1 /*
   2  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
   3  * Use is subject to license terms.
   4  */
   5 
   6 /*
   7  * Copyright (c) 2001 Atsushi Onoe
   8  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
   9  * All rights reserved.
  10  *
  11  * Redistribution and use in source and binary forms, with or without
  12  * modification, are permitted provided that the following conditions
  13  * are met:
  14  * 1. Redistributions of source code must retain the above copyright
  15  *    notice, this list of conditions and the following disclaimer.
  16  * 2. Redistributions in binary form must reproduce the above copyright
  17  *    notice, this list of conditions and the following disclaimer in the
  18  *    documentation and/or other materials provided with the distribution.
  19  * 3. The name of the author may not be used to endorse or promote products
  20  *    derived from this software without specific prior written permission.
  21  *
  22  * Alternatively, this software may be distributed under the terms of the
  23  * GNU General Public License ("GPL") version 2 as published by the Free
  24  * Software Foundation.
  25  *
  26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  27  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  28  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  29  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  30  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  31  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  35  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  36  */
  37 
  38 /*
  39  * IEEE 802.11i TKIP crypto support.
  40  *
  41  * Part of this module is derived from similar code in the Host
  42  * AP driver. The code is used with the consent of the author and
  43  * it's license is included below.
  44  */
  45 
  46 #include <sys/byteorder.h>
  47 #include <sys/crypto/common.h>
  48 #include <sys/crypto/api.h>
  49 #include <sys/crc32.h>
  50 #include <sys/random.h>
  51 #include <sys/strsun.h>
  52 #include "net80211_impl.h"
  53 
  54 static void *tkip_attach(struct ieee80211com *, struct ieee80211_key *);
  55 static void tkip_detach(struct ieee80211_key *);
  56 static int tkip_setkey(struct ieee80211_key *);
  57 static int tkip_encap(struct ieee80211_key *, mblk_t *, uint8_t);
  58 static int tkip_decap(struct ieee80211_key *, mblk_t *, int);
  59 static int tkip_enmic(struct ieee80211_key *, mblk_t *, int);
  60 static int tkip_demic(struct ieee80211_key *, mblk_t *, int);
  61 
  62 const struct ieee80211_cipher tkip  = {
  63         "TKIP",
  64         IEEE80211_CIPHER_TKIP,
  65         IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
  66             IEEE80211_WEP_EXTIVLEN,
  67         IEEE80211_WEP_CRCLEN,
  68         IEEE80211_WEP_MICLEN,
  69         tkip_attach,
  70         tkip_detach,
  71         tkip_setkey,
  72         tkip_encap,
  73         tkip_decap,
  74         tkip_enmic,
  75         tkip_demic,
  76 };
  77 
  78 struct tkip_ctx {
  79         struct ieee80211com     *tc_ic;         /* for diagnostics */
  80         uint16_t                tx_ttak[5];
  81         int                     tx_phase1_done;
  82         uint8_t                 tx_rc4key[16];
  83         uint16_t                rx_ttak[5];
  84         int                     rx_phase1_done;
  85         uint8_t                 rx_rc4key[16];
  86         uint64_t                rx_rsc;         /* held until MIC verified */
  87 };
  88 
  89 static void michael_mic(struct tkip_ctx *, const uint8_t *,
  90     mblk_t *, uint_t, size_t, uint8_t[]);
  91 static int tkip_encrypt(struct tkip_ctx *, struct ieee80211_key *,
  92     mblk_t *, int);
  93 static int tkip_decrypt(struct tkip_ctx *, struct ieee80211_key *,
  94     mblk_t *, int);
  95 
  96 extern int rc4_init(crypto_context_t *, const uint8_t *, int);
  97 extern int rc4_crypt(crypto_context_t, const uint8_t *, uint8_t *, int);
  98 extern int rc4_final(crypto_context_t, uint8_t *, int);
  99 
 100 /* ARGSUSED */
 101 static void *
 102 tkip_attach(struct ieee80211com *ic, struct ieee80211_key *k)
 103 {
 104         struct tkip_ctx *ctx;
 105 
 106         ctx = kmem_zalloc(sizeof (struct tkip_ctx), KM_SLEEP);
 107 
 108         ctx->tc_ic = ic;
 109         return (ctx);
 110 }
 111 
 112 static void
 113 tkip_detach(struct ieee80211_key *k)
 114 {
 115         struct tkip_ctx *ctx = k->wk_private;
 116 
 117         if (ctx != NULL)
 118                 kmem_free(ctx, sizeof (struct tkip_ctx));
 119 }
 120 
 121 static int
 122 tkip_setkey(struct ieee80211_key *k)
 123 {
 124         if (k->wk_keylen != (128/NBBY))
 125                 return (0);
 126 
 127         k->wk_keytsc = 1;            /* TSC starts at 1 */
 128         return (1);
 129 }
 130 
 131 /*
 132  * Add privacy headers appropriate for the specified key.
