Page MenuHomeFreeBSD
Files F108311274

D45397.id139176.diff
No OneTemporary
Actions

D45397.id139176.diff
View Options

diff --git a/sys/conf/files b/sys/conf/files
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -4210,6 +4210,7 @@
net80211/ieee80211_crypto.c optional wlan \
compile-with "${NORMAL_C} -Wno-unused-function"
net80211/ieee80211_crypto_ccmp.c optional wlan wlan_ccmp
+net80211/ieee80211_crypto_gcmp.c optional wlan wlan_gcmp
net80211/ieee80211_crypto_none.c optional wlan
net80211/ieee80211_crypto_tkip.c optional wlan wlan_tkip
net80211/ieee80211_crypto_wep.c optional wlan wlan_wep
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -418,6 +418,7 @@
wlan_acl \
wlan_amrr \
wlan_ccmp \
+ wlan_gcmp \
wlan_rssadapt \
wlan_tkip \
wlan_wep \
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -154,7 +154,8 @@
*/
ic->ic_sw_cryptocaps = IEEE80211_CRYPTO_WEP |
IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM |
- IEEE80211_CRYPTO_AES_CCM_256;
+ IEEE80211_CRYPTO_AES_CCM_256 | IEEE80211_CRYPTO_AES_GCM_128 |
+ IEEE80211_CRYPTO_AES_GCM_256;
/*
* Default set of key management types supported by net80211.
diff --git a/sys/net80211/ieee80211_crypto_ccmp.c b/sys/net80211/ieee80211_crypto_ccmp.c
--- a/sys/net80211/ieee80211_crypto_ccmp.c
+++ b/sys/net80211/ieee80211_crypto_ccmp.c
@@ -422,6 +422,7 @@
/* M=3, L=2, ADATA = 0x59 */
b0[0] = 0x40 | 0x01 | (m << 3);
/* NB: b0[1] set below */
+ /* b0[1] needs updating - 12.5.3.3.1 and 12.5.3.3.3 802.11-2016 */
IEEE80211_ADDR_COPY(b0 + 2, wh->i_addr2);
b0[8] = pn >> 40;
b0[9] = pn >> 32;
@@ -442,11 +443,16 @@
aad[0] = 0; /* AAD length >> 8 */
/* NB: aad[1] set below */
aad[2] = wh->i_fc[0] & 0x8f; /* XXX magic #s */
+ /* TODO: update against 12.5.3.3.3 - bit 15 masked to 0 for data frames + QoS control field, unmasked otherwise */
aad[3] = wh->i_fc[1] & 0xc7; /* XXX magic #s */
/* NB: we know 3 addresses are contiguous */
memcpy(aad + 4, wh->i_addr1, 3 * IEEE80211_ADDR_LEN);
aad[22] = wh->i_seq[0] & IEEE80211_SEQ_FRAG_MASK;
aad[23] = 0; /* all bits masked */
+
+ /* TODO: QC control field needs to take AMSDU SPP into account */
+ /* See: 802.11-2016 12.5.3.3.3 */
+
/*
* Construct variable-length portion of AAD based
* on whether this is a 4-address frame/QOS frame.
@@ -465,10 +471,12 @@
(struct ieee80211_qosframe_addr4 *) wh;
aad[30] = qwh4->i_qos[0] & 0x0f;/* just priority bits */
aad[31] = 0;
+ /* TODO: update b0[1] to include if MFP is negotiated and it's a management frame */
b0[1] = aad[30];
aad[1] = 22 + IEEE80211_ADDR_LEN + 2;
} else {
*(uint16_t *)&aad[30] = 0;
+ /* TODO: update b0[1] to include if MFP is negotiated and it's a management frame */
b0[1] = 0;
aad[1] = 22 + IEEE80211_ADDR_LEN;
}
@@ -478,10 +486,12 @@
(struct ieee80211_qosframe*) wh;
aad[24] = qwh->i_qos[0] & 0x0f; /* just priority bits */
aad[25] = 0;
+ /* TODO: update b0[1] to include if MFP is negotiated and it's a management frame */
b0[1] = aad[24];
aad[1] = 22 + 2;
} else {
*(uint16_t *)&aad[24] = 0;
+ /* TODO: update b0[1] to include if MFP is negotiated and it's a management frame */
b0[1] = 0;
aad[1] = 22;
}
diff --git a/sys/net80211/ieee80211_crypto_gcmp.c b/sys/net80211/ieee80211_crypto_gcmp.c
new file mode 100644
--- /dev/null
+++ b/sys/net80211/ieee80211_crypto_gcmp.c
@@ -0,0 +1,974 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
+ * Copyright (c) 2024 Adrian Chadd <adrian@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+/*
+ * IEEE 802.11 AES-GCMP crypto support.
+ *
+ * Part of this module is derived from similar code in the Host
+ * AP driver. The code is used with the consent of the author and
+ * it's license is included below.
+ */
+#include "opt_wlan.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/mbuf.h>
+#include <sys/malloc.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+
+#include <sys/socket.h>
+
+#include <net/if.h>
+#include <net/if_media.h>
+#include <net/ethernet.h>
+
+#include <net80211/ieee80211_var.h>
+
+#include <crypto/rijndael/rijndael.h>
+
+#define AES_BLOCK_LEN 16
+
+/*
+ * buffer is 2x the AES_BLOCK_LEN, but the AAD contents may be variable
+ * and are padded.
