Context Navigation

source: rtems-libbsd/freebsd/sys/net80211/ieee80211_crypto_tkip.c @ a241ea8

55-freebsd-126-freebsd-12

Last change on this file since a241ea8 was a241ea8, checked in by Christian Mauderer <Christian.Mauderer@…>, on 11/14/16 at 12:46:13
Import IEEE 802.11 from FreeBSD.
Property mode set to `100644`
File size: 30.3 KB

Line
1	#include <machine/rtems-bsd-kernel-space.h>
2
3	/*-
4	* Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
5	* All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26	*/
27
28	#include <sys/cdefs.h>
29	__FBSDID("$FreeBSD$");
30
31	/*
32	* IEEE 802.11i TKIP crypto support.
33	*
34	* Part of this module is derived from similar code in the Host
35	* AP driver. The code is used with the consent of the author and
36	* it's license is included below.
37	*/
38	#include <rtems/bsd/local/opt_wlan.h>
39
40	#include <rtems/bsd/sys/param.h>
41	#include <sys/systm.h>
42	#include <sys/mbuf.h>
43	#include <sys/malloc.h>
44	#include <sys/kernel.h>
45	#include <sys/module.h>
46	#include <sys/endian.h>
47
48	#include <sys/socket.h>
49
50	#include <net/if.h>
51	#include <net/if_media.h>
52	#include <net/ethernet.h>
53
54	#include <net80211/ieee80211_var.h>
55
56	static void tkip_attach(struct ieee80211vap , struct ieee80211_key *);
57	static void tkip_detach(struct ieee80211_key *);
58	static int tkip_setkey(struct ieee80211_key *);
59	static void tkip_setiv(struct ieee80211_key , uint8_t );
60	static int tkip_encap(struct ieee80211_key , struct mbuf );
61	static int tkip_enmic(struct ieee80211_key , struct mbuf , int);
62	static int tkip_decap(struct ieee80211_key , struct mbuf , int);
63	static int tkip_demic(struct ieee80211_key , struct mbuf , int);
64
65	static const struct ieee80211_cipher tkip = {
66	.ic_name = "TKIP",
67	.ic_cipher = IEEE80211_CIPHER_TKIP,
68	.ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
69	IEEE80211_WEP_EXTIVLEN,
70	.ic_trailer = IEEE80211_WEP_CRCLEN,
71	.ic_miclen = IEEE80211_WEP_MICLEN,
72	.ic_attach = tkip_attach,
73	.ic_detach = tkip_detach,
74	.ic_setkey = tkip_setkey,
75	.ic_setiv = tkip_setiv,
76	.ic_encap = tkip_encap,
77	.ic_decap = tkip_decap,
78	.ic_enmic = tkip_enmic,
79	.ic_demic = tkip_demic,
80	};
81
82	typedef uint8_t u8;
83	typedef uint16_t u16;
84	typedef uint32_t __u32;
85	typedef uint32_t u32;
86
87	struct tkip_ctx {
88	struct ieee80211vap tc_vap; / for diagnostics+statistics */
89
90	u16 tx_ttak[5];
91	u8 tx_rc4key[16]; /* XXX for test module; make locals? */
92
93	u16 rx_ttak[5];
94	int rx_phase1_done;
95	u8 rx_rc4key[16]; /* XXX for test module; make locals? */
96	uint64_t rx_rsc; /* held until MIC verified */
97	};
98
99	static void michael_mic(struct tkip_ctx , const u8 key,
100	struct mbuf *m, u_int off, size_t data_len,
101	u8 mic[IEEE80211_WEP_MICLEN]);
102	static int tkip_encrypt(struct tkip_ctx , struct ieee80211_key ,
103	struct mbuf *, int hdr_len);
104	static int tkip_decrypt(struct tkip_ctx , struct ieee80211_key ,
105	struct mbuf *, int hdr_len);
106
107	/* number of references from net80211 layer */
108	static int nrefs = 0;
109
110	static void *
111	tkip_attach(struct ieee80211vap vap, struct ieee80211_key k)
112	{
113	struct tkip_ctx *ctx;
114
115	ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx),
116	M_80211_CRYPTO, IEEE80211_M_NOWAIT \| IEEE80211_M_ZERO);
117	if (ctx == NULL) {
118	vap->iv_stats.is_crypto_nomem++;
119	return NULL;
120	}
121
122	ctx->tc_vap = vap;
