34
35/*
36 * IEEE 802.11i AES-CCMP crypto support.
37 *
38 * Part of this module is derived from similar code in the Host
39 * AP driver. The code is used with the consent of the author and
40 * it's license is included below.
41 */
42#include <sys/param.h>
43#include <sys/systm.h>
44#include <sys/mbuf.h>
45#include <sys/malloc.h>
46#include <sys/kernel.h>
47#include <sys/module.h>
48
49#include <sys/socket.h>
50
51#include <net/if.h>
52#include <net/if_media.h>
53#include <net/ethernet.h>
54
55#include <net80211/ieee80211_var.h>
56
57#include <crypto/rijndael/rijndael.h>
58
59#define AES_BLOCK_LEN 16
60
61struct ccmp_ctx {
62 struct ieee80211com *cc_ic; /* for diagnostics */
63 rijndael_ctx cc_aes;
64};
65
66static void *ccmp_attach(struct ieee80211com *, struct ieee80211_key *);
67static void ccmp_detach(struct ieee80211_key *);
68static int ccmp_setkey(struct ieee80211_key *);
69static int ccmp_encap(struct ieee80211_key *k, struct mbuf *, u_int8_t keyid);
70static int ccmp_decap(struct ieee80211_key *, struct mbuf *);
71static int ccmp_enmic(struct ieee80211_key *, struct mbuf *);
72static int ccmp_demic(struct ieee80211_key *, struct mbuf *);
73
74static const struct ieee80211_cipher ccmp = {
75 .ic_name = "AES-CCM",
76 .ic_cipher = IEEE80211_CIPHER_AES_CCM,
77 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
78 IEEE80211_WEP_EXTIVLEN,
79 .ic_trailer = IEEE80211_WEP_MICLEN,
80 .ic_miclen = 0,
81 .ic_attach = ccmp_attach,
82 .ic_detach = ccmp_detach,
83 .ic_setkey = ccmp_setkey,
84 .ic_encap = ccmp_encap,
85 .ic_decap = ccmp_decap,
86 .ic_enmic = ccmp_enmic,
87 .ic_demic = ccmp_demic,
88};
89
90static int ccmp_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
91static int ccmp_decrypt(struct ieee80211_key *, u_int64_t pn,
92 struct mbuf *, int hdrlen);
93
94static void *
95ccmp_attach(struct ieee80211com *ic, struct ieee80211_key *k)
96{
97 struct ccmp_ctx *ctx;
98
99 MALLOC(ctx, struct ccmp_ctx *, sizeof(struct ccmp_ctx),
100 M_DEVBUF, M_NOWAIT | M_ZERO);
101 if (ctx == NULL) {
102 ic->ic_stats.is_crypto_nomem++;
103 return NULL;
104 }
105 ctx->cc_ic = ic;
106 return ctx;
107}
108
109static void
110ccmp_detach(struct ieee80211_key *k)
111{
112 struct ccmp_ctx *ctx = k->wk_private;
113
114 FREE(ctx, M_DEVBUF);
115}
116
117static int
118ccmp_setkey(struct ieee80211_key *k)
119{
120 struct ccmp_ctx *ctx = k->wk_private;
121
122 if (k->wk_keylen != (128/NBBY)) {
123 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
124 "%s: Invalid key length %u, expecting %u\n",
125 __func__, k->wk_keylen, 128/NBBY);
126 return 0;
127 }
128 if (k->wk_flags & IEEE80211_KEY_SWCRYPT)
129 rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);
130 return 1;
131}
132
133/*
134 * Add privacy headers appropriate for the specified key.
135 */
136static int
137ccmp_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid)
138{
139 struct ccmp_ctx *ctx = k->wk_private;
140 struct ieee80211com *ic = ctx->cc_ic;
141 u_int8_t *ivp;
142 int hdrlen;
143
144 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
145
146 /*
147 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
148 */
149 M_PREPEND(m, ccmp.ic_header, M_NOWAIT);
150 if (m == NULL)
151 return 0;
152 ivp = mtod(m, u_int8_t *);
153 ovbcopy(ivp + ccmp.ic_header, ivp, hdrlen);
154 ivp += hdrlen;
155
156 k->wk_keytsc++; /* XXX wrap at 48 bits */
157 ivp[0] = k->wk_keytsc >> 0; /* PN0 */
158 ivp[1] = k->wk_keytsc >> 8; /* PN1 */
159 ivp[2] = 0; /* Reserved */
160 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
161 ivp[4] = k->wk_keytsc >> 16; /* PN2 */
162 ivp[5] = k->wk_keytsc >> 24; /* PN3 */
163 ivp[6] = k->wk_keytsc >> 32; /* PN4 */
164 ivp[7] = k->wk_keytsc >> 40; /* PN5 */
165
166 /*
167 * Finally, do software encrypt if neeed.
168 */
169 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
170 !ccmp_encrypt(k, m, hdrlen))
171 return 0;
172
173 return 1;
174}
175
176/*
177 * Add MIC to the frame as needed.
178 */
179static int
180ccmp_enmic(struct ieee80211_key *k, struct mbuf *m)
181{
182
183 return 1;
184}
185
186static __inline uint64_t
187READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
188{
189 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
190 uint16_t iv16 = (b4 << 0) | (b5 << 8);
191 return (((uint64_t)iv16) << 32) | iv32;
192}
193
194/*
195 * Validate and strip privacy headers (and trailer) for a
196 * received frame. The specified key should be correct but
197 * is also verified.
198 */
199static int
200ccmp_decap(struct ieee80211_key *k, struct mbuf *m)
201{
202 struct ccmp_ctx *ctx = k->wk_private;
203 struct ieee80211_frame *wh;
204 uint8_t *ivp;
205 uint64_t pn;
206 int hdrlen;
207
208 /*
209 * Header should have extended IV and sequence number;
210 * verify the former and validate the latter.
211 */
212 wh = mtod(m, struct ieee80211_frame *);
213 hdrlen = ieee80211_hdrsize(wh);
214 ivp = mtod(m, uint8_t *) + hdrlen;
215 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
216 /*
217 * No extended IV; discard frame.
218 */
219 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
220 "[%s] Missing ExtIV for AES-CCM cipher\n",
221 ether_sprintf(wh->i_addr2));
222 ctx->cc_ic->ic_stats.is_rx_ccmpformat++;
223 return 0;
224 }
225 pn = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
226 if (pn <= k->wk_keyrsc) {
227 /*
228 * Replay violation.
229 */
230 ieee80211_notify_replay_failure(ctx->cc_ic, wh, k, pn);
231 ctx->cc_ic->ic_stats.is_rx_ccmpreplay++;
232 return 0;
233 }
234
235 /*
236 * Check if the device handled the decrypt in hardware.
237 * If so we just strip the header; otherwise we need to
238 * handle the decrypt in software. Note that for the
239 * latter we leave the header in place for use in the
240 * decryption work.
241 */
242 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
243 !ccmp_decrypt(k, pn, m, hdrlen))
244 return 0;
245
246 /*
247 * Copy up 802.11 header and strip crypto bits.
248 */
249 ovbcopy(mtod(m, void *), mtod(m, u_int8_t *) + ccmp.ic_header, hdrlen);
250 m_adj(m, ccmp.ic_header);
251 m_adj(m, -ccmp.ic_trailer);
252
253 /*
254 * Ok to update rsc now.
255 */
256 k->wk_keyrsc = pn;
257
258 return 1;
259}
260
261/*
262 * Verify and strip MIC from the frame.
263 */
264static int
265ccmp_demic(struct ieee80211_key *k, struct mbuf *m)
266{
267 return 1;
268}
269
270static __inline void
271xor_block(uint8_t *b, const uint8_t *a, size_t len)
272{
273 int i;
274 for (i = 0; i < len; i++)
275 b[i] ^= a[i];
276}
277
278/*
279 * Host AP crypt: host-based CCMP encryption implementation for Host AP driver
280 *
281 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
282 *
283 * This program is free software; you can redistribute it and/or modify
284 * it under the terms of the GNU General Public License version 2 as
285 * published by the Free Software Foundation. See README and COPYING for
286 * more details.
287 *
288 * Alternatively, this software may be distributed under the terms of BSD
289 * license.
290 */
291
292static void
293ccmp_init_blocks(rijndael_ctx *ctx, struct ieee80211_frame *wh,
294 u_int64_t pn, size_t dlen,
295 uint8_t b0[AES_BLOCK_LEN], uint8_t aad[2 * AES_BLOCK_LEN],
296 uint8_t auth[AES_BLOCK_LEN], uint8_t s0[AES_BLOCK_LEN])
297{
298#define IS_4ADDRESS(wh) \
299 ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
300#define IS_QOS_DATA(wh) IEEE80211_QOS_HAS_SEQ(wh)
301
302 /* CCM Initial Block:
303 * Flag (Include authentication header, M=3 (8-octet MIC),
304 * L=1 (2-octet Dlen))
305 * Nonce: 0x00 | A2 | PN
306 * Dlen */
307 b0[0] = 0x59;
308 /* NB: b0[1] set below */
309 IEEE80211_ADDR_COPY(b0 + 2, wh->i_addr2);
310 b0[8] = pn >> 40;
311 b0[9] = pn >> 32;
312 b0[10] = pn >> 24;
313 b0[11] = pn >> 16;
314 b0[12] = pn >> 8;
315 b0[13] = pn >> 0;
316 b0[14] = (dlen >> 8) & 0xff;
317 b0[15] = dlen & 0xff;
318
319 /* AAD:
320 * FC with bits 4..6 and 11..13 masked to zero; 14 is always one
321 * A1 | A2 | A3
322 * SC with bits 4..15 (seq#) masked to zero
323 * A4 (if present)
324 * QC (if present)
325 */
326 aad[0] = 0; /* AAD length >> 8 */
327 /* NB: aad[1] set below */
328 aad[2] = wh->i_fc[0] & 0x8f; /* XXX magic #s */
329 aad[3] = wh->i_fc[1] & 0xc7; /* XXX magic #s */
330 /* NB: we know 3 addresses are contiguous */
331 memcpy(aad + 4, wh->i_addr1, 3 * IEEE80211_ADDR_LEN);
332 aad[22] = wh->i_seq[0] & IEEE80211_SEQ_FRAG_MASK;
333 aad[23] = 0; /* all bits masked */
334 /*
335 * Construct variable-length portion of AAD based
336 * on whether this is a 4-address frame/QOS frame.
337 * We always zero-pad to 32 bytes before running it
338 * through the cipher.
339 *
340 * We also fill in the priority bits of the CCM
341 * initial block as we know whether or not we have
342 * a QOS frame.
343 */
344 if (IS_4ADDRESS(wh)) {
345 IEEE80211_ADDR_COPY(aad + 24,
346 ((struct ieee80211_frame_addr4 *)wh)->i_addr4);
347 if (IS_QOS_DATA(wh)) {
348 struct ieee80211_qosframe_addr4 *qwh4 =
349 (struct ieee80211_qosframe_addr4 *) wh;
350 aad[30] = qwh4->i_qos[0] & 0x0f;/* just priority bits */
351 aad[31] = 0;
352 b0[1] = aad[30];
353 aad[1] = 22 + IEEE80211_ADDR_LEN + 2;
354 } else {
355 *(u_int16_t *)&aad[30] = 0;
356 b0[1] = 0;
357 aad[1] = 22 + IEEE80211_ADDR_LEN;
358 }
359 } else {
360 if (IS_QOS_DATA(wh)) {
361 struct ieee80211_qosframe *qwh =
362 (struct ieee80211_qosframe*) wh;
363 aad[24] = qwh->i_qos[0] & 0x0f; /* just priority bits */
364 aad[25] = 0;
365 b0[1] = aad[24];
366 aad[1] = 22 + 2;
367 } else {
368 *(u_int16_t *)&aad[24] = 0;
369 b0[1] = 0;
370 aad[1] = 22;
371 }
372 *(u_int16_t *)&aad[26] = 0;
373 *(u_int32_t *)&aad[28] = 0;
374 }
375
376 /* Start with the first block and AAD */
377 rijndael_encrypt(ctx, b0, auth);
378 xor_block(auth, aad, AES_BLOCK_LEN);
379 rijndael_encrypt(ctx, auth, auth);
380 xor_block(auth, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN);
381 rijndael_encrypt(ctx, auth, auth);
382 b0[0] &= 0x07;
383 b0[14] = b0[15] = 0;
384 rijndael_encrypt(ctx, b0, s0);
385#undef IS_QOS_DATA
386#undef IS_4ADDRESS
387}
388
389#define CCMP_ENCRYPT(_i, _b, _b0, _pos, _e, _len) do { \
390 /* Authentication */ \
391 xor_block(_b, _pos, _len); \
392 rijndael_encrypt(&ctx->cc_aes, _b, _b); \
393 /* Encryption, with counter */ \
394 _b0[14] = (_i >> 8) & 0xff; \
395 _b0[15] = _i & 0xff; \
396 rijndael_encrypt(&ctx->cc_aes, _b0, _e); \
397 xor_block(_pos, _e, _len); \
398} while (0)
399
400static int
401ccmp_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
402{
403 struct ccmp_ctx *ctx = key->wk_private;
404 struct ieee80211_frame *wh;
405 struct mbuf *m = m0;
406 int data_len, i;
407 uint8_t aad[2 * AES_BLOCK_LEN], b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN],
408 e[AES_BLOCK_LEN], s0[AES_BLOCK_LEN];
409 uint8_t *pos;
410 u_int space;
411
412 ctx->cc_ic->ic_stats.is_crypto_ccmp++;
413
414 wh = mtod(m, struct ieee80211_frame *);
415 data_len = m->m_pkthdr.len - (hdrlen + ccmp.ic_header);
416 ccmp_init_blocks(&ctx->cc_aes, wh, key->wk_keytsc,
417 data_len, b0, aad, b, s0);
418
419 i = 1;
420 pos = mtod(m, uint8_t *) + hdrlen + ccmp.ic_header;
421 /* NB: assumes header is entirely in first mbuf */
422 space = m->m_len - (hdrlen + ccmp.ic_header);
423 for (;;) {
424 if (space > data_len)
425 space = data_len;
426 /*
427 * Do full blocks.
428 */
429 while (space >= AES_BLOCK_LEN) {
430 CCMP_ENCRYPT(i, b, b0, pos, e, AES_BLOCK_LEN);
431 pos += AES_BLOCK_LEN, space -= AES_BLOCK_LEN;
432 data_len -= AES_BLOCK_LEN;
433 i++;
434 }
435 if (data_len <= 0) /* no more data */
436 break;
437 m = m->m_next;
438 if (m == NULL) { /* last buffer */
439 if (space != 0) {
440 /*
441 * Short last block.
442 */
443 CCMP_ENCRYPT(i, b, b0, pos, e, space);
444 }
445 break;
446 }
447 if (space != 0) {
448 uint8_t *pos_next;
449 u_int space_next;
450 u_int len;
451
452 /*
453 * Block straddles buffers, split references. We
454 * do not handle splits that require >2 buffers.
455 */
456 pos_next = mtod(m, uint8_t *);
457 len = min(data_len, AES_BLOCK_LEN);
458 space_next = len > space ? len - space : 0;
459 KASSERT(m->m_len >= space_next,
460 ("not enough data in following buffer, "
461 "m_len %u need %u\n", m->m_len, space_next));
462
463 xor_block(b+space, pos_next, space_next);
464 CCMP_ENCRYPT(i, b, b0, pos, e, space);
465 xor_block(pos_next, e+space, space_next);
466 data_len -= len;
467 /* XXX could check for data_len <= 0 */
468 i++;
469
470 pos = pos_next + space_next;
471 space = m->m_len - space_next;
472 } else {
473 /*
474 * Setup for next buffer.
475 */
476 pos = mtod(m, uint8_t *);
477 space = m->m_len;
478 }
479 }
480 /* tack on MIC */
481 xor_block(b, s0, ccmp.ic_trailer);
482 return m_append(m0, ccmp.ic_trailer, b);
483}
484#undef CCMP_ENCRYPT
485
486#define CCMP_DECRYPT(_i, _b, _b0, _pos, _a, _len) do { \
487 /* Decrypt, with counter */ \
488 _b0[14] = (_i >> 8) & 0xff; \
489 _b0[15] = _i & 0xff; \
490 rijndael_encrypt(&ctx->cc_aes, _b0, _b); \
491 xor_block(_pos, _b, _len); \
492 /* Authentication */ \
493 xor_block(_a, _pos, _len); \
494 rijndael_encrypt(&ctx->cc_aes, _a, _a); \
495} while (0)
496
497static int
498ccmp_decrypt(struct ieee80211_key *key, u_int64_t pn, struct mbuf *m, int hdrlen)
499{
500 struct ccmp_ctx *ctx = key->wk_private;
501 struct ieee80211_frame *wh;
502 uint8_t aad[2 * AES_BLOCK_LEN];
503 uint8_t b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN], a[AES_BLOCK_LEN];
504 uint8_t mic[AES_BLOCK_LEN];
505 size_t data_len;
506 int i;
507 uint8_t *pos;
508 u_int space;
509
510 ctx->cc_ic->ic_stats.is_crypto_ccmp++;
511
512 wh = mtod(m, struct ieee80211_frame *);
513 data_len = m->m_pkthdr.len - (hdrlen + ccmp.ic_header + ccmp.ic_trailer);
514 ccmp_init_blocks(&ctx->cc_aes, wh, pn, data_len, b0, aad, a, b);
515 m_copydata(m, m->m_pkthdr.len - ccmp.ic_trailer, ccmp.ic_trailer, mic);
516 xor_block(mic, b, ccmp.ic_trailer);
517
518 i = 1;
519 pos = mtod(m, uint8_t *) + hdrlen + ccmp.ic_header;
520 space = m->m_len - (hdrlen + ccmp.ic_header);
521 for (;;) {
522 if (space > data_len)
523 space = data_len;
524 while (space >= AES_BLOCK_LEN) {
525 CCMP_DECRYPT(i, b, b0, pos, a, AES_BLOCK_LEN);
526 pos += AES_BLOCK_LEN, space -= AES_BLOCK_LEN;
527 data_len -= AES_BLOCK_LEN;
528 i++;
529 }
530 if (data_len <= 0) /* no more data */
531 break;
532 m = m->m_next;
533 if (m == NULL) { /* last buffer */
534 if (space != 0) /* short last block */
535 CCMP_DECRYPT(i, b, b0, pos, a, space);
536 break;
537 }
538 if (space != 0) {
539 uint8_t *pos_next;
540 u_int space_next;
541 u_int len;
542
543 /*
544 * Block straddles buffers, split references. We
545 * do not handle splits that require >2 buffers.
546 */
547 pos_next = mtod(m, uint8_t *);
548 len = min(data_len, AES_BLOCK_LEN);
549 space_next = len > space ? len - space : 0;
550 KASSERT(m->m_len >= space_next,
551 ("not enough data in following buffer, "
552 "m_len %u need %u\n", m->m_len, space_next));
553
554 xor_block(b+space, pos_next, space_next);
555 CCMP_DECRYPT(i, b, b0, pos, a, space);
556 xor_block(pos_next, b+space, space_next);
557 data_len -= len;
558 i++;
559
560 pos = pos_next + space_next;
561 space = m->m_len - space_next;
562 } else {
563 /*
564 * Setup for next buffer.
565 */
566 pos = mtod(m, uint8_t *);
567 space = m->m_len;
568 }
569 }
570 if (memcmp(mic, a, ccmp.ic_trailer) != 0) {
571 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
572 "[%s] AES-CCM decrypt failed; MIC mismatch\n",
573 ether_sprintf(wh->i_addr2));
574 ctx->cc_ic->ic_stats.is_rx_ccmpmic++;
575 return 0;
576 }
577 return 1;
578}
579#undef CCMP_DECRYPT
580
581/*
582 * Module glue.
583 */
584static int
585ccmp_modevent(module_t mod, int type, void *unused)
586{
587 switch (type) {
588 case MOD_LOAD:
589 ieee80211_crypto_register(&ccmp);
590 return 0;
591 case MOD_UNLOAD:
592 ieee80211_crypto_unregister(&ccmp);
593 return 0;
594 }
595 return EINVAL;
596}
597
598static moduledata_t ccmp_mod = {
599 "wlan_ccmp",
600 ccmp_modevent,
601 0
602};
603DECLARE_MODULE(wlan_ccmp, ccmp_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
604MODULE_VERSION(wlan_ccmp, 1);
605MODULE_DEPEND(wlan_ccmp, wlan, 1, 1, 1);
| 34
35/*
36 * IEEE 802.11i AES-CCMP crypto support.
37 *
38 * Part of this module is derived from similar code in the Host
39 * AP driver. The code is used with the consent of the author and
40 * it's license is included below.
41 */
42#include <sys/param.h>
43#include <sys/systm.h>
44#include <sys/mbuf.h>
45#include <sys/malloc.h>
46#include <sys/kernel.h>
47#include <sys/module.h>
48
49#include <sys/socket.h>
50
51#include <net/if.h>
52#include <net/if_media.h>
53#include <net/ethernet.h>
54
55#include <net80211/ieee80211_var.h>
56
57#include <crypto/rijndael/rijndael.h>
58
59#define AES_BLOCK_LEN 16
60
61struct ccmp_ctx {
62 struct ieee80211com *cc_ic; /* for diagnostics */
63 rijndael_ctx cc_aes;
64};
65
66static void *ccmp_attach(struct ieee80211com *, struct ieee80211_key *);
67static void ccmp_detach(struct ieee80211_key *);
68static int ccmp_setkey(struct ieee80211_key *);
69static int ccmp_encap(struct ieee80211_key *k, struct mbuf *, u_int8_t keyid);
70static int ccmp_decap(struct ieee80211_key *, struct mbuf *);
71static int ccmp_enmic(struct ieee80211_key *, struct mbuf *);
72static int ccmp_demic(struct ieee80211_key *, struct mbuf *);
73
74static const struct ieee80211_cipher ccmp = {
75 .ic_name = "AES-CCM",
76 .ic_cipher = IEEE80211_CIPHER_AES_CCM,
77 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
78 IEEE80211_WEP_EXTIVLEN,
79 .ic_trailer = IEEE80211_WEP_MICLEN,
80 .ic_miclen = 0,
81 .ic_attach = ccmp_attach,
82 .ic_detach = ccmp_detach,
83 .ic_setkey = ccmp_setkey,
84 .ic_encap = ccmp_encap,
85 .ic_decap = ccmp_decap,
86 .ic_enmic = ccmp_enmic,
87 .ic_demic = ccmp_demic,
88};
89
90static int ccmp_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
91static int ccmp_decrypt(struct ieee80211_key *, u_int64_t pn,
92 struct mbuf *, int hdrlen);
93
94static void *
95ccmp_attach(struct ieee80211com *ic, struct ieee80211_key *k)
96{
97 struct ccmp_ctx *ctx;
98
99 MALLOC(ctx, struct ccmp_ctx *, sizeof(struct ccmp_ctx),
100 M_DEVBUF, M_NOWAIT | M_ZERO);
101 if (ctx == NULL) {
102 ic->ic_stats.is_crypto_nomem++;
103 return NULL;
104 }
105 ctx->cc_ic = ic;
106 return ctx;
107}
108
109static void
110ccmp_detach(struct ieee80211_key *k)
111{
112 struct ccmp_ctx *ctx = k->wk_private;
113
114 FREE(ctx, M_DEVBUF);
115}
116
117static int
118ccmp_setkey(struct ieee80211_key *k)
119{
120 struct ccmp_ctx *ctx = k->wk_private;
121
122 if (k->wk_keylen != (128/NBBY)) {
123 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
124 "%s: Invalid key length %u, expecting %u\n",
125 __func__, k->wk_keylen, 128/NBBY);
126 return 0;
127 }
128 if (k->wk_flags & IEEE80211_KEY_SWCRYPT)
129 rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);
130 return 1;
131}
132
133/*
134 * Add privacy headers appropriate for the specified key.
135 */
136static int
137ccmp_encap(struct ieee80211_key *k, struct mbuf *m, u_int8_t keyid)
138{
139 struct ccmp_ctx *ctx = k->wk_private;
140 struct ieee80211com *ic = ctx->cc_ic;
141 u_int8_t *ivp;
142 int hdrlen;
143
144 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
145
146 /*
147 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
148 */
149 M_PREPEND(m, ccmp.ic_header, M_NOWAIT);
150 if (m == NULL)
151 return 0;
152 ivp = mtod(m, u_int8_t *);
153 ovbcopy(ivp + ccmp.ic_header, ivp, hdrlen);
154 ivp += hdrlen;
155
156 k->wk_keytsc++; /* XXX wrap at 48 bits */
157 ivp[0] = k->wk_keytsc >> 0; /* PN0 */
158 ivp[1] = k->wk_keytsc >> 8; /* PN1 */
159 ivp[2] = 0; /* Reserved */
160 ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
161 ivp[4] = k->wk_keytsc >> 16; /* PN2 */
162 ivp[5] = k->wk_keytsc >> 24; /* PN3 */
163 ivp[6] = k->wk_keytsc >> 32; /* PN4 */
164 ivp[7] = k->wk_keytsc >> 40; /* PN5 */
165
166 /*
167 * Finally, do software encrypt if neeed.
168 */
169 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
170 !ccmp_encrypt(k, m, hdrlen))
171 return 0;
172
173 return 1;
174}
175
176/*
177 * Add MIC to the frame as needed.
178 */
179static int
180ccmp_enmic(struct ieee80211_key *k, struct mbuf *m)
181{
182
183 return 1;
184}
185
186static __inline uint64_t
187READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
188{
189 uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
190 uint16_t iv16 = (b4 << 0) | (b5 << 8);
191 return (((uint64_t)iv16) << 32) | iv32;
192}
193
194/*
195 * Validate and strip privacy headers (and trailer) for a
196 * received frame. The specified key should be correct but
197 * is also verified.
198 */
199static int
200ccmp_decap(struct ieee80211_key *k, struct mbuf *m)
201{
202 struct ccmp_ctx *ctx = k->wk_private;
203 struct ieee80211_frame *wh;
204 uint8_t *ivp;
205 uint64_t pn;
206 int hdrlen;
207
208 /*
209 * Header should have extended IV and sequence number;
210 * verify the former and validate the latter.
211 */
212 wh = mtod(m, struct ieee80211_frame *);
213 hdrlen = ieee80211_hdrsize(wh);
214 ivp = mtod(m, uint8_t *) + hdrlen;
215 if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
216 /*
217 * No extended IV; discard frame.
218 */
219 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
220 "[%s] Missing ExtIV for AES-CCM cipher\n",
221 ether_sprintf(wh->i_addr2));
222 ctx->cc_ic->ic_stats.is_rx_ccmpformat++;
223 return 0;
224 }
225 pn = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
226 if (pn <= k->wk_keyrsc) {
227 /*
228 * Replay violation.
229 */
230 ieee80211_notify_replay_failure(ctx->cc_ic, wh, k, pn);
231 ctx->cc_ic->ic_stats.is_rx_ccmpreplay++;
232 return 0;
233 }
234
235 /*
236 * Check if the device handled the decrypt in hardware.
237 * If so we just strip the header; otherwise we need to
238 * handle the decrypt in software. Note that for the
239 * latter we leave the header in place for use in the
240 * decryption work.
241 */
242 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
243 !ccmp_decrypt(k, pn, m, hdrlen))
244 return 0;
245
246 /*
247 * Copy up 802.11 header and strip crypto bits.
248 */
249 ovbcopy(mtod(m, void *), mtod(m, u_int8_t *) + ccmp.ic_header, hdrlen);
250 m_adj(m, ccmp.ic_header);
251 m_adj(m, -ccmp.ic_trailer);
252
253 /*
254 * Ok to update rsc now.
255 */
256 k->wk_keyrsc = pn;
257
258 return 1;
259}
260
261/*
262 * Verify and strip MIC from the frame.
263 */
264static int
265ccmp_demic(struct ieee80211_key *k, struct mbuf *m)
266{
267 return 1;
268}
269
270static __inline void
271xor_block(uint8_t *b, const uint8_t *a, size_t len)
272{
273 int i;
274 for (i = 0; i < len; i++)
275 b[i] ^= a[i];
276}
277
278/*
279 * Host AP crypt: host-based CCMP encryption implementation for Host AP driver
280 *
281 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
282 *
283 * This program is free software; you can redistribute it and/or modify
284 * it under the terms of the GNU General Public License version 2 as
285 * published by the Free Software Foundation. See README and COPYING for
286 * more details.
287 *
288 * Alternatively, this software may be distributed under the terms of BSD
289 * license.
290 */
291
292static void
293ccmp_init_blocks(rijndael_ctx *ctx, struct ieee80211_frame *wh,
294 u_int64_t pn, size_t dlen,
295 uint8_t b0[AES_BLOCK_LEN], uint8_t aad[2 * AES_BLOCK_LEN],
296 uint8_t auth[AES_BLOCK_LEN], uint8_t s0[AES_BLOCK_LEN])
297{
298#define IS_4ADDRESS(wh) \
299 ((wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
300#define IS_QOS_DATA(wh) IEEE80211_QOS_HAS_SEQ(wh)
301
302 /* CCM Initial Block:
303 * Flag (Include authentication header, M=3 (8-octet MIC),
304 * L=1 (2-octet Dlen))
305 * Nonce: 0x00 | A2 | PN
306 * Dlen */
307 b0[0] = 0x59;
308 /* NB: b0[1] set below */
309 IEEE80211_ADDR_COPY(b0 + 2, wh->i_addr2);
310 b0[8] = pn >> 40;
311 b0[9] = pn >> 32;
312 b0[10] = pn >> 24;
313 b0[11] = pn >> 16;
314 b0[12] = pn >> 8;
315 b0[13] = pn >> 0;
316 b0[14] = (dlen >> 8) & 0xff;
317 b0[15] = dlen & 0xff;
318
319 /* AAD:
320 * FC with bits 4..6 and 11..13 masked to zero; 14 is always one
321 * A1 | A2 | A3
322 * SC with bits 4..15 (seq#) masked to zero
323 * A4 (if present)
324 * QC (if present)
325 */
326 aad[0] = 0; /* AAD length >> 8 */
327 /* NB: aad[1] set below */
328 aad[2] = wh->i_fc[0] & 0x8f; /* XXX magic #s */
329 aad[3] = wh->i_fc[1] & 0xc7; /* XXX magic #s */
330 /* NB: we know 3 addresses are contiguous */
331 memcpy(aad + 4, wh->i_addr1, 3 * IEEE80211_ADDR_LEN);
332 aad[22] = wh->i_seq[0] & IEEE80211_SEQ_FRAG_MASK;
333 aad[23] = 0; /* all bits masked */
334 /*
335 * Construct variable-length portion of AAD based
336 * on whether this is a 4-address frame/QOS frame.
337 * We always zero-pad to 32 bytes before running it
338 * through the cipher.
339 *
340 * We also fill in the priority bits of the CCM
341 * initial block as we know whether or not we have
342 * a QOS frame.
343 */
344 if (IS_4ADDRESS(wh)) {
345 IEEE80211_ADDR_COPY(aad + 24,
346 ((struct ieee80211_frame_addr4 *)wh)->i_addr4);
347 if (IS_QOS_DATA(wh)) {
348 struct ieee80211_qosframe_addr4 *qwh4 =
349 (struct ieee80211_qosframe_addr4 *) wh;
350 aad[30] = qwh4->i_qos[0] & 0x0f;/* just priority bits */
351 aad[31] = 0;
352 b0[1] = aad[30];
353 aad[1] = 22 + IEEE80211_ADDR_LEN + 2;
354 } else {
355 *(u_int16_t *)&aad[30] = 0;
356 b0[1] = 0;
357 aad[1] = 22 + IEEE80211_ADDR_LEN;
358 }
359 } else {
360 if (IS_QOS_DATA(wh)) {
361 struct ieee80211_qosframe *qwh =
362 (struct ieee80211_qosframe*) wh;
363 aad[24] = qwh->i_qos[0] & 0x0f; /* just priority bits */
364 aad[25] = 0;
365 b0[1] = aad[24];
366 aad[1] = 22 + 2;
367 } else {
368 *(u_int16_t *)&aad[24] = 0;
369 b0[1] = 0;
370 aad[1] = 22;
371 }
372 *(u_int16_t *)&aad[26] = 0;
373 *(u_int32_t *)&aad[28] = 0;
374 }
375
376 /* Start with the first block and AAD */
377 rijndael_encrypt(ctx, b0, auth);
378 xor_block(auth, aad, AES_BLOCK_LEN);
379 rijndael_encrypt(ctx, auth, auth);
380 xor_block(auth, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN);
381 rijndael_encrypt(ctx, auth, auth);
382 b0[0] &= 0x07;
383 b0[14] = b0[15] = 0;
384 rijndael_encrypt(ctx, b0, s0);
385#undef IS_QOS_DATA
386#undef IS_4ADDRESS
387}
388
389#define CCMP_ENCRYPT(_i, _b, _b0, _pos, _e, _len) do { \
390 /* Authentication */ \
391 xor_block(_b, _pos, _len); \
392 rijndael_encrypt(&ctx->cc_aes, _b, _b); \
393 /* Encryption, with counter */ \
394 _b0[14] = (_i >> 8) & 0xff; \
395 _b0[15] = _i & 0xff; \
396 rijndael_encrypt(&ctx->cc_aes, _b0, _e); \
397 xor_block(_pos, _e, _len); \
398} while (0)
399
400static int
401ccmp_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
402{
403 struct ccmp_ctx *ctx = key->wk_private;
404 struct ieee80211_frame *wh;
405 struct mbuf *m = m0;
406 int data_len, i;
407 uint8_t aad[2 * AES_BLOCK_LEN], b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN],
408 e[AES_BLOCK_LEN], s0[AES_BLOCK_LEN];
409 uint8_t *pos;
410 u_int space;
411
412 ctx->cc_ic->ic_stats.is_crypto_ccmp++;
413
414 wh = mtod(m, struct ieee80211_frame *);
415 data_len = m->m_pkthdr.len - (hdrlen + ccmp.ic_header);
416 ccmp_init_blocks(&ctx->cc_aes, wh, key->wk_keytsc,
417 data_len, b0, aad, b, s0);
418
419 i = 1;
420 pos = mtod(m, uint8_t *) + hdrlen + ccmp.ic_header;
421 /* NB: assumes header is entirely in first mbuf */
422 space = m->m_len - (hdrlen + ccmp.ic_header);
423 for (;;) {
424 if (space > data_len)
425 space = data_len;
426 /*
427 * Do full blocks.
428 */
429 while (space >= AES_BLOCK_LEN) {
430 CCMP_ENCRYPT(i, b, b0, pos, e, AES_BLOCK_LEN);
431 pos += AES_BLOCK_LEN, space -= AES_BLOCK_LEN;
432 data_len -= AES_BLOCK_LEN;
433 i++;
434 }
435 if (data_len <= 0) /* no more data */
436 break;
437 m = m->m_next;
438 if (m == NULL) { /* last buffer */
439 if (space != 0) {
440 /*
441 * Short last block.
442 */
443 CCMP_ENCRYPT(i, b, b0, pos, e, space);
444 }
445 break;
446 }
447 if (space != 0) {
448 uint8_t *pos_next;
449 u_int space_next;
450 u_int len;
451
452 /*
453 * Block straddles buffers, split references. We
454 * do not handle splits that require >2 buffers.
455 */
456 pos_next = mtod(m, uint8_t *);
457 len = min(data_len, AES_BLOCK_LEN);
458 space_next = len > space ? len - space : 0;
459 KASSERT(m->m_len >= space_next,
460 ("not enough data in following buffer, "
461 "m_len %u need %u\n", m->m_len, space_next));
462
463 xor_block(b+space, pos_next, space_next);
464 CCMP_ENCRYPT(i, b, b0, pos, e, space);
465 xor_block(pos_next, e+space, space_next);
466 data_len -= len;
467 /* XXX could check for data_len <= 0 */
468 i++;
469
470 pos = pos_next + space_next;
471 space = m->m_len - space_next;
472 } else {
473 /*
474 * Setup for next buffer.
475 */
476 pos = mtod(m, uint8_t *);
477 space = m->m_len;
478 }
479 }
480 /* tack on MIC */
481 xor_block(b, s0, ccmp.ic_trailer);
482 return m_append(m0, ccmp.ic_trailer, b);
483}
484#undef CCMP_ENCRYPT
485
486#define CCMP_DECRYPT(_i, _b, _b0, _pos, _a, _len) do { \
487 /* Decrypt, with counter */ \
488 _b0[14] = (_i >> 8) & 0xff; \
489 _b0[15] = _i & 0xff; \
490 rijndael_encrypt(&ctx->cc_aes, _b0, _b); \
491 xor_block(_pos, _b, _len); \
492 /* Authentication */ \
493 xor_block(_a, _pos, _len); \
494 rijndael_encrypt(&ctx->cc_aes, _a, _a); \
495} while (0)
496
497static int
498ccmp_decrypt(struct ieee80211_key *key, u_int64_t pn, struct mbuf *m, int hdrlen)
499{
500 struct ccmp_ctx *ctx = key->wk_private;
501 struct ieee80211_frame *wh;
502 uint8_t aad[2 * AES_BLOCK_LEN];
503 uint8_t b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN], a[AES_BLOCK_LEN];
504 uint8_t mic[AES_BLOCK_LEN];
505 size_t data_len;
506 int i;
507 uint8_t *pos;
508 u_int space;
509
510 ctx->cc_ic->ic_stats.is_crypto_ccmp++;
511
512 wh = mtod(m, struct ieee80211_frame *);
513 data_len = m->m_pkthdr.len - (hdrlen + ccmp.ic_header + ccmp.ic_trailer);
514 ccmp_init_blocks(&ctx->cc_aes, wh, pn, data_len, b0, aad, a, b);
515 m_copydata(m, m->m_pkthdr.len - ccmp.ic_trailer, ccmp.ic_trailer, mic);
516 xor_block(mic, b, ccmp.ic_trailer);
517
518 i = 1;
519 pos = mtod(m, uint8_t *) + hdrlen + ccmp.ic_header;
520 space = m->m_len - (hdrlen + ccmp.ic_header);
521 for (;;) {
522 if (space > data_len)
523 space = data_len;
524 while (space >= AES_BLOCK_LEN) {
525 CCMP_DECRYPT(i, b, b0, pos, a, AES_BLOCK_LEN);
526 pos += AES_BLOCK_LEN, space -= AES_BLOCK_LEN;
527 data_len -= AES_BLOCK_LEN;
528 i++;
529 }
530 if (data_len <= 0) /* no more data */
531 break;
532 m = m->m_next;
533 if (m == NULL) { /* last buffer */
534 if (space != 0) /* short last block */
535 CCMP_DECRYPT(i, b, b0, pos, a, space);
536 break;
537 }
538 if (space != 0) {
539 uint8_t *pos_next;
540 u_int space_next;
541 u_int len;
542
543 /*
544 * Block straddles buffers, split references. We
545 * do not handle splits that require >2 buffers.
546 */
547 pos_next = mtod(m, uint8_t *);
548 len = min(data_len, AES_BLOCK_LEN);
549 space_next = len > space ? len - space : 0;
550 KASSERT(m->m_len >= space_next,
551 ("not enough data in following buffer, "
552 "m_len %u need %u\n", m->m_len, space_next));
553
554 xor_block(b+space, pos_next, space_next);
555 CCMP_DECRYPT(i, b, b0, pos, a, space);
556 xor_block(pos_next, b+space, space_next);
557 data_len -= len;
558 i++;
559
560 pos = pos_next + space_next;
561 space = m->m_len - space_next;
562 } else {
563 /*
564 * Setup for next buffer.
565 */
566 pos = mtod(m, uint8_t *);
567 space = m->m_len;
568 }
569 }
570 if (memcmp(mic, a, ccmp.ic_trailer) != 0) {
571 IEEE80211_DPRINTF(ctx->cc_ic, IEEE80211_MSG_CRYPTO,
572 "[%s] AES-CCM decrypt failed; MIC mismatch\n",
573 ether_sprintf(wh->i_addr2));
574 ctx->cc_ic->ic_stats.is_rx_ccmpmic++;
575 return 0;
576 }
577 return 1;
578}
579#undef CCMP_DECRYPT
580
581/*
582 * Module glue.
583 */
584static int
585ccmp_modevent(module_t mod, int type, void *unused)
586{
587 switch (type) {
588 case MOD_LOAD:
589 ieee80211_crypto_register(&ccmp);
590 return 0;
591 case MOD_UNLOAD:
592 ieee80211_crypto_unregister(&ccmp);
593 return 0;
594 }
595 return EINVAL;
596}
597
598static moduledata_t ccmp_mod = {
599 "wlan_ccmp",
600 ccmp_modevent,
601 0
602};
603DECLARE_MODULE(wlan_ccmp, ccmp_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
604MODULE_VERSION(wlan_ccmp, 1);
605MODULE_DEPEND(wlan_ccmp, wlan, 1, 1, 1);
|