+ */
+#define GCM_AAD_LEN (AES_BLOCK_LEN * 2)
+
+/* GCMP is always 128 bit / 16 byte MIC */
+#define GCMP_MIC_LEN 16
+#define GCMP_PN_LEN 6
+#define GCMP_IV_LEN 12
+
+struct gcmp_ctx {
+ struct ieee80211vap *cc_vap; /* for diagnostics+statistics */
+ struct ieee80211com *cc_ic;
+ rijndael_ctx cc_aes;
+};
+
+static void *gcmp_attach(struct ieee80211vap *, struct ieee80211_key *);
+static void gcmp_detach(struct ieee80211_key *);
+static int gcmp_setkey(struct ieee80211_key *);
+static int gcmp_256_setkey(struct ieee80211_key *);
+static void gcmp_setiv(struct ieee80211_key *, uint8_t *);
+static int gcmp_encap(struct ieee80211_key *, struct mbuf *);
+static int gcmp_decap(struct ieee80211_key *, struct mbuf *, int);
+static int gcmp_enmic(struct ieee80211_key *, struct mbuf *, int);
+static int gcmp_demic(struct ieee80211_key *, struct mbuf *, int);
+
+static const struct ieee80211_cipher gcmp_128 = {
+ .ic_name = "AES-GCMP",
+ .ic_cipher = IEEE80211_CIPHER_AES_GCM_128,
+ .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
+ IEEE80211_WEP_EXTIVLEN,
+ .ic_trailer = GCMP_MIC_LEN,
+ .ic_miclen = 0,
+ .ic_attach = gcmp_attach,
+ .ic_detach = gcmp_detach,
+ .ic_setkey = gcmp_setkey,
+ .ic_setiv = gcmp_setiv,
+ .ic_encap = gcmp_encap,
+ .ic_decap = gcmp_decap,
+ .ic_enmic = gcmp_enmic,
+ .ic_demic = gcmp_demic,
+};
+
+static const struct ieee80211_cipher gcmp_256 = {
+ .ic_name = "AES-GCMP-256",
+ .ic_cipher = IEEE80211_CIPHER_AES_GCM_256,
+ .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
+ IEEE80211_WEP_EXTIVLEN,
+ .ic_trailer = GCMP_MIC_LEN,
+ .ic_miclen = 0,
+ .ic_attach = gcmp_attach,
+ .ic_detach = gcmp_detach,
+ .ic_setkey = gcmp_256_setkey,
+ .ic_setiv = gcmp_setiv,
+ .ic_encap = gcmp_encap,
+ .ic_decap = gcmp_decap,
+ .ic_enmic = gcmp_enmic,
+ .ic_demic = gcmp_demic,
+};
+
+
+static int gcmp_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
+static int gcmp_decrypt(struct ieee80211_key *, u_int64_t pn,
+ struct mbuf *, int hdrlen);
+
+/* number of references from net80211 layer */
+static int nrefs = 0;
+
+static void *
+gcmp_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
+{
+ struct gcmp_ctx *ctx;
+
+ ctx = (struct gcmp_ctx *) IEEE80211_MALLOC(sizeof(struct gcmp_ctx),
+ M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
+ if (ctx == NULL) {
+ vap->iv_stats.is_crypto_nomem++;
+ return NULL;
+ }
+ ctx->cc_vap = vap;
+ ctx->cc_ic = vap->iv_ic;
+ nrefs++; /* NB: we assume caller locking */
+ return ctx;
+}
+
+static void
+gcmp_detach(struct ieee80211_key *k)
+{
+ struct gcmp_ctx *ctx = k->wk_private;
+
+ IEEE80211_FREE(ctx, M_80211_CRYPTO);
+ KASSERT(nrefs > 0, ("imbalanced attach/detach"));
+ nrefs--; /* NB: we assume caller locking */
+}
+
+static int
+gcmp_get_trailer_len(struct ieee80211_key *k)
+{
+ return k->wk_cipher->ic_trailer;
+}
+
+static int
+gcmp_get_header_len(struct ieee80211_key *k)
+{
+ return k->wk_cipher->ic_header;
+}
+
+static int
+gcmp_setkey(struct ieee80211_key *k)
+{
+ struct gcmp_ctx *ctx = k->wk_private;
+
+ if (k->wk_keylen != (128/NBBY)) {
+ IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
+ "%s: Invalid key length %u, expecting %u\n",
+ __func__, k->wk_keylen, 128/NBBY);
+ return 0;
+ }
+ if (k->wk_flags & IEEE80211_KEY_SWENCRYPT)
+ rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);
+ return 1;
+}
+
+static int
+gcmp_256_setkey(struct ieee80211_key *k)
+{
+ struct gcmp_ctx *ctx = k->wk_private;
+
+ if (k->wk_keylen != (256/NBBY)) {
+ IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
+ "%s: Invalid key length %u, expecting %u\n",
+ __func__, k->wk_keylen, 256/NBBY);
+ return 0;
+ }
+ if (k->wk_flags & IEEE80211_KEY_SWENCRYPT)
+ rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);
+ return 1;
+}
+
+static void
+gcmp_setiv(struct ieee80211_key *k, uint8_t *ivp)
+{
+ struct gcmp_ctx *ctx = k->wk_private;
+ struct ieee80211vap *vap = ctx->cc_vap;
+ uint8_t keyid;
+
+ keyid = ieee80211_crypto_get_keyid(vap, k) << 6;
+
+ k->wk_keytsc++;
+ ivp[0] = k->wk_keytsc >> 0; /* PN0 */
+ ivp[1] = k->wk_keytsc >> 8; /* PN1 */
+ ivp[2] = 0; /* Reserved */
+ ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
+ ivp[4] = k->wk_keytsc >> 16; /* PN2 */
+ ivp[5] = k->wk_keytsc >> 24; /* PN3 */
+ ivp[6] = k->wk_keytsc >> 32; /* PN4 */
+ ivp[7] = k->wk_keytsc >> 40; /* PN5 */
+}
+
+/*
+ * Add privacy headers appropriate for the specified key.
