/* $OpenBSD: ieee80211_crypto_bip.c,v 1.10 2018/11/09 14:14:31 claudio Exp $ */

/*-
 * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Software implementation of the Broadcast/Multicast Integrity Protocol
 * (BIP) defined in IEEE P802.11w/D7.0 section 8.3.4.  BIP authenticates
 * group-addressed management frames by appending a Management MIC IE
 * (MMIE) that carries a key id, a 48-bit packet number and an
 * AES-128-CMAC value truncated to 64 bits.
 */

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/kernel.h>
#include <sys/socket.h>
#include <sys/endian.h>

#include <net/if.h>
#include <net/if_dl.h>
#include <net/if_media.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>

#include <net80211/ieee80211_var.h>
#include <net80211/ieee80211_crypto.h>
#include <net80211/ieee80211_priv.h>

#include <crypto/aes.h>
#include <crypto/cmac.h>

/* Per-key software state for BIP: the keyed AES-CMAC context. */
struct ieee80211_bip_ctx {
	AES_CMAC_CTX	cmac;
};

/*
 * Allocate and key the software BIP context for `k' and attach it to
 * k->k_priv.  Drivers doing hardware crypto can override this function.
 *
 * Returns 0 on success, or ENOMEM when the non-sleeping allocation
 * fails (k->k_priv is left untouched in that case).  `ic' is not used.
 *
 * NOTE(review): an existing k->k_priv is overwritten without being
 * freed, and the length of k->k_key is not checked here; both are
 * presumably guaranteed by the caller -- confirm.
 */
int
ieee80211_bip_set_key(struct ieee80211com *ic, struct ieee80211_key *k)
{
	struct ieee80211_bip_ctx *bip;

	/* M_NOWAIT: may fail instead of sleeping; M_ZERO: start zeroed. */
	bip = malloc(sizeof(*bip), M_DEVBUF, M_NOWAIT | M_ZERO);
	if (bip == NULL)
		return ENOMEM;

	AES_CMAC_SetKey(&bip->cmac, k->k_key);
	k->k_priv = bip;

	return 0;
}

/*
 * Release the software BIP context attached to `k', if any, and reset
 * k->k_priv to NULL.  `ic' is not used.
 */
void
ieee80211_bip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k)
{
	struct ieee80211_bip_ctx *bip = k->k_priv;

	if (bip != NULL) {
		/*
		 * Wipe the keyed CMAC state before the memory goes back
		 * to the allocator so it does not linger in freed memory.
		 */
		explicit_bzero(bip, sizeof(*bip));
		free(bip, M_DEVBUF, sizeof(*bip));
	}
	k->k_priv = NULL;
}

/*
 * Pseudo-header fed to the CMAC ahead of the frame body (the AAD).
 * Packed so that sizeof covers exactly these fields.
 */
struct ieee80211_bip_frame {
	u_int8_t	i_fc[2];
	u_int8_t	i_addr1[IEEE80211_ADDR_LEN];
	u_int8_t	i_addr2[IEEE80211_ADDR_LEN];
	u_int8_t	i_addr3[IEEE80211_ADDR_LEN];
} __packed;

/*
 * Append an MMIE to the management frame in `m0' and fill in its MIC.
 *
 * The MIC is AES-128-CMAC over the AAD, the frame body held in the
 * first mbuf, and the MMIE with its MIC field zeroed; only the first
 * 64 bits of the result are stored.
 *
 * Returns m0 on success.  If an extra mbuf is needed for the MMIE and
 * cannot be allocated, m0 is freed, is_tx_nombuf is bumped and NULL is
 * returned, so the caller must not touch m0 afterwards.
 *
 * Assumptions that are not verified here:
 *  - the whole frame lives in m0 itself: only m0->m_len bytes are
 *    authenticated and m0->m_next is overwritten when a trailing mbuf
 *    is allocated;
 *  - m0->m_len is at least sizeof(struct ieee80211_frame); sizeof is
 *    unsigned, so a shorter mbuf would turn the body length into a
 *    huge value instead of a negative one.
 */
struct mbuf *
ieee80211_bip_encap(struct ieee80211com *ic, struct mbuf *m0,
    struct ieee80211_key *k)
{
	struct ieee80211_bip_ctx *bip = k->k_priv;
	struct ieee80211_frame *hdr = mtod(m0, struct ieee80211_frame *);
	struct ieee80211_bip_frame aad;
	struct mbuf *tail = m0;
	u_int8_t digest[AES_CMAC_DIGEST_LENGTH];
	u_int8_t *ie;

	KASSERT((hdr->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
	    IEEE80211_FC0_TYPE_MGT);

	/* Group management frames go out with the Protected bit cleared. */
	hdr->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;

	/*
	 * Build the AAD: frame control with the Retry, Power Management
	 * and More Data bits masked out, followed by the three addresses.
	 */
	aad.i_fc[0] = hdr->i_fc[0];
	aad.i_fc[1] = hdr->i_fc[1] & ~(IEEE80211_FC1_RETRY |
	    IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA);
	/* XXX 11n may require masking the Order bit as well */
	IEEE80211_ADDR_COPY(aad.i_addr1, hdr->i_addr1);
	IEEE80211_ADDR_COPY(aad.i_addr2, hdr->i_addr2);
	IEEE80211_ADDR_COPY(aad.i_addr3, hdr->i_addr3);

	/* Authenticate the AAD, then everything after the 802.11 header. */
	AES_CMAC_Init(&bip->cmac);
	AES_CMAC_Update(&bip->cmac, (u_int8_t *)&aad, sizeof aad);
	AES_CMAC_Update(&bip->cmac, (u_int8_t *)&hdr[1],
	    m0->m_len - sizeof(*hdr));

	/* Make sure there is room for the MMIE at the end of the frame. */
	if (m_trailingspace(tail) < IEEE80211_MMIE_LEN) {
		MGET(tail->m_next, M_DONTWAIT, tail->m_type);
		if (tail->m_next == NULL) {
			ic->ic_stats.is_tx_nombuf++;
			m_freem(m0);
			return NULL;
		}
		tail = tail->m_next;
		tail->m_len = 0;
	}

	/*
	 * Lay out the MMIE: element id, length 16, key id, 48-bit packet
	 * number, and an 8-byte MIC field that is zero while the MIC is
	 * being computed.
	 *
	 * NOTE(review): the packet number written is k_tsc before it is
	 * incremented, while ieee80211_bip_decap() drops any frame whose
	 * number is <= its stored counter.  Confirm the peer's counter
	 * starts below the first value sent.
	 */
	ie = mtod(tail, u_int8_t *) + tail->m_len;
	ie[0] = IEEE80211_ELEMID_MMIE;
	ie[1] = 16;
	LE_WRITE_2(&ie[2], k->k_id);
	LE_WRITE_6(&ie[4], k->k_tsc);
	memset(&ie[10], 0, 8);

	AES_CMAC_Update(&bip->cmac, ie, IEEE80211_MMIE_LEN);
	AES_CMAC_Final(digest, &bip->cmac);
	/* Only the first 64 bits of the AES-128-CMAC go on the wire. */
	memcpy(&ie[10], digest, 8);

	tail->m_len += IEEE80211_MMIE_LEN;
	m0->m_pkthdr.len += IEEE80211_MMIE_LEN;

	k->k_tsc++;

	return m0;
}

/*
 * Verify the MMIE at the end of the management frame in `m0'.
 *
 * A frame whose packet number is not strictly greater than
 * k->k_mgmt_rsc is counted in is_cmac_replays and dropped; a frame
 * whose recomputed MIC differs from the received one is counted in
 * is_cmac_icv_errs and dropped.  In both cases m0 is freed and NULL is
 * returned.  On success the MMIE is trimmed, k->k_mgmt_rsc advances to
 * the received packet number and m0 is returned.
 *
 * The frame is expected to be contiguous and to hold at least a header
 * plus an MMIE; that is checked in ieee80211_decrypt(), and here only
 * by KASSERT.
 * NOTE(review): if KASSERT can be compiled out, this function has no
 * length check of its own -- confirm the caller's check covers every
 * path.  The MMIE element id, length byte and key id are not examined
 * here either; presumably the caller selects the key from them --
 * confirm.
 */
struct mbuf *
ieee80211_bip_decap(struct ieee80211com *ic, struct mbuf *m0,
    struct ieee80211_key *k)
{
	struct ieee80211_bip_ctx *bip = k->k_priv;
	struct ieee80211_frame *hdr = mtod(m0, struct ieee80211_frame *);
	struct ieee80211_bip_frame aad;
	u_int8_t rx_mic[8], digest[AES_CMAC_DIGEST_LENGTH];
	u_int8_t *ie;
	u_int64_t rx_ipn;

	KASSERT((hdr->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
	    IEEE80211_FC0_TYPE_MGT);
	KASSERT(m0->m_len >= sizeof(*hdr) + IEEE80211_MMIE_LEN);

	/* The MMIE is taken to be the last IEEE80211_MMIE_LEN bytes. */
	ie = mtod(m0, u_int8_t *) + m0->m_len - IEEE80211_MMIE_LEN;

	/*
	 * Replay check.  It runs before the MIC is verified, but the
	 * stored counter is only advanced after a successful MIC check,
	 * so an unauthenticated frame cannot move it.
	 */
	rx_ipn = LE_READ_6(&ie[4]);
	if (rx_ipn <= k->k_mgmt_rsc) {
		ic->ic_stats.is_cmac_replays++;
		goto drop;
	}

	/* Keep the received MIC and zero the field in place for the CMAC. */
	memcpy(rx_mic, &ie[10], sizeof(rx_mic));
	memset(&ie[10], 0, 8);

	/* Same AAD construction as on the transmit side. */
	aad.i_fc[0] = hdr->i_fc[0];
	aad.i_fc[1] = hdr->i_fc[1] & ~(IEEE80211_FC1_RETRY |
	    IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA);
	/* XXX 11n may require masking the Order bit as well */
	IEEE80211_ADDR_COPY(aad.i_addr1, hdr->i_addr1);
	IEEE80211_ADDR_COPY(aad.i_addr2, hdr->i_addr2);
	IEEE80211_ADDR_COPY(aad.i_addr3, hdr->i_addr3);

	/* Recompute the MIC over the AAD and the body, MMIE included. */
	AES_CMAC_Init(&bip->cmac);
	AES_CMAC_Update(&bip->cmac, (u_int8_t *)&aad, sizeof aad);
	AES_CMAC_Update(&bip->cmac, (u_int8_t *)&hdr[1],
	    m0->m_len - sizeof(*hdr));
	AES_CMAC_Final(digest, &bip->cmac);

	/* Compare the truncated MIC without a data-dependent early exit. */
	if (timingsafe_bcmp(digest, rx_mic, sizeof(rx_mic)) != 0) {
		ic->ic_stats.is_cmac_icv_errs++;
		goto drop;
	}

	/*
	 * Upper layers would skip the MMIE as an information element,
	 * but trimming it is cheap and keeps it from being mistaken for
	 * fixed fields.
	 */
	m_adj(m0, -IEEE80211_MMIE_LEN);

	/* The MIC is valid: remember the last packet number seen. */
	k->k_mgmt_rsc = rx_ipn;

	return m0;

drop:
	m_freem(m0);
	return NULL;
}