2 *************************************************************************
4 * 5F., No.36, Taiyuan St., Jhubei City,
8 * (c) Copyright 2002-2007, Ralink Technology, Inc.
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
15 * This program is distributed in the hope that it will be useful, *
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
18 * GNU General Public License for more details. *
20 * You should have received a copy of the GNU General Public License *
21 * along with this program; if not, write to the *
22 * Free Software Foundation, Inc., *
23 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
25 *************************************************************************
34 -------- ---------- ----------------------------------------------
35 Paul Wu 02-25-02 Initial
38 #include "../rt_config.h"
40 /* Rotation functions on 32 bit values */
41 #define ROL32( A, n ) \
42 ( ((A) << (n)) | ( ((A)>>(32-(n))) & ( (1UL << (n)) - 1 ) ) )
43 #define ROR32( A, n ) ROL32( (A), 32-(n) )
45 u32 Tkip_Sbox_Lower[256] = {
46 0xA5, 0x84, 0x99, 0x8D, 0x0D, 0xBD, 0xB1, 0x54,
47 0x50, 0x03, 0xA9, 0x7D, 0x19, 0x62, 0xE6, 0x9A,
48 0x45, 0x9D, 0x40, 0x87, 0x15, 0xEB, 0xC9, 0x0B,
49 0xEC, 0x67, 0xFD, 0xEA, 0xBF, 0xF7, 0x96, 0x5B,
50 0xC2, 0x1C, 0xAE, 0x6A, 0x5A, 0x41, 0x02, 0x4F,
51 0x5C, 0xF4, 0x34, 0x08, 0x93, 0x73, 0x53, 0x3F,
52 0x0C, 0x52, 0x65, 0x5E, 0x28, 0xA1, 0x0F, 0xB5,
53 0x09, 0x36, 0x9B, 0x3D, 0x26, 0x69, 0xCD, 0x9F,
54 0x1B, 0x9E, 0x74, 0x2E, 0x2D, 0xB2, 0xEE, 0xFB,
55 0xF6, 0x4D, 0x61, 0xCE, 0x7B, 0x3E, 0x71, 0x97,
56 0xF5, 0x68, 0x00, 0x2C, 0x60, 0x1F, 0xC8, 0xED,
57 0xBE, 0x46, 0xD9, 0x4B, 0xDE, 0xD4, 0xE8, 0x4A,
58 0x6B, 0x2A, 0xE5, 0x16, 0xC5, 0xD7, 0x55, 0x94,
59 0xCF, 0x10, 0x06, 0x81, 0xF0, 0x44, 0xBA, 0xE3,
60 0xF3, 0xFE, 0xC0, 0x8A, 0xAD, 0xBC, 0x48, 0x04,
61 0xDF, 0xC1, 0x75, 0x63, 0x30, 0x1A, 0x0E, 0x6D,
62 0x4C, 0x14, 0x35, 0x2F, 0xE1, 0xA2, 0xCC, 0x39,
63 0x57, 0xF2, 0x82, 0x47, 0xAC, 0xE7, 0x2B, 0x95,
64 0xA0, 0x98, 0xD1, 0x7F, 0x66, 0x7E, 0xAB, 0x83,
65 0xCA, 0x29, 0xD3, 0x3C, 0x79, 0xE2, 0x1D, 0x76,
66 0x3B, 0x56, 0x4E, 0x1E, 0xDB, 0x0A, 0x6C, 0xE4,
67 0x5D, 0x6E, 0xEF, 0xA6, 0xA8, 0xA4, 0x37, 0x8B,
68 0x32, 0x43, 0x59, 0xB7, 0x8C, 0x64, 0xD2, 0xE0,
69 0xB4, 0xFA, 0x07, 0x25, 0xAF, 0x8E, 0xE9, 0x18,
70 0xD5, 0x88, 0x6F, 0x72, 0x24, 0xF1, 0xC7, 0x51,
71 0x23, 0x7C, 0x9C, 0x21, 0xDD, 0xDC, 0x86, 0x85,
72 0x90, 0x42, 0xC4, 0xAA, 0xD8, 0x05, 0x01, 0x12,
73 0xA3, 0x5F, 0xF9, 0xD0, 0x91, 0x58, 0x27, 0xB9,
74 0x38, 0x13, 0xB3, 0x33, 0xBB, 0x70, 0x89, 0xA7,
75 0xB6, 0x22, 0x92, 0x20, 0x49, 0xFF, 0x78, 0x7A,
76 0x8F, 0xF8, 0x80, 0x17, 0xDA, 0x31, 0xC6, 0xB8,
77 0xC3, 0xB0, 0x77, 0x11, 0xCB, 0xFC, 0xD6, 0x3A
80 u32 Tkip_Sbox_Upper[256] = {
