 static __inline uint16_t 565 Mk16_le(const uint16_t *v) 566 { 567 return le16toh(*v); 568 } 569 570 static const uint16_t Sbox[256] = { 571 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 572 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 573 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 574 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 575 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 576 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 577 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 578 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 579 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 580 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 581 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 582 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 583 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 584 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 585 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 586 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 587 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 588 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 589 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 590 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 591 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 592 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 593 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 594 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 595 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 596 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 597 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 598 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 599 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 600 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 601 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 602 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 603 }; 604 605 static __inline uint16_t 606 _S_(uint16_t v) 607 { 608 uint16_t t = Sbox[Hi8(v)]; 609 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 610 } 611 612 #define PHASE1_LOOP_COUNT 8 613 614 static void 615 tkip_mixing_phase1(uint16_t *TTAK, const uint8_t *TK, const uint8_t *TA, 616 uint32_t IV32) 617 { 618 int i, j; 619 620 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 621 TTAK[0] = Lo16(IV32); 622 TTAK[1] = Hi16(IV32); 623 TTAK[2] = Mk16(TA[1], TA[0]); 624 TTAK[3] = Mk16(TA[3], TA[2]); 625 TTAK[4] = Mk16(TA[5], TA[4]); 626 627 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 628 j = 2 * (i & 1); 629 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 630 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 631 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 632 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 633 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 634 } 635 } 636 637 #ifndef _BYTE_ORDER 638 #error "Don't know native byte order" 639 #endif 640 641 static void 642 tkip_mixing_phase2(uint8_t *WEPSeed, const uint8_t *TK, const uint16_t *TTAK, 643 uint16_t IV16) 644 { 645 /* Make temporary area overlap WEP seed so that the final copy can be 646 * avoided on little endian hosts. */ 647 uint16_t *PPK = (uint16_t *) &WEPSeed[4]; 648 649 /* Step 1 - make copy of TTAK and bring in TSC */ 650 PPK[0] = TTAK[0]; 651 PPK[1] = TTAK[1]; 652 PPK[2] = TTAK[2]; 653 PPK[3] = TTAK[3]; 654 PPK[4] = TTAK[4]; 655 PPK[5] = TTAK[4] + IV16; 656 657 /* Step 2 - 96-bit bijective mixing using S-box */ 658 PPK[0] += _S_(PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])); 659 PPK[1] += _S_(PPK[0] ^ Mk16_le((const uint16_t *) &TK[2])); 660 PPK[2] += _S_(PPK[1] ^ Mk16_le((const uint16_t *) &TK[4])); 661 PPK[3] += _S_(PPK[2] ^ Mk16_le((const uint16_t *) &TK[6])); 662 PPK[4] += _S_(PPK[3] ^ Mk16_le((const uint16_t *) &TK[8])); 663 PPK[5] += _S_(PPK[4] ^ Mk16_le((const