1/* $OpenBSD: ieee80211_crypto_bip.c,v 1.10 2018/11/09 14:14:31 claudio Exp $ */ 2 3/*- 4 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19/* 20 * This code implements the Broadcast/Multicast Integrity Protocol (BIP) 21 * defined in IEEE P802.11w/D7.0 section 8.3.4. 22 */ 23 24#include <sys/param.h> 25#include <sys/systm.h> 26#include <sys/mbuf.h> 27#include <sys/malloc.h> 28#include <sys/kernel.h> 29#include <sys/socket.h> 30#include <sys/endian.h> 31 32#include <net/if.h> 33#include <net/if_dl.h> 34#include <net/if_media.h> 35 36#include <netinet/in.h> 37#include <netinet/if_ether.h> 38 39#include <net80211/ieee80211_var.h> 40#include <net80211/ieee80211_crypto.h> 41#include <net80211/ieee80211_priv.h> 42 43#include <crypto/aes.h> 44#include <crypto/cmac.h> 45 46/* BIP software crypto context */ 47struct ieee80211_bip_ctx { 48 AES_CMAC_CTX cmac; 49}; 50 51/* 52 * Initialize software crypto context. This function can be overridden 53 * by drivers doing hardware crypto. 54 */ 55int 56ieee80211_bip_set_key(struct ieee80211com *ic, struct ieee80211_key *k) 57{ 58 struct ieee80211_bip_ctx *ctx; 59 60 ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO); 61 if (ctx == NULL) 62 return ENOMEM; 63 AES_CMAC_SetKey(&ctx->cmac, k->k_key); 64 k->k_priv = ctx; 65 return 0; 66} 67 68void 69ieee80211_bip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k) 70{ 71 if (k->k_priv != NULL) { 72 explicit_bzero(k->k_priv, sizeof(struct ieee80211_bip_ctx)); 73 free(k->k_priv, M_DEVBUF, sizeof(struct ieee80211_bip_ctx)); 74 } 75 k->k_priv = NULL; 76} 77 78/* pseudo-header used for BIP MIC computation */ 79struct ieee80211_bip_frame { 80 u_int8_t i_fc[2]; 81 u_int8_t i_addr1[IEEE80211_ADDR_LEN]; 82 u_int8_t i_addr2[IEEE80211_ADDR_LEN]; 83 u_int8_t i_addr3[IEEE80211_ADDR_LEN]; 84} __packed; 85 86struct mbuf * 87ieee80211_bip_encap(struct ieee80211com *ic, struct mbuf *m0, 88 struct ieee80211_key *k) 89{ 90 struct ieee80211_bip_ctx *ctx = k->k_priv; 91 struct ieee80211_bip_frame aad; 92 struct ieee80211_frame *wh; 93 u_int8_t *mmie, mic[AES_CMAC_DIGEST_LENGTH]; 94 struct mbuf *m; 95 96 wh = mtod(m0, struct ieee80211_frame *); 97 KASSERT((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 98 IEEE80211_FC0_TYPE_MGT); 99 /* clear Protected bit from group management frames */ 100 wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; 101 102 /* construct AAD (additional authenticated data) */ 103 aad.i_fc[0] = wh->i_fc[0]; 104 aad.i_fc[1] = wh->i_fc[1] & ~(IEEE80211_FC1_RETRY | 105 IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA); 106 /* XXX 11n may require clearing the Order bit too */ 107 IEEE80211_ADDR_COPY(aad.i_addr1, wh->i_addr1); 108 IEEE80211_ADDR_COPY(aad.i_addr2, wh->i_addr2); 109 IEEE80211_ADDR_COPY(aad.i_addr3, wh->i_addr3); 110 111 AES_CMAC_Init(&ctx->cmac); 112 AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&aad, sizeof aad); 113 AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&wh[1], 114 m0->m_len - sizeof(*wh)); 115 116 m = m0; 117 /* reserve trailing space for MMIE */ 118 if (m_trailingspace(m) < IEEE80211_MMIE_LEN) { 119 MGET(m->m_next, M_DONTWAIT, m->m_type); 120 if (m->m_next == NULL) 121 goto nospace; 122 m = m->m_next; 123 m->m_len = 0; 124 } 125 126 /* construct Management MIC IE */ 127 mmie = mtod(m, u_int8_t *) + m->m_len; 128 mmie[0] = IEEE80211_ELEMID_MMIE; 129 mmie[1] = 16; 130 LE_WRITE_2(&mmie[2], k->k_id); 131 LE_WRITE_6(&mmie[4], k->k_tsc); 132 memset(&mmie[10], 0, 8); /* MMIE MIC field set to 0 */ 133 134 AES_CMAC_Update(&ctx->cmac, mmie, IEEE80211_MMIE_LEN); 135 AES_CMAC_Final(mic, &ctx->cmac); 136 /* truncate AES-128-CMAC to 64-bit */ 137 memcpy(&mmie[10], mic, 8); 138 139 m->m_len += IEEE80211_MMIE_LEN; 140 m0->m_pkthdr.len += IEEE80211_MMIE_LEN; 141 142 k->k_tsc++; 143 144 return m0; 145 nospace: 146 ic->ic_stats.is_tx_nombuf++; 147 m_freem(m0); 148 return NULL; 149} 150 151struct mbuf * 152ieee80211_bip_decap(struct ieee80211com *ic, struct mbuf *m0, 153 struct ieee80211_key *k) 154{ 155 struct ieee80211_bip_ctx *ctx = k->k_priv; 156 struct ieee80211_frame *wh; 157 struct ieee80211_bip_frame aad; 158 u_int8_t *mmie, mic0[8], mic[AES_CMAC_DIGEST_LENGTH]; 159 u_int64_t ipn; 160 161 wh = mtod(m0, struct ieee80211_frame *); 162 KASSERT((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == 163 IEEE80211_FC0_TYPE_MGT); 164 165 /* 166 * It is assumed that management frames are contiguous and that 167 * the mbuf length has already been checked to contain at least 168 * a header and a MMIE (checked in ieee80211_decrypt()). 169 */ 170 KASSERT(m0->m_len >= sizeof(*wh) + IEEE80211_MMIE_LEN); 171 mmie = mtod(m0, u_int8_t *) + m0->m_len - IEEE80211_MMIE_LEN; 172 173 ipn = LE_READ_6(&mmie[4]); 174 if (ipn <= k->k_mgmt_rsc) { 175 /* replayed frame, discard */ 176 ic->ic_stats.is_cmac_replays++; 177 m_freem(m0); 178 return NULL; 179 } 180 181 /* save and mask MMIE MIC field to 0 */ 182 memcpy(mic0, &mmie[10], 8); 183 memset(&mmie[10], 0, 8); 184 185 /* construct AAD (additional authenticated data) */ 186 aad.i_fc[0] = wh->i_fc[0]; 187 aad.i_fc[1] = wh->i_fc[1] & ~(IEEE80211_FC1_RETRY | 188 IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA); 189 /* XXX 11n may require clearing the Order bit too */ 190 IEEE80211_ADDR_COPY(aad.i_addr1, wh->i_addr1); 191 IEEE80211_ADDR_COPY(aad.i_addr2, wh->i_addr2); 192 IEEE80211_ADDR_COPY(aad.i_addr3, wh->i_addr3); 193 194 /* compute MIC */ 195 AES_CMAC_Init(&ctx->cmac); 196 AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&aad, sizeof aad); 197 AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&wh[1], 198 m0->m_len - sizeof(*wh)); 199 AES_CMAC_Final(mic, &ctx->cmac); 200 201 /* check that MIC matches the one in MMIE */ 202 if (timingsafe_bcmp(mic, mic0, 8) != 0) { 203 ic->ic_stats.is_cmac_icv_errs++; 204 m_freem(m0); 205 return NULL; 206 } 207 /* 208 * There is no need to trim the MMIE from the mbuf since it is 209 * an information element and will be ignored by upper layers. 210 * We do it anyway as it is cheap to do it here and because it 211 * may be confused with fixed fields by upper layers. 212 */ 213 m_adj(m0, -IEEE80211_MMIE_LEN); 214 215 /* update last seen packet number (MIC is validated) */ 216 k->k_mgmt_rsc = ipn; 217 218 return m0; 219} 220