1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2007 - 2011 Realtek Corporation. */
4 #define _RTW_SECURITY_C_
6 #include "../include/osdep_service.h"
7 #include "../include/drv_types.h"
8 #include "../include/wifi.h"
9 #include "../include/osdep_intf.h"
11 /* WEP related ===== */
14 Need to consider the fragment situation
16 void rtw_wep_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
23 int curfragnum, length;
26 u8 *pframe, *payload, *iv; /* wepkey */
29 struct pkt_attrib *pattrib = &pxmitframe->attrib;
30 struct security_priv *psecuritypriv = &padapter->securitypriv;
31 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
32 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
34 if (!pxmitframe->buf_addr)
37 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
38 pframe = pxmitframe->buf_addr + hw_hdr_offset;
40 /* start to encrypt each fragment */
41 if ((pattrib->encrypt == _WEP40_) || (pattrib->encrypt == _WEP104_)) {
42 keylength = psecuritypriv->dot11DefKeylen[psecuritypriv->dot11PrivacyKeyIndex];
44 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
45 iv = pframe + pattrib->hdrlen;
46 memcpy(&wepkey[0], iv, 3);
47 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength);
48 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
50 if ((curfragnum + 1) == pattrib->nr_frags) { /* the last fragment */
51 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
53 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
55 arc4_setkey(ctx, wepkey, 3 + keylength);
56 arc4_crypt(ctx, payload, payload, length);
57 arc4_crypt(ctx, payload + length, crc.f1, 4);
59 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
60 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
61 arc4_setkey(ctx, wepkey, 3 + keylength);
62 arc4_crypt(ctx, payload, payload, length);
63 arc4_crypt(ctx, payload + length, crc.f1, 4);
65 pframe += pxmitpriv->frag_len;
66 pframe = (u8 *)RND4((size_t)(pframe));
73 void rtw_wep_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
78 u8 *pframe, *payload, *iv, wepkey[16];
80 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
81 struct security_priv *psecuritypriv = &padapter->securitypriv;
82 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
84 pframe = precvframe->rx_data;
86 /* start to decrypt recvframe */
87 if ((prxattrib->encrypt == _WEP40_) || (prxattrib->encrypt == _WEP104_)) {
88 iv = pframe + prxattrib->hdrlen;
89 keyindex = prxattrib->key_index;
90 keylength = psecuritypriv->dot11DefKeylen[keyindex];
91 memcpy(&wepkey[0], iv, 3);
92 memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
93 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
95 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
97 /* decrypt payload include icv */
98 arc4_setkey(ctx, wepkey, 3 + keylength);
99 arc4_crypt(ctx, payload, payload, length);
103 /* 3 ===== TKIP related ===== */
105 static u32 secmicgetuint32(u8 *p)
106 /* Convert from Byte[] to Us3232 in a portable way */
111 for (i = 0; i < 4; i++)
112 res |= ((u32)(*p++)) << (8 * i);
117 static void secmicputuint32(u8 *p, u32 val)
118 /* Convert from Us3232 to Byte[] in a portable way */
122 for (i = 0; i < 4; i++) {
123 *p++ = (u8)(val & 0xff);
129 static void secmicclear(struct mic_data *pmicdata)
131 /* Reset the state to the empty message. */
133 pmicdata->L = pmicdata->K0;
134 pmicdata->R = pmicdata->K1;
135 pmicdata->nBytesInM = 0;
140 void rtw_secmicsetkey(struct mic_data *pmicdata, u8 *key)
144 pmicdata->K0 = secmicgetuint32(key);
145 pmicdata->K1 = secmicgetuint32(key + 4);
146 /* and reset the message */
147 secmicclear(pmicdata);
151 void rtw_secmicappendbyte(struct mic_data *pmicdata, u8 b)
154 /* Append the byte to our word-sized buffer */
155 pmicdata->M |= ((unsigned long)b) << (8 * pmicdata->nBytesInM);
156 pmicdata->nBytesInM++;
157 /* Process the word if it is full. */
158 if (pmicdata->nBytesInM >= 4) {
159 pmicdata->L ^= pmicdata->M;
160 pmicdata->R ^= ROL32(pmicdata->L, 17);
161 pmicdata->L += pmicdata->R;
162 pmicdata->R ^= ((pmicdata->L & 0xff00ff00) >> 8) | ((pmicdata->L & 0x00ff00ff) << 8);
163 pmicdata->L += pmicdata->R;
164 pmicdata->R ^= ROL32(pmicdata->L, 3);
165 pmicdata->L += pmicdata->R;
166 pmicdata->R ^= ROR32(pmicdata->L, 2);
167 pmicdata->L += pmicdata->R;
168 /* Clear the buffer */
170 pmicdata->nBytesInM = 0;
175 void rtw_secmicappend(struct mic_data *pmicdata, u8 *src, u32 nbytes)
180 rtw_secmicappendbyte(pmicdata, *src++);