uint16_t *) &TK[10])); 664 665 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const uint16_t *) &TK[12])); 666 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const uint16_t *) &TK[14])); 667 PPK[2] += RotR1(PPK[1]); 668 PPK[3] += RotR1(PPK[2]); 669 PPK[4] += RotR1(PPK[3]); 670 PPK[5] += RotR1(PPK[4]); 671 672 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 673 * WEPSeed[0..2] is transmitted as WEP IV */ 674 WEPSeed[0] = Hi8(IV16); 675 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 676 WEPSeed[2] = Lo8(IV16); 677 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])) >> 1); 678 679 #if _BYTE_ORDER == _BIG_ENDIAN 680 { 681 int i; 682 for (i = 0; i < 6; i++) 683 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 684 } 685 #endif 686 } 687 688 static void 689 wep_encrypt(uint8_t *key, struct mbuf *m0, u_int off, size_t data_len, 690 uint8_t icv[IEEE80211_WEP_CRCLEN]) 691 { 692 uint32_t i, j, k, crc; 693 size_t buflen; 694 uint8_t S[256]; 695 uint8_t *pos; 696 struct mbuf *m; 697 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 698 699 /* Setup RC4 state */ 700 for (i = 0; i < 256; i++) 701 S[i] = i; 702 j = 0; 703 for (i = 0; i < 256; i++) { 704 j = (j + S[i] + key[i & 0x0f]) & 0xff; 705 S_SWAP(i, j); 706 } 707 708 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 709 crc = ~0; 710 i = j = 0; 711 m = m0; 712 pos = mtod(m, uint8_t *) + off; 713 buflen = m->m_len - off; 714 for (;;) { 715 if (buflen > data_len) 716 buflen = data_len; 717 data_len -= buflen; 718 for (k = 0; k < buflen; k++) { 719 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 720 i = (i + 1) & 0xff; 721 j = (j + S[i]) & 0xff; 722 S_SWAP(i, j); 723 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 724 } 725 m = m->m_next; 726 if (m == NULL) { 727 KASSERT(data_len == 0, 728 ("out of buffers with data_len %zu\n", data_len)); 729 break; 730 } 731 pos = mtod(m, uint8_t *); 732 buflen = m->m_len; 733 } 734 crc = ~crc; 735 736 /* Append little-endian CRC32 and encrypt it to produce ICV */ 737 icv[0] = crc; 738 icv[1] = crc >> 8; 739 icv[2] = crc >> 16; 740 icv[3] = crc >> 24; 741 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 742 i = (i + 1) & 0xff; 743 j = (j + S[i]) & 0xff; 744 S_SWAP(i, j); 745 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 746 } 747 } 748 749 static int 750 wep_decrypt(uint8_t *key, struct mbuf *m, u_int off, size_t data_len) 751 { 752 uint32_t i, j, k, crc; 753 uint8_t S[256]; 754 uint8_t *pos, icv[4]; 755 size_t buflen; 756 757 /* Setup RC4 state */ 758 for (i = 0; i < 256; i++) 759 S[i] = i; 760 j = 0; 761 for (i = 0; i < 256; i++) { 762 j = (j + S[i] + key[i & 0x0f]) & 0xff; 763 S_SWAP(i, j); 764 } 765 766 /* Apply RC4 to data and compute CRC32 over decrypted data */ 767 crc = ~0; 768 i = j = 0; 769 pos = mtod(m, uint8_t *) + off; 770 buflen = m->m_len - off; 771 for (;;) { 772 if (buflen > data_len) 773 buflen = data_len; 774 data_len -= buflen; 775 for (k = 0; k < buflen; k++) { 776 i = (i + 1) & 0xff; 777 j = (j + S[i]) & 0xff; 778 S_SWAP(i, j); 779 *pos ^= S[(S[i] + S[j]) & 0xff]; 780 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 781 pos++; 782 } 783 m = m->m_next; 784 if (m == NULL) { 785 KASSERT(data_len == 0, 786 ("out of buffers with data_len %zu\n", data_len)); 787 break; 788 } 789 pos = mtod(m, uint8_t *); 790 buflen = m->m_len; 791 } 792 crc = ~crc; 793 794 /* Encrypt little-endian CRC32 and verify that it matches with the 795 * received ICV */ 796 icv[0] = crc; 797 icv[1] = crc >> 8; 798 icv[2] = crc >> 16; 799 icv[3] = crc >> 24; 800 for (k = 0; k < 4; k++) { 801 i = (i + 1) & 0xff; 802 j = (j + S[i]) & 0xff; 803 S_SWAP(i, j); 804 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 805 /* ICV mismatch - drop frame */ 806 return -1; 807 } 808 } 809 810 return 0; 811 } 812 813 814 static __inline uint32_t 815 rotl(uint32_t val, int bits) 816 { 817 return (val << bits) | (val >> (32 - bits)); 818 } 819 820 821 static __inline uint32_t 822 rotr(uint32_t val, int bits) 823 { 824 return (val >> bits) | (val << (32 - bits)); 825 } 826 827 828 static __inline uint32_t 829 xswap(uint32_t val) 830 { 831 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 832 } 833 834 835 #define michael_block(l, r) \ 836 do { \ 837 r ^= rotl(l, 17); \ 838 l += r; \ 839 r ^= xswap(l); \ 840 l += r; \ 841 r ^= rotl(l, 3); \ 842 l += r; \ 843 r ^= rotr(l, 2); \ 844 l += r; \ 845 } while (0) 846 847 848 static __inline uint32_t 849 get_le32_split(uint8_t b0, uint8_t b1, uint8_t b2, 850 uint8_t b3) 851 { 852 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 853 } 854 855 static __inline uint32_t 856 get_le32(const uint8_t *p) 857 { 858 return get_le32_split(p[0], p[1], p[2], p[3]); 859 } 860 861 862 static __inline void 863 put_le32(uint8_t *p, uint32_t v) 864 { 865 p[0] = v; 866 p[1] = v >> 8; 867 p[2] = v >> 16; 868 p[3] = v >> 24; 869 } 870 871 /* 872 * Craft pseudo header used to calculate the MIC. 873 */ 874 static void 875 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 876 { 877 const struct ieee80211_frame_addr4 *wh = 878 (const struct ieee80211_frame_addr4 *) wh0; 879 880 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 881 case IEEE80211_FC1_DIR_NODS: 882 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 883 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 884 break; 885 case IEEE80211_FC1_DIR_TODS: 886 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 887 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 888 break; 889 case IEEE80211_FC1_DIR_FROMDS: 890 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 891 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 892 break; 893 case IEEE80211_FC1_DIR_DSTODS: 894 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 895 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 896 break; 897 } 898 899 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 900 const struct ieee80211_qosframe *qwh = 901 (const struct ieee80211_qosframe *) wh; 902 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 903 } else 904 hdr[12] = 0; 905 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 906 } 907 908 static void 909 michael_mic(struct tkip_ctx *ctx, const uint8_t *key, 910 struct mbuf *m, u_int off, size_t data_len, 911 uint8_t mic[IEEE80211_WEP_MICLEN]) 912 { 913 uint8_t hdr[16]; 914 uint32_t l, r; 915 const uint8_t *data; 916 u_int space; 917 918 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 919 920 l = get_le32(key); 921 r = get_le32(key + 4); 922 923 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 924 l ^= get_le32(hdr); 925 michael_block(l, r); 926 l ^= get_le32(&hdr[4]); 927 michael_block(l, r); 928 l ^= get_le32(&hdr[8]); 929 michael_block(l, r); 930 l ^= get_le32(&hdr[12]); 931 michael_block(l, r); 932 933 /* first buffer has special handling */ 934 data = mtod(m, const uint8_t *) + off; 935 space = m->m_len - off; 936 for (;;) { 937 if (space > data_len) 938 space = data_len; 939 /* collect 32-bit blocks from current buffer */ 940 while (space >= sizeof(uint32_t)) { 941 l ^= get_le32(data); 942 michael_block(l, r); 943 data += sizeof(uint32_t), space -= sizeof(uint32_t); 944 data_len -= sizeof(uint32_t); 945 } 946 if (data_len < sizeof(uint32_t)) 947 break; 948 m = m->m_next; 949 if (m == NULL) { 950 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 951 break; 952 } 953 if (space != 0) { 954 const uint8_t *data_next; 955 /* 956 * Block straddles buffers, split references. 957 */ 958 data_next = mtod(m, const uint8_t *); 959 KASSERT(m->m_len >= sizeof(uint32_t) - space, 960 ("not enough data in following buffer, " 961 "m_len %u need %zu\n", m->m_len, 962 sizeof(uint32_t) - space)); 963 switch (space) { 964 case 1: 965 l ^= get_le32_split(data[0], data_next[0], 966 data_next[1], data_next[2]); 967 data = data_next + 3; 968 space = m->m_len - 3; 969 break; 970 case 2: 971 l ^= get_le32_split(data[0], data[1], 972 data_next[0], data_next[1]); 973 data = data_next + 2; 974 space = m->m_len - 2; 975 break; 976 case 3: 977 l ^= get_le32_split(data[0], data[1], 978 data[2], data_next[0]); 979 data = data_next + 1; 980 space = m->m_len - 1; 981 break; 982 } 983 michael_block(l, r); 984 data_len -= sizeof(uint32_t); 985 } else { 986 /* 987 * Setup for next buffer. 