123	nrefs++; /* NB: we assume caller locking */
124	return ctx;
125	}
126
127	static void
128	tkip_detach(struct ieee80211_key *k)
129	{
130	struct tkip_ctx *ctx = k->wk_private;
131
132	IEEE80211_FREE(ctx, M_80211_CRYPTO);
133	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
134	nrefs--; /* NB: we assume caller locking */
135	}
136
137	static int
138	tkip_setkey(struct ieee80211_key *k)
139	{
140	struct tkip_ctx *ctx = k->wk_private;
141
142	if (k->wk_keylen != (128/NBBY)) {
143	(void) ctx; /* XXX */
144	IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO,
145	"%s: Invalid key length %u, expecting %u\n",
146	__func__, k->wk_keylen, 128/NBBY);
147	return 0;
148	}
149	ctx->rx_phase1_done = 0;
150	return 1;
151	}
152
153	static void
154	tkip_setiv(struct ieee80211_key k, uint8_t ivp)
155	{
156	struct tkip_ctx *ctx = k->wk_private;
157	struct ieee80211vap *vap = ctx->tc_vap;
158	uint8_t keyid;
159
160	keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
161
162	k->wk_keytsc++;
163	ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
164	ivp[1] = (ivp[0] \| 0x20) & 0x7f; /* WEP seed */
165	ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
166	ivp[3] = keyid \| IEEE80211_WEP_EXTIV; /* KeyID \| ExtID */
167	ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
168	ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
169	ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
170	ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
171	}
172
173	/*
174	* Add privacy headers and do any s/w encryption required.
175	*/
176	static int
177	tkip_encap(struct ieee80211_key k, struct mbuf m)
178	{
179	struct tkip_ctx *ctx = k->wk_private;
180	struct ieee80211vap *vap = ctx->tc_vap;
181	struct ieee80211com *ic = vap->iv_ic;
182	struct ieee80211_frame *wh;
183	uint8_t *ivp;
184	int hdrlen;
185	int is_mgmt;
186
187	wh = mtod(m, struct ieee80211_frame *);
188	is_mgmt = IEEE80211_IS_MGMT(wh);
189
190	/*
191	* Handle TKIP counter measures requirement.
192	*/
193	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
194	#ifdef IEEE80211_DEBUG
195	struct ieee80211_frame wh = mtod(m, struct ieee80211_frame );
196	#endif
197
198	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
199	"discard frame due to countermeasures (%s)", __func__);
200	vap->iv_stats.is_crypto_tkipcm++;
201	return 0;
202	}
203
204	/*
205	* Check to see whether IV needs to be included.
206	*/
207	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
208	return 1;
209	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
210	return 1;
211
212
213	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
214
215	/*
216	* Copy down 802.11 header and add the IV, KeyID, and ExtIV.
217	*/
218	M_PREPEND(m, tkip.ic_header, M_NOWAIT);
219	if (m == NULL)
220	return 0;
221	ivp = mtod(m, uint8_t *);
222	memmove(ivp, ivp + tkip.ic_header, hdrlen);
223	ivp += hdrlen;
224
225	tkip_setiv(k, ivp);
226
227	/*
228	* Finally, do software encrypt if needed.
229	*/
230	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
231	!tkip_encrypt(ctx, k, m, hdrlen))
232	return 0;
233
234	return 1;
235	}
236
237	/*
238	* Add MIC to the frame as needed.
239	*/
240	static int
241	tkip_enmic(struct ieee80211_key k, struct mbuf m, int force)
242	{
243	struct tkip_ctx *ctx = k->wk_private;
244	struct ieee80211_frame *wh;
245	int is_mgmt;
246
247	wh = mtod(m, struct ieee80211_frame *);
248	is_mgmt = IEEE80211_IS_MGMT(wh);
249
250	/*
251	* Check to see whether MIC needs to be included.
252	*/
253	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT))
254	return 1;
255	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC))
256	return 1;
257
258	if (force \|\| (k->wk_flags & IEEE80211_KEY_SWENMIC)) {
259	struct ieee80211_frame wh = mtod(m, struct ieee80211_frame );
260	struct ieee80211vap *vap = ctx->tc_vap;
261	struct ieee80211com *ic = vap->iv_ic;
262	int hdrlen;
263	uint8_t mic[IEEE80211_WEP_MICLEN];
264
265	vap->iv_stats.is_crypto_tkipenmic++;
266
267	hdrlen = ieee80211_hdrspace(ic, wh);
268
269	michael_mic(ctx, k->wk_txmic,
270	m, hdrlen, m->m_pkthdr.len - hdrlen, mic);
271	return m_append(m, tkip.ic_miclen, mic);
272	}
273	return 1;
274	}
275
276	static __inline uint64_t
277	READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
278	{
279	uint32_t iv32 = (b0 << 0) \| (b1 << 8) \| (b2 << 16) \| (b3 << 24);
280	uint16_t iv16 = (b4 << 0) \| (b5 << 8);
281	return (((uint64_t)iv16) << 32) \| iv32;
282	}
283
284	/*
285	* Validate and strip privacy headers (and trailer) for a
286	* received frame. If necessary, decrypt the frame using
287	* the specified key.
288	*/
289	static int
290	tkip_decap(struct ieee80211_key k, struct mbuf m, int hdrlen)
291	{
292	const struct ieee80211_rx_stats *rxs;
293	struct tkip_ctx *ctx = k->wk_private;
294	struct ieee80211vap *vap = ctx->tc_vap;
295	struct ieee80211_frame *wh;
296	uint8_t *ivp, tid;
297
298	rxs = ieee80211_get_rx_params_ptr(m);
299
300	/*
301	* If IV has been stripped, we skip most of the below.
302	*/
303	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
304	goto finish;
305
306	/*
307	* Header should have extended IV and sequence number;
308	* verify the former and validate the latter.
309	*/
310	wh = mtod(m, struct ieee80211_frame *);
311	ivp = mtod(m, uint8_t *) + hdrlen;
312	if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
313	/*
314	* No extended IV; discard frame.
315	*/
316	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
317	"%s", "missing ExtIV for TKIP cipher");
318	vap->iv_stats.is_rx_tkipformat++;
319	return 0;
320	}
321	/*
322	* Handle TKIP counter measures requirement.
323	*/
324	if (vap->iv_flags & IEEE80211_F_COUNTERM) {
325	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
326	"discard frame due to countermeasures (%s)", __func__);
327	vap->iv_stats.is_crypto_tkipcm++;
328	return 0;
329	}
330
331	tid = ieee80211_gettid(wh);
332	ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
333	if (ctx->rx_rsc <= k->wk_keyrsc[tid] &&
334	(k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
335	/*
336	* Replay violation; notify upper layer.
337	*/
338	ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid);
339	vap->iv_stats.is_rx_tkipreplay++;
340	return 0;
341	}
342	/*
343	* NB: We can't update the rsc in the key until MIC is verified.
344	*
345	* We assume we are not preempted between doing the check above
346	* and updating wk_keyrsc when stripping the MIC in tkip_demic.
347	* Otherwise we might process another packet and discard it as
348	* a replay.
349	*/
350
351	/*
352	* Check if the device handled the decrypt in hardware.
353	* If so we just strip the header; otherwise we need to
354	* handle the decrypt in software.
355	*/
356	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
357	!tkip_decrypt(ctx, k, m, hdrlen))
358	return 0;
359
360	finish:
361
362	/*
363	* Copy up 802.11 header and strip crypto bits - but only if we
364	* are required to.
365	*/
366	if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
367	memmove(mtod(m, uint8_t ) + tkip.ic_header, mtod(m, void ),
368	hdrlen);
369	m_adj(m, tkip.ic_header);
370	}
371
372	/*
373	* XXX TODO: do we need an option to potentially not strip the
374	* WEP trailer? Does "MMIC_STRIP" also mean this? Or?
