xref: /openbmc/linux/net/wireless/lib80211_crypt_tkip.c (revision 023e41632e065d49bcbe31b3c4b336217f96a271)
1 /*
2  * lib80211 crypt: host-based TKIP encryption implementation for lib80211
3  *
4  * Copyright (c) 2003-2004, Jouni Malinen <j@w1.fi>
5  * Copyright (c) 2008, John W. Linville <linville@tuxdriver.com>
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation. See README and COPYING for
10  * more details.
11  */
12 
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14 
15 #include <linux/err.h>
16 #include <linux/module.h>
17 #include <linux/init.h>
18 #include <linux/slab.h>
19 #include <linux/random.h>
20 #include <linux/scatterlist.h>
21 #include <linux/skbuff.h>
22 #include <linux/netdevice.h>
23 #include <linux/mm.h>
24 #include <linux/if_ether.h>
25 #include <linux/if_arp.h>
26 #include <asm/string.h>
27 
28 #include <linux/wireless.h>
29 #include <linux/ieee80211.h>
30 #include <net/iw_handler.h>
31 
32 #include <crypto/hash.h>
33 #include <linux/crypto.h>
34 #include <linux/crc32.h>
35 
36 #include <net/lib80211.h>
37 
38 MODULE_AUTHOR("Jouni Malinen");
39 MODULE_DESCRIPTION("lib80211 crypt: TKIP");
40 MODULE_LICENSE("GPL");
41 
42 #define TKIP_HDR_LEN 8
43 
44 struct lib80211_tkip_data {
45 #define TKIP_KEY_LEN 32
46 	u8 key[TKIP_KEY_LEN];
47 	int key_set;
48 
49 	u32 tx_iv32;
50 	u16 tx_iv16;
51 	u16 tx_ttak[5];
52 	int tx_phase1_done;
53 
54 	u32 rx_iv32;
55 	u16 rx_iv16;
56 	u16 rx_ttak[5];
57 	int rx_phase1_done;
58 	u32 rx_iv32_new;
59 	u16 rx_iv16_new;
60 
61 	u32 dot11RSNAStatsTKIPReplays;
62 	u32 dot11RSNAStatsTKIPICVErrors;
63 	u32 dot11RSNAStatsTKIPLocalMICFailures;
64 
65 	int key_idx;
66 
67 	struct crypto_cipher *rx_tfm_arc4;
68 	struct crypto_shash *rx_tfm_michael;
69 	struct crypto_cipher *tx_tfm_arc4;
70 	struct crypto_shash *tx_tfm_michael;
71 
72 	/* scratch buffers for virt_to_page() (crypto API) */
73 	u8 rx_hdr[16], tx_hdr[16];
74 
75 	unsigned long flags;
76 };
77 
78 static unsigned long lib80211_tkip_set_flags(unsigned long flags, void *priv)
79 {
80 	struct lib80211_tkip_data *_priv = priv;
81 	unsigned long old_flags = _priv->flags;
82 	_priv->flags = flags;
83 	return old_flags;
84 }
85 
86 static unsigned long lib80211_tkip_get_flags(void *priv)
87 {
88 	struct lib80211_tkip_data *_priv = priv;
89 	return _priv->flags;
90 }
91 
92 static void *lib80211_tkip_init(int key_idx)
93 {
94 	struct lib80211_tkip_data *priv;
95 
96 	priv = kzalloc(sizeof(*priv), GFP_ATOMIC);
97 	if (priv == NULL)
98 		goto fail;
99 
100 	priv->key_idx = key_idx;
101 
102 	priv->tx_tfm_arc4 = crypto_alloc_cipher("arc4", 0, 0);
103 	if (IS_ERR(priv->tx_tfm_arc4)) {
104 		priv->tx_tfm_arc4 = NULL;
105 		goto fail;
106 	}
107 
108 	priv->tx_tfm_michael = crypto_alloc_shash("michael_mic", 0, 0);
109 	if (IS_ERR(priv->tx_tfm_michael)) {
110 		priv->tx_tfm_michael = NULL;
111 		goto fail;
112 	}
113 
114 	priv->rx_tfm_arc4 = crypto_alloc_cipher("arc4", 0, 0);
115 	if (IS_ERR(priv->rx_tfm_arc4)) {
116 		priv->rx_tfm_arc4 = NULL;
117 		goto fail;
118 	}
119 
120 	priv->rx_tfm_michael = crypto_alloc_shash("michael_mic", 0, 0);
121 	if (IS_ERR(priv->rx_tfm_michael)) {
122 		priv->rx_tfm_michael = NULL;
123 		goto fail;
124 	}
125 
126 	return priv;
127 
128       fail:
129 	if (priv) {
130 		crypto_free_shash(priv->tx_tfm_michael);
131 		crypto_free_cipher(priv->tx_tfm_arc4);
132 		crypto_free_shash(priv->rx_tfm_michael);
133 		crypto_free_cipher(priv->rx_tfm_arc4);
134 		kfree(priv);
135 	}
136 
137 	return NULL;
138 }
139 
140 static void lib80211_tkip_deinit(void *priv)
141 {
142 	struct lib80211_tkip_data *_priv = priv;
143 	if (_priv) {
144 		crypto_free_shash(_priv->tx_tfm_michael);
145 		crypto_free_cipher(_priv->tx_tfm_arc4);
146 		crypto_free_shash(_priv->rx_tfm_michael);
147 		crypto_free_cipher(_priv->rx_tfm_arc4);
148 	}
149 	kfree(priv);
150 }
151 
152 static inline u16 RotR1(u16 val)
153 {
154 	return (val >> 1) | (val << 15);
155 }
156 
157 static inline u8 Lo8(u16 val)
158 {
159 	return val & 0xff;
160 }
161 
162 static inline u8 Hi8(u16 val)
163 {
164 	return val >> 8;
165 }
166 
167 static inline u16 Lo16(u32 val)
168 {
169 	return val & 0xffff;
170 }
171 
172 static inline u16 Hi16(u32 val)
173 {
174 	return val >> 16;
175 }
176 
177 static inline u16 Mk16(u8 hi, u8 lo)
178 {
179 	return lo | (((u16) hi) << 8);
180 }
181 
182 static inline u16 Mk16_le(__le16 * v)
183 {
184 	return le16_to_cpu(*v);
185 }
186 
187 static const u16 Sbox[256] = {
188 	0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
189 	0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
190 	0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
191 	0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
192 	0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
193 	0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
194 	0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
195 	0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
196 	0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
197 	0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
198 	0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
199 	0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
200 	0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
201 	0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
202 	0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
203 	0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
204 	0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
205 	0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
206 	0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
207 	0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
208 	0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
209 	0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
210 	0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
211 	0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
212 	0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
213 	0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
214 	0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
215 	0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
216 	0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
217 	0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
218 	0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
219 	0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
220 };
221 
222 static inline u16 _S_(u16 v)
223 {
224 	u16 t = Sbox[Hi8(v)];
225 	return Sbox[Lo8(v)] ^ ((t << 8) | (t >> 8));
226 }
227 
228 #define PHASE1_LOOP_COUNT 8
229 
230 static void tkip_mixing_phase1(u16 * TTAK, const u8 * TK, const u8 * TA,
231 			       u32 IV32)
232 {
233 	int i, j;
234 
235 	/* Initialize the 80-bit TTAK from TSC (IV32) and TA[0..5] */
236 	TTAK[0] = Lo16(IV32);
237 	TTAK[1] = Hi16(IV32);
238 	TTAK[2] = Mk16(TA[1], TA[0]);
239 	TTAK[3] = Mk16(TA[3], TA[2]);
240 	TTAK[4] = Mk16(TA[5], TA[4]);
241 
242 	for (i = 0; i < PHASE1_LOOP_COUNT; i++) {
243 		j = 2 * (i & 1);
244 		TTAK[0] += _S_(TTAK[4] ^ Mk16(TK[1 + j], TK[0 + j]));
245 		TTAK[1] += _S_(TTAK[0] ^ Mk16(TK[5 + j], TK[4 + j]));
246 		TTAK[2] += _S_(TTAK[1] ^ Mk16(TK[9 + j], TK[8 + j]));
247 		TTAK[3] += _S_(TTAK[2] ^ Mk16(TK[13 + j], TK[12 + j]));
248 		TTAK[4] += _S_(TTAK[3] ^ Mk16(TK[1 + j], TK[0 + j])) + i;
249 	}
250 }
251 
252 static void tkip_mixing_phase2(u8 * WEPSeed, const u8 * TK, const u16 * TTAK,
253 			       u16 IV16)
254 {
255 	/* Make temporary area overlap WEP seed so that the final copy can be
256 	 * avoided on little endian hosts. */
257 	u16 *PPK = (u16 *) & WEPSeed[4];
258 
259 	/* Step 1 - make copy of TTAK and bring in TSC */
260 	PPK[0] = TTAK[0];
261 	PPK[1] = TTAK[1];
262 	PPK[2] = TTAK[2];
263 	PPK[3] = TTAK[3];
264 	PPK[4] = TTAK[4];
265 	PPK[5] = TTAK[4] + IV16;
266 
267 	/* Step 2 - 96-bit bijective mixing using S-box */
268 	PPK[0] += _S_(PPK[5] ^ Mk16_le((__le16 *) & TK[0]));
269 	PPK[1] += _S_(PPK[0] ^ Mk16_le((__le16 *) & TK[2]));
270 	PPK[2] += _S_(PPK[1] ^ Mk16_le((__le16 *) & TK[4]));
271 	PPK[3] += _S_(PPK[2] ^ Mk16_le((__le16 *) & TK[6]));
272 	PPK[4] += _S_(PPK[3] ^ Mk16_le((__le16 *) & TK[8]));
273 	PPK[5] += _S_(PPK[4] ^ Mk16_le((__le16 *) & TK[10]));
274 
275 	PPK[0] += RotR1(PPK[5] ^ Mk16_le((__le16 *) & TK[12]));
276 	PPK[1] += RotR1(PPK[0] ^ Mk16_le((__le16 *) & TK[14]));
277 	PPK[2] += RotR1(PPK[1]);
278 	PPK[3] += RotR1(PPK[2]);
279 	PPK[4] += RotR1(PPK[3]);
280 	PPK[5] += RotR1(PPK[4]);
281 
282 	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
283 	 * WEPSeed[0..2] is transmitted as WEP IV */
284 	WEPSeed[0] = Hi8(IV16);
285 	WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
286 	WEPSeed[2] = Lo8(IV16);
287 	WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((__le16 *) & TK[0])) >> 1);
288 
289 #ifdef __BIG_ENDIAN
290 	{
291 		int i;
292 		for (i = 0; i < 6; i++)
293 			PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
294 	}
295 #endif
296 }
297 
298 static int lib80211_tkip_hdr(struct sk_buff *skb, int hdr_len,
299 			      u8 * rc4key, int keylen, void *priv)
300 {
301 	struct lib80211_tkip_data *tkey = priv;
302 	u8 *pos;
303 	struct ieee80211_hdr *hdr;
304 
305 	hdr = (struct ieee80211_hdr *)skb->data;
306 
307 	if (skb_headroom(skb) < TKIP_HDR_LEN || skb->len < hdr_len)
308 		return -1;
309 
310 	if (rc4key == NULL || keylen < 16)
311 		return -1;
312 
313 	if (!tkey->tx_phase1_done) {
314 		tkip_mixing_phase1(tkey->tx_ttak, tkey->key, hdr->addr2,
315 				   tkey->tx_iv32);
316 		tkey->tx_phase1_done = 1;
317 	}
318 	tkip_mixing_phase2(rc4key, tkey->key, tkey->tx_ttak, tkey->tx_iv16);
319 
320 	pos = skb_push(skb, TKIP_HDR_LEN);
321 	memmove(pos, pos + TKIP_HDR_LEN, hdr_len);
322 	pos += hdr_len;
323 
324 	*pos++ = *rc4key;
325 	*pos++ = *(rc4key + 1);
326 	*pos++ = *(rc4key + 2);
327 	*pos++ = (tkey->key_idx << 6) | (1 << 5) /* Ext IV included */ ;
328 	*pos++ = tkey->tx_iv32 & 0xff;
329 	*pos++ = (tkey->tx_iv32 >> 8) & 0xff;
330 	*pos++ = (tkey->tx_iv32 >> 16) & 0xff;
331 	*pos++ = (tkey->tx_iv32 >> 24) & 0xff;
332 
333 	tkey->tx_iv16++;
334 	if (tkey->tx_iv16 == 0) {
335 		tkey->tx_phase1_done = 0;
336 		tkey->tx_iv32++;
337 	}
338 
339 	return TKIP_HDR_LEN;
340 }
341 
342 static int lib80211_tkip_encrypt(struct sk_buff *skb, int hdr_len, void *priv)
343 {
344 	struct lib80211_tkip_data *tkey = priv;
345 	int len;
346 	u8 rc4key[16], *pos, *icv;
347 	u32 crc;
348 	int i;
349 
350 	if (tkey->flags & IEEE80211_CRYPTO_TKIP_COUNTERMEASURES) {
351 		struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
352 		net_dbg_ratelimited("TKIP countermeasures: dropped TX packet to %pM\n",
353 				    hdr->addr1);
354 		return -1;
355 	}
356 
357 	if (skb_tailroom(skb) < 4 || skb->len < hdr_len)
358 		return -1;
359 
360 	len = skb->len - hdr_len;
361 	pos = skb->data + hdr_len;
362 
363 	if ((lib80211_tkip_hdr(skb, hdr_len, rc4key, 16, priv)) < 0)
364 		return -1;
365 
366 	crc = ~crc32_le(~0, pos, len);
367 	icv = skb_put(skb, 4);
368 	icv[0] = crc;
369 	icv[1] = crc >> 8;
370 	icv[2] = crc >> 16;
371 	icv[3] = crc >> 24;
372 
373 	crypto_cipher_setkey(tkey->tx_tfm_arc4, rc4key, 16);
374 	for (i = 0; i < len + 4; i++)
375 		crypto_cipher_encrypt_one(tkey->tx_tfm_arc4, pos + i, pos + i);
376 	return 0;
377 }
378 
379 /*
380  * deal with seq counter wrapping correctly.
381  * refer to timer_after() for jiffies wrapping handling
382  */
383 static inline int tkip_replay_check(u32 iv32_n, u16 iv16_n,
384 				    u32 iv32_o, u16 iv16_o)
385 {
386 	if ((s32)iv32_n - (s32)iv32_o < 0 ||
387 	    (iv32_n == iv32_o && iv16_n <= iv16_o))
388 		return 1;
389 	return 0;
390 }
391 
392 static int lib80211_tkip_decrypt(struct sk_buff *skb, int hdr_len, void *priv)
393 {
394 	struct lib80211_tkip_data *tkey = priv;
395 	u8 rc4key[16];
396 	u8 keyidx, *pos;
397 	u32 iv32;
398 	u16 iv16;
399 	struct ieee80211_hdr *hdr;
400 	u8 icv[4];
401 	u32 crc;
402 	int plen;
403 	int i;
404 
405 	hdr = (struct ieee80211_hdr *)skb->data;
406 
407 	if (tkey->flags & IEEE80211_CRYPTO_TKIP_COUNTERMEASURES) {
408 		net_dbg_ratelimited("TKIP countermeasures: dropped received packet from %pM\n",
409 				    hdr->addr2);
410 		return -1;
411 	}
412 
413 	if (skb->len < hdr_len + TKIP_HDR_LEN + 4)
414 		return -1;
415 
416 	pos = skb->data + hdr_len;
417 	keyidx = pos[3];
418 	if (!(keyidx & (1 << 5))) {
419 		net_dbg_ratelimited("TKIP: received packet without ExtIV flag from %pM\n",
420 				    hdr->addr2);
421 		return -2;
422 	}
423 	keyidx >>= 6;
424 	if (tkey->key_idx != keyidx) {
425 		net_dbg_ratelimited("TKIP: RX tkey->key_idx=%d frame keyidx=%d\n",
426 				    tkey->key_idx, keyidx);
427 		return -6;
428 	}
429 	if (!tkey->key_set) {
430 		net_dbg_ratelimited("TKIP: received packet from %pM with keyid=%d that does not have a configured key\n",
431 				    hdr->addr2, keyidx);
432 		return -3;
433 	}
434 	iv16 = (pos[0] << 8) | pos[2];
435 	iv32 = pos[4] | (pos[5] << 8) | (pos[6] << 16) | (pos[7] << 24);
436 	pos += TKIP_HDR_LEN;
437 
438 	if (tkip_replay_check(iv32, iv16, tkey->rx_iv32, tkey->rx_iv16)) {
439 #ifdef CONFIG_LIB80211_DEBUG
440 		net_dbg_ratelimited("TKIP: replay detected: STA=%pM previous TSC %08x%04x received TSC %08x%04x\n",
441 				    hdr->addr2, tkey->rx_iv32, tkey->rx_iv16,
442 				    iv32, iv16);
443 #endif
444 		tkey->dot11RSNAStatsTKIPReplays++;
445 		return -4;
446 	}
447 
448 	if (iv32 != tkey->rx_iv32 || !tkey->rx_phase1_done) {
449 		tkip_mixing_phase1(tkey->rx_ttak, tkey->key, hdr->addr2, iv32);
450 		tkey->rx_phase1_done = 1;
451 	}
452 	tkip_mixing_phase2(rc4key, tkey->key, tkey->rx_ttak, iv16);
453 
454 	plen = skb->len - hdr_len - 12;
455 
456 	crypto_cipher_setkey(tkey->rx_tfm_arc4, rc4key, 16);
457 	for (i = 0; i < plen + 4; i++)
458 		crypto_cipher_decrypt_one(tkey->rx_tfm_arc4, pos + i, pos + i);
459 
460 	crc = ~crc32_le(~0, pos, plen);
461 	icv[0] = crc;
462 	icv[1] = crc >> 8;
463 	icv[2] = crc >> 16;
464 	icv[3] = crc >> 24;
465 	if (memcmp(icv, pos + plen, 4) != 0) {
466 		if (iv32 != tkey->rx_iv32) {
467 			/* Previously cached Phase1 result was already lost, so
468 			 * it needs to be recalculated for the next packet. */
469 			tkey->rx_phase1_done = 0;
470 		}
471 #ifdef CONFIG_LIB80211_DEBUG
472 		net_dbg_ratelimited("TKIP: ICV error detected: STA=%pM\n",
473 				    hdr->addr2);
474 #endif
475 		tkey->dot11RSNAStatsTKIPICVErrors++;
476 		return -5;
477 	}
478 
479 	/* Update real counters only after Michael MIC verification has
480 	 * completed */
481 	tkey->rx_iv32_new = iv32;
482 	tkey->rx_iv16_new = iv16;
483 
484 	/* Remove IV and ICV */
485 	memmove(skb->data + TKIP_HDR_LEN, skb->data, hdr_len);
486 	skb_pull(skb, TKIP_HDR_LEN);
487 	skb_trim(skb, skb->len - 4);
488 
489 	return keyidx;
490 }
491 
492 static int michael_mic(struct crypto_shash *tfm_michael, u8 *key, u8 *hdr,
493 		       u8 *data, size_t data_len, u8 *mic)
494 {
495 	SHASH_DESC_ON_STACK(desc, tfm_michael);
496 	int err;
497 
498 	if (tfm_michael == NULL) {
499 		pr_warn("%s(): tfm_michael == NULL\n", __func__);
500 		return -1;
501 	}
502 
503 	desc->tfm = tfm_michael;
504 	desc->flags = 0;
505 
506 	if (crypto_shash_setkey(tfm_michael, key, 8))
507 		return -1;
508 
509 	err = crypto_shash_init(desc);
510 	if (err)
511 		goto out;
512 	err = crypto_shash_update(desc, hdr, 16);
513 	if (err)
514 		goto out;
515 	err = crypto_shash_update(desc, data, data_len);
516 	if (err)
517 		goto out;
518 	err = crypto_shash_final(desc, mic);
519 
520 out:
521 	shash_desc_zero(desc);
522 	return err;
523 }
524 
525 static void michael_mic_hdr(struct sk_buff *skb, u8 * hdr)
526 {
527 	struct ieee80211_hdr *hdr11;
528 
529 	hdr11 = (struct ieee80211_hdr *)skb->data;
530 
531 	switch (le16_to_cpu(hdr11->frame_control) &
532 		(IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
533 	case IEEE80211_FCTL_TODS:
534 		memcpy(hdr, hdr11->addr3, ETH_ALEN);	/* DA */
535 		memcpy(hdr + ETH_ALEN, hdr11->addr2, ETH_ALEN);	/* SA */
536 		break;
537 	case IEEE80211_FCTL_FROMDS:
538 		memcpy(hdr, hdr11->addr1, ETH_ALEN);	/* DA */
539 		memcpy(hdr + ETH_ALEN, hdr11->addr3, ETH_ALEN);	/* SA */
540 		break;
541 	case IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS:
542 		memcpy(hdr, hdr11->addr3, ETH_ALEN);	/* DA */
543 		memcpy(hdr + ETH_ALEN, hdr11->addr4, ETH_ALEN);	/* SA */
544 		break;
545 	default:
546 		memcpy(hdr, hdr11->addr1, ETH_ALEN);	/* DA */
547 		memcpy(hdr + ETH_ALEN, hdr11->addr2, ETH_ALEN);	/* SA */
548 		break;
549 	}
550 
551 	if (ieee80211_is_data_qos(hdr11->frame_control)) {
552 		hdr[12] = le16_to_cpu(*((__le16 *)ieee80211_get_qos_ctl(hdr11)))
553 			& IEEE80211_QOS_CTL_TID_MASK;
554 	} else
555 		hdr[12] = 0;		/* priority */
556 
557 	hdr[13] = hdr[14] = hdr[15] = 0;	/* reserved */
558 }
559 
560 static int lib80211_michael_mic_add(struct sk_buff *skb, int hdr_len,
561 				     void *priv)
562 {
563 	struct lib80211_tkip_data *tkey = priv;
564 	u8 *pos;
565 
566 	if (skb_tailroom(skb) < 8 || skb->len < hdr_len) {
567 		printk(KERN_DEBUG "Invalid packet for Michael MIC add "
568 		       "(tailroom=%d hdr_len=%d skb->len=%d)\n",
569 		       skb_tailroom(skb), hdr_len, skb->len);
570 		return -1;
571 	}
572 
573 	michael_mic_hdr(skb, tkey->tx_hdr);
574 	pos = skb_put(skb, 8);
575 	if (michael_mic(tkey->tx_tfm_michael, &tkey->key[16], tkey->tx_hdr,
576 			skb->data + hdr_len, skb->len - 8 - hdr_len, pos))
577 		return -1;
578 
579 	return 0;
580 }
581 
582 static void lib80211_michael_mic_failure(struct net_device *dev,
583 					  struct ieee80211_hdr *hdr,
584 					  int keyidx)
585 {
586 	union iwreq_data wrqu;
587 	struct iw_michaelmicfailure ev;
588 
589 	/* TODO: needed parameters: count, keyid, key type, TSC */
590 	memset(&ev, 0, sizeof(ev));
591 	ev.flags = keyidx & IW_MICFAILURE_KEY_ID;
592 	if (hdr->addr1[0] & 0x01)
593 		ev.flags |= IW_MICFAILURE_GROUP;
594 	else
595 		ev.flags |= IW_MICFAILURE_PAIRWISE;
596 	ev.src_addr.sa_family = ARPHRD_ETHER;
597 	memcpy(ev.src_addr.sa_data, hdr->addr2, ETH_ALEN);
598 	memset(&wrqu, 0, sizeof(wrqu));
599 	wrqu.data.length = sizeof(ev);
600 	wireless_send_event(dev, IWEVMICHAELMICFAILURE, &wrqu, (char *)&ev);
601 }
602 
603 static int lib80211_michael_mic_verify(struct sk_buff *skb, int keyidx,
604 					int hdr_len, void *priv)
605 {
606 	struct lib80211_tkip_data *tkey = priv;
607 	u8 mic[8];
608 
609 	if (!tkey->key_set)
610 		return -1;
611 
612 	michael_mic_hdr(skb, tkey->rx_hdr);
613 	if (michael_mic(tkey->rx_tfm_michael, &tkey->key[24], tkey->rx_hdr,
614 			skb->data + hdr_len, skb->len - 8 - hdr_len, mic))
615 		return -1;
616 	if (memcmp(mic, skb->data + skb->len - 8, 8) != 0) {
617 		struct ieee80211_hdr *hdr;
618 		hdr = (struct ieee80211_hdr *)skb->data;
619 		printk(KERN_DEBUG "%s: Michael MIC verification failed for "
620 		       "MSDU from %pM keyidx=%d\n",
621 		       skb->dev ? skb->dev->name : "N/A", hdr->addr2,
622 		       keyidx);
623 		if (skb->dev)
624 			lib80211_michael_mic_failure(skb->dev, hdr, keyidx);
625 		tkey->dot11RSNAStatsTKIPLocalMICFailures++;
626 		return -1;
627 	}
628 
629 	/* Update TSC counters for RX now that the packet verification has
630 	 * completed. */
631 	tkey->rx_iv32 = tkey->rx_iv32_new;
632 	tkey->rx_iv16 = tkey->rx_iv16_new;
633 
634 	skb_trim(skb, skb->len - 8);
635 
636 	return 0;
637 }
638 
639 static int lib80211_tkip_set_key(void *key, int len, u8 * seq, void *priv)
640 {
641 	struct lib80211_tkip_data *tkey = priv;
642 	int keyidx;
643 	struct crypto_shash *tfm = tkey->tx_tfm_michael;
644 	struct crypto_cipher *tfm2 = tkey->tx_tfm_arc4;
645 	struct crypto_shash *tfm3 = tkey->rx_tfm_michael;
646 	struct crypto_cipher *tfm4 = tkey->rx_tfm_arc4;
647 
648 	keyidx = tkey->key_idx;
649 	memset(tkey, 0, sizeof(*tkey));
650 	tkey->key_idx = keyidx;
651 	tkey->tx_tfm_michael = tfm;
652 	tkey->tx_tfm_arc4 = tfm2;
653 	tkey->rx_tfm_michael = tfm3;
654 	tkey->rx_tfm_arc4 = tfm4;
655 	if (len == TKIP_KEY_LEN) {
656 		memcpy(tkey->key, key, TKIP_KEY_LEN);
657 		tkey->key_set = 1;
658 		tkey->tx_iv16 = 1;	/* TSC is initialized to 1 */
659 		if (seq) {
660 			tkey->rx_iv32 = (seq[5] << 24) | (seq[4] << 16) |
661 			    (seq[3] << 8) | seq[2];
662 			tkey->rx_iv16 = (seq[1] << 8) | seq[0];
663 		}
664 	} else if (len == 0)
665 		tkey->key_set = 0;
666 	else
667 		return -1;
668 
669 	return 0;
670 }
671 
672 static int lib80211_tkip_get_key(void *key, int len, u8 * seq, void *priv)
673 {
674 	struct lib80211_tkip_data *tkey = priv;
675 
676 	if (len < TKIP_KEY_LEN)
677 		return -1;
678 
679 	if (!tkey->key_set)
680 		return 0;
681 	memcpy(key, tkey->key, TKIP_KEY_LEN);
682 
683 	if (seq) {
684 		/* Return the sequence number of the last transmitted frame. */
685 		u16 iv16 = tkey->tx_iv16;
686 		u32 iv32 = tkey->tx_iv32;
687 		if (iv16 == 0)
688 			iv32--;
689 		iv16--;
690 		seq[0] = tkey->tx_iv16;
691 		seq[1] = tkey->tx_iv16 >> 8;
692 		seq[2] = tkey->tx_iv32;
693 		seq[3] = tkey->tx_iv32 >> 8;
694 		seq[4] = tkey->tx_iv32 >> 16;
695 		seq[5] = tkey->tx_iv32 >> 24;
696 	}
697 
698 	return TKIP_KEY_LEN;
699 }
700 
701 static void lib80211_tkip_print_stats(struct seq_file *m, void *priv)
702 {
703 	struct lib80211_tkip_data *tkip = priv;
704 	seq_printf(m,
705 		   "key[%d] alg=TKIP key_set=%d "
706 		   "tx_pn=%02x%02x%02x%02x%02x%02x "
707 		   "rx_pn=%02x%02x%02x%02x%02x%02x "
708 		   "replays=%d icv_errors=%d local_mic_failures=%d\n",
709 		   tkip->key_idx, tkip->key_set,
710 		   (tkip->tx_iv32 >> 24) & 0xff,
711 		   (tkip->tx_iv32 >> 16) & 0xff,
712 		   (tkip->tx_iv32 >> 8) & 0xff,
713 		   tkip->tx_iv32 & 0xff,
714 		   (tkip->tx_iv16 >> 8) & 0xff,
715 		   tkip->tx_iv16 & 0xff,
716 		   (tkip->rx_iv32 >> 24) & 0xff,
717 		   (tkip->rx_iv32 >> 16) & 0xff,
718 		   (tkip->rx_iv32 >> 8) & 0xff,
719 		   tkip->rx_iv32 & 0xff,
720 		   (tkip->rx_iv16 >> 8) & 0xff,
721 		   tkip->rx_iv16 & 0xff,
722 		   tkip->dot11RSNAStatsTKIPReplays,
723 		   tkip->dot11RSNAStatsTKIPICVErrors,
724 		   tkip->dot11RSNAStatsTKIPLocalMICFailures);
725 }
726 
727 static struct lib80211_crypto_ops lib80211_crypt_tkip = {
728 	.name = "TKIP",
729 	.init = lib80211_tkip_init,
730 	.deinit = lib80211_tkip_deinit,
731 	.encrypt_mpdu = lib80211_tkip_encrypt,
732 	.decrypt_mpdu = lib80211_tkip_decrypt,
733 	.encrypt_msdu = lib80211_michael_mic_add,
734 	.decrypt_msdu = lib80211_michael_mic_verify,
735 	.set_key = lib80211_tkip_set_key,
736 	.get_key = lib80211_tkip_get_key,
737 	.print_stats = lib80211_tkip_print_stats,
738 	.extra_mpdu_prefix_len = 4 + 4,	/* IV + ExtIV */
739 	.extra_mpdu_postfix_len = 4,	/* ICV */
740 	.extra_msdu_postfix_len = 8,	/* MIC */
741 	.get_flags = lib80211_tkip_get_flags,
742 	.set_flags = lib80211_tkip_set_flags,
743 	.owner = THIS_MODULE,
744 };
745 
746 static int __init lib80211_crypto_tkip_init(void)
747 {
748 	return lib80211_register_crypto_ops(&lib80211_crypt_tkip);
749 }
750 
751 static void __exit lib80211_crypto_tkip_exit(void)
752 {
753 	lib80211_unregister_crypto_ops(&lib80211_crypt_tkip);
754 }
755 
756 module_init(lib80211_crypto_tkip_init);
757 module_exit(lib80211_crypto_tkip_exit);
758