81 0xC6, 0xF8, 0xEE, 0xF6, 0xFF, 0xD6, 0xDE, 0x91,
82 0x60, 0x02, 0xCE, 0x56, 0xE7, 0xB5, 0x4D, 0xEC,
83 0x8F, 0x1F, 0x89, 0xFA, 0xEF, 0xB2, 0x8E, 0xFB,
84 0x41, 0xB3, 0x5F, 0x45, 0x23, 0x53, 0xE4, 0x9B,
85 0x75, 0xE1, 0x3D, 0x4C, 0x6C, 0x7E, 0xF5, 0x83,
86 0x68, 0x51, 0xD1, 0xF9, 0xE2, 0xAB, 0x62, 0x2A,
87 0x08, 0x95, 0x46, 0x9D, 0x30, 0x37, 0x0A, 0x2F,
88 0x0E, 0x24, 0x1B, 0xDF, 0xCD, 0x4E, 0x7F, 0xEA,
89 0x12, 0x1D, 0x58, 0x34, 0x36, 0xDC, 0xB4, 0x5B,
90 0xA4, 0x76, 0xB7, 0x7D, 0x52, 0xDD, 0x5E, 0x13,
91 0xA6, 0xB9, 0x00, 0xC1, 0x40, 0xE3, 0x79, 0xB6,
92 0xD4, 0x8D, 0x67, 0x72, 0x94, 0x98, 0xB0, 0x85,
93 0xBB, 0xC5, 0x4F, 0xED, 0x86, 0x9A, 0x66, 0x11,
94 0x8A, 0xE9, 0x04, 0xFE, 0xA0, 0x78, 0x25, 0x4B,
95 0xA2, 0x5D, 0x80, 0x05, 0x3F, 0x21, 0x70, 0xF1,
96 0x63, 0x77, 0xAF, 0x42, 0x20, 0xE5, 0xFD, 0xBF,
97 0x81, 0x18, 0x26, 0xC3, 0xBE, 0x35, 0x88, 0x2E,
98 0x93, 0x55, 0xFC, 0x7A, 0xC8, 0xBA, 0x32, 0xE6,
99 0xC0, 0x19, 0x9E, 0xA3, 0x44, 0x54, 0x3B, 0x0B,
100 0x8C, 0xC7, 0x6B, 0x28, 0xA7, 0xBC, 0x16, 0xAD,
101 0xDB, 0x64, 0x74, 0x14, 0x92, 0x0C, 0x48, 0xB8,
102 0x9F, 0xBD, 0x43, 0xC4, 0x39, 0x31, 0xD3, 0xF2,
103 0xD5, 0x8B, 0x6E, 0xDA, 0x01, 0xB1, 0x9C, 0x49,
104 0xD8, 0xAC, 0xF3, 0xCF, 0xCA, 0xF4, 0x47, 0x10,
105 0x6F, 0xF0, 0x4A, 0x5C, 0x38, 0x57, 0x73, 0x97,
106 0xCB, 0xA1, 0xE8, 0x3E, 0x96, 0x61, 0x0D, 0x0F,
107 0xE0, 0x7C, 0x71, 0xCC, 0x90, 0x06, 0xF7, 0x1C,
108 0xC2, 0x6A, 0xAE, 0x69, 0x17, 0x99, 0x3A, 0x27,
109 0xD9, 0xEB, 0x2B, 0x22, 0xD2, 0xA9, 0x07, 0x33,
110 0x2D, 0x3C, 0x15, 0xC9, 0x87, 0xAA, 0x50, 0xA5,
111 0x03, 0x59, 0x09, 0x1A, 0x65, 0xD7, 0x84, 0xD0,
112 0x82, 0x29, 0x5A, 0x1E, 0x7B, 0xA8, 0x6D, 0x2C
116 /* Expanded IV for TKIP function. */
118 struct PACKED rt_tkip_iv {
142 ========================================================================
145 Convert from u8[] to unsigned long in a portable way
148 pMICKey pointer to MIC Key
155 ========================================================================
157 unsigned long RTMPTkipGetUInt32(u8 *pMICKey)
159 unsigned long res = 0;
162 for (i = 0; i < 4; i++) {
163 res |= (*pMICKey++) << (8 * i);
170 ========================================================================
173 Convert from unsigned long to u8[] in a portable way
176 pDst pointer to destination for convert unsigned long to u8[]
177 val the value for convert
182 IRQL = DISPATCH_LEVEL
186 ========================================================================
188 void RTMPTkipPutUInt32(IN u8 *pDst, unsigned long val)
192 for (i = 0; i < 4; i++) {
193 *pDst++ = (u8)(val & 0xff);
199 ========================================================================
205 pAd Pointer to our adapter
206 pMICKey pointer to MIC Key
