1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2007 - 2011 Realtek Corporation. */
3
4 #define _RTW_SECURITY_C_
5
6 #include "../include/osdep_service.h"
7 #include "../include/drv_types.h"
8 #include "../include/wifi.h"
9 #include "../include/osdep_intf.h"
10
11 /* WEP related ===== */
12
13 /*
14 Need to consider the fragment situation
15 */
rtw_wep_encrypt(struct adapter * padapter,struct xmit_frame * pxmitframe)16 void rtw_wep_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
17 { /* exclude ICV */
18 union {
19 __le32 f0;
20 u8 f1[4];
21 } crc;
22
23 int curfragnum, length;
24 u32 keylength;
25
26 u8 *pframe, *payload, *iv; /* wepkey */
27 u8 wepkey[16];
28 u8 hw_hdr_offset = 0;
29 struct pkt_attrib *pattrib = &pxmitframe->attrib;
30 struct security_priv *psecuritypriv = &padapter->securitypriv;
31 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
32 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
33
34 if (!pxmitframe->buf_addr)
35 return;
36
37 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
38 pframe = pxmitframe->buf_addr + hw_hdr_offset;
39
40 /* start to encrypt each fragment */
41 if ((pattrib->encrypt == _WEP40_) || (pattrib->encrypt == _WEP104_)) {
42 keylength = psecuritypriv->dot11DefKeylen[psecuritypriv->dot11PrivacyKeyIndex];
43
44 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
45 iv = pframe + pattrib->hdrlen;
46 memcpy(&wepkey[0], iv, 3);
47 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength);
48 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
49
50 if ((curfragnum + 1) == pattrib->nr_frags) { /* the last fragment */
51 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
52
53 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
54
55 arc4_setkey(ctx, wepkey, 3 + keylength);
56 arc4_crypt(ctx, payload, payload, length);
57 arc4_crypt(ctx, payload + length, crc.f1, 4);
58 } else {
59 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
60 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
61 arc4_setkey(ctx, wepkey, 3 + keylength);
62 arc4_crypt(ctx, payload, payload, length);
63 arc4_crypt(ctx, payload + length, crc.f1, 4);
64
65 pframe += pxmitpriv->frag_len;
66 pframe = (u8 *)RND4((size_t)(pframe));
67 }
68 }
69 }
70
71 }
72
rtw_wep_decrypt(struct adapter * padapter,struct recv_frame * precvframe)73 void rtw_wep_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
74 {
75 /* exclude ICV */
76 int length;
77 u32 keylength;
78 u8 *pframe, *payload, *iv, wepkey[16];
79 u8 keyindex;
80 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
81 struct security_priv *psecuritypriv = &padapter->securitypriv;
82 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
83
84 pframe = precvframe->rx_data;
85
86 /* start to decrypt recvframe */
87 if ((prxattrib->encrypt == _WEP40_) || (prxattrib->encrypt == _WEP104_)) {
88 iv = pframe + prxattrib->hdrlen;
89 keyindex = prxattrib->key_index;
90 keylength = psecuritypriv->dot11DefKeylen[keyindex];
91 memcpy(&wepkey[0], iv, 3);
92 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
93 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
94
95 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
96
97 /* decrypt payload include icv */
98 arc4_setkey(ctx, wepkey, 3 + keylength);
99 arc4_crypt(ctx, payload, payload, length);
100 }
101 }
102
103 /* 3 ===== TKIP related ===== */
104
secmicgetuint32(u8 * p)105 static u32 secmicgetuint32(u8 *p)
106 /* Convert from Byte[] to Us3232 in a portable way */
107 {
108 s32 i;
109 u32 res = 0;
110
111 for (i = 0; i < 4; i++)
112 res |= ((u32)(*p++)) << (8 * i);
113
114 return res;
115 }
116
secmicputuint32(u8 * p,u32 val)117 static void secmicputuint32(u8 *p, u32 val)
118 /* Convert from Us3232 to Byte[] in a portable way */
119 {
120 long i;
121
122 for (i = 0; i < 4; i++) {
123 *p++ = (u8)(val & 0xff);
124 val >>= 8;
125 }
126
127 }
128
secmicclear(struct mic_data * pmicdata)129 static void secmicclear(struct mic_data *pmicdata)
130 {
131 /* Reset the state to the empty message. */
132
133 pmicdata->L = pmicdata->K0;
134 pmicdata->R = pmicdata->K1;
135 pmicdata->nBytesInM = 0;
136 pmicdata->M = 0;
137
138 }
139
rtw_secmicsetkey(struct mic_data * pmicdata,u8 * key)140 void rtw_secmicsetkey(struct mic_data *pmicdata, u8 *key)
141 {
142 /* Set the key */
143
144 pmicdata->K0 = secmicgetuint32(key);
145 pmicdata->K1 = secmicgetuint32(key + 4);
146 /* and reset the message */
147 secmicclear(pmicdata);
148
149 }
150
rtw_secmicappendbyte(struct mic_data * pmicdata,u8 b)151 void rtw_secmicappendbyte(struct mic_data *pmicdata, u8 b)
152 {
153
154 /* Append the byte to our word-sized buffer */
155 pmicdata->M |= ((unsigned long)b) << (8 * pmicdata->nBytesInM);
156 pmicdata->nBytesInM++;
157 /* Process the word if it is full. */
158 if (pmicdata->nBytesInM >= 4) {
159 pmicdata->L ^= pmicdata->M;
160 pmicdata->R ^= ROL32(pmicdata->L, 17);
161 pmicdata->L += pmicdata->R;
162 pmicdata->R ^= ((pmicdata->L & 0xff00ff00) >> 8) | ((pmicdata->L & 0x00ff00ff) << 8);
163 pmicdata->L += pmicdata->R;
164 pmicdata->R ^= ROL32(pmicdata->L, 3);
165 pmicdata->L += pmicdata->R;
166 pmicdata->R ^= ROR32(pmicdata->L, 2);
167 pmicdata->L += pmicdata->R;
168 /* Clear the buffer */
169 pmicdata->M = 0;
170 pmicdata->nBytesInM = 0;
171 }
172
173 }
174
rtw_secmicappend(struct mic_data * pmicdata,u8 * src,u32 nbytes)175 void rtw_secmicappend(struct mic_data *pmicdata, u8 *src, u32 nbytes)
176 {
177
178 /* This is simple */
179 while (nbytes > 0) {
180 rtw_secmicappendbyte(pmicdata, *src++);
181 nbytes--;
182 }
183
184 }
185
rtw_secgetmic(struct mic_data * pmicdata,u8 * dst)186 void rtw_secgetmic(struct mic_data *pmicdata, u8 *dst)
187 {
188
189 /* Append the minimum padding */
190 rtw_secmicappendbyte(pmicdata, 0x5a);
191 rtw_secmicappendbyte(pmicdata, 0);
192 rtw_secmicappendbyte(pmicdata, 0);
193 rtw_secmicappendbyte(pmicdata, 0);
194 rtw_secmicappendbyte(pmicdata, 0);
195 /* and then zeroes until the length is a multiple of 4 */
196 while (pmicdata->nBytesInM != 0)
197 rtw_secmicappendbyte(pmicdata, 0);
198 /* The appendByte function has already computed the result. */
199 secmicputuint32(dst, pmicdata->L);
200 secmicputuint32(dst + 4, pmicdata->R);
201 /* Reset to the empty message. */
202 secmicclear(pmicdata);
203
204 }
205
rtw_seccalctkipmic(u8 * key,u8 * header,u8 * data,u32 data_len,u8 * mic_code,u8 pri)206 void rtw_seccalctkipmic(u8 *key, u8 *header, u8 *data, u32 data_len, u8 *mic_code, u8 pri)
207 {
208 struct mic_data micdata;
209 u8 priority[4] = {0x0, 0x0, 0x0, 0x0};
210
211 rtw_secmicsetkey(&micdata, key);
212 priority[0] = pri;
213
214 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
215 if (header[1] & 1) { /* ToDS == 1 */
216 rtw_secmicappend(&micdata, &header[16], 6); /* DA */
217 if (header[1] & 2) /* From Ds == 1 */
218 rtw_secmicappend(&micdata, &header[24], 6);
219 else
220 rtw_secmicappend(&micdata, &header[10], 6);
221 } else { /* ToDS == 0 */
222 rtw_secmicappend(&micdata, &header[4], 6); /* DA */
223 if (header[1] & 2) /* From Ds == 1 */
224 rtw_secmicappend(&micdata, &header[16], 6);
225 else
226 rtw_secmicappend(&micdata, &header[10], 6);
227 }
228 rtw_secmicappend(&micdata, &priority[0], 4);
229
230 rtw_secmicappend(&micdata, data, data_len);
231
232 rtw_secgetmic(&micdata, mic_code);
233
234 }
235
236 /* macros for extraction/creation of unsigned char/unsigned short values */
237 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
238 #define Lo8(v16) ((u8)((v16) & 0x00FF))
239 #define Hi8(v16) ((u8)(((v16) >> 8) & 0x00FF))
240 #define Lo16(v32) ((u16)((v32) & 0xFFFF))
241 #define Hi16(v32) ((u16)(((v32) >> 16) & 0xFFFF))
242 #define Mk16(hi, lo) ((lo) ^ (((u16)(hi)) << 8))
243
244 /* select the Nth 16-bit word of the temporal key unsigned char array TK[] */
245 #define TK16(N) Mk16(tk[2 * (N) + 1], tk[2 * (N)])
246
247 /* S-box lookup: 16 bits --> 16 bits */
248 #define _S_(v16) (Sbox1[0][Lo8(v16)] ^ Sbox1[1][Hi8(v16)])
249
250 /* fixed algorithm "parameters" */
251 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
252 #define TA_SIZE 6 /* 48-bit transmitter address */
253 #define TK_SIZE 16 /* 128-bit temporal key */
254 #define P1K_SIZE 10 /* 80-bit Phase1 key */
255 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */
256
257 /* 2-unsigned char by 2-unsigned char subset of the full AES S-box table */
258 static const unsigned short Sbox1[2][256] = { /* Sbox for hash (can be in ROM) */
259 {
260 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
261 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
262 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
263 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
264 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
265 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
266 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
267 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
268 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
269 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
270 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
271 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
272 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
273 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
274 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
275 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
276 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
277 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
278 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
279 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
280 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
281 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
282 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
283 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
284 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
285 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
286 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
287 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
288 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
289 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
290 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
291 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
292 },
293
294 { /* second half of table is unsigned char-reversed version of first! */
295 0xA5C6, 0x84F8, 0x99EE, 0x8DF6, 0x0DFF, 0xBDD6, 0xB1DE, 0x5491,
296 0x5060, 0x0302, 0xA9CE, 0x7D56, 0x19E7, 0x62B5, 0xE64D, 0x9AEC,
297 0x458F, 0x9D1F, 0x4089, 0x87FA, 0x15EF, 0xEBB2, 0xC98E, 0x0BFB,
298 0xEC41, 0x67B3, 0xFD5F, 0xEA45, 0xBF23, 0xF753, 0x96E4, 0x5B9B,
299 0xC275, 0x1CE1, 0xAE3D, 0x6A4C, 0x5A6C, 0x417E, 0x02F5, 0x4F83,
300 0x5C68, 0xF451, 0x34D1, 0x08F9, 0x93E2, 0x73AB, 0x5362, 0x3F2A,
301 0x0C08, 0x5295, 0x6546, 0x5E9D, 0x2830, 0xA137, 0x0F0A, 0xB52F,
302 0x090E, 0x3624, 0x9B1B, 0x3DDF, 0x26CD, 0x694E, 0xCD7F, 0x9FEA,
303 0x1B12, 0x9E1D, 0x7458, 0x2E34, 0x2D36, 0xB2DC, 0xEEB4, 0xFB5B,
304 0xF6A4, 0x4D76, 0x61B7, 0xCE7D, 0x7B52, 0x3EDD, 0x715E, 0x9713,
305 0xF5A6, 0x68B9, 0x0000, 0x2CC1, 0x6040, 0x1FE3, 0xC879, 0xEDB6,
306 0xBED4, 0x468D, 0xD967, 0x4B72, 0xDE94, 0xD498, 0xE8B0, 0x4A85,
307 0x6BBB, 0x2AC5, 0xE54F, 0x16ED, 0xC586, 0xD79A, 0x5566, 0x9411,
308 0xCF8A, 0x10E9, 0x0604, 0x81FE, 0xF0A0, 0x4478, 0xBA25, 0xE34B,
309 0xF3A2, 0xFE5D, 0xC080, 0x8A05, 0xAD3F, 0xBC21, 0x4870, 0x04F1,
310 0xDF63, 0xC177, 0x75AF, 0x6342, 0x3020, 0x1AE5, 0x0EFD, 0x6DBF,
311 0x4C81, 0x1418, 0x3526, 0x2FC3, 0xE1BE, 0xA235, 0xCC88, 0x392E,
312 0x5793, 0xF255, 0x82FC, 0x477A, 0xACC8, 0xE7BA, 0x2B32, 0x95E6,
313 0xA0C0, 0x9819, 0xD19E, 0x7FA3, 0x6644, 0x7E54, 0xAB3B, 0x830B,
314 0xCA8C, 0x29C7, 0xD36B, 0x3C28, 0x79A7, 0xE2BC, 0x1D16, 0x76AD,
315 0x3BDB, 0x5664, 0x4E74, 0x1E14, 0xDB92, 0x0A0C, 0x6C48, 0xE4B8,
316 0x5D9F, 0x6EBD, 0xEF43, 0xA6C4, 0xA839, 0xA431, 0x37D3, 0x8BF2,
317 0x32D5, 0x438B, 0x596E, 0xB7DA, 0x8C01, 0x64B1, 0xD29C, 0xE049,
318 0xB4D8, 0xFAAC, 0x07F3, 0x25CF, 0xAFCA, 0x8EF4, 0xE947, 0x1810,
319 0xD56F, 0x88F0, 0x6F4A, 0x725C, 0x2438, 0xF157, 0xC773, 0x5197,
320 0x23CB, 0x7CA1, 0x9CE8, 0x213E, 0xDD96, 0xDC61, 0x860D, 0x850F,
321 0x90E0, 0x427C, 0xC471, 0xAACC, 0xD890, 0x0506, 0x01F7, 0x121C,
322 0xA3C2, 0x5F6A, 0xF9AE, 0xD069, 0x9117, 0x5899, 0x273A, 0xB927,
323 0x38D9, 0x13EB, 0xB32B, 0x3322, 0xBBD2, 0x70A9, 0x8907, 0xA733,
324 0xB62D, 0x223C, 0x9215, 0x20C9, 0x4987, 0xFFAA, 0x7850, 0x7AA5,
325 0x8F03, 0xF859, 0x8009, 0x171A, 0xDA65, 0x31D7, 0xC684, 0xB8D0,
326 0xC382, 0xB029, 0x775A, 0x111E, 0xCB7B, 0xFCA8, 0xD66D, 0x3A2C,
327 }
328 };
329
330 /*
331 **********************************************************************
332 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
333 *
334 * Inputs:
335 * tk[] = temporal key [128 bits]
336 * ta[] = transmitter's MAC address [ 48 bits]
337 * iv32 = upper 32 bits of IV [ 32 bits]
338 * Output:
339 * p1k[] = Phase 1 key [ 80 bits]
340 *
341 * Note:
342 * This function only needs to be called every 2**16 packets,
343 * although in theory it could be called every packet.