186 void rtw_secgetmic(struct mic_data *pmicdata, u8 *dst)
189 /* Append the minimum padding */
190 rtw_secmicappendbyte(pmicdata, 0x5a);
191 rtw_secmicappendbyte(pmicdata, 0);
192 rtw_secmicappendbyte(pmicdata, 0);
193 rtw_secmicappendbyte(pmicdata, 0);
194 rtw_secmicappendbyte(pmicdata, 0);
195 /* and then zeroes until the length is a multiple of 4 */
196 while (pmicdata->nBytesInM != 0)
197 rtw_secmicappendbyte(pmicdata, 0);
198 /* The appendByte function has already computed the result. */
199 secmicputuint32(dst, pmicdata->L);
200 secmicputuint32(dst + 4, pmicdata->R);
201 /* Reset to the empty message. */
202 secmicclear(pmicdata);
206 void rtw_seccalctkipmic(u8 *key, u8 *header, u8 *data, u32 data_len, u8 *mic_code, u8 pri)
208 struct mic_data micdata;
209 u8 priority[4] = {0x0, 0x0, 0x0, 0x0};
211 rtw_secmicsetkey(&micdata, key);
214 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */
215 if (header[1] & 1) { /* ToDS == 1 */
216 rtw_secmicappend(&micdata, &header[16], 6); /* DA */
217 if (header[1] & 2) /* From Ds == 1 */
218 rtw_secmicappend(&micdata, &header[24], 6);
220 rtw_secmicappend(&micdata, &header[10], 6);
221 } else { /* ToDS == 0 */
222 rtw_secmicappend(&micdata, &header[4], 6); /* DA */
223 if (header[1] & 2) /* From Ds == 1 */
224 rtw_secmicappend(&micdata, &header[16], 6);
226 rtw_secmicappend(&micdata, &header[10], 6);
228 rtw_secmicappend(&micdata, &priority[0], 4);
230 rtw_secmicappend(&micdata, data, data_len);
232 rtw_secgetmic(&micdata, mic_code);
236 /* macros for extraction/creation of unsigned char/unsigned short values */
237 #define RotR1(v16) ((((v16) >> 1) & 0x7FFF) ^ (((v16) & 1) << 15))
238 #define Lo8(v16) ((u8)((v16) & 0x00FF))
239 #define Hi8(v16) ((u8)(((v16) >> 8) & 0x00FF))
240 #define Lo16(v32) ((u16)((v32) & 0xFFFF))
241 #define Hi16(v32) ((u16)(((v32) >> 16) & 0xFFFF))
242 #define Mk16(hi, lo) ((lo) ^ (((u16)(hi)) << 8))
244 /* select the Nth 16-bit word of the temporal key unsigned char array TK[] */
245 #define TK16(N) Mk16(tk[2 * (N) + 1], tk[2 * (N)])
247 /* S-box lookup: 16 bits --> 16 bits */
248 #define _S_(v16) (Sbox1[0][Lo8(v16)] ^ Sbox1[1][Hi8(v16)])
250 /* fixed algorithm "parameters" */
251 #define PHASE1_LOOP_CNT 8 /* this needs to be "big enough" */
252 #define TA_SIZE 6 /* 48-bit transmitter address */
253 #define TK_SIZE 16 /* 128-bit temporal key */
254 #define P1K_SIZE 10 /* 80-bit Phase1 key */
255 #define RC4_KEY_SIZE 16 /* 128-bit RC4KEY (104 bits unknown) */
257 /* 2-unsigned char by 2-unsigned char subset of the full AES S-box table */
258 static const unsigned short Sbox1[2][256] = { /* Sbox for hash (can be in ROM) */
260 0xC6A5, 0xF884, 0xEE99, 0xF68D, 0xFF0D, 0xD6BD, 0xDEB1, 0x9154,
261 0x6050, 0x0203, 0xCEA9, 0x567D, 0xE719, 0xB562, 0x4DE6, 0xEC9A,
262 0x8F45, 0x1F9D, 0x8940, 0xFA87, 0xEF15, 0xB2EB, 0x8EC9, 0xFB0B,
263 0x41EC, 0xB367, 0x5FFD, 0x45EA, 0x23BF, 0x53F7, 0xE496, 0x9B5B,
264 0x75C2, 0xE11C, 0x3DAE, 0x4C6A, 0x6C5A, 0x7E41, 0xF502, 0x834F,
265 0x685C, 0x51F4, 0xD134, 0xF908, 0xE293, 0xAB73, 0x6253, 0x2A3F,
266 0x080C, 0x9552, 0x4665, 0x9D5E, 0x3028, 0x37A1, 0x0A0F, 0x2FB5,
267 0x0E09, 0x2436, 0x1B9B, 0xDF3D, 0xCD26, 0x4E69, 0x7FCD, 0xEA9F,
268 0x121B, 0x1D9E, 0x5874, 0x342E, 0x362D, 0xDCB2, 0xB4EE, 0x5BFB,
269 0xA4F6, 0x764D, 0xB761, 0x7DCE, 0x527B, 0xDD3E, 0x5E71, 0x1397,
270 0xA6F5, 0xB968, 0x0000, 0xC12C, 0x4060, 0xE31F, 0x79C8, 0xB6ED,
271 0xD4BE, 0x8D46, 0x67D9, 0x724B, 0x94DE, 0x98D4, 0xB0E8, 0x854A,
272 0xBB6B, 0xC52A, 0x4FE5, 0xED16, 0x86C5, 0x9AD7, 0x6655, 0x1194,
273 0x8ACF, 0xE910, 0x0406, 0xFE81, 0xA0F0, 0x7844, 0x25BA, 0x4BE3,
274 0xA2F3, 0x5DFE, 0x80C0, 0x058A, 0x3FAD, 0x21BC, 0x7048, 0xF104,
275 0x63DF, 0x77C1, 0xAF75, 0x4263, 0x2030, 0xE51A, 0xFD0E, 0xBF6D,
276 0x814C, 0x1814, 0x2635, 0xC32F, 0xBEE1, 0x35A2, 0x88CC, 0x2E39,
277 0x9357, 0x55F2, 0xFC82, 0x7A47, 0xC8AC, 0xBAE7, 0x322B, 0xE695,
278 0xC0A0, 0x1998, 0x9ED1, 0xA37F, 0x4466, 0x547E, 0x3BAB, 0x0B83,
279 0x8CCA, 0xC729, 0x6BD3, 0x283C, 0xA779, 0xBCE2, 0x161D, 0xAD76,
280 0xDB3B, 0x6456, 0x744E, 0x141E, 0x92DB, 0x0C0A, 0x486C, 0xB8E4,
281 0x9F5D, 0xBD6E, 0x43EF, 0xC4A6, 0x39A8, 0x31A4, 0xD337, 0xF28B,
282 0xD532, 0x8B43, 0x6E59, 0xDAB7, 0x018C, 0xB164, 0x9CD2, 0x49E0,
283 0xD8B4, 0xACFA, 0xF307, 0xCF25, 0xCAAF, 0xF48E, 0x47E9, 0x1018,
284 0x6FD5, 0xF088, 0x4A6F, 0x5C72, 0x3824, 0x57F1, 0x73C7, 0x9751,
285 0xCB23, 0xA17C, 0xE89C, 0x3E21, 0x96DD, 0x61DC, 0x0D86, 0x0F85,
286 0xE090, 0x7C42, 0x71C4, 0xCCAA, 0x90D8, 0x0605, 0xF701, 0x1C12,