211 IRQL = DISPATCH_LEVEL
215 ========================================================================
217 void RTMPTkipSetMICKey(struct rt_tkip_key_info *pTkip, u8 *pMICKey)
220 pTkip->K0 = RTMPTkipGetUInt32(pMICKey);
221 pTkip->K1 = RTMPTkipGetUInt32(pMICKey + 4);
222 /* and reset the message */
223 pTkip->L = pTkip->K0;
224 pTkip->R = pTkip->K1;
225 pTkip->nBytesInM = 0;
230 ========================================================================
233 Calculate the MIC Value.
236 pAd Pointer to our adapter
237 uChar Append this uChar
242 IRQL = DISPATCH_LEVEL
246 ========================================================================
248 void RTMPTkipAppendByte(struct rt_tkip_key_info *pTkip, u8 uChar)
250 /* Append the byte to our word-sized buffer */
251 pTkip->M |= (uChar << (8 * pTkip->nBytesInM));
253 /* Process the word if it is full. */
254 if (pTkip->nBytesInM >= 4) {
255 pTkip->L ^= pTkip->M;
256 pTkip->R ^= ROL32(pTkip->L, 17);
257 pTkip->L += pTkip->R;
259 ((pTkip->L & 0xff00ff00) >> 8) | ((pTkip->
260 L & 0x00ff00ff) << 8);
261 pTkip->L += pTkip->R;
262 pTkip->R ^= ROL32(pTkip->L, 3);
263 pTkip->L += pTkip->R;
264 pTkip->R ^= ROR32(pTkip->L, 2);
265 pTkip->L += pTkip->R;
266 /* Clear the buffer */
268 pTkip->nBytesInM = 0;
273 ========================================================================
276 Calculate the MIC Value.
279 pAd Pointer to our adapter
280 pSrc Pointer to source data for Calculate MIC Value
281 Len Indicate the length of the source data
286 IRQL = DISPATCH_LEVEL
290 ========================================================================
292 void RTMPTkipAppend(struct rt_tkip_key_info *pTkip, u8 *pSrc, u32 nBytes)
296 RTMPTkipAppendByte(pTkip, *pSrc++);
302 ========================================================================
308 pAd Pointer to our adapter
313 IRQL = DISPATCH_LEVEL
316 the MIC Value is store in pAd->PrivateInfo.MIC
317 ========================================================================
319 void RTMPTkipGetMIC(struct rt_tkip_key_info *pTkip)
321 /* Append the minimum padding */
322 RTMPTkipAppendByte(pTkip, 0x5a);
323 RTMPTkipAppendByte(pTkip, 0);
324 RTMPTkipAppendByte(pTkip, 0);
325 RTMPTkipAppendByte(pTkip, 0);
326 RTMPTkipAppendByte(pTkip, 0);
327 /* and then zeroes until the length is a multiple of 4 */
328 while (pTkip->nBytesInM != 0) {
329 RTMPTkipAppendByte(pTkip, 0);
331 /* The appendByte function has already computed the result. */
332 RTMPTkipPutUInt32(pTkip->MIC, pTkip->L);
333 RTMPTkipPutUInt32(pTkip->MIC + 4, pTkip->R);
337 ========================================================================
343 pAd Pointer to our adapter
344 pTKey Pointer to the Temporal Key (TK), TK shall be 128bits.
