gcmp.c 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
  1. /*
  2. * GCM with GMAC Protocol (GCMP)
  3. * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "utils/includes.h"
  9. #include "utils/common.h"
  10. #include "common/ieee802_11_defs.h"
  11. #include "crypto/aes.h"
  12. #include "crypto/aes_wrap.h"
  13. #include "wlantest.h"
  14. static void gcmp_aad_nonce(const struct ieee80211_hdr *hdr, const u8 *data,
  15. u8 *aad, size_t *aad_len, u8 *nonce)
  16. {
  17. u16 fc, stype, seq;
  18. int qos = 0, addr4 = 0;
  19. u8 *pos;
  20. fc = le_to_host16(hdr->frame_control);
  21. stype = WLAN_FC_GET_STYPE(fc);
  22. if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
  23. (WLAN_FC_TODS | WLAN_FC_FROMDS))
  24. addr4 = 1;
  25. if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA) {
  26. fc &= ~0x0070; /* Mask subtype bits */
  27. if (stype & 0x08) {
  28. const u8 *qc;
  29. qos = 1;
  30. fc &= ~WLAN_FC_ORDER;
  31. qc = (const u8 *) (hdr + 1);
  32. if (addr4)
  33. qc += ETH_ALEN;
  34. }
  35. }
  36. fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
  37. WPA_PUT_LE16(aad, fc);
  38. pos = aad + 2;
  39. os_memcpy(pos, hdr->addr1, 3 * ETH_ALEN);
  40. pos += 3 * ETH_ALEN;
  41. seq = le_to_host16(hdr->seq_ctrl);
  42. seq &= ~0xfff0; /* Mask Seq#; do not modify Frag# */
  43. WPA_PUT_LE16(pos, seq);
  44. pos += 2;
  45. os_memcpy(pos, hdr + 1, addr4 * ETH_ALEN + qos * 2);
  46. pos += addr4 * ETH_ALEN;
  47. if (qos) {
  48. pos[0] &= ~0x70;
  49. if (1 /* FIX: either device has SPP A-MSDU Capab = 0 */)
  50. pos[0] &= ~0x80;
  51. pos++;
  52. *pos++ = 0x00;
  53. }
  54. *aad_len = pos - aad;
  55. os_memcpy(nonce, hdr->addr2, ETH_ALEN);
  56. nonce[6] = data[7]; /* PN5 */
  57. nonce[7] = data[6]; /* PN4 */
  58. nonce[8] = data[5]; /* PN3 */
  59. nonce[9] = data[4]; /* PN2 */
  60. nonce[10] = data[1]; /* PN1 */
  61. nonce[11] = data[0]; /* PN0 */
  62. }
  63. u8 * gcmp_decrypt(const u8 *tk, size_t tk_len, const struct ieee80211_hdr *hdr,
  64. const u8 *data, size_t data_len, size_t *decrypted_len)
  65. {
  66. u8 aad[30], nonce[12], *plain;
  67. size_t aad_len, mlen;
  68. const u8 *m;
  69. if (data_len < 8 + 16)
  70. return NULL;
  71. plain = os_malloc(data_len + AES_BLOCK_SIZE);
  72. if (plain == NULL)
  73. return NULL;
  74. m = data + 8;
  75. mlen = data_len - 8 - 16;
  76. os_memset(aad, 0, sizeof(aad));
  77. gcmp_aad_nonce(hdr, data, aad, &aad_len, nonce);
  78. wpa_hexdump(MSG_EXCESSIVE, "GCMP AAD", aad, aad_len);
  79. wpa_hexdump(MSG_EXCESSIVE, "GCMP nonce", nonce, sizeof(nonce));
  80. if (aes_gcm_ad(tk, tk_len, nonce, sizeof(nonce), m, mlen, aad, aad_len,
  81. m + mlen, plain) < 0) {
  82. u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
  83. wpa_printf(MSG_INFO, "Invalid GCMP frame: A1=" MACSTR
  84. " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
  85. MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
  86. MAC2STR(hdr->addr3),
  87. WLAN_GET_SEQ_SEQ(seq_ctrl),
  88. WLAN_GET_SEQ_FRAG(seq_ctrl));
  89. os_free(plain);
  90. return NULL;
  91. }
  92. *decrypted_len = mlen;
  93. return plain;
  94. }
  95. u8 * gcmp_encrypt(const u8 *tk, size_t tk_len, const u8 *frame, size_t len,
  96. size_t hdrlen, const u8 *qos,
  97. const u8 *pn, int keyid, size_t *encrypted_len)
  98. {
  99. u8 aad[30], nonce[12], *crypt, *pos;
  100. size_t aad_len, plen;
  101. struct ieee80211_hdr *hdr;
  102. if (len < hdrlen || hdrlen < 24)
  103. return NULL;
  104. plen = len - hdrlen;
  105. crypt = os_malloc(hdrlen + 8 + plen + 16 + AES_BLOCK_SIZE);
  106. if (crypt == NULL)
  107. return NULL;
  108. os_memcpy(crypt, frame, hdrlen);
  109. hdr = (struct ieee80211_hdr *) crypt;
  110. pos = crypt + hdrlen;
  111. *pos++ = pn[5]; /* PN0 */
  112. *pos++ = pn[4]; /* PN1 */
  113. *pos++ = 0x00; /* Rsvd */
  114. *pos++ = 0x20 | (keyid << 6);
  115. *pos++ = pn[3]; /* PN2 */
  116. *pos++ = pn[2]; /* PN3 */
  117. *pos++ = pn[1]; /* PN4 */
  118. *pos++ = pn[0]; /* PN5 */
  119. os_memset(aad, 0, sizeof(aad));
  120. gcmp_aad_nonce(hdr, crypt + hdrlen, aad, &aad_len, nonce);
  121. wpa_hexdump(MSG_EXCESSIVE, "GCMP AAD", aad, aad_len);
  122. wpa_hexdump(MSG_EXCESSIVE, "GCMP nonce", nonce, sizeof(nonce));
  123. if (aes_gcm_ae(tk, tk_len, nonce, sizeof(nonce), frame + hdrlen, plen,
  124. aad, aad_len, pos, pos + plen) < 0) {
  125. os_free(crypt);
  126. return NULL;
  127. }
  128. wpa_hexdump(MSG_EXCESSIVE, "GCMP MIC", pos + plen, 16);
  129. wpa_hexdump(MSG_EXCESSIVE, "GCMP encrypted", pos, plen);
  130. *encrypted_len = hdrlen + 8 + plen + 16;
  131. return crypt;
  132. }