xref: /freebsd/sys/net80211/ieee80211_crypto_gcmp.c (revision a54a240c1b579e2c30af125f3b1fdfd87f280078)

/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
 * All rights reserved.
 * Copyright (c) 2025 Adrian Chadd <adrian@FreeBSD.org>.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * IEEE 802.11 AES-GCMP crypto support.
 *
 * The AES-GCM crypto routines in sys/net80211/ieee80211_crypto_gcm.[ch]
 * are derived from similar code in hostapd 2.11 (src/crypto/aes-gcm.c).
 * The code is used with the consent of the author and its licence is
 * included in the above source files.
 */
#include "opt_wlan.h"

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/malloc.h>
#include <sys/kernel.h>
#include <sys/module.h>

#include <sys/socket.h>

#include <net/if.h>
#include <net/if_media.h>
#include <net/ethernet.h>

#include <net80211/ieee80211_var.h>
#include <net80211/ieee80211_crypto_gcm.h>

#include <crypto/rijndael/rijndael.h>

#define AES_BLOCK_LEN 16

/*
 * Note: GCMP_MIC_LEN defined in ieee80211_crypto_gcm.h, as it is also
 * used by the AES-GCM routines for sizing the S and T hashes which are
 * used by GCMP as the MIC.
 */
#define	GCMP_PN_LEN	6
#define	GCMP_IV_LEN	12

struct gcmp_ctx {
	struct ieee80211vap *cc_vap;	/* for diagnostics+statistics */
	struct ieee80211com *cc_ic;
	rijndael_ctx	     cc_aes;
};

static	void *gcmp_attach(struct ieee80211vap *, struct ieee80211_key *);
static	void gcmp_detach(struct ieee80211_key *);
static	int gcmp_setkey(struct ieee80211_key *);
static	void gcmp_setiv(struct ieee80211_key *, uint8_t *);
static	int gcmp_encap(struct ieee80211_key *, struct mbuf *);
static	int gcmp_decap(struct ieee80211_key *, struct mbuf *, int);
static	int gcmp_enmic(struct ieee80211_key *, struct mbuf *, int);
static	int gcmp_demic(struct ieee80211_key *, struct mbuf *, int);

static const struct ieee80211_cipher gcmp = {
	.ic_name	= "AES-GCMP",
	.ic_cipher	= IEEE80211_CIPHER_AES_GCM_128,
	.ic_header	= IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
			  IEEE80211_WEP_EXTIVLEN,
	.ic_trailer	= GCMP_MIC_LEN,
	.ic_miclen	= 0,
	.ic_attach	= gcmp_attach,
	.ic_detach	= gcmp_detach,
	.ic_setkey	= gcmp_setkey,
	.ic_setiv	= gcmp_setiv,
	.ic_encap	= gcmp_encap,
	.ic_decap	= gcmp_decap,
	.ic_enmic	= gcmp_enmic,
	.ic_demic	= gcmp_demic,
};

static const struct ieee80211_cipher gcmp_256 = {
	.ic_name	= "AES-GCMP-256",
	.ic_cipher	= IEEE80211_CIPHER_AES_GCM_256,
	.ic_header	= IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN +
			  IEEE80211_WEP_EXTIVLEN,
	.ic_trailer	= GCMP_MIC_LEN,
	.ic_miclen	= 0,
	.ic_attach	= gcmp_attach,
	.ic_detach	= gcmp_detach,
	.ic_setkey	= gcmp_setkey,
	.ic_setiv	= gcmp_setiv,
	.ic_encap	= gcmp_encap,
	.ic_decap	= gcmp_decap,
	.ic_enmic	= gcmp_enmic,
	.ic_demic	= gcmp_demic,
};


static	int gcmp_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
static	int gcmp_decrypt(struct ieee80211_key *, u_int64_t pn,
		struct mbuf *, int hdrlen);

/* number of references from net80211 layer */
static	int nrefs = 0;

static void *
gcmp_attach(struct ieee80211vap *vap, struct ieee80211_key *k)
{
	struct gcmp_ctx *ctx;

	ctx = (struct gcmp_ctx *) IEEE80211_MALLOC(sizeof(struct gcmp_ctx),
		M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
	if (ctx == NULL) {
		vap->iv_stats.is_crypto_nomem++;
		return (NULL);
	}
	ctx->cc_vap = vap;
	ctx->cc_ic = vap->iv_ic;
	nrefs++;			/* NB: we assume caller locking */
	return (ctx);
}

static void
gcmp_detach(struct ieee80211_key *k)
{
	struct gcmp_ctx *ctx = k->wk_private;

	IEEE80211_FREE(ctx, M_80211_CRYPTO);
	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
	nrefs--;			/* NB: we assume caller locking */
}

static int
gcmp_get_trailer_len(struct ieee80211_key *k)
{
	return (k->wk_cipher->ic_trailer);
}

static int
gcmp_get_header_len(struct ieee80211_key *k)
{
	return (k->wk_cipher->ic_header);
}

static int
gcmp_setkey(struct ieee80211_key *k)
{
	uint32_t keylen;

	struct gcmp_ctx *ctx = k->wk_private;

	switch (k->wk_cipher->ic_cipher) {
	case IEEE80211_CIPHER_AES_GCM_128:
		keylen = 128;
		break;
	case IEEE80211_CIPHER_AES_GCM_256:
		keylen = 256;
		break;
	default:
		IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
			"%s: Unexpected cipher (%u)",
			__func__, k->wk_cipher->ic_cipher);
		return (0);
	}

	if (k->wk_keylen != (keylen/NBBY)) {
		IEEE80211_DPRINTF(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
			"%s: Invalid key length %u, expecting %u\n",
			__func__, k->wk_keylen, keylen/NBBY);
		return (0);
	}
	if (k->wk_flags & IEEE80211_KEY_SWENCRYPT)
		rijndael_set_key(&ctx->cc_aes, k->wk_key, k->wk_keylen*NBBY);
	return (1);
}

static void
gcmp_setiv(struct ieee80211_key *k, uint8_t *ivp)
{
	struct gcmp_ctx *ctx = k->wk_private;
	struct ieee80211vap *vap = ctx->cc_vap;
	uint8_t keyid;

	keyid = ieee80211_crypto_get_keyid(vap, k) << 6;

	k->wk_keytsc++;
	ivp[0] = k->wk_keytsc >> 0;		/* PN0 */
	ivp[1] = k->wk_keytsc >> 8;		/* PN1 */
	ivp[2] = 0;				/* Reserved */
	ivp[3] = keyid | IEEE80211_WEP_EXTIV;	/* KeyID | ExtID */
	ivp[4] = k->wk_keytsc >> 16;		/* PN2 */
	ivp[5] = k->wk_keytsc >> 24;		/* PN3 */
	ivp[6] = k->wk_keytsc >> 32;		/* PN4 */
	ivp[7] = k->wk_keytsc >> 40;		/* PN5 */
}

/*
 * Add privacy headers appropriate for the specified key.
 */
static int
gcmp_encap(struct ieee80211_key *k, struct mbuf *m)
{
	const struct ieee80211_frame *wh;
	struct gcmp_ctx *ctx = k->wk_private;
	struct ieee80211com *ic = ctx->cc_ic;
	uint8_t *ivp;
	int hdrlen;
	int is_mgmt;

	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
	wh = mtod(m, const struct ieee80211_frame *);
	is_mgmt = IEEE80211_IS_MGMT(wh);

	/*
	 * Check to see if we need to insert IV/MIC.
	 *
	 * Some offload devices don't require the IV to be inserted
	 * as part of the hardware encryption.
	 */
	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
		return (1);
	if (!is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIV))
		return (1);

	/*
	 * Copy down 802.11 header and add the IV, KeyID, and ExtIV.
	 */
	M_PREPEND(m, gcmp_get_header_len(k), IEEE80211_M_NOWAIT);
	if (m == NULL)
		return (0);
	ivp = mtod(m, uint8_t *);
	ovbcopy(ivp + gcmp_get_header_len(k), ivp, hdrlen);
	ivp += hdrlen;

	gcmp_setiv(k, ivp);

	/*
	 * Finally, do software encrypt if needed.
	 */
	if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) &&
	    !gcmp_encrypt(k, m, hdrlen))
		return (0);

	return (1);
}

/*
 * Add MIC to the frame as needed.
 */
static int
gcmp_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
{
	return (1);
}

static __inline uint64_t
READ_6(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5)
{
	uint32_t iv32 = (b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24);
	uint16_t iv16 = (b4 << 0) | (b5 << 8);
	return ((((uint64_t)iv16) << 32) | iv32);
}

/*
 * Validate and strip privacy headers (and trailer) for a
 * received frame. The specified key should be correct but
 * is also verified.
 */
static int
gcmp_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
{
	const struct ieee80211_rx_stats *rxs;
	struct gcmp_ctx *ctx = k->wk_private;
	struct ieee80211vap *vap = ctx->cc_vap;
	struct ieee80211_frame *wh;
	uint8_t *ivp, tid;
	uint64_t pn;
	bool noreplaycheck;

	rxs = ieee80211_get_rx_params_ptr(m);

	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) != 0)
		goto finish;

	/*
	 * Header should have extended IV and sequence number;
	 * verify the former and validate the latter.
	 */
	wh = mtod(m, struct ieee80211_frame *);
	ivp = mtod(m, uint8_t *) + hdrlen;
	if ((ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV) == 0) {
		/*
		 * No extended IV; discard frame.
		 */
		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2,
			"%s", "missing ExtIV for AES-GCM cipher");
		vap->iv_stats.is_rx_gcmpformat++;
		return (0);
	}
	tid = ieee80211_gettid(wh);
	pn = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);

	noreplaycheck = (k->wk_flags & IEEE80211_KEY_NOREPLAY) != 0;
	noreplaycheck |= (rxs != NULL) &&
	    (rxs->c_pktflags & IEEE80211_RX_F_PN_VALIDATED) != 0;
	if (pn <= k->wk_keyrsc[tid] && !noreplaycheck) {
		/*
		 * Replay violation.
		 */
		ieee80211_notify_replay_failure(vap, wh, k, pn, tid);
		vap->iv_stats.is_rx_gcmpreplay++;
		return (0);
	}

	/*
	 * Check if the device handled the decrypt in hardware.
	 * If so we just strip the header; otherwise we need to
	 * handle the decrypt in software.  Note that for the
	 * latter we leave the header in place for use in the
	 * decryption work.
	 */
	if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) &&
	    !gcmp_decrypt(k, pn, m, hdrlen))
		return (0);

finish:
	/*
	 * Copy up 802.11 header and strip crypto bits.
	 */
	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) == 0) {
		ovbcopy(mtod(m, void *), mtod(m, uint8_t *) +
		    gcmp_get_header_len(k), hdrlen);
		m_adj(m, gcmp_get_header_len(k));
	}

	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_MIC_STRIP) == 0)
		m_adj(m, -gcmp_get_trailer_len(k));

	/*
	 * Ok to update rsc now.
	 */
	if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP) == 0) {
		/*
		 * Do not go backwards in the IEEE80211_KEY_NOREPLAY cases
		 * or in case hardware has checked but frames are arriving
		 * reordered (e.g., LinuxKPI drivers doing RSS which we are
		 * not prepared for at all).
		 */
		if (pn > k->wk_keyrsc[tid])
			k->wk_keyrsc[tid] = pn;
	}

	return (1);
}

/*
 * Verify and strip MIC from the frame.
 */
static int
gcmp_demic(struct ieee80211_key *k, struct mbuf *m, int force)
{
	return (1);
}

/**
 * @brief Calculate the AAD required for this frame for AES-GCM.
 *
 * Note: This code was first copied over from ieee80211_crypto_ccmp.c, so
 * it has some CCMP-isms.
 *
 * NOTE: the first two bytes are a 16 bit big-endian length, which are used
 * by AES-CCM.  AES-GCM doesn't require the length at the beginning.
 *
 * @param wh	802.11 frame to calculate the AAD over
 * @param aad	AAD buffer, GCM_AAD_LEN bytes
 * @param The AAD length in bytes.
 */
static int
gcmp_init_aad(const struct ieee80211_frame *wh, uint8_t *aad)
{
	int aad_len;

	memset(aad, 0, GCM_AAD_LEN);

#define	IS_QOS_DATA(wh)	IEEE80211_QOS_HAS_SEQ(wh)
	/* AAD:
	 * FC with bits 4..6 and 11..13 masked to zero; 14 is always one
	 * A1 | A2 | A3
	 * SC with bits 4..15 (seq#) masked to zero
	 * A4 (if present)
	 * QC (if present)
	 */
	aad[0] = 0;	/* AAD length >> 8 */
	/* NB: aad[1] set below */

	/*
	 * TODO: go back over this in 802.11-2020 and triple check
	 * the AAD assembly with regards to packet flags.
	 */

	aad[2] = wh->i_fc[0] & 0x8f;	/* XXX magic #s */
	/*
	 * TODO: 12.5.3.3.3 - bit 14 should always be set; bit 15 masked to 0
	 * if QoS control field, unmasked otherwise
	 */
	aad[3] = wh->i_fc[1] & 0xc7;	/* XXX magic #s */
	/* NB: we know 3 addresses are contiguous */
	memcpy(aad + 4, wh->i_addr1, 3 * IEEE80211_ADDR_LEN);
	aad[22] = wh->i_seq[0] & IEEE80211_SEQ_FRAG_MASK;
	aad[23] = 0; /* all bits masked */
	/*
	 * Construct variable-length portion of AAD based
	 * on whether this is a 4-address frame/QOS frame.
	 * We always zero-pad to 32 bytes before running it
	 * through the cipher.
	 */
	if (IEEE80211_IS_DSTODS(wh)) {
		IEEE80211_ADDR_COPY(aad + 24,
			((const struct ieee80211_frame_addr4 *)wh)->i_addr4);
		if (IS_QOS_DATA(wh)) {
			const struct ieee80211_qosframe_addr4 *qwh4 =
				(const struct ieee80211_qosframe_addr4 *) wh;
			aad[30] = qwh4->i_qos[0] & 0x0f;/* just priority bits */
			aad[31] = 0;
			aad_len = aad[1] = 22 + IEEE80211_ADDR_LEN + 2;
		} else {
			*(uint16_t *)&aad[30] = 0;
			aad_len = aad[1] = 22 + IEEE80211_ADDR_LEN;
		}
	} else {
		if (IS_QOS_DATA(wh)) {
			const struct ieee80211_qosframe *qwh =
				(const struct ieee80211_qosframe*) wh;
			aad[24] = qwh->i_qos[0] & 0x0f;	/* just priority bits */
			aad[25] = 0;
			aad_len = aad[1] = 22 + 2;
		} else {
			*(uint16_t *)&aad[24] = 0;
			aad_len = aad[1] = 22;
		}
		*(uint16_t *)&aad[26] = 0;
		*(uint32_t *)&aad[28] = 0;
	}
#undef	IS_QOS_DATA

	return (aad_len);
}

/*
 * Populate the 12 byte / 96 bit IV buffer.
 */
static int
gcmp_init_iv(uint8_t *iv, const struct ieee80211_frame *wh, u_int64_t pn)
{
	uint8_t j_pn[GCMP_PN_LEN];

	/* Construct the pn buffer */
	j_pn[0] = pn >> 40;
	j_pn[1] = pn >> 32;
	j_pn[2] = pn >> 24;
	j_pn[3] = pn >> 16;
	j_pn[4] = pn >> 8;
	j_pn[5] = pn >> 0;

	memcpy(iv, wh->i_addr2, IEEE80211_ADDR_LEN);
	memcpy(iv + IEEE80211_ADDR_LEN, j_pn, GCMP_PN_LEN);

	return (GCMP_IV_LEN); /* 96 bits */
}

/*
 * @brief Encrypt an mbuf.
 *
 * This uses a temporary memory buffer to encrypt; the
 * current AES-GCM code expects things in a contiguous buffer
 * and this avoids the need of breaking out the GCTR and
 * GHASH routines into using mbuf iterators.
 *
 * @param key	ieee80211_key to use
 * @param mbuf	802.11 frame to encrypt
 * @param hdrlen	the length of the 802.11 header, including any padding
 * @returns 0 if error, > 0 if OK.
 */
static int
gcmp_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
{
	struct gcmp_ctx *ctx = key->wk_private;
	struct ieee80211_frame *wh;
	struct mbuf *m = m0;
	int data_len, aad_len, iv_len, ret;
	uint8_t aad[GCM_AAD_LEN];
	uint8_t T[GCMP_MIC_LEN];
	uint8_t iv[GCMP_IV_LEN];
	uint8_t *p_pktbuf = NULL;
	uint8_t *c_pktbuf = NULL;

	wh = mtod(m, struct ieee80211_frame *);
	data_len = m->m_pkthdr.len - (hdrlen + gcmp_get_header_len(key));

	ctx->cc_vap->iv_stats.is_crypto_gcmp++;

	p_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
	    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
	if (p_pktbuf == NULL) {
		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
		    wh->i_addr2, "%s",
		    "AES-GCM encrypt failed; couldn't allocate buffer");
		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;
		return (0);
	}
	c_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
	    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
	if (c_pktbuf == NULL) {
		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
		    wh->i_addr2, "%s",
		    "AES-GCM encrypt failed; couldn't allocate buffer");
		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;
		IEEE80211_FREE(p_pktbuf, M_TEMP);
		return (0);
	}

	/* Initialise AAD */
	aad_len = gcmp_init_aad(wh, aad);

	/* Initialise local Nonce to work on */
	/* TODO: rename iv stuff here to nonce */
	iv_len = gcmp_init_iv(iv, wh, key->wk_keytsc);

	/* Copy mbuf data part into plaintext pktbuf */
	m_copydata(m0, hdrlen + gcmp_get_header_len(key), data_len,
	    p_pktbuf);

	/* Run encrypt */
	/*
	 * Note: aad + 2 to skip over the 2 byte length populated
	 * at the beginning, since it's based on the AAD code in CCMP.
	 */
	ieee80211_crypto_aes_gcm_ae(&ctx->cc_aes, iv, iv_len,
	    p_pktbuf, data_len, aad + 2, aad_len, c_pktbuf, T);

	/* Copy data back over mbuf */
	m_copyback(m0, hdrlen + gcmp_get_header_len(key), data_len,
	    c_pktbuf);

	/* Append MIC */
	ret = m_append(m0, gcmp_get_trailer_len(key), T);
	if (ret == 0) {
		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
		    wh->i_addr2, "%s",
		    "AES-GCM encrypt failed; couldn't append T");
		ctx->cc_vap->iv_stats.is_crypto_gcmp_nospc++;
	}

	IEEE80211_FREE(p_pktbuf, M_TEMP);
	IEEE80211_FREE(c_pktbuf, M_TEMP);

	return (ret);
}

/*
 * @brief Decrypt an mbuf.
 *
 * This uses a temporary memory buffer to decrypt; the
 * current AES-GCM code expects things in a contiguous buffer
 * and this avoids the need of breaking out the GCTR and
 * GHASH routines into using mbuf iterators.
 *
 * @param key	ieee80211_key to use
 * @param mbuf	802.11 frame to decrypt
 * @param hdrlen	the length of the 802.11 header, including any padding
 * @returns 0 if error, > 0 if OK.
 */
static int
gcmp_decrypt(struct ieee80211_key *key, u_int64_t pn, struct mbuf *m,
    int hdrlen)
{
	const struct ieee80211_rx_stats *rxs;
	struct gcmp_ctx *ctx = key->wk_private;
	struct ieee80211_frame *wh;
	int data_len, aad_len, iv_len, ret;
	uint8_t aad[GCM_AAD_LEN];
	uint8_t T[GCMP_MIC_LEN];
	uint8_t iv[GCMP_IV_LEN];
	uint8_t *p_pktbuf = NULL;
	uint8_t *c_pktbuf = NULL;

	rxs = ieee80211_get_rx_params_ptr(m);
	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_DECRYPTED) != 0)
		return (1);

	wh = mtod(m, struct ieee80211_frame *);

	/* Data length doesn't include the MIC at the end */
	data_len = m->m_pkthdr.len -
	    (hdrlen + gcmp_get_header_len(key) + GCMP_MIC_LEN);

	ctx->cc_vap->iv_stats.is_crypto_gcmp++;

	p_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
	    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
	if (p_pktbuf == NULL) {
		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;
		return (0);
	}
	c_pktbuf = IEEE80211_MALLOC(data_len, M_TEMP,
	    IEEE80211_M_NOWAIT | IEEE80211_M_ZERO);
	if (c_pktbuf == NULL) {
		ctx->cc_vap->iv_stats.is_crypto_gcmp_nomem++;
		IEEE80211_FREE(p_pktbuf, M_TEMP);
		return (0);
	}

	/* Initialise AAD */
	aad_len = gcmp_init_aad(wh, aad);

	/* Initialise local IV copy to work on */
	iv_len = gcmp_init_iv(iv, wh, pn);

	/* Copy mbuf into ciphertext pktbuf */
	m_copydata(m, hdrlen + gcmp_get_header_len(key), data_len,
	    c_pktbuf);

	/* Copy the MIC into the tag buffer */
	m_copydata(m, hdrlen + gcmp_get_header_len(key) + data_len,
	    GCMP_MIC_LEN, T);

	/* Run decrypt */
	/*
	 * Note: aad + 2 to skip over the 2 byte length populated
	 * at the beginning, since it's based on the AAD code in CCMP.
	 */
	ret = ieee80211_crypto_aes_gcm_ad(&ctx->cc_aes, iv, iv_len,
	    c_pktbuf, data_len, aad + 2, aad_len, T, p_pktbuf);

	/* If the MIC was stripped by HW/driver we are done. */
	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_MIC_STRIP) != 0)
		goto skip_ok;

	if (ret != 0) {
		/* Decrypt failure */
		ctx->cc_vap->iv_stats.is_rx_gcmpmic++;
		IEEE80211_NOTE_MAC(ctx->cc_vap, IEEE80211_MSG_CRYPTO,
		    wh->i_addr2, "%s", "AES-GCM decrypt failed; MIC mismatch");
		IEEE80211_FREE(p_pktbuf, M_TEMP);
		IEEE80211_FREE(c_pktbuf, M_TEMP);
		return (0);
	}

skip_ok:
	/* Copy data back over mbuf */
	m_copyback(m, hdrlen + gcmp_get_header_len(key), data_len,
	    p_pktbuf);

	IEEE80211_FREE(p_pktbuf, M_TEMP);
	IEEE80211_FREE(c_pktbuf, M_TEMP);

	return (1);
}

/*
 * Module glue.
 */
IEEE80211_CRYPTO_MODULE(gcmp, 1);
IEEE80211_CRYPTO_MODULE_ADD(gcmp_256);