287 0xC2A3, 0x6A5F, 0xAEF9, 0x69D0, 0x1791, 0x9958, 0x3A27, 0x27B9,
288 0xD938, 0xEB13, 0x2BB3, 0x2233, 0xD2BB, 0xA970, 0x0789, 0x33A7,
289 0x2DB6, 0x3C22, 0x1592, 0xC920, 0x8749, 0xAAFF, 0x5078, 0xA57A,
290 0x038F, 0x59F8, 0x0980, 0x1A17, 0x65DA, 0xD731, 0x84C6, 0xD0B8,
291 0x82C3, 0x29B0, 0x5A77, 0x1E11, 0x7BCB, 0xA8FC, 0x6DD6, 0x2C3A,
294 { /* second half of table is unsigned char-reversed version of first! */
295 0xA5C6, 0x84F8, 0x99EE, 0x8DF6, 0x0DFF, 0xBDD6, 0xB1DE, 0x5491,
296 0x5060, 0x0302, 0xA9CE, 0x7D56, 0x19E7, 0x62B5, 0xE64D, 0x9AEC,
297 0x458F, 0x9D1F, 0x4089, 0x87FA, 0x15EF, 0xEBB2, 0xC98E, 0x0BFB,
298 0xEC41, 0x67B3, 0xFD5F, 0xEA45, 0xBF23, 0xF753, 0x96E4, 0x5B9B,
299 0xC275, 0x1CE1, 0xAE3D, 0x6A4C, 0x5A6C, 0x417E, 0x02F5, 0x4F83,
300 0x5C68, 0xF451, 0x34D1, 0x08F9, 0x93E2, 0x73AB, 0x5362, 0x3F2A,
301 0x0C08, 0x5295, 0x6546, 0x5E9D, 0x2830, 0xA137, 0x0F0A, 0xB52F,
302 0x090E, 0x3624, 0x9B1B, 0x3DDF, 0x26CD, 0x694E, 0xCD7F, 0x9FEA,
303 0x1B12, 0x9E1D, 0x7458, 0x2E34, 0x2D36, 0xB2DC, 0xEEB4, 0xFB5B,
304 0xF6A4, 0x4D76, 0x61B7, 0xCE7D, 0x7B52, 0x3EDD, 0x715E, 0x9713,
305 0xF5A6, 0x68B9, 0x0000, 0x2CC1, 0x6040, 0x1FE3, 0xC879, 0xEDB6,
306 0xBED4, 0x468D, 0xD967, 0x4B72, 0xDE94, 0xD498, 0xE8B0, 0x4A85,
307 0x6BBB, 0x2AC5, 0xE54F, 0x16ED, 0xC586, 0xD79A, 0x5566, 0x9411,
308 0xCF8A, 0x10E9, 0x0604, 0x81FE, 0xF0A0, 0x4478, 0xBA25, 0xE34B,
309 0xF3A2, 0xFE5D, 0xC080, 0x8A05, 0xAD3F, 0xBC21, 0x4870, 0x04F1,
310 0xDF63, 0xC177, 0x75AF, 0x6342, 0x3020, 0x1AE5, 0x0EFD, 0x6DBF,
311 0x4C81, 0x1418, 0x3526, 0x2FC3, 0xE1BE, 0xA235, 0xCC88, 0x392E,
312 0x5793, 0xF255, 0x82FC, 0x477A, 0xACC8, 0xE7BA, 0x2B32, 0x95E6,
313 0xA0C0, 0x9819, 0xD19E, 0x7FA3, 0x6644, 0x7E54, 0xAB3B, 0x830B,
314 0xCA8C, 0x29C7, 0xD36B, 0x3C28, 0x79A7, 0xE2BC, 0x1D16, 0x76AD,
315 0x3BDB, 0x5664, 0x4E74, 0x1E14, 0xDB92, 0x0A0C, 0x6C48, 0xE4B8,
316 0x5D9F, 0x6EBD, 0xEF43, 0xA6C4, 0xA839, 0xA431, 0x37D3, 0x8BF2,
317 0x32D5, 0x438B, 0x596E, 0xB7DA, 0x8C01, 0x64B1, 0xD29C, 0xE049,
318 0xB4D8, 0xFAAC, 0x07F3, 0x25CF, 0xAFCA, 0x8EF4, 0xE947, 0x1810,
319 0xD56F, 0x88F0, 0x6F4A, 0x725C, 0x2438, 0xF157, 0xC773, 0x5197,
320 0x23CB, 0x7CA1, 0x9CE8, 0x213E, 0xDD96, 0xDC61, 0x860D, 0x850F,
321 0x90E0, 0x427C, 0xC471, 0xAACC, 0xD890, 0x0506, 0x01F7, 0x121C,
322 0xA3C2, 0x5F6A, 0xF9AE, 0xD069, 0x9117, 0x5899, 0x273A, 0xB927,
323 0x38D9, 0x13EB, 0xB32B, 0x3322, 0xBBD2, 0x70A9, 0x8907, 0xA733,
324 0xB62D, 0x223C, 0x9215, 0x20C9, 0x4987, 0xFFAA, 0x7850, 0x7AA5,
325 0x8F03, 0xF859, 0x8009, 0x171A, 0xDA65, 0x31D7, 0xC684, 0xB8D0,
326 0xC382, 0xB029, 0x775A, 0x111E, 0xCB7B, 0xFCA8, 0xD66D, 0x3A2C,
331 **********************************************************************
332 * Routine: Phase 1 -- generate P1K, given TA, TK, IV32
335 * tk[] = temporal key [128 bits]
336 * ta[] = transmitter's MAC address [ 48 bits]
337 * iv32 = upper 32 bits of IV [ 32 bits]
339 * p1k[] = Phase 1 key [ 80 bits]
342 * This function only needs to be called every 2**16 packets,
343 * although in theory it could be called every packet.
345 **********************************************************************
347 static void phase1(u16 *p1k, const u8 *tk, const u8 *ta, u32 iv32)
351 /* Initialize the 80 bits of P1K[] from IV32 and TA[0..5] */
354 p1k[2] = Mk16(ta[1], ta[0]); /* use TA[] as little-endian */
355 p1k[3] = Mk16(ta[3], ta[2]);
356 p1k[4] = Mk16(ta[5], ta[4]);
358 /* Now compute an unbalanced Feistel cipher with 80-bit block */
359 /* size on the 80-bit block P1K[], using the 128-bit key TK[] */
360 for (i = 0; i < PHASE1_LOOP_CNT; i++) { /* Each add operation here is mod 2**16 */
361 p1k[0] += _S_(p1k[4] ^ TK16((i & 1) + 0));
362 p1k[1] += _S_(p1k[0] ^ TK16((i & 1) + 2));
363 p1k[2] += _S_(p1k[1] ^ TK16((i & 1) + 4));
364 p1k[3] += _S_(p1k[2] ^ TK16((i & 1) + 6));
365 p1k[4] += _S_(p1k[3] ^ TK16((i & 1) + 0));
366 p1k[4] += (unsigned short)i; /* avoid "slide attacks" */
372 **********************************************************************
373 * Routine: Phase 2 -- generate RC4KEY, given TK, P1K, IV16
376 * tk[] = Temporal key [128 bits]
377 * p1k[] = Phase 1 output key [ 80 bits]
378 * iv16 = low 16 bits of IV counter [ 16 bits]
380 * rc4key[] = the key used to encrypt the packet [128 bits]
383 * The value {TA, IV32, IV16} for Phase1/Phase2 must be unique
384 * across all packets using the same key TK value. Then, for a
385 * given value of TK[], this TKIP48 construction guarantees that
386 * the final RC4KEY value is unique across all packets.
