1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 /* 32 * IEEE 802.11i TKIP crypto support. 33 * 34 * Part of this module is derived from similar code in the Host 35 * AP driver. The code is used with the consent of the author and 36 * it's license is included below. 37 */ 38 #include "opt_wlan.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/malloc.h> 44 #include <sys/kernel.h> 45 #include <sys/module.h> 46 #include <sys/endian.h> 47 48 #include <sys/socket.h> 49 50 #include <net/if.h> 51 #include <net/if_media.h> 52 #include <net/ethernet.h> 53 54 #include <net80211/ieee80211_var.h> 55 56 static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 57 static void tkip_detach(struct ieee80211_key *); 58 static int tkip_setkey(struct ieee80211_key *); 59 static void tkip_setiv(struct ieee80211_key *, uint8_t *); 60 static int tkip_encap(struct ieee80211_key *, struct mbuf *); 61 static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 62 static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 63 static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 64 65 static const struct ieee80211_cipher tkip = { 66 .ic_name = "TKIP", 67 .ic_cipher = IEEE80211_CIPHER_TKIP, 68 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 69 IEEE80211_WEP_EXTIVLEN, 70 .ic_trailer = IEEE80211_WEP_CRCLEN, 71 .ic_miclen = IEEE80211_WEP_MICLEN, 72 .ic_attach = tkip_attach, 73 .ic_detach = tkip_detach, 74 .ic_setkey = tkip_setkey, 75 .ic_setiv = tkip_setiv, 76 .ic_encap = tkip_encap, 77 .ic_decap = tkip_decap, 78 .ic_enmic = tkip_enmic, 79 .ic_demic = tkip_demic, 80 }; 81 82 typedef uint8_t u8; 83 typedef uint16_t u16; 84 typedef uint32_t __u32; 85 typedef uint32_t u32; 86 87 struct tkip_ctx { 88 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 89 90 u16 tx_ttak[5]; 91 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 92 93 u16 rx_ttak[5]; 94 int rx_phase1_done; 95 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 96 uint64_t rx_rsc; /* held until MIC verified */ 97 }; 98 99 static void michael_mic(struct tkip_ctx *, const u8 *key, 100 struct mbuf *m, u_int off, size_t data_len, 101 u8 mic[IEEE80211_WEP_MICLEN]); 102 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 103 struct mbuf *, int hdr_len); 104 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 105 struct mbuf *, int hdr_len); 106 107 /* number of references from net80211 layer */ 108 static int nrefs = 0; 109 110 static void * 111 tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 112 { 113 struct tkip_ctx *ctx; 114 115 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 116 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 117 if (ctx == NULL) { 118 vap->iv_stats.is_crypto_nomem++; 119 return NULL; 120 } 121 122 ctx->tc_vap = vap; 123 nrefs++; /* NB: we assume caller locking */ 124 return ctx; 125 } 126 127 static void 128 tkip_detach(struct ieee80211_key *k) 129 { 130 struct tkip_ctx *ctx = k->wk_private; 131 132 IEEE80211_FREE(ctx, M_80211_CRYPTO); 133 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 134 nrefs--; /* NB: we assume caller locking */ 135 } 136 137 static int 138 tkip_setkey(struct ieee80211_key *k) 139 { 140 struct tkip_ctx *ctx = k->wk_private; 141 142 if (k->wk_keylen != (128/NBBY)) { 143 (void) ctx; /* XXX */ 144 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 145 "%s: Invalid key length %u, expecting %u\n", 146 __func__, k->wk_keylen, 128/NBBY); 147 return 0; 148 } 149 ctx->rx_phase1_done = 0; 150 return 1; 151 } 152 153 static void 154 tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 155 { 156 struct tkip_ctx *ctx = k->wk_private; 157 struct ieee80211vap *vap = ctx->tc_vap; 158 uint8_t keyid; 159 160 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 161 162 k->wk_keytsc++; 163 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 164 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 165 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 166 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 167 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 168 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 169 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 170 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 171 } 172 173 /* 174 * Add privacy headers and do any s/w encryption required. 