2 *************************************************************************
4 * 5F., No.36, Taiyuan St., Jhubei City,
8 * (c) Copyright 2002-2007, Ralink Technology, Inc.
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
15 * This program is distributed in the hope that it will be useful, *
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
18 * GNU General Public License for more details. *
20 * You should have received a copy of the GNU General Public License *
21 * along with this program; if not, write to the *
22 * Free Software Foundation, Inc., *
23 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
25 *************************************************************************
34 -------- ---------- ----------------------------------------------
35 Paul Wu 02-25-02 Initial
38 #include "../rt_config.h"
40 // Rotation functions on 32 bit values
41 #define ROL32( A, n ) \
42 ( ((A) << (n)) | ( ((A)>>(32-(n))) & ( (1UL << (n)) - 1 ) ) )
43 #define ROR32( A, n ) ROL32( (A), 32-(n) )
45 UINT Tkip_Sbox_Lower[256] =
47 0xA5,0x84,0x99,0x8D,0x0D,0xBD,0xB1,0x54,
48 0x50,0x03,0xA9,0x7D,0x19,0x62,0xE6,0x9A,
49 0x45,0x9D,0x40,0x87,0x15,0xEB,0xC9,0x0B,
50 0xEC,0x67,0xFD,0xEA,0xBF,0xF7,0x96,0x5B,
51 0xC2,0x1C,0xAE,0x6A,0x5A,0x41,0x02,0x4F,
52 0x5C,0xF4,0x34,0x08,0x93,0x73,0x53,0x3F,
53 0x0C,0x52,0x65,0x5E,0x28,0xA1,0x0F,0xB5,
54 0x09,0x36,0x9B,0x3D,0x26,0x69,0xCD,0x9F,
55 0x1B,0x9E,0x74,0x2E,0x2D,0xB2,0xEE,0xFB,
56 0xF6,0x4D,0x61,0xCE,0x7B,0x3E,0x71,0x97,
57 0xF5,0x68,0x00,0x2C,0x60,0x1F,0xC8,0xED,
58 0xBE,0x46,0xD9,0x4B,0xDE,0xD4,0xE8,0x4A,
59 0x6B,0x2A,0xE5,0x16,0xC5,0xD7,0x55,0x94,
60 0xCF,0x10,0x06,0x81,0xF0,0x44,0xBA,0xE3,
61 0xF3,0xFE,0xC0,0x8A,0xAD,0xBC,0x48,0x04,
62 0xDF,0xC1,0x75,0x63,0x30,0x1A,0x0E,0x6D,
63 0x4C,0x14,0x35,0x2F,0xE1,0xA2,0xCC,0x39,
64 0x57,0xF2,0x82,0x47,0xAC,0xE7,0x2B,0x95,
65 0xA0,0x98,0xD1,0x7F,0x66,0x7E,0xAB,0x83,
66 0xCA,0x29,0xD3,0x3C,0x79,0xE2,0x1D,0x76,
67 0x3B,0x56,0x4E,0x1E,0xDB,0x0A,0x6C,0xE4,
