1 /******************************************************************************
3 * Copyright(c) 2007 - 2011 Realtek Corporation. All rights reserved.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * This program is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
14 * You should have received a copy of the GNU General Public License along with
15 * this program; if not, write to the Free Software Foundation, Inc.,
16 * 51 Franklin Street, Fifth Floor, Boston, MA 02110, USA
19 ******************************************************************************/
20 #define _RTW_SECURITY_C_
23 #include <osdep_service.h>
24 #include <drv_types.h>
26 #include <osdep_intf.h>
29 //=====WEP related=====
31 #define CRC32_POLY 0x04c11db7
41 static void arcfour_init(struct arc4context *parc4ctx, u8 * key,u32 key_len)
49 state = parc4ctx->state;
52 for (counter = 0; counter < 256; counter++)
53 state[counter] = (u8)counter;
56 for (counter = 0; counter < 256; counter++)
59 stateindex = (stateindex + key[keyindex] + t) & 0xff;
60 u = state[stateindex];
61 state[stateindex] = (u8)t;
62 state[counter] = (u8)u;
63 if (++keyindex >= key_len)
68 static u32 arcfour_byte( struct arc4context *parc4ctx)
75 state = parc4ctx->state;
76 x = (parc4ctx->x + 1) & 0xff;
78 y = (sx + parc4ctx->y) & 0xff;
85 return state[(sx + sy) & 0xff];
89 static void arcfour_encrypt( struct arc4context *parc4ctx,
96 for (i = 0; i < len; i++)
97 dest[i] = src[i] ^ (unsigned char)arcfour_byte(parc4ctx);
101 static sint bcrc32initialized = 0;
102 static u32 crc32_table[256];
105 static u8 crc32_reverseBit( u8 data)
107 return( (u8)((data<<7)&0x80) | ((data<<5)&0x40) | ((data<<3)&0x20) | ((data<<1)&0x10) | ((data>>1)&0x08) | ((data>>3)&0x04) | ((data>>5)&0x02) | ((data>>7)&0x01) );
110 static void crc32_init(void)
113 if (bcrc32initialized == 1)
123 for (i = 0; i < 256; ++i)
125 k = crc32_reverseBit((u8)i);
126 for (c = ((u32)k) << 24, j = 8; j > 0; --j){
127 c = c & 0x80000000 ? (c << 1) ^ CRC32_POLY : (c << 1);
129 p1 = (u8 *)&crc32_table[i];
131 p1[0] = crc32_reverseBit(p[3]);
132 p1[1] = crc32_reverseBit(p[2]);
133 p1[2] = crc32_reverseBit(p[1]);
134 p1[3] = crc32_reverseBit(p[0]);
136 bcrc32initialized= 1;
142 static u32 getcrc32(u8 *buf, sint len)
147 if (bcrc32initialized == 0) crc32_init();
149 crc = 0xffffffff; /* preload shift register, per CRC-32 spec */
151 for (p = buf; len > 0; ++p, --len)
153 crc = crc32_table[ (crc ^ *p) & 0xff] ^ (crc >> 8);
156 return ~crc; /* transmit complement, per CRC-32 spec */
161 Need to consider the fragment situation
163 void rtw_wep_encrypt(_adapter *padapter, u8 *pxmitframe)
166 unsigned char crc[4];
167 struct arc4context mycontext;
169 sint curfragnum,length;
172 u8 *pframe, *payload,*iv; //,*wepkey
174 struct pkt_attrib *pattrib = &((struct xmit_frame*)pxmitframe)->attrib;
175 struct security_priv *psecuritypriv=&padapter->securitypriv;
176 struct xmit_priv *pxmitpriv=&padapter->xmitpriv;
181 if(((struct xmit_frame*)pxmitframe)->buf_addr==NULL)
184 #ifdef CONFIG_USB_TX_AGGREGATION
185 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_SIZE +
186 (((struct xmit_frame*)pxmitframe)->pkt_offset * PACKET_OFFSET_SZ);
188 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_OFFSET;
191 //start to encrypt each fragment
192 if((pattrib->encrypt==_WEP40_)||(pattrib->encrypt==_WEP104_))
194 keylength=psecuritypriv->dot11DefKeylen[psecuritypriv->dot11PrivacyKeyIndex];
196 for(curfragnum=0;curfragnum<pattrib->nr_frags;curfragnum++)
198 iv=pframe+pattrib->hdrlen;
199 _rtw_memcpy(&wepkey[0], iv, 3);
200 _rtw_memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0],keylength);
201 payload=pframe+pattrib->iv_len+pattrib->hdrlen;
203 if((curfragnum+1)==pattrib->nr_frags)
204 { //the last fragment
206 length=pattrib->last_txcmdsz-pattrib->hdrlen-pattrib->iv_len- pattrib->icv_len;
208 *((u32 *)crc)=cpu_to_le32(getcrc32(payload,length));
210 arcfour_init(&mycontext, wepkey,3+keylength);
211 arcfour_encrypt(&mycontext, payload, payload, length);
212 arcfour_encrypt(&mycontext, payload+length, crc, 4);
217 length=pxmitpriv->frag_len-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len ;
218 *((u32 *)crc)=cpu_to_le32(getcrc32(payload,length));
219 arcfour_init(&mycontext, wepkey,3+keylength);
220 arcfour_encrypt(&mycontext, payload, payload, length);
221 arcfour_encrypt(&mycontext, payload+length, crc, 4);
223 pframe+=pxmitpriv->frag_len;
224 pframe=(u8 *)RND4((SIZE_PTR)(pframe));
236 void rtw_wep_decrypt(_adapter *padapter, u8 *precvframe)
240 struct arc4context mycontext;
243 u8 *pframe, *payload,*iv,wepkey[16];
245 struct rx_pkt_attrib *prxattrib = &(((union recv_frame*)precvframe)->u.hdr.attrib);
246 struct security_priv *psecuritypriv=&padapter->securitypriv;
250 pframe=(unsigned char *)((union recv_frame*)precvframe)->u.hdr.rx_data;
252 //start to decrypt recvframe
253 if((prxattrib->encrypt==_WEP40_)||(prxattrib->encrypt==_WEP104_))
255 iv=pframe+prxattrib->hdrlen;
256 //keyindex=(iv[3]&0x3);
257 keyindex = prxattrib->key_index;
258 keylength=psecuritypriv->dot11DefKeylen[keyindex];
259 _rtw_memcpy(&wepkey[0], iv, 3);
260 //_rtw_memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0],keylength);
261 _rtw_memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0],keylength);
262 length= ((union recv_frame *)precvframe)->u.hdr.len-prxattrib->hdrlen-prxattrib->iv_len;
264 payload=pframe+prxattrib->iv_len+prxattrib->hdrlen;
266 //decrypt payload include icv
267 arcfour_init(&mycontext, wepkey,3+keylength);
268 arcfour_encrypt(&mycontext, payload, payload, length);
270 //calculate icv and compare the icv
271 *((u32 *)crc)=le32_to_cpu(getcrc32(payload,length-4));
273 if(crc[3]!=payload[length-1] || crc[2]!=payload[length-2] || crc[1]!=payload[length-3] || crc[0]!=payload[length-4])
275 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_wep_decrypt:icv error crc[3](%x)!=payload[length-1](%x) || crc[2](%x)!=payload[length-2](%x) || crc[1](%x)!=payload[length-3](%x) || crc[0](%x)!=payload[length-4](%x)\n",
276 crc[3],payload[length-1],crc[2],payload[length-2],crc[1],payload[length-3],crc[0],payload[length-4]));
287 //3 =====TKIP related=====
289 static u32 secmicgetuint32( u8 * p )
290 // Convert from Byte[] to Us4Byte32 in a portable way
297 res |= ((u32)(*p++)) << (8*i);
303 static void secmicputuint32( u8 * p, u32 val )
304 // Convert from Us4Byte32 to Byte[] in a portable way
310 *p++ = (u8) (val & 0xff);
316 static void secmicclear(struct mic_data *pmicdata)
318 // Reset the state to the empty message.
320 pmicdata->L = pmicdata->K0;
321 pmicdata->R = pmicdata->K1;
322 pmicdata->nBytesInM = 0;
327 void rtw_secmicsetkey(struct mic_data *pmicdata, u8 * key )
331 pmicdata->K0 = secmicgetuint32( key );
332 pmicdata->K1 = secmicgetuint32( key + 4 );
333 // and reset the message
334 secmicclear(pmicdata);
338 void rtw_secmicappendbyte(struct mic_data *pmicdata, u8 b )
341 // Append the byte to our word-sized buffer
342 pmicdata->M |= ((unsigned long)b) << (8*pmicdata->nBytesInM);
343 pmicdata->nBytesInM++;
344 // Process the word if it is full.
345 if( pmicdata->nBytesInM >= 4 )
347 pmicdata->L ^= pmicdata->M;
348 pmicdata->R ^= ROL32( pmicdata->L, 17 );
349 pmicdata->L += pmicdata->R;
350 pmicdata->R ^= ((pmicdata->L & 0xff00ff00) >> 8) | ((pmicdata->L & 0x00ff00ff) << 8);
351 pmicdata->L += pmicdata->R;
352 pmicdata->R ^= ROL32( pmicdata->L, 3 );
353 pmicdata->L += pmicdata->R;
354 pmicdata->R ^= ROR32( pmicdata->L, 2 );
355 pmicdata->L += pmicdata->R;
358 pmicdata->nBytesInM = 0;
363 void rtw_secmicappend(struct mic_data *pmicdata, u8 * src, u32 nbytes )
369 rtw_secmicappendbyte(pmicdata, *src++ );
375 void rtw_secgetmic(struct mic_data *pmicdata, u8 * dst )
378 // Append the minimum padding
379 rtw_secmicappendbyte(pmicdata, 0x5a );
380 rtw_secmicappendbyte(pmicdata, 0 );
381 rtw_secmicappendbyte(pmicdata, 0 );
382 rtw_secmicappendbyte(pmicdata, 0 );
383 rtw_secmicappendbyte(pmicdata, 0 );
384 // and then zeroes until the length is a multiple of 4
385 while( pmicdata->nBytesInM != 0 )
387 rtw_secmicappendbyte(pmicdata, 0 );
389 // The appendByte function has already computed the result.
390 secmicputuint32( dst, pmicdata->L );
391 secmicputuint32( dst+4, pmicdata->R );
392 // Reset to the empty message.