388 * Suggested implementation optimization: if PPK[] is "overlaid"
389 * appropriately on RC4KEY[], there is no need for the final
390 * for loop below that copies the PPK[] result into RC4KEY[].
392 **********************************************************************
394 static void phase2(u8 *rc4key, const u8 *tk, const u16 *p1k, u16 iv16)
397 u16 PPK[6]; /* temporary key for mixing */
399 /* Note: all adds in the PPK[] equations below are mod 2**16 */
400 for (i = 0; i < 5; i++)
401 PPK[i] = p1k[i]; /* first, copy P1K to PPK */
402 PPK[5] = p1k[4] + iv16; /* next, add in IV16 */
404 /* Bijective non-linear mixing of the 96 bits of PPK[0..5] */
405 PPK[0] += _S_(PPK[5] ^ TK16(0)); /* Mix key in each "round" */
406 PPK[1] += _S_(PPK[0] ^ TK16(1));
407 PPK[2] += _S_(PPK[1] ^ TK16(2));
408 PPK[3] += _S_(PPK[2] ^ TK16(3));
409 PPK[4] += _S_(PPK[3] ^ TK16(4));
410 PPK[5] += _S_(PPK[4] ^ TK16(5)); /* Total # S-box lookups == 6 */
412 /* Final sweep: bijective, "linear". Rotates kill LSB correlations */
413 PPK[0] += RotR1(PPK[5] ^ TK16(6));
414 PPK[1] += RotR1(PPK[0] ^ TK16(7)); /* Use all of TK[] in Phase2 */
415 PPK[2] += RotR1(PPK[1]);
416 PPK[3] += RotR1(PPK[2]);
417 PPK[4] += RotR1(PPK[3]);
418 PPK[5] += RotR1(PPK[4]);
419 /* Note: At this point, for a given key TK[0..15], the 96-bit output */
420 /* value PPK[0..5] is guaranteed to be unique, as a function */
421 /* of the 96-bit "input" value {TA, IV32, IV16}. That is, P1K */
422 /* is now a keyed permutation of {TA, IV32, IV16}. */
424 /* Set RC4KEY[0..3], which includes "cleartext" portion of RC4 key */
425 rc4key[0] = Hi8(iv16); /* RC4KEY[0..2] is the WEP IV */
426 rc4key[1] = (Hi8(iv16) | 0x20) & 0x7F; /* Help avoid weak (FMS) keys */
427 rc4key[2] = Lo8(iv16);
428 rc4key[3] = Lo8((PPK[5] ^ TK16(0)) >> 1);
430 /* Copy 96 bits of PPK[0..5] to RC4KEY[4..15] (little-endian) */
431 for (i = 0; i < 6; i++) {
432 rc4key[4 + 2 * i] = Lo8(PPK[i]);
433 rc4key[5 + 2 * i] = Hi8(PPK[i]);
438 /* The hlen isn't include the IV */
439 u32 rtw_tkip_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
449 u8 hw_hdr_offset = 0;
450 int curfragnum, length;
452 u8 *pframe, *payload, *iv, *prwskey;
453 union pn48 dot11txpn;
454 struct sta_info *stainfo;
455 struct pkt_attrib *pattrib = &pxmitframe->attrib;
456 struct security_priv *psecuritypriv = &padapter->securitypriv;
457 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
458 struct arc4_ctx *ctx = &psecuritypriv->xmit_arc4_ctx;
461 if (!pxmitframe->buf_addr)
464 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
465 pframe = pxmitframe->buf_addr + hw_hdr_offset;
467 /* 4 start to encrypt each fragment */
468 if (pattrib->encrypt == _TKIP_) {
470 stainfo = pattrib->psta;
472 stainfo = rtw_get_stainfo(&padapter->stapriv, &pattrib->ra[0]);
475 if (is_multicast_ether_addr(pattrib->ra))
476 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
478 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
480 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
481 iv = pframe + pattrib->hdrlen;
482 payload = pframe + pattrib->iv_len + pattrib->hdrlen;
484 GET_TKIP_PN(iv, dot11txpn);
486 pnl = (u16)(dot11txpn.val);
487 pnh = (u32)(dot11txpn.val >> 16);
488 phase1((u16 *)&ttkey[0], prwskey, &pattrib->ta[0], pnh);
489 phase2(&rc4key[0], prwskey, (u16 *)&ttkey[0], pnl);
491 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
492 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
493 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
495 arc4_setkey(ctx, rc4key, 16);
496 arc4_crypt(ctx, payload, payload, length);
497 arc4_crypt(ctx, payload + length, crc.f1, 4);
499 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
500 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
502 arc4_setkey(ctx, rc4key, 16);
503 arc4_crypt(ctx, payload, payload, length);
504 arc4_crypt(ctx, payload + length, crc.f1, 4);
506 pframe += pxmitpriv->frag_len;
507 pframe = (u8 *)RND4((size_t)(pframe));
518 /* The hlen isn't include the IV */
519 u32 rtw_tkip_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
531 u8 *pframe, *payload, *iv, *prwskey;
532 union pn48 dot11txpn;
533 struct sta_info *stainfo;
534 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
535 struct security_priv *psecuritypriv = &padapter->securitypriv;
536 struct arc4_ctx *ctx = &psecuritypriv->recv_arc4_ctx;
539 pframe = precvframe->rx_data;
541 /* 4 start to decrypt recvframe */
542 if (prxattrib->encrypt == _TKIP_) {
543 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
545 if (is_multicast_ether_addr(prxattrib->ra)) {
546 if (!psecuritypriv->binstallGrpkey) {
548 netdev_dbg(padapter->pnetdev,
549 "rx bc/mc packets, but didn't install group key!\n");
552 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
554 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
557 iv = pframe + prxattrib->hdrlen;
558 payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
559 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
561 GET_TKIP_PN(iv, dot11txpn);
563 pnl = (u16)(dot11txpn.val);
564 pnh = (u32)(dot11txpn.val >> 16);
566 phase1((u16 *)&ttkey[0], prwskey, &prxattrib->ta[0], pnh);
567 phase2(&rc4key[0], prwskey, (unsigned short *)&ttkey[0], pnl);
569 /* 4 decrypt payload include icv */
571 arc4_setkey(ctx, rc4key, 16);
572 arc4_crypt(ctx, payload, payload, length);
574 crc.f0 = cpu_to_le32(~crc32_le(~0, payload, length));
576 if (crc.f1[3] != payload[length - 1] ||
577 crc.f1[2] != payload[length - 2] ||
578 crc.f1[1] != payload[length - 3] ||
579 crc.f1[0] != payload[length - 4])
590 /* 3 ===== AES related ===== */
592 #define MAX_MSG_SIZE 2048
593 /*****************************/
594 /******** SBOX Table *********/
595 /*****************************/
597 static u8 sbox_table[256] = {
598 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
599 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
600 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
601 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
602 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
603 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
604 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
605 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
606 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
607 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
608 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
609 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
610 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
611 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
612 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
613 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
614 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
615 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
616 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
617 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
618 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
619 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
620 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
621 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
622 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
623 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
624 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
625 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
626 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
627 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
