/*- * Counter with CBC-MAC (CCM) - see RFC3610. * CCMP uses the following CCM parameters: M = 8, L = 2 */ static void ieee80211_ccmp_phase1(rijndael_ctx *ctx, const struct ieee80211_frame *wh, u_int64_t pn, int lm, u_int8_t b[16], u_int8_t a[16], u_int8_t s0[16]) { u_int8_t auth[32], nonce[13]; u_int8_t *aad; u_int8_t tid = 0; int la, i; /* construct AAD (additional authenticated data) */ aad = &auth[2]; /* skip l(a), will be filled later */ *aad = wh->i_fc[0]; /* 11w: conditionnally mask subtype field */ if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) *aad &= ~IEEE80211_FC0_SUBTYPE_MASK; aad++; /* protected bit is already set in wh */ *aad = wh->i_fc[1]; *aad &= ~(IEEE80211_FC1_RETRY | IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA); /* 11n: conditionnally mask order bit */ if (ieee80211_has_htc(wh)) *aad &= ~IEEE80211_FC1_ORDER; aad++; IEEE80211_ADDR_COPY(aad, wh->i_addr1); aad += IEEE80211_ADDR_LEN; IEEE80211_ADDR_COPY(aad, wh->i_addr2); aad += IEEE80211_ADDR_LEN; IEEE80211_ADDR_COPY(aad, wh->i_addr3); aad += IEEE80211_ADDR_LEN; *aad++ = wh->i_seq[0] & ~0xf0; *aad++ = 0; if (ieee80211_has_addr4(wh)) { IEEE80211_ADDR_COPY(aad, ((const struct ieee80211_frame_addr4 *)wh)->i_addr4); aad += IEEE80211_ADDR_LEN; } if (ieee80211_has_qos(wh)) { *aad++ = tid = ieee80211_get_qos(wh) & IEEE80211_QOS_TID; *aad++ = 0; } /* construct CCM nonce */ nonce[ 0] = tid; if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_MGT) nonce[0] |= 1 << 4; /* 11w: set management bit */ IEEE80211_ADDR_COPY(&nonce[1], wh->i_addr2); nonce[ 7] = pn >> 40; /* PN5 */ nonce[ 8] = pn >> 32; /* PN4 */ nonce[ 9] = pn >> 24; /* PN3 */ nonce[10] = pn >> 16; /* PN2 */ nonce[11] = pn >> 8; /* PN1 */ nonce[12] = pn; /* PN0 */ /* add 2 authentication blocks (including l(a) and padded AAD) */ la = aad - &auth[2]; /* fill l(a) */ auth[0] = la >> 8; auth[1] = la & 0xff; memset(aad, 0, 30 - la); /* pad AAD with zeros */ /* construct first block B_0 */ b[ 0] = 89; /* Flags = 64*Adata + 8*((M-2)/2) + (L-1) */ memcpy(&b[1], nonce, 13); b[14] = lm >> 8; b[15] = lm & 0xff; rijndael_encrypt(ctx, b, b); for (i = 0; i < 16; i++) b[i] ^= auth[i]; rijndael_encrypt(ctx, b, b); for (i = 0; i < 16; i++) b[i] ^= auth[16 + i]; rijndael_encrypt(ctx, b, b); /* construct S_0 */ a[ 0] = 1; /* Flags = L' = (L-1) */ memcpy(&a[1], nonce, 13); a[14] = a[15] = 0; rijndael_encrypt(ctx, a, s0); }
struct iob_s *ieee80211_ccmp_decrypt(struct ieee80211_s *ic, struct iob_s *iob0, struct ieee80211_key *k) { struct ieee80211_ccmp_ctx *ctx = k->k_priv; struct ieee80211_frame *wh; uint64_t pn, *prsc; const uint8_t *ivp; const uint8_t *src; uint8_t *dst; uint8_t mic0[IEEE80211_CCMP_MICLEN]; uint8_t a[16]; uint8_t b[16]; uint8_t s0[16]; uint8_t s[16]; struct iob_s *next0; struct iob_s *iob; struct iob_s *next; int hdrlen; int left; int moff; int noff; int len; uint16_t ctr; int i; int j; wh = (FAR struct ieee80211_frame *)IOB_DATA(iob0); hdrlen = ieee80211_get_hdrlen(wh); ivp = (uint8_t *) wh + hdrlen; if (iob0->io_pktlen < hdrlen + IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN) { iob_free_chain(iob0); return NULL; } /* Check that ExtIV bit is set */ if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { iob_free_chain(iob0); return NULL; } /* Retrieve last seen packet number for this frame type/priority */ if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { uint8_t tid = ieee80211_has_qos(wh) ? ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; prsc = &k->k_rsc[tid]; } else { /* 11w: management frames have their own counters */ prsc = &k->k_mgmt_rsc; } /* Extract the 48-bit PN from the CCMP header */ pn = (uint64_t) ivp[0] | (uint64_t) ivp[1] << 8 | (uint64_t) ivp[4] << 16 | (uint64_t) ivp[5] << 24 | (uint64_t) ivp[6] << 32 | (uint64_t) ivp[7] << 40; if (pn <= *prsc) { /* Replayed frame, discard */ iob_free_chain(iob0); return NULL; } next0 = iob_alloc(false); if (next0 == NULL) { goto nospace; } if (iob_clone(next0, iob0) < 0) { goto nospace; } next0->io_pktlen -= IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN; next0->io_len = CONFIG_IEEE80211_BUFSIZE; if (next0->io_len > next0->io_pktlen) { next0->io_len = next0->io_pktlen; } /* Construct initial B, A and S_0 blocks */ ieee80211_ccmp_phase1(&ctx->rijndael, wh, pn, next0->io_pktlen - hdrlen, b, a, s0); /* Copy 802.11 header and clear protected bit */ memcpy(IOB_DATA(next0), wh, hdrlen); wh = (FAR struct ieee80211_frame *)IOB_DATA(next0); wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; /* construct S_1 */ ctr = 1; a[14] = ctr >> 8; a[15] = ctr & 0xff; rijndael_encrypt(&ctx->rijndael, a, s); /* decrypt frame body and compute MIC */ j = 0; iob = iob0; next = next0; moff = hdrlen + IEEE80211_CCMP_HDRLEN; noff = hdrlen; left = next0->io_pktlen - noff; while (left > 0) { if (moff == iob->io_len) { /* Nothing left to copy from iob */ iob = iob->io_flink; moff = 0; } if (noff == next->io_len) { struct iob_s *newbuf; /* next is full and there's more data to copy */ newbuf = iob_alloc(false); if (newbuf == NULL) { goto nospace; } next->io_flink = newbuf; next = newbuf; next->io_len = 0; if (next->io_len > left) { next->io_len = left; } noff = 0; } len = MIN(iob->io_len - moff, next->io_len - noff); src = (FAR uint8_t *) IOB_DATA(iob) + moff; dst = (FAR uint8_t *) IOB_DATA(next) + noff; for (i = 0; i < len; i++) { /* decrypt message */ dst[i] = src[i] ^ s[j]; /* update MIC with clear text */ b[j] ^= dst[i]; if (++j < 16) continue; /* we have a full block, encrypt MIC */ rijndael_encrypt(&ctx->rijndael, b, b); /* construct a new S_ctr block */ ctr++; a[14] = ctr >> 8; a[15] = ctr & 0xff; rijndael_encrypt(&ctx->rijndael, a, s); j = 0; } moff += len; noff += len; left -= len; } if (j != 0) { /* Partial block, encrypt MIC */ rijndael_encrypt(&ctx->rijndael, b, b); } /* Finalize MIC, U := T XOR first-M-bytes( S_0 ) */ for (i = 0; i < IEEE80211_CCMP_MICLEN; i++) b[i] ^= s0[i]; /* Check that it matches the MIC in received frame */ iob_copyout(mic0, iob, moff, IEEE80211_CCMP_MICLEN); if (memcmp(mic0, b, IEEE80211_CCMP_MICLEN) != 0) { iob_free_chain(iob0); iob_free_chain(next0); return NULL; } /* update last seen packet number (MIC is validated) */ *prsc = pn; iob_free_chain(iob0); return next0; nospace: iob_free_chain(iob0); if (next0 != NULL) { iob_free_chain(next0); } return NULL; }
struct mbuf * ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0, struct ieee80211_key *k) { struct ieee80211_ccmp_ctx *ctx = k->k_priv; struct ieee80211_frame *wh; u_int64_t pn, *prsc; const u_int8_t *ivp, *src; u_int8_t *dst; u_int8_t mic0[IEEE80211_CCMP_MICLEN]; u_int8_t a[16], b[16], s0[16], s[16]; struct mbuf *n0, *m, *n; int hdrlen, left, moff, noff, len; u_int16_t ctr; int i, j; wh = mtod(m0, struct ieee80211_frame *); hdrlen = ieee80211_get_hdrlen(wh); ivp = (u_int8_t *)wh + hdrlen; if (m0->m_pkthdr.len < hdrlen + IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN) { m_freem(m0); return NULL; } /* check that ExtIV bit is set */ if (!(ivp[3] & IEEE80211_WEP_EXTIV)) { m_freem(m0); return NULL; } /* retrieve last seen packet number for this frame type/priority */ if ((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) { u_int8_t tid = ieee80211_has_qos(wh) ? ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0; prsc = &k->k_rsc[tid]; } else /* 11w: management frames have their own counters */ prsc = &k->k_mgmt_rsc; /* extract the 48-bit PN from the CCMP header */ pn = (u_int64_t)ivp[0] | (u_int64_t)ivp[1] << 8 | (u_int64_t)ivp[4] << 16 | (u_int64_t)ivp[5] << 24 | (u_int64_t)ivp[6] << 32 | (u_int64_t)ivp[7] << 40; if (pn <= *prsc) { /* replayed frame, discard */ ic->ic_stats.is_ccmp_replays++; m_freem(m0); return NULL; } MGET(n0, M_DONTWAIT, m0->m_type); if (n0 == NULL) goto nospace; if (m_dup_pkthdr(n0, m0, M_DONTWAIT)) goto nospace; n0->m_pkthdr.len -= IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN; n0->m_len = MHLEN; if (n0->m_pkthdr.len >= MINCLSIZE) { MCLGET(n0, M_DONTWAIT); if (n0->m_flags & M_EXT) n0->m_len = n0->m_ext.ext_size; } if (n0->m_len > n0->m_pkthdr.len) n0->m_len = n0->m_pkthdr.len; /* construct initial B, A and S_0 blocks */ ieee80211_ccmp_phase1(&ctx->rijndael, wh, pn, n0->m_pkthdr.len - hdrlen, b, a, s0); /* copy 802.11 header and clear protected bit */ memcpy(mtod(n0, caddr_t), wh, hdrlen); wh = mtod(n0, struct ieee80211_frame *); wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED; /* construct S_1 */ ctr = 1; a[14] = ctr >> 8; a[15] = ctr & 0xff; rijndael_encrypt(&ctx->rijndael, a, s); /* decrypt frame body and compute MIC */ j = 0; m = m0; n = n0; moff = hdrlen + IEEE80211_CCMP_HDRLEN; noff = hdrlen; left = n0->m_pkthdr.len - noff; while (left > 0) { if (moff == m->m_len) { /* nothing left to copy from m */ m = m->m_next; moff = 0; } if (noff == n->m_len) { /* n is full and there's more data to copy */ MGET(n->m_next, M_DONTWAIT, n->m_type); if (n->m_next == NULL) goto nospace; n = n->m_next; n->m_len = MLEN; if (left >= MINCLSIZE) { MCLGET(n, M_DONTWAIT); if (n->m_flags & M_EXT) n->m_len = n->m_ext.ext_size; } if (n->m_len > left) n->m_len = left; noff = 0; } len = min(m->m_len - moff, n->m_len - noff); src = mtod(m, u_int8_t *) + moff; dst = mtod(n, u_int8_t *) + noff; for (i = 0; i < len; i++) { /* decrypt message */ dst[i] = src[i] ^ s[j]; /* update MIC with clear text */ b[j] ^= dst[i]; if (++j < 16) continue; /* we have a full block, encrypt MIC */ rijndael_encrypt(&ctx->rijndael, b, b); /* construct a new S_ctr block */ ctr++; a[14] = ctr >> 8; a[15] = ctr & 0xff; rijndael_encrypt(&ctx->rijndael, a, s); j = 0; } moff += len; noff += len; left -= len; } if (j != 0) /* partial block, encrypt MIC */ rijndael_encrypt(&ctx->rijndael, b, b); /* finalize MIC, U := T XOR first-M-bytes( S_0 ) */ for (i = 0; i < IEEE80211_CCMP_MICLEN; i++) b[i] ^= s0[i]; /* check that it matches the MIC in received frame */ m_copydata(m, moff, IEEE80211_CCMP_MICLEN, mic0); if (timingsafe_bcmp(mic0, b, IEEE80211_CCMP_MICLEN) != 0) { ic->ic_stats.is_ccmp_dec_errs++; m_freem(m0); m_freem(n0); return NULL; } /* update last seen packet number (MIC is validated) */ *prsc = pn; m_freem(m0); return n0; nospace: ic->ic_stats.is_rx_nombuf++; m_freem(m0); if (n0 != NULL) m_freem(n0); return NULL; }
void ieee80211_input(struct ieee80211_s *ic, struct iob_s *iob, struct ieee80211_node *ni, struct ieee80211_rxinfo *rxi) { struct ieee80211_frame *wh; uint16_t *orxseq, nrxseq, qos; uint8_t dir, type, subtype, tid; int hdrlen, hasqos; DEBUGASSERT(ni != NULL); /* in monitor mode, send everything directly to bpf */ if (ic->ic_opmode == IEEE80211_M_MONITOR) goto out; /* Do not process frames without an Address 2 field any further. * Only CTS and ACK control frames do not have this field. */ if (iob->io_len < sizeof(struct ieee80211_frame_min)) { ndbg("ERROR: frame too short, len %u\n", iob->io_len); goto out; } wh = (FAR struct ieee80211_frame *)IOB_DATA(iob); if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) != IEEE80211_FC0_VERSION_0) { ndbg("ERROR: frame with wrong version: %x\n", wh->i_fc[0]); goto err; } dir = wh->i_fc[1] & IEEE80211_FC1_DIR_MASK; type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK; if (type != IEEE80211_FC0_TYPE_CTL) { hdrlen = ieee80211_get_hdrlen(wh); if (iob->io_len < hdrlen) { ndbg("ERROR: frame too short, len %u\n", iob->io_len); goto err; } } if ((hasqos = ieee80211_has_qos(wh))) { qos = ieee80211_get_qos(wh); tid = qos & IEEE80211_QOS_TID; } else { qos = 0; tid = 0; } /* duplicate detection (see 9.2.9) */ if (ieee80211_has_seq(wh) && ic->ic_state != IEEE80211_S_SCAN) { nrxseq = letoh16(*(uint16_t *) wh->i_seq) >> IEEE80211_SEQ_SEQ_SHIFT; if (hasqos) orxseq = &ni->ni_qos_rxseqs[tid]; else orxseq = &ni->ni_rxseq; if ((wh->i_fc[1] & IEEE80211_FC1_RETRY) && nrxseq == *orxseq) { /* duplicate, silently discarded */ goto out; } *orxseq = nrxseq; }