346 pTA Pointer to transmitter address
347 pMICKey pointer to MIC Key
352 IRQL = DISPATCH_LEVEL
356 ========================================================================
358 void RTMPInitTkipEngine(struct rt_rtmp_adapter *pAd,
363 u8 *pTSC, unsigned long *pIV16, unsigned long *pIV32)
365 struct rt_tkip_iv tkipIv;
367 /* Prepare 8 bytes TKIP encapsulation for MPDU */
368 NdisZeroMemory(&tkipIv, sizeof(struct rt_tkip_iv));
369 tkipIv.IV16.field.rc0 = *(pTSC + 1);
370 tkipIv.IV16.field.rc1 = (tkipIv.IV16.field.rc0 | 0x20) & 0x7f;
371 tkipIv.IV16.field.rc2 = *pTSC;
372 tkipIv.IV16.field.CONTROL.field.ExtIV = 1; /* 0: non-extended IV, 1: an extended IV */
373 tkipIv.IV16.field.CONTROL.field.KeyID = KeyId;
374 /* tkipIv.IV32 = *(unsigned long *)(pTSC + 2); */
375 NdisMoveMemory(&tkipIv.IV32, (pTSC + 2), 4); /* Copy IV */
377 *pIV16 = tkipIv.IV16.word;
378 *pIV32 = tkipIv.IV32;
382 ========================================================================
385 Init MIC Value calculation function which include set MIC key &
386 calculate first 16 bytes (DA + SA + priority + 0)
389 pAd Pointer to our adapter
390 pTKey Pointer to the Temporal Key (TK), TK shall be 128bits.
391 pDA Pointer to DA address
392 pSA Pointer to SA address
393 pMICKey pointer to MIC Key
400 ========================================================================
402 void RTMPInitMICEngine(struct rt_rtmp_adapter *pAd,
405 u8 *pSA, u8 UserPriority, u8 *pMICKey)
407 unsigned long Priority = UserPriority;
409 /* Init MIC value calculation */
410 RTMPTkipSetMICKey(&pAd->PrivateInfo.Tx, pMICKey);
412 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pDA, MAC_ADDR_LEN);
414 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSA, MAC_ADDR_LEN);
415 /* Priority + 3 bytes of 0 */
416 RTMPTkipAppend(&pAd->PrivateInfo.Tx, (u8 *)& Priority, 4);
420 ========================================================================
423 Compare MIC value of received MSDU
426 pAd Pointer to our adapter
427 pSrc Pointer to the received Plain text data
428 pDA Pointer to DA address
429 pSA Pointer to SA address
430 pMICKey pointer to MIC Key
431 Len the length of the received plain text data exclude MIC value
434 TRUE MIC value matched
435 FALSE MIC value mismatched
437 IRQL = DISPATCH_LEVEL
441 ========================================================================
443 BOOLEAN RTMPTkipCompareMICValue(struct rt_rtmp_adapter *pAd,
448 u8 UserPriority, u32 Len)
451 unsigned long Priority = UserPriority;
453 /* Init MIC value calculation */
454 RTMPTkipSetMICKey(&pAd->PrivateInfo.Rx, pMICKey);
456 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pDA, MAC_ADDR_LEN);
458 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pSA, MAC_ADDR_LEN);
459 /* Priority + 3 bytes of 0 */
460 RTMPTkipAppend(&pAd->PrivateInfo.Rx, (u8 *)& Priority, 4);
462 /* Calculate MIC value from plain text data */
463 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pSrc, Len);
465 /* Get MIC valude from received frame */
466 NdisMoveMemory(OldMic, pSrc + Len, 8);
468 /* Get MIC value from decrypted plain data */
469 RTMPTkipGetMIC(&pAd->PrivateInfo.Rx);
471 /* Move MIC value from MSDU, this steps should move to data path. */
472 /* Since the MIC value might cross MPDUs. */
473 if (!NdisEqualMemory(pAd->PrivateInfo.Rx.MIC, OldMic, 8)) {
474 DBGPRINT_RAW(RT_DEBUG_ERROR, ("RTMPTkipCompareMICValue(): TKIP MIC Error !\n")); /*MIC error. */
482 ========================================================================
485 Copy frame from waiting queue into relative ring buffer and set
486 appropriate ASIC register to kick hardware transmit function
489 pAd Pointer to our adapter
490 void * Pointer to Ndis Packet for MIC calculation
491 pEncap Pointer to LLC encap data
492 LenEncap Total encap length, might be 0 which indicates no encap
497 IRQL = DISPATCH_LEVEL
501 ========================================================================
503 void RTMPCalculateMICValue(struct rt_rtmp_adapter *pAd,
506 struct rt_cipher_key *pKey, u8 apidx)
508 struct rt_packet_info PacketInfo;
515 RTMP_QueryPacketInfo(pPacket, &PacketInfo, &pSrcBufVA, &SrcBufLen);
517 UserPriority = RTMP_GET_PACKET_UP(pPacket);
520 /* determine if this is a vlan packet */
521 if (((*(pSrc + 12) << 8) + *(pSrc + 13)) == 0x8100)
525 RTMPInitMICEngine(pAd,
527 pSrc, pSrc + 6, UserPriority, pKey->TxMic);
530 if (pEncap != NULL) {
531 /* LLC encapsulation */
532 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pEncap, 6);
534 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSrc + 12 + vlan_offset,
537 SrcBufLen -= (14 + vlan_offset);
538 pSrc += (14 + vlan_offset);
541 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSrc, SrcBufLen);
544 break; /* No need handle next packet */
546 } while (TRUE); /* End of copying payload */
548 /* Compute the final MIC Value */
549 RTMPTkipGetMIC(&pAd->PrivateInfo.Tx);
552 /************************************************************/
554 /* Returns a 16 bit value from a 64K entry table. The Table */
555 /* is synthesized from two 256 entry byte wide tables. */
556 /************************************************************/
558 u32 tkip_sbox(u32 index)
564 index_low = (index % 256);
565 index_high = ((index >> 8) % 256);
567 left = Tkip_Sbox_Lower[index_low] + (Tkip_Sbox_Upper[index_low] * 256);
569 Tkip_Sbox_Upper[index_high] + (Tkip_Sbox_Lower[index_high] * 256);
571 return (left ^ right);
578 if ((a & 0x01) == 0x01) {
579 b = (a >> 1) | 0x8000;
581 b = (a >> 1) & 0x7fff;
587 void RTMPTkipMixKey(u8 * key, u8 * ta, unsigned long pnl, /* Least significant 16 bits of PN */
588 unsigned long pnh, /* Most significant 32 bits of PN */
589 u8 * rc4key, u32 * p1k)
606 tsc0 = (unsigned int)((pnh >> 16) % 65536); /* msb */
607 tsc1 = (unsigned int)(pnh % 65536);
608 tsc2 = (unsigned int)(pnl % 65536); /* lsb */
610 /* Phase 1, step 1 */
613 p1k[2] = (u32)(ta[0] + (ta[1] * 256));
614 p1k[3] = (u32)(ta[2] + (ta[3] * 256));
615 p1k[4] = (u32)(ta[4] + (ta[5] * 256));
617 /* Phase 1, step 2 */
618 for (i = 0; i < 8; i++) {
622 tkip_sbox((p1k[4] ^ ((256 * key[1 + j]) + key[j])) %
626 tkip_sbox((p1k[0] ^ ((256 * key[5 + j]) + key[4 + j])) %
630 tkip_sbox((p1k[1] ^ ((256 * key[9 + j]) + key[8 + j])) %
634 tkip_sbox((p1k[2] ^ ((256 * key[13 + j]) + key[12 + j])) %
638 tkip_sbox((p1k[3] ^ (((256 * key[1 + j]) + key[j]))) %
640 p1k[4] = (p1k[4] + i) % 65536;
643 /* Phase 2, Step 1 */
649 ppk5 = (p1k[4] + tsc2) % 65536;
652 ppk0 = ppk0 + tkip_sbox((ppk5 ^ ((256 * key[1]) + key[0])) % 65536);
653 ppk1 = ppk1 + tkip_sbox((ppk0 ^ ((256 * key[3]) + key[2])) % 65536);
654 ppk2 = ppk2 + tkip_sbox((ppk1 ^ ((256 * key[5]) + key[4])) % 65536);
655 ppk3 = ppk3 + tkip_sbox((ppk2 ^ ((256 * key[7]) + key[6])) % 65536);
656 ppk4 = ppk4 + tkip_sbox((ppk3 ^ ((256 * key[9]) + key[8])) % 65536);
657 ppk5 = ppk5 + tkip_sbox((ppk4 ^ ((256 * key[11]) + key[10])) % 65536);
659 ppk0 = ppk0 + rotr1(ppk5 ^ ((256 * key[13]) + key[12]));
660 ppk1 = ppk1 + rotr1(ppk0 ^ ((256 * key[15]) + key[14]));
661 ppk2 = ppk2 + rotr1(ppk1);
662 ppk3 = ppk3 + rotr1(ppk2);
663 ppk4 = ppk4 + rotr1(ppk3);
664 ppk5 = ppk5 + rotr1(ppk4);
666 /* Phase 2, Step 3 */
667 /* Phase 2, Step 3 */
669 tsc0 = (unsigned int)((pnh >> 16) % 65536); /* msb */
670 tsc1 = (unsigned int)(pnh % 65536);
671 tsc2 = (unsigned int)(pnl % 65536); /* lsb */
673 rc4key[0] = (tsc2 >> 8) % 256;
674 rc4key[1] = (((tsc2 >> 8) % 256) | 0x20) & 0x7f;
675 rc4key[2] = tsc2 % 256;
676 rc4key[3] = ((ppk5 ^ ((256 * key[1]) + key[0])) >> 1) % 256;
678 rc4key[4] = ppk0 % 256;
679 rc4key[5] = (ppk0 >> 8) % 256;
681 rc4key[6] = ppk1 % 256;
682 rc4key[7] = (ppk1 >> 8) % 256;
684 rc4key[8] = ppk2 % 256;
685 rc4key[9] = (ppk2 >> 8) % 256;
687 rc4key[10] = ppk3 % 256;
688 rc4key[11] = (ppk3 >> 8) % 256;
690 rc4key[12] = ppk4 % 256;
691 rc4key[13] = (ppk4 >> 8) % 256;
693 rc4key[14] = ppk5 % 256;
694 rc4key[15] = (ppk5 >> 8) % 256;
699 /* FALSE: Decrypt Error! */
701 BOOLEAN RTMPSoftDecryptTKIP(struct rt_rtmp_adapter *pAd,
703 unsigned long DataByteCnt,
704 u8 UserPriority, struct rt_cipher_key *pWpaKey)
724 u32 p1k[5]; /*for mix_key; */
725 unsigned long pnl; /* Least significant 16 bits of PN */
726 unsigned long pnh; /* Most significant 32 bits of PN */
728 u32 payload_remainder;
729 struct rt_arcfourcontext ArcFourContext;
738 fc = *((u16 *)pData);
740 frame_type = ((fc0 >> 2) & 0x03);
741 frame_subtype = ((fc0 >> 4) & 0x0f);
743 from_ds = (fc1 & 0x2) >> 1;
746 a4_exists = (from_ds & to_ds);
747 qc_exists = ((frame_subtype == 0x08) || /* Assumed QoS subtypes */
748 (frame_subtype == 0x09) || /* Likely to change. */
749 (frame_subtype == 0x0a) || (frame_subtype == 0x0b)
756 KeyID = *((u8 *)(pData + HeaderLen + 3));
759 if (pWpaKey[KeyID].KeyLen == 0) {
760 DBGPRINT(RT_DEBUG_TRACE,
761 ("RTMPSoftDecryptTKIP failed!(KeyID[%d] Length can not be 0)\n",
766 duration = *((u16 *)(pData + 2));
768 seq_control = *((u16 *)(pData + 22));
772 qos_control = *((u16 *)(pData + 30));
774 qos_control = *((u16 *)(pData + 24));
778 if (to_ds == 0 && from_ds == 1) {
779 NdisMoveMemory(DA, pData + 4, MAC_ADDR_LEN);
780 NdisMoveMemory(SA, pData + 16, MAC_ADDR_LEN);
781 NdisMoveMemory(TA, pData + 10, MAC_ADDR_LEN); /*BSSID */
782 } else if (to_ds == 0 && from_ds == 0) {
783 NdisMoveMemory(TA, pData + 10, MAC_ADDR_LEN);
784 NdisMoveMemory(DA, pData + 4, MAC_ADDR_LEN);
785 NdisMoveMemory(SA, pData + 10, MAC_ADDR_LEN);
786 } else if (to_ds == 1 && from_ds == 0) {
787 NdisMoveMemory(SA, pData + 10, MAC_ADDR_LEN);
788 NdisMoveMemory(TA, pData + 10, MAC_ADDR_LEN);
789 NdisMoveMemory(DA, pData + 16, MAC_ADDR_LEN);
790 } else if (to_ds == 1 && from_ds == 1) {
791 NdisMoveMemory(TA, pData + 10, MAC_ADDR_LEN);
792 NdisMoveMemory(DA, pData + 16, MAC_ADDR_LEN);
793 NdisMoveMemory(SA, pData + 22, MAC_ADDR_LEN);
796 num_blocks = (DataByteCnt - 16) / 16;
797 payload_remainder = (DataByteCnt - 16) % 16;
799 pnl = (*(pData + HeaderLen)) * 256 + *(pData + HeaderLen + 2);
800 pnh = *((unsigned long *)(pData + HeaderLen + 4));
802 RTMPTkipMixKey(pWpaKey[KeyID].Key, TA, pnl, pnh, RC4Key, p1k);
804 ARCFOUR_INIT(&ArcFourContext, RC4Key, 16);
806 ARCFOUR_DECRYPT(&ArcFourContext, pData + HeaderLen,
807 pData + HeaderLen + 8, DataByteCnt - HeaderLen - 8);
808 NdisMoveMemory(&trailfcs, pData + DataByteCnt - 8 - 4, 4);
809 crc32 = RTMP_CALC_FCS32(PPPINITFCS32, pData + HeaderLen, DataByteCnt - HeaderLen - 8 - 4); /*Skip IV+EIV 8 bytes & Skip last 4 bytes(FCS). */
810 crc32 ^= 0xffffffff; /* complement */
812 if (crc32 != cpu2le32(trailfcs)) {
813 DBGPRINT(RT_DEBUG_TRACE, ("RTMPSoftDecryptTKIP, WEP Data ICV Error !\n")); /*ICV error. */
818 NdisMoveMemory(TrailMIC, pData + DataByteCnt - 8 - 8 - 4, 8);
819 RTMPInitMICEngine(pAd, pWpaKey[KeyID].Key, DA, SA, UserPriority,
820 pWpaKey[KeyID].RxMic);
821 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pData + HeaderLen,
822 DataByteCnt - HeaderLen - 8 - 12);
823 RTMPTkipGetMIC(&pAd->PrivateInfo.Tx);
824 NdisMoveMemory(MIC, pAd->PrivateInfo.Tx.MIC, 8);
826 if (!NdisEqualMemory(MIC, TrailMIC, 8)) {
827 DBGPRINT(RT_DEBUG_ERROR, ("RTMPSoftDecryptTKIP, WEP Data MIC Error !\n")); /*MIC error. */
828 /*RTMPReportMicError(pAd, &pWpaKey[KeyID]); // marked by AlbertY @ 20060630 */
831 /*DBGPRINT(RT_DEBUG_TRACE, "RTMPSoftDecryptTKIP Decript done!!\n"); */