1 // SPDX-License-Identifier: GPL-2.0
2 /******************************************************************************
3 *
4 * Copyright(c) 2007 - 2011 Realtek Corporation. All rights reserved.
5 *
6 ******************************************************************************/
7 #include <linux/crc32.h>
8 #include <linux/unaligned.h>
9 #include <drv_types.h>
10 #include <crypto/aes.h>
11 #include <crypto/utils.h>
12
13 static const char * const _security_type_str[] = {
14 "N/A",
15 "WEP40",
16 "TKIP",
17 "TKIP_WM",
18 "AES",
19 "WEP104",
20 "SMS4",
21 "WEP_WPA",
22 "BIP",
23 };
24
security_type_str(u8 value)25 const char *security_type_str(u8 value)
26 {
27 if (value <= _BIP_)
28 return _security_type_str[value];
29 return NULL;
30 }
31
32 /* WEP related ===== */
33
34 /* Need to consider the fragment situation */
rtw_wep_encrypt(struct adapter * padapter,u8 * pxmitframe)35 void rtw_wep_encrypt(struct adapter *padapter, u8 *pxmitframe)
36 { /* exclude ICV */
37 union {
38 __le32 f0;
39 unsigned char f1[4];
40 } crc;
41
42 signed int curfragnum, length;
43 u32 keylength;
44
45 u8 *pframe, *payload, *iv; /* wepkey */
46 u8 wepkey[16];
47 u8 hw_hdr_offset = 0;
48 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
49 struct security_priv *psecuritypriv = &padapter->securitypriv;
50 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
51 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
52
53 if (!((struct xmit_frame *)pxmitframe)->buf_addr)
54 return;
55
56 hw_hdr_offset = TXDESC_OFFSET;
57 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset;
58
59 /* start to encrypt each fragment */
60 if ((pattrib->encrypt == _WEP40_) || (pattrib->encrypt == _WEP104_)) {
61 keylength = psecuritypriv->dot11DefKeylen[psecuritypriv->dot11PrivacyKeyIndex];
62
63 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
64 iv = pframe + pattrib->hdrlen;
65 memcpy(&wepkey[0], iv, 3);
66 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength);
67 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
68
69 if ((curfragnum + 1) == pattrib->nr_frags) { /* the last fragment */
70
71 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
72
73 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
74
75 arc4_setkey(ctx, wepkey, 3 + keylength);
76 arc4_crypt(ctx, payload, payload, length);
77 arc4_crypt(ctx, payload + length, crc.f1, 4);
78
79 } else {
80 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
81 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
82 arc4_setkey(ctx, wepkey, 3 + keylength);
83 arc4_crypt(ctx, payload, payload, length);
84 arc4_crypt(ctx, payload + length, crc.f1, 4);
85
86 pframe += pxmitpriv->frag_len;
87 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4);
88 }
89 }
90 }
91 }
92
rtw_wep_decrypt(struct adapter * padapter,u8 * precvframe)93 void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
94 {
95 /* exclude ICV */
96 u8 crc[4];
97 signed int length;
98 u32 keylength;
99 u8 *pframe, *payload, *iv, wepkey[16];
100 u8 keyindex;
101 struct rx_pkt_attrib *prxattrib = &(((union recv_frame *)precvframe)->u.hdr.attrib);
102 struct security_priv *psecuritypriv = &padapter->securitypriv;
103 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
104
105 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
106
107 /* start to decrypt recvframe */
108 if ((prxattrib->encrypt == _WEP40_) || (prxattrib->encrypt == _WEP104_)) {
109 iv = pframe + prxattrib->hdrlen;
110 /* keyindex =(iv[3]&0x3); */
111 keyindex = prxattrib->key_index;
112 keylength = psecuritypriv->dot11DefKeylen[keyindex];
113 memcpy(&wepkey[0], iv, 3);
114 /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); */
115 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
116 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len;
117
118 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
119
120 /* decrypt payload include icv */
121 arc4_setkey(ctx, wepkey, 3 + keylength);
122 arc4_crypt(ctx, payload, payload, length);
123
124 /* calculate icv and compare the icv */
125 *((u32 *)crc) = ~crc32_le(~0, payload, length - 4);
126
127 }
128 }
129
130 /* 3 =====TKIP related ===== */
131
secmicclear(struct mic_data * pmicdata)132 static void secmicclear(struct mic_data *pmicdata)
133 {
134 /* Reset the state to the empty message. */
135 pmicdata->L = pmicdata->K0;
136 pmicdata->R = pmicdata->K1;
137 pmicdata->nBytesInM = 0;
138 pmicdata->M = 0;
139 }
140
rtw_secmicsetkey(struct mic_data * pmicdata,u8 * key)141 void rtw_secmicsetkey(struct mic_data *pmicdata, u8 *key)
142 {
143 /* Set the key */
144 pmicdata->K0 = get_unaligned_le32(key);
145 pmicdata->K1 = get_unaligned_le32(key + 4);
146 /* and reset the message */
147 secmicclear(pmicdata);
148 }
149
rtw_secmicappendbyte(struct mic_data * pmicdata,u8 b)150 void rtw_secmicappendbyte(struct mic_data *pmicdata, u8 b)
151 {
152 /* Append the byte to our word-sized buffer */
153 pmicdata->M |= ((unsigned long)b) << (8 * pmicdata->nBytesInM);
154 pmicdata->nBytesInM++;
155 /* Process the word if it is full. */
156 if (pmicdata->nBytesInM >= 4) {
157 pmicdata->L ^= pmicdata->M;
158 pmicdata->R ^= ROL32(pmicdata->L, 17);
159 pmicdata->L += pmicdata->R;
160 pmicdata->R ^= ((pmicdata->L & 0xff00ff00) >> 8) | ((pmicdata->L & 0x00ff00ff) << 8);
161 pmicdata->L += pmicdata->R;
162 pmicdata->R ^= ROL32(pmicdata->L, 3);
163 pmicdata->L += pmicdata->R;
164 pmicdata->R ^= ROR32(pmicdata->L, 2);
165 pmicdata->L += pmicdata->R;
166 /* Clear the buffer */
167 pmicdata->M = 0;
168 pmicdata->nBytesInM = 0;
169 }
170 }
171
rtw_secmicappend(struct mic_data * pmicdata,u8 * src,u32 nbytes)172 void rtw_secmicappend(struct mic_data *pmicdata, u8 *src, u32 nbytes)
173 {
174 /* This is simple */
175 while (nbytes > 0) {
176 rtw_secmicappendbyte(pmicdata, *src++);
177 nbytes--;
178 }
179 }
180
rtw_secgetmic(struct mic_data * pmicdata,u8 * dst)181 void rtw_secgetmic(struct mic_data *pmicdata, u8 *dst)
182 {
183 /* Append the minimum padding */
184 rtw_secmicappendbyte(pmicdata, 0x5a);
185 rtw_secmicappendbyte(pmicdata, 0);
186 rtw_secmicappendbyte(pmicdata, 0);
187 rtw_secmicappendbyte(pmicdata, 0);
188 rtw_secmicappendbyte(pmicdata, 0);
189 /* and then zeroes until the length is a multiple of 4 */
190 while (pmicdata->nBytesInM != 0)
191 rtw_secmicappendbyte(pmicdata, 0);
192 /* The appendByte function has already computed the result. */
193 put_unaligned_le32(pmicdata->L, dst);
194 put_unaligned_le32(pmicdata->R, dst + 4);
195 /* Reset to the empty message. */
196 secmicclear(pmicdata);
197 }
198
199
rtw_seccalctkipmic(u8 * key,u8 * header,u8 * data,u32 data_len,u8 * mic_code,u8 pri)200 void rtw_seccalctkipmic(u8 *key, u8 *header, u8 *data, u32 data_len, u8 *mic_code, u8 pri)
201 {
202
203 struct mic_data micdata;
204 u8 priority[4] = {0x0, 0x0, 0x0, 0x0};
205
206 rtw_secmicsetkey(&micdata, key);
207 priority[0] = pri;
208
209 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
210 if (header[1] & 1) { /* ToDS == 1 */
211 rtw_secmicappend(&micdata, &header[16], 6); /* DA */
212 if (header[1] & 2) /* From Ds == 1 */
213 rtw_secmicappend(&micdata, &header[24], 6);
214 else
215 rtw_secmicappend(&micdata, &header[10], 6);
216 } else { /* ToDS == 0 */
217 rtw_secmicappend(&micdata, &header[4], 6); /* DA */
218 if (header[1] & 2) /* From Ds == 1 */
219 rtw_secmicappend(&micdata, &header[16], 6);
220 else
221 rtw_secmicappend(&micdata, &header[10], 6);
222 }
223 rtw_secmicappend(&micdata, &priority[0], 4);
224
225
226 rtw_secmicappend(&micdata, data, data_len);
227
228 rtw_secgetmic(&micdata, mic_code);
229 }
230
231 /* macros for extraction/creation of unsigned char/unsigned short values */
232 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
233 #define Lo8(v16) ((u8)((v16) & 0x00FF))
234 #define Hi8(v16) ((u8)(((v16) >> 8) & 0x00FF))
235 #define Lo16(v32) ((u16)((v32) & 0xFFFF))
236 #define Hi16(v32) ((u16)(((v32) >> 16) & 0xFFFF))
237 #define Mk16(hi, lo) ((lo) ^ (((u16)(hi)) << 8))
238
239 /* select the Nth 16-bit word of the temporal key unsigned char array TK[] */
240 #define TK16(N) Mk16(tk[2 * (N) + 1], tk[2 * (N)])
241
242 /* S-box lookup: 16 bits --> 16 bits */
243 #define _S_(v16) (Sbox1[0][Lo8(v16)] ^ Sbox1[1][Hi8(v16)])
244
245 /* fixed algorithm "parameters" */
246 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
247
248 /* 2-unsigned char by 2-unsigned char subset of the full AES S-box table */
249 static const unsigned short Sbox1[2][256] = { /* Sbox for hash (can be in ROM) */
250 {
251 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
252 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
253 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
254 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
255 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
256 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
257 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
258 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
259 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
260 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
261 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
262 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
263 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
264 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
265 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
266 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
267 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
268 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
269 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
270 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
271 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
272 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
273 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
274 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
275 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
276 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
277 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
278 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
279 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
280 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
281 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
282 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
283 },
284
285
286 { /* second half of table is unsigned char-reversed version of first! */
287 0xA5C6, 0x84F8, 0x99EE, 0x8DF6, 0x0DFF, 0xBDD6, 0xB1DE, 0x5491,
288 0x5060, 0x0302, 0xA9CE, 0x7D56, 0x19E7, 0x62B5, 0xE64D, 0x9AEC,
289 0x458F, 0x9D1F, 0x4089, 0x87FA, 0x15EF, 0xEBB2, 0xC98E, 0x0BFB,
290 0xEC41, 0x67B3, 0xFD5F, 0xEA45, 0xBF23, 0xF753, 0x96E4, 0x5B9B,
291 0xC275, 0x1CE1, 0xAE3D, 0x6A4C, 0x5A6C, 0x417E, 0x02F5, 0x4F83,
292 0x5C68, 0xF451, 0x34D1, 0x08F9, 0x93E2, 0x73AB, 0x5362, 0x3F2A,
293 0x0C08, 0x5295, 0x6546, 0x5E9D, 0x2830, 0xA137, 0x0F0A, 0xB52F,
294 0x090E, 0x3624, 0x9B1B, 0x3DDF, 0x26CD, 0x694E, 0xCD7F, 0x9FEA,
295 0x1B12, 0x9E1D, 0x7458, 0x2E34, 0x2D36, 0xB2DC, 0xEEB4, 0xFB5B,
296 0xF6A4, 0x4D76, 0x61B7, 0xCE7D, 0x7B52, 0x3EDD, 0x715E, 0x9713,
297 0xF5A6, 0x68B9, 0x0000, 0x2CC1, 0x6040, 0x1FE3, 0xC879, 0xEDB6,
298 0xBED4, 0x468D, 0xD967, 0x4B72, 0xDE94, 0xD498, 0xE8B0, 0x4A85,
299 0x6BBB, 0x2AC5, 0xE54F, 0x16ED, 0xC586, 0xD79A, 0x5566, 0x9411,
300 0xCF8A, 0x10E9, 0x0604, 0x81FE, 0xF0A0, 0x4478, 0xBA25, 0xE34B,
301 0xF3A2, 0xFE5D, 0xC080, 0x8A05, 0xAD3F, 0xBC21, 0x4870, 0x04F1,
302 0xDF63, 0xC177, 0x75AF, 0x6342, 0x3020, 0x1AE5, 0x0EFD, 0x6DBF,
303 0x4C81, 0x1418, 0x3526, 0x2FC3, 0xE1BE, 0xA235, 0xCC88, 0x392E,
304 0x5793, 0xF255, 0x82FC, 0x477A, 0xACC8, 0xE7BA, 0x2B32, 0x95E6,
305 0xA0C0, 0x9819, 0xD19E, 0x7FA3, 0x6644, 0x7E54, 0xAB3B, 0x830B,
306 0xCA8C, 0x29C7, 0xD36B, 0x3C28, 0x79A7, 0xE2BC, 0x1D16, 0x76AD,
307 0x3BDB, 0x5664, 0x4E74, 0x1E14, 0xDB92, 0x0A0C, 0x6C48, 0xE4B8,
308 0x5D9F, 0x6EBD, 0xEF43, 0xA6C4, 0xA839, 0xA431, 0x37D3, 0x8BF2,
309 0x32D5, 0x438B, 0x596E, 0xB7DA, 0x8C01, 0x64B1, 0xD29C, 0xE049,
310 0xB4D8, 0xFAAC, 0x07F3, 0x25CF, 0xAFCA, 0x8EF4, 0xE947, 0x1810,
311 0xD56F, 0x88F0, 0x6F4A, 0x725C, 0x2438, 0xF157, 0xC773, 0x5197,
312 0x23CB, 0x7CA1, 0x9CE8, 0x213E, 0xDD96, 0xDC61, 0x860D, 0x850F,
313 0x90E0, 0x427C, 0xC471, 0xAACC, 0xD890, 0x0506, 0x01F7, 0x121C,
314 0xA3C2, 0x5F6A, 0xF9AE, 0xD069, 0x9117, 0x5899, 0x273A, 0xB927,
315 0x38D9, 0x13EB, 0xB32B, 0x3322, 0xBBD2, 0x70A9, 0x8907, 0xA733,
316 0xB62D, 0x223C, 0x9215, 0x20C9, 0x4987, 0xFFAA, 0x7850, 0x7AA5,
317 0x8F03, 0xF859, 0x8009, 0x171A, 0xDA65, 0x31D7, 0xC684, 0xB8D0,
318 0xC382, 0xB029, 0x775A, 0x111E, 0xCB7B, 0xFCA8, 0xD66D, 0x3A2C,
319 }
320 };
321
322 /*
323 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
324 *
325 * Inputs:
326 * tk[] = temporal key [128 bits]
327 * ta[] = transmitter's MAC address [ 48 bits]
328 * iv32 = upper 32 bits of IV [ 32 bits]
329 * Output:
330 * p1k[] = Phase 1 key [ 80 bits]
331 *
332 * Note:
333 * This function only needs to be called every 2**16 packets,
334 * although in theory it could be called every packet.
335 */
phase1(u16 * p1k,const u8 * tk,const u8 * ta,u32 iv32)336 static void phase1(u16 *p1k, const u8 *tk, const u8 *ta, u32 iv32)
337 {
338 signed int i;
339
340 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
341 p1k[0] = Lo16(iv32);
342 p1k[1] = Hi16(iv32);
343 p1k[2] = Mk16(ta[1], ta[0]); /* use TA[] as little-endian */
344 p1k[3] = Mk16(ta[3], ta[2]);
345 p1k[4] = Mk16(ta[5], ta[4]);
346
347 /* Now compute an unbalanced Feistel cipher with 80-bit block */
348 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
349 for (i = 0; i < PHASE1_LOOP_CNT; i++) {
350 /* Each add operation here is mod 2**16 */
351 p1k[0] += _S_(p1k[4] ^ TK16((i & 1) + 0));
352 p1k[1] += _S_(p1k[0] ^ TK16((i & 1) + 2));
353 p1k[2] += _S_(p1k[1] ^ TK16((i & 1) + 4));
354 p1k[3] += _S_(p1k[2] ^ TK16((i & 1) + 6));
355 p1k[4] += _S_(p1k[3] ^ TK16((i & 1) + 0));
356 p1k[4] += (unsigned short)i; /* avoid "slide attacks" */
357 }
358 }
359
360
361 /*
362 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
363 *
364 * Inputs:
365 * tk[] = Temporal key [128 bits]
366 * p1k[] = Phase 1 output key [ 80 bits]
367 * iv16 = low 16 bits of IV counter [ 16 bits]
368 * Output:
369 * rc4key[] = the key used to encrypt the packet [128 bits]
370 *
371 * Note:
372 * The value {TA, IV32, IV16} for Phase1/Phase2 must be unique
373 * across all packets using the same key TK value. Then, for a
374 * given value of TK[], this TKIP48 construction guarantees that
375 * the final RC4KEY value is unique across all packets.
376 *
377 * Suggested implementation optimization: if PPK[] is "overlaid"
378 * appropriately on RC4KEY[], there is no need for the final
379 * for loop below that copies the PPK[] result into RC4KEY[].
380 */
phase2(u8 * rc4key,const u8 * tk,const u16 * p1k,u16 iv16)381 static void phase2(u8 *rc4key, const u8 *tk, const u16 *p1k, u16 iv16)
382 {
383 signed int i;
384 u16 PPK[6]; /* temporary key for mixing */
385
386 /* Note: all adds in the PPK[] equations below are mod 2**16 */
387 for (i = 0; i < 5; i++)
388 PPK[i] = p1k[i]; /* first, copy P1K to PPK */
389
390 PPK[5] = p1k[4] + iv16; /* next, add in IV16 */
391
392 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
393 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
394 PPK[1] += _S_(PPK[0] ^ TK16(1));
395 PPK[2] += _S_(PPK[1] ^ TK16(2));
396 PPK[3] += _S_(PPK[2] ^ TK16(3));
397 PPK[4] += _S_(PPK[3] ^ TK16(4));
398 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
399
400 /* Final sweep: bijective, "linear". Rotates kill LSB correlations */
401 PPK[0] += RotR1(PPK[5] ^ TK16(6));
402 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
403 PPK[2] += RotR1(PPK[1]);
404 PPK[3] += RotR1(PPK[2]);
405 PPK[4] += RotR1(PPK[3]);
406 PPK[5] += RotR1(PPK[4]);
407 /* Note: At this point, for a given key TK[0..15], the 96-bit output */
408 /* value PPK[0..5] is guaranteed to be unique, as a function */
409 /* of the 96-bit "input" value {TA, IV32, IV16}. That is, P1K */
410 /* is now a keyed permutation of {TA, IV32, IV16}. */
411
412 /* Set RC4KEY[0..3], which includes "cleartext" portion of RC4 key */
413 rc4key[0] = Hi8(iv16); /* RC4KEY[0..2] is the WEP IV */
414 rc4key[1] = (Hi8(iv16) | 0x20) & 0x7F; /* Help avoid weak (FMS) keys */
415 rc4key[2] = Lo8(iv16);
416 rc4key[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
417
418
419 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
420 for (i = 0; i < 6; i++) {
421 rc4key[4 + 2 * i] = Lo8(PPK[i]);
422 rc4key[5 + 2 * i] = Hi8(PPK[i]);
423 }
424 }
425
426
427 /* The hlen isn't include the IV */
rtw_tkip_encrypt(struct adapter * padapter,u8 * pxmitframe)428 u32 rtw_tkip_encrypt(struct adapter *padapter, u8 *pxmitframe)
429 { /* exclude ICV */
430 u16 pnl;
431 u32 pnh;
432 u8 rc4key[16];
433 u8 ttkey[16];
434 union {
435 __le32 f0;
436 u8 f1[4];
437 } crc;
438 u8 hw_hdr_offset = 0;
439 signed int curfragnum, length;
440
441 u8 *pframe, *payload, *iv, *prwskey;
442 union pn48 dot11txpn;
443 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
444 struct security_priv *psecuritypriv = &padapter->securitypriv;
445 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
446 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
447 u32 res = _SUCCESS;
448
449 if (!((struct xmit_frame *)pxmitframe)->buf_addr)
450 return _FAIL;
451
452 hw_hdr_offset = TXDESC_OFFSET;
453 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset;
454
455 /* 4 start to encrypt each fragment */
456 if (pattrib->encrypt == _TKIP_) {
457
458 {
459 if (is_multicast_ether_addr(pattrib->ra))
460 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
461 else
462 prwskey = pattrib->dot118021x_UncstKey.skey;
463
464 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
465 iv = pframe + pattrib->hdrlen;
466 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
467
468 GET_TKIP_PN(iv, dot11txpn);
469
470 pnl = (u16)(dot11txpn.val);
471 pnh = (u32)(dot11txpn.val >> 16);
472
473 phase1((u16 *)&ttkey[0], prwskey, &pattrib->ta[0], pnh);
474
475 phase2(&rc4key[0], prwskey, (u16 *)&ttkey[0], pnl);
476
477 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
478 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
479 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
480
481 arc4_setkey(ctx, rc4key, 16);
482 arc4_crypt(ctx, payload, payload, length);
483 arc4_crypt(ctx, payload + length, crc.f1, 4);
484
485 } else {
486 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
487 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
488
489 arc4_setkey(ctx, rc4key, 16);
490 arc4_crypt(ctx, payload, payload, length);
491 arc4_crypt(ctx, payload + length, crc.f1, 4);
492
493 pframe += pxmitpriv->frag_len;
494 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4);
495 }
496 }
497 }
498 }
499 return res;
500 }
501
502
503 /* The hlen isn't include the IV */
rtw_tkip_decrypt(struct adapter * padapter,u8 * precvframe)504 u32 rtw_tkip_decrypt(struct adapter *padapter, u8 *precvframe)
505 { /* exclude ICV */
506 u16 pnl;
507 u32 pnh;
508 u8 rc4key[16];
509 u8 ttkey[16];
510 u8 crc[4];
511 signed int length;
512
513 u8 *pframe, *payload, *iv, *prwskey;
514 union pn48 dot11txpn;
515 struct sta_info *stainfo;
516 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
517 struct security_priv *psecuritypriv = &padapter->securitypriv;
518 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
519 u32 res = _SUCCESS;
520
521 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
522
523 /* 4 start to decrypt recvframe */
524 if (prxattrib->encrypt == _TKIP_) {
525 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
526 if (stainfo) {
527 if (is_multicast_ether_addr(prxattrib->ra)) {
528 static unsigned long start;
529 static u32 no_gkey_bc_cnt;
530 static u32 no_gkey_mc_cnt;
531
532 if (!psecuritypriv->binstallGrpkey) {
533 res = _FAIL;
534
535 if (start == 0)
536 start = jiffies;
537
538 if (is_broadcast_mac_addr(prxattrib->ra))
539 no_gkey_bc_cnt++;
540 else
541 no_gkey_mc_cnt++;
542
543 if (jiffies_to_msecs(jiffies - start) > 1000) {
544 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
545 netdev_dbg(padapter->pnetdev,
546 FUNC_ADPT_FMT " no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
547 FUNC_ADPT_ARG(padapter),
548 no_gkey_bc_cnt,
549 no_gkey_mc_cnt);
550 }
551 start = jiffies;
552 no_gkey_bc_cnt = 0;
553 no_gkey_mc_cnt = 0;
554 }
555 goto exit;
556 }
557
558 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
559 netdev_dbg(padapter->pnetdev,
560 FUNC_ADPT_FMT " gkey installed. no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
561 FUNC_ADPT_ARG(padapter),
562 no_gkey_bc_cnt,
563 no_gkey_mc_cnt);
564 }
565 start = 0;
566 no_gkey_bc_cnt = 0;
567 no_gkey_mc_cnt = 0;
568
569 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
570 } else {
571 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
572 }
573
574 iv = pframe + prxattrib->hdrlen;
575 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
576 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len;
577
578 GET_TKIP_PN(iv, dot11txpn);
579
580 pnl = (u16)(dot11txpn.val);
581 pnh = (u32)(dot11txpn.val >> 16);
582
583 phase1((u16 *)&ttkey[0], prwskey, &prxattrib->ta[0], pnh);
584 phase2(&rc4key[0], prwskey, (unsigned short *)&ttkey[0], pnl);
585
586 /* 4 decrypt payload include icv */
587
588 arc4_setkey(ctx, rc4key, 16);
589 arc4_crypt(ctx, payload, payload, length);
590
591 *((u32 *)crc) = ~crc32_le(~0, payload, length - 4);
592
593 if (crc[3] != payload[length - 1] || crc[2] != payload[length - 2] ||
594 crc[1] != payload[length - 3] || crc[0] != payload[length - 4])
595 res = _FAIL;
596 } else {
597 res = _FAIL;
598 }
599 }
600 exit:
601 return res;
602 }
603
604
605 /* 3 =====AES related ===== */
606
607
608
609 #define MAX_MSG_SIZE 2048
610
611 /****************************************/
612 /* aes128k128d() */
613 /* Performs a 128 bit AES encrypt with */
614 /* 128 bit data. */
615 /****************************************/
aes128k128d(u8 * key,u8 * data,u8 * ciphertext)616 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext)
617 {
618 struct aes_enckey aes;
619
620 aes_prepareenckey(&aes, key, 16);
621 aes_encrypt(&aes, ciphertext, data);
622 memzero_explicit(&aes, sizeof(aes));
623 }
624
625 /************************************************/
626 /* construct_mic_iv() */
627 /* Builds the MIC IV from header fields and PN */
628 /* Baron think the function is construct CCM */
629 /* nonce */
630 /************************************************/
construct_mic_iv(u8 * mic_iv,signed int qc_exists,signed int a4_exists,u8 * mpdu,uint payload_length,u8 * pn_vector,uint frtype)631 static void construct_mic_iv(u8 *mic_iv,
632 signed int qc_exists,
633 signed int a4_exists,
634 u8 *mpdu,
635 uint payload_length,
636 u8 *pn_vector,
637 uint frtype) /* add for CONFIG_IEEE80211W, none 11w also can use */
638 {
639 signed int i;
640
641 mic_iv[0] = 0x59;
642
643 if (qc_exists && a4_exists)
644 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
645
646 if (qc_exists && !a4_exists)
647 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
648
649 if (!qc_exists)
650 mic_iv[1] = 0x00;
651
652 /* 802.11w management frame should set management bit(4) */
653 if (frtype == WIFI_MGT_TYPE)
654 mic_iv[1] |= BIT(4);
655
656 for (i = 2; i < 8; i++)
657 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
658 #ifdef CONSISTENT_PN_ORDER
659 for (i = 8; i < 14; i++)
660 mic_iv[i] = pn_vector[i - 8]; /* mic_iv[8:13] = PN[0:5] */
661 #else
662 for (i = 8; i < 14; i++)
663 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
664 #endif
665 mic_iv[14] = (unsigned char) (payload_length / 256);
666 mic_iv[15] = (unsigned char) (payload_length % 256);
667 }
668
669 /************************************************/
670 /* construct_mic_header1() */
671 /* Builds the first MIC header block from */
672 /* header fields. */
673 /* Build AAD SC, A1, A2 */
674 /************************************************/
construct_mic_header1(u8 * mic_header1,signed int header_length,u8 * mpdu,uint frtype)675 static void construct_mic_header1(u8 *mic_header1,
676 signed int header_length,
677 u8 *mpdu,
678 uint frtype) /* for CONFIG_IEEE80211W, none 11w also can use */
679 {
680 mic_header1[0] = (u8)((header_length - 2) / 256);
681 mic_header1[1] = (u8)((header_length - 2) % 256);
682
683 /* 802.11w management frame don't AND subtype bits 4, 5, 6 of frame control field */
684 if (frtype == WIFI_MGT_TYPE)
685 mic_header1[2] = mpdu[0];
686 else
687 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
688
689 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
690 mic_header1[4] = mpdu[4]; /* A1 */
691 mic_header1[5] = mpdu[5];
692 mic_header1[6] = mpdu[6];
693 mic_header1[7] = mpdu[7];
694 mic_header1[8] = mpdu[8];
695 mic_header1[9] = mpdu[9];
696 mic_header1[10] = mpdu[10]; /* A2 */
697 mic_header1[11] = mpdu[11];
698 mic_header1[12] = mpdu[12];
699 mic_header1[13] = mpdu[13];
700 mic_header1[14] = mpdu[14];
701 mic_header1[15] = mpdu[15];
702 }
703
704 /************************************************/
705 /* construct_mic_header2() */
706 /* Builds the last MIC header block from */
707 /* header fields. */
708 /************************************************/
construct_mic_header2(u8 * mic_header2,u8 * mpdu,signed int a4_exists,signed int qc_exists)709 static void construct_mic_header2(u8 *mic_header2,
710 u8 *mpdu,
711 signed int a4_exists,
712 signed int qc_exists)
713 {
714 signed int i;
715
716 for (i = 0; i < 16; i++)
717 mic_header2[i] = 0x00;
718
719 mic_header2[0] = mpdu[16]; /* A3 */
720 mic_header2[1] = mpdu[17];
721 mic_header2[2] = mpdu[18];
722 mic_header2[3] = mpdu[19];
723 mic_header2[4] = mpdu[20];
724 mic_header2[5] = mpdu[21];
725
726 mic_header2[6] = 0x00;
727 mic_header2[7] = 0x00; /* mpdu[23]; */
728
729 if (!qc_exists && a4_exists) {
730 for (i = 0; i < 6; i++)
731 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
732 }
733
734 if (qc_exists && !a4_exists) {
735 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
736 mic_header2[9] = mpdu[25] & 0x00;
737 }
738
739 if (qc_exists && a4_exists) {
740 for (i = 0; i < 6; i++)
741 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
742
743 mic_header2[14] = mpdu[30] & 0x0f;
744 mic_header2[15] = mpdu[31] & 0x00;
745 }
746 }
747
748 /************************************************/
749 /* construct_mic_header2() */
750 /* Builds the last MIC header block from */
751 /* header fields. */
752 /* Baron think the function is construct CCM */
753 /* nonce */
754 /************************************************/
construct_ctr_preload(u8 * ctr_preload,signed int a4_exists,signed int qc_exists,u8 * mpdu,u8 * pn_vector,signed int c,uint frtype)755 static void construct_ctr_preload(u8 *ctr_preload,
756 signed int a4_exists,
757 signed int qc_exists,
758 u8 *mpdu,
759 u8 *pn_vector,
760 signed int c,
761 uint frtype) /* for CONFIG_IEEE80211W, none 11w also can use */
762 {
763 signed int i = 0;
764
765 for (i = 0; i < 16; i++)
766 ctr_preload[i] = 0x00;
767 i = 0;
768
769 ctr_preload[0] = 0x01; /* flag */
770 if (qc_exists && a4_exists)
771 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
772 if (qc_exists && !a4_exists)
773 ctr_preload[1] = mpdu[24] & 0x0f;
774
775 /* 802.11w management frame should set management bit(4) */
776 if (frtype == WIFI_MGT_TYPE)
777 ctr_preload[1] |= BIT(4);
778
779 for (i = 2; i < 8; i++)
780 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
781 #ifdef CONSISTENT_PN_ORDER
782 for (i = 8; i < 14; i++)
783 ctr_preload[i] = pn_vector[i - 8]; /* ctr_preload[8:13] = PN[0:5] */
784 #else
785 for (i = 8; i < 14; i++)
786 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
787 #endif
788 ctr_preload[14] = (unsigned char) (c / 256); /* Ctr */
789 ctr_preload[15] = (unsigned char) (c % 256);
790 }
791
aes_cipher(u8 * key,uint hdrlen,u8 * pframe,uint plen)792 static signed int aes_cipher(u8 *key, uint hdrlen,
793 u8 *pframe, uint plen)
794 {
795 uint qc_exists, a4_exists, i, j, payload_remainder,
796 num_blocks, payload_index;
797
798 u8 pn_vector[6];
799 u8 mic_iv[16] = {};
800 u8 mic_header1[16] = {};
801 u8 mic_header2[16] = {};
802 u8 ctr_preload[16] = {};
803
804 /* Intermediate Buffers */
805 u8 chain_buffer[16] = {};
806 u8 aes_out[16] = {};
807 u8 padded_buffer[16] = {};
808 u8 mic[8];
809 uint frtype = GetFrameType(pframe);
810 uint frsubtype = GetFrameSubType(pframe);
811
812 frsubtype = frsubtype >> 4;
813
814 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
815 a4_exists = 0;
816 else
817 a4_exists = 1;
818
819 if (((frtype | frsubtype) == WIFI_DATA_CFACK) ||
820 ((frtype | frsubtype) == WIFI_DATA_CFPOLL) ||
821 ((frtype | frsubtype) == WIFI_DATA_CFACKPOLL)) {
822 qc_exists = 1;
823 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
824 hdrlen += 2;
825
826 } else if ((frtype == WIFI_DATA) && /* add for CONFIG_IEEE80211W, none 11w also can use */
827 ((frsubtype == 0x08) ||
828 (frsubtype == 0x09) ||
829 (frsubtype == 0x0a) ||
830 (frsubtype == 0x0b))) {
831 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
832 hdrlen += 2;
833
834 qc_exists = 1;
835 } else {
836 qc_exists = 0;
837 }
838
839 pn_vector[0] = pframe[hdrlen];
840 pn_vector[1] = pframe[hdrlen + 1];
841 pn_vector[2] = pframe[hdrlen + 4];
842 pn_vector[3] = pframe[hdrlen + 5];
843 pn_vector[4] = pframe[hdrlen + 6];
844 pn_vector[5] = pframe[hdrlen + 7];
845
846 construct_mic_iv(mic_iv,
847 qc_exists,
848 a4_exists,
849 pframe, /* message, */
850 plen,
851 pn_vector,
852 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */
853
854 construct_mic_header1(mic_header1,
855 hdrlen,
856 pframe, /* message */
857 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */
858
859 construct_mic_header2(mic_header2,
860 pframe, /* message, */
861 a4_exists,
862 qc_exists);
863
864 payload_remainder = plen % 16;
865 num_blocks = plen / 16;
866
867 /* Find start of payload */
868 payload_index = (hdrlen + 8);
869
870 /* Calculate MIC */
871 aes128k128d(key, mic_iv, aes_out);
872 crypto_xor_cpy(chain_buffer, aes_out, mic_header1, 16);
873 aes128k128d(key, chain_buffer, aes_out);
874 crypto_xor_cpy(chain_buffer, aes_out, mic_header2, 16);
875 aes128k128d(key, chain_buffer, aes_out);
876
877 for (i = 0; i < num_blocks; i++) {
878 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16);
879
880 payload_index += 16;
881 aes128k128d(key, chain_buffer, aes_out);
882 }
883
884 /* Add on the final payload block if it needs padding */
885 if (payload_remainder > 0) {
886 for (j = 0; j < 16; j++)
887 padded_buffer[j] = 0x00;
888 for (j = 0; j < payload_remainder; j++)
889 padded_buffer[j] = pframe[payload_index++];
890
891 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
892 aes128k128d(key, chain_buffer, aes_out);
893 }
894
895 for (j = 0 ; j < 8; j++)
896 mic[j] = aes_out[j];
897
898 /* Insert MIC into payload */
899 for (j = 0; j < 8; j++)
900 pframe[payload_index + j] = mic[j];
901
902 payload_index = hdrlen + 8;
903 for (i = 0; i < num_blocks; i++) {
904 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */
905 pn_vector, i + 1, frtype);
906 /* add for CONFIG_IEEE80211W, none 11w also can use */
907 aes128k128d(key, ctr_preload, aes_out);
908 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16);
909 for (j = 0; j < 16; j++)
910 pframe[payload_index++] = chain_buffer[j];
911 }
912
913 if (payload_remainder > 0) {
914 /* If there is a short final block, then pad it,*/
915 /* encrypt it and copy the unpadded part back */
916 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */
917 pn_vector, num_blocks + 1, frtype);
918 /* add for CONFIG_IEEE80211W, none 11w also can use */
919
920 for (j = 0; j < 16; j++)
921 padded_buffer[j] = 0x00;
922 for (j = 0; j < payload_remainder; j++)
923 padded_buffer[j] = pframe[payload_index + j];
924
925 aes128k128d(key, ctr_preload, aes_out);
926 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
927 for (j = 0; j < payload_remainder; j++)
928 pframe[payload_index++] = chain_buffer[j];
929 }
930
931 /* Encrypt the MIC */
932 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, /* message, */
933 pn_vector, 0, frtype);
934 /* add for CONFIG_IEEE80211W, none 11w also can use */
935
936 for (j = 0; j < 16; j++)
937 padded_buffer[j] = 0x00;
938 for (j = 0; j < 8; j++)
939 padded_buffer[j] = pframe[j + hdrlen + 8 + plen];
940
941 aes128k128d(key, ctr_preload, aes_out);
942 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
943 for (j = 0; j < 8; j++)
944 pframe[payload_index++] = chain_buffer[j];
945
946 return _SUCCESS;
947 }
948
rtw_aes_encrypt(struct adapter * padapter,u8 * pxmitframe)949 u32 rtw_aes_encrypt(struct adapter *padapter, u8 *pxmitframe)
950 { /* exclude ICV */
951
952 /*static*/
953 /* unsigned char message[MAX_MSG_SIZE]; */
954
955 /* Intermediate Buffers */
956 signed int curfragnum, length;
957 u8 *pframe, *prwskey; /* *payload,*iv */
958 u8 hw_hdr_offset = 0;
959 struct pkt_attrib *pattrib = &((struct xmit_frame *)pxmitframe)->attrib;
960 struct security_priv *psecuritypriv = &padapter->securitypriv;
961 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
962
963 u32 res = _SUCCESS;
964
965 if (!((struct xmit_frame *)pxmitframe)->buf_addr)
966 return _FAIL;
967
968 hw_hdr_offset = TXDESC_OFFSET;
969 pframe = ((struct xmit_frame *)pxmitframe)->buf_addr + hw_hdr_offset;
970
971 /* 4 start to encrypt each fragment */
972 if (pattrib->encrypt == _AES_) {
973 if (is_multicast_ether_addr(pattrib->ra))
974 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
975 else
976 prwskey = pattrib->dot118021x_UncstKey.skey;
977
978 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
979 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
980 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
981
982 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
983 } else {
984 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
985
986 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
987 pframe += pxmitpriv->frag_len;
988 pframe = (u8 *)round_up((SIZE_PTR)(pframe), 4);
989 }
990 }
991 }
992 return res;
993 }
994
aes_decipher(u8 * key,uint hdrlen,u8 * pframe,uint plen)995 static signed int aes_decipher(u8 *key, uint hdrlen,
996 u8 *pframe, uint plen)
997 {
998 static u8 message[MAX_MSG_SIZE];
999 uint qc_exists, a4_exists, i, j, payload_remainder,
1000 num_blocks, payload_index;
1001 signed int res = _SUCCESS;
1002 u8 pn_vector[6];
1003 u8 mic_iv[16] = {};
1004 u8 mic_header1[16] = {};
1005 u8 mic_header2[16] = {};
1006 u8 ctr_preload[16] = {};
1007
1008 /* Intermediate Buffers */
1009 u8 chain_buffer[16] = {};
1010 u8 aes_out[16] = {};
1011 u8 padded_buffer[16] = {};
1012 u8 mic[8];
1013
1014 uint frtype = GetFrameType(pframe);
1015 uint frsubtype = GetFrameSubType(pframe);
1016
1017 frsubtype = frsubtype >> 4;
1018
1019 /* start to decrypt the payload */
1020
1021 num_blocks = (plen - 8) / 16; /* plen including LLC, payload_length and mic) */
1022
1023 payload_remainder = (plen - 8) % 16;
1024
1025 pn_vector[0] = pframe[hdrlen];
1026 pn_vector[1] = pframe[hdrlen + 1];
1027 pn_vector[2] = pframe[hdrlen + 4];
1028 pn_vector[3] = pframe[hdrlen + 5];
1029 pn_vector[4] = pframe[hdrlen + 6];
1030 pn_vector[5] = pframe[hdrlen + 7];
1031
1032 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
1033 a4_exists = 0;
1034 else
1035 a4_exists = 1;
1036
1037 if (((frtype | frsubtype) == WIFI_DATA_CFACK) ||
1038 ((frtype | frsubtype) == WIFI_DATA_CFPOLL) ||
1039 ((frtype | frsubtype) == WIFI_DATA_CFACKPOLL)) {
1040 qc_exists = 1;
1041 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1042 hdrlen += 2;
1043
1044 } else if ((frtype == WIFI_DATA) && /* only for data packet . add for CONFIG_IEEE80211W, none 11w also can use */
1045 ((frsubtype == 0x08) ||
1046 (frsubtype == 0x09) ||
1047 (frsubtype == 0x0a) ||
1048 (frsubtype == 0x0b))) {
1049 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1050 hdrlen += 2;
1051
1052 qc_exists = 1;
1053 } else {
1054 qc_exists = 0;
1055 }
1056
1057 /* now, decrypt pframe with hdrlen offset and plen long */
1058
1059 payload_index = hdrlen + 8; /* 8 is for extiv */
1060
1061 for (i = 0; i < num_blocks; i++) {
1062 construct_ctr_preload(ctr_preload, a4_exists,
1063 qc_exists, pframe,
1064 pn_vector, i + 1,
1065 frtype); /* add for CONFIG_IEEE80211W, none 11w also can use */
1066
1067 aes128k128d(key, ctr_preload, aes_out);
1068 crypto_xor_cpy(chain_buffer, aes_out, &pframe[payload_index], 16);
1069
1070 for (j = 0; j < 16; j++)
1071 pframe[payload_index++] = chain_buffer[j];
1072 }
1073
1074 if (payload_remainder > 0) {
1075 /* If there is a short final block, then pad it,*/
1076 /* encrypt it and copy the unpadded part back */
1077 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector,
1078 num_blocks + 1, frtype);
1079 /* add for CONFIG_IEEE80211W, none 11w also can use */
1080
1081 for (j = 0; j < 16; j++)
1082 padded_buffer[j] = 0x00;
1083 for (j = 0; j < payload_remainder; j++)
1084 padded_buffer[j] = pframe[payload_index + j];
1085
1086 aes128k128d(key, ctr_preload, aes_out);
1087 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
1088 for (j = 0; j < payload_remainder; j++)
1089 pframe[payload_index++] = chain_buffer[j];
1090 }
1091
1092 /* start to calculate the mic */
1093 if ((hdrlen + plen + 8) <= MAX_MSG_SIZE)
1094 memcpy((void *)message, pframe, (hdrlen + plen + 8)); /* 8 is for ext iv len */
1095
1096 pn_vector[0] = pframe[hdrlen];
1097 pn_vector[1] = pframe[hdrlen + 1];
1098 pn_vector[2] = pframe[hdrlen + 4];
1099 pn_vector[3] = pframe[hdrlen + 5];
1100 pn_vector[4] = pframe[hdrlen + 6];
1101 pn_vector[5] = pframe[hdrlen + 7];
1102
1103 construct_mic_iv(mic_iv, qc_exists, a4_exists, message, plen - 8, pn_vector, frtype);
1104 /* add for CONFIG_IEEE80211W, none 11w also can use */
1105
1106 construct_mic_header1(mic_header1, hdrlen, message, frtype);
1107 /* add for CONFIG_IEEE80211W, none 11w also can use */
1108 construct_mic_header2(mic_header2, message, a4_exists, qc_exists);
1109
1110 payload_remainder = (plen - 8) % 16;
1111 num_blocks = (plen - 8) / 16;
1112
1113 /* Find start of payload */
1114 payload_index = (hdrlen + 8);
1115
1116 /* Calculate MIC */
1117 aes128k128d(key, mic_iv, aes_out);
1118 crypto_xor_cpy(chain_buffer, aes_out, mic_header1, 16);
1119 aes128k128d(key, chain_buffer, aes_out);
1120 crypto_xor_cpy(chain_buffer, aes_out, mic_header2, 16);
1121 aes128k128d(key, chain_buffer, aes_out);
1122
1123 for (i = 0; i < num_blocks; i++) {
1124 crypto_xor_cpy(chain_buffer, aes_out, &message[payload_index], 16);
1125
1126 payload_index += 16;
1127 aes128k128d(key, chain_buffer, aes_out);
1128 }
1129
1130 /* Add on the final payload block if it needs padding */
1131 if (payload_remainder > 0) {
1132 for (j = 0; j < 16; j++)
1133 padded_buffer[j] = 0x00;
1134 for (j = 0; j < payload_remainder; j++)
1135 padded_buffer[j] = message[payload_index++];
1136
1137 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
1138 aes128k128d(key, chain_buffer, aes_out);
1139 }
1140
1141 for (j = 0; j < 8; j++)
1142 mic[j] = aes_out[j];
1143
1144 /* Insert MIC into payload */
1145 for (j = 0; j < 8; j++)
1146 message[payload_index + j] = mic[j];
1147
1148 payload_index = hdrlen + 8;
1149 for (i = 0; i < num_blocks; i++) {
1150 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, i + 1,
1151 frtype);
1152 /* add for CONFIG_IEEE80211W, none 11w also can use */
1153 aes128k128d(key, ctr_preload, aes_out);
1154 crypto_xor_cpy(chain_buffer, aes_out, &message[payload_index], 16);
1155 for (j = 0; j < 16; j++)
1156 message[payload_index++] = chain_buffer[j];
1157 }
1158
1159 if (payload_remainder > 0) {
1160 /* If there is a short final block, then pad it,*/
1161 /* encrypt it and copy the unpadded part back */
1162 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector,
1163 num_blocks + 1, frtype);
1164 /* add for CONFIG_IEEE80211W, none 11w also can use */
1165
1166 for (j = 0; j < 16; j++)
1167 padded_buffer[j] = 0x00;
1168 for (j = 0; j < payload_remainder; j++)
1169 padded_buffer[j] = message[payload_index + j];
1170
1171 aes128k128d(key, ctr_preload, aes_out);
1172 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
1173 for (j = 0; j < payload_remainder; j++)
1174 message[payload_index++] = chain_buffer[j];
1175 }
1176
1177 /* Encrypt the MIC */
1178 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, 0, frtype);
1179 /* add for CONFIG_IEEE80211W, none 11w also can use */
1180
1181 for (j = 0; j < 16; j++)
1182 padded_buffer[j] = 0x00;
1183 for (j = 0; j < 8; j++)
1184 padded_buffer[j] = message[j + hdrlen + 8 + plen - 8];
1185
1186 aes128k128d(key, ctr_preload, aes_out);
1187 crypto_xor_cpy(chain_buffer, aes_out, padded_buffer, 16);
1188 for (j = 0; j < 8; j++)
1189 message[payload_index++] = chain_buffer[j];
1190
1191 /* compare the mic */
1192 for (i = 0; i < 8; i++) {
1193 if (pframe[hdrlen + 8 + plen - 8 + i] != message[hdrlen + 8 + plen - 8 + i])
1194 res = _FAIL;
1195 }
1196 return res;
1197 }
1198
rtw_aes_decrypt(struct adapter * padapter,u8 * precvframe)1199 u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
1200 { /* exclude ICV */
1201
1202 /*static*/
1203 /* unsigned char message[MAX_MSG_SIZE]; */
1204
1205 /* Intermediate Buffers */
1206
1207 signed int length;
1208 u8 *pframe, *prwskey; /* *payload,*iv */
1209 struct sta_info *stainfo;
1210 struct rx_pkt_attrib *prxattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
1211 struct security_priv *psecuritypriv = &padapter->securitypriv;
1212 u32 res = _SUCCESS;
1213
1214 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
1215 /* 4 start to encrypt each fragment */
1216 if (prxattrib->encrypt == _AES_) {
1217 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
1218 if (stainfo) {
1219 if (is_multicast_ether_addr(prxattrib->ra)) {
1220 static unsigned long start;
1221 static u32 no_gkey_bc_cnt;
1222 static u32 no_gkey_mc_cnt;
1223
1224 if (!psecuritypriv->binstallGrpkey) {
1225 res = _FAIL;
1226
1227 if (start == 0)
1228 start = jiffies;
1229
1230 if (is_broadcast_mac_addr(prxattrib->ra))
1231 no_gkey_bc_cnt++;
1232 else
1233 no_gkey_mc_cnt++;
1234
1235 if (jiffies_to_msecs(jiffies - start) > 1000) {
1236 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
1237 netdev_dbg(padapter->pnetdev,
1238 FUNC_ADPT_FMT " no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
1239 FUNC_ADPT_ARG(padapter),
1240 no_gkey_bc_cnt,
1241 no_gkey_mc_cnt);
1242 }
1243 start = jiffies;
1244 no_gkey_bc_cnt = 0;
1245 no_gkey_mc_cnt = 0;
1246 }
1247
1248 goto exit;
1249 }
1250
1251 if (no_gkey_bc_cnt || no_gkey_mc_cnt) {
1252 netdev_dbg(padapter->pnetdev,
1253 FUNC_ADPT_FMT " gkey installed. no_gkey_bc_cnt:%u, no_gkey_mc_cnt:%u\n",
1254 FUNC_ADPT_ARG(padapter),
1255 no_gkey_bc_cnt,
1256 no_gkey_mc_cnt);
1257 }
1258 start = 0;
1259 no_gkey_bc_cnt = 0;
1260 no_gkey_mc_cnt = 0;
1261
1262 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
1263 if (psecuritypriv->dot118021XGrpKeyid != prxattrib->key_index) {
1264 res = _FAIL;
1265 goto exit;
1266 }
1267 } else {
1268 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
1269 }
1270
1271 length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len;
1272
1273 res = aes_decipher(prwskey, prxattrib->hdrlen, pframe, length);
1274
1275 } else {
1276 res = _FAIL;
1277 }
1278 }
1279 exit:
1280 return res;
1281 }
1282
rtw_BIP_verify(struct adapter * padapter,u8 * precvframe)1283 u32 rtw_BIP_verify(struct adapter *padapter, u8 *precvframe)
1284 {
1285 struct rx_pkt_attrib *pattrib = &((union recv_frame *)precvframe)->u.hdr.attrib;
1286 u8 *pframe;
1287 u8 *BIP_AAD, *p;
1288 u32 res = _FAIL;
1289 uint len, ori_len;
1290 struct ieee80211_hdr *pwlanhdr;
1291 u8 mic[16];
1292 struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv;
1293 __le16 le_tmp;
1294 __le64 le_tmp64;
1295
1296 ori_len = pattrib->pkt_len - WLAN_HDR_A3_LEN + BIP_AAD_SIZE;
1297 BIP_AAD = kzalloc(ori_len, GFP_KERNEL);
1298 if (!BIP_AAD)
1299 return _FAIL;
1300
1301 /* PKT start */
1302 pframe = (unsigned char *)((union recv_frame *)precvframe)->u.hdr.rx_data;
1303 /* mapping to wlan header */
1304 pwlanhdr = (struct ieee80211_hdr *)pframe;
1305 /* save the frame body + MME */
1306 memcpy(BIP_AAD + BIP_AAD_SIZE, pframe + WLAN_HDR_A3_LEN, pattrib->pkt_len - WLAN_HDR_A3_LEN);
1307 /* find MME IE pointer */
1308 p = rtw_get_ie(BIP_AAD + BIP_AAD_SIZE, WLAN_EID_MMIE, &len, pattrib->pkt_len - WLAN_HDR_A3_LEN);
1309 /* Baron */
1310 if (p) {
1311 u16 keyid = 0;
1312 u64 temp_ipn = 0;
1313 /* save packet number */
1314 memcpy(&le_tmp64, p + 4, 6);
1315 temp_ipn = le64_to_cpu(le_tmp64);
1316 /* BIP packet number should bigger than previous BIP packet */
1317 if (temp_ipn <= pmlmeext->mgnt_80211w_IPN_rx)
1318 goto BIP_exit;
1319
1320 /* copy key index */
1321 memcpy(&le_tmp, p + 2, 2);
1322 keyid = le16_to_cpu(le_tmp);
1323 if (keyid != padapter->securitypriv.dot11wBIPKeyid)
1324 goto BIP_exit;
1325
1326 /* clear the MIC field of MME to zero */
1327 memset(p + 2 + len - 8, 0, 8);
1328
1329 /* conscruct AAD, copy frame control field */
1330 memcpy(BIP_AAD, &pwlanhdr->frame_control, 2);
1331 ClearRetry(BIP_AAD);
1332 ClearPwrMgt(BIP_AAD);
1333 ClearMData(BIP_AAD);
1334 /* conscruct AAD, copy address 1 to address 3 */
1335 memcpy(BIP_AAD + 2, &pwlanhdr->addrs, sizeof(pwlanhdr->addrs));
1336
1337 if (omac1_aes_128(padapter->securitypriv.dot11wBIPKey[padapter->securitypriv.dot11wBIPKeyid].skey
1338 , BIP_AAD, ori_len, mic))
1339 goto BIP_exit;
1340
1341 /* MIC field should be last 8 bytes of packet (packet without FCS) */
1342 if (!memcmp(mic, pframe+pattrib->pkt_len-8, 8)) {
1343 pmlmeext->mgnt_80211w_IPN_rx = temp_ipn;
1344 res = _SUCCESS;
1345 } else {
1346 }
1347
1348 } else {
1349 res = RTW_RX_HANDLED;
1350 }
1351 BIP_exit:
1352
1353 kfree(BIP_AAD);
1354 return res;
1355 }
1356
gf_mulx(u8 * pad)1357 static void gf_mulx(u8 *pad)
1358 {
1359 int i, carry;
1360
1361 carry = pad[0] & 0x80;
1362 for (i = 0; i < AES_BLOCK_SIZE - 1; i++)
1363 pad[i] = (pad[i] << 1) | (pad[i + 1] >> 7);
1364
1365 pad[AES_BLOCK_SIZE - 1] <<= 1;
1366 if (carry)
1367 pad[AES_BLOCK_SIZE - 1] ^= 0x87;
1368 }
1369
1370 /**
1371 * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128
1372 * @key: 128-bit key for the hash operation
1373 * @num_elem: Number of elements in the data vector
1374 * @addr: Pointers to the data areas
1375 * @len: Lengths of the data blocks
1376 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
1377 * Returns: 0 on success, -1 on failure
1378 *
1379 * This is a mode for using block cipher (AES in this case) for authentication.
1380 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
1381 * (SP) 800-38B.
1382 */
omac1_aes_128_vector(u8 * key,size_t num_elem,u8 * addr[],size_t * len,u8 * mac)1383 static int omac1_aes_128_vector(u8 *key, size_t num_elem,
1384 u8 *addr[], size_t *len, u8 *mac)
1385 {
1386 struct aes_enckey aes;
1387 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE];
1388 u8 *pos, *end;
1389 size_t i, e, left, total_len;
1390 int ret;
1391
1392 ret = aes_prepareenckey(&aes, key, 16);
1393 if (ret)
1394 return -1;
1395 memset(cbc, 0, AES_BLOCK_SIZE);
1396
1397 total_len = 0;
1398 for (e = 0; e < num_elem; e++)
1399 total_len += len[e];
1400 left = total_len;
1401
1402 e = 0;
1403 pos = addr[0];
1404 end = pos + len[0];
1405
1406 while (left >= AES_BLOCK_SIZE) {
1407 for (i = 0; i < AES_BLOCK_SIZE; i++) {
1408 cbc[i] ^= *pos++;
1409 if (pos >= end) {
1410 e++;
1411 pos = addr[e];
1412 end = pos + len[e];
1413 }
1414 }
1415 if (left > AES_BLOCK_SIZE)
1416 aes_encrypt(&aes, cbc, cbc);
1417 left -= AES_BLOCK_SIZE;
1418 }
1419
1420 memset(pad, 0, AES_BLOCK_SIZE);
1421 aes_encrypt(&aes, pad, pad);
1422 gf_mulx(pad);
1423
1424 if (left || total_len == 0) {
1425 for (i = 0; i < left; i++) {
1426 cbc[i] ^= *pos++;
1427 if (pos >= end) {
1428 e++;
1429 pos = addr[e];
1430 end = pos + len[e];
1431 }
1432 }
1433 cbc[left] ^= 0x80;
1434 gf_mulx(pad);
1435 }
1436
1437 for (i = 0; i < AES_BLOCK_SIZE; i++)
1438 pad[i] ^= cbc[i];
1439 aes_encrypt(&aes, pad, mac);
1440 memzero_explicit(&aes, sizeof(aes));
1441 return 0;
1442 }
1443
1444 /**
1445 * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC)
1446 * @key: 128-bit key for the hash operation
1447 * @data: Data buffer for which a MAC is determined
1448 * @data_len: Length of data buffer in bytes
1449 * @mac: Buffer for MAC (128 bits, i.e., 16 bytes)
1450 * Returns: 0 on success, -1 on failure
1451 *
1452 * This is a mode for using block cipher (AES in this case) for authentication.
1453 * OMAC1 was standardized with the name CMAC by NIST in a Special Publication
1454 * (SP) 800-38B.
1455 * modify for CONFIG_IEEE80211W
1456 */
omac1_aes_128(u8 * key,u8 * data,size_t data_len,u8 * mac)1457 int omac1_aes_128(u8 *key, u8 *data, size_t data_len, u8 *mac)
1458 {
1459 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1460 }
1461
1462 /* Restore HW wep key setting according to key_mask */
rtw_sec_restore_wep_key(struct adapter * adapter)1463 void rtw_sec_restore_wep_key(struct adapter *adapter)
1464 {
1465 struct security_priv *securitypriv = &(adapter->securitypriv);
1466 signed int keyid;
1467
1468 if ((securitypriv->dot11PrivacyAlgrthm == _WEP40_) || (securitypriv->dot11PrivacyAlgrthm == _WEP104_)) {
1469 for (keyid = 0; keyid < 4; keyid++) {
1470 if (securitypriv->key_mask & BIT(keyid)) {
1471 if (keyid == securitypriv->dot11PrivacyKeyIndex)
1472 rtw_set_key(adapter, securitypriv, keyid, 1, false);
1473 else
1474 rtw_set_key(adapter, securitypriv, keyid, 0, false);
1475 }
1476 }
1477 }
1478 }
1479
rtw_handle_tkip_countermeasure(struct adapter * adapter,const char * caller)1480 u8 rtw_handle_tkip_countermeasure(struct adapter *adapter, const char *caller)
1481 {
1482 struct security_priv *securitypriv = &(adapter->securitypriv);
1483 u8 status = _SUCCESS;
1484
1485 if (securitypriv->btkip_countermeasure) {
1486 unsigned long passing_ms = jiffies_to_msecs(jiffies - securitypriv->btkip_countermeasure_time);
1487
1488 if (passing_ms > 60 * 1000) {
1489 netdev_dbg(adapter->pnetdev,
1490 "%s(%s) countermeasure time:%lus > 60s\n",
1491 caller, ADPT_ARG(adapter),
1492 passing_ms / 1000);
1493 securitypriv->btkip_countermeasure = false;
1494 securitypriv->btkip_countermeasure_time = 0;
1495 } else {
1496 netdev_dbg(adapter->pnetdev,
1497 "%s(%s) countermeasure time:%lus < 60s\n",
1498 caller, ADPT_ARG(adapter),
1499 passing_ms / 1000);
1500 status = _FAIL;
1501 }
1502 }
1503
1504 return status;
1505 }
1506