628 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
629 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
632 /*****************************/
633 /**** Function Prototypes ****/
634 /*****************************/
636 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out);
637 static void construct_mic_iv(u8 *mic_header1, int qc_exists, int a4_exists, u8 *mpdu, uint payload_length, u8 *pn_vector);
638 static void construct_mic_header1(u8 *mic_header1, int header_length, u8 *mpdu);
639 static void construct_mic_header2(u8 *mic_header2, u8 *mpdu, int a4_exists, int qc_exists);
640 static void construct_ctr_preload(u8 *ctr_preload, int a4_exists, int qc_exists, u8 *mpdu, u8 *pn_vector, int c);
641 static void xor_128(u8 *a, u8 *b, u8 *out);
642 static void xor_32(u8 *a, u8 *b, u8 *out);
643 static u8 sbox(u8 a);
644 static void next_key(u8 *key, int round);
645 static void byte_sub(u8 *in, u8 *out);
646 static void shift_row(u8 *in, u8 *out);
647 static void mix_column(u8 *in, u8 *out);
648 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext);
650 /****************************************/
652 /* Performs a 128 bit AES encrypt with */
654 /****************************************/
655 static void xor_128(u8 *a, u8 *b, u8 *out)
659 for (i = 0; i < 16; i++)
660 out[i] = a[i] ^ b[i];
664 static void xor_32(u8 *a, u8 *b, u8 *out)
668 for (i = 0; i < 4; i++)
669 out[i] = a[i] ^ b[i];
675 return sbox_table[(int)a];
678 static void next_key(u8 *key, int round)
682 u8 rcon_table[12] = {
683 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
684 0x1b, 0x36, 0x36, 0x36
687 sbox_key[0] = sbox(key[13]);
688 sbox_key[1] = sbox(key[14]);
689 sbox_key[2] = sbox(key[15]);
690 sbox_key[3] = sbox(key[12]);
692 rcon = rcon_table[round];
694 xor_32(&key[0], sbox_key, &key[0]);
695 key[0] = key[0] ^ rcon;
697 xor_32(&key[4], &key[0], &key[4]);
698 xor_32(&key[8], &key[4], &key[8]);
699 xor_32(&key[12], &key[8], &key[12]);
703 static void byte_sub(u8 *in, u8 *out)
707 for (i = 0; i < 16; i++)
708 out[i] = sbox(in[i]);
712 static void shift_row(u8 *in, u8 *out)
734 static void mix_column(u8 *in, u8 *out)
746 for (i = 0 ; i < 4; i++) {
747 if ((in[i] & 0x80) == 0x80)
753 swap_halfs[0] = in[2]; /* Swap halves */
754 swap_halfs[1] = in[3];
755 swap_halfs[2] = in[0];
756 swap_halfs[3] = in[1];
758 rotl[0] = in[3]; /* Rotate left 8 bits */
763 andf7[0] = in[0] & 0x7f;
764 andf7[1] = in[1] & 0x7f;
765 andf7[2] = in[2] & 0x7f;
766 andf7[3] = in[3] & 0x7f;
768 for (i = 3; i > 0; i--) { /* logical shift left 1 bit */
769 andf7[i] = andf7[i] << 1;
770 if ((andf7[i - 1] & 0x80) == 0x80)
771 andf7[i] = (andf7[i] | 0x01);
773 andf7[0] = andf7[0] << 1;
774 andf7[0] = andf7[0] & 0xfe;
776 xor_32(add1b, andf7, add1bf7);
778 xor_32(in, add1bf7, rotr);
780 temp[0] = rotr[0]; /* Rotate right 8 bits */
786 xor_32(add1bf7, rotr, temp);
787 xor_32(swap_halfs, rotl, tempb);
788 xor_32(temp, tempb, out);
792 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext)
796 u8 intermediatea[16];
797 u8 intermediateb[16];
800 for (i = 0; i < 16; i++)
801 round_key[i] = key[i];
802 for (round = 0; round < 11; round++) {
804 xor_128(round_key, data, ciphertext);
805 next_key(round_key, round);
806 } else if (round == 10) {
807 byte_sub(ciphertext, intermediatea);
808 shift_row(intermediatea, intermediateb);
809 xor_128(intermediateb, round_key, ciphertext);
811 byte_sub(ciphertext, intermediatea);
812 shift_row(intermediatea, intermediateb);
813 mix_column(&intermediateb[0], &intermediatea[0]);
814 mix_column(&intermediateb[4], &intermediatea[4]);
815 mix_column(&intermediateb[8], &intermediatea[8]);
816 mix_column(&intermediateb[12], &intermediatea[12]);
817 xor_128(intermediatea, round_key, ciphertext);
818 next_key(round_key, round);
824 /************************************************/
825 /* construct_mic_iv() */
826 /* Builds the MIC IV from header fields and PN */
827 /************************************************/
828 static void construct_mic_iv(u8 *mic_iv, int qc_exists, int a4_exists, u8 *mpdu,
829 uint payload_length, u8 *pn_vector)
834 if (qc_exists && a4_exists)
835 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
836 if (qc_exists && !a4_exists)
837 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
840 for (i = 2; i < 8; i++)
841 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
842 for (i = 8; i < 14; i++)
843 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
844 mic_iv[14] = (unsigned char)(payload_length / 256);
845 mic_iv[15] = (unsigned char)(payload_length % 256);
849 /************************************************/
850 /* construct_mic_header1() */
851 /* Builds the first MIC header block from */
853 /************************************************/
854 static void construct_mic_header1(u8 *mic_header1, int header_length, u8 *mpdu)
857 mic_header1[0] = (u8)((header_length - 2) / 256);
858 mic_header1[1] = (u8)((header_length - 2) % 256);
859 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
860 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
861 mic_header1[4] = mpdu[4]; /* A1 */
862 mic_header1[5] = mpdu[5];
863 mic_header1[6] = mpdu[6];
864 mic_header1[7] = mpdu[7];
865 mic_header1[8] = mpdu[8];
866 mic_header1[9] = mpdu[9];
867 mic_header1[10] = mpdu[10]; /* A2 */
868 mic_header1[11] = mpdu[11];
869 mic_header1[12] = mpdu[12];
870 mic_header1[13] = mpdu[13];
871 mic_header1[14] = mpdu[14];
872 mic_header1[15] = mpdu[15];
876 /************************************************/
877 /* construct_mic_header2() */
878 /* Builds the last MIC header block from */
880 /************************************************/
881 static void construct_mic_header2(u8 *mic_header2, u8 *mpdu, int a4_exists, int qc_exists)
885 for (i = 0; i < 16; i++)
886 mic_header2[i] = 0x00;
888 mic_header2[0] = mpdu[16]; /* A3 */
889 mic_header2[1] = mpdu[17];
890 mic_header2[2] = mpdu[18];
891 mic_header2[3] = mpdu[19];
892 mic_header2[4] = mpdu[20];
893 mic_header2[5] = mpdu[21];
895 mic_header2[6] = 0x00;
896 mic_header2[7] = 0x00; /* mpdu[23]; */
898 if (!qc_exists && a4_exists) {
899 for (i = 0; i < 6; i++)
900 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
903 if (qc_exists && !a4_exists) {
904 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
905 mic_header2[9] = mpdu[25] & 0x00;
908 if (qc_exists && a4_exists) {
909 for (i = 0; i < 6; i++)
910 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
912 mic_header2[14] = mpdu[30] & 0x0f;
913 mic_header2[15] = mpdu[31] & 0x00;
918 /************************************************/
919 /* construct_mic_header2() */
920 /* Builds the last MIC header block from */
922 /************************************************/
923 static void construct_ctr_preload(u8 *ctr_preload, int a4_exists, int qc_exists, u8 *mpdu, u8 *pn_vector, int c)
927 for (i = 0; i < 16; i++)
928 ctr_preload[i] = 0x00;
931 ctr_preload[0] = 0x01; /* flag */
932 if (qc_exists && a4_exists)
933 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
934 if (qc_exists && !a4_exists)
935 ctr_preload[1] = mpdu[24] & 0x0f;
937 for (i = 2; i < 8; i++)
938 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
939 for (i = 8; i < 14; i++)
940 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
941 ctr_preload[14] = (unsigned char)(c / 256); /* Ctr */
942 ctr_preload[15] = (unsigned char)(c % 256);
946 /************************************/
948 /* A 128 bit, bitwise exclusive or */
949 /************************************/