393 secmicclear(pmicdata);
398 void rtw_seccalctkipmic(u8 * key,u8 *header,u8 *data,u32 data_len,u8 *mic_code, u8 pri)
401 struct mic_data micdata;
402 u8 priority[4]={0x0,0x0,0x0,0x0};
404 rtw_secmicsetkey(&micdata, key);
407 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
408 if(header[1]&1){ //ToDS==1
409 rtw_secmicappend(&micdata, &header[16], 6); //DA
410 if(header[1]&2) //From Ds==1
411 rtw_secmicappend(&micdata, &header[24], 6);
413 rtw_secmicappend(&micdata, &header[10], 6);
416 rtw_secmicappend(&micdata, &header[4], 6); //DA
417 if(header[1]&2) //From Ds==1
418 rtw_secmicappend(&micdata, &header[16], 6);
420 rtw_secmicappend(&micdata, &header[10], 6);
423 rtw_secmicappend(&micdata, &priority[0], 4);
426 rtw_secmicappend(&micdata, data, data_len);
428 rtw_secgetmic(&micdata,mic_code);
435 /* macros for extraction/creation of unsigned char/unsigned short values */
436 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
437 #define Lo8(v16) ((u8)( (v16) & 0x00FF))
438 #define Hi8(v16) ((u8)(((v16) >> 8) & 0x00FF))
439 #define Lo16(v32) ((u16)( (v32) & 0xFFFF))
440 #define Hi16(v32) ((u16)(((v32) >>16) & 0xFFFF))
441 #define Mk16(hi,lo) ((lo) ^ (((u16)(hi)) << 8))
443 /* select the Nth 16-bit word of the temporal key unsigned char array TK[] */
444 #define TK16(N) Mk16(tk[2*(N)+1],tk[2*(N)])
446 /* S-box lookup: 16 bits --> 16 bits */
447 #define _S_(v16) (Sbox1[0][Lo8(v16)] ^ Sbox1[1][Hi8(v16)])
449 /* fixed algorithm "parameters" */
450 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
451 #define TA_SIZE 6 /* 48-bit transmitter address */
452 #define TK_SIZE 16 /* 128-bit temporal key */
453 #define P1K_SIZE 10 /* 80-bit Phase1 key */
454 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */
457 /* 2-unsigned char by 2-unsigned char subset of the full AES S-box table */
458 static const unsigned short Sbox1[2][256]= /* Sbox for hash (can be in ROM) */
460 0xC6A5,0xF884,0xEE99,0xF68D,0xFF0D,0xD6BD,0xDEB1,0x9154,
461 0x6050,0x0203,0xCEA9,0x567D,0xE719,0xB562,0x4DE6,0xEC9A,
462 0x8F45,0x1F9D,0x8940,0xFA87,0xEF15,0xB2EB,0x8EC9,0xFB0B,
463 0x41EC,0xB367,0x5FFD,0x45EA,0x23BF,0x53F7,0xE496,0x9B5B,
464 0x75C2,0xE11C,0x3DAE,0x4C6A,0x6C5A,0x7E41,0xF502,0x834F,
465 0x685C,0x51F4,0xD134,0xF908,0xE293,0xAB73,0x6253,0x2A3F,
466 0x080C,0x9552,0x4665,0x9D5E,0x3028,0x37A1,0x0A0F,0x2FB5,
467 0x0E09,0x2436,0x1B9B,0xDF3D,0xCD26,0x4E69,0x7FCD,0xEA9F,
468 0x121B,0x1D9E,0x5874,0x342E,0x362D,0xDCB2,0xB4EE,0x5BFB,
469 0xA4F6,0x764D,0xB761,0x7DCE,0x527B,0xDD3E,0x5E71,0x1397,
470 0xA6F5,0xB968,0x0000,0xC12C,0x4060,0xE31F,0x79C8,0xB6ED,
471 0xD4BE,0x8D46,0x67D9,0x724B,0x94DE,0x98D4,0xB0E8,0x854A,
472 0xBB6B,0xC52A,0x4FE5,0xED16,0x86C5,0x9AD7,0x6655,0x1194,
473 0x8ACF,0xE910,0x0406,0xFE81,0xA0F0,0x7844,0x25BA,0x4BE3,
474 0xA2F3,0x5DFE,0x80C0,0x058A,0x3FAD,0x21BC,0x7048,0xF104,
475 0x63DF,0x77C1,0xAF75,0x4263,0x2030,0xE51A,0xFD0E,0xBF6D,
476 0x814C,0x1814,0x2635,0xC32F,0xBEE1,0x35A2,0x88CC,0x2E39,
477 0x9357,0x55F2,0xFC82,0x7A47,0xC8AC,0xBAE7,0x322B,0xE695,
478 0xC0A0,0x1998,0x9ED1,0xA37F,0x4466,0x547E,0x3BAB,0x0B83,
479 0x8CCA,0xC729,0x6BD3,0x283C,0xA779,0xBCE2,0x161D,0xAD76,
480 0xDB3B,0x6456,0x744E,0x141E,0x92DB,0x0C0A,0x486C,0xB8E4,
481 0x9F5D,0xBD6E,0x43EF,0xC4A6,0x39A8,0x31A4,0xD337,0xF28B,
482 0xD532,0x8B43,0x6E59,0xDAB7,0x018C,0xB164,0x9CD2,0x49E0,
483 0xD8B4,0xACFA,0xF307,0xCF25,0xCAAF,0xF48E,0x47E9,0x1018,
484 0x6FD5,0xF088,0x4A6F,0x5C72,0x3824,0x57F1,0x73C7,0x9751,
485 0xCB23,0xA17C,0xE89C,0x3E21,0x96DD,0x61DC,0x0D86,0x0F85,
486 0xE090,0x7C42,0x71C4,0xCCAA,0x90D8,0x0605,0xF701,0x1C12,
487 0xC2A3,0x6A5F,0xAEF9,0x69D0,0x1791,0x9958,0x3A27,0x27B9,
488 0xD938,0xEB13,0x2BB3,0x2233,0xD2BB,0xA970,0x0789,0x33A7,
489 0x2DB6,0x3C22,0x1592,0xC920,0x8749,0xAAFF,0x5078,0xA57A,
490 0x038F,0x59F8,0x0980,0x1A17,0x65DA,0xD731,0x84C6,0xD0B8,
491 0x82C3,0x29B0,0x5A77,0x1E11,0x7BCB,0xA8FC,0x6DD6,0x2C3A,
495 { /* second half of table is unsigned char-reversed version of first! */
496 0xA5C6,0x84F8,0x99EE,0x8DF6,0x0DFF,0xBDD6,0xB1DE,0x5491,
497 0x5060,0x0302,0xA9CE,0x7D56,0x19E7,0x62B5,0xE64D,0x9AEC,
498 0x458F,0x9D1F,0x4089,0x87FA,0x15EF,0xEBB2,0xC98E,0x0BFB,
499 0xEC41,0x67B3,0xFD5F,0xEA45,0xBF23,0xF753,0x96E4,0x5B9B,
500 0xC275,0x1CE1,0xAE3D,0x6A4C,0x5A6C,0x417E,0x02F5,0x4F83,
501 0x5C68,0xF451,0x34D1,0x08F9,0x93E2,0x73AB,0x5362,0x3F2A,
502 0x0C08,0x5295,0x6546,0x5E9D,0x2830,0xA137,0x0F0A,0xB52F,
503 0x090E,0x3624,0x9B1B,0x3DDF,0x26CD,0x694E,0xCD7F,0x9FEA,
504 0x1B12,0x9E1D,0x7458,0x2E34,0x2D36,0xB2DC,0xEEB4,0xFB5B,
505 0xF6A4,0x4D76,0x61B7,0xCE7D,0x7B52,0x3EDD,0x715E,0x9713,
506 0xF5A6,0x68B9,0x0000,0x2CC1,0x6040,0x1FE3,0xC879,0xEDB6,
507 0xBED4,0x468D,0xD967,0x4B72,0xDE94,0xD498,0xE8B0,0x4A85,
508 0x6BBB,0x2AC5,0xE54F,0x16ED,0xC586,0xD79A,0x5566,0x9411,
509 0xCF8A,0x10E9,0x0604,0x81FE,0xF0A0,0x4478,0xBA25,0xE34B,
510 0xF3A2,0xFE5D,0xC080,0x8A05,0xAD3F,0xBC21,0x4870,0x04F1,
511 0xDF63,0xC177,0x75AF,0x6342,0x3020,0x1AE5,0x0EFD,0x6DBF,
512 0x4C81,0x1418,0x3526,0x2FC3,0xE1BE,0xA235,0xCC88,0x392E,
513 0x5793,0xF255,0x82FC,0x477A,0xACC8,0xE7BA,0x2B32,0x95E6,
514 0xA0C0,0x9819,0xD19E,0x7FA3,0x6644,0x7E54,0xAB3B,0x830B,
515 0xCA8C,0x29C7,0xD36B,0x3C28,0x79A7,0xE2BC,0x1D16,0x76AD,
516 0x3BDB,0x5664,0x4E74,0x1E14,0xDB92,0x0A0C,0x6C48,0xE4B8,
517 0x5D9F,0x6EBD,0xEF43,0xA6C4,0xA839,0xA431,0x37D3,0x8BF2,
518 0x32D5,0x438B,0x596E,0xB7DA,0x8C01,0x64B1,0xD29C,0xE049,
519 0xB4D8,0xFAAC,0x07F3,0x25CF,0xAFCA,0x8EF4,0xE947,0x1810,
520 0xD56F,0x88F0,0x6F4A,0x725C,0x2438,0xF157,0xC773,0x5197,
521 0x23CB,0x7CA1,0x9CE8,0x213E,0xDD96,0xDC61,0x860D,0x850F,
522 0x90E0,0x427C,0xC471,0xAACC,0xD890,0x0506,0x01F7,0x121C,
523 0xA3C2,0x5F6A,0xF9AE,0xD069,0x9117,0x5899,0x273A,0xB927,
524 0x38D9,0x13EB,0xB32B,0x3322,0xBBD2,0x70A9,0x8907,0xA733,
525 0xB62D,0x223C,0x9215,0x20C9,0x4987,0xFFAA,0x7850,0x7AA5,
526 0x8F03,0xF859,0x8009,0x171A,0xDA65,0x31D7,0xC684,0xB8D0,
527 0xC382,0xB029,0x775A,0x111E,0xCB7B,0xFCA8,0xD66D,0x3A2C,
532 **********************************************************************
533 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
536 * tk[] = temporal key [128 bits]
537 * ta[] = transmitter's MAC address [ 48 bits]
538 * iv32 = upper 32 bits of IV [ 32 bits]
540 * p1k[] = Phase 1 key [ 80 bits]
543 * This function only needs to be called every 2**16 packets,
544 * although in theory it could be called every packet.
546 **********************************************************************
548 static void phase1(u16 *p1k,const u8 *tk,const u8 *ta,u32 iv32)
552 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
555 p1k[2] = Mk16(ta[1],ta[0]); /* use TA[] as little-endian */
556 p1k[3] = Mk16(ta[3],ta[2]);
557 p1k[4] = Mk16(ta[5],ta[4]);
559 /* Now compute an unbalanced Feistel cipher with 80-bit block */
560 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
561 for (i=0; i < PHASE1_LOOP_CNT ;i++)
562 { /* Each add operation here is mod 2**16 */
563 p1k[0] += _S_(p1k[4] ^ TK16((i&1)+0));
564 p1k[1] += _S_(p1k[0] ^ TK16((i&1)+2));
565 p1k[2] += _S_(p1k[1] ^ TK16((i&1)+4));
566 p1k[3] += _S_(p1k[2] ^ TK16((i&1)+6));
567 p1k[4] += _S_(p1k[3] ^ TK16((i&1)+0));
568 p1k[4] += (unsigned short)i; /* avoid "slide attacks" */
575 **********************************************************************
576 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
579 * tk[] = Temporal key [128 bits]
580 * p1k[] = Phase 1 output key [ 80 bits]
581 * iv16 = low 16 bits of IV counter [ 16 bits]
583 * rc4key[] = the key used to encrypt the packet [128 bits]
586 * The value {TA,IV32,IV16} for Phase1/Phase2 must be unique
587 * across all packets using the same key TK value. Then, for a
588 * given value of TK[], this TKIP48 construction guarantees that
589 * the final RC4KEY value is unique across all packets.
591 * Suggested implementation optimization: if PPK[] is "overlaid"
592 * appropriately on RC4KEY[], there is no need for the final
593 * for loop below that copies the PPK[] result into RC4KEY[].
595 **********************************************************************
597 static void phase2(u8 *rc4key,const u8 *tk,const u16 *p1k,u16 iv16)
600 u16 PPK[6]; /* temporary key for mixing */
602 /* Note: all adds in the PPK[] equations below are mod 2**16 */
603 for (i=0;i<5;i++) PPK[i]=p1k[i]; /* first, copy P1K to PPK */
604 PPK[5] = p1k[4] +iv16; /* next, add in IV16 */
606 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
607 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
608 PPK[1] += _S_(PPK[0] ^ TK16(1));
609 PPK[2] += _S_(PPK[1] ^ TK16(2));
610 PPK[3] += _S_(PPK[2] ^ TK16(3));
611 PPK[4] += _S_(PPK[3] ^ TK16(4));
612 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
614 /* Final sweep: bijective, "linear". Rotates kill LSB correlations */
615 PPK[0] += RotR1(PPK[5] ^ TK16(6));
616 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
617 PPK[2] += RotR1(PPK[1]);
618 PPK[3] += RotR1(PPK[2]);
619 PPK[4] += RotR1(PPK[3]);
620 PPK[5] += RotR1(PPK[4]);
621 /* Note: At this point, for a given key TK[0..15], the 96-bit output */
622 /* value PPK[0..5] is guaranteed to be unique, as a function */
623 /* of the 96-bit "input" value {TA,IV32,IV16}. That is, P1K */
624 /* is now a keyed permutation of {TA,IV32,IV16}. */
626 /* Set RC4KEY[0..3], which includes "cleartext" portion of RC4 key */
627 rc4key[0] = Hi8(iv16); /* RC4KEY[0..2] is the WEP IV */
628 rc4key[1] =(Hi8(iv16) | 0x20) & 0x7F; /* Help avoid weak (FMS) keys */
629 rc4key[2] = Lo8(iv16);
630 rc4key[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
633 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
636 rc4key[4+2*i] = Lo8(PPK[i]);
637 rc4key[5+2*i] = Hi8(PPK[i]);
643 //The hlen isn't include the IV
644 u32 rtw_tkip_encrypt(_adapter *padapter, u8 *pxmitframe)
651 struct arc4context mycontext;
652 sint curfragnum,length;
655 u8 *pframe, *payload,*iv,*prwskey;
656 union pn48 dot11txpn;
657 struct sta_info *stainfo;
658 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
659 struct security_priv *psecuritypriv=&padapter->securitypriv;
660 struct xmit_priv *pxmitpriv=&padapter->xmitpriv;
664 if(((struct xmit_frame*)pxmitframe)->buf_addr==NULL)
667 #ifdef CONFIG_USB_TX_AGGREGATION
668 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_SIZE +
669 (((struct xmit_frame*)pxmitframe)->pkt_offset * PACKET_OFFSET_SZ);
671 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_OFFSET;
674 //4 start to encrypt each fragment
675 if(pattrib->encrypt==_TKIP_){
679 stainfo = pattrib->psta;
683 DBG_871X("%s, call rtw_get_stainfo()\n", __func__);
684 stainfo=rtw_get_stainfo(&padapter->stapriv ,&pattrib->ra[0] );
689 if(!(stainfo->state &_FW_LINKED))
691 DBG_871X("%s, psta->state(0x%x) != _FW_LINKED\n", __func__, stainfo->state);
695 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_tkip_encrypt: stainfo!=NULL!!!\n"));
697 if(IS_MCAST(pattrib->ra))
699 prwskey=psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
703 prwskey=&stainfo->dot118021x_UncstKey.skey[0];
708 for(curfragnum=0;curfragnum<pattrib->nr_frags;curfragnum++){
709 iv=pframe+pattrib->hdrlen;
710 payload=pframe+pattrib->iv_len+pattrib->hdrlen;
712 GET_TKIP_PN(iv, dot11txpn);
714 pnl=(u16)(dot11txpn.val);
715 pnh=(u32)(dot11txpn.val>>16);
717 phase1((u16 *)&ttkey[0],prwskey,&pattrib->ta[0],pnh);
719 phase2(&rc4key[0],prwskey,(u16 *)&ttkey[0],pnl);
721 if((curfragnum+1)==pattrib->nr_frags){ //4 the last fragment
722 length=pattrib->last_txcmdsz-pattrib->hdrlen-pattrib->iv_len- pattrib->icv_len;
723 RT_TRACE(_module_rtl871x_security_c_,_drv_info_,("pattrib->iv_len =%x, pattrib->icv_len =%x\n", pattrib->iv_len,pattrib->icv_len));
724 *((u32 *)crc)=cpu_to_le32(getcrc32(payload,length));/* modified by Amy*/
726 arcfour_init(&mycontext, rc4key,16);
727 arcfour_encrypt(&mycontext, payload, payload, length);
728 arcfour_encrypt(&mycontext, payload+length, crc, 4);
732 length=pxmitpriv->frag_len-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len ;
733 *((u32 *)crc)=cpu_to_le32(getcrc32(payload,length));/* modified by Amy*/
734 arcfour_init(&mycontext,rc4key,16);
735 arcfour_encrypt(&mycontext, payload, payload, length);
736 arcfour_encrypt(&mycontext, payload+length, crc, 4);
738 pframe+=pxmitpriv->frag_len;
739 pframe=(u8 *)RND4((SIZE_PTR)(pframe));
747 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_tkip_encrypt: stainfo==NULL!!!\n"));
748 DBG_871X("%s, psta==NUL\n", __func__);
759 //The hlen isn't include the IV
760 u32 rtw_tkip_decrypt(_adapter *padapter, u8 *precvframe)
767 struct arc4context mycontext;
771 u8 *pframe, *payload,*iv,*prwskey;
772 union pn48 dot11txpn;
773 struct sta_info *stainfo;
774 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
775 struct security_priv *psecuritypriv=&padapter->securitypriv;
776 // struct recv_priv *precvpriv=&padapter->recvpriv;
781 pframe=(unsigned char *)((union recv_frame*)precvframe)->u.hdr.rx_data;
783 //4 start to decrypt recvframe
784 if(prxattrib->encrypt==_TKIP_){
786 stainfo=rtw_get_stainfo(&padapter->stapriv ,&prxattrib->ta[0] );
789 if(IS_MCAST(prxattrib->ra))
791 static u32 start = 0;
792 static u32 no_gkey_bc_cnt = 0;
793 static u32 no_gkey_mc_cnt = 0;
795 if(psecuritypriv->binstallGrpkey==_FALSE)
800 start = rtw_get_current_time();
802 if (is_broadcast_mac_addr(prxattrib->ra))
807 if (rtw_get_passing_time_ms(start) > 1000) {
808 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
809 DBG_871X_LEVEL(_drv_always_, FUNC_ADPT_FMT" no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
810 FUNC_ADPT_ARG(padapter), no_gkey_bc_cnt, no_gkey_mc_cnt);
812 start = rtw_get_current_time();
819 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
820 DBG_871X_LEVEL(_drv_always_, FUNC_ADPT_FMT" gkey installed. no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
821 FUNC_ADPT_ARG(padapter), no_gkey_bc_cnt, no_gkey_mc_cnt);
827 //DBG_871X("rx bc/mc packets, to perform sw rtw_tkip_decrypt\n");
828 //prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
829 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
834 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_tkip_decrypt: stainfo!=NULL!!!\n"));
835 prwskey=&stainfo->dot118021x_UncstKey.skey[0];
839 iv=pframe+prxattrib->hdrlen;
840 payload=pframe+prxattrib->iv_len+prxattrib->hdrlen;
841 length= ((union recv_frame *)precvframe)->u.hdr.len-prxattrib->hdrlen-prxattrib->iv_len;
843 GET_TKIP_PN(iv, dot11txpn);
845 pnl=(u16)(dot11txpn.val);
846 pnh=(u32)(dot11txpn.val>>16);
848 phase1((u16 *)&ttkey[0],prwskey,&prxattrib->ta[0],pnh);
849 phase2(&rc4key[0],prwskey,(unsigned short *)&ttkey[0],pnl);
851 //4 decrypt payload include icv
853 arcfour_init(&mycontext, rc4key,16);
854 arcfour_encrypt(&mycontext, payload, payload, length);
856 *((u32 *)crc)=le32_to_cpu(getcrc32(payload,length-4));
858 if(crc[3]!=payload[length-1] || crc[2]!=payload[length-2] || crc[1]!=payload[length-3] || crc[0]!=payload[length-4])
860 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_wep_decrypt:icv error crc[3](%x)!=payload[length-1](%x) || crc[2](%x)!=payload[length-2](%x) || crc[1](%x)!=payload[length-3](%x) || crc[0](%x)!=payload[length-4](%x)\n",
861 crc[3],payload[length-1],crc[2],payload[length-2],crc[1],payload[length-3],crc[0],payload[length-4]));
868 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_tkip_decrypt: stainfo==NULL!!!\n"));
880 //3 =====AES related=====
884 #define MAX_MSG_SIZE 2048
885 /*****************************/
886 /******** SBOX Table *********/
887 /*****************************/
889 static u8 sbox_table[256] =
891 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
892 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
893 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
894 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
895 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
896 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
897 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
898 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
899 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
900 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
901 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
902 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
903 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
904 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
905 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
906 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
907 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
908 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
909 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
910 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
911 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
912 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
913 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
914 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
915 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
916 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
917 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
918 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
919 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
920 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
921 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
922 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
925 /*****************************/
926 /**** Function Prototypes ****/
927 /*****************************/
929 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out);
930 static void construct_mic_iv(
937 uint frtype);// add for CONFIG_IEEE80211W, none 11w also can use
938 static void construct_mic_header1(
942 uint frtype);// add for CONFIG_IEEE80211W, none 11w also can use
943 static void construct_mic_header2(
948 static void construct_ctr_preload(
955 uint frtype);// add for CONFIG_IEEE80211W, none 11w also can use
956 static void xor_128(u8 *a, u8 *b, u8 *out);
957 static void xor_32(u8 *a, u8 *b, u8 *out);
958 static u8 sbox(u8 a);
959 static void next_key(u8 *key, sint round);
960 static void byte_sub(u8 *in, u8 *out);
961 static void shift_row(u8 *in, u8 *out);
962 static void mix_column(u8 *in, u8 *out);
963 #ifndef PLATFORM_FREEBSD
964 static void add_round_key( u8 *shiftrow_in,
969 #endif //PLATFORM_FREEBSD
970 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext);
973 /****************************************/
975 /* Performs a 128 bit AES encrypt with */
977 /****************************************/
978 static void xor_128(u8 *a, u8 *b, u8 *out)
984 out[i] = a[i] ^ b[i];
990 static void xor_32(u8 *a, u8 *b, u8 *out)
996 out[i] = a[i] ^ b[i];
1002 static u8 sbox(u8 a)
1004 return sbox_table[(sint)a];
1008 static void next_key(u8 *key, sint round)
1014 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
1015 0x1b, 0x36, 0x36, 0x36
1018 sbox_key[0] = sbox(key[13]);
1019 sbox_key[1] = sbox(key[14]);
1020 sbox_key[2] = sbox(key[15]);
1021 sbox_key[3] = sbox(key[12]);
1023 rcon = rcon_table[round];
1025 xor_32(&key[0], sbox_key, &key[0]);
1026 key[0] = key[0] ^ rcon;
1028 xor_32(&key[4], &key[0], &key[4]);
1029 xor_32(&key[8], &key[4], &key[8]);
1030 xor_32(&key[12], &key[8], &key[12]);
1035 static void byte_sub(u8 *in, u8 *out)
1039 for (i=0; i< 16; i++)
1041 out[i] = sbox(in[i]);
1047 static void shift_row(u8 *in, u8 *out)
1070 static void mix_column(u8 *in, u8 *out)
1082 for (i=0 ; i<4; i++)
1084 if ((in[i] & 0x80)== 0x80)
1090 swap_halfs[0] = in[2]; /* Swap halfs */
1091 swap_halfs[1] = in[3];
1092 swap_halfs[2] = in[0];
1093 swap_halfs[3] = in[1];
1095 rotl[0] = in[3]; /* Rotate left 8 bits */
1100 andf7[0] = in[0] & 0x7f;
1101 andf7[1] = in[1] & 0x7f;
1102 andf7[2] = in[2] & 0x7f;
1103 andf7[3] = in[3] & 0x7f;
1105 for (i = 3; i>0; i--) /* logical shift left 1 bit */
1107 andf7[i] = andf7[i] << 1;
1108 if ((andf7[i-1] & 0x80) == 0x80)
1110 andf7[i] = (andf7[i] | 0x01);
1113 andf7[0] = andf7[0] << 1;
1114 andf7[0] = andf7[0] & 0xfe;
1116 xor_32(add1b, andf7, add1bf7);
1118 xor_32(in, add1bf7, rotr);
1120 temp[0] = rotr[0]; /* Rotate right 8 bits */
1126 xor_32(add1bf7, rotr, temp);
1127 xor_32(swap_halfs, rotl,tempb);
1128 xor_32(temp, tempb, out);
1133 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext)
1137 u8 intermediatea[16];
1138 u8 intermediateb[16];
1141 for(i=0; i<16; i++) round_key[i] = key[i];
1143 for (round = 0; round < 11; round++)
1147 xor_128(round_key, data, ciphertext);
1148 next_key(round_key, round);
1150 else if (round == 10)
1152 byte_sub(ciphertext, intermediatea);
1153 shift_row(intermediatea, intermediateb);
1154 xor_128(intermediateb, round_key, ciphertext);
1158 byte_sub(ciphertext, intermediatea);
1159 shift_row(intermediatea, intermediateb);
1160 mix_column(&intermediateb[0], &intermediatea[0]);
1161 mix_column(&intermediateb[4], &intermediatea[4]);
1162 mix_column(&intermediateb[8], &intermediatea[8]);
1163 mix_column(&intermediateb[12], &intermediatea[12]);
1164 xor_128(intermediatea, round_key, ciphertext);
1165 next_key(round_key, round);
1172 /************************************************/
1173 /* construct_mic_iv() */
1174 /* Builds the MIC IV from header fields and PN */
1175 /* Baron think the function is construct CCM */
1177 /************************************************/
1178 static void construct_mic_iv(
1183 uint payload_length,
1185 uint frtype// add for CONFIG_IEEE80211W, none 11w also can use
1191 if (qc_exists && a4_exists) mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
1192 if (qc_exists && !a4_exists) mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
1193 if (!qc_exists) mic_iv[1] = 0x00;
1194 #ifdef CONFIG_IEEE80211W
1195 //802.11w management frame should set management bit(4)
1196 if(frtype == WIFI_MGT_TYPE)
1197 mic_iv[1] |= BIT(4);
1198 #endif //CONFIG_IEEE80211W
1199 for (i = 2; i < 8; i++)
1200 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
1201 #ifdef CONSISTENT_PN_ORDER
1202 for (i = 8; i < 14; i++)
1203 mic_iv[i] = pn_vector[i - 8]; /* mic_iv[8:13] = PN[0:5] */
1205 for (i = 8; i < 14; i++)
1206 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
1208 mic_iv[14] = (unsigned char) (payload_length / 256);
1209 mic_iv[15] = (unsigned char) (payload_length % 256);
1214 /************************************************/
1215 /* construct_mic_header1() */
1216 /* Builds the first MIC header block from */
1217 /* header fields. */
1218 /* Build AAD SC,A1,A2 */
1219 /************************************************/
1220 static void construct_mic_header1(
1224 uint frtype// add for CONFIG_IEEE80211W, none 11w also can use
1228 mic_header1[0] = (u8)((header_length - 2) / 256);
1229 mic_header1[1] = (u8)((header_length - 2) % 256);
1230 #ifdef CONFIG_IEEE80211W
1231 //802.11w management frame don't AND subtype bits 4,5,6 of frame control field
1232 if(frtype == WIFI_MGT_TYPE)
1233 mic_header1[2] = mpdu[0];
1235 #endif //CONFIG_IEEE80211W
1236 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
1238 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
1239 mic_header1[4] = mpdu[4]; /* A1 */
1240 mic_header1[5] = mpdu[5];
1241 mic_header1[6] = mpdu[6];
1242 mic_header1[7] = mpdu[7];
1243 mic_header1[8] = mpdu[8];
1244 mic_header1[9] = mpdu[9];
1245 mic_header1[10] = mpdu[10]; /* A2 */
1246 mic_header1[11] = mpdu[11];
1247 mic_header1[12] = mpdu[12];
1248 mic_header1[13] = mpdu[13];
1249 mic_header1[14] = mpdu[14];
1250 mic_header1[15] = mpdu[15];
1255 /************************************************/
1256 /* construct_mic_header2() */
1257 /* Builds the last MIC header block from */
1258 /* header fields. */
1259 /************************************************/
1260 static void construct_mic_header2(
1269 for (i = 0; i<16; i++) mic_header2[i]=0x00;
1271 mic_header2[0] = mpdu[16]; /* A3 */
1272 mic_header2[1] = mpdu[17];
1273 mic_header2[2] = mpdu[18];
1274 mic_header2[3] = mpdu[19];
1275 mic_header2[4] = mpdu[20];
1276 mic_header2[5] = mpdu[21];
1278 //mic_header2[6] = mpdu[22] & 0xf0; /* SC */
1279 mic_header2[6] = 0x00;
1280 mic_header2[7] = 0x00; /* mpdu[23]; */
1283 if (!qc_exists && a4_exists)
1285 for (i=0;i<6;i++) mic_header2[8+i] = mpdu[24+i]; /* A4 */
1289 if (qc_exists && !a4_exists)
1291 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
1292 mic_header2[9] = mpdu[25] & 0x00;
1295 if (qc_exists && a4_exists)
1297 for (i=0;i<6;i++) mic_header2[8+i] = mpdu[24+i]; /* A4 */
1299 mic_header2[14] = mpdu[30] & 0x0f;
1300 mic_header2[15] = mpdu[31] & 0x00;
1307 /************************************************/
1308 /* construct_mic_header2() */
1309 /* Builds the last MIC header block from */
1310 /* header fields. */
1311 /* Baron think the function is construct CCM */
1313 /************************************************/
1314 static void construct_ctr_preload(
1321 uint frtype // add for CONFIG_IEEE80211W, none 11w also can use
1326 for (i=0; i<16; i++) ctr_preload[i] = 0x00;
1329 ctr_preload[0] = 0x01; /* flag */
1330 if (qc_exists && a4_exists)
1331 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
1332 if (qc_exists && !a4_exists)
1333 ctr_preload[1] = mpdu[24] & 0x0f;
1334 #ifdef CONFIG_IEEE80211W
1335 //802.11w management frame should set management bit(4)
1336 if(frtype == WIFI_MGT_TYPE)
1337 ctr_preload[1] |= BIT(4);
1338 #endif //CONFIG_IEEE80211W
1339 for (i = 2; i < 8; i++)
1340 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
1341 #ifdef CONSISTENT_PN_ORDER
1342 for (i = 8; i < 14; i++)
1343 ctr_preload[i] = pn_vector[i - 8]; /* ctr_preload[8:13] = PN[0:5] */
1345 for (i = 8; i < 14; i++)
1346 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
1348 ctr_preload[14] = (unsigned char) (c / 256); /* Ctr */
1349 ctr_preload[15] = (unsigned char) (c % 256);
1354 /************************************/
1356 /* A 128 bit, bitwise exclusive or */
1357 /************************************/
1358 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out)
1362 for (i=0; i<16; i++)
1364 out[i] = ina[i] ^ inb[i];
1370 static sint aes_cipher(u8 *key, uint hdrlen,
1371 u8 *pframe, uint plen)
1373 // /*static*/ unsigned char message[MAX_MSG_SIZE];
1374 uint qc_exists, a4_exists, i, j, payload_remainder,
1375 num_blocks, payload_index;
1383 /* Intermediate Buffers */
1384 u8 chain_buffer[16];
1386 u8 padded_buffer[16];
1389 uint frtype = GetFrameType(pframe);
1390 uint frsubtype = GetFrameSubType(pframe);
1393 frsubtype=frsubtype>>4;
1396 _rtw_memset((void *)mic_iv, 0, 16);
1397 _rtw_memset((void *)mic_header1, 0, 16);
1398 _rtw_memset((void *)mic_header2, 0, 16);
1399 _rtw_memset((void *)ctr_preload, 0, 16);
1400 _rtw_memset((void *)chain_buffer, 0, 16);
1401 _rtw_memset((void *)aes_out, 0, 16);
1402 _rtw_memset((void *)padded_buffer, 0, 16);
1404 if ((hdrlen == WLAN_HDR_A3_LEN )||(hdrlen == WLAN_HDR_A3_QOS_LEN))
1410 ((frtype|frsubtype) == WIFI_DATA_CFACK) ||
1411 ((frtype|frsubtype) == WIFI_DATA_CFPOLL)||
1412 ((frtype|frsubtype) == WIFI_DATA_CFACKPOLL))
1415 if(hdrlen != WLAN_HDR_A3_QOS_LEN){
1420 // add for CONFIG_IEEE80211W, none 11w also can use
1421 else if ((frtype == WIFI_DATA) &&
1422 ((frsubtype == 0x08) ||
1423 (frsubtype == 0x09)||
1424 (frsubtype == 0x0a)||
1425 (frsubtype == 0x0b)))
1427 if(hdrlen != WLAN_HDR_A3_QOS_LEN){
1436 pn_vector[0]=pframe[hdrlen];
1437 pn_vector[1]=pframe[hdrlen+1];
1438 pn_vector[2]=pframe[hdrlen+4];
1439 pn_vector[3]=pframe[hdrlen+5];
1440 pn_vector[4]=pframe[hdrlen+6];
1441 pn_vector[5]=pframe[hdrlen+7];
1450 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1453 construct_mic_header1(
1457 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1459 construct_mic_header2(
1467 payload_remainder = plen % 16;
1468 num_blocks = plen / 16;
1470 /* Find start of payload */
1471 payload_index = (hdrlen + 8);
1474 aes128k128d(key, mic_iv, aes_out);
1475 bitwise_xor(aes_out, mic_header1, chain_buffer);
1476 aes128k128d(key, chain_buffer, aes_out);
1477 bitwise_xor(aes_out, mic_header2, chain_buffer);
1478 aes128k128d(key, chain_buffer, aes_out);
1480 for (i = 0; i < num_blocks; i++)
1482 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);//bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1484 payload_index += 16;
1485 aes128k128d(key, chain_buffer, aes_out);
1488 /* Add on the final payload block if it needs padding */
1489 if (payload_remainder > 0)
1491 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1492 for (j = 0; j < payload_remainder; j++)
1494 padded_buffer[j] = pframe[payload_index++];//padded_buffer[j] = message[payload_index++];
1496 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1497 aes128k128d(key, chain_buffer, aes_out);
1501 for (j = 0 ; j < 8; j++) mic[j] = aes_out[j];
1503 /* Insert MIC into payload */
1504 for (j = 0; j < 8; j++)
1505 pframe[payload_index+j] = mic[j]; //message[payload_index+j] = mic[j];
1507 payload_index = hdrlen + 8;
1508 for (i=0; i< num_blocks; i++)
1510 construct_ctr_preload(
1517 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1518 aes128k128d(key, ctr_preload, aes_out);
1519 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);//bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1520 for (j=0; j<16;j++) pframe[payload_index++] = chain_buffer[j];//for (j=0; j<16;j++) message[payload_index++] = chain_buffer[j];
1523 if (payload_remainder > 0) /* If there is a short final block, then pad it,*/
1524 { /* encrypt it and copy the unpadded part back */
1525 construct_ctr_preload(
1532 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1534 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1535 for (j = 0; j < payload_remainder; j++)
1537 padded_buffer[j] = pframe[payload_index+j];//padded_buffer[j] = message[payload_index+j];
1539 aes128k128d(key, ctr_preload, aes_out);
1540 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1541 for (j=0; j<payload_remainder;j++) pframe[payload_index++] = chain_buffer[j];//for (j=0; j<payload_remainder;j++) message[payload_index++] = chain_buffer[j];
1544 /* Encrypt the MIC */
1545 construct_ctr_preload(
1552 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1554 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1555 for (j = 0; j < 8; j++)
1557 padded_buffer[j] = pframe[j+hdrlen+8+plen];//padded_buffer[j] = message[j+hdrlen+8+plen];
1560 aes128k128d(key, ctr_preload, aes_out);
1561 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1562 for (j=0; j<8;j++) pframe[payload_index++] = chain_buffer[j];//for (j=0; j<8;j++) message[payload_index++] = chain_buffer[j];
1570 u32 rtw_aes_encrypt(_adapter *padapter, u8 *pxmitframe)
1575 // unsigned char message[MAX_MSG_SIZE];
1577 /* Intermediate Buffers */
1578 sint curfragnum,length;
1580 u8 *pframe,*prwskey; //, *payload,*iv
1581 struct sta_info *stainfo=NULL;
1582 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
1583 struct security_priv *psecuritypriv=&padapter->securitypriv;
1584 struct xmit_priv *pxmitpriv=&padapter->xmitpriv;
1590 if(((struct xmit_frame*)pxmitframe)->buf_addr==NULL)
1593 #ifdef CONFIG_USB_TX_AGGREGATION
1594 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_SIZE +
1595 (((struct xmit_frame*)pxmitframe)->pkt_offset * PACKET_OFFSET_SZ);
1597 pframe = ((struct xmit_frame*)pxmitframe)->buf_addr + TXDESC_OFFSET;
1600 //4 start to encrypt each fragment
1601 if((pattrib->encrypt==_AES_)){
1605 stainfo = pattrib->psta;
1609 DBG_871X("%s, call rtw_get_stainfo()\n", __func__);
1610 stainfo=rtw_get_stainfo(&padapter->stapriv ,&pattrib->ra[0] );
1615 if(!(stainfo->state &_FW_LINKED))
1617 DBG_871X("%s, psta->state(0x%x) != _FW_LINKED\n", __func__, stainfo->state);
1621 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_aes_encrypt: stainfo!=NULL!!!\n"));
1623 if(IS_MCAST(pattrib->ra))
1625 prwskey=psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
1629 prwskey=&stainfo->dot118021x_UncstKey.skey[0];
1632 #ifdef CONFIG_TDLS //swencryption
1634 struct sta_info *ptdls_sta;
1635 ptdls_sta=rtw_get_stainfo(&padapter->stapriv ,&pattrib->dst[0] );
1636 if((ptdls_sta != NULL) && (ptdls_sta->tdls_sta_state & TDLS_LINKED_STATE) )
1638 DBG_871X("[%s] for tdls link\n", __FUNCTION__);
1639 prwskey=&ptdls_sta->tpk.tk[0];
1642 #endif //CONFIG_TDLS
1646 for(curfragnum=0;curfragnum<pattrib->nr_frags;curfragnum++){
1648 if((curfragnum+1)==pattrib->nr_frags){ //4 the last fragment
1649 length=pattrib->last_txcmdsz-pattrib->hdrlen-pattrib->iv_len- pattrib->icv_len;
1651 aes_cipher(prwskey,pattrib->hdrlen,pframe, length);
1654 length=pxmitpriv->frag_len-pattrib->hdrlen-pattrib->iv_len-pattrib->icv_len ;
1656 aes_cipher(prwskey,pattrib->hdrlen,pframe, length);
1657 pframe+=pxmitpriv->frag_len;
1658 pframe=(u8*)RND4((SIZE_PTR)(pframe));
1666 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_aes_encrypt: stainfo==NULL!!!\n"));
1667 DBG_871X("%s, psta==NUL\n", __func__);
1679 static sint aes_decipher(u8 *key, uint hdrlen,
1680 u8 *pframe, uint plen)
1682 static u8 message[MAX_MSG_SIZE];
1683 uint qc_exists, a4_exists, i, j, payload_remainder,
1684 num_blocks, payload_index;
1685 sint res = _SUCCESS;
1692 /* Intermediate Buffers */
1693 u8 chain_buffer[16];
1695 u8 padded_buffer[16];
1700 uint frtype = GetFrameType(pframe);
1701 uint frsubtype = GetFrameSubType(pframe);
1703 frsubtype=frsubtype>>4;
1706 _rtw_memset((void *)mic_iv, 0, 16);
1707 _rtw_memset((void *)mic_header1, 0, 16);
1708 _rtw_memset((void *)mic_header2, 0, 16);
1709 _rtw_memset((void *)ctr_preload, 0, 16);
1710 _rtw_memset((void *)chain_buffer, 0, 16);
1711 _rtw_memset((void *)aes_out, 0, 16);
1712 _rtw_memset((void *)padded_buffer, 0, 16);
1714 //start to decrypt the payload
1716 num_blocks = (plen-8) / 16; //(plen including LLC, payload_length and mic )
1718 payload_remainder = (plen-8) % 16;
1720 pn_vector[0] = pframe[hdrlen];
1721 pn_vector[1] = pframe[hdrlen+1];
1722 pn_vector[2] = pframe[hdrlen+4];
1723 pn_vector[3] = pframe[hdrlen+5];
1724 pn_vector[4] = pframe[hdrlen+6];
1725 pn_vector[5] = pframe[hdrlen+7];
1727 if ((hdrlen == WLAN_HDR_A3_LEN )||(hdrlen == WLAN_HDR_A3_QOS_LEN))
1733 ((frtype|frsubtype) == WIFI_DATA_CFACK) ||
1734 ((frtype|frsubtype) == WIFI_DATA_CFPOLL)||
1735 ((frtype|frsubtype) == WIFI_DATA_CFACKPOLL))
1738 if(hdrlen != WLAN_HDR_A3_QOS_LEN){
1742 }//only for data packet . add for CONFIG_IEEE80211W, none 11w also can use
1743 else if ((frtype == WIFI_DATA) &&
1744 ((frsubtype == 0x08) ||
1745 (frsubtype == 0x09)||
1746 (frsubtype == 0x0a)||
1747 (frsubtype == 0x0b)))
1749 if(hdrlen != WLAN_HDR_A3_QOS_LEN){
1759 // now, decrypt pframe with hdrlen offset and plen long
1761 payload_index = hdrlen + 8; // 8 is for extiv
1763 for (i=0; i< num_blocks; i++)
1765 construct_ctr_preload(
1772 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1775 aes128k128d(key, ctr_preload, aes_out);
1776 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);
1778 for (j=0; j<16;j++) pframe[payload_index++] = chain_buffer[j];
1781 if (payload_remainder > 0) /* If there is a short final block, then pad it,*/
1782 { /* encrypt it and copy the unpadded part back */
1783 construct_ctr_preload(
1790 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1793 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1794 for (j = 0; j < payload_remainder; j++)
1796 padded_buffer[j] = pframe[payload_index+j];
1798 aes128k128d(key, ctr_preload, aes_out);
1799 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1800 for (j=0; j<payload_remainder;j++) pframe[payload_index++] = chain_buffer[j];
1803 //start to calculate the mic
1805 _rtw_memcpy((void *)message, pframe, (hdrlen +plen+8)); //8 is for ext iv len
1808 pn_vector[0]=pframe[hdrlen];
1809 pn_vector[1]=pframe[hdrlen+1];
1810 pn_vector[2]=pframe[hdrlen+4];
1811 pn_vector[3]=pframe[hdrlen+5];
1812 pn_vector[4]=pframe[hdrlen+6];
1813 pn_vector[5]=pframe[hdrlen+7];
1824 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1827 construct_mic_header1(
1831 frtype // add for CONFIG_IEEE80211W, none 11w also can use
1833 construct_mic_header2(
1841 payload_remainder = (plen-8) % 16;
1842 num_blocks = (plen-8) / 16;
1844 /* Find start of payload */
1845 payload_index = (hdrlen + 8);
1848 aes128k128d(key, mic_iv, aes_out);
1849 bitwise_xor(aes_out, mic_header1, chain_buffer);
1850 aes128k128d(key, chain_buffer, aes_out);
1851 bitwise_xor(aes_out, mic_header2, chain_buffer);
1852 aes128k128d(key, chain_buffer, aes_out);
1854 for (i = 0; i < num_blocks; i++)
1856 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1858 payload_index += 16;
1859 aes128k128d(key, chain_buffer, aes_out);
1862 /* Add on the final payload block if it needs padding */
1863 if (payload_remainder > 0)
1865 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1866 for (j = 0; j < payload_remainder; j++)
1868 padded_buffer[j] = message[payload_index++];
1870 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1871 aes128k128d(key, chain_buffer, aes_out);
1875 for (j = 0 ; j < 8; j++) mic[j] = aes_out[j];
1877 /* Insert MIC into payload */
1878 for (j = 0; j < 8; j++)
1879 message[payload_index+j] = mic[j];
1881 payload_index = hdrlen + 8;
1882 for (i=0; i< num_blocks; i++)
1884 construct_ctr_preload(
1891 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1892 aes128k128d(key, ctr_preload, aes_out);
1893 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1894 for (j=0; j<16;j++) message[payload_index++] = chain_buffer[j];
1897 if (payload_remainder > 0) /* If there is a short final block, then pad it,*/
1898 { /* encrypt it and copy the unpadded part back */
1899 construct_ctr_preload(
1906 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1908 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1909 for (j = 0; j < payload_remainder; j++)
1911 padded_buffer[j] = message[payload_index+j];
1913 aes128k128d(key, ctr_preload, aes_out);
1914 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1915 for (j=0; j<payload_remainder;j++) message[payload_index++] = chain_buffer[j];
1918 /* Encrypt the MIC */
1919 construct_ctr_preload(
1926 frtype); // add for CONFIG_IEEE80211W, none 11w also can use
1928 for (j = 0; j < 16; j++) padded_buffer[j] = 0x00;
1929 for (j = 0; j < 8; j++)
1931 padded_buffer[j] = message[j+hdrlen+8+plen-8];
1934 aes128k128d(key, ctr_preload, aes_out);
1935 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1936 for (j=0; j<8;j++) message[payload_index++] = chain_buffer[j];
1940 if(pframe[hdrlen+8+plen-8+i] != message[hdrlen+8+plen-8+i])
1942 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("aes_decipher:mic check error mic[%d]: pframe(%x) != message(%x) \n",
1943 i,pframe[hdrlen+8+plen-8+i],message[hdrlen+8+plen-8+i]));
1944 DBG_871X("aes_decipher:mic check error mic[%d]: pframe(%x) != message(%x) \n",
1945 i,pframe[hdrlen+8+plen-8+i],message[hdrlen+8+plen-8+i]);
1953 for(gg=0; gg < 32; gg++)
1954 DBG_871X(" [%d]=%02x ", gg, pframe[gg]);
1955 DBG_871X("error packet header \n");
1962 u32 rtw_aes_decrypt(_adapter *padapter, u8 *precvframe)
1967 // unsigned char message[MAX_MSG_SIZE];
1970 /* Intermediate Buffers */
1974 u8 *pframe,*prwskey; //, *payload,*iv
1975 struct sta_info *stainfo;
1976 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
1977 struct security_priv *psecuritypriv=&padapter->securitypriv;
1978 // struct recv_priv *precvpriv=&padapter->recvpriv;
1981 pframe=(unsigned char *)((union recv_frame*)precvframe)->u.hdr.rx_data;
1982 //4 start to encrypt each fragment
1983 if((prxattrib->encrypt==_AES_)){
1985 stainfo=rtw_get_stainfo(&padapter->stapriv ,&prxattrib->ta[0] );
1987 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_aes_decrypt: stainfo!=NULL!!!\n"));
1989 if(IS_MCAST(prxattrib->ra))
1991 //in concurrent we should use sw descrypt in group key, so we remove this message
1992 //DBG_871X("rx bc/mc packets, to perform sw rtw_aes_decrypt\n");
1993 //prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
1994 if(psecuritypriv->binstallGrpkey==_FALSE)
1997 DBG_8192C("%s:rx bc/mc packets,but didn't install group key!!!!!!!!!!\n",__FUNCTION__);
2000 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
2002 if(psecuritypriv->dot118021XGrpKeyid != prxattrib->key_index)
2004 DBG_871X("not match packet_index=%d, install_index=%d \n"
2005 , prxattrib->key_index, psecuritypriv->dot118021XGrpKeyid);
2012 prwskey=&stainfo->dot118021x_UncstKey.skey[0];
2015 length= ((union recv_frame *)precvframe)->u.hdr.len-prxattrib->hdrlen-prxattrib->iv_len;
2016 /*// add for CONFIG_IEEE80211W, debug
2018 printk("@@@@@@@@@@@@@@@@@@ length=%d, prxattrib->hdrlen=%d, prxattrib->pkt_len=%d \n"
2019 , length, prxattrib->hdrlen, prxattrib->pkt_len);
2024 printk("PSK key below:\n");
2025 for(no=0;no<16;no++)
2026 printk(" %02x ", prwskey[no]);
2034 for(no=0;no<prxattrib->pkt_len;no++)
2035 printk(" %02x ", pframe[no]);
2039 res= aes_decipher(prwskey,prxattrib->hdrlen,pframe, length);
2042 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("rtw_aes_encrypt: stainfo==NULL!!!\n"));
2052 #ifdef CONFIG_IEEE80211W
2053 u32 rtw_BIP_verify(_adapter *padapter, u8 *precvframe)
2055 struct rx_pkt_attrib *pattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
2060 struct rtw_ieee80211_hdr *pwlanhdr;
2062 struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv;
2063 ori_len = pattrib->pkt_len-WLAN_HDR_A3_LEN+BIP_AAD_SIZE;
2064 BIP_AAD = rtw_zmalloc(ori_len);
2068 DBG_871X("BIP AAD allocate fail\n");
2072 pframe=(unsigned char *)((union recv_frame*)precvframe)->u.hdr.rx_data;
2073 //mapping to wlan header
2074 pwlanhdr = (struct rtw_ieee80211_hdr *)pframe;
2075 //save the frame body + MME
2076 _rtw_memcpy(BIP_AAD+BIP_AAD_SIZE, pframe+WLAN_HDR_A3_LEN, pattrib->pkt_len-WLAN_HDR_A3_LEN);
2077 //find MME IE pointer
2078 p = rtw_get_ie(BIP_AAD+BIP_AAD_SIZE, _MME_IE_, &len, pattrib->pkt_len-WLAN_HDR_A3_LEN);
2084 //save packet number
2085 _rtw_memcpy(&temp_ipn, p+4, 6);
2086 temp_ipn = le64_to_cpu(temp_ipn);
2087 //BIP packet number should bigger than previous BIP packet
2088 if(temp_ipn <= pmlmeext->mgnt_80211w_IPN_rx)
2090 DBG_871X("replay BIP packet\n");
2094 _rtw_memcpy(&keyid, p+2, 2);
2095 keyid = le16_to_cpu(keyid);
2096 if(keyid != padapter->securitypriv.dot11wBIPKeyid)
2098 DBG_871X("BIP key index error!\n");
2101 //clear the MIC field of MME to zero
2102 _rtw_memset(p+2+len-8, 0, 8);
2104 //conscruct AAD, copy frame control field
2105 _rtw_memcpy(BIP_AAD, &pwlanhdr->frame_ctl, 2);
2106 ClearRetry(BIP_AAD);
2107 ClearPwrMgt(BIP_AAD);
2108 ClearMData(BIP_AAD);
2109 //conscruct AAD, copy address 1 to address 3
2110 _rtw_memcpy(BIP_AAD+2, pwlanhdr->addr1, 18);
2112 if(omac1_aes_128(padapter->securitypriv.dot11wBIPKey[padapter->securitypriv.dot11wBIPKeyid].skey
2113 , BIP_AAD, ori_len, mic))
2116 /*//management packet content
2120 for(pp=0;pp< pattrib->pkt_len; pp++)
2121 printk(" %02x ", pframe[pp]);
2123 //BIP AAD + management frame body + MME(MIC is zero)
2124 DBG_871X("AAD+PKT: ");
2125 for(pp=0;pp< ori_len; pp++)
2126 DBG_871X(" %02x ", BIP_AAD[pp]);
2128 //show the MIC result
2130 for(pp=0;pp<16; pp++)
2131 DBG_871X(" %02x ", mic[pp]);
2135 //MIC field should be last 8 bytes of packet (packet without FCS)
2136 if(_rtw_memcmp(mic, pframe+pattrib->pkt_len-8, 8))
2138 pmlmeext->mgnt_80211w_IPN_rx = temp_ipn;
2142 DBG_871X("BIP MIC error!\n");
2146 res = RTW_RX_HANDLED;
2149 rtw_mfree(BIP_AAD, ori_len);
2152 #endif //CONFIG_IEEE80211W
2154 #ifndef PLATFORM_FREEBSD
2155 /* compress 512-bits */
2156 static int sha256_compress(struct sha256_state *md, unsigned char *buf)
2158 u32 S[8], W[64], t0, t1;
2162 /* copy state into S */
2163 for (i = 0; i < 8; i++) {
2164 S[i] = md->state[i];
2167 /* copy the state into 512-bits into W[0..15] */
2168 for (i = 0; i < 16; i++)
2169 W[i] = WPA_GET_BE32(buf + (4 * i));
2171 /* fill W[16..63] */
2172 for (i = 16; i < 64; i++) {
2173 W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) +
2178 #define RND(a,b,c,d,e,f,g,h,i) \
2179 t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
2180 t1 = Sigma0(a) + Maj(a, b, c); \
2184 for (i = 0; i < 64; ++i) {
2185 RND(S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i);
2186 t = S[7]; S[7] = S[6]; S[6] = S[5]; S[5] = S[4];
2187 S[4] = S[3]; S[3] = S[2]; S[2] = S[1]; S[1] = S[0]; S[0] = t;
2191 for (i = 0; i < 8; i++) {
2192 md->state[i] = md->state[i] + S[i];
2197 /* Initialize the hash state */
2198 static void sha256_init(struct sha256_state *md)
2202 md->state[0] = 0x6A09E667UL;
2203 md->state[1] = 0xBB67AE85UL;
2204 md->state[2] = 0x3C6EF372UL;
2205 md->state[3] = 0xA54FF53AUL;
2206 md->state[4] = 0x510E527FUL;
2207 md->state[5] = 0x9B05688CUL;
2208 md->state[6] = 0x1F83D9ABUL;
2209 md->state[7] = 0x5BE0CD19UL;
2213 Process a block of memory though the hash
2214 @param md The hash state
2215 @param in The data to hash
2216 @param inlen The length of the data (octets)
2217 @return CRYPT_OK if successful
2219 static int sha256_process(struct sha256_state *md, unsigned char *in,
2220 unsigned long inlen)
2223 #define block_size 64
2225 if (md->curlen > sizeof(md->buf))
2229 if (md->curlen == 0 && inlen >= block_size) {
2230 if (sha256_compress(md, (unsigned char *) in) < 0)
2232 md->length += block_size * 8;
2234 inlen -= block_size;
2236 n = MIN(inlen, (block_size - md->curlen));
2237 _rtw_memcpy(md->buf + md->curlen, in, n);
2241 if (md->curlen == block_size) {
2242 if (sha256_compress(md, md->buf) < 0)
2244 md->length += 8 * block_size;
2255 Terminate the hash to get the digest
2256 @param md The hash state
2257 @param out [out] The destination of the hash (32 bytes)
2258 @return CRYPT_OK if successful
2260 static int sha256_done(struct sha256_state *md, unsigned char *out)
2264 if (md->curlen >= sizeof(md->buf))
2267 /* increase the length of the message */
2268 md->length += md->curlen * 8;
2270 /* append the '1' bit */
2271 md->buf[md->curlen++] = (unsigned char) 0x80;
2273 /* if the length is currently above 56 bytes we append zeros
2274 * then compress. Then we can fall back to padding zeros and length
2275 * encoding like normal.
2277 if (md->curlen > 56) {
2278 while (md->curlen < 64) {
2279 md->buf[md->curlen++] = (unsigned char) 0;
2281 sha256_compress(md, md->buf);
2285 /* pad upto 56 bytes of zeroes */
2286 while (md->curlen < 56) {
2287 md->buf[md->curlen++] = (unsigned char) 0;
2291 WPA_PUT_BE64(md->buf + 56, md->length);
2292 sha256_compress(md, md->buf);
2295 for (i = 0; i < 8; i++)
2296 WPA_PUT_BE32(out + (4 * i), md->state[i]);
2302 * sha256_vector - SHA256 hash for data vector
2303 * @num_elem: Number of elements in the data vector
2304 * @addr: Pointers to the data areas
2305 * @len: Lengths of the data blocks
2306 * @mac: Buffer for the hash
2307 * Returns: 0 on success, -1 of failure
2309 static int sha256_vector(size_t num_elem, u8 *addr[], size_t *len,
2312 struct sha256_state ctx;
2316 for (i = 0; i < num_elem; i++)
2317 if (sha256_process(&ctx, addr[i], len[i]))
2319 if (sha256_done(&ctx, mac))
2324 static u8 os_strlen(const char *s)
2332 static int os_memcmp(void *s1, void *s2, u8 n)
2334 unsigned char *p1 = s1, *p2 = s2;
2339 while (*p1 == *p2) {
2351 * hmac_sha256_vector - HMAC-SHA256 over data vector (RFC 2104)
2352 * @key: Key for HMAC operations
2353 * @key_len: Length of the key in bytes
2354 * @num_elem: Number of elements in the data vector
2355 * @addr: Pointers to the data areas
2356 * @len: Lengths of the data blocks
2357 * @mac: Buffer for the hash (32 bytes)
2359 static void hmac_sha256_vector(u8 *key, size_t key_len, size_t num_elem,
2360 u8 *addr[], size_t *len, u8 *mac)
2362 unsigned char k_pad[64]; /* padding - key XORd with ipad/opad */
2363 unsigned char tk[32];
2369 * Fixed limit on the number of fragments to avoid having to
2370 * allocate memory (which could fail).
2375 /* if key is longer than 64 bytes reset it to key = SHA256(key) */
2377 sha256_vector(1, &key, &key_len, tk);
2382 /* the HMAC_SHA256 transform looks like:
2384 * SHA256(K XOR opad, SHA256(K XOR ipad, text))
2386 * where K is an n byte key
2387 * ipad is the byte 0x36 repeated 64 times
2388 * opad is the byte 0x5c repeated 64 times
2389 * and text is the data being protected */
2391 /* start out by storing key in ipad */
2392 _rtw_memset(k_pad, 0, sizeof(k_pad));
2393 _rtw_memcpy(k_pad, key, key_len);
2394 /* XOR key with ipad values */
2395 for (i = 0; i < 64; i++)
2398 /* perform inner SHA256 */
2401 for (i = 0; i < num_elem; i++) {
2402 _addr[i + 1] = addr[i];
2403 _len[i + 1] = len[i];
2405 sha256_vector(1 + num_elem, _addr, _len, mac);
2407 _rtw_memset(k_pad, 0, sizeof(k_pad));
2408 _rtw_memcpy(k_pad, key, key_len);
2409 /* XOR key with opad values */
2410 for (i = 0; i < 64; i++)
2413 /* perform outer SHA256 */
2418 sha256_vector(2, _addr, _len, mac);
2420 #endif //PLATFORM_FREEBSD
2422 * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2)
2424 * @key_len: Length of the key in bytes
2425 * @label: A unique label for each purpose of the PRF
2426 * @data: Extra data to bind into the key
2427 * @data_len: Length of the data
2428 * @buf: Buffer for the generated pseudo-random key
2429 * @buf_len: Number of bytes of key to generate
2431 * This function is used to derive new, cryptographically separate keys from a
2434 #ifndef PLATFORM_FREEBSD //Baron
2435 static void sha256_prf(u8 *key, size_t key_len, char *label,
2436 u8 *data, size_t data_len, u8 *buf, size_t buf_len)
2440 u8 hash[SHA256_MAC_LEN];
2443 u8 counter_le[2], length_le[2];
2445 addr[0] = counter_le;
2447 addr[1] = (u8 *) label;
2448 len[1] = os_strlen(label);
2451 addr[3] = length_le;
2452 len[3] = sizeof(length_le);
2454 WPA_PUT_LE16(length_le, buf_len * 8);
2456 while (pos < buf_len) {
2457 plen = buf_len - pos;
2458 WPA_PUT_LE16(counter_le, counter);
2459 if (plen >= SHA256_MAC_LEN) {
2460 hmac_sha256_vector(key, key_len, 4, addr, len,
2462 pos += SHA256_MAC_LEN;
2464 hmac_sha256_vector(key, key_len, 4, addr, len, hash);
2465 _rtw_memcpy(&buf[pos], hash, plen);
2471 #endif //PLATFORM_FREEBSD Baron
2474 const u32 Te0[256] = {
2475 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
2476 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
2477 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
2478 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
2479 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
2480 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
2481 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
2482 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
2483 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
2484 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
2485 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
2486 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
2487 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
2488 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
2489 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
2490 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
2491 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
2492 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
2493 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
2494 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
2495 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
2496 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
2497 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
2498 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
2499 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
2500 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
2501 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
2502 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
2503 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
2504 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
2505 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
2506 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
2507 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
2508 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
2509 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
2510 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
2511 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
2512 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
2513 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
2514 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
2515 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
2516 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
2517 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
2518 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
2519 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
2520 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
2521 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
2522 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
2523 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
2524 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
2525 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
2526 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
2527 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
2528 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
2529 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
2530 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
2531 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
2532 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
2533 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
2534 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
2535 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
2536 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
2537 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
2538 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
2540 const u32 Td0[256] = {
2541 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
2542 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
2543 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
2544 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
2545 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
2546 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
2547 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
2548 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
2549 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
2550 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
2551 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
2552 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
2553 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
2554 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
2555 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
2556 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
2557 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
2558 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
2559 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
2560 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
2561 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
2562 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
2563 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
2564 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
2565 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
2566 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
2567 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
2568 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
2569 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
2570 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
2571 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
2572 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
2573 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
2574 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
2575 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
2576 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
2577 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
2578 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
2579 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
2580 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
2581 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
2582 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
2583 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
2584 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
2585 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
2586 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
2587 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
2588 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
2589 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
2590 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
2591 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
2592 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
2593 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
2594 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
2595 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
2596 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
2597 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
2598 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
2599 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
2600 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
2601 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
2602 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
2603 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
2604 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
2606 const u8 Td4s[256] = {
2607 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
2608 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
2609 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
2610 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU,
2611 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU,
2612 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU,
2613 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U,
2614 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U,
2615 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U,
2616 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U,
2617 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU,
2618 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U,
2619 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU,
2620 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U,
2621 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U,
2622 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU,
2623 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU,
2624 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U,
2625 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U,
2626 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU,
2627 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U,
2628 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU,
2629 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U,
2630 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U,
2631 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U,
2632 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU,
2633 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU,
2634 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU,
2635 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U,
2636 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U,
2637 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
2638 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
2640 const u8 rcons[] = {
2641 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
2642 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
2646 * Expand the cipher key into the encryption key schedule.
2648 * @return the number of rounds for the given cipher key size.
2650 #ifndef PLATFORM_FREEBSD //Baron
2651 static void rijndaelKeySetupEnc(u32 rk[/*44*/], const u8 cipherKey[])
2656 rk[0] = GETU32(cipherKey );
2657 rk[1] = GETU32(cipherKey + 4);
2658 rk[2] = GETU32(cipherKey + 8);
2659 rk[3] = GETU32(cipherKey + 12);
2660 for (i = 0; i < 10; i++) {
2663 TE421(temp) ^ TE432(temp) ^ TE443(temp) ^ TE414(temp) ^
2665 rk[5] = rk[1] ^ rk[4];
2666 rk[6] = rk[2] ^ rk[5];
2667 rk[7] = rk[3] ^ rk[6];
2672 static void rijndaelEncrypt(u32 rk[/*44*/], u8 pt[16], u8 ct[16])
2674 u32 s0, s1, s2, s3, t0, t1, t2, t3;
2678 #endif /* ?FULL_UNROLL */
2681 * map byte array block to cipher state
2682 * and add initial round key:
2684 s0 = GETU32(pt ) ^ rk[0];
2685 s1 = GETU32(pt + 4) ^ rk[1];
2686 s2 = GETU32(pt + 8) ^ rk[2];
2687 s3 = GETU32(pt + 12) ^ rk[3];
2689 #define ROUND(i,d,s) \
2690 d##0 = TE0(s##0) ^ TE1(s##1) ^ TE2(s##2) ^ TE3(s##3) ^ rk[4 * i]; \
2691 d##1 = TE0(s##1) ^ TE1(s##2) ^ TE2(s##3) ^ TE3(s##0) ^ rk[4 * i + 1]; \
2692 d##2 = TE0(s##2) ^ TE1(s##3) ^ TE2(s##0) ^ TE3(s##1) ^ rk[4 * i + 2]; \
2693 d##3 = TE0(s##3) ^ TE1(s##0) ^ TE2(s##1) ^ TE3(s##2) ^ rk[4 * i + 3]
2709 #else /* !FULL_UNROLL */
2711 /* Nr - 1 full rounds: */
2721 #endif /* ?FULL_UNROLL */
2726 * apply last round and
2727 * map cipher state to byte array block:
2729 s0 = TE41(t0) ^ TE42(t1) ^ TE43(t2) ^ TE44(t3) ^ rk[0];
2731 s1 = TE41(t1) ^ TE42(t2) ^ TE43(t3) ^ TE44(t0) ^ rk[1];
2733 s2 = TE41(t2) ^ TE42(t3) ^ TE43(t0) ^ TE44(t1) ^ rk[2];
2735 s3 = TE41(t3) ^ TE42(t0) ^ TE43(t1) ^ TE44(t2) ^ rk[3];
2736 PUTU32(ct + 12, s3);
2739 static void * aes_encrypt_init(u8 *key, size_t len)
2744 rk = (u32*)rtw_malloc(AES_PRIV_SIZE);
2747 rijndaelKeySetupEnc(rk, key);
2751 static void aes_128_encrypt(void *ctx, u8 *plain, u8 *crypt)
2753 rijndaelEncrypt(ctx, plain, crypt);
2757 static void gf_mulx(u8 *pad)
2761 carry = pad[0] & 0x80;
2762 for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
2763 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
2764 pad[AES_BLOCK_SIZE - 1] <<= 1;
2766 pad[AES_BLOCK_SIZE - 1] ^= 0x87;
2769 static void aes_encrypt_deinit(void *ctx)
2771 _rtw_memset(ctx, 0, AES_PRIV_SIZE);
2772 rtw_mfree(ctx, AES_PRIV_SIZE);
2777 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
2778 * @key: 128-bit key for the hash operation
2779 * @num_elem: Number of elements in the data vector
2780 * @addr: Pointers to the data areas
2781 * @len: Lengths of the data blocks
2782 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
2783 * Returns: 0 on success, -1 on failure
2785 * This is a mode for using block cipher (AES in this case) for authentication.
2786 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
2789 static int omac1_aes_128_vector(u8 *key, size_t num_elem,
2790 u8 *addr[], size_t *len, u8 *mac)
2793 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
2795 size_t i, e, left, total_len;
2797 ctx = aes_encrypt_init(key, 16);
2800 _rtw_memset(cbc, 0, AES_BLOCK_SIZE);
2803 for (e = 0; e < num_elem; e++)
2804 total_len += len[e];
2811 while (left >= AES_BLOCK_SIZE) {
2812 for (i = 0; i < AES_BLOCK_SIZE; i++) {
2820 if (left > AES_BLOCK_SIZE)
2821 aes_128_encrypt(ctx, cbc, cbc);
2822 left -= AES_BLOCK_SIZE;
2825 _rtw_memset(pad, 0, AES_BLOCK_SIZE);
2826 aes_128_encrypt(ctx, pad, pad);
2829 if (left || total_len == 0) {
2830 for (i = 0; i < left; i++) {
2842 for (i = 0; i < AES_BLOCK_SIZE; i++)
2844 aes_128_encrypt(ctx, pad, mac);
2845 aes_encrypt_deinit(ctx);
2851 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
2852 * @key: 128-bit key for the hash operation
2853 * @data: Data buffer for which a MAC is determined
2854 * @data_len: Length of data buffer in bytes
2855 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
2856 * Returns: 0 on success, -1 on failure
2858 * This is a mode for using block cipher (AES in this case) for authentication.
2859 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
2861 */ //modify for CONFIG_IEEE80211W
2862 int omac1_aes_128(u8 *key, u8 *data, size_t data_len, u8 *mac)
2864 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
2866 #endif //PLATFORM_FREEBSD Baron
2869 void wpa_tdls_generate_tpk(_adapter *padapter, struct sta_info *psta)
2871 struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
2872 u8 *SNonce = psta->SNonce;
2873 u8 *ANonce = psta->ANonce;
2875 u8 key_input[SHA256_MAC_LEN];
2878 u8 data[3 * ETH_ALEN];
2880 /* IEEE Std 802.11z-2010 8.5.9.1:
2881 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
2885 if (os_memcmp(SNonce, ANonce, 32) < 0) {
2893 sha256_vector(2, nonce, len, key_input);
2896 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
2897 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
2898 * TODO: is N_KEY really included in KDF Context and if so, in which
2899 * presentation format (little endian 16-bit?) is it used? It gets
2900 * added by the KDF anyway..
2903 if (os_memcmp(myid(&(padapter->eeprompriv)), psta->hwaddr, ETH_ALEN) < 0) {
2904 _rtw_memcpy(data, myid(&(padapter->eeprompriv)), ETH_ALEN);
2905 _rtw_memcpy(data + ETH_ALEN, psta->hwaddr, ETH_ALEN);
2907 _rtw_memcpy(data, psta->hwaddr, ETH_ALEN);
2908 _rtw_memcpy(data + ETH_ALEN, myid(&(padapter->eeprompriv)), ETH_ALEN);
2910 _rtw_memcpy(data + 2 * ETH_ALEN, get_bssid(pmlmepriv), ETH_ALEN);
2912 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data), (u8 *) &psta->tpk, sizeof(psta->tpk));
2918 * wpa_tdls_ftie_mic - Calculate TDLS FTIE MIC
2920 * @lnkid: Pointer to the beginning of Link Identifier IE
2921 * @rsnie: Pointer to the beginning of RSN IE used for handshake
2922 * @timeoutie: Pointer to the beginning of Timeout IE used for handshake
2923 * @ftie: Pointer to the beginning of FT IE
2924 * @mic: Pointer for writing MIC
2926 * Calculate MIC for TDLS frame.
2928 int wpa_tdls_ftie_mic(u8 *kck, u8 trans_seq,
2929 u8 *lnkid, u8 *rsnie, u8 *timeoutie, u8 *ftie,
2933 struct wpa_tdls_ftie *_ftie;
2934 struct wpa_tdls_lnkid *_lnkid;
2936 int len = 2 * ETH_ALEN + 1 + 2 + lnkid[1] + 2 + rsnie[1] +
2937 2 + timeoutie[1] + 2 + ftie[1];
2938 buf = rtw_zmalloc(len);
2940 DBG_871X("TDLS: No memory for MIC calculation\n");
2945 _lnkid = (struct wpa_tdls_lnkid *) lnkid;
2946 /* 1) TDLS initiator STA MAC address */
2947 _rtw_memcpy(pos, _lnkid->init_sta, ETH_ALEN);
2949 /* 2) TDLS responder STA MAC address */
2950 _rtw_memcpy(pos, _lnkid->resp_sta, ETH_ALEN);
2952 /* 3) Transaction Sequence number */
2954 /* 4) Link Identifier IE */
2955 _rtw_memcpy(pos, lnkid, 2 + lnkid[1]);
2956 pos += 2 + lnkid[1];
2958 _rtw_memcpy(pos, rsnie, 2 + rsnie[1]);
2959 pos += 2 + rsnie[1];
2960 /* 6) Timeout Interval IE */
2961 _rtw_memcpy(pos, timeoutie, 2 + timeoutie[1]);
2962 pos += 2 + timeoutie[1];
2963 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
2964 _rtw_memcpy(pos, ftie, 2 + ftie[1]);
2965 _ftie = (struct wpa_tdls_ftie *) pos;
2966 _rtw_memset(_ftie->mic, 0, TDLS_MIC_LEN);
2969 ret = omac1_aes_128(kck, buf, pos - buf, mic);
2970 rtw_mfree(buf, len);
2975 int tdls_verify_mic(u8 *kck, u8 trans_seq,
2976 u8 *lnkid, u8 *rsnie, u8 *timeoutie, u8 *ftie)
2982 u8 *rx_ftie, *tmp_ftie;
2984 if (lnkid == NULL || rsnie == NULL ||
2985 timeoutie == NULL || ftie == NULL){
2989 len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + *(rsnie+1) + 2 + *(timeoutie+1) + 2 + *(ftie+1);
2991 buf = rtw_zmalloc(len);
2996 /* 1) TDLS initiator STA MAC address */
2997 _rtw_memcpy(pos, lnkid + ETH_ALEN + 2, ETH_ALEN);
2999 /* 2) TDLS responder STA MAC address */
3000 _rtw_memcpy(pos, lnkid + 2 * ETH_ALEN + 2, ETH_ALEN);
3002 /* 3) Transaction Sequence number */
3004 /* 4) Link Identifier IE */
3005 _rtw_memcpy(pos, lnkid, 2 + 18);
3008 _rtw_memcpy(pos, rsnie, 2 + *(rsnie+1));
3009 pos += 2 + *(rsnie+1);
3010 /* 6) Timeout Interval IE */
3011 _rtw_memcpy(pos, timeoutie, 2 + *(timeoutie+1));
3012 pos += 2 + *(timeoutie+1);
3013 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
3014 _rtw_memcpy(pos, ftie, 2 + *(ftie+1));
3016 tmp_ftie = (u8 *) (pos+2);
3017 _rtw_memset(tmp_ftie, 0, 16);
3020 ret = omac1_aes_128(kck, buf, pos - buf, mic);
3021 rtw_mfree(buf, len);
3026 if (os_memcmp(mic, rx_ftie, 16) == 0) {
3032 DBG_871X( "[%s] Invalid MIC\n", __FUNCTION__);
3036 #endif //CONFIG_TDLS
3038 #ifdef PLATFORM_WINDOWS
3039 void rtw_use_tkipkey_handler (
3040 IN PVOID SystemSpecific1,
3041 IN PVOID FunctionContext,
3042 IN PVOID SystemSpecific2,
3043 IN PVOID SystemSpecific3
3046 #ifdef PLATFORM_LINUX
3047 void rtw_use_tkipkey_handler(void *FunctionContext)
3049 #ifdef PLATFORM_FREEBSD
3050 void rtw_use_tkipkey_handler(void *FunctionContext)
3053 _adapter *padapter = (_adapter *)FunctionContext;
3058 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("^^^rtw_use_tkipkey_handler ^^^\n"));
3061 if(padapter->bDriverStopped ||padapter->bSurpriseRemoved){
3062 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("^^^rtw_use_tkipkey_handler (padapter->bDriverStopped %d)(padapter->bSurpriseRemoved %d)^^^\n",padapter->bDriverStopped,padapter->bSurpriseRemoved));
3068 padapter->securitypriv.busetkipkey=_TRUE;
3070 RT_TRACE(_module_rtl871x_security_c_,_drv_err_,("^^^rtw_use_tkipkey_handler padapter->securitypriv.busetkipkey=%d^^^\n",padapter->securitypriv.busetkipkey));
3076 /* Restore HW wep key setting according to key_mask */
3077 void rtw_sec_restore_wep_key(_adapter *adapter)
3079 struct security_priv* securitypriv=&(adapter->securitypriv);
3082 if((_WEP40_ == securitypriv->dot11PrivacyAlgrthm) ||(_WEP104_ == securitypriv->dot11PrivacyAlgrthm)) {
3083 for(keyid=0;keyid<4;keyid++){
3084 if(securitypriv->key_mask & BIT(keyid)){
3085 if(keyid == securitypriv->dot11PrivacyKeyIndex)
3086 rtw_set_key(adapter,securitypriv, keyid, 1);
3088 rtw_set_key(adapter,securitypriv, keyid, 0);
3094 u8 rtw_handle_tkip_countermeasure(_adapter* adapter, const char *caller)
3096 struct security_priv* securitypriv=&(adapter->securitypriv);
3097 u8 status = _SUCCESS;
3099 if (securitypriv->btkip_countermeasure == _TRUE) {
3100 u32 passing_ms = rtw_get_passing_time_ms(securitypriv->btkip_countermeasure_time);
3101 if (passing_ms > 60*1000) {
3102 LOG_LEVEL(_drv_info_, "%s("ADPT_FMT") countermeasure time:%ds > 60s \n",
3103 caller, ADPT_ARG(adapter), passing_ms/1000);
3104 securitypriv->btkip_countermeasure = _FALSE;
3105 securitypriv->btkip_countermeasure_time = 0;
3107 LOG_LEVEL(_drv_warning_, "%s("ADPT_FMT") countermeasure time:%ds < 60s \n",
3108 caller, ADPT_ARG(adapter), passing_ms/1000);