68 0x5D,0x6E,0xEF,0xA6,0xA8,0xA4,0x37,0x8B,
69 0x32,0x43,0x59,0xB7,0x8C,0x64,0xD2,0xE0,
70 0xB4,0xFA,0x07,0x25,0xAF,0x8E,0xE9,0x18,
71 0xD5,0x88,0x6F,0x72,0x24,0xF1,0xC7,0x51,
72 0x23,0x7C,0x9C,0x21,0xDD,0xDC,0x86,0x85,
73 0x90,0x42,0xC4,0xAA,0xD8,0x05,0x01,0x12,
74 0xA3,0x5F,0xF9,0xD0,0x91,0x58,0x27,0xB9,
75 0x38,0x13,0xB3,0x33,0xBB,0x70,0x89,0xA7,
76 0xB6,0x22,0x92,0x20,0x49,0xFF,0x78,0x7A,
77 0x8F,0xF8,0x80,0x17,0xDA,0x31,0xC6,0xB8,
78 0xC3,0xB0,0x77,0x11,0xCB,0xFC,0xD6,0x3A
81 UINT Tkip_Sbox_Upper[256] =
83 0xC6,0xF8,0xEE,0xF6,0xFF,0xD6,0xDE,0x91,
84 0x60,0x02,0xCE,0x56,0xE7,0xB5,0x4D,0xEC,
85 0x8F,0x1F,0x89,0xFA,0xEF,0xB2,0x8E,0xFB,
86 0x41,0xB3,0x5F,0x45,0x23,0x53,0xE4,0x9B,
87 0x75,0xE1,0x3D,0x4C,0x6C,0x7E,0xF5,0x83,
88 0x68,0x51,0xD1,0xF9,0xE2,0xAB,0x62,0x2A,
89 0x08,0x95,0x46,0x9D,0x30,0x37,0x0A,0x2F,
90 0x0E,0x24,0x1B,0xDF,0xCD,0x4E,0x7F,0xEA,
91 0x12,0x1D,0x58,0x34,0x36,0xDC,0xB4,0x5B,
92 0xA4,0x76,0xB7,0x7D,0x52,0xDD,0x5E,0x13,
93 0xA6,0xB9,0x00,0xC1,0x40,0xE3,0x79,0xB6,
94 0xD4,0x8D,0x67,0x72,0x94,0x98,0xB0,0x85,
95 0xBB,0xC5,0x4F,0xED,0x86,0x9A,0x66,0x11,
96 0x8A,0xE9,0x04,0xFE,0xA0,0x78,0x25,0x4B,
97 0xA2,0x5D,0x80,0x05,0x3F,0x21,0x70,0xF1,
98 0x63,0x77,0xAF,0x42,0x20,0xE5,0xFD,0xBF,
99 0x81,0x18,0x26,0xC3,0xBE,0x35,0x88,0x2E,
100 0x93,0x55,0xFC,0x7A,0xC8,0xBA,0x32,0xE6,
101 0xC0,0x19,0x9E,0xA3,0x44,0x54,0x3B,0x0B,
102 0x8C,0xC7,0x6B,0x28,0xA7,0xBC,0x16,0xAD,
103 0xDB,0x64,0x74,0x14,0x92,0x0C,0x48,0xB8,
104 0x9F,0xBD,0x43,0xC4,0x39,0x31,0xD3,0xF2,
105 0xD5,0x8B,0x6E,0xDA,0x01,0xB1,0x9C,0x49,
106 0xD8,0xAC,0xF3,0xCF,0xCA,0xF4,0x47,0x10,
107 0x6F,0xF0,0x4A,0x5C,0x38,0x57,0x73,0x97,
108 0xCB,0xA1,0xE8,0x3E,0x96,0x61,0x0D,0x0F,
109 0xE0,0x7C,0x71,0xCC,0x90,0x06,0xF7,0x1C,
110 0xC2,0x6A,0xAE,0x69,0x17,0x99,0x3A,0x27,
111 0xD9,0xEB,0x2B,0x22,0xD2,0xA9,0x07,0x33,
112 0x2D,0x3C,0x15,0xC9,0x87,0xAA,0x50,0xA5,
113 0x03,0x59,0x09,0x1A,0x65,0xD7,0x84,0xD0,
114 0x82,0x29,0x5A,0x1E,0x7B,0xA8,0x6D,0x2C
118 // Expanded IV for TKIP function.
120 typedef struct PACKED _IV_CONTROL_
146 } TKIP_IV, *PTKIP_IV;
150 ========================================================================
153 Convert from UCHAR[] to ULONG in a portable way
156 pMICKey pointer to MIC Key
163 ========================================================================
165 ULONG RTMPTkipGetUInt32(
171 for (i = 0; i < 4; i++)
173 res |= (*pMICKey++) << (8 * i);
180 ========================================================================
183 Convert from ULONG to UCHAR[] in a portable way
186 pDst pointer to destination for convert ULONG to UCHAR[]
187 val the value for convert
192 IRQL = DISPATCH_LEVEL
196 ========================================================================
198 VOID RTMPTkipPutUInt32(
204 for(i = 0; i < 4; i++)
206 *pDst++ = (UCHAR) (val & 0xff);
212 ========================================================================
218 pAd Pointer to our adapter
219 pMICKey pointer to MIC Key
224 IRQL = DISPATCH_LEVEL
228 ========================================================================
230 VOID RTMPTkipSetMICKey(
231 IN PTKIP_KEY_INFO pTkip,
235 pTkip->K0 = RTMPTkipGetUInt32(pMICKey);
236 pTkip->K1 = RTMPTkipGetUInt32(pMICKey + 4);
237 // and reset the message
238 pTkip->L = pTkip->K0;
239 pTkip->R = pTkip->K1;
240 pTkip->nBytesInM = 0;
245 ========================================================================
248 Calculate the MIC Value.
251 pAd Pointer to our adapter
252 uChar Append this uChar
257 IRQL = DISPATCH_LEVEL
261 ========================================================================
263 VOID RTMPTkipAppendByte(
264 IN PTKIP_KEY_INFO pTkip,
267 // Append the byte to our word-sized buffer
268 pTkip->M |= (uChar << (8* pTkip->nBytesInM));
270 // Process the word if it is full.
271 if( pTkip->nBytesInM >= 4 )
273 pTkip->L ^= pTkip->M;
274 pTkip->R ^= ROL32( pTkip->L, 17 );
275 pTkip->L += pTkip->R;
276 pTkip->R ^= ((pTkip->L & 0xff00ff00) >> 8) | ((pTkip->L & 0x00ff00ff) << 8);
277 pTkip->L += pTkip->R;
278 pTkip->R ^= ROL32( pTkip->L, 3 );
279 pTkip->L += pTkip->R;
280 pTkip->R ^= ROR32( pTkip->L, 2 );
281 pTkip->L += pTkip->R;
284 pTkip->nBytesInM = 0;
289 ========================================================================
292 Calculate the MIC Value.
295 pAd Pointer to our adapter
296 pSrc Pointer to source data for Calculate MIC Value
297 Len Indicate the length of the source data
302 IRQL = DISPATCH_LEVEL
306 ========================================================================
309 IN PTKIP_KEY_INFO pTkip,
316 RTMPTkipAppendByte(pTkip, *pSrc++);
322 ========================================================================
328 pAd Pointer to our adapter
333 IRQL = DISPATCH_LEVEL
336 the MIC Value is store in pAd->PrivateInfo.MIC
337 ========================================================================
340 IN PTKIP_KEY_INFO pTkip)
342 // Append the minimum padding
343 RTMPTkipAppendByte(pTkip, 0x5a );
344 RTMPTkipAppendByte(pTkip, 0 );
345 RTMPTkipAppendByte(pTkip, 0 );
346 RTMPTkipAppendByte(pTkip, 0 );
347 RTMPTkipAppendByte(pTkip, 0 );
348 // and then zeroes until the length is a multiple of 4
349 while( pTkip->nBytesInM != 0 )
351 RTMPTkipAppendByte(pTkip, 0 );
353 // The appendByte function has already computed the result.
354 RTMPTkipPutUInt32(pTkip->MIC, pTkip->L);
355 RTMPTkipPutUInt32(pTkip->MIC + 4, pTkip->R);
359 ========================================================================
365 pAd Pointer to our adapter
366 pTKey Pointer to the Temporal Key (TK), TK shall be 128bits.
368 pTA Pointer to transmitter address
369 pMICKey pointer to MIC Key
374 IRQL = DISPATCH_LEVEL
378 ========================================================================
380 VOID RTMPInitTkipEngine(
381 IN PRTMP_ADAPTER pAd,
392 // Prepare 8 bytes TKIP encapsulation for MPDU
393 NdisZeroMemory(&tkipIv, sizeof(TKIP_IV));
394 tkipIv.IV16.field.rc0 = *(pTSC + 1);
395 tkipIv.IV16.field.rc1 = (tkipIv.IV16.field.rc0 | 0x20) & 0x7f;
396 tkipIv.IV16.field.rc2 = *pTSC;
397 tkipIv.IV16.field.CONTROL.field.ExtIV = 1; // 0: non-extended IV, 1: an extended IV
398 tkipIv.IV16.field.CONTROL.field.KeyID = KeyId;
399 // tkipIv.IV32 = *(PULONG)(pTSC + 2);
400 NdisMoveMemory(&tkipIv.IV32, (pTSC + 2), 4); // Copy IV
402 *pIV16 = tkipIv.IV16.word;
403 *pIV32 = tkipIv.IV32;
407 ========================================================================
410 Init MIC Value calculation function which include set MIC key &
411 calculate first 16 bytes (DA + SA + priority + 0)
414 pAd Pointer to our adapter
415 pTKey Pointer to the Temporal Key (TK), TK shall be 128bits.
416 pDA Pointer to DA address
417 pSA Pointer to SA address
418 pMICKey pointer to MIC Key
425 ========================================================================
427 VOID RTMPInitMICEngine(
428 IN PRTMP_ADAPTER pAd,
432 IN UCHAR UserPriority,
435 ULONG Priority = UserPriority;
437 // Init MIC value calculation
438 RTMPTkipSetMICKey(&pAd->PrivateInfo.Tx, pMICKey);
440 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pDA, MAC_ADDR_LEN);
442 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSA, MAC_ADDR_LEN);
443 // Priority + 3 bytes of 0
444 RTMPTkipAppend(&pAd->PrivateInfo.Tx, (PUCHAR)&Priority, 4);
448 ========================================================================
451 Compare MIC value of received MSDU
454 pAd Pointer to our adapter
455 pSrc Pointer to the received Plain text data
456 pDA Pointer to DA address
457 pSA Pointer to SA address
458 pMICKey pointer to MIC Key
459 Len the length of the received plain text data exclude MIC value
462 TRUE MIC value matched
463 FALSE MIC value mismatched
465 IRQL = DISPATCH_LEVEL
469 ========================================================================
471 BOOLEAN RTMPTkipCompareMICValue(
472 IN PRTMP_ADAPTER pAd,
477 IN UCHAR UserPriority,
481 ULONG Priority = UserPriority;
483 // Init MIC value calculation
484 RTMPTkipSetMICKey(&pAd->PrivateInfo.Rx, pMICKey);
486 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pDA, MAC_ADDR_LEN);
488 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pSA, MAC_ADDR_LEN);
489 // Priority + 3 bytes of 0
490 RTMPTkipAppend(&pAd->PrivateInfo.Rx, (PUCHAR)&Priority, 4);
492 // Calculate MIC value from plain text data
493 RTMPTkipAppend(&pAd->PrivateInfo.Rx, pSrc, Len);
495 // Get MIC valude from received frame
496 NdisMoveMemory(OldMic, pSrc + Len, 8);
498 // Get MIC value from decrypted plain data
499 RTMPTkipGetMIC(&pAd->PrivateInfo.Rx);
501 // Move MIC value from MSDU, this steps should move to data path.
502 // Since the MIC value might cross MPDUs.
503 if(!NdisEqualMemory(pAd->PrivateInfo.Rx.MIC, OldMic, 8))
505 DBGPRINT_RAW(RT_DEBUG_ERROR, ("RTMPTkipCompareMICValue(): TKIP MIC Error !\n")); //MIC error.
514 ========================================================================
517 Copy frame from waiting queue into relative ring buffer and set
518 appropriate ASIC register to kick hardware transmit function
521 pAd Pointer to our adapter
522 PNDIS_PACKET Pointer to Ndis Packet for MIC calculation
523 pEncap Pointer to LLC encap data
524 LenEncap Total encap length, might be 0 which indicates no encap
529 IRQL = DISPATCH_LEVEL
533 ========================================================================
535 VOID RTMPCalculateMICValue(
536 IN PRTMP_ADAPTER pAd,
537 IN PNDIS_PACKET pPacket,
542 PACKET_INFO PacketInfo;
547 UCHAR vlan_offset = 0;
549 RTMP_QueryPacketInfo(pPacket, &PacketInfo, &pSrcBufVA, &SrcBufLen);
551 UserPriority = RTMP_GET_PACKET_UP(pPacket);
554 // determine if this is a vlan packet
555 if (((*(pSrc + 12) << 8) + *(pSrc + 13)) == 0x8100)
572 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pEncap, 6);
574 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSrc + 12 + vlan_offset, 2);
576 SrcBufLen -= (14 + vlan_offset);
577 pSrc += (14 + vlan_offset);
582 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pSrc, SrcBufLen);
585 break; // No need handle next packet
587 } while (TRUE); // End of copying payload
589 // Compute the final MIC Value
590 RTMPTkipGetMIC(&pAd->PrivateInfo.Tx);
594 /************************************************************/
596 /* Returns a 16 bit value from a 64K entry table. The Table */
597 /* is synthesized from two 256 entry byte wide tables. */
598 /************************************************************/
600 UINT tkip_sbox(UINT index)
606 index_low = (index % 256);
607 index_high = ((index >> 8) % 256);
609 left = Tkip_Sbox_Lower[index_low] + (Tkip_Sbox_Upper[index_low] * 256);
610 right = Tkip_Sbox_Upper[index_high] + (Tkip_Sbox_Lower[index_high] * 256);
612 return (left ^ right);
619 if ((a & 0x01) == 0x01)
621 b = (a >> 1) | 0x8000;
625 b = (a >> 1) & 0x7fff;
634 ULONG pnl, /* Least significant 16 bits of PN */
635 ULONG pnh, /* Most significant 32 bits of PN */
654 tsc0 = (unsigned int)((pnh >> 16) % 65536); /* msb */
655 tsc1 = (unsigned int)(pnh % 65536);
656 tsc2 = (unsigned int)(pnl % 65536); /* lsb */
658 /* Phase 1, step 1 */
661 p1k[2] = (UINT)(ta[0] + (ta[1]*256));
662 p1k[3] = (UINT)(ta[2] + (ta[3]*256));
663 p1k[4] = (UINT)(ta[4] + (ta[5]*256));
665 /* Phase 1, step 2 */
669 p1k[0] = (p1k[0] + tkip_sbox( (p1k[4] ^ ((256*key[1+j]) + key[j])) % 65536 )) % 65536;
670 p1k[1] = (p1k[1] + tkip_sbox( (p1k[0] ^ ((256*key[5+j]) + key[4+j])) % 65536 )) % 65536;
671 p1k[2] = (p1k[2] + tkip_sbox( (p1k[1] ^ ((256*key[9+j]) + key[8+j])) % 65536 )) % 65536;
672 p1k[3] = (p1k[3] + tkip_sbox( (p1k[2] ^ ((256*key[13+j]) + key[12+j])) % 65536 )) % 65536;
673 p1k[4] = (p1k[4] + tkip_sbox( (p1k[3] ^ (((256*key[1+j]) + key[j]))) % 65536 )) % 65536;
674 p1k[4] = (p1k[4] + i) % 65536;
677 /* Phase 2, Step 1 */
683 ppk5 = (p1k[4] + tsc2) % 65536;
686 ppk0 = ppk0 + tkip_sbox( (ppk5 ^ ((256*key[1]) + key[0])) % 65536);
687 ppk1 = ppk1 + tkip_sbox( (ppk0 ^ ((256*key[3]) + key[2])) % 65536);
688 ppk2 = ppk2 + tkip_sbox( (ppk1 ^ ((256*key[5]) + key[4])) % 65536);
689 ppk3 = ppk3 + tkip_sbox( (ppk2 ^ ((256*key[7]) + key[6])) % 65536);
690 ppk4 = ppk4 + tkip_sbox( (ppk3 ^ ((256*key[9]) + key[8])) % 65536);
691 ppk5 = ppk5 + tkip_sbox( (ppk4 ^ ((256*key[11]) + key[10])) % 65536);
693 ppk0 = ppk0 + rotr1(ppk5 ^ ((256*key[13]) + key[12]));
694 ppk1 = ppk1 + rotr1(ppk0 ^ ((256*key[15]) + key[14]));
695 ppk2 = ppk2 + rotr1(ppk1);
696 ppk3 = ppk3 + rotr1(ppk2);
697 ppk4 = ppk4 + rotr1(ppk3);
698 ppk5 = ppk5 + rotr1(ppk4);
700 /* Phase 2, Step 3 */
701 /* Phase 2, Step 3 */
703 tsc0 = (unsigned int)((pnh >> 16) % 65536); /* msb */
704 tsc1 = (unsigned int)(pnh % 65536);
705 tsc2 = (unsigned int)(pnl % 65536); /* lsb */
707 rc4key[0] = (tsc2 >> 8) % 256;
708 rc4key[1] = (((tsc2 >> 8) % 256) | 0x20) & 0x7f;
709 rc4key[2] = tsc2 % 256;
710 rc4key[3] = ((ppk5 ^ ((256*key[1]) + key[0])) >> 1) % 256;
712 rc4key[4] = ppk0 % 256;
713 rc4key[5] = (ppk0 >> 8) % 256;
715 rc4key[6] = ppk1 % 256;
716 rc4key[7] = (ppk1 >> 8) % 256;
718 rc4key[8] = ppk2 % 256;
719 rc4key[9] = (ppk2 >> 8) % 256;
721 rc4key[10] = ppk3 % 256;
722 rc4key[11] = (ppk3 >> 8) % 256;
724 rc4key[12] = ppk4 % 256;
725 rc4key[13] = (ppk4 >> 8) % 256;
727 rc4key[14] = ppk5 % 256;
728 rc4key[15] = (ppk5 >> 8) % 256;
734 // FALSE: Decrypt Error!
736 BOOLEAN RTMPSoftDecryptTKIP(
737 IN PRTMP_ADAPTER pAd,
739 IN ULONG DataByteCnt,
740 IN UCHAR UserPriority,
741 IN PCIPHER_KEY pWpaKey)
757 UCHAR TA[MAC_ADDR_LEN];
758 UCHAR DA[MAC_ADDR_LEN];
759 UCHAR SA[MAC_ADDR_LEN];
761 UINT p1k[5]; //for mix_key;
762 ULONG pnl;/* Least significant 16 bits of PN */
763 ULONG pnh;/* Most significant 32 bits of PN */
765 UINT payload_remainder;
766 ARCFOURCONTEXT ArcFourContext;
776 fc = *((PUSHORT)pData);
778 frame_type = ((fc0 >> 2) & 0x03);
779 frame_subtype = ((fc0 >> 4) & 0x0f);
781 from_ds = (fc1 & 0x2) >> 1;
784 a4_exists = (from_ds & to_ds);
785 qc_exists = ((frame_subtype == 0x08) || /* Assumed QoS subtypes */
786 (frame_subtype == 0x09) || /* Likely to change. */
787 (frame_subtype == 0x0a) ||
788 (frame_subtype == 0x0b)
795 KeyID = *((PUCHAR)(pData+ HeaderLen + 3));
798 if (pWpaKey[KeyID].KeyLen == 0)
800 DBGPRINT(RT_DEBUG_TRACE, ("RTMPSoftDecryptTKIP failed!(KeyID[%d] Length can not be 0)\n", KeyID));
804 duration = *((PUSHORT)(pData+2));
806 seq_control = *((PUSHORT)(pData+22));
812 qos_control = *((PUSHORT)(pData+30));
816 qos_control = *((PUSHORT)(pData+24));
820 if (to_ds == 0 && from_ds == 1)
822 NdisMoveMemory(DA, pData+4, MAC_ADDR_LEN);
823 NdisMoveMemory(SA, pData+16, MAC_ADDR_LEN);
824 NdisMoveMemory(TA, pData+10, MAC_ADDR_LEN); //BSSID
826 else if (to_ds == 0 && from_ds == 0 )
828 NdisMoveMemory(TA, pData+10, MAC_ADDR_LEN);
829 NdisMoveMemory(DA, pData+4, MAC_ADDR_LEN);
830 NdisMoveMemory(SA, pData+10, MAC_ADDR_LEN);
832 else if (to_ds == 1 && from_ds == 0)
834 NdisMoveMemory(SA, pData+10, MAC_ADDR_LEN);
835 NdisMoveMemory(TA, pData+10, MAC_ADDR_LEN);
836 NdisMoveMemory(DA, pData+16, MAC_ADDR_LEN);
838 else if (to_ds == 1 && from_ds == 1)
840 NdisMoveMemory(TA, pData+10, MAC_ADDR_LEN);
841 NdisMoveMemory(DA, pData+16, MAC_ADDR_LEN);
842 NdisMoveMemory(SA, pData+22, MAC_ADDR_LEN);
845 num_blocks = (DataByteCnt - 16) / 16;
846 payload_remainder = (DataByteCnt - 16) % 16;
848 pnl = (*(pData + HeaderLen)) * 256 + *(pData + HeaderLen + 2);
849 pnh = *((PULONG)(pData + HeaderLen + 4));
851 RTMPTkipMixKey(pWpaKey[KeyID].Key, TA, pnl, pnh, RC4Key, p1k);
853 ARCFOUR_INIT(&ArcFourContext, RC4Key, 16);
855 ARCFOUR_DECRYPT(&ArcFourContext, pData + HeaderLen, pData + HeaderLen + 8, DataByteCnt - HeaderLen - 8);
856 NdisMoveMemory(&trailfcs, pData + DataByteCnt - 8 - 4, 4);
857 crc32 = RTMP_CALC_FCS32(PPPINITFCS32, pData + HeaderLen, DataByteCnt - HeaderLen - 8 - 4); //Skip IV+EIV 8 bytes & Skip last 4 bytes(FCS).
858 crc32 ^= 0xffffffff; /* complement */
860 if(crc32 != cpu2le32(trailfcs))
862 DBGPRINT(RT_DEBUG_TRACE, ("RTMPSoftDecryptTKIP, WEP Data ICV Error !\n")); //ICV error.
867 NdisMoveMemory(TrailMIC, pData + DataByteCnt - 8 - 8 - 4, 8);
868 RTMPInitMICEngine(pAd, pWpaKey[KeyID].Key, DA, SA, UserPriority, pWpaKey[KeyID].RxMic);
869 RTMPTkipAppend(&pAd->PrivateInfo.Tx, pData + HeaderLen, DataByteCnt - HeaderLen - 8 - 12);
870 RTMPTkipGetMIC(&pAd->PrivateInfo.Tx);
871 NdisMoveMemory(MIC, pAd->PrivateInfo.Tx.MIC, 8);
873 if (!NdisEqualMemory(MIC, TrailMIC, 8))
875 DBGPRINT(RT_DEBUG_ERROR, ("RTMPSoftDecryptTKIP, WEP Data MIC Error !\n")); //MIC error.
876 //RTMPReportMicError(pAd, &pWpaKey[KeyID]); // marked by AlbertY @ 20060630
880 //DBGPRINT(RT_DEBUG_TRACE, "RTMPSoftDecryptTKIP Decript done!!\n");