950 static void bitwise_xor(u8 *ina, u8 *inb, u8 *out)
954 for (i = 0; i < 16; i++)
955 out[i] = ina[i] ^ inb[i];
959 static int aes_cipher(u8 *key, uint hdrlen, u8 *pframe, uint plen)
961 uint qc_exists, a4_exists, i, j, payload_remainder,
962 num_blocks, payload_index;
970 /* Intermediate Buffers */
973 u8 padded_buffer[16];
975 uint frtype = GetFrameType(pframe);
976 uint frsubtype = GetFrameSubType(pframe);
978 frsubtype = frsubtype >> 4;
980 memset((void *)mic_iv, 0, 16);
981 memset((void *)mic_header1, 0, 16);
982 memset((void *)mic_header2, 0, 16);
983 memset((void *)ctr_preload, 0, 16);
984 memset((void *)chain_buffer, 0, 16);
985 memset((void *)aes_out, 0, 16);
986 memset((void *)padded_buffer, 0, 16);
988 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
993 if ((frtype == WIFI_DATA_CFACK) || (frtype == WIFI_DATA_CFPOLL) || (frtype == WIFI_DATA_CFACKPOLL)) {
995 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
997 } else if ((frsubtype == 0x08) || (frsubtype == 0x09) || (frsubtype == 0x0a) || (frsubtype == 0x0b)) {
998 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1005 pn_vector[0] = pframe[hdrlen];
1006 pn_vector[1] = pframe[hdrlen + 1];
1007 pn_vector[2] = pframe[hdrlen + 4];
1008 pn_vector[3] = pframe[hdrlen + 5];
1009 pn_vector[4] = pframe[hdrlen + 6];
1010 pn_vector[5] = pframe[hdrlen + 7];
1012 construct_mic_iv(mic_iv, qc_exists, a4_exists, pframe, plen, pn_vector);
1014 construct_mic_header1(mic_header1, hdrlen, pframe);
1015 construct_mic_header2(mic_header2, pframe, a4_exists, qc_exists);
1017 payload_remainder = plen % 16;
1018 num_blocks = plen / 16;
1020 /* Find start of payload */
1021 payload_index = (hdrlen + 8);
1024 aes128k128d(key, mic_iv, aes_out);
1025 bitwise_xor(aes_out, mic_header1, chain_buffer);
1026 aes128k128d(key, chain_buffer, aes_out);
1027 bitwise_xor(aes_out, mic_header2, chain_buffer);
1028 aes128k128d(key, chain_buffer, aes_out);
1030 for (i = 0; i < num_blocks; i++) {
1031 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);/* bitwise_xor(aes_out, &message[payload_index], chain_buffer); */
1033 payload_index += 16;
1034 aes128k128d(key, chain_buffer, aes_out);
1037 /* Add on the final payload block if it needs padding */
1038 if (payload_remainder > 0) {
1039 for (j = 0; j < 16; j++)
1040 padded_buffer[j] = 0x00;
1041 for (j = 0; j < payload_remainder; j++)
1042 padded_buffer[j] = pframe[payload_index++];/* padded_buffer[j] = message[payload_index++]; */
1043 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1044 aes128k128d(key, chain_buffer, aes_out);
1047 for (j = 0; j < 8; j++)
1048 mic[j] = aes_out[j];
1050 /* Insert MIC into payload */
1051 for (j = 0; j < 8; j++)
1052 pframe[payload_index + j] = mic[j]; /* message[payload_index+j] = mic[j]; */
1054 payload_index = hdrlen + 8;
1055 for (i = 0; i < num_blocks; i++) {
1056 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, i + 1);
1057 aes128k128d(key, ctr_preload, aes_out);
1058 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);
1059 for (j = 0; j < 16; j++)
1060 pframe[payload_index++] = chain_buffer[j];
1063 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1064 /* encrypt it and copy the unpadded part back */
1065 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, num_blocks + 1);
1067 for (j = 0; j < 16; j++)
1068 padded_buffer[j] = 0x00;
1069 for (j = 0; j < payload_remainder; j++)
1070 padded_buffer[j] = pframe[payload_index + j];
1071 aes128k128d(key, ctr_preload, aes_out);
1072 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1073 for (j = 0; j < payload_remainder; j++)
1074 pframe[payload_index++] = chain_buffer[j];
1076 /* Encrypt the MIC */
1077 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, 0);
1079 for (j = 0; j < 16; j++)
1080 padded_buffer[j] = 0x00;
1081 for (j = 0; j < 8; j++)
1082 padded_buffer[j] = pframe[j + hdrlen + 8 + plen];
1084 aes128k128d(key, ctr_preload, aes_out);
1085 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1086 for (j = 0; j < 8; j++)
1087 pframe[payload_index++] = chain_buffer[j];
1092 u32 rtw_aes_encrypt(struct adapter *padapter, struct xmit_frame *pxmitframe)
1096 /* unsigned char message[MAX_MSG_SIZE]; */
1098 /* Intermediate Buffers */
1099 int curfragnum, length;
1100 u8 *pframe, *prwskey; /* *payload,*iv */
1101 u8 hw_hdr_offset = 0;
1102 struct sta_info *stainfo;
1103 struct pkt_attrib *pattrib = &pxmitframe->attrib;
1104 struct security_priv *psecuritypriv = &padapter->securitypriv;
1105 struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
1107 /* uint offset = 0; */
1110 if (!pxmitframe->buf_addr)
1113 hw_hdr_offset = TXDESC_SIZE + pxmitframe->pkt_offset * PACKET_OFFSET_SZ;
1114 pframe = pxmitframe->buf_addr + hw_hdr_offset;
1116 /* 4 start to encrypt each fragment */
1117 if (pattrib->encrypt == _AES_) {
1119 stainfo = pattrib->psta;
1121 stainfo = rtw_get_stainfo(&padapter->stapriv, &pattrib->ra[0]);
1124 if (is_multicast_ether_addr(pattrib->ra))
1125 prwskey = psecuritypriv->dot118021XGrpKey[psecuritypriv->dot118021XGrpKeyid].skey;
1127 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
1128 for (curfragnum = 0; curfragnum < pattrib->nr_frags; curfragnum++) {
1129 if ((curfragnum + 1) == pattrib->nr_frags) { /* 4 the last fragment */
1130 length = pattrib->last_txcmdsz - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
1132 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
1134 length = pxmitpriv->frag_len - pattrib->hdrlen - pattrib->iv_len - pattrib->icv_len;
1136 aes_cipher(prwskey, pattrib->hdrlen, pframe, length);
1137 pframe += pxmitpriv->frag_len;
1138 pframe = (u8 *)RND4((size_t)(pframe));
1149 static int aes_decipher(struct adapter *padapter, u8 *key, uint hdrlen,
1150 u8 *pframe, uint plen)
1152 static u8 message[MAX_MSG_SIZE];
1153 uint qc_exists, a4_exists, i, j, payload_remainder,
1154 num_blocks, payload_index;
1162 /* Intermediate Buffers */
1163 u8 chain_buffer[16];
1165 u8 padded_buffer[16];
1168 /* uint offset = 0; */
1169 uint frtype = GetFrameType(pframe);
1170 uint frsubtype = GetFrameSubType(pframe);
1172 frsubtype = frsubtype >> 4;
1174 memset((void *)mic_iv, 0, 16);
1175 memset((void *)mic_header1, 0, 16);
1176 memset((void *)mic_header2, 0, 16);
1177 memset((void *)ctr_preload, 0, 16);
1178 memset((void *)chain_buffer, 0, 16);
1179 memset((void *)aes_out, 0, 16);
1180 memset((void *)padded_buffer, 0, 16);
1182 /* start to decrypt the payload */
1184 num_blocks = (plen - 8) / 16; /* plen including llc, payload_length and mic) */
1186 payload_remainder = (plen - 8) % 16;
1188 pn_vector[0] = pframe[hdrlen];
1189 pn_vector[1] = pframe[hdrlen + 1];
1190 pn_vector[2] = pframe[hdrlen + 4];
1191 pn_vector[3] = pframe[hdrlen + 5];
1192 pn_vector[4] = pframe[hdrlen + 6];
1193 pn_vector[5] = pframe[hdrlen + 7];
1195 if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
1200 if ((frtype == WIFI_DATA_CFACK) || (frtype == WIFI_DATA_CFPOLL) ||
1201 (frtype == WIFI_DATA_CFACKPOLL)) {
1203 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1205 } else if ((frsubtype == 0x08) || (frsubtype == 0x09) ||
1206 (frsubtype == 0x0a) || (frsubtype == 0x0b)) {
1207 if (hdrlen != WLAN_HDR_A3_QOS_LEN)
1214 /* now, decrypt pframe with hdrlen offset and plen long */
1216 payload_index = hdrlen + 8; /* 8 is for extiv */
1218 for (i = 0; i < num_blocks; i++) {
1219 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, i + 1);
1221 aes128k128d(key, ctr_preload, aes_out);
1222 bitwise_xor(aes_out, &pframe[payload_index], chain_buffer);
1224 for (j = 0; j < 16; j++)