 133  */
 134 static int
 135 tkip_encap(struct ieee80211_key *k, mblk_t *mp, uint8_t keyid)
 136 {
 137         struct tkip_ctx *ctx = k->wk_private;
 138         struct ieee80211com *ic = ctx->tc_ic;
 139         uint8_t *ivp;
 140         int hdrlen;
 141 
 142         /*
 143          * Handle TKIP counter measures requirement.
 144          */
 145         if (ic->ic_flags & IEEE80211_F_COUNTERM)
 146                 return (0);
 147 
 148         hdrlen = ieee80211_hdrspace(ic, mp->b_rptr);
 149         /*
 150          * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
 151          */
 152         ivp = mp->b_rptr;
 153         ivp += hdrlen;
 154 
 155         ivp[0] = k->wk_keytsc >> 8;            /* TSC1 */
 156         ivp[1] = (ivp[0] | 0x20) & 0x7f;    /* WEP seed */
 157         ivp[2] = k->wk_keytsc >> 0;            /* TSC0 */
 158         ivp[3] = keyid | IEEE80211_WEP_EXTIV;   /* KeyID | ExtID */
 159         ivp[4] = k->wk_keytsc >> 16;           /* TSC2 */
 160         ivp[5] = k->wk_keytsc >> 24;           /* TSC3 */
 161         ivp[6] = k->wk_keytsc >> 32;           /* TSC4 */
 162         ivp[7] = k->wk_keytsc >> 40;           /* TSC5 */
 163 
 164         /*
 165          * Finally, do software encrypt if neeed.
 166          */
 167         if (k->wk_flags & IEEE80211_KEY_SWCRYPT) {
 168                 if (!tkip_encrypt(ctx, k, mp, hdrlen))
 169                         return (0);
 170         } else
 171                 k->wk_keytsc++;              /* wrap at 48 bits */
 172 
 173         return (1);
 174 }
 175 
 176 uint64_t
 177 ieee80211_read_6(uint8_t b0, uint8_t b1, uint8_t b2,
 178     uint8_t b3, uint8_t b4, uint8_t b5)
 179 {
 180         uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
 181         uint16_t iv16 = (b4 << 0) | (b5 << 8);
 182         return ((((uint64_t)iv16) << 32) | iv32);
 183 }
 184 
 185 /*
 186  * Validate and strip privacy headers (and trailer) for a
 187  * received frame.  If necessary, decrypt the frame using
 188  * the specified key.
 189  */
 190 static int
 191 tkip_decap(struct ieee80211_key *k, mblk_t *mp, int hdrlen)
 192 {
 193         struct tkip_ctx *ctx = k->wk_private;
 194         struct ieee80211com *ic = ctx->tc_ic;
 195         uint8_t *ivp;
 196         uint64_t pn;
 197 
 198         /*
 199          * Header should have extended IV and sequence number;
 200          * verify the former and validate the latter.
 201          */
 202         ivp = mp->b_rptr + hdrlen;
 203         if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
 204                 /*
 205                  * No extended IV; discard frame.
 206                  */
 207                 return (0);
 208         }
 209         /*
 210          * Handle TKIP counter measures requirement.
