1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
4  * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
30  * IEEE 802.11 AES-GCMP crypto support.
32  * The AES-GCM crypto routines in sys/net80211/ieee80211_crypto_gcm.[ch]
33  * are derived from similar code in hostapd 2.11 (src/crypto/aes-gcm.c).
61  * used by the AES-GCM routines for sizing the S and T hashes which are
83 	.ic_name	= "AES-GCMP",
100 	.ic_name	= "AES-GCMP-256",
132 		vap->iv_stats.is_crypto_nomem++;  in gcmp_attach()
135 	ctx->cc_vap = vap;  in gcmp_attach()
136 	ctx->cc_ic = vap->iv_ic;  in gcmp_attach()
144 	struct gcmp_ctx *ctx = k->wk_private;  in gcmp_detach()
148 	nrefs--;			/* NB: we assume caller locking */  in gcmp_detach()
154 	return (k->wk_cipher->ic_trailer);  in gcmp_get_trailer_len()
160 	return (k->wk_cipher->ic_header);  in gcmp_get_header_len()
168 	struct gcmp_ctx *ctx = k->wk_private;  in gcmp_setkey()
170 	switch (k->wk_cipher->ic_cipher) {  in gcmp_setkey()
178 		IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_setkey()
180 			__func__, k->wk_cipher->ic_cipher);  in gcmp_setkey()
184 	if (k->wk_keylen != (keylen/NBBY)) {  in gcmp_setkey()
185 		IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_setkey()
187 			__func__, k->wk_keylen, keylen/NBBY);  in gcmp_setkey()
190 	if (k->wk_flags & IEEE80211_KEY_SWENCRYPT)  in gcmp_setkey()
191 		rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);  in gcmp_setkey()
198 	struct gcmp_ctx *ctx = k->wk_private;  in gcmp_setiv()
199 	struct ieee80211vap *vap = ctx->cc_vap;  in gcmp_setiv()
204 	k->wk_keytsc++;  in gcmp_setiv()
205 	ivp[0] = k->wk_keytsc >> 0;		/* PN0 */  in gcmp_setiv()
206 	ivp[1] = k->wk_keytsc >> 8;		/* PN1 */  in gcmp_setiv()
209 	ivp[4] = k->wk_keytsc >> 16;		/* PN2 */  in gcmp_setiv()
210 	ivp[5] = k->wk_keytsc >> 24;		/* PN3 */  in gcmp_setiv()
211 	ivp[6] = k->wk_keytsc >> 32;		/* PN4 */  in gcmp_setiv()
212 	ivp[7] = k->wk_keytsc >> 40;		/* PN5 */  in gcmp_setiv()
222 	struct gcmp_ctx *ctx = k->wk_private;  in gcmp_encap()
223 	struct ieee80211com *ic = ctx->cc_ic;  in gcmp_encap()
238 	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))  in gcmp_encap()
240 	if (!is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIV))  in gcmp_encap()
258 	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&  in gcmp_encap()
291 	struct gcmp_ctx *ctx = k->wk_private;  in gcmp_decap()
292 	struct ieee80211vap *vap = ctx->cc_vap;  in gcmp_decap()
300 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) != 0)  in gcmp_decap()
313 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,  in gcmp_decap()
314 			"%s", "missing ExtIV for AES-GCM cipher");  in gcmp_decap()
315 		vap->iv_stats.is_rx_gcmpformat++;  in gcmp_decap()
321 	noreplaycheck = (k->wk_flags & IEEE80211_KEY_NOREPLAY) != 0;  in gcmp_decap()
323 	    (rxs->c_pktflags & IEEE80211_RX_F_PN_VALIDATED) != 0;  in gcmp_decap()
324 	if (pn <= k->wk_keyrsc[tid] && !noreplaycheck) {  in gcmp_decap()
329 		vap->iv_stats.is_rx_gcmpreplay++;  in gcmp_decap()
340 	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&  in gcmp_decap()
348 	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) == 0) {  in gcmp_decap()
354 	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_MIC_STRIP) == 0)  in gcmp_decap()
355 		m_adj(m, -gcmp_get_trailer_len(k));  in gcmp_decap()
360 	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) == 0) {  in gcmp_decap()
367 		if (pn > k->wk_keyrsc[tid])  in gcmp_decap()
368 			k->wk_keyrsc[tid] = pn;  in gcmp_decap()
399 	memcpy(iv, wh->i_addr2, IEEE80211_ADDR_LEN);  in gcmp_init_iv()
409  * current AES-GCM code expects things in a contiguous buffer
421 	struct gcmp_ctx *ctx = key->wk_private;  in gcmp_encrypt()
432 	data_len = m->m_pkthdr.len - (hdrlen + gcmp_get_header_len(key));  in gcmp_encrypt()
434 	ctx->cc_vap->iv_stats.is_crypto_gcmp++;  in gcmp_encrypt()
439 		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_encrypt()
440 		    wh->i_addr2, "%s",  in gcmp_encrypt()
441 		    "AES-GCM encrypt failed; couldn't allocate buffer");  in gcmp_encrypt()
442 		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;  in gcmp_encrypt()
448 		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_encrypt()
449 		    wh->i_addr2, "%s",  in gcmp_encrypt()
450 		    "AES-GCM encrypt failed; couldn't allocate buffer");  in gcmp_encrypt()
451 		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;  in gcmp_encrypt()
461 	iv_len = gcmp_init_iv(iv, wh, key->wk_keytsc);  in gcmp_encrypt()
472 	ieee80211_crypto_aes_gcm_ae(&ctx->cc_aes, iv, iv_len,  in gcmp_encrypt()
482 		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_encrypt()
483 		    wh->i_addr2, "%s",  in gcmp_encrypt()
484 		    "AES-GCM encrypt failed; couldn't append T");  in gcmp_encrypt()
485 		ctx->cc_vap->iv_stats.is_crypto_gcmp_nospc++;  in gcmp_encrypt()
498  * current AES-GCM code expects things in a contiguous buffer
512 	struct gcmp_ctx *ctx = key->wk_private;  in gcmp_decrypt()
522 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED) != 0)  in gcmp_decrypt()
528 	data_len = m->m_pkthdr.len -  in gcmp_decrypt()
531 	ctx->cc_vap->iv_stats.is_crypto_gcmp++;  in gcmp_decrypt()
536 		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;  in gcmp_decrypt()
542 		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;  in gcmp_decrypt()
566 	ret = ieee80211_crypto_aes_gcm_ad(&ctx->cc_aes, iv, iv_len,  in gcmp_decrypt()
570 	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MIC_STRIP) != 0)  in gcmp_decrypt()
575 		ctx->cc_vap->iv_stats.is_rx_gcmpmic++;  in gcmp_decrypt()
576 		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,  in gcmp_decrypt()
577 		    wh->i_addr2, "%s", "AES-GCM decrypt failed; MIC mismatch");  in gcmp_decrypt()