1225 pframe[payload_index++] = chain_buffer[j];
1228 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1229 /* encrypt it and copy the unpadded part back */
1230 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pframe, pn_vector, num_blocks + 1);
1232 for (j = 0; j < 16; j++)
1233 padded_buffer[j] = 0x00;
1234 for (j = 0; j < payload_remainder; j++)
1235 padded_buffer[j] = pframe[payload_index + j];
1236 aes128k128d(key, ctr_preload, aes_out);
1237 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1238 for (j = 0; j < payload_remainder; j++)
1239 pframe[payload_index++] = chain_buffer[j];
1242 /* start to calculate the mic */
1243 if ((hdrlen + plen + 8) <= MAX_MSG_SIZE)
1244 memcpy(message, pframe, (hdrlen + plen + 8)); /* 8 is for ext iv len */
1246 pn_vector[0] = pframe[hdrlen];
1247 pn_vector[1] = pframe[hdrlen + 1];
1248 pn_vector[2] = pframe[hdrlen + 4];
1249 pn_vector[3] = pframe[hdrlen + 5];
1250 pn_vector[4] = pframe[hdrlen + 6];
1251 pn_vector[5] = pframe[hdrlen + 7];
1252 construct_mic_iv(mic_iv, qc_exists, a4_exists, message, plen - 8, pn_vector);
1254 construct_mic_header1(mic_header1, hdrlen, message);
1255 construct_mic_header2(mic_header2, message, a4_exists, qc_exists);
1257 payload_remainder = (plen - 8) % 16;
1258 num_blocks = (plen - 8) / 16;
1260 /* Find start of payload */
1261 payload_index = (hdrlen + 8);
1264 aes128k128d(key, mic_iv, aes_out);
1265 bitwise_xor(aes_out, mic_header1, chain_buffer);
1266 aes128k128d(key, chain_buffer, aes_out);
1267 bitwise_xor(aes_out, mic_header2, chain_buffer);
1268 aes128k128d(key, chain_buffer, aes_out);
1270 for (i = 0; i < num_blocks; i++) {
1271 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1273 payload_index += 16;
1274 aes128k128d(key, chain_buffer, aes_out);
1277 /* Add on the final payload block if it needs padding */
1278 if (payload_remainder > 0) {
1279 for (j = 0; j < 16; j++)
1280 padded_buffer[j] = 0x00;
1281 for (j = 0; j < payload_remainder; j++)
1282 padded_buffer[j] = message[payload_index++];
1283 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1284 aes128k128d(key, chain_buffer, aes_out);
1287 for (j = 0 ; j < 8; j++)
1288 mic[j] = aes_out[j];
1290 /* Insert MIC into payload */
1291 for (j = 0; j < 8; j++)
1292 message[payload_index + j] = mic[j];
1294 payload_index = hdrlen + 8;
1295 for (i = 0; i < num_blocks; i++) {
1296 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, i + 1);
1297 aes128k128d(key, ctr_preload, aes_out);
1298 bitwise_xor(aes_out, &message[payload_index], chain_buffer);
1299 for (j = 0; j < 16; j++)
1300 message[payload_index++] = chain_buffer[j];
1303 if (payload_remainder > 0) { /* If there is a short final block, then pad it,*/
1304 /* encrypt it and copy the unpadded part back */
1305 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, num_blocks + 1);
1307 for (j = 0; j < 16; j++)
1308 padded_buffer[j] = 0x00;
1309 for (j = 0; j < payload_remainder; j++)
1310 padded_buffer[j] = message[payload_index + j];
1311 aes128k128d(key, ctr_preload, aes_out);
1312 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1313 for (j = 0; j < payload_remainder; j++)
1314 message[payload_index++] = chain_buffer[j];
1317 /* Encrypt the MIC */
1318 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, message, pn_vector, 0);
1320 for (j = 0; j < 16; j++)
1321 padded_buffer[j] = 0x00;
1322 for (j = 0; j < 8; j++)
1323 padded_buffer[j] = message[j + hdrlen + 8 + plen - 8];
1325 aes128k128d(key, ctr_preload, aes_out);
1326 bitwise_xor(aes_out, padded_buffer, chain_buffer);
1327 for (j = 0; j < 8; j++)
1328 message[payload_index++] = chain_buffer[j];
1330 /* compare the mic */
1331 for (i = 0; i < 8; i++) {
1332 if (pframe[hdrlen + 8 + plen - 8 + i] != message[hdrlen + 8 + plen - 8 + i]) {
1333 netdev_dbg(padapter->pnetdev,
1334 "mic check error mic[%d]: pframe(%x)!=message(%x)\n",
1335 i, pframe[hdrlen + 8 + plen - 8 + i],
1336 message[hdrlen + 8 + plen - 8 + i]);
1344 u32 rtw_aes_decrypt(struct adapter *padapter, struct recv_frame *precvframe)
1346 /* Intermediate Buffers */
1348 u8 *pframe, *prwskey; /* *payload,*iv */
1349 struct sta_info *stainfo;
1350 struct rx_pkt_attrib *prxattrib = &precvframe->attrib;
1351 struct security_priv *psecuritypriv = &padapter->securitypriv;
1354 pframe = precvframe->rx_data;
1356 /* 4 start to encrypt each fragment */
1357 if (prxattrib->encrypt == _AES_) {
1358 stainfo = rtw_get_stainfo(&padapter->stapriv, &prxattrib->ta[0]);
1360 if (is_multicast_ether_addr(prxattrib->ra)) {
1361 /* in concurrent we should use sw descrypt in group key, so we remove this message */
1362 if (!psecuritypriv->binstallGrpkey) {
1364 netdev_dbg(padapter->pnetdev,
1365 "rx bc/mc packets, but didn't install group key!\n");
1368 prwskey = psecuritypriv->dot118021XGrpKey[prxattrib->key_index].skey;
1369 if (psecuritypriv->dot118021XGrpKeyid != prxattrib->key_index) {
1370 netdev_dbg(padapter->pnetdev,
1371 "not match packet_index=%d, install_index=%d\n",
1372 prxattrib->key_index,
1373 psecuritypriv->dot118021XGrpKeyid);
1378 prwskey = &stainfo->dot118021x_UncstKey.skey[0];
1380 length = precvframe->len - prxattrib->hdrlen - prxattrib->iv_len;
1381 res = aes_decipher(padapter, prwskey, prxattrib->hdrlen, pframe, length);
1392 const u32 Te0[256] = {
1393 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
1394 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
1395 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
1396 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
1397 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
1398 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
1399 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
1400 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
1401 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
1402 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
1403 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
1404 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
1405 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
1406 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
1407 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
1408 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
1409 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
1410 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
1411 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
1412 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
1413 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
1414 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
1415 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
1416 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
1417 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
1418 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
1419 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
1420 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
1421 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
1422 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
1423 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
1424 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
1425 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
1426 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
1427 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
1428 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
1429 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