375	*/
376	m_adj(m, -tkip.ic_trailer);
377
378	return 1;
379	}
380
381	/*
382	* Verify and strip MIC from the frame.
383	*/
384	static int
385	tkip_demic(struct ieee80211_key k, struct mbuf m, int force)
386	{
387	const struct ieee80211_rx_stats *rxs;
388	struct tkip_ctx *ctx = k->wk_private;
389	struct ieee80211_frame *wh;
390	uint8_t tid;
391
392	wh = mtod(m, struct ieee80211_frame *);
393	rxs = ieee80211_get_rx_params_ptr(m);
394
395	/*
396	* If we are told about a MIC failure from the driver,
397	* directly notify as a michael failure to the upper
398	* layers.
399	*/
400	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) {
401	struct ieee80211vap *vap = ctx->tc_vap;
402	ieee80211_notify_michael_failure(vap, wh,
403	k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
404	k->wk_rxkeyix : k->wk_keyix);
405	return 0;
406	}
407
408	/*
409	* If IV has been stripped, we skip most of the below.
410	*/
411	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP))
412	goto finish;
413
414	if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) \|\| force) {
415	struct ieee80211vap *vap = ctx->tc_vap;
416	int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh);
417	u8 mic[IEEE80211_WEP_MICLEN];
418	u8 mic0[IEEE80211_WEP_MICLEN];
419
420	vap->iv_stats.is_crypto_tkipdemic++;
421
422	michael_mic(ctx, k->wk_rxmic,
423	m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen),
424	mic);
425	m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen,
426	tkip.ic_miclen, mic0);
427	if (memcmp(mic, mic0, tkip.ic_miclen)) {
428	/* NB: 802.11 layer handles statistic and debug msg */
429	ieee80211_notify_michael_failure(vap, wh,
430	k->wk_rxkeyix != IEEE80211_KEYIX_NONE ?
431	k->wk_rxkeyix : k->wk_keyix);
432	return 0;
433	}
434	}
435	/*
436	* Strip MIC from the tail.
437	*/
438	m_adj(m, -tkip.ic_miclen);
439
440	/*
441	* Ok to update rsc now that MIC has been verified.
442	*/
443	tid = ieee80211_gettid(wh);
444	k->wk_keyrsc[tid] = ctx->rx_rsc;
445
446	finish:
447	return 1;
448	}
449
450	/*
451	* Host AP crypt: host-based TKIP encryption implementation for Host AP driver
452	*
453	* Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
454	*
455	* This program is free software; you can redistribute it and/or modify
456	* it under the terms of the GNU General Public License version 2 as
457	* published by the Free Software Foundation. See README and COPYING for
458	* more details.
459	*
460	* Alternatively, this software may be distributed under the terms of BSD
461	* license.
462	*/
463
464	static const __u32 crc32_table[256] = {
465	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
466	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
467	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
468	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
469	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
470	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
471	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
472	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
473	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
474	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
475	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
476	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
477	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
478	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
479	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
480	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
481	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
482	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
483	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
484	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
485	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
486	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
487	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
488	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
489	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
490	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
491	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
492	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
493	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
494	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
495	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
496	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
497	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
498	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
499	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
500	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
501	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
502	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
503	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
504	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
505	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
506	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
507	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
508	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
509	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
510	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
511	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
512	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
513	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
514	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
515	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
516	0x2d02ef8dL
517	};
518
519	static __inline u16 RotR1(u16 val)
520	{
521	return (val >> 1) \| (val << 15);
522	}
523
524	static __inline u8 Lo8(u16 val)
525	{
526	return val & 0xff;
527	}
528
529	static __inline u8 Hi8(u16 val)
530	{
531	return val >> 8;
532	}
533
534	static __inline u16 Lo16(u32 val)
535	{
536	return val & 0xffff;
537	}
538
539	static __inline u16 Hi16(u32 val)
540	{
541	return val >> 16;
542	}
543
544	static __inline u16 Mk16(u8 hi, u8 lo)
545	{
546	return lo \| (((u16) hi) << 8);
547	}
548
549	static __inline u16 Mk16_le(const u16 *v)
550	{
551	return le16toh(*v);
552	}
553
554	static const u16 Sbox[256] = {
555	0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
556	0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
557	0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
558	0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
559	0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
560	0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
561	0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
562	0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
563	0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
564	0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
565	0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
566	0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
567	0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
568	0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
569	0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
570	0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
571	0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
572	0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
573	0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
574	0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
575	0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
576	0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
577	0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
578	0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
579	0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
580	0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
581	0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
582	0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
583	0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
584	0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
585	0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
586	0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
587	};
588
589	static __inline u16 _S_(u16 v)
590	{
591	u16 t = Sbox[Hi8(v)];
592	return Sbox[Lo8(v)] ^ ((t << 8) \| (t >> 8));
593	}
594
595	#define PHASE1_LOOP_COUNT 8
596
597	static void tkip_mixing_phase1(u16 TTAK, const u8 TK, const u8 *TA, u32 IV32)
598	{
599	int i, j;
600
601	/* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
602	TTAK[0] = Lo16(IV32);
603	TTAK[1] = Hi16(IV32);
604	TTAK[2] = Mk16(TA[1], TA[0]);
605	TTAK[3] = Mk16(TA[3], TA[2]);
606	TTAK[4] = Mk16(TA[5], TA[4]);
607
608	for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
609	j = 2 * (i & 1);
610	TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
611	TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
612	TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
613	TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
614	TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
615	}
616	}
617
618	#ifndef _BYTE_ORDER
619	#error "Don't know native byte order"
620	#endif
621
622	static void tkip_mixing_phase2(u8 WEPSeed, const u8 TK, const u16 *TTAK,
623	u16 IV16)
624	{
625	/* Make temporary area overlap WEP seed so that the final copy can be
626	* avoided on little endian hosts. */
627	u16 PPK = (u16 ) &WEPSeed[4];
628
629	/* Step 1 - make copy of TTAK and bring in TSC */
630	PPK[0] = TTAK[0];
631	PPK[1] = TTAK[1];
632	PPK[2] = TTAK[2];
633	PPK[3] = TTAK[3];
634	PPK[4] = TTAK[4];
635	PPK[5] = TTAK[4] + IV16;
636
637	/* Step 2 - 96-bit bijective mixing using S-box */
638	PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0]));
639	PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2]));
640	PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4]));
641	PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6]));
642	PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8]));
643	PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10]));
644
645	PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12]));
646	PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14]));
647	PPK[2] += RotR1(PPK[1]);
648	PPK[3] += RotR1(PPK[2]);
649	PPK[4] += RotR1(PPK[3]);
650	PPK[5] += RotR1(PPK[4]);
651
652	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
653	* WEPSeed[0..2] is transmitted as WEP IV */
654	WEPSeed[0] = Hi8(IV16);
655	WEPSeed[1] = (Hi8(IV16) \| 0x20) & 0x7F;
656	WEPSeed[2] = Lo8(IV16);
657	WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1);
658
659	#if _BYTE_ORDER == _BIG_ENDIAN
660	{
661	int i;
662	for (i = 0; i < 6; i++)
663	PPK[i] = (PPK[i] << 8) \| (PPK[i] >> 8);
664	}
665	#endif
666	}
667
668	static void
669	wep_encrypt(u8 key, struct mbuf m0, u_int off, size_t data_len,
670	uint8_t icv[IEEE80211_WEP_CRCLEN])
671	{
672	u32 i, j, k, crc;
673	size_t buflen;
674	u8 S[256];
675	u8 *pos;
676	struct mbuf *m;
677	#define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
678
679	/* Setup RC4 state */
680	for (i = 0; i < 256; i++)
681	S[i] = i;
682	j = 0;
683	for (i = 0; i < 256; i++) {
684	j = (j + S[i] + key[i & 0x0f]) & 0xff;
685	S_SWAP(i, j);
686	}
687
688	/* Compute CRC32 over unencrypted data and apply RC4 to data */
689	crc = ~0;
690	i = j = 0;
691	m = m0;
692	pos = mtod(m, uint8_t *) + off;
693	buflen = m->m_len - off;
694	for (;;) {
695	if (buflen > data_len)
696	buflen = data_len;
697	data_len -= buflen;
698	for (k = 0; k < buflen; k++) {
699	crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
700	i = (i + 1) & 0xff;
701	j = (j + S[i]) & 0xff;
702	S_SWAP(i, j);
703	*pos++ ^= S[(S[i] + S[j]) & 0xff];
704	}
705	m = m->m_next;
706	if (m == NULL) {
707	KASSERT(data_len == 0,
708	("out of buffers with data_len %zu\n", data_len));
709	break;
710	}
711	pos = mtod(m, uint8_t *);
712	buflen = m->m_len;
713	}
714	crc = ~crc;
715
716	/* Append little-endian CRC32 and encrypt it to produce ICV */
717	icv[0] = crc;
718	icv[1] = crc >> 8;
719	icv[2] = crc >> 16;
720	icv[3] = crc >> 24;
721	for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
722	i = (i + 1) & 0xff;
723	j = (j + S[i]) & 0xff;
724	S_SWAP(i, j);
725	icv[k] ^= S[(S[i] + S[j]) & 0xff];
726	}
727	}
728
729	static int
730	wep_decrypt(u8 key, struct mbuf m, u_int off, size_t data_len)
731	{
732	u32 i, j, k, crc;
733	u8 S[256];
734	u8 *pos, icv[4];
735	size_t buflen;
736
737	/* Setup RC4 state */
738	for (i = 0; i < 256; i++)
739	S[i] = i;
740	j = 0;
741	for (i = 0; i < 256; i++) {
742	j = (j + S[i] + key[i & 0x0f]) & 0xff;
743	S_SWAP(i, j);
744	}
745
746	/* Apply RC4 to data and compute CRC32 over decrypted data */
747	crc = ~0;
748	i = j = 0;
749	pos = mtod(m, uint8_t *) + off;
750	buflen = m->m_len - off;
751	for (;;) {
752	if (buflen > data_len)
753	buflen = data_len;
754	data_len -= buflen;
755	for (k = 0; k < buflen; k++) {
756	i = (i + 1) & 0xff;
757	j = (j + S[i]) & 0xff;
758	S_SWAP(i, j);
759	*pos ^= S[(S[i] + S[j]) & 0xff];
760	crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
761	pos++;
762	}
763	m = m->m_next;
764	if (m == NULL) {
765	KASSERT(data_len == 0,
766	("out of buffers with data_len %zu\n", data_len));
767	break;
768	}
769	pos = mtod(m, uint8_t *);
770	buflen = m->m_len;
771	}
772	crc = ~crc;
773
774	/* Encrypt little-endian CRC32 and verify that it matches with the
775	* received ICV */
776	icv[0] = crc;
777	icv[1] = crc >> 8;
778	icv[2] = crc >> 16;
779	icv[3] = crc >> 24;
780	for (k = 0; k < 4; k++) {
781	i = (i + 1) & 0xff;
782	j = (j + S[i]) & 0xff;
783	S_SWAP(i, j);
784	if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
785	/* ICV mismatch - drop frame */
786	return -1;
787	}
788	}
789
790	return 0;
791	}
792
793
794	static __inline u32 rotl(u32 val, int bits)
795	{
796	return (val << bits) \| (val >> (32 - bits));
797	}
798
799
800	static __inline u32 rotr(u32 val, int bits)
801	{
802	return (val >> bits) \| (val << (32 - bits));
803	}
804
805
806	static __inline u32 xswap(u32 val)
807	{
808	return ((val & 0x00ff00ff) << 8) \| ((val & 0xff00ff00) >> 8);
809	}
810
811
812	#define michael_block(l, r) \
813	do { \
814	r ^= rotl(l, 17); \
815	l += r; \
816	r ^= xswap(l); \
817	l += r; \
818	r ^= rotl(l, 3); \
819	l += r; \
820	r ^= rotr(l, 2); \
821	l += r; \
822	} while (0)
823
824
825	static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3)
826	{
827	return b0 \| (b1 << 8) \| (b2 << 16) \| (b3 << 24);
828	}
829
830	static __inline u32 get_le32(const u8 *p)
831	{
832	return get_le32_split(p[0], p[1], p[2], p[3]);
833	}
834
835
836	static __inline void put_le32(u8 *p, u32 v)
837	{
838	p[0] = v;
839	p[1] = v >> 8;
840	p[2] = v >> 16;
841	p[3] = v >> 24;
842	}
843
844	/*
845	* Craft pseudo header used to calculate the MIC.
846	*/
847	static void
848	michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
849	{
850	const struct ieee80211_frame_addr4 *wh =
851	(const struct ieee80211_frame_addr4 *) wh0;
852
853	switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
854	case IEEE80211_FC1_DIR_NODS:
855	IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
856	IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
857	break;
858	case IEEE80211_FC1_DIR_TODS:
859	IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
860	IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
861	break;
862	case IEEE80211_FC1_DIR_FROMDS:
863	IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
864	IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
865	break;
866	case IEEE80211_FC1_DIR_DSTODS:
867	IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
868	IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
869	break;
870	}
871
872	if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
873	const struct ieee80211_qosframe *qwh =
874	(const struct ieee80211_qosframe *) wh;
875	hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
876	} else
877	hdr[12] = 0;
878	hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
879	}
880
881	static void
882	michael_mic(struct tkip_ctx ctx, const u8 key,
883	struct mbuf *m, u_int off, size_t data_len,
884	u8 mic[IEEE80211_WEP_MICLEN])
885	{
886	uint8_t hdr[16];
887	u32 l, r;
888	const uint8_t *data;
889	u_int space;
890
891	michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr);
892
893	l = get_le32(key);
894	r = get_le32(key + 4);
895
896	/* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
897	l ^= get_le32(hdr);
898	michael_block(l, r);
899	l ^= get_le32(&hdr[4]);
900	michael_block(l, r);
901	l ^= get_le32(&hdr[8]);
902	michael_block(l, r);
903	l ^= get_le32(&hdr[12]);
904	michael_block(l, r);
905
906	/* first buffer has special handling */
907	data = mtod(m, const uint8_t *) + off;
908	space = m->m_len - off;
909	for (;;) {
910	if (space > data_len)
911	space = data_len;
912	/* collect 32-bit blocks from current buffer */
913	while (space >= sizeof(uint32_t)) {
914	l ^= get_le32(data);
915	michael_block(l, r);
916	data += sizeof(uint32_t), space -= sizeof(uint32_t);
917	data_len -= sizeof(uint32_t);
918	}
919	/*
920	* NB: when space is zero we make one more trip around
921	* the loop to advance to the next mbuf where there is
922	* data. This handles the case where there are 4*n
923	* bytes in an mbuf followed by <4 bytes in a later mbuf.
924	* By making an extra trip we'll drop out of the loop
925	* with m pointing at the mbuf with 3 bytes and space
926	* set as required by the remainder handling below.
927	*/
928	if (data_len == 0 \|\|
929	(data_len < sizeof(uint32_t) && space != 0))
930	break;
931	m = m->m_next;
932	if (m == NULL) {
933	KASSERT(0, ("out of data, data_len %zu\n", data_len));
934	break;
935	}
936	if (space != 0) {
937	const uint8_t *data_next;
938	/*
939	* Block straddles buffers, split references.
940	*/
941	data_next = mtod(m, const uint8_t *);
942	KASSERT(m->m_len >= sizeof(uint32_t) - space,
943	("not enough data in following buffer, "
944	"m_len %u need %zu\n", m->m_len,
945	sizeof(uint32_t) - space));
946	switch (space) {
947	case 1:
948	l ^= get_le32_split(data[0], data_next[0],
949	data_next[1], data_next[2]);
950	data = data_next + 3;
951	space = m->m_len - 3;
952	break;
953	case 2:
954	l ^= get_le32_split(data[0], data[1],
955	data_next[0], data_next[1]);
956	data = data_next + 2;
957	space = m->m_len - 2;
958	break;
959	case 3:
960	l ^= get_le32_split(data[0], data[1],
961	data[2], data_next[0]);
962	data = data_next + 1;
963	space = m->m_len - 1;
964	break;
965	}
966	michael_block(l, r);
967	data_len -= sizeof(uint32_t);
968	} else {
969	/*
970	* Setup for next buffer.
971	*/
972	data = mtod(m, const uint8_t *);
973	space = m->m_len;
974	}
975	}
976	/*
977	* Catch degenerate cases like mbuf[4*n+1 bytes] followed by
978	* mbuf[2 bytes]. I don't believe these should happen; if they
979	* do then we'll need more involved logic.
980	*/
981	KASSERT(data_len <= space,
982	("not enough data, data_len %zu space %u\n", data_len, space));
983
984	/* Last block and padding (0x5a, 4..7 x 0) */
985	switch (data_len) {
986	case 0:
987	l ^= get_le32_split(0x5a, 0, 0, 0);
988	break;
989	case 1:
990	l ^= get_le32_split(data[0], 0x5a, 0, 0);
991	break;
992	case 2:
993	l ^= get_le32_split(data[0], data[1], 0x5a, 0);
994	break;
995	case 3:
996	l ^= get_le32_split(data[0], data[1], data[2], 0x5a);
997	break;
998	}
999	michael_block(l, r);
1000	/* l ^= 0; */
1001	michael_block(l, r);
1002
1003	put_le32(mic, l);
1004	put_le32(mic + 4, r);
1005	}
1006
1007	static int
1008	tkip_encrypt(struct tkip_ctx ctx, struct ieee80211_key key,
1009	struct mbuf *m, int hdrlen)
1010	{
1011	struct ieee80211_frame *wh;
1012	uint8_t icv[IEEE80211_WEP_CRCLEN];
1013
1014	ctx->tc_vap->iv_stats.is_crypto_tkip++;
1015
1016	wh = mtod(m, struct ieee80211_frame *);
1017	if ((u16)(key->wk_keytsc) == 0 \|\| key->wk_keytsc == 1) {
1018	tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
1019	(u32)(key->wk_keytsc >> 16));
1020	}
1021	tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
1022	(u16) key->wk_keytsc);
1023
1024	wep_encrypt(ctx->tx_rc4key,
1025	m, hdrlen + tkip.ic_header,
1026	m->m_pkthdr.len - (hdrlen + tkip.ic_header),
1027	icv);
1028	(void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */
1029
1030	return 1;
1031	}
1032
1033	static int
1034	tkip_decrypt(struct tkip_ctx ctx, struct ieee80211_key key,
1035	struct mbuf *m, int hdrlen)
1036	{
1037	struct ieee80211_frame *wh;
1038	struct ieee80211vap *vap = ctx->tc_vap;
1039	u32 iv32;
1040	u16 iv16;
1041	u8 tid;
1042
1043	vap->iv_stats.is_crypto_tkip++;
1044
1045	wh = mtod(m, struct ieee80211_frame *);
1046	/* NB: tkip_decap already verified header and left seq in rx_rsc */
1047	iv16 = (u16) ctx->rx_rsc;
1048	iv32 = (u32) (ctx->rx_rsc >> 16);
1049
1050	tid = ieee80211_gettid(wh);
1051	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) \|\| !ctx->rx_phase1_done) {
1052	tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
1053	wh->i_addr2, iv32);
1054	ctx->rx_phase1_done = 1;
1055	}
1056	tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
1057
1058	/* NB: m is unstripped; deduct headers + ICV to get payload */
1059	if (wep_decrypt(ctx->rx_rc4key,
1060	m, hdrlen + tkip.ic_header,
1061	m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
1062	if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) {
1063	/* Previously cached Phase1 result was already lost, so
1064	* it needs to be recalculated for the next packet. */
1065	ctx->rx_phase1_done = 0;
1066	}
1067	IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
1068	"%s", "TKIP ICV mismatch on decrypt");
1069	vap->iv_stats.is_rx_tkipicv++;
1070	return 0;
1071	}
1072	return 1;
1073	}
1074
1075	/*
1076	* Module glue.
1077	*/
1078	IEEE80211_CRYPTO_MODULE(tkip, 1);

Note: See TracBrowser for help on using the repository browser.

Download in other formats: