1 /*	$OpenBSD: ieee80211_crypto_bip.c,v 1.3 2010/07/20 15:36:03 matthew Exp $	*/
2 
3 /*-
4  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 /*
20  * This code implements the Broadcast/Multicast Integrity Protocol (BIP)
21  * defined in IEEE P802.11w/D7.0 section 8.3.4.
22  */
23 
24 #include <sys/param.h>
25 #include <sys/systm.h>
26 #include <sys/mbuf.h>
27 #include <sys/malloc.h>
28 #include <sys/kernel.h>
29 #include <sys/socket.h>
30 #include <sys/endian.h>
31 
32 #include <net/if.h>
33 #include <net/if_dl.h>
34 #include <net/if_media.h>
35 #include <net/if_arp.h>
36 #include <net/if_llc.h>
37 
38 #ifdef INET
39 #include <netinet/in.h>
40 #include <netinet/if_ether.h>
41 #endif
42 
43 #include <net80211/ieee80211_var.h>
44 #include <net80211/ieee80211_crypto.h>
45 #include <net80211/ieee80211_priv.h>
46 
47 #include <crypto/rijndael.h>
48 #include <crypto/cmac.h>
49 
50 /* BIP software crypto context */
51 struct ieee80211_bip_ctx {
52 	AES_CMAC_CTX	cmac;
53 };
54 
55 /*
56  * Initialize software crypto context.  This function can be overridden
57  * by drivers doing hardware crypto.
58  */
59 int
60 ieee80211_bip_set_key(struct ieee80211com *ic, struct ieee80211_key *k)
61 {
62 	struct ieee80211_bip_ctx *ctx;
63 
64 	ctx = malloc(sizeof(*ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
65 	if (ctx == NULL)
66 		return ENOMEM;
67 	AES_CMAC_SetKey(&ctx->cmac, k->k_key);
68 	k->k_priv = ctx;
69 	return 0;
70 }
71 
72 void
73 ieee80211_bip_delete_key(struct ieee80211com *ic, struct ieee80211_key *k)
74 {
75 	if (k->k_priv != NULL)
76 		free(k->k_priv, M_DEVBUF);
77 	k->k_priv = NULL;
78 }
79 
80 /* pseudo-header used for BIP MIC computation */
81 struct ieee80211_bip_frame {
82 	u_int8_t	i_fc[2];
83 	u_int8_t	i_addr1[IEEE80211_ADDR_LEN];
84 	u_int8_t	i_addr2[IEEE80211_ADDR_LEN];
85 	u_int8_t	i_addr3[IEEE80211_ADDR_LEN];
86 } __packed;
87 
88 struct mbuf *
89 ieee80211_bip_encap(struct ieee80211com *ic, struct mbuf *m0,
90     struct ieee80211_key *k)
91 {
92 	struct ieee80211_bip_ctx *ctx = k->k_priv;
93 	struct ieee80211_bip_frame aad;
94 	struct ieee80211_frame *wh;
95 	u_int8_t *mmie, mic[AES_CMAC_DIGEST_LENGTH];
96 	struct mbuf *m;
97 
98 	wh = mtod(m0, struct ieee80211_frame *);
99 	KASSERT((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
100 	    IEEE80211_FC0_TYPE_MGT);
101 	/* clear Protected bit from group management frames */
102 	wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
103 
104 	/* construct AAD (additional authenticated data) */
105 	aad.i_fc[0] = wh->i_fc[0];
106 	aad.i_fc[1] = wh->i_fc[1] & ~(IEEE80211_FC1_RETRY |
107 	    IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA);
108 	/* XXX 11n may require clearing the Order bit too */
109 	IEEE80211_ADDR_COPY(aad.i_addr1, wh->i_addr1);
110 	IEEE80211_ADDR_COPY(aad.i_addr2, wh->i_addr2);
111 	IEEE80211_ADDR_COPY(aad.i_addr3, wh->i_addr3);
112 
113 	AES_CMAC_Init(&ctx->cmac);
114 	AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&aad, sizeof aad);
115 	AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&wh[1],
116 	    m0->m_len - sizeof(*wh));
117 
118 	m = m0;
119 	/* reserve trailing space for MMIE */
120 	if (M_TRAILINGSPACE(m) < IEEE80211_MMIE_LEN) {
121 		MGET(m->m_next, M_DONTWAIT, m->m_type);
122 		if (m->m_next == NULL)
123 			goto nospace;
124 		m = m->m_next;
125 		m->m_len = 0;
126 	}
127 
128 	/* construct Management MIC IE */
129 	mmie = mtod(m, u_int8_t *) + m->m_len;
130 	mmie[0] = IEEE80211_ELEMID_MMIE;
131 	mmie[1] = 16;
132 	LE_WRITE_2(&mmie[2], k->k_id);
133 	LE_WRITE_6(&mmie[4], k->k_tsc);
134 	memset(&mmie[10], 0, 8);	/* MMIE MIC field set to 0 */
135 
136 	AES_CMAC_Update(&ctx->cmac, mmie, IEEE80211_MMIE_LEN);
137 	AES_CMAC_Final(mic, &ctx->cmac);
138 	/* truncate AES-128-CMAC to 64-bit */
139 	memcpy(&mmie[10], mic, 8);
140 
141 	m->m_len += IEEE80211_MMIE_LEN;
142 	m0->m_pkthdr.len += IEEE80211_MMIE_LEN;
143 
144 	k->k_tsc++;
145 
146 	return m0;
147  nospace:
148 	ic->ic_stats.is_tx_nombuf++;
149 	m_freem(m0);
150 	return NULL;
151 }
152 
153 struct mbuf *
154 ieee80211_bip_decap(struct ieee80211com *ic, struct mbuf *m0,
155     struct ieee80211_key *k)
156 {
157 	struct ieee80211_bip_ctx *ctx = k->k_priv;
158 	struct ieee80211_frame *wh;
159 	struct ieee80211_bip_frame aad;
160 	u_int8_t *mmie, mic0[8], mic[AES_CMAC_DIGEST_LENGTH];
161 	u_int64_t ipn;
162 
163 	wh = mtod(m0, struct ieee80211_frame *);
164 	KASSERT((wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) ==
165 	    IEEE80211_FC0_TYPE_MGT);
166 
167 	/*
168 	 * It is assumed that management frames are contiguous and that
169 	 * the mbuf length has already been checked to contain at least
170 	 * a header and a MMIE (checked in ieee80211_decrypt()).
171 	 */
172 	KASSERT(m0->m_len >= sizeof(*wh) + IEEE80211_MMIE_LEN);
173 	mmie = mtod(m0, u_int8_t *) + m0->m_len - IEEE80211_MMIE_LEN;
174 
175 	ipn = LE_READ_6(&mmie[4]);
176 	if (ipn <= k->k_mgmt_rsc) {
177 		/* replayed frame, discard */
178 		ic->ic_stats.is_cmac_replays++;
179 		m_freem(m0);
180 		return NULL;
181 	}
182 
183 	/* save and mask MMIE MIC field to 0 */
184 	memcpy(mic0, &mmie[10], 8);
185 	memset(&mmie[10], 0, 8);
186 
187 	/* construct AAD (additional authenticated data) */
188 	aad.i_fc[0] = wh->i_fc[0];
189 	aad.i_fc[1] = wh->i_fc[1] & ~(IEEE80211_FC1_RETRY |
190 	    IEEE80211_FC1_PWR_MGT | IEEE80211_FC1_MORE_DATA);
191 	/* XXX 11n may require clearing the Order bit too */
192 	IEEE80211_ADDR_COPY(aad.i_addr1, wh->i_addr1);
193 	IEEE80211_ADDR_COPY(aad.i_addr2, wh->i_addr2);
194 	IEEE80211_ADDR_COPY(aad.i_addr3, wh->i_addr3);
195 
196 	/* compute MIC */
197 	AES_CMAC_Init(&ctx->cmac);
198 	AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&aad, sizeof aad);
199 	AES_CMAC_Update(&ctx->cmac, (u_int8_t *)&wh[1],
200 	    m0->m_len - sizeof(*wh));
201 	AES_CMAC_Final(mic, &ctx->cmac);
202 
203 	/* check that MIC matches the one in MMIE */
204 	if (timingsafe_bcmp(mic, mic0, 8) != 0) {
205 		ic->ic_stats.is_cmac_icv_errs++;
206 		m_freem(m0);
207 		return NULL;
208 	}
209 	/*
210 	 * There is no need to trim the MMIE from the mbuf since it is
211 	 * an information element and will be ignored by upper layers.
212 	 * We do it anyway as it is cheap to do it here and because it
213 	 * may be confused with fixed fields by upper layers.
214 	 */
215 	m_adj(m0, -IEEE80211_MMIE_LEN);
216 
217 	/* update last seen packet number (MIC is validated) */
218 	k->k_mgmt_rsc = ipn;
219 
220 	return m0;
221 }
222