1430 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
1431 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
1432 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
1433 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
1434 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
1435 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
1436 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
1437 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
1438 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
1439 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
1440 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
1441 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
1442 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
1443 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
1444 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
1445 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
1446 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
1447 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
1448 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
1449 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
1450 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
1451 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
1452 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
1453 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
1454 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
1455 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
1456 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
1459 const u32 Td0[256] = {
1460 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
1461 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
1462 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
1463 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
1464 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
1465 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
1466 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
1467 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
1468 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
1469 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
1470 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
1471 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
1472 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
1473 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
1474 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
1475 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
1476 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
1477 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
1478 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
1479 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
1480 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
1481 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
1482 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
1483 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
1484 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
1485 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
1486 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
1487 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
1488 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
1489 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
1490 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
1491 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
1492 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
1493 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
1494 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
1495 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
1496 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
1497 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
1498 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
1499 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
1500 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
1501 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
1502 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
1503 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
1504 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
1505 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
1506 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
1507 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
1508 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
1509 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
1510 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
1511 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
1512 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
1513 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
1514 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
1515 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
1516 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
1517 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
1518 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
1519 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
1520 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
1521 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
1522 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
1523 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
1526 const u8 Td4s[256] = {
1527 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
1528 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
1529 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
1530 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU,
1531 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU,
1532 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU,
1533 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U,
1534 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U,
1535 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U,
1536 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U,
1537 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU,
1538 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U,
1539 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU,
1540 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U,
1541 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U,
1542 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU,
1543 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU,
1544 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U,
1545 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U,
1546 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU,
1547 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U,
1548 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU,
1549 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U,
1550 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U,
1551 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U,
1552 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU,
1553 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU,
1554 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU,
1555 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U,
1556 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U,
1557 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
1558 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
1560 const u8 rcons[] = {
1561 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
1562 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */