1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD: releng/12.0/sys/net80211/ieee80211_crypto_tkip.c 326272 2017-11-27 15:23:17Z pfg $"); 30 31/* 32 * IEEE 802.11i TKIP crypto support. 33 * 34 * Part of this module is derived from similar code in the Host 35 * AP driver. The code is used with the consent of the author and 36 * it's license is included below. 37 */ 38#include "opt_wlan.h" 39 40#include <sys/param.h> 41#include <sys/systm.h> 42#include <sys/mbuf.h> 43#include <sys/malloc.h> 44#include <sys/kernel.h> 45#include <sys/module.h> 46#include <sys/endian.h> 47 48#include <sys/socket.h> 49 50#include <net/if.h> 51#include <net/if_media.h> 52#include <net/ethernet.h> 53 54#include <net80211/ieee80211_var.h> 55 56static void *tkip_attach(struct ieee80211vap *, struct ieee80211_key *); 57static void tkip_detach(struct ieee80211_key *); 58static int tkip_setkey(struct ieee80211_key *); 59static void tkip_setiv(struct ieee80211_key *, uint8_t *); 60static int tkip_encap(struct ieee80211_key *, struct mbuf *); 61static int tkip_enmic(struct ieee80211_key *, struct mbuf *, int); 62static int tkip_decap(struct ieee80211_key *, struct mbuf *, int); 63static int tkip_demic(struct ieee80211_key *, struct mbuf *, int); 64 65static const struct ieee80211_cipher tkip = { 66 .ic_name = "TKIP", 67 .ic_cipher = IEEE80211_CIPHER_TKIP, 68 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + 69 IEEE80211_WEP_EXTIVLEN, 70 .ic_trailer = IEEE80211_WEP_CRCLEN, 71 .ic_miclen = IEEE80211_WEP_MICLEN, 72 .ic_attach = tkip_attach, 73 .ic_detach = tkip_detach, 74 .ic_setkey = tkip_setkey, 75 .ic_setiv = tkip_setiv, 76 .ic_encap = tkip_encap, 77 .ic_decap = tkip_decap, 78 .ic_enmic = tkip_enmic, 79 .ic_demic = tkip_demic, 80}; 81 82typedef uint8_t u8; 83typedef uint16_t u16; 84typedef uint32_t __u32; 85typedef uint32_t u32; 86 87struct tkip_ctx { 88 struct ieee80211vap *tc_vap; /* for diagnostics+statistics */ 89 90 u16 tx_ttak[5]; 91 u8 tx_rc4key[16]; /* XXX for test module; make locals? */ 92 93 u16 rx_ttak[5]; 94 int rx_phase1_done; 95 u8 rx_rc4key[16]; /* XXX for test module; make locals? */ 96 uint64_t rx_rsc; /* held until MIC verified */ 97}; 98 99static void michael_mic(struct tkip_ctx *, const u8 *key, 100 struct mbuf *m, u_int off, size_t data_len, 101 u8 mic[IEEE80211_WEP_MICLEN]); 102static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *, 103 struct mbuf *, int hdr_len); 104static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *, 105 struct mbuf *, int hdr_len); 106 107/* number of references from net80211 layer */ 108static int nrefs = 0; 109 110static void * 111tkip_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 112{ 113 struct tkip_ctx *ctx; 114 115 ctx = (struct tkip_ctx *) IEEE80211_MALLOC(sizeof(struct tkip_ctx), 116 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 117 if (ctx == NULL) { 118 vap->iv_stats.is_crypto_nomem++; 119 return NULL; 120 } 121 122 ctx->tc_vap = vap; 123 nrefs++; /* NB: we assume caller locking */ 124 return ctx; 125} 126 127static void 128tkip_detach(struct ieee80211_key *k) 129{ 130 struct tkip_ctx *ctx = k->wk_private; 131 132 IEEE80211_FREE(ctx, M_80211_CRYPTO); 133 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 134 nrefs--; /* NB: we assume caller locking */ 135} 136 137static int 138tkip_setkey(struct ieee80211_key *k) 139{ 140 struct tkip_ctx *ctx = k->wk_private; 141 142 if (k->wk_keylen != (128/NBBY)) { 143 (void) ctx; /* XXX */ 144 IEEE80211_DPRINTF(ctx->tc_vap, IEEE80211_MSG_CRYPTO, 145 "%s: Invalid key length %u, expecting %u\n", 146 __func__, k->wk_keylen, 128/NBBY); 147 return 0; 148 } 149 ctx->rx_phase1_done = 0; 150 return 1; 151} 152 153static void 154tkip_setiv(struct ieee80211_key *k, uint8_t *ivp) 155{ 156 struct tkip_ctx *ctx = k->wk_private; 157 struct ieee80211vap *vap = ctx->tc_vap; 158 uint8_t keyid; 159 160 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 161 162 k->wk_keytsc++; 163 ivp[0] = k->wk_keytsc >> 8; /* TSC1 */ 164 ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */ 165 ivp[2] = k->wk_keytsc >> 0; /* TSC0 */ 166 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */ 167 ivp[4] = k->wk_keytsc >> 16; /* TSC2 */ 168 ivp[5] = k->wk_keytsc >> 24; /* TSC3 */ 169 ivp[6] = k->wk_keytsc >> 32; /* TSC4 */ 170 ivp[7] = k->wk_keytsc >> 40; /* TSC5 */ 171} 172 173/* 174 * Add privacy headers and do any s/w encryption required. 175 */ 176static int 177tkip_encap(struct ieee80211_key *k, struct mbuf *m) 178{ 179 struct tkip_ctx *ctx = k->wk_private; 180 struct ieee80211vap *vap = ctx->tc_vap; 181 struct ieee80211com *ic = vap->iv_ic; 182 struct ieee80211_frame *wh; 183 uint8_t *ivp; 184 int hdrlen; 185 int is_mgmt; 186 187 wh = mtod(m, struct ieee80211_frame *); 188 is_mgmt = IEEE80211_IS_MGMT(wh); 189 190 /* 191 * Handle TKIP counter measures requirement. 192 */ 193 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 194#ifdef IEEE80211_DEBUG 195 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 196#endif 197 198 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 199 "discard frame due to countermeasures (%s)", __func__); 200 vap->iv_stats.is_crypto_tkipcm++; 201 return 0; 202 } 203 204 /* 205 * Check to see whether IV needs to be included. 206 */ 207 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT)) 208 return 1; 209 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV)) 210 return 1; 211 212 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 213 214 /* 215 * Copy down 802.11 header and add the IV, KeyID, and ExtIV. 216 */ 217 M_PREPEND(m, tkip.ic_header, M_NOWAIT); 218 if (m == NULL) 219 return 0; 220 ivp = mtod(m, uint8_t *); 221 memmove(ivp, ivp + tkip.ic_header, hdrlen); 222 ivp += hdrlen; 223 224 tkip_setiv(k, ivp); 225 226 /* 227 * Finally, do software encrypt if needed. 228 */ 229 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 230 !tkip_encrypt(ctx, k, m, hdrlen)) 231 return 0; 232 233 return 1; 234} 235 236/* 237 * Add MIC to the frame as needed. 238 */ 239static int 240tkip_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 241{ 242 struct tkip_ctx *ctx = k->wk_private; 243 struct ieee80211_frame *wh; 244 int is_mgmt; 245 246 wh = mtod(m, struct ieee80211_frame *); 247 is_mgmt = IEEE80211_IS_MGMT(wh); 248 249 /* 250 * Check to see whether MIC needs to be included. 251 */ 252 if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOMICMGT)) 253 return 1; 254 if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOMIC)) 255 return 1; 256 257 if (force || (k->wk_flags & IEEE80211_KEY_SWENMIC)) { 258 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *); 259 struct ieee80211vap *vap = ctx->tc_vap; 260 struct ieee80211com *ic = vap->iv_ic; 261 int hdrlen; 262 uint8_t mic[IEEE80211_WEP_MICLEN]; 263 264 vap->iv_stats.is_crypto_tkipenmic++; 265 266 hdrlen = ieee80211_hdrspace(ic, wh); 267 268 michael_mic(ctx, k->wk_txmic, 269 m, hdrlen, m->m_pkthdr.len - hdrlen, mic); 270 return m_append(m, tkip.ic_miclen, mic); 271 } 272 return 1; 273} 274 275static __inline uint64_t 276READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5) 277{ 278 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24); 279 uint16_t iv16 = (b4 << 0) | (b5 << 8); 280 return (((uint64_t)iv16) << 32) | iv32; 281} 282 283/* 284 * Validate and strip privacy headers (and trailer) for a 285 * received frame. If necessary, decrypt the frame using 286 * the specified key. 287 */ 288static int 289tkip_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 290{ 291 const struct ieee80211_rx_stats *rxs; 292 struct tkip_ctx *ctx = k->wk_private; 293 struct ieee80211vap *vap = ctx->tc_vap; 294 struct ieee80211_frame *wh; 295 uint8_t *ivp, tid; 296 297 rxs = ieee80211_get_rx_params_ptr(m); 298 299 /* 300 * If IV has been stripped, we skip most of the below. 301 */ 302 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP)) 303 goto finish; 304 305 /* 306 * Header should have extended IV and sequence number; 307 * verify the former and validate the latter. 308 */ 309 wh = mtod(m, struct ieee80211_frame *); 310 ivp = mtod(m, uint8_t *) + hdrlen; 311 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) { 312 /* 313 * No extended IV; discard frame. 314 */ 315 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 316 "%s", "missing ExtIV for TKIP cipher"); 317 vap->iv_stats.is_rx_tkipformat++; 318 return 0; 319 } 320 /* 321 * Handle TKIP counter measures requirement. 322 */ 323 if (vap->iv_flags & IEEE80211_F_COUNTERM) { 324 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 325 "discard frame due to countermeasures (%s)", __func__); 326 vap->iv_stats.is_crypto_tkipcm++; 327 return 0; 328 } 329 330 tid = ieee80211_gettid(wh); 331 ctx->rx_rsc = READ_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]); 332 if (ctx->rx_rsc <= k->wk_keyrsc[tid] && 333 (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) { 334 /* 335 * Replay violation; notify upper layer. 336 */ 337 ieee80211_notify_replay_failure(vap, wh, k, ctx->rx_rsc, tid); 338 vap->iv_stats.is_rx_tkipreplay++; 339 return 0; 340 } 341 /* 342 * NB: We can't update the rsc in the key until MIC is verified. 343 * 344 * We assume we are not preempted between doing the check above 345 * and updating wk_keyrsc when stripping the MIC in tkip_demic. 346 * Otherwise we might process another packet and discard it as 347 * a replay. 348 */ 349 350 /* 351 * Check if the device handled the decrypt in hardware. 352 * If so we just strip the header; otherwise we need to 353 * handle the decrypt in software. 354 */ 355 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 356 !tkip_decrypt(ctx, k, m, hdrlen)) 357 return 0; 358 359finish: 360 361 /* 362 * Copy up 802.11 header and strip crypto bits - but only if we 363 * are required to. 364 */ 365 if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) { 366 memmove(mtod(m, uint8_t *) + tkip.ic_header, mtod(m, void *), 367 hdrlen); 368 m_adj(m, tkip.ic_header); 369 } 370 371 /* 372 * XXX TODO: do we need an option to potentially not strip the 373 * WEP trailer? Does "MMIC_STRIP" also mean this? Or? 374 */ 375 m_adj(m, -tkip.ic_trailer); 376 377 return 1; 378} 379 380/* 381 * Verify and strip MIC from the frame. 382 */ 383static int 384tkip_demic(struct ieee80211_key *k, struct mbuf *m, int force) 385{ 386 const struct ieee80211_rx_stats *rxs; 387 struct tkip_ctx *ctx = k->wk_private; 388 struct ieee80211_frame *wh; 389 uint8_t tid; 390 391 wh = mtod(m, struct ieee80211_frame *); 392 rxs = ieee80211_get_rx_params_ptr(m); 393 394 /* 395 * If we are told about a MIC failure from the driver, 396 * directly notify as a michael failure to the upper 397 * layers. 398 */ 399 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_FAIL_MIC)) { 400 struct ieee80211vap *vap = ctx->tc_vap; 401 ieee80211_notify_michael_failure(vap, wh, 402 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 403 k->wk_rxkeyix : k->wk_keyix); 404 return 0; 405 } 406 407 /* 408 * If IV has been stripped, we skip most of the below. 409 */ 410 if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)) 411 goto finish; 412 413 if ((k->wk_flags & IEEE80211_KEY_SWDEMIC) || force) { 414 struct ieee80211vap *vap = ctx->tc_vap; 415 int hdrlen = ieee80211_hdrspace(vap->iv_ic, wh); 416 u8 mic[IEEE80211_WEP_MICLEN]; 417 u8 mic0[IEEE80211_WEP_MICLEN]; 418 419 vap->iv_stats.is_crypto_tkipdemic++; 420 421 michael_mic(ctx, k->wk_rxmic, 422 m, hdrlen, m->m_pkthdr.len - (hdrlen + tkip.ic_miclen), 423 mic); 424 m_copydata(m, m->m_pkthdr.len - tkip.ic_miclen, 425 tkip.ic_miclen, mic0); 426 if (memcmp(mic, mic0, tkip.ic_miclen)) { 427 /* NB: 802.11 layer handles statistic and debug msg */ 428 ieee80211_notify_michael_failure(vap, wh, 429 k->wk_rxkeyix != IEEE80211_KEYIX_NONE ? 430 k->wk_rxkeyix : k->wk_keyix); 431 return 0; 432 } 433 } 434 /* 435 * Strip MIC from the tail. 436 */ 437 m_adj(m, -tkip.ic_miclen); 438 439 /* 440 * Ok to update rsc now that MIC has been verified. 441 */ 442 tid = ieee80211_gettid(wh); 443 k->wk_keyrsc[tid] = ctx->rx_rsc; 444 445finish: 446 return 1; 447} 448 449/* 450 * Host AP crypt: host-based TKIP encryption implementation for Host AP driver 451 * 452 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 453 * 454 * This program is free software; you can redistribute it and/or modify 455 * it under the terms of the GNU General Public License version 2 as 456 * published by the Free Software Foundation. See README and COPYING for 457 * more details. 458 * 459 * Alternatively, this software may be distributed under the terms of BSD 460 * license. 461 */ 462 463static const __u32 crc32_table[256] = { 464 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 465 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 466 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 467 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 468 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 469 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 470 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 471 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 472 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 473 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 474 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 475 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 476 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 477 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 478 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 479 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 480 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 481 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 482 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 483 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 484 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 485 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 486 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 487 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 488 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 489 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 490 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 491 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 492 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 493 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 494 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 495 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 496 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 497 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 498 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 499 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 500 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 501 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 502 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 503 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 504 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 505 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 506 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 507 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 508 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 509 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 510 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 511 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 512 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 513 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 514 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 515 0x2d02ef8dL 516}; 517 518static __inline u16 RotR1(u16 val) 519{ 520 return (val >> 1) | (val << 15); 521} 522 523static __inline u8 Lo8(u16 val) 524{ 525 return val & 0xff; 526} 527 528static __inline u8 Hi8(u16 val) 529{ 530 return val >> 8; 531} 532 533static __inline u16 Lo16(u32 val) 534{ 535 return val & 0xffff; 536} 537 538static __inline u16 Hi16(u32 val) 539{ 540 return val >> 16; 541} 542 543static __inline u16 Mk16(u8 hi, u8 lo) 544{ 545 return lo | (((u16) hi) << 8); 546} 547 548static __inline u16 Mk16_le(const u16 *v) 549{ 550 return le16toh(*v); 551} 552 553static const u16 Sbox[256] = { 554 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154, 555 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A, 556 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B, 557 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B, 558 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F, 559 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F, 560 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5, 561 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F, 562 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB, 563 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397, 564 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED, 565 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A, 566 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194, 567 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3, 568 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104, 569 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D, 570 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39, 571 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695, 572 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83, 573 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76, 574 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4, 575 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B, 576 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0, 577 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018, 578 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751, 579 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85, 580 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12, 581 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9, 582 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7, 583 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A, 584 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8, 585 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A, 586}; 587 588static __inline u16 _S_(u16 v) 589{ 590 u16 t = Sbox[Hi8(v)]; 591 return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)); 592} 593 594#define PHASE1_LOOP_COUNT 8 595 596static void tkip_mixing_phase1(u16 *TTAK, const u8 *TK, const u8 *TA, u32 IV32) 597{ 598 int i, j; 599 600 /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */ 601 TTAK[0] = Lo16(IV32); 602 TTAK[1] = Hi16(IV32); 603 TTAK[2] = Mk16(TA[1], TA[0]); 604 TTAK[3] = Mk16(TA[3], TA[2]); 605 TTAK[4] = Mk16(TA[5], TA[4]); 606 607 for (i = 0; i < PHASE1_LOOP_COUNT; i++) { 608 j = 2 * (i & 1); 609 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j])); 610 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j])); 611 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j])); 612 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j])); 613 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i; 614 } 615} 616 617#ifndef _BYTE_ORDER 618#error "Don't know native byte order" 619#endif 620 621static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK, 622 u16 IV16) 623{ 624 /* Make temporary area overlap WEP seed so that the final copy can be 625 * avoided on little endian hosts. */ 626 u16 *PPK = (u16 *) &WEPSeed[4]; 627 628 /* Step 1 - make copy of TTAK and bring in TSC */ 629 PPK[0] = TTAK[0]; 630 PPK[1] = TTAK[1]; 631 PPK[2] = TTAK[2]; 632 PPK[3] = TTAK[3]; 633 PPK[4] = TTAK[4]; 634 PPK[5] = TTAK[4] + IV16; 635 636 /* Step 2 - 96-bit bijective mixing using S-box */ 637 PPK[0] += _S_(PPK[5] ^ Mk16_le((const u16 *) &TK[0])); 638 PPK[1] += _S_(PPK[0] ^ Mk16_le((const u16 *) &TK[2])); 639 PPK[2] += _S_(PPK[1] ^ Mk16_le((const u16 *) &TK[4])); 640 PPK[3] += _S_(PPK[2] ^ Mk16_le((const u16 *) &TK[6])); 641 PPK[4] += _S_(PPK[3] ^ Mk16_le((const u16 *) &TK[8])); 642 PPK[5] += _S_(PPK[4] ^ Mk16_le((const u16 *) &TK[10])); 643 644 PPK[0] += RotR1(PPK[5] ^ Mk16_le((const u16 *) &TK[12])); 645 PPK[1] += RotR1(PPK[0] ^ Mk16_le((const u16 *) &TK[14])); 646 PPK[2] += RotR1(PPK[1]); 647 PPK[3] += RotR1(PPK[2]); 648 PPK[4] += RotR1(PPK[3]); 649 PPK[5] += RotR1(PPK[4]); 650 651 /* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value 652 * WEPSeed[0..2] is transmitted as WEP IV */ 653 WEPSeed[0] = Hi8(IV16); 654 WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F; 655 WEPSeed[2] = Lo8(IV16); 656 WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const u16 *) &TK[0])) >> 1); 657 658#if _BYTE_ORDER == _BIG_ENDIAN 659 { 660 int i; 661 for (i = 0; i < 6; i++) 662 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8); 663 } 664#endif 665} 666 667static void 668wep_encrypt(u8 *key, struct mbuf *m0, u_int off, size_t data_len, 669 uint8_t icv[IEEE80211_WEP_CRCLEN]) 670{ 671 u32 i, j, k, crc; 672 size_t buflen; 673 u8 S[256]; 674 u8 *pos; 675 struct mbuf *m; 676#define S_SWAP(a,b) do { u8 t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 677 678 /* Setup RC4 state */ 679 for (i = 0; i < 256; i++) 680 S[i] = i; 681 j = 0; 682 for (i = 0; i < 256; i++) { 683 j = (j + S[i] + key[i & 0x0f]) & 0xff; 684 S_SWAP(i, j); 685 } 686 687 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 688 crc = ~0; 689 i = j = 0; 690 m = m0; 691 pos = mtod(m, uint8_t *) + off; 692 buflen = m->m_len - off; 693 for (;;) { 694 if (buflen > data_len) 695 buflen = data_len; 696 data_len -= buflen; 697 for (k = 0; k < buflen; k++) { 698 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 699 i = (i + 1) & 0xff; 700 j = (j + S[i]) & 0xff; 701 S_SWAP(i, j); 702 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 703 } 704 m = m->m_next; 705 if (m == NULL) { 706 KASSERT(data_len == 0, 707 ("out of buffers with data_len %zu\n", data_len)); 708 break; 709 } 710 pos = mtod(m, uint8_t *); 711 buflen = m->m_len; 712 } 713 crc = ~crc; 714 715 /* Append little-endian CRC32 and encrypt it to produce ICV */ 716 icv[0] = crc; 717 icv[1] = crc >> 8; 718 icv[2] = crc >> 16; 719 icv[3] = crc >> 24; 720 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 721 i = (i + 1) & 0xff; 722 j = (j + S[i]) & 0xff; 723 S_SWAP(i, j); 724 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 725 } 726} 727 728static int 729wep_decrypt(u8 *key, struct mbuf *m, u_int off, size_t data_len) 730{ 731 u32 i, j, k, crc; 732 u8 S[256]; 733 u8 *pos, icv[4]; 734 size_t buflen; 735 736 /* Setup RC4 state */ 737 for (i = 0; i < 256; i++) 738 S[i] = i; 739 j = 0; 740 for (i = 0; i < 256; i++) { 741 j = (j + S[i] + key[i & 0x0f]) & 0xff; 742 S_SWAP(i, j); 743 } 744 745 /* Apply RC4 to data and compute CRC32 over decrypted data */ 746 crc = ~0; 747 i = j = 0; 748 pos = mtod(m, uint8_t *) + off; 749 buflen = m->m_len - off; 750 for (;;) { 751 if (buflen > data_len) 752 buflen = data_len; 753 data_len -= buflen; 754 for (k = 0; k < buflen; k++) { 755 i = (i + 1) & 0xff; 756 j = (j + S[i]) & 0xff; 757 S_SWAP(i, j); 758 *pos ^= S[(S[i] + S[j]) & 0xff]; 759 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 760 pos++; 761 } 762 m = m->m_next; 763 if (m == NULL) { 764 KASSERT(data_len == 0, 765 ("out of buffers with data_len %zu\n", data_len)); 766 break; 767 } 768 pos = mtod(m, uint8_t *); 769 buflen = m->m_len; 770 } 771 crc = ~crc; 772 773 /* Encrypt little-endian CRC32 and verify that it matches with the 774 * received ICV */ 775 icv[0] = crc; 776 icv[1] = crc >> 8; 777 icv[2] = crc >> 16; 778 icv[3] = crc >> 24; 779 for (k = 0; k < 4; k++) { 780 i = (i + 1) & 0xff; 781 j = (j + S[i]) & 0xff; 782 S_SWAP(i, j); 783 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 784 /* ICV mismatch - drop frame */ 785 return -1; 786 } 787 } 788 789 return 0; 790} 791 792static __inline u32 rotl(u32 val, int bits) 793{ 794 return (val << bits) | (val >> (32 - bits)); 795} 796 797static __inline u32 rotr(u32 val, int bits) 798{ 799 return (val >> bits) | (val << (32 - bits)); 800} 801 802static __inline u32 xswap(u32 val) 803{ 804 return ((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8); 805} 806 807#define michael_block(l, r) \ 808do { \ 809 r ^= rotl(l, 17); \ 810 l += r; \ 811 r ^= xswap(l); \ 812 l += r; \ 813 r ^= rotl(l, 3); \ 814 l += r; \ 815 r ^= rotr(l, 2); \ 816 l += r; \ 817} while (0) 818 819static __inline u32 get_le32_split(u8 b0, u8 b1, u8 b2, u8 b3) 820{ 821 return b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); 822} 823 824static __inline u32 get_le32(const u8 *p) 825{ 826 return get_le32_split(p[0], p[1], p[2], p[3]); 827} 828 829static __inline void put_le32(u8 *p, u32 v) 830{ 831 p[0] = v; 832 p[1] = v >> 8; 833 p[2] = v >> 16; 834 p[3] = v >> 24; 835} 836 837/* 838 * Craft pseudo header used to calculate the MIC. 839 */ 840static void 841michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16]) 842{ 843 const struct ieee80211_frame_addr4 *wh = 844 (const struct ieee80211_frame_addr4 *) wh0; 845 846 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 847 case IEEE80211_FC1_DIR_NODS: 848 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 849 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 850 break; 851 case IEEE80211_FC1_DIR_TODS: 852 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 853 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2); 854 break; 855 case IEEE80211_FC1_DIR_FROMDS: 856 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 857 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3); 858 break; 859 case IEEE80211_FC1_DIR_DSTODS: 860 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 861 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4); 862 break; 863 } 864 865 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 866 const struct ieee80211_qosframe *qwh = 867 (const struct ieee80211_qosframe *) wh; 868 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 869 } else 870 hdr[12] = 0; 871 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 872} 873 874static void 875michael_mic(struct tkip_ctx *ctx, const u8 *key, 876 struct mbuf *m, u_int off, size_t data_len, 877 u8 mic[IEEE80211_WEP_MICLEN]) 878{ 879 uint8_t hdr[16]; 880 u32 l, r; 881 const uint8_t *data; 882 u_int space; 883 884 michael_mic_hdr(mtod(m, struct ieee80211_frame *), hdr); 885 886 l = get_le32(key); 887 r = get_le32(key + 4); 888 889 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 890 l ^= get_le32(hdr); 891 michael_block(l, r); 892 l ^= get_le32(&hdr[4]); 893 michael_block(l, r); 894 l ^= get_le32(&hdr[8]); 895 michael_block(l, r); 896 l ^= get_le32(&hdr[12]); 897 michael_block(l, r); 898 899 /* first buffer has special handling */ 900 data = mtod(m, const uint8_t *) + off; 901 space = m->m_len - off; 902 for (;;) { 903 if (space > data_len) 904 space = data_len; 905 /* collect 32-bit blocks from current buffer */ 906 while (space >= sizeof(uint32_t)) { 907 l ^= get_le32(data); 908 michael_block(l, r); 909 data += sizeof(uint32_t), space -= sizeof(uint32_t); 910 data_len -= sizeof(uint32_t); 911 } 912 /* 913 * NB: when space is zero we make one more trip around 914 * the loop to advance to the next mbuf where there is 915 * data. This handles the case where there are 4*n 916 * bytes in an mbuf followed by <4 bytes in a later mbuf. 917 * By making an extra trip we'll drop out of the loop 918 * with m pointing at the mbuf with 3 bytes and space 919 * set as required by the remainder handling below. 920 */ 921 if (data_len == 0 || 922 (data_len < sizeof(uint32_t) && space != 0)) 923 break; 924 m = m->m_next; 925 if (m == NULL) { 926 KASSERT(0, ("out of data, data_len %zu\n", data_len)); 927 break; 928 } 929 if (space != 0) { 930 const uint8_t *data_next; 931 /* 932 * Block straddles buffers, split references. 933 */ 934 data_next = mtod(m, const uint8_t *); 935 KASSERT(m->m_len >= sizeof(uint32_t) - space, 936 ("not enough data in following buffer, " 937 "m_len %u need %zu\n", m->m_len, 938 sizeof(uint32_t) - space)); 939 switch (space) { 940 case 1: 941 l ^= get_le32_split(data[0], data_next[0], 942 data_next[1], data_next[2]); 943 data = data_next + 3; 944 space = m->m_len - 3; 945 break; 946 case 2: 947 l ^= get_le32_split(data[0], data[1], 948 data_next[0], data_next[1]); 949 data = data_next + 2; 950 space = m->m_len - 2; 951 break; 952 case 3: 953 l ^= get_le32_split(data[0], data[1], 954 data[2], data_next[0]); 955 data = data_next + 1; 956 space = m->m_len - 1; 957 break; 958 } 959 michael_block(l, r); 960 data_len -= sizeof(uint32_t); 961 } else { 962 /* 963 * Setup for next buffer. 964 */ 965 data = mtod(m, const uint8_t *); 966 space = m->m_len; 967 } 968 } 969 /* 970 * Catch degenerate cases like mbuf[4*n+1 bytes] followed by 971 * mbuf[2 bytes]. I don't believe these should happen; if they 972 * do then we'll need more involved logic. 973 */ 974 KASSERT(data_len <= space, 975 ("not enough data, data_len %zu space %u\n", data_len, space)); 976 977 /* Last block and padding (0x5a, 4..7 x 0) */ 978 switch (data_len) { 979 case 0: 980 l ^= get_le32_split(0x5a, 0, 0, 0); 981 break; 982 case 1: 983 l ^= get_le32_split(data[0], 0x5a, 0, 0); 984 break; 985 case 2: 986 l ^= get_le32_split(data[0], data[1], 0x5a, 0); 987 break; 988 case 3: 989 l ^= get_le32_split(data[0], data[1], data[2], 0x5a); 990 break; 991 } 992 michael_block(l, r); 993 /* l ^= 0; */ 994 michael_block(l, r); 995 996 put_le32(mic, l); 997 put_le32(mic + 4, r); 998} 999 1000static int 1001tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1002 struct mbuf *m, int hdrlen) 1003{ 1004 struct ieee80211_frame *wh; 1005 uint8_t icv[IEEE80211_WEP_CRCLEN]; 1006 1007 ctx->tc_vap->iv_stats.is_crypto_tkip++; 1008 1009 wh = mtod(m, struct ieee80211_frame *); 1010 if ((u16)(key->wk_keytsc) == 0 || key->wk_keytsc == 1) { 1011 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2, 1012 (u32)(key->wk_keytsc >> 16)); 1013 } 1014 tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak, 1015 (u16) key->wk_keytsc); 1016 1017 wep_encrypt(ctx->tx_rc4key, 1018 m, hdrlen + tkip.ic_header, 1019 m->m_pkthdr.len - (hdrlen + tkip.ic_header), 1020 icv); 1021 (void) m_append(m, IEEE80211_WEP_CRCLEN, icv); /* XXX check return */ 1022 1023 return 1; 1024} 1025 1026static int 1027tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key, 1028 struct mbuf *m, int hdrlen) 1029{ 1030 struct ieee80211_frame *wh; 1031 struct ieee80211vap *vap = ctx->tc_vap; 1032 u32 iv32; 1033 u16 iv16; 1034 u8 tid; 1035 1036 vap->iv_stats.is_crypto_tkip++; 1037 1038 wh = mtod(m, struct ieee80211_frame *); 1039 /* NB: tkip_decap already verified header and left seq in rx_rsc */ 1040 iv16 = (u16) ctx->rx_rsc; 1041 iv32 = (u32) (ctx->rx_rsc >> 16); 1042 1043 tid = ieee80211_gettid(wh); 1044 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16) || !ctx->rx_phase1_done) { 1045 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key, 1046 wh->i_addr2, iv32); 1047 ctx->rx_phase1_done = 1; 1048 } 1049 tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16); 1050 1051 /* NB: m is unstripped; deduct headers + ICV to get payload */ 1052 if (wep_decrypt(ctx->rx_rc4key, 1053 m, hdrlen + tkip.ic_header, 1054 m->m_pkthdr.len - (hdrlen + tkip.ic_header + tkip.ic_trailer))) { 1055 if (iv32 != (u32)(key->wk_keyrsc[tid] >> 16)) { 1056 /* Previously cached Phase1 result was already lost, so 1057 * it needs to be recalculated for the next packet. */ 1058 ctx->rx_phase1_done = 0; 1059 } 1060 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 1061 "%s", "TKIP ICV mismatch on decrypt"); 1062 vap->iv_stats.is_rx_tkipicv++; 1063 return 0; 1064 } 1065 return 1; 1066} 1067 1068/* 1069 * Module glue. 1070 */ 1071IEEE80211_CRYPTO_MODULE(tkip, 1); 1072