 211          */
 212         if (ic->ic_flags & IEEE80211_F_COUNTERM)
 213                 return (0);
 214 
 215         /* NB: assume IEEEE80211_WEP_MINLEN covers the extended IV */
 216         pn = ieee80211_read_6(ivp[2], ivp[0], ivp[4], ivp[5], ivp[6], ivp[7]);
 217         ctx->rx_rsc = pn;
 218         if (ctx->rx_rsc <= k->wk_keyrsc)
 219                 return (0);
 220         /*
 221          * NB: We can't update the rsc in the key until MIC is verified.
 222          *
 223          * We assume we are not preempted between doing the check above
 224          * and updating wk_keyrsc when stripping the MIC in tkip_demic.
 225          * Otherwise we might process another packet and discard it as
 226          * a replay.
 227          */
 228 
 229         /*
 230          * Check if the device handled the decrypt in hardware.
 231          * If so we just strip the header; otherwise we need to
 232          * handle the decrypt in software.
 233          */
 234         if (k->wk_flags & IEEE80211_KEY_SWCRYPT) {
 235                 if (!tkip_decrypt(ctx, k, mp, hdrlen))
 236                         return (0);
 237         }
 238 
 239         /*
 240          * Copy up 802.11 header and strip crypto bits.
 241          */
 242         (void) memmove(mp->b_rptr + tkip.ic_header, mp->b_rptr, hdrlen);
 243         mp->b_rptr += tkip.ic_header;
 244         mp->b_wptr -= tkip.ic_trailer;
 245 
 246         return (1);
 247 }
 248 
 249 /*
 250  * Add MIC to the frame as needed.
 251  */
 252 static int
 253 tkip_enmic(struct ieee80211_key *k, mblk_t *mp, int force)
 254 {
 255         struct tkip_ctx *ctx = k->wk_private;
 256 
 257         if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
 258                 int hdrlen;
 259                 uint8_t *mic;
 260 
 261                 hdrlen = ieee80211_hdrspace(ctx->tc_ic, mp->b_rptr);
 262                 mic = mp->b_wptr;
 263                 mp->b_wptr += tkip.ic_miclen;
 264 
 265                 if ((int)(MBLKL(mp) -
 266                     (hdrlen + tkip.ic_header + tkip.ic_miclen)) < 0)
 267                         return (0);     /* dead packet */
 268 
 269                 michael_mic(ctx, k->wk_txmic, mp, (hdrlen + tkip.ic_header),
 270                     MBLKL(mp) -
 271                     (hdrlen + tkip.ic_header + tkip.ic_miclen), mic);
 272         }
 273         return (1);
 274 }
 275 
 276 /*
 277  * Verify and strip MIC from the frame.
 278  */
 279 /* ARGSUSED */
 280 static int
 281 tkip_demic(struct ieee80211_key *k, mblk_t *mp, int force)
 282 {
 283         struct tkip_ctx *ctx = k->wk_private;
 284 
 285         if (force || (k->wk_flags & IEEE80211_KEY_SWMIC)) {
 286                 int hdrlen = ieee80211_hdrspace(ctx->tc_ic, mp->b_rptr);
 287                 uint8_t mic[IEEE80211_WEP_MICLEN];
 288                 uint8_t mic0[IEEE80211_WEP_MICLEN];
 289 
 290                 michael_mic(ctx, k->wk_rxmic,
 291                     mp, hdrlen,
 292                     MBLKL(mp) - (hdrlen + tkip.ic_miclen),
 293                     mic);
 294                 bcopy(mp->b_wptr - tkip.ic_miclen, mic0, tkip.ic_miclen);
 295                 if (bcmp(mic, mic0, tkip.ic_miclen)) {
 296                         ieee80211_dbg(IEEE80211_MSG_CRYPTO,
 297                             "tkip_demic() mic mismatch\n");
 298                         return (0);
 299                 }
 300         }
 301         /*
 302          * Strip MIC from the tail.
 303          */
 304         mp->b_wptr -= tkip.ic_miclen;
 305         /*
 306          * Ok to update rsc now that MIC has been verified.