175 */ 176 static int 177 tkip_encap(struct ieee80211_key *k, struct mbuf *m) 178 { 179 struct tkip_ctx *ctx = k->wk_private; 180 struct ieee80211vap *vap = ctx->tc_vap; 181 struct ieee80211com *ic = vap->iv_ic; 182 struct ieee80211_frame *wh; 183 uint8_t *ivp; 184 int hdrlen; 185 int is_mgmt; 186 187 wh = mtod(m, struct ieee80211_frame *); 188 is_mgmt = IEEE80211_IS_MGMT(wh); 189 190 /* 191 * Handle TKIP counter measures requirement. 192 */ 193 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 194 #ifdef IEEE80211_DEBUG 195 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 196 #endif 197 198 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 199 "discard frame due to countermeasures (%s)", __func__); 200 vap->iv_stats.is_crypto_tkipcm++; 201 return 0; 202 } 203 204 /* 205 * Check to see whether IV needs to be included. 206 */ 207 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) 208 return 1; 209 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) 210 return 1; 211 212 213 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 214 215 /* 216 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 217 */ 218 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 219 if (m == NULL) 220 return 0; 221 ivp = mtod(m, uint8_t *); 222 memmove(ivp, ivp + tkip.ic_header, hdrlen); 223 ivp += hdrlen; 224 225 tkip_setiv(k, ivp); 226 227 /* 228 * Finally, do software encrypt if needed. 229 */ 230 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 231 !tkip_encrypt(ctx, k, m, hdrlen)) 232 return 0; 233 234 return 1; 235 } 236 237 /* 238 * Add MIC to the frame as needed. 239 */ 240 static int 241 tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 242 { 243 struct tkip_ctx *ctx = k->wk_private; 244 struct ieee80211_frame *wh; 245 int is_mgmt; 246 247 wh = mtod(m, struct ieee80211_frame *); 248 is_mgmt = IEEE80211_IS_MGMT(wh); 249 250 /* 251 * Check to see whether MIC needs to be included. 252 */ 253 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) 254 return 1; 255 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) 256 return 1; 257 258 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 259 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 260 struct ieee80211vap *vap = ctx->tc_vap; 261 struct ieee80211com *ic = vap->iv_ic; 262 int hdrlen; 263 uint8_t mic[IEEE80211_WEP_MICLEN]; 264 265 vap->iv_stats.is_crypto_tkipenmic++; 266 267 hdrlen = ieee80211_hdrspace(ic, wh); 268 269 michael_mic(ctx, k->wk_txmic, 270 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 271 return m_append(m, tkip.ic_miclen, mic); 272 } 273 return 1; 274 } 275 276 static __inline uint64_t 277 READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 278 { 279 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 280 uint16_t iv16 = (b4 << 0) | (b5 << 8); 281 return (((uint64_t)iv16) << 32) | iv32; 282 } 283 284 /* 285 * Validate and strip privacy headers (and trailer) for a 286 * received frame. If necessary, decrypt the frame using 287 * the specified key. 288 */ 289 static int 290 tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 291 { 292 const struct ieee80211_rx_stats *rxs; 293 struct tkip_ctx *ctx = k->wk_private; 294 struct ieee80211vap *vap = ctx->tc_vap; 295 struct ieee80211_frame *wh; 296 uint8_t *ivp, tid; 297 298 rxs = ieee80211_get_rx_params_ptr(m); 299 300 /* 301 * If IV has been stripped, we skip most of the below. 302 */ 303 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) 304 goto finish; 305 306 /* 307 * Header should have extended IV and sequence number; 308 * verify the former and validate the latter. 309 */ 310 wh = mtod(m, struct ieee80211_frame *); 311 ivp = mtod(m, uint8_t *) + hdrlen; 312 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 313 /* 314 * No extended IV; discard frame. 315 */ 316 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 317 "%s", "missing ExtIV for TKIP cipher"); 318 vap->iv_stats.is_rx_tkipformat++; 319 return 0; 320 } 321 /* 322 * Handle TKIP counter measures requirement. 323 */ 324 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 325 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 326 "discard frame due to countermeasures (%s)", __func__); 327 vap->iv_stats.is_crypto_tkipcm++; 328 return 0; 329 } 330 331 tid = ieee80211_gettid(wh); 332 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 333 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 334 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 335 /* 336 * Replay violation; notify upper layer. 337 */ 338 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 339 vap->iv_stats.is_rx_tkipreplay++; 340 return 0; 341 } 342 /* 343 * NB: We can't update the rsc in the key until MIC is verified. 344 * 345 * We assume we are not preempted between doing the check above 346 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 347 * Otherwise we might process another packet and discard it as 348 * a replay. 349 */ 350 351 /* 352 * Check if the device handled the decrypt in hardware. 353 * If so we just strip the header; otherwise we need to 354 * handle the decrypt in software. 355 */ 356 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 357 !tkip_decrypt(ctx, k, m, hdrlen)) 358 return 0; 359 360 finish: 361 362 /* 363 * Copy up 802.11 header and strip crypto bits - but only if we 364 * are required to. 365 */ 366 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { 367 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), 368 hdrlen); 369 m_adj(m, tkip.ic_header); 370 } 371 372 /* 373 * XXX TODO: do we need an option to potentially not strip the 374 * WEP trailer? Does "MMIC_STRIP" also mean this? Or? 375 */ 376 m_adj(m, -tkip.ic_trailer); 377 378 return 1; 379 } 380 381 /* 382 * Verify and strip MIC from the frame. 383 */ 384 static int 385 tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 386 { 387 const struct ieee80211_rx_stats *rxs; 388 struct tkip_ctx *ctx = k->wk_private; 389 struct ieee80211_frame *wh; 390 uint8_t tid; 391 392 wh = mtod(m, struct ieee80211_frame *); 393 rxs = ieee80211_get_rx_params_ptr(m); 394 395 /* 396 * If we are told about a MIC failure from the driver, 397 * directly notify as a michael failure to the upper 398 * layers. 399 */ 400 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { 401 struct ieee80211vap *vap = ctx->tc_vap; 402 ieee80211_notify_michael_failure(vap, wh, 403 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 404 k->wk_rxkeyix : k->wk_keyix); 405 return 0; 406 } 407 408 /* 409 * If IV has been stripped, we skip most of the below. 410 */ 411 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) 412 goto finish; 413 414 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 415 struct ieee80211vap *vap = ctx->tc_vap; 416 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 417 u8 mic[IEEE80211_WEP_MICLEN]; 418 u8 mic0[IEEE80211_WEP_MICLEN]; 419 420 vap->iv_stats.is_crypto_tkipdemic++; 421 422 michael_mic(ctx, k->wk_rxmic, 423 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 424 mic); 425 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 426 tkip.ic_miclen, mic0); 427 if (memcmp(mic, mic0, tkip.ic_miclen)) { 428 /* NB: 802.11 layer handles statistic and debug msg */ 429 ieee80211_notify_michael_failure(vap, wh, 430 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 431 k->wk_rxkeyix : k->wk_keyix); 432 return 0; 433 } 434 } 435 /* 436 * Strip MIC from the tail. 437 */ 438 m_adj(m, -tkip.ic_miclen); 439 440 /* 441 * Ok to update rsc now that MIC has been verified. 442 */ 443 tid = ieee80211_gettid(wh); 444 k->wk_keyrsc[tid] = ctx->rx_rsc; 445 446 finish: 447 return 1; 448 } 449 450 /* 451 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 452 * 453 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 454 * 455 * This program is free software; you can redistribute it and/or modify 456 * it under the terms of the GNU General Public License version 2 as 457 * published by the Free Software Foundation. See README and COPYING for 458 * more details. 459 * 460 * Alternatively, this software may be distributed under the terms of BSD 461 * license. 462 */ 463 464 static const __u32 crc32_table[256] = { 465 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 466 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 467 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 468 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 469 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 470 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 471 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 472 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 473 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 474 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 475 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 476 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 477 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 478 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 479 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 480 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 481 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 482 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 483 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 484 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 485 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 486 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 487 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 488 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 489 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 490 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 491 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 492 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 493 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 494 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 495 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 496 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 497 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 498 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 499 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 500 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 501 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 502 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 503 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 504 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 505 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 506 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 507 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 508 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 509 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 510 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 511 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 512 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 513 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 514 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 515 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 516 0x2d02ef8dL 517 }; 518 519 static __inline u16 RotR1(u16 val) 520 { 521 return (val >> 1) | (val << 15); 522 } 523 524 static __inline u8 Lo8(u16 val) 525 { 526 return val & 0xff; 527 } 528 529 static __inline u8 Hi8(u16 val) 530 { 531 return val >> 8; 532 } 533 534 static __inline u16 Lo16(u32 val) 535 { 536 return val & 0xffff; 537 } 538 539 static __inline u16 Hi16(u32 val) 540 { 541 return val >> 16; 542 } 543 544 static __inline u16 Mk16(u8 hi, u8 lo) 545 { 546 return lo | (((u16) hi) << 8); 547 } 548 549 static __inline u16 Mk16_le(const u16 *v) 550 { 551 return le16toh(*v); 552 } 553 554 static const u16 Sbox[256] = { 555 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 556 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 557 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 558 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 559 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 560 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 561 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 562 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 563 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 564 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 565 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 566 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 567 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 568 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 569 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 570 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 571 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 572 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 573 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 574 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 575 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 576 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 577 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 578 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 579 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 580 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 581 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 582 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 583 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 584 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 585 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 586 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 587 }; 588 589 static __inline u16 _S_(u16 v) 590 { 591 u16 t = Sbox[Hi8(v)]; 592 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 593 } 594 595 #define PHASE1_LOOP_COUNT 8 596 597 static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 598 { 599 int i, j; 600 601 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 602 TTAK[0] = Lo16(IV32); 603 TTAK[1] = Hi16(IV32); 604 TTAK[2] = Mk16(TA[1], TA[0]); 605 TTAK[3] = Mk16(TA[3], TA[2]); 606 TTAK[4] = Mk16(TA[5], TA[4]); 607 608 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 609 j = 2 * (i & 1); 610 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 611 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 612 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 613 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 614 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 615 } 616 } 617 618 #ifndef _BYTE_ORDER 619 #error "Don't know native byte order" 620 #endif 621 622 static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 623 u16 IV16) 624 { 625 /* Make temporary area overlap WEP seed so that the final copy can be 626 * avoided on little endian hosts. */ 627 u16 *PPK = (u16 *) &WEPSeed[4]; 628 629 /* Step 1 - make copy of TTAK and bring in TSC */ 630 PPK[0] = TTAK[0]; 631 PPK[1] = TTAK[1]; 632 PPK[2] = TTAK[2]; 633 PPK[3] = TTAK[3]; 634 PPK[4] = TTAK[4]; 635 PPK[5] = TTAK[4] + IV16; 636 637 /* Step 2 - 96-bit bijective mixing using S-box */ 638 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 639 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 640 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 641 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 642 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 643 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 644 645 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 646 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 647 PPK[2] += RotR1(PPK[1]); 648 PPK[3] += RotR1(PPK[2]); 649 PPK[4] += RotR1(PPK[3]); 650 PPK[5] += RotR1(PPK[4]); 651 652 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 653 * WEPSeed[0..2] is transmitted as WEP IV */ 654 WEPSeed[0] = Hi8(IV16); 655 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 656 WEPSeed[2] = Lo8(IV16); 657 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 658 659 #if _BYTE_ORDER == _BIG_ENDIAN 660 { 661 int i; 662 for (i = 0; i < 6; i++) 663 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 664 } 665 #endif 666 } 667 668 static void 669 wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 670 uint8_t icv[IEEE80211_WEP_CRCLEN]) 671 { 672 u32 i, j, k, crc; 673 size_t buflen; 674 u8 S[256]; 675 u8 *pos; 676 struct mbuf *m; 677 #define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 678 679 /* Setup RC4 state */ 680 for (i = 0; i < 256; i++) 681 S[i] = i; 682 j = 0; 683 for (i = 0; i < 256; i++) { 684 j = (j + S[i] + key[i & 0x0f]) & 0xff; 685 S_SWAP(i, j); 686 } 687 688 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 689 crc = ~0; 690 i = j = 0; 691 m = m0; 692 pos = mtod(m, uint8_t *) + off; 693 buflen = m->m_len - off; 694 for (;;) { 695 if (buflen > data_len) 696 buflen = data_len; 697 data_len -= buflen; 698 for (k = 0; k < buflen; k++) { 699 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 700 i = (i + 1) & 0xff; 701 j = (j + S[i]) & 0xff; 702 S_SWAP(i, j); 703 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 704 } 705 m = m->m_next; 706 if (m == NULL) { 707 KASSERT(data_len == 0, 708 ("out of buffers with data_len %zu\n", data_len)); 709 break; 710 } 711 pos = mtod(m, uint8_t *); 712 buflen = m->m_len; 713 } 714 crc = ~crc; 715 716 /* Append little-endian CRC32 and encrypt it to produce ICV */ 717 icv[0] = crc; 718 icv[1] = crc >> 8; 719 icv[2] = crc >> 16; 720 icv[3] = crc >> 24; 721 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 722 i = (i + 1) & 0xff; 723 j = (j + S[i]) & 0xff; 724 S_SWAP(i, j); 725 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 726 } 727 } 728 729 static int 730 wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 731 { 732 u32 i, j, k, crc; 733 u8 S[256]; 734 u8 *pos, icv[4]; 735 size_t buflen; 736 737 /* Setup RC4 state */ 738 for (i = 0; i < 256; i++) 739 S[i] = i; 740 j = 0; 741 for (i = 0; i < 256; i++) { 742 j = (j + S[i] + key[i & 0x0f]) & 0xff; 743 S_SWAP(i, j); 744 } 745 746 /* Apply RC4 to data and compute CRC32 over decrypted data */ 747 crc = ~0; 748 i = j = 0; 749 pos = mtod(m, uint8_t *) + off; 750 buflen = m->m_len - off; 751 for (;;) { 752 if (buflen > data_len) 753 buflen = data_len; 754 data_len -= buflen; 755 for (k = 0; k < buflen; k++) { 756 i = (i + 1) & 0xff; 757 j = (j + S[i]) & 0xff; 758 S_SWAP(i, j); 759 *pos ^= S[(S[i] + S[j]) & 0xff]; 760 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 761 pos++; 762 } 763 m = m->m_next; 764 if (m == NULL) { 765 KASSERT(data_len == 0, 766 ("out of buffers with data_len %zu\n", data_len)); 767 break; 768 } 769 pos = mtod(m, uint8_t *); 770 buflen = m->m_len; 771 } 772 crc = ~crc; 773 774 /* Encrypt little-endian CRC32 and verify that it matches with the 775 * received ICV */ 776 icv[0] = crc; 777 icv[1] = crc >> 8; 778 icv[2] = crc >> 16; 779 icv[3] = crc >> 24; 780 for (k = 0; k < 4; k++) { 781 i = (i + 1) & 0xff; 782 j = (j + S[i]) & 0xff; 783 S_SWAP(i, j); 784 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 785 /* ICV mismatch - drop frame */ 786 return -1; 787 } 788 } 789 790 return 0; 791 } 792 793 794 static __inline u32 rotl(u32 val, int bits) 795 { 796 return (val << bits) | (val >> (32 - bits)); 797 } 798 799 800 static __inline u32 rotr(u32 val, int bits) 801 { 802 return (val >> bits) | (val << (32 - bits)); 803 } 804 805 806 static __inline u32 xswap(u32 val) 807 { 808 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 809 } 810 811 812 #define michael_block(l, r) \ 813 do { \ 814 r ^= rotl(l, 17); \ 815 l += r; \ 816 r ^= xswap(l); \ 817 l += r; \ 818 r ^= rotl(l, 3); \ 819 l += r; \ 820 r ^= rotr(l, 2); \ 821 l += r; \ 822 } while (0) 823 824 825 static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 826 { 827 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 828 } 829 830 static __inline u32 get_le32(const u8 *p) 831 { 832 return get_le32_split(p[0], p[1], p[2], p[3]); 833 } 834 835 836 static __inline void put_le32(u8 *p, u32 v) 837 { 838 p[0] = v; 839 p[1] = v >> 8; 840 p[2] = v >> 16; 841 p[3] = v >> 24; 842 } 843 844 /* 845 * Craft pseudo header used to calculate the MIC. 846 */ 847 static void 848 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 849 { 850 const struct ieee80211_frame_addr4 *wh = 851 (const struct ieee80211_frame_addr4 *) wh0; 852 853 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 854 case IEEE80211_FC1_DIR_NODS: 855 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 856 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 857 break; 858 case IEEE80211_FC1_DIR_TODS: 859 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 860 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 861 break; 862 case IEEE80211_FC1_DIR_FROMDS: 863 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 864 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 865 break; 866 case IEEE80211_FC1_DIR_DSTODS: 867 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 868 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 869 break; 870 } 871 872 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 873 const struct ieee80211_qosframe *qwh = 874 (const struct ieee80211_qosframe *) wh; 875 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 876 } else 877 hdr[12] = 0; 878 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 879 } 880 881 static void 882 michael_mic(struct tkip_ctx *ctx, const u8 *key, 883 struct mbuf *m, u_int off, size_t data_len, 884 u8 mic[IEEE80211_WEP_MICLEN]) 885 { 886 uint8_t hdr[16]; 887 u32 l, r; 888 const uint8_t *data; 889 u_int space; 890 891 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 892 893 l = get_le32(key); 894 r = get_le32(key + 4); 895 896 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 897 l ^= get_le32(hdr); 898 michael_block(l, r); 899 l ^= get_le32(&hdr[4]); 900 michael_block(l, r); 901 l ^= get_le32(&hdr[8]); 902 michael_block(l, r); 903 l ^= get_le32(&hdr[12]); 904 michael_block(l, r); 905 906 /* first buffer has special handling */ 907 data = mtod(m, const uint8_t *) + off; 908 space = m->m_len - off; 909 for (;;) { 910 if (space > data_len) 911 space = data_len; 912 /* collect 32-bit blocks from current buffer */ 913 while (space >= sizeof(uint32_t)) { 914 l ^= get_le32(data); 915 michael_block(l, r); 916 data += sizeof(uint32_t), space -= sizeof(uint32_t); 917 data_len -= sizeof(uint32_t); 918 } 919 /* 920 * NB: when space is zero we make one more trip around 921 * the loop to advance to the next mbuf where there is 922 * data. This handles the case where there are 4*n 923 * bytes in an mbuf followed by <4 bytes in a later mbuf. 924 * By making an extra trip we'll drop out of the loop 925 * with m pointing at the mbuf with 3 bytes and space 926 * set as required by the remainder handling below. 