988 */ 989 data = mtod(m, const uint8_t *); 990 space = m->m_len; 991 } 992 } 993 /* Last block and padding (0x5a, 4..7 x 0) */ 994 switch (data_len) { 995 case 0: 996 l ^= get_le32_split(0x5a, 0, 0, 0); 997 break; 998 case 1: 999 l ^= get_le32_split(data[0], 0x5a, 0, 0); 1000 break; 1001 case 2: 1002 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 1003 break; 1004 case 3: 1005 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 1006 break; 1007 } 1008 michael_block(l, r); 1009 /* l ^= 0; */ 1010 michael_block(l, r); 1011 1012 put_le32(mic, l); 1013 put_le32(mic + 4, r); 1014 } 1015 1016 static int 1017 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1018 struct mbuf *m, int hdrlen) 1019 { 1020 struct ieee80211_frame *wh; 1021 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1022 1023 ctx->tc_ic->ic_stats.is_crypto_tkip++; 1024 1025 wh = mtod(m, struct ieee80211_frame *); 1026 if (!ctx->tx_phase1_done) { 1027 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1028 (uint32_t)(key->wk_keytsc >> 16)); 1029 ctx->tx_phase1_done = 1; 1030 } 1031 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1032 (uint16_t)key->wk_keytsc); 1033 1034 wep_encrypt(ctx->tx_rc4key, 1035 m, hdrlen + tkip.ic_header, 1036 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1037 icv); 1038 1039 /* XXX check return */ 1040 ieee80211_mbuf_append(m, IEEE80211_WEP_CRCLEN, icv); 1041 1042 key->wk_keytsc++; 1043 if ((uint16_t)(key->wk_keytsc) == 0) 1044 ctx->tx_phase1_done = 0; 1045 return 1; 1046 } 1047 1048 static int 1049 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1050 struct mbuf *m, int hdrlen) 1051 { 1052 struct ieee80211_frame *wh; 1053 uint32_t iv32; 1054 uint16_t iv16; 1055 1056 ctx->tc_ic->ic_stats.is_crypto_tkip++; 1057 1058 wh = mtod(m, struct ieee80211_frame *); 1059 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1060 iv16 = (uint16_t)ctx->rx_rsc; 1061 iv32 = (uint32_t)(ctx->rx_rsc >> 16); 1062 1063 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) { 1064 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1065 wh->i_addr2, iv32); 1066 ctx->rx_phase1_done = 1; 1067 } 1068 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1069 1070 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1071 if (wep_decrypt(ctx->rx_rc4key, 1072 m, hdrlen + tkip.ic_header, 1073 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1074 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16)) { 1075 /* Previously cached Phase1 result was already lost, so 1076 * it needs to be recalculated for the next packet. */ 1077 ctx->rx_phase1_done = 0; 1078 } 1079 IEEE80211_DPRINTF(ctx->tc_ic, IEEE80211_MSG_CRYPTO, 1080 "[%6D] TKIP ICV mismatch on decrypt\n", 1081 wh->i_addr2, ":"); 1082 ctx->tc_ic->ic_stats.is_rx_tkipicv++; 1083 return 0; 1084 } 1085 return 1; 1086 } 1087 1088 /* 1089 * Module glue. 1090 */ 1091 static int 1092 tkip_modevent(module_t mod, int type, void *unused) 1093 { 1094 switch (type) { 1095 case MOD_LOAD: 1096 ieee80211_crypto_register(&tkip); 1097 return 0; 1098 case MOD_UNLOAD: 1099 if (nrefs) { 1100 kprintf("wlan_tkip: still in use (%u dynamic refs)\n", 1101 nrefs); 1102 return EBUSY; 1103 } 1104 ieee80211_crypto_unregister(&tkip); 1105 return 0; 1106 } 1107 return EINVAL; 1108 } 1109 1110 static moduledata_t tkip_mod = { 1111 "wlan_tkip", 1112 tkip_modevent, 1113 0 1114 }; 1115 DECLARE_MODULE(wlan_tkip, tkip_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST); 1116 MODULE_VERSION(wlan_tkip, 1); 1117 MODULE_DEPEND(wlan_tkip, wlan, 1, 1, 1); 1118