344 *
345 **********************************************************************
346 */
phase1(u16 * p1k,const u8 * tk,const u8 * ta,u32 iv32)347 static void phase1(u16 *p1k, const u8 *tk, const u8 *ta, u32 iv32)
348 {
349 int i;
350
351 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
352 p1k[0] = Lo16(iv32);
353 p1k[1] = Hi16(iv32);
354 p1k[2] = Mk16(ta[1], ta[0]); /* use TA[] as little-endian */
355 p1k[3] = Mk16(ta[3], ta[2]);
356 p1k[4] = Mk16(ta[5], ta[4]);
357
358 /* Now compute an unbalanced Feistel cipher with 80-bit block */
359 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
360 for (i = 0; i < PHASE1_LOOP_CNT; i++) { /* Each add operation here is mod 2**16 */
361 p1k[0] += _S_(p1k[4] ^ TK16((i & 1) + 0));
362 p1k[1] += _S_(p1k[0] ^ TK16((i & 1) + 2));
363 p1k[2] += _S_(p1k[1] ^ TK16((i & 1) + 4));
364 p1k[3] += _S_(p1k[2] ^ TK16((i & 1) + 6));
365 p1k[4] += _S_(p1k[3] ^ TK16((i & 1) + 0));
366 p1k[4] += (unsigned short)i; /* avoid "slide attacks" */
367 }
368
369 }
370
371 /*
372 **********************************************************************
373 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
374 *
375 * Inputs:
376 * tk[] = Temporal key [128 bits]
377 * p1k[] = Phase 1 output key [ 80 bits]
378 * iv16 = low 16 bits of IV counter [ 16 bits]
379 * Output:
380 * rc4key[] = the key used to encrypt the packet [128 bits]
381 *
382 * Note:
383 * The value {TA, IV32, IV16} for Phase1/Phase2 must be unique
384 * across all packets using the same key TK value. Then, for a
385 * given value of TK[], this TKIP48 construction guarantees that
386 * the final RC4KEY value is unique across all packets.
387 *
388 * Suggested implementation optimization: if PPK[] is "overlaid"
389 * appropriately on RC4KEY[], there is no need for the final
390 * for loop below that copies the PPK[] result into RC4KEY[].
391 *
392 **********************************************************************
393 */
phase2(u8 * rc4key,const u8 * tk,const u16 * p1k,u16 iv16)394 static void phase2(u8 *rc4key, const u8 *tk, const u16 *p1k, u16 iv16)
395 {
396 int i;
397 u16 PPK[6]; /* temporary key for mixing */
398
399 /* Note: all adds in the PPK[] equations below are mod 2**16 */
400 for (i = 0; i < 5; i++)
401 PPK[i] = p1k[i]; /* first, copy P1K to PPK */
402 PPK[5] = p1k[4] + iv16; /* next, add in IV16 */
403
404 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
405 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
406 PPK[1] += _S_(PPK[0] ^ TK16(1));
407 PPK[2] += _S_(PPK[1] ^ TK16(2));
408 PPK[3] += _S_(PPK[2] ^ TK16(3));
409 PPK[4] += _S_(PPK[3] ^ TK16(4));
410 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
411
412 /* Final sweep: bijective, "linear". Rotates kill LSB correlations */
413 PPK[0] += RotR1(PPK[5] ^ TK16(6));
414 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
415 PPK[2] += RotR1(PPK[1]);
416 PPK[3] += RotR1(PPK[2]);
417 PPK[4] += RotR1(PPK[3]);
418 PPK[5] += RotR1(PPK[4]);
419 /* Note: At this point, for a given key TK[0..15], the 96-bit output */
420 /* value PPK[0..5] is guaranteed to be unique, as a function */
421 /* of the 96-bit "input" value {TA, IV32, IV16}. That is, P1K */
422 /* is now a keyed permutation of {TA, IV32, IV16}. */
423
424 /* Set RC4KEY[0..3], which includes "cleartext" portion of RC4 key */
425 rc4key[0] = Hi8(iv16); /* RC4KEY[0..2] is the WEP IV */
426 rc4key[1] = (Hi8(iv16) | 0x20) & 0x7F; /* Help avoid weak (FMS) keys */
427 rc4key[2] = Lo8(iv16);
428 rc4key[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
429
430 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
431 for (i = 0; i < 6; i++) {
432 rc4key[4 + 2 * i] = Lo8(PPK[i]);
433 rc4key[5 + 2 * i] = Hi8(PPK[i]);
434 }
435
436 }
437
438 /* The hlen isn't include the IV */
rtw_tkip_encrypt(struct adapter * padapter,struct xmit_frame * pxmitframe)439 u32 rtw_tkip_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
440 { /* exclude ICV */
441 u16 pnl;
442 u32 pnh;
443 u8 rc4key[16];
444 u8 ttkey[16];
445 union {
446 __le32 f0;
447 u8 f1[4];
448 } crc;
449 u8 hw_hdr_offset = 0;
450 int curfragnum, length;
451
452 u8 *pframe, *payload, *iv, *prwskey;
453 union pn48 dot11txpn;
454 struct sta_info *stainfo;
455 struct pkt_attrib *pattrib = &pxmitframe->attrib;
456 struct security_priv *psecuritypriv = &padapter->securitypriv;
457 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
458 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
459 u32 res = _SUCCESS;
460
461 if (!pxmitframe->buf_addr)
462 return _FAIL;
463
464 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
465 pframe = pxmitframe->buf_addr + hw_hdr_offset;
466
467 /* 4 start to encrypt each fragment */
468 if (pattrib->encrypt == _TKIP_) {
469 if (pattrib->psta)
470 stainfo = pattrib->psta;
471 else
472 stainfo = rtw_get_stainfo(&padapter->stapriv, &pattrib->ra[0]);
473
474 if (stainfo) {
475 if (is_multicast_ether_addr(pattrib->ra))
476 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
477 else
478 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
479
480 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
481 iv = pframe + pattrib->hdrlen;
482 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
483
484 GET_TKIP_PN(iv, dot11txpn);
485
486 pnl = (u16)(dot11txpn.val);
487 pnh = (u32)(dot11txpn.val >> 16);
488 phase1((u16 *)&ttkey[0], prwskey, &pattrib->ta[0], pnh);
489 phase2(&rc4key[0], prwskey, (u16 *)&ttkey[0], pnl);
490
491 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
492 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
493 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
494
495 arc4_setkey(ctx, rc4key, 16);
496 arc4_crypt(ctx, payload, payload, length);
497 arc4_crypt(ctx, payload + length, crc.f1, 4);
498 } else {
499 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
500 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
501
502 arc4_setkey(ctx, rc4key, 16);
503 arc4_crypt(ctx, payload, payload, length);
504 arc4_crypt(ctx, payload + length, crc.f1, 4);
505
506 pframe += pxmitpriv->frag_len;
507 pframe = (u8 *)RND4((size_t)(pframe));
508 }
509 }
510 } else {
511 res = _FAIL;
512 }
513 }
514
515 return res;
516 }
517
518 /* The hlen isn't include the IV */
rtw_tkip_decrypt(struct adapter * padapter,struct recv_frame * precvframe)519 u32 rtw_tkip_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
520 { /* exclude ICV */
521 u16 pnl;
522 u32 pnh;
523 u8 rc4key[16];
524 u8 ttkey[16];
525 union {
526 __le32 f0;
527 u8 f1[4];
528 } crc;
529 int length;
530
531 u8 *pframe, *payload, *iv, *prwskey;
532 union pn48 dot11txpn;
533 struct sta_info *stainfo;
534 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
535 struct security_priv *psecuritypriv = &padapter->securitypriv;
536 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
537 u32 res = _SUCCESS;
538
539 pframe = precvframe->rx_data;
540
541 /* 4 start to decrypt recvframe */
542 if (prxattrib->encrypt == _TKIP_) {
543 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
544 if (stainfo) {
545 if (is_multicast_ether_addr(prxattrib->ra)) {
546 if (!psecuritypriv->binstallGrpkey) {
547 res = _FAIL;
548 DBG_88E("%s:rx bc/mc packets, but didn't install group key!!!!!!!!!!\n", __func__);
549 goto exit;
550 }
551 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
552 } else {
553 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
554 }
555
556 iv = pframe + prxattrib->hdrlen;
557 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
558 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
559
560 GET_TKIP_PN(iv, dot11txpn);
561
562 pnl = (u16)(dot11txpn.val);
563 pnh = (u32)(dot11txpn.val >> 16);
564
565 phase1((u16 *)&ttkey[0], prwskey, &prxattrib->ta[0], pnh);
566 phase2(&rc4key[0], prwskey, (unsigned short *)&ttkey[0], pnl);
567
568 /* 4 decrypt payload include icv */
569
570 arc4_setkey(ctx, rc4key, 16);
571 arc4_crypt(ctx, payload, payload, length);
572
573 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
574
575 if (crc.f1[3] != payload[length - 1] ||
576 crc.f1[2] != payload[length - 2] ||
577 crc.f1[1] != payload[length - 3] ||
578 crc.f1[0] != payload[length - 4])
579 res = _FAIL;
580 } else {
581 res = _FAIL;
582 }
583 }
584
585 exit:
586 return res;
587 }
588
589 /* 3 ===== AES related ===== */
590
591 #define MAX_MSG_SIZE 2048
592 /*****************************/
593 /******** SBOX Table *********/
594 /*****************************/
595
596 static u8 sbox_table[256] = {
597 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
598 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
599 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
600 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
601 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
602 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
603 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
604 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
605 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
606 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
607 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
608 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
609 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
610 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
611 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
612 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
613 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
614 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
615 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
616 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
617 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
618 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
619 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
620 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
621 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
622 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
623 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
624 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
625 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
626 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
627 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
628 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
629 };
630
631 /*****************************/
632 /**** Function Prototypes ****/
633 /*****************************/
634
635 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out);
636 static void construct_mic_iv(u8 *mic_header1, int qc_exists, int a4_exists, u8 *mpdu, uint payload_length, u8 *pn_vector);
637 static void construct_mic_header1(u8 *mic_header1, int header_length, u8 *mpdu);
638 static void construct_mic_header2(u8 *mic_header2, u8 *mpdu, int a4_exists, int qc_exists);
639 static void construct_ctr_preload(u8 *ctr_preload, int a4_exists, int qc_exists, u8 *mpdu, u8 *pn_vector, int c);
640 static void xor_128(u8 *a, u8 *b, u8 *out);
641 static void xor_32(u8 *a, u8 *b, u8 *out);
642 static u8 sbox(u8 a);
643 static void next_key(u8 *key, int round);
644 static void byte_sub(u8 *in, u8 *out);
645 static void shift_row(u8 *in, u8 *out);
646 static void mix_column(u8 *in, u8 *out);
647 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext);
648
649 /****************************************/
650 /* aes128k128d() */
651 /* Performs a 128 bit AES encrypt with */
652 /* 128 bit data. */
653 /****************************************/
xor_128(u8 * a,u8 * b,u8 * out)654 static void xor_128(u8 *a, u8 *b, u8 *out)
655 {
656 int i;
657
658 for (i = 0; i < 16; i++)
659 out[i] = a[i] ^ b[i];
660
661 }
662
xor_32(u8 * a,u8 * b,u8 * out)663 static void xor_32(u8 *a, u8 *b, u8 *out)
664 {
665 int i;
666
667 for (i = 0; i < 4; i++)
668 out[i] = a[i] ^ b[i];
669
670 }
671
sbox(u8 a)672 static u8 sbox(u8 a)
673 {
674 return sbox_table[(int)a];
675 }
676
next_key(u8 * key,int round)677 static void next_key(u8 *key, int round)
678 {
679 u8 rcon;
680 u8 sbox_key[4];
681 u8 rcon_table[12] = {
682 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
683 0x1b, 0x36, 0x36, 0x36
684 };
685
686 sbox_key[0] = sbox(key[13]);
687 sbox_key[1] = sbox(key[14]);
688 sbox_key[2] = sbox(key[15]);
689 sbox_key[3] = sbox(key[12]);
690
691 rcon = rcon_table[round];
692
693 xor_32(&key[0], sbox_key, &key[0]);
694 key[0] = key[0] ^ rcon;
695
696 xor_32(&key[4], &key[0], &key[4]);
697 xor_32(&key[8], &key[4], &key[8]);
698 xor_32(&key[12], &key[8], &key[12]);
699
700 }
701
byte_sub(u8 * in,u8 * out)702 static void byte_sub(u8 *in, u8 *out)
703 {
704 int i;
705
706 for (i = 0; i < 16; i++)
707 out[i] = sbox(in[i]);
708
709 }
710
shift_row(u8 * in,u8 * out)711 static void shift_row(u8 *in, u8 *out)
712 {
713
714 out[0] = in[0];
715 out[1] = in[5];
716 out[2] = in[10];
717 out[3] = in[15];
718 out[4] = in[4];
719 out[5] = in[9];
720 out[6] = in[14];
721 out[7] = in[3];
722 out[8] = in[8];
723 out[9] = in[13];
724 out[10] = in[2];
725 out[11] = in[7];
726 out[12] = in[12];
727 out[13] = in[1];
728 out[14] = in[6];
729 out[15] = in[11];
730
731 }
732
mix_column(u8 * in,u8 * out)733 static void mix_column(u8 *in, u8 *out)
734 {
735 int i;
736 u8 add1b[4];
737 u8 add1bf7[4];
738 u8 rotl[4];
739 u8 swap_halfs[4];
740 u8 andf7[4];
741 u8 rotr[4];
742 u8 temp[4];
743 u8 tempb[4];
744
745 for (i = 0 ; i < 4; i++) {
746 if ((in[i] & 0x80) == 0x80)
747 add1b[i] = 0x1b;
748 else
749 add1b[i] = 0x00;
750 }
751
752 swap_halfs[0] = in[2]; /* Swap halves */
753 swap_halfs[1] = in[3];
754 swap_halfs[2] = in[0];
755 swap_halfs[3] = in[1];
756
757 rotl[0] = in[3]; /* Rotate left 8 bits */
758 rotl[1] = in[0];
759 rotl[2] = in[1];
760 rotl[3] = in[2];
761
762 andf7[0] = in[0] & 0x7f;
763 andf7[1] = in[1] & 0x7f;
764 andf7[2] = in[2] & 0x7f;
765 andf7[3] = in[3] & 0x7f;
766
767 for (i = 3; i > 0; i--) { /* logical shift left 1 bit */
768 andf7[i] = andf7[i] << 1;
769 if ((andf7[i - 1] & 0x80) == 0x80)
770 andf7[i] = (andf7[i] | 0x01);
771 }
772 andf7[0] = andf7[0] << 1;
773 andf7[0] = andf7[0] & 0xfe;
774
775 xor_32(add1b, andf7, add1bf7);
776
777 xor_32(in, add1bf7, rotr);
778
779 temp[0] = rotr[0]; /* Rotate right 8 bits */
780 rotr[0] = rotr[1];
781 rotr[1] = rotr[2];
782 rotr[2] = rotr[3];
783 rotr[3] = temp[0];
784
785 xor_32(add1bf7, rotr, temp);
786 xor_32(swap_halfs, rotl, tempb);
787 xor_32(temp, tempb, out);
788
789 }
790
aes128k128d(u8 * key,u8 * data,u8 * ciphertext)791 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext)
792 {
793 int round;
794 int i;
795 u8 intermediatea[16];
796 u8 intermediateb[16];
797 u8 round_key[16];
798
799 for (i = 0; i < 16; i++)
800 round_key[i] = key[i];
801 for (round = 0; round < 11; round++) {
802 if (round == 0) {
803 xor_128(round_key, data, ciphertext);
804 next_key(round_key, round);
805 } else if (round == 10) {
806 byte_sub(ciphertext, intermediatea);
807 shift_row(intermediatea, intermediateb);
808 xor_128(intermediateb, round_key, ciphertext);
809 } else { /* 1 - 9 */
810 byte_sub(ciphertext, intermediatea);
811 shift_row(intermediatea, intermediateb);
812 mix_column(&intermediateb[0], &intermediatea[0]);
813 mix_column(&intermediateb[4], &intermediatea[4]);
814 mix_column(&intermediateb[8], &intermediatea[8]);
815 mix_column(&intermediateb[12], &intermediatea[12]);
816 xor_128(intermediatea, round_key, ciphertext);
817 next_key(round_key, round);
818 }
819 }
820
821 }
822
823 /************************************************/
824 /* construct_mic_iv() */
825 /* Builds the MIC IV from header fields and PN */
826 /************************************************/
construct_mic_iv(u8 * mic_iv,int qc_exists,int a4_exists,u8 * mpdu,uint payload_length,u8 * pn_vector)827 static void construct_mic_iv(u8 *mic_iv, int qc_exists, int a4_exists, u8 *mpdu,
828 uint payload_length, u8 *pn_vector)
829 {
830 int i;
831
832 mic_iv[0] = 0x59;
833 if (qc_exists && a4_exists)
834 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
835 if (qc_exists && !a4_exists)
836 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
837 if (!qc_exists)
838 mic_iv[1] = 0x00;
839 for (i = 2; i < 8; i++)
840 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
841 for (i = 8; i < 14; i++)
842 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
843 mic_iv[14] = (unsigned char)(payload_length / 256);
844 mic_iv[15] = (unsigned char)(payload_length % 256);
845
846 }
847
848 /************************************************/
849 /* construct_mic_header1() */
850 /* Builds the first MIC header block from */
851 /* header fields. */
852 /************************************************/
construct_mic_header1(u8 * mic_header1,int header_length,u8 * mpdu)853 static void construct_mic_header1(u8 *mic_header1, int header_length, u8 *mpdu)
854 {
855
856 mic_header1[0] = (u8)((header_length - 2) / 256);
857 mic_header1[1] = (u8)((header_length - 2) % 256);
858 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
859 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
860 mic_header1[4] = mpdu[4]; /* A1 */
861 mic_header1[5] = mpdu[5];
862 mic_header1[6] = mpdu[6];
863 mic_header1[7] = mpdu[7];
864 mic_header1[8] = mpdu[8];
865 mic_header1[9] = mpdu[9];
866 mic_header1[10] = mpdu[10]; /* A2 */
867 mic_header1[11] = mpdu[11];
868 mic_header1[12] = mpdu[12];
869 mic_header1[13] = mpdu[13];
870 mic_header1[14] = mpdu[14];
871 mic_header1[15] = mpdu[15];
872
873 }
874
875 /************************************************/
876 /* construct_mic_header2() */
877 /* Builds the last MIC header block from */
878 /* header fields. */
879 /************************************************/
construct_mic_header2(u8 * mic_header2,u8 * mpdu,int a4_exists,int qc_exists)880 static void construct_mic_header2(u8 *mic_header2, u8 *mpdu, int a4_exists, int qc_exists)
881 {
882 int i;
883
884 for (i = 0; i < 16; i++)
885 mic_header2[i] = 0x00;
886
887 mic_header2[0] = mpdu[16]; /* A3 */
888 mic_header2[1] = mpdu[17];
889 mic_header2[2] = mpdu[18];
890 mic_header2[3] = mpdu[19];
891 mic_header2[4] = mpdu[20];
892 mic_header2[5] = mpdu[21];
893
894 mic_header2[6] = 0x00;
895 mic_header2[7] = 0x00; /* mpdu[23]; */
896
897 if (!qc_exists && a4_exists) {
898 for (i = 0; i < 6; i++)
899 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
900 }
901
902 if (qc_exists && !a4_exists) {
903 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
904 mic_header2[9] = mpdu[25] & 0x00;
905 }
906
907 if (qc_exists && a4_exists) {
908 for (i = 0; i < 6; i++)
909 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
910
911 mic_header2[14] = mpdu[30] & 0x0f;
912 mic_header2[15] = mpdu[31] & 0x00;
913 }
914
915 }
916
917 /************************************************/
918 /* construct_mic_header2() */
919 /* Builds the last MIC header block from */
920 /* header fields. */
921 /************************************************/
construct_ctr_preload(u8 * ctr_preload,int a4_exists,int qc_exists,u8 * mpdu,u8 * pn_vector,int c)922 static void construct_ctr_preload(u8 *ctr_preload, int a4_exists, int qc_exists, u8 *mpdu, u8 *pn_vector, int c)
923 {
924 int i;
925
926 for (i = 0; i < 16; i++)
927 ctr_preload[i] = 0x00;
928 i = 0;
929
930 ctr_preload[0] = 0x01; /* flag */
931 if (qc_exists && a4_exists)
932 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
933 if (qc_exists && !a4_exists)
934 ctr_preload[1] = mpdu[24] & 0x0f;
935
936 for (i = 2; i < 8; i++)
937 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
938 for (i = 8; i < 14; i++)
939 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
940 ctr_preload[14] = (unsigned char)(c / 256); /* Ctr */
941 ctr_preload[15] = (unsigned char)(c % 256);
942
943 }
944
945 /************************************/
946 /* bitwise_xor() */
947 /* A 128 bit, bitwise exclusive or */
948 /************************************/
bitwise_xor(u8 * ina,u8 * inb,u8 * out)949 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out)
950 {
951 int i;
952
953 for (i = 0; i < 16; i++)
954 out[i] = ina[i] ^ inb[i];
955
956 }
957
aes_cipher(u8 * key,uint hdrlen,u8 * pframe,uint plen)958 static int aes_cipher(u8 *key, uint hdrlen, u8 *pframe, uint plen)
959 {
960 uint qc_exists, a4_exists, i, j, payload_remainder,
961 num_blocks, payload_index;
962
963 u8 pn_vector[6];
964 u8 mic_iv[16];
965 u8 mic_header1[16];
966 u8 mic_header2[16];
967 u8 ctr_preload[16];
968
969 /* Intermediate Buffers */
970 u8 chain_buffer[16];
971 u8 aes_out[16];
972 u8 padded_buffer[16];
973 u8 mic[8];
974 uint frtype = GetFrameType(pframe);
975 uint frsubtype = GetFrameSubType(pframe);
976
977 frsubtype = frsubtype >> 4;
978
979 memset((void *)mic_iv, 0, 16);
980 memset((void *)mic_header1, 0, 16);
981 memset((void *)mic_header2, 0, 16);
982 memset((void *)ctr_preload, 0, 16);
983 memset((void *)chain_buffer, 0, 16);
984 memset((void *)aes_out, 0, 16);
985 memset((void *)padded_buffer, 0, 16);
986
987 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
988 a4_exists = 0;
989 else
990 a4_exists = 1;
991
992 if ((frtype == WIFI_DATA_CFACK) || (frtype == WIFI_DATA_CFPOLL) || (frtype == WIFI_DATA_CFACKPOLL)) {
993 qc_exists = 1;
994 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
995 hdrlen += 2;
996 } else if ((frsubtype == 0x08) || (frsubtype == 0x09) || (frsubtype == 0x0a) || (frsubtype == 0x0b)) {
997 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
998 hdrlen += 2;
999 qc_exists = 1;
1000 } else {
1001 qc_exists = 0;
1002 }
1003
1004 pn_vector[0] = pframe[hdrlen];
1005 pn_vector[1] = pframe[hdrlen + 1];
1006 pn_vector[2] = pframe[hdrlen + 4];
1007 pn_vector[3] = pframe[hdrlen + 5];
1008 pn_vector[4] = pframe[hdrlen + 6];
1009 pn_vector[5] = pframe[hdrlen + 7];
1010
1011 construct_mic_iv(mic_iv, qc_exists, a4_exists, pframe, plen, pn_vector);
1012
1013 construct_mic_header1(mic_header1, hdrlen, pframe);
1014 construct_mic_header2(mic_header2, pframe, a4_exists, qc_exists);
1015
1016 payload_remainder = plen % 16;
1017 num_blocks = plen / 16;
1018
1019 /* Find start of payload */
1020 payload_index = (hdrlen + 8);
1021
1022 /* Calculate MIC */
1023 aes128k128d(key, mic_iv, aes_out);
1024 bitwise_xor(aes_out, mic_header1, chain_buffer);
1025 aes128k128d(key, chain_buffer, aes_out);
1026 bitwise_xor(aes_out, mic_header2, chain_buffer);
1027 aes128k128d(key, chain_buffer, aes_out);
1028
1029 for (i = 0; i < num_blocks; i++) {
1030 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);/* bitwise_xor(aes_out, &message[payload_index], chain_buffer); */
1031
1032 payload_index += 16;
1033 aes128k128d(key, chain_buffer, aes_out);
1034 }
1035
1036 /* Add on the final payload block if it needs padding */
1037 if (payload_remainder > 0) {
1038 for (j = 0; j < 16; j++)
1039 padded_buffer[j] = 0x00;
1040 for (j = 0; j < payload_remainder; j++)
1041 padded_buffer[j] = pframe[payload_index++];/* padded_buffer[j] = message[payload_index++]; */
1042 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1043 aes128k128d(key, chain_buffer, aes_out);
1044 }
1045
1046 for (j = 0; j < 8; j++)
1047 mic[j] = aes_out[j];
1048
1049 /* Insert MIC into payload */
1050 for (j = 0; j < 8; j++)
1051 pframe[payload_index + j] = mic[j]; /* message[payload_index+j] = mic[j]; */
1052
1053 payload_index = hdrlen + 8;
1054 for (i = 0; i < num_blocks; i++) {
1055 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, i + 1);
1056 aes128k128d(key, ctr_preload, aes_out);
1057 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);
1058 for (j = 0; j < 16; j++)
1059 pframe[payload_index++] = chain_buffer[j];
1060 }
1061
1062 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1063 /* encrypt it and copy the unpadded part back */
1064 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, num_blocks + 1);
1065
1066 for (j = 0; j < 16; j++)
1067 padded_buffer[j] = 0x00;
1068 for (j = 0; j < payload_remainder; j++)
1069 padded_buffer[j] = pframe[payload_index + j];
1070 aes128k128d(key, ctr_preload, aes_out);
1071 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1072 for (j = 0; j < payload_remainder; j++)
1073 pframe[payload_index++] = chain_buffer[j];
1074 }
1075 /* Encrypt the MIC */
1076 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, 0);
1077
1078 for (j = 0; j < 16; j++)
1079 padded_buffer[j] = 0x00;
1080 for (j = 0; j < 8; j++)
1081 padded_buffer[j] = pframe[j + hdrlen + 8 + plen];
1082
1083 aes128k128d(key, ctr_preload, aes_out);
1084 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1085 for (j = 0; j < 8; j++)
1086 pframe[payload_index++] = chain_buffer[j];
1087
1088 return _SUCCESS;
1089 }
1090
rtw_aes_encrypt(struct adapter * padapter,struct xmit_frame * pxmitframe)1091 u32 rtw_aes_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
1092 { /* exclude ICV */
1093
1094 /*static*/
1095 /* unsigned char message[MAX_MSG_SIZE]; */
1096
1097 /* Intermediate Buffers */
1098 int curfragnum, length;
1099 u8 *pframe, *prwskey; /* *payload,*iv */
1100 u8 hw_hdr_offset = 0;
1101 struct sta_info *stainfo;
1102 struct pkt_attrib *pattrib = &pxmitframe->attrib;
1103 struct security_priv *psecuritypriv = &padapter->securitypriv;
1104 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
1105
1106 /* uint offset = 0; */
1107 u32 res = _SUCCESS;
1108
1109 if (!pxmitframe->buf_addr)
1110 return _FAIL;
1111
1112 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
1113 pframe = pxmitframe->buf_addr + hw_hdr_offset;
1114
1115 /* 4 start to encrypt each fragment */
1116 if (pattrib->encrypt == _AES_) {
1117 if (pattrib->psta)
1118 stainfo = pattrib->psta;
1119 else
1120 stainfo = rtw_get_stainfo(&padapter->stapriv, &pattrib->ra[0]);
1121
1122 if (stainfo) {
1123 if (is_multicast_ether_addr(pattrib->ra))
1124 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
1125 else
1126 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
1127 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
1128 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
1129 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
1130
1131 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
1132 } else {
1133 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
1134
1135 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
1136 pframe += pxmitpriv->frag_len;
1137 pframe = (u8 *)RND4((size_t)(pframe));
1138 }
1139 }
1140 } else {
1141 res = _FAIL;
1142 }
1143 }
1144
1145 return res;
1146 }
1147
aes_decipher(u8 * key,uint hdrlen,u8 * pframe,uint plen)1148 static int aes_decipher(u8 *key, uint hdrlen,
1149 u8 *pframe, uint plen)
1150 {
1151 static u8 message[MAX_MSG_SIZE];
1152 uint qc_exists, a4_exists, i, j, payload_remainder,
1153 num_blocks, payload_index;
1154 int res = _SUCCESS;
1155 u8 pn_vector[6];
1156 u8 mic_iv[16];
1157 u8 mic_header1[16];
1158 u8 mic_header2[16];
1159 u8 ctr_preload[16];
1160
1161 /* Intermediate Buffers */
1162 u8 chain_buffer[16];
1163 u8 aes_out[16];
1164 u8 padded_buffer[16];
1165 u8 mic[8];
1166
1167 /* uint offset = 0; */
1168 uint frtype = GetFrameType(pframe);
1169 uint frsubtype = GetFrameSubType(pframe);
1170
1171 frsubtype = frsubtype >> 4;
1172
1173 memset((void *)mic_iv, 0, 16);
1174 memset((void *)mic_header1, 0, 16);
1175 memset((void *)mic_header2, 0, 16);
1176 memset((void *)ctr_preload, 0, 16);
1177 memset((void *)chain_buffer, 0, 16);
1178 memset((void *)aes_out, 0, 16);
1179 memset((void *)padded_buffer, 0, 16);
1180
1181 /* start to decrypt the payload */
1182
1183 num_blocks = (plen - 8) / 16; /* plen including llc, payload_length and mic) */
1184
1185 payload_remainder = (plen - 8) % 16;
1186
1187 pn_vector[0] = pframe[hdrlen];
1188 pn_vector[1] = pframe[hdrlen + 1];
1189 pn_vector[2] = pframe[hdrlen + 4];
1190 pn_vector[3] = pframe[hdrlen + 5];
1191 pn_vector[4] = pframe[hdrlen + 6];
1192 pn_vector[5] = pframe[hdrlen + 7];
1193
1194 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
1195 a4_exists = 0;
1196 else
1197 a4_exists = 1;
1198
1199 if ((frtype == WIFI_DATA_CFACK) || (frtype == WIFI_DATA_CFPOLL) ||
1200 (frtype == WIFI_DATA_CFACKPOLL)) {
1201 qc_exists = 1;
1202 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1203 hdrlen += 2;
1204 } else if ((frsubtype == 0x08) || (frsubtype == 0x09) ||
1205 (frsubtype == 0x0a) || (frsubtype == 0x0b)) {
1206 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1207 hdrlen += 2;
1208 qc_exists = 1;
1209 } else {
1210 qc_exists = 0;
1211 }
1212
1213 /* now, decrypt pframe with hdrlen offset and plen long */
1214
1215 payload_index = hdrlen + 8; /* 8 is for extiv */
1216
1217 for (i = 0; i < num_blocks; i++) {
1218 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, i + 1);
1219
1220 aes128k128d(key, ctr_preload, aes_out);
1221 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);
1222
1223 for (j = 0; j < 16; j++)
1224 pframe[payload_index++] = chain_buffer[j];
1225 }
1226
1227 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1228 /* encrypt it and copy the unpadded part back */
1229 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, num_blocks + 1);
1230
1231 for (j = 0; j < 16; j++)
1232 padded_buffer[j] = 0x00;
1233 for (j = 0; j < payload_remainder; j++)
1234 padded_buffer[j] = pframe[payload_index + j];
1235 aes128k128d(key, ctr_preload, aes_out);
1236 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1237 for (j = 0; j < payload_remainder; j++)
1238 pframe[payload_index++] = chain_buffer[j];
1239 }
1240
1241 /* start to calculate the mic */
1242 if ((hdrlen + plen + 8) <= MAX_MSG_SIZE)
1243 memcpy(message, pframe, (hdrlen + plen + 8)); /* 8 is for ext iv len */
1244
1245 pn_vector[0] = pframe[hdrlen];
1246 pn_vector[1] = pframe[hdrlen + 1];
1247 pn_vector[2] = pframe[hdrlen + 4];
1248 pn_vector[3] = pframe[hdrlen + 5];
1249 pn_vector[4] = pframe[hdrlen + 6];
1250 pn_vector[5] = pframe[hdrlen + 7];
1251 construct_mic_iv(mic_iv, qc_exists, a4_exists, message, plen - 8, pn_vector);
1252
1253 construct_mic_header1(mic_header1, hdrlen, message);
1254 construct_mic_header2(mic_header2, message, a4_exists, qc_exists);
1255
1256 payload_remainder = (plen - 8) % 16;
1257 num_blocks = (plen - 8) / 16;
1258
1259 /* Find start of payload */
1260 payload_index = (hdrlen + 8);
1261
1262 /* Calculate MIC */
1263 aes128k128d(key, mic_iv, aes_out);
1264 bitwise_xor(aes_out, mic_header1, chain_buffer);
1265 aes128k128d(key, chain_buffer, aes_out);
1266 bitwise_xor(aes_out, mic_header2, chain_buffer);
1267 aes128k128d(key, chain_buffer, aes_out);
1268
1269 for (i = 0; i < num_blocks; i++) {
1270 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1271
1272 payload_index += 16;
1273 aes128k128d(key, chain_buffer, aes_out);
1274 }
1275
1276 /* Add on the final payload block if it needs padding */
1277 if (payload_remainder > 0) {
1278 for (j = 0; j < 16; j++)
1279 padded_buffer[j] = 0x00;
1280 for (j = 0; j < payload_remainder; j++)
1281 padded_buffer[j] = message[payload_index++];
1282 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1283 aes128k128d(key, chain_buffer, aes_out);
1284 }
1285
1286 for (j = 0 ; j < 8; j++)
1287 mic[j] = aes_out[j];
1288
1289 /* Insert MIC into payload */
1290 for (j = 0; j < 8; j++)
1291 message[payload_index + j] = mic[j];
1292
1293 payload_index = hdrlen + 8;
1294 for (i = 0; i < num_blocks; i++) {
1295 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, i + 1);
1296 aes128k128d(key, ctr_preload, aes_out);
1297 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1298 for (j = 0; j < 16; j++)
1299 message[payload_index++] = chain_buffer[j];
1300 }
1301
1302 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1303 /* encrypt it and copy the unpadded part back */
1304 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, num_blocks + 1);
1305
1306 for (j = 0; j < 16; j++)
1307 padded_buffer[j] = 0x00;
1308 for (j = 0; j < payload_remainder; j++)
1309 padded_buffer[j] = message[payload_index + j];
1310 aes128k128d(key, ctr_preload, aes_out);
1311 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1312 for (j = 0; j < payload_remainder; j++)
1313 message[payload_index++] = chain_buffer[j];
1314 }
1315
1316 /* Encrypt the MIC */
1317 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, 0);
1318
1319 for (j = 0; j < 16; j++)
1320 padded_buffer[j] = 0x00;
1321 for (j = 0; j < 8; j++)
1322 padded_buffer[j] = message[j + hdrlen + 8 + plen - 8];
1323
1324 aes128k128d(key, ctr_preload, aes_out);
1325 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1326 for (j = 0; j < 8; j++)
1327 message[payload_index++] = chain_buffer[j];
1328
1329 /* compare the mic */
1330 for (i = 0; i < 8; i++) {
1331 if (pframe[hdrlen + 8 + plen - 8 + i] != message[hdrlen + 8 + plen - 8 + i]) {
1332 DBG_88E("aes_decipher:mic check error mic[%d]: pframe(%x)!=message(%x)\n",
1333 i, pframe[hdrlen + 8 + plen - 8 + i], message[hdrlen + 8 + plen - 8 + i]);
1334 res = _FAIL;
1335 }
1336 }
1337
1338 return res;
1339 }
1340
rtw_aes_decrypt(struct adapter * padapter,struct recv_frame * precvframe)1341 u32 rtw_aes_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
1342 { /* exclude ICV */
1343 /* Intermediate Buffers */
1344 int length;
1345 u8 *pframe, *prwskey; /* *payload,*iv */
1346 struct sta_info *stainfo;
1347 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
1348 struct security_priv *psecuritypriv = &padapter->securitypriv;
1349 u32 res = _SUCCESS;
1350
1351 pframe = precvframe->rx_data;
1352
1353 /* 4 start to encrypt each fragment */
1354 if (prxattrib->encrypt == _AES_) {
1355 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
1356 if (stainfo) {
1357 if (is_multicast_ether_addr(prxattrib->ra)) {
1358 /* in concurrent we should use sw descrypt in group key, so we remove this message */
1359 if (!psecuritypriv->binstallGrpkey) {
1360 res = _FAIL;
1361 DBG_88E("%s:rx bc/mc packets, but didn't install group key!!!!!!!!!!\n", __func__);
1362 goto exit;
1363 }
1364 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
1365 if (psecuritypriv->dot118021XGrpKeyid != prxattrib->key_index) {
1366 DBG_88E("not match packet_index=%d, install_index=%d\n",
1367 prxattrib->key_index, psecuritypriv->dot118021XGrpKeyid);
1368 res = _FAIL;
1369 goto exit;
1370 }
1371 } else {
1372 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
1373 }
1374 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
1375 res = aes_decipher(prwskey, prxattrib->hdrlen, pframe, length);
1376 } else {
1377 res = _FAIL;
1378 }
1379 }
1380
1381 exit:
1382 return res;
1383 }
1384
1385 /* AES tables*/
1386 const u32 Te0[256] = {
1387 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
1388 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
1389 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
1390 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
1391 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
1392 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
1393 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
1394 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
1395 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
1396 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
1397 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
1398 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
1399 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
1400 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
1401 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
1402 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
1403 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
1404 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
1405 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
1406 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
1407 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
1408 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
1409 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
1410 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
1411 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
1412 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
1413 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
1414 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
1415 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
1416 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
1417 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
1418 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
1419 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
1420 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
1421 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
1422 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
1423 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
1424 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
1425 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
1426 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
1427 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
1428 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
1429 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
1430 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
1431 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
1432 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
1433 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
1434 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
1435 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
1436 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
1437 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
1438 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
1439 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
1440 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
1441 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
1442 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
1443 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
1444 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
1445 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
1446 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
1447 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
1448 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
1449 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
1450 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
1451 };
1452
1453 const u32 Td0[256] = {
1454 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
1455 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
1456 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
1457 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
1458 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
1459 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
1460 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
1461 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
1462 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
1463 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
1464 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
1465 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
1466 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
1467 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
1468 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
1469 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
1470 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
1471 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
1472 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
1473 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
1474 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
1475 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
1476 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
1477 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
1478 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
1479 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
1480 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
1481 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
1482 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
1483 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
1484 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
1485 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
1486 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
1487 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
1488 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
1489 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
1490 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
1491 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
1492 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
1493 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
1494 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
1495 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
1496 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
1497 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
1498 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
1499 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
1500 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
1501 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
1502 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
1503 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
1504 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
1505 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
1506 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
1507 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
1508 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
1509 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
1510 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
1511 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
1512 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
1513 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
1514 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
1515 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
1516 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
1517 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
1518 };
1519
1520 const u8 Td4s[256] = {
1521 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
1522 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
1523 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
1524 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU,
1525 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU,
1526 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU,
1527 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U,
1528 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U,
1529 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U,
1530 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U,
1531 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU,
1532 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U,
1533 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU,
1534 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U,
1535 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U,
1536 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU,
1537 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU,
1538 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U,
1539 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U,
1540 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU,
1541 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U,
1542 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU,
1543 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U,
1544 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U,
1545 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U,
1546 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU,
1547 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU,
1548 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU,
1549 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U,
1550 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U,
1551 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
1552 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
1553 };
1554 const u8 rcons[] = {
1555 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
1556 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
1557 };
1558