927 */ 928 if (data_len == 0 || 929 (data_len < sizeof(uint32_t) && space != 0)) 930 break; 931 m = m->m_next; 932 if (m == NULL) { 933 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 934 break; 935 } 936 if (space != 0) { 937 const uint8_t *data_next; 938 /* 939 * Block straddles buffers, split references. 940 */ 941 data_next = mtod(m, const uint8_t *); 942 KASSERT(m->m_len >= sizeof(uint32_t) - space, 943 ("not enough data in following buffer, " 944 "m_len %u need %zu\n", m->m_len, 945 sizeof(uint32_t) - space)); 946 switch (space) { 947 case 1: 948 l ^= get_le32_split(data[0], data_next[0], 949 data_next[1], data_next[2]); 950 data = data_next + 3; 951 space = m->m_len - 3; 952 break; 953 case 2: 954 l ^= get_le32_split(data[0], data[1], 955 data_next[0], data_next[1]); 956 data = data_next + 2; 957 space = m->m_len - 2; 958 break; 959 case 3: 960 l ^= get_le32_split(data[0], data[1], 961 data[2], data_next[0]); 962 data = data_next + 1; 963 space = m->m_len - 1; 964 break; 965 } 966 michael_block(l, r); 967 data_len -= sizeof(uint32_t); 968 } else { 969 /* 970 * Setup for next buffer. 971 */ 972 data = mtod(m, const uint8_t *); 973 space = m->m_len; 974 } 975 } 976 /* 977 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 978 * mbuf[2 bytes]. I don't believe these should happen; if they 979 * do then we'll need more involved logic. 980 */ 981 KASSERT(data_len <= space, 982 ("not enough data, data_len %zu space %u\n", data_len, space)); 983 984 /* Last block and padding (0x5a, 4..7 x 0) */ 985 switch (data_len) { 986 case 0: 987 l ^= get_le32_split(0x5a, 0, 0, 0); 988 break; 989 case 1: 990 l ^= get_le32_split(data[0], 0x5a, 0, 0); 991 break; 992 case 2: 993 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 994 break; 995 case 3: 996 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 997 break; 998 } 999 michael_block(l, r); 1000 /* l ^= 0; */ 1001 michael_block(l, r); 1002 1003 put_le32(mic, l); 1004 put_le32(mic + 4, r); 1005 } 1006 1007 static int 1008 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1009 struct mbuf *m, int hdrlen) 1010 { 1011 struct ieee80211_frame *wh; 1012 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1013 1014 ctx->tc_vap->iv_stats.is_crypto_tkip++; 1015 1016 wh = mtod(m, struct ieee80211_frame *); 1017 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 1018 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1019 (u32)(key->wk_keytsc >> 16)); 1020 } 1021 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1022 (u16) key->wk_keytsc); 1023 1024 wep_encrypt(ctx->tx_rc4key, 1025 m, hdrlen + tkip.ic_header, 1026 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1027 icv); 1028 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 1029 1030 return 1; 1031 } 1032 1033 static int 1034 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1035 struct mbuf *m, int hdrlen) 1036 { 1037 struct ieee80211_frame *wh; 1038 struct ieee80211vap *vap = ctx->tc_vap; 1039 u32 iv32; 1040 u16 iv16; 1041 u8 tid; 1042 1043 vap->iv_stats.is_crypto_tkip++; 1044 1045 wh = mtod(m, struct ieee80211_frame *); 1046 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1047 iv16 = (u16) ctx->rx_rsc; 1048 iv32 = (u32) (ctx->rx_rsc >> 16); 1049 1050 tid = ieee80211_gettid(wh); 1051 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 1052 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1053 wh->i_addr2, iv32); 1054 ctx->rx_phase1_done = 1; 1055 } 1056 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1057 1058 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1059 if (wep_decrypt(ctx->rx_rc4key, 1060 m, hdrlen + tkip.ic_header, 1061 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1062 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 1063 /* Previously cached Phase1 result was already lost, so 1064 * it needs to be recalculated for the next packet. */ 1065 ctx->rx_phase1_done = 0; 1066 } 1067 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1068 "%s", "TKIP ICV mismatch on decrypt"); 1069 vap->iv_stats.is_rx_tkipicv++; 1070 return 0; 1071 } 1072 return 1; 1073 } 1074 1075 /* 1076 * Module glue. 1077 */ 1078 IEEE80211_CRYPTO_MODULE(tkip, 1); 1079