+ */
+static int
+gcmp_encap(struct ieee80211_key *k, struct mbuf *m)
+{
+ const struct ieee80211_frame *wh;
+ struct gcmp_ctx *ctx = k->wk_private;
+ struct ieee80211com *ic = ctx->cc_ic;
+ uint8_t *ivp;
+ int hdrlen;
+ int is_mgmt;
+
+ hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
+ wh = mtod(m, const struct ieee80211_frame *);
+ is_mgmt = IEEE80211_IS_MGMT(wh);
+
+ /*
+ * Check to see if we need to insert IV/MIC.
+ *
+ * Some offload devices don't require the IV to be inserted
+ * as part of the hardware encryption.
+ */
+ if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
+ return 1;
+ if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
+ return 1;
+
+ /*
+ * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
+ */
+ M_PREPEND(m, gcmp_get_header_len(k), IEEE80211_M_NOWAIT);
+ if (m == NULL)
+ return 0;
+ ivp = mtod(m, uint8_t *);
+ ovbcopy(ivp + gcmp_get_header_len(k), ivp, hdrlen);
+ ivp += hdrlen;
+
+ gcmp_setiv(k, ivp);
+
+ /*
+ * Finally, do software encrypt if needed.
+ */
+ if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
+ !gcmp_encrypt(k, m, hdrlen))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * Add MIC to the frame as needed.
+ */
+static int
+gcmp_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
+{
+
+ return 1;
+}
+
+static __inline uint64_t
+READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
+{
+ uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
+ uint16_t iv16 = (b4 << 0) | (b5 << 8);
+ return (((uint64_t)iv16) << 32) | iv32;
+}
+
+/*
+ * Validate and strip privacy headers (and trailer) for a
+ * received frame. The specified key should be correct but
+ * is also verified.
+ */
+static int
+gcmp_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
+{
+ const struct ieee80211_rx_stats *rxs;
+ struct gcmp_ctx *ctx = k->wk_private;
+ struct ieee80211vap *vap = ctx->cc_vap;
+ struct ieee80211_frame *wh;
+ uint8_t *ivp, tid;
+ uint64_t pn;
+
+ rxs = ieee80211_get_rx_params_ptr(m);
+
+ if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
+ goto finish;
+
+ /*
+ * Header should have extended IV and sequence number;
+ * verify the former and validate the latter.
+ */
+ wh = mtod(m, struct ieee80211_frame *);
+ ivp = mtod(m, uint8_t *) + hdrlen;
+ if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
+ /*
+ * No extended IV; discard frame.
+ */
+ IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
+ "%s", "missing ExtIV for AES-GCM cipher");
+ vap->iv_stats.is_rx_gcmpformat++;
+ return 0;
+ }
+ tid = ieee80211_gettid(wh);
+ pn = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
+ if (pn <= k->wk_keyrsc[tid] &&
+ (k->wk_flags & IEEE80211_KEY_NOREPLAY) == 0) {
+ /*
+ * Replay violation.
+ */
+ ieee80211_notify_replay_failure(vap, wh, k, pn, tid);
+ vap->iv_stats.is_rx_gcmpreplay++;
+ return 0;
+ }
+
+ /*
+ * Check if the device handled the decrypt in hardware.
+ * If so we just strip the header; otherwise we need to
+ * handle the decrypt in software. Note that for the
+ * latter we leave the header in place for use in the
+ * decryption work.
+ */
+ if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
+ !gcmp_decrypt(k, pn, m, hdrlen))
+ return 0;
+
+finish:
+ /*
+ * Copy up 802.11 header and strip crypto bits.
+ */
+ if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
+ ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + gcmp_get_header_len(k),
+ hdrlen);
+ m_adj(m, gcmp_get_header_len(k));
+ }
+
+ /*
+ * XXX TODO: see if MMIC_STRIP also covers CCMP MIC trailer.
+ */
+ if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MMIC_STRIP)))
+ m_adj(m, -gcmp_get_trailer_len(k));
+
+ /*
+ * Ok to update rsc now.
+ */
+ if (! ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))) {
+ k->wk_keyrsc[tid] = pn;
+ }
+
+ return 1;
+}
+
+/*
+ * Verify and strip MIC from the frame.
+ */
+static int
+gcmp_demic(struct ieee80211_key *k, struct mbuf *m, int force)
+{
+ return 1;
+}
+
+static __inline void
+xor_block(uint8_t *b, const uint8_t *a, size_t len)
+{
+ int i;
+ for (i = 0; i < len; i++)
+ b[i] ^= a[i];
+}
+
+/*
+ * Galois/Counter Mode (GCM) and GMAC with AES
+ *
+ * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#define BIT(x) (1U << (x))
+
+static inline void WPA_PUT_BE64(uint8_t *a, uint64_t val)
+{
+ a[0] = val >> 56;
+ a[1] = val >> 48;
+ a[2] = val >> 40;
+ a[3] = val >> 32;
+ a[4] = val >> 24;
+ a[5] = val >> 16;
+ a[6] = val >> 8;
+ a[7] = val & 0xff;
+}
+
+static inline void WPA_PUT_BE32(uint8_t *a, uint32_t val)
+{
+ a[0] = (val >> 24) & 0xff;
+ a[1] = (val >> 16) & 0xff;
+ a[2] = (val >> 8) & 0xff;
+ a[3] = val & 0xff;
+}
+
+static inline uint32_t WPA_GET_BE32(const uint8_t *a)
+{
+ return ((uint32_t) a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
+}
+
+static void inc32(uint8_t *block)
+{
+ uint32_t val;
+ val = WPA_GET_BE32(block + AES_BLOCK_LEN - 4);
+ val++;
+ WPA_PUT_BE32(block + AES_BLOCK_LEN - 4, val);
+}
+
+static void shift_right_block(uint8_t *v)
+{
+ uint32_t val;
+
+ val = WPA_GET_BE32(v + 12);
+ val >>= 1;
+ if (v[11] & 0x01)
+ val |= 0x80000000;
+ WPA_PUT_BE32(v + 12, val);
+
+ val = WPA_GET_BE32(v + 8);
+ val >>= 1;
+ if (v[7] & 0x01)
+ val |= 0x80000000;
+ WPA_PUT_BE32(v + 8, val);
+
+ val = WPA_GET_BE32(v + 4);
+ val >>= 1;
+ if (v[3] & 0x01)
+ val |= 0x80000000;
+ WPA_PUT_BE32(v + 4, val);
+
+ val = WPA_GET_BE32(v);
+ val >>= 1;
+ WPA_PUT_BE32(v, val);
+}
+
+
+/* Multiplication in GF(2^128) */
+static void gf_mult(const uint8_t *x, const uint8_t *y, uint8_t *z)
+{
+ uint8_t v[16];
+ int i, j;
+
+ memset(z, 0, 16); /* Z_0 = 0^128 */
+ memcpy(v, y, 16); /* V_0 = Y */
+
+ for (i = 0; i < 16; i++) {
+ for (j = 0; j < 8; j++) {
+ if (x[i] & BIT(7 - j)) {
+ /* Z_(i + 1) = Z_i XOR V_i */
+ xor_block(z, v, AES_BLOCK_LEN);
+ } else {
+ /* Z_(i + 1) = Z_i */
+ }
+
+ if (v[15] & 0x01) {
+ /* V_(i + 1) = (V_i >> 1) XOR R */
+ shift_right_block(v);
+ /* R = 11100001 || 0^120 */
+ v[0] ^= 0xe1;
+ } else {
+ /* V_(i + 1) = V_i >> 1 */
+ shift_right_block(v);
+ }
+ }
+ }
+}
+
+
+static void ghash_start(uint8_t *y)
+{
+ /* Y_0 = 0^128 */
+ memset(y, 0, 16);
+}
+
+
+static void ghash(const uint8_t *h, const uint8_t *x, size_t xlen, uint8_t *y)
+{
+ size_t m, i;
+ const uint8_t *xpos = x;
+ uint8_t tmp[16];
+
+ m = xlen / 16;
+
+ for (i = 0; i < m; i++) {
+ /* Y_i = (Y^(i-1) XOR X_i) dot H */
+ xor_block(y, xpos, AES_BLOCK_LEN);
+ xpos += 16;
+
+ /* dot operation:
+ * multiplication operation for binary Galois (finite) field of
+ * 2^128 elements */
+ gf_mult(y, h, tmp);
+ memcpy(y, tmp, 16);
+ }
+
+ if (x + xlen > xpos) {
+ /* Add zero padded last block */
+ size_t last = x + xlen - xpos;
+ memcpy(tmp, xpos, last);
+ memset(tmp + last, 0, sizeof(tmp) - last);
+
+ /* Y_i = (Y^(i-1) XOR X_i) dot H */
+ xor_block(y, tmp, AES_BLOCK_LEN);
+
+ /* dot operation:
+ * multiplication operation for binary Galois (finite) field of
+ * 2^128 elements */
+ gf_mult(y, h, tmp);
+ memcpy(y, tmp, 16);
+ }
+
+ /* Return Y_m */
+}
+
+
+/*
+ * Execute the GCTR call with the counter block icb
+ * on payload x (size len), output into y.
+ */
+static void
+aes_gctr(rijndael_ctx *aes, const uint8_t *icb,
+ const uint8_t *x, size_t xlen, uint8_t *y)
+{
+ size_t i, n, last;
+ uint8_t cb[AES_BLOCK_LEN], tmp[AES_BLOCK_LEN];
+ const uint8_t *xpos = x;
+ uint8_t *ypos = y;
+
+ if (xlen == 0)
+ return;
+
+ n = xlen / 16;
+
+ memcpy(cb, icb, AES_BLOCK_LEN);
+
+ /* Full blocks */
+ for (i = 0; i < n; i++) {
+ rijndael_encrypt(aes, cb, ypos);
+ xor_block(ypos, xpos, AES_BLOCK_LEN);
+ xpos += AES_BLOCK_LEN;
+ ypos += AES_BLOCK_LEN;
+ inc32(cb);
+ }
+
+ last = x + xlen - xpos;
+ if (last) {
+ /* Last, partial block */
+ rijndael_encrypt(aes, cb, tmp);
+ for (i = 0; i < last; i++)
+ *ypos++ = *xpos++ ^ tmp[i];
+ }
+}
+
+static void
+aes_gcm_init_hash_subkey(rijndael_ctx *aes, uint8_t *H)
+{
+ /* Generate hash subkey H = AES_K(0^128) */
+ memset(H, 0, AES_BLOCK_LEN);
+
+ rijndael_encrypt(aes, H, H);
+}
+
+static void
+aes_gcm_prepare_j0(const uint8_t *iv, size_t iv_len, const uint8_t *H,
+ uint8_t *J0)
+{
+ uint8_t len_buf[16];
+
+ if (iv_len == 12) {
+ /* Prepare block J_0 = IV || 0^31 || 1 [len(IV) = 96] */
+ memcpy(J0, iv, iv_len);
+ memset(J0 + iv_len, 0, AES_BLOCK_LEN - iv_len);
+ J0[AES_BLOCK_LEN - 1] = 0x01;
+ } else {
+ /*
+ * s = 128 * ceil(len(IV)/128) - len(IV)
+ * J_0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64)
+ */
+ ghash_start(J0);
+ ghash(H, iv, iv_len, J0);
+ WPA_PUT_BE64(len_buf, 0);
+ WPA_PUT_BE64(len_buf + 8, iv_len * 8);
+ ghash(H, len_buf, sizeof(len_buf), J0);
+ }
+}
+
+
+static void
+aes_gcm_gctr(rijndael_ctx *aes, const uint8_t *J0, const uint8_t *in,
+ size_t len, uint8_t *out)
+{
+ uint8_t J0inc[AES_BLOCK_LEN];
+
+ if (len == 0)
+ return;
+
+ memcpy(J0inc, J0, AES_BLOCK_LEN);
+ inc32(J0inc);
+
+ aes_gctr(aes, J0inc, in, len, out);
+}
+
+static void
+aes_gcm_ghash(const uint8_t *H, const uint8_t *aad, size_t aad_len,
+ const uint8_t *crypt, size_t crypt_len, uint8_t *S)
+{
+ uint8_t len_buf[16];
+
+ /*
+ * u = 128 * ceil[len(C)/128] - len(C)
+ * v = 128 * ceil[len(A)/128] - len(A)
+ * S = GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64)
+ * (i.e., zero padded to block size A || C and lengths of each in bits)
+ */
+ ghash_start(S);
+ ghash(H, aad, aad_len, S);
+ ghash(H, crypt, crypt_len, S);
+ WPA_PUT_BE64(len_buf, aad_len * 8);
+ WPA_PUT_BE64(len_buf + 8, crypt_len * 8);
+ ghash(H, len_buf, sizeof(len_buf), S);
+#if 0
+ wpa_hexdump_key(MSG_EXCESSIVE, "S = GHASH_H(...)", S, 16);
+#endif
+}
+
+/**
+ * aes_gcm_ae - GCM-AE_K(IV, P, A)
+ */
+static void
+aes_gcm_ae(rijndael_ctx *aes, const uint8_t *iv, size_t iv_len,
+ const uint8_t *plain, size_t plain_len,
+ const uint8_t *aad, size_t aad_len, uint8_t *crypt, uint8_t *tag)
+{
+ uint8_t H[AES_BLOCK_LEN];
+ uint8_t J0[AES_BLOCK_LEN];
+ uint8_t S[GCMP_MIC_LEN];
+
+ aes_gcm_init_hash_subkey(aes, H);
+
+ aes_gcm_prepare_j0(iv, iv_len, H, J0);
+
+ /* C = GCTR_K(inc_32(J_0), P) */
+ aes_gcm_gctr(aes, J0, plain, plain_len, crypt);
+
+ aes_gcm_ghash(H, aad, aad_len, crypt, plain_len, S);
+
+ /* T = MSB_t(GCTR_K(J_0, S)) */
+ aes_gctr(aes, J0, S, sizeof(S), tag);
+
+ /* Return (C, T) */
+}
+
+
+/**
+ * aes_gcm_ad - GCM-AD_K(IV, C, A, T)
+ *
+ * Return 0 if OK, -1 if decrypt failure.
+ */
+static int
+aes_gcm_ad(rijndael_ctx *aes, const uint8_t *iv, size_t iv_len,
+ const uint8_t *crypt, size_t crypt_len,
+ const uint8_t *aad, size_t aad_len, const uint8_t *tag, uint8_t *plain)
+{
+ uint8_t H[AES_BLOCK_LEN];
+ uint8_t J0[AES_BLOCK_LEN];
+ uint8_t S[16], T[GCMP_MIC_LEN];
+
+ aes_gcm_init_hash_subkey(aes, H);
+
+ aes_gcm_prepare_j0(iv, iv_len, H, J0);
+
+ /* P = GCTR_K(inc_32(J_0), C) */
+ aes_gcm_gctr(aes, J0, crypt, crypt_len, plain);
+
+ aes_gcm_ghash(H, aad, aad_len, crypt, crypt_len, S);
+
+ /* T' = MSB_t(GCTR_K(J_0, S)) */
+ aes_gctr(aes, J0, S, sizeof(S), T);
+
+ if (memcmp(tag, T, 16) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+#if 0
+int
+aes_gmac(const uint8_t *key, size_t key_len, const uint8_t *iv, size_t iv_len,
+ const uint8_t *aad, size_t aad_len, uint8_t *tag)
+{
+ return aes_gcm_ae(key, key_len, iv, iv_len, NULL, 0, aad, aad_len,
+ NULL, tag);
+}
+#endif
+
+/* Back to FreeBSD ... */
+
+/*
+ * TODO: eventually refactor this out as shared between CCM and GCM
+ *
+ * NOTE: the first two bytes are a 16 bit big-endian length, likely for CCM.
+ * This isn't required for GCM.
+ */
+static int
+gcmp_init_aad(const struct ieee80211_frame *wh, uint8_t *aad)
+{
+ int aad_len;
+
+ memset(aad, 0, GCM_AAD_LEN);
+
+#define IS_QOS_DATA(wh) IEEE80211_QOS_HAS_SEQ(wh)
+ /* AAD:
+ * FC with bits 4..6 and 11..13 masked to zero; 14 is always one
+ * A1 | A2 | A3
+ * SC with bits 4..15 (seq#) masked to zero
+ * A4 (if present)
+ * QC (if present)
+ */
+ aad[0] = 0; /* AAD length >> 8 */
+ /* NB: aad[1] set below */
+
+ aad[2] = wh->i_fc[0] & 0x8f; /* XXX magic #s */
+ /* TODO: 12.5.3.3.3 - bit 14 should always be set; bit 15 masked to 0 if QoS control field, unmasked otherwise */
+ aad[3] = wh->i_fc[1] & 0xc7; /* XXX magic #s */
+ /* NB: we know 3 addresses are contiguous */
+ memcpy(aad + 4, wh->i_addr1, 3 * IEEE80211_ADDR_LEN);
+ aad[22] = wh->i_seq[0] & IEEE80211_SEQ_FRAG_MASK;
+ aad[23] = 0; /* all bits masked */
+ /*
+ * Construct variable-length portion of AAD based
+ * on whether this is a 4-address frame/QOS frame.
+ * We always zero-pad to 32 bytes before running it
+ * through the cipher.
+ */
+ if (IEEE80211_IS_DSTODS(wh)) {
+ IEEE80211_ADDR_COPY(aad + 24,
+ ((const struct ieee80211_frame_addr4 *)wh)->i_addr4);
+ if (IS_QOS_DATA(wh)) {
+ const struct ieee80211_qosframe_addr4 *qwh4 =
+ (const struct ieee80211_qosframe_addr4 *) wh;
+ aad[30] = qwh4->i_qos[0] & 0x0f;/* just priority bits */
+ aad[31] = 0;
+ aad_len = aad[1] = 22 + IEEE80211_ADDR_LEN + 2;
+ } else {
+ *(uint16_t *)&aad[30] = 0;
+ aad_len = aad[1] = 22 + IEEE80211_ADDR_LEN;
+ }
+ } else {
+ if (IS_QOS_DATA(wh)) {
+ const struct ieee80211_qosframe *qwh =
+ (const struct ieee80211_qosframe*) wh;
+ aad[24] = qwh->i_qos[0] & 0x0f; /* just priority bits */
+ aad[25] = 0;
+ aad_len = aad[1] = 22 + 2;
+ } else {
+ *(uint16_t *)&aad[24] = 0;
+ aad_len = aad[1] = 22;
+ }
+ *(uint16_t *)&aad[26] = 0;
+ *(uint32_t *)&aad[28] = 0;
+ }
+#undef IS_QOS_DATA
+
+ return aad_len;
+}
+
+/*
+ * Populate the 12 byte / 96 bit IV buffer.
+ */
+static int
+gcmp_init_iv(uint8_t *iv, const struct ieee80211_frame *wh, u_int64_t pn)
+{
+ uint8_t j_pn[GCMP_PN_LEN];
+
+ /* Construct the pn buffer */
+ j_pn[0] = pn >> 40;
+ j_pn[1] = pn >> 32;
+ j_pn[2] = pn >> 24;
+ j_pn[3] = pn >> 16;
+ j_pn[4] = pn >> 8;
+ j_pn[5] = pn >> 0;
+
+ memcpy(iv, wh->i_addr2, IEEE80211_ADDR_LEN);
+ memcpy(iv + IEEE80211_ADDR_LEN, j_pn, GCMP_PN_LEN);
+
+ return GCMP_IV_LEN; /* 96 bits */
+}
+
+
+/*
+ * Encrypt an mbuf.
+ *
+ * This uses a temporary memory buffer to encrypt; the
+ * current AES-GCM code expects things in a contiguous buffer
+ * and this avoids the need of breaking out the GCTR and
+ * GHASH routines into using mbuf iterators.
+ */
+
+static int
+gcmp_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
+{
+ struct gcmp_ctx *ctx = key->wk_private;
+ struct ieee80211_frame *wh;
+ struct ieee80211vap *vap = ctx->cc_vap;
+ struct mbuf *m = m0;
+ int data_len, aad_len, iv_len, ret;
+ uint8_t aad[GCM_AAD_LEN];
+ uint8_t T[GCMP_MIC_LEN];
+ uint8_t iv[GCMP_IV_LEN];
+ uint8_t *p_pktbuf = NULL;
+ uint8_t *c_pktbuf = NULL;
+
+ wh = mtod(m, struct ieee80211_frame *);
+ data_len = m->m_pkthdr.len - (hdrlen + gcmp_get_header_len(key));
+
+ ctx->cc_vap->iv_stats.is_crypto_gcmp++;
+
+ p_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
+ IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
+ if (p_pktbuf == NULL) {
+ IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
+ "%s", "AES-GCM encrypt failed; couldn't allocate buffer");
+ /* XXX counter */
+ return 0;
+ }
+ c_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
+ IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
+ if (c_pktbuf == NULL) {
+ IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
+ "%s", "AES-GCM encrypt failed; couldn't allocate buffer");
+ /* XXX counter */
+ IEEE80211_FREE(p_pktbuf, M_TEMP);
+ return 0;
+ }
+
+ /* Initialise AAD */
+ aad_len = gcmp_init_aad(wh, aad);
+
+ /* Initialise local Nonce to work on */
+ /* TODO: rename iv stuff here to nonce */
+ iv_len = gcmp_init_iv(iv, wh, key->wk_keytsc);
+
+ /* Copy mbuf data part into plaintext pktbuf */
+ m_copydata(m0, hdrlen + gcmp_get_header_len(key), data_len,
+ p_pktbuf);
+
+ /* Run encrypt */
+ aes_gcm_ae(&ctx->cc_aes, iv, iv_len,
+ p_pktbuf, data_len,
+ aad + 2, aad_len,
+ c_pktbuf,
+ T);
+
+ /* Copy data back over mbuf */
+ m_copyback(m0, hdrlen + gcmp_get_header_len(key), data_len,
+ c_pktbuf);
+
+ /* Append MIC */
+ ret = m_append(m0, gcmp_get_trailer_len(key), T);
+ if (ret == 0) {
+ IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
+ "%s", "AES-GCM encrypt failed; couldn't append T");
+ /* XXX counter on error */
+ }
+
+ IEEE80211_FREE(p_pktbuf, M_TEMP);
+ IEEE80211_FREE(c_pktbuf, M_TEMP);
+
+ return ret;
+}
+
+static int
+gcmp_decrypt(struct ieee80211_key *key, u_int64_t pn, struct mbuf *m, int hdrlen)
+{
+ struct gcmp_ctx *ctx = key->wk_private;
+ struct ieee80211vap *vap = ctx->cc_vap;
+ struct ieee80211_frame *wh;
+ int data_len, aad_len, iv_len, ret;
+ uint8_t aad[GCM_AAD_LEN];
+ uint8_t T[GCMP_MIC_LEN];
+ uint8_t iv[GCMP_IV_LEN];
+ uint8_t *p_pktbuf = NULL;
+ uint8_t *c_pktbuf = NULL;
+
+ wh = mtod(m, struct ieee80211_frame *);
+
+ /* Data length doesn't include the MIC at the end */
+ data_len = m->m_pkthdr.len -
+ (hdrlen + gcmp_get_header_len(key) + GCMP_MIC_LEN);
+
+ ctx->cc_vap->iv_stats.is_crypto_gcmp++;
+
+ p_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
+ IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
+ if (p_pktbuf == NULL) {
+ /* XXX counter */
+ return 0;
+ }
+ c_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
+ IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
+ if (c_pktbuf == NULL) {
+ /* XXX counter */
+ IEEE80211_FREE(p_pktbuf, M_TEMP);
+ return 0;
+ }
+
+ /* Initialise AAD */
+ aad_len = gcmp_init_aad(wh, aad);
+
+ /* Initialise local IV copy to work on */
+ iv_len = gcmp_init_iv(iv, wh, pn);
+
+ /* Copy mbuf into ciphertext pktbuf */
+ m_copydata(m, hdrlen + gcmp_get_header_len(key), data_len,
+ c_pktbuf);
+
+ /* Copy the MIC into the tag buffer */
+ m_copydata(m, hdrlen + gcmp_get_header_len(key) + data_len,
+ GCMP_MIC_LEN, T);
+
+ /* Run decrypt */
+ ret = aes_gcm_ad(&ctx->cc_aes, iv, iv_len,
+ c_pktbuf, data_len,
+ aad + 2, aad_len,
+ T, p_pktbuf);
+
+ if (ret != 0) {
+ /* Decrypt failure */
+ ctx->cc_vap->iv_stats.is_rx_gcmpmic++;
+ IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
+ "%s", "AES-GCM decrypt failed; MIC mismatch");
+ IEEE80211_FREE(p_pktbuf, M_TEMP);
+ IEEE80211_FREE(c_pktbuf, M_TEMP);
+ return 0;
+ }
+
+ /* Copy data back over mbuf */
+ m_copyback(m, hdrlen + gcmp_get_header_len(key), data_len,
+ p_pktbuf);
+
+ IEEE80211_FREE(p_pktbuf, M_TEMP);
+ IEEE80211_FREE(c_pktbuf, M_TEMP);
+
+ return 1;
+}
+
+/*
+ * Module glue.
+ */
+IEEE80211_CRYPTO_MODULE(gcmp_128, 1);
+IEEE80211_CRYPTO_MODULE_ADD(gcmp_256);
diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h
--- a/sys/net80211/ieee80211_ioctl.h
+++ b/sys/net80211/ieee80211_ioctl.h
@@ -253,6 +253,11 @@
uint32_t is_ff_encapfail; /* failed FF encap */
uint32_t is_amsdu_encapfail; /* failed A-MSDU encap */
+ uint32_t is_crypto_gcmp; /* gcmp crypto done in s/w */
+ uint32_t is_rx_gcmpreplay; /* rx seq# violation (GCMP) */
+ uint32_t is_rx_gcmpformat; /* rx format bad (GCMP) */
+ uint32_t is_rx_gcmpmic; /* rx MIC check failed (GCMP) */
+
uint32_t is_spare[5];
};
diff --git a/tools/tools/net80211/wlanstats/wlanstats.c b/tools/tools/net80211/wlanstats/wlanstats.c
--- a/tools/tools/net80211/wlanstats/wlanstats.c
+++ b/tools/tools/net80211/wlanstats/wlanstats.c
@@ -382,6 +382,14 @@
{ 9, "ampdu_bartxfail", "bartx_fail", "BAR frames failed to send" },
#define S_AMPDU_BARTX_RETRY AFTER(S_AMPDU_BARTX_FAIL)
{ 10, "ampdu_bartxretry", "bartx_retry", "BAR frames retried" },
+#define S_CRYPTO_GCMP AFTER(S_AMPDU_BARTX_RETRY)
+ { 5, "crypto_gcmp", "crypto_gcmp", "gcmp crypto done in s/w" },
+#define S_RX_GCMPREPLAY AFTER(S_CRYPTO_GCMP)
+ { 5, "rx_gcmpreplay", "gcmpreplay", "rx seq# violation (GCMP)" },
+#define S_RX_GCMPFORMAT AFTER(S_RX_GCMPREPLAY)
+ { 5, "rx_gcmpformat", "gcmpformat", "rx format bad (GCMP)" },
+#define S_RX_GCMPMIC AFTER(S_RX_GCMPFORMAT)
+ { 5, "rx_gcmpmic", "gcmpmic", "rx MIC check failed (GCMP)" },
};
struct wlanstatfoo_p {
@@ -830,6 +838,10 @@
case S_AMPDU_BARTX: STAT(ampdu_bar_tx);
case S_AMPDU_BARTX_RETRY: STAT(ampdu_bar_tx_retry);
case S_AMPDU_BARTX_FAIL: STAT(ampdu_bar_tx_fail);
+ case S_CRYPTO_GCMP: STAT(crypto_gcmp);
+ case S_RX_GCMPREPLAY: STAT(rx_gcmpreplay);
+ case S_RX_GCMPFORMAT: STAT(rx_gcmpformat);
+ case S_RX_GCMPMIC: STAT(rx_gcmpmic);
}
return wlan_getinfo(wf, s, b, bs);
#undef NSTAT
@@ -995,6 +1007,10 @@
case S_AMPDU_BARTX: STAT(ampdu_bar_tx);
case S_AMPDU_BARTX_RETRY: STAT(ampdu_bar_tx_retry);
case S_AMPDU_BARTX_FAIL: STAT(ampdu_bar_tx_fail);
+ case S_CRYPTO_GCMP: STAT(crypto_gcmp);
+ case S_RX_GCMPREPLAY: STAT(rx_gcmpreplay);
+ case S_RX_GCMPFORMAT: STAT(rx_gcmpformat);
+ case S_RX_GCMPMIC: STAT(rx_gcmpmic);
}
return wlan_getinfo(wf, s, b, bs);
#undef NSTAT

File Metadata

Mime Type
text/plain
Expires
Fri, Jan 24, 6:45 PM (4 h, 9 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16097144
Default Alt Text
D45397.id139176.diff (30 KB)

Event Timeline