 307          */
 308         k->wk_keyrsc = ctx->rx_rsc;
 309         return (1);
 310 }
 311 
 312 /*
 313  * For the avoidance of doubt, except that if any license choice other
 314  * than GPL or LGPL is available it will apply instead, Sun elects to
 315  * use only the General Public License version 2 (GPLv2) at this time
 316  * for any software where a choice of GPL license versions is made
 317  * available with the language indicating that GPLv2 or any later
 318  * version may be used, or where a choice of which version of the GPL
 319  * is applied is otherwise unspecified.
 320  */
 321 
 322 /*
 323  * Host AP crypt: host-based TKIP encryption implementation for Host AP driver
 324  *
 325  * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
 326  *
 327  * This program is free software; you can redistribute it and/or modify
 328  * it under the terms of the GNU General Public License version 2 as
 329  * published by the Free Software Foundation. See README and COPYING for
 330  * more details.
 331  *
 332  * Alternatively, this software may be distributed under the terms of BSD
 333  * license.
 334  */
 335 
 336 /* Table of CRCs of all 8-bit messages */
 337 static uint32_t crc_table[] = { CRC32_TABLE };
 338 
 339 static uint16_t
 340 RotR1(uint16_t val)
 341 {
 342         return ((val >> 1) | (val << 15));
 343 }
 344 
 345 static uint8_t
 346 Lo8(uint16_t val)
 347 {
 348         return (val & 0xff);
 349 }
 350 
 351 static uint8_t
 352 Hi8(uint16_t val)
 353 {
 354         return (val >> 8);
 355 }
 356 
 357 static uint16_t
 358 Lo16(uint32_t val)
 359 {
 360         return (val & 0xffff);
 361 }
 362 
 363 static uint16_t
 364 Hi16(uint32_t val)
 365 {
 366         return (val >> 16);
 367 }
 368 
 369 static uint16_t
 370 Mk16(uint8_t hi, uint8_t lo)
 371 {
 372         return (lo | (((uint16_t)hi) << 8));
 373 }
 374 
 375 static uint16_t
 376 Mk16_le(const uint16_t *v)
 377 {
 378         return (LE_16(*v));
 379 }
 380 
 381 static const uint16_t Sbox[256] = {
 382         0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
 383         0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
 384         0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
 385         0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
 386         0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
 387         0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
 388         0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
 389         0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
 390         0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
 391         0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
 392         0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
 393         0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
 394         0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
 395         0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
 396         0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
 397         0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
 398         0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
 399         0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
 400         0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
 401         0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
 402         0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
 403         0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
 404         0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
 405         0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
 406         0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
 407         0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
 408         0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
 409         0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
 410         0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
 411         0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
 412         0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
 413         0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
 414 };
 415 
 416 static uint16_t
 417 _S_(uint16_t v)
 418 {
 419         uint16_t t = Sbox[Hi8(v)];
 420         return (Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8)));
 421 }
 422 
 423 #define PHASE1_LOOP_COUNT       8
 424 
 425 static void
 426 tkip_mixing_phase1(uint16_t *TTAK, const uint8_t *TK,
 427     const uint8_t *TA, uint32_t IV32)
 428 {
 429         int i, j;
 430 
 431         /* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
 432         TTAK[0] = Lo16(IV32);
 433         TTAK[1] = Hi16(IV32);
 434         TTAK[2] = Mk16(TA[1], TA[0]);
 435         TTAK[3] = Mk16(TA[3], TA[2]);
 436         TTAK[4] = Mk16(TA[5], TA[4]);
 437 
 438         for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
 439                 j = 2 * (i & 1);
 440                 TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
 441                 TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
 442                 TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
 443                 TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
 444                 TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
 445         }
 446 }
 447 
 448 static void
 449 tkip_mixing_phase2(uint8_t *WEPSeed, const uint8_t *TK,
 450     const uint16_t *TTAK, uint16_t IV16)
 451 {
 452         /*
 453          * Make temporary area overlap WEP seed so that the final copy can be
 454          * avoided on little endian hosts.
 455          */
 456         uint16_t *PPK = (uint16_t *)&WEPSeed[4];
 457 
 458         /* Step 1 - make copy of TTAK and bring in TSC */
 459         PPK[0] = TTAK[0];
 460         PPK[1] = TTAK[1];
 461         PPK[2] = TTAK[2];
 462         PPK[3] = TTAK[3];
 463         PPK[4] = TTAK[4];
 464         PPK[5] = TTAK[4] + IV16;
 465 
 466         /* Step 2 - 96-bit bijective mixing using S-box */
 467         PPK[0] += _S_(PPK[5] ^ Mk16_le((const uint16_t *) &TK[0]));
 468         PPK[1] += _S_(PPK[0] ^ Mk16_le((const uint16_t *) &TK[2]));
 469         PPK[2] += _S_(PPK[1] ^ Mk16_le((const uint16_t *) &TK[4]));
 470         PPK[3] += _S_(PPK[2] ^ Mk16_le((const uint16_t *) &TK[6]));
 471         PPK[4] += _S_(PPK[3] ^ Mk16_le((const uint16_t *) &TK[8]));
 472         PPK[5] += _S_(PPK[4] ^ Mk16_le((const uint16_t *) &TK[10]));
 473 
 474         PPK[0] += RotR1(PPK[5] ^ Mk16_le((const uint16_t *) &TK[12]));
 475         PPK[1] += RotR1(PPK[0] ^ Mk16_le((const uint16_t *) &TK[14]));
 476         PPK[2] += RotR1(PPK[1]);
 477         PPK[3] += RotR1(PPK[2]);
 478         PPK[4] += RotR1(PPK[3]);
 479         PPK[5] += RotR1(PPK[4]);
 480 
 481         /*
 482          * Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
 483          * WEPSeed[0..2] is transmitted as WEP IV
 484          */
 485         WEPSeed[0] = Hi8(IV16);
 486         WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
 487         WEPSeed[2] = Lo8(IV16);
 488         WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((const uint16_t *) &TK[0])) >> 1);
 489 
 490 #ifdef _BIG_ENDIAN
 491         int i;
 492         for (i = 0; i < 6; i++)
 493                 PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
 494 #endif
 495 }
 496 
 497 static int
 498 wep_encrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len,
 499     uint8_t icv[IEEE80211_WEP_CRCLEN])
 500 {
 501         uint8_t crcbuf[IEEE80211_WEP_CRCLEN];
 502         uint32_t crc;
 503         crypto_context_t ctx;
 504         int rv;
 505 
 506         ctx = NULL;
 507         rv = rc4_init(&ctx, (const uint8_t *)key, 16);
 508         if (rv != CRYPTO_SUCCESS)
 509                 return (0);
 510 
 511         /* calculate CRC over unencrypted data */
 512         CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table);
 513 
 514         /* encrypt data */
 515         (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len);
 516 
 517         /* tack on ICV */
 518         *(uint32_t *)crcbuf = LE_32(~crc);
 519         (void) rc4_crypt(ctx, crcbuf, icv, IEEE80211_WEP_CRCLEN);
 520 
 521         (void) rc4_final(ctx, icv, IEEE80211_WEP_CRCLEN);
 522 
 523         return (1);
 524 }
 525 
 526 static int
 527 wep_decrypt(uint8_t *key, mblk_t *mp, uint_t off, size_t data_len)
 528 {
 529         uint8_t crcbuf[IEEE80211_WEP_CRCLEN];
 530         uint8_t *icv;
 531         uint32_t crc;
 532         crypto_context_t ctx;
 533         int rv;
 534 
 535         ctx = NULL;
 536         rv = rc4_init(&ctx, (const uint8_t *)key, 16);
 537         if (rv != CRYPTO_SUCCESS)
 538                 return (0);
 539 
 540         /* decrypt data */
 541         (void) rc4_crypt(ctx, mp->b_rptr + off, mp->b_rptr + off, data_len);
 542 
 543         /* calculate CRC over unencrypted data */
 544         CRC32(crc, mp->b_rptr + off, data_len, -1U, crc_table);
 545 
 546         /* decrypt ICV and compare to CRC */
 547         icv = mp->b_wptr - IEEE80211_WEP_CRCLEN;
 548         (void) rc4_crypt(ctx, icv, crcbuf, IEEE80211_WEP_CRCLEN);
 549         (void) rc4_final(ctx, crcbuf, IEEE80211_WEP_CRCLEN);
 550 
 551         return (crc == ~LE_32(*(uint32_t *)crcbuf));
 552 }
 553 
 554 static uint32_t
 555 rotl(uint32_t val, int bits)
 556 {
 557         return ((val << bits) | (val >> (32 - bits)));
 558 }
 559 
 560 
 561 static uint32_t
 562 rotr(uint32_t val, int bits)
 563 {
 564         return ((val >> bits) | (val << (32 - bits)));
 565 }
 566 
 567 
 568 static uint32_t
 569 xswap(uint32_t val)
 570 {
 571         return (((val & 0x00ff00ff) << 8) | ((val & 0xff00ff00) >> 8));
 572 }
 573 
 574 
 575 #define michael_block(l, r)     \
 576 do {                            \
 577         r ^= rotl(l, 17);       \
 578         l += r;                 \
 579         r ^= xswap(l);          \
 580         l += r;                 \
 581         r ^= rotl(l, 3);        \
 582         l += r;                 \
 583         r ^= rotr(l, 2);        \
 584         l += r;                 \
 585         _NOTE(CONSTANTCONDITION)\
 586 } while (0)
 587 
 588 
 589 static uint32_t
 590 get_le32_split(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
 591 {
 592         return (b0 | (b1 << 8) | (b2 << 16) | (b3 << 24));
 593 }
 594 
 595 static uint32_t
 596 get_le32(const uint8_t *p)
 597 {
 598         return (get_le32_split(p[0], p[1], p[2], p[3]));
 599 }
 600 
 601 
 602 static void
 603 put_le32(uint8_t *p, uint32_t v)
 604 {
 605         p[0] = (uint8_t)v;
 606         p[1] = v >> 8;
 607         p[2] = v >> 16;
 608         p[3] = v >> 24;
 609 }
 610 
 611 /*
 612  * Craft pseudo header used to calculate the MIC.
 613  */
 614 static void
 615 michael_mic_hdr(const struct ieee80211_frame *wh0, uint8_t hdr[16])
 616 {
 617         const struct ieee80211_frame_addr4 *wh =
 618             (const struct ieee80211_frame_addr4 *)wh0;
 619 
 620         switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
 621         case IEEE80211_FC1_DIR_NODS:
 622                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
 623                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
 624                 break;
 625         case IEEE80211_FC1_DIR_TODS:
 626                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
 627                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr2);
 628                 break;
 629         case IEEE80211_FC1_DIR_FROMDS:
 630                 IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */
 631                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr3);
 632                 break;
 633         case IEEE80211_FC1_DIR_DSTODS:
 634                 IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */
 635                 IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, wh->i_addr4);
 636                 break;
 637         }
 638 
 639         if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) {
 640                 const struct ieee80211_qosframe *qwh =
 641                     (const struct ieee80211_qosframe *)wh;
 642                 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID;
 643         } else
 644                 hdr[12] = 0;
 645         hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */
 646 }
 647 
 648 /* ARGSUSED */
 649 static void
 650 michael_mic(struct tkip_ctx *ctx, const uint8_t *key,
 651     mblk_t *mp, uint_t off, size_t data_len,
 652     uint8_t mic[IEEE80211_WEP_MICLEN])
 653 {
 654         uint8_t hdr[16];
 655         uint32_t l, r;
 656         const uint8_t *data;
 657         int i, blocks, last;
 658 
 659         michael_mic_hdr((struct ieee80211_frame *)mp->b_rptr, hdr);
 660 
 661         l = get_le32(key);
 662         r = get_le32(key + 4);
 663 
 664         /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
 665         l ^= get_le32(hdr);
 666         michael_block(l, r);
 667         l ^= get_le32(&hdr[4]);
 668         michael_block(l, r);
 669         l ^= get_le32(&hdr[8]);
 670         michael_block(l, r);
 671         l ^= get_le32(&hdr[12]);
 672         michael_block(l, r);
 673 
 674         /* first buffer has special handling */
 675         data = mp->b_rptr + off;
 676 
 677         blocks = data_len / 4;
 678         last = data_len % 4;
 679 
 680         for (i = 0; i < blocks; i++) {
 681                 l ^= get_le32(&data[4 * i]);
 682                 michael_block(l, r);
 683         }
 684 
 685         /* Last block and padding (0x5a, 4..7 x 0) */
 686         switch (last) {
 687         case 0:
 688                 l ^= 0x5a;
 689                 break;
 690         case 1:
 691                 l ^= data[4 * i] | 0x5a00;
 692                 break;
 693         case 2:
 694                 l ^= data[4 * i] | (data[4 * i + 1] << 8) | 0x5a0000;
 695                 break;
 696         case 3:
 697                 l ^= data[4 * i] | (data[4 * i + 1] << 8) |
 698                     (data[4 * i + 2] << 16) | 0x5a000000;
 699                 break;
 700         }
 701         michael_block(l, r);
 702         /* l ^= 0; */
 703         michael_block(l, r);
 704 
 705         put_le32(mic, l);
 706         put_le32(mic + 4, r);
 707 }
 708 
 709 static int
 710 tkip_encrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
 711     mblk_t *mp, int hdrlen)
 712 {
 713         struct ieee80211_frame *wh;
 714         uint8_t *icv;
 715 
 716         wh = (struct ieee80211_frame *)mp->b_rptr;
 717         if (!ctx->tx_phase1_done) {
 718                 tkip_mixing_phase1(ctx->tx_ttak, key->wk_key, wh->i_addr2,
 719                     (uint32_t)(key->wk_keytsc >> 16));
 720                 ctx->tx_phase1_done = 1;
 721         }
 722         tkip_mixing_phase2(ctx->tx_rc4key, key->wk_key, ctx->tx_ttak,
 723             (uint16_t)key->wk_keytsc);
 724 
 725         icv = mp->b_wptr;
 726         mp->b_wptr += tkip.ic_trailer;
 727 
 728         (void) wep_encrypt(ctx->tx_rc4key,
 729             mp, hdrlen + tkip.ic_header,
 730             MBLKL(mp) -
 731             (hdrlen + tkip.ic_header + tkip.ic_trailer),
 732             icv);
 733 
 734         key->wk_keytsc++;
 735         if ((uint16_t)(key->wk_keytsc) == 0)
 736                 ctx->tx_phase1_done = 0;
 737         return (1);
 738 }
 739 
 740 static int
 741 tkip_decrypt(struct tkip_ctx *ctx, struct ieee80211_key *key,
 742     mblk_t *mp, int hdrlen)
 743 {
 744         struct ieee80211_frame *wh;
 745         uint32_t iv32;
 746         uint16_t iv16;
 747 
 748         wh = (struct ieee80211_frame *)mp->b_rptr;
 749         /* tkip_decap already verified header and left seq in rx_rsc */
 750         iv16 = (uint16_t)ctx->rx_rsc;
 751         iv32 = (uint32_t)(ctx->rx_rsc >> 16);
 752 
 753         if (iv32 != (uint32_t)(key->wk_keyrsc >> 16) || !ctx->rx_phase1_done) {
 754                 tkip_mixing_phase1(ctx->rx_ttak, key->wk_key,
 755                     wh->i_addr2, iv32);
 756                 ctx->rx_phase1_done = 0;     /* DHCP */
 757         }
 758         tkip_mixing_phase2(ctx->rx_rc4key, key->wk_key, ctx->rx_ttak, iv16);
 759 
 760         /* m is unstripped; deduct headers + ICV to get payload */
 761         if (!wep_decrypt(ctx->rx_rc4key,
 762             mp, hdrlen + tkip.ic_header,
 763             MBLKL(mp) -
 764             (hdrlen + tkip.ic_header + tkip.ic_trailer))) {
 765                 if (iv32 != (uint32_t)(key->wk_keyrsc >> 16)) {
 766                         /*
 767                          * Previously cached Phase1 result was already lost, so
 768                          * it needs to be recalculated for the next packet.
 769                          */
 770                         ctx->rx_phase1_done = 0;
 771                 }
 772                 ieee80211_dbg(IEEE80211_MSG_CRYPTO, "tkip_decrypt() error\n");
 773                 return (0);
 774         }
 775         return (1);
 776 }