From 0df12cbddca7ee8ac12c6b20ca2f522fb5239058 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 26 Apr 2016 16:51:09 +0300 Subject: [PATCH] IEEE P802.11ah/D10.0 PV1 CCMP test vectors Extend wlantest test_vectors to calculate test vectors for P802.11ah Annex J.6.4. Signed-off-by: Jouni Malinen --- wlantest/ccmp.c | 100 +++++++++++++++++++ wlantest/test_vectors.c | 208 ++++++++++++++++++++++++++++++++++++++++ wlantest/wlantest.h | 4 + 3 files changed, 312 insertions(+) diff --git a/wlantest/ccmp.c b/wlantest/ccmp.c index ee1f1a67c..2a1ad83c9 100644 --- a/wlantest/ccmp.c +++ b/wlantest/ccmp.c @@ -77,6 +77,64 @@ static void ccmp_aad_nonce(const struct ieee80211_hdr *hdr, const u8 *data, } +static void ccmp_aad_nonce_pv1(const u8 *hdr, const u8 *a1, const u8 *a2, + const u8 *a3, const u8 *pn, + u8 *aad, size_t *aad_len, u8 *nonce) +{ + u16 fc, type; + u8 *pos; + + nonce[0] = BIT(5); /* PV1 */ + /* TODO: Priority for QMF; 0 is used for Data frames */ + + fc = WPA_GET_LE16(hdr); + type = (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2; + + if (type == 1) + nonce[0] |= 0x10; /* Management */ + + fc &= ~(BIT(10) | BIT(11) | BIT(13) | BIT(14) | BIT(15)); + fc |= BIT(12); + WPA_PUT_LE16(aad, fc); + pos = aad + 2; + if (type == 0 || type == 3) { + const u8 *sc; + + os_memcpy(pos, a1, ETH_ALEN); + pos += ETH_ALEN; + os_memcpy(pos, a2, ETH_ALEN); + pos += ETH_ALEN; + + if (type == 0) { + /* Either A1 or A2 contains SID */ + sc = hdr + 2 + 2 + ETH_ALEN; + } else { + /* Both A1 and A2 contain full addresses */ + sc = hdr + 2 + 2 * ETH_ALEN; + } + /* SC with Sequence Number subfield (bits 4-15 of the Sequence + * Control field) masked to 0. */ + *pos++ = *sc & 0x0f; + *pos++ = 0; + + if (a3) { + os_memcpy(pos, a3, ETH_ALEN); + pos += ETH_ALEN; + } + } + + *aad_len = pos - aad; + + os_memcpy(nonce + 1, a2, ETH_ALEN); + nonce[7] = pn[5]; /* PN5 */ + nonce[8] = pn[4]; /* PN4 */ + nonce[9] = pn[3]; /* PN3 */ + nonce[10] = pn[2]; /* PN2 */ + nonce[11] = pn[1]; /* PN1 */ + nonce[12] = pn[0]; /* PN0 */ +} + + u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len) { @@ -177,6 +235,48 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos, } +u8 * ccmp_encrypt_pv1(const u8 *tk, const u8 *a1, const u8 *a2, const u8 *a3, + const u8 *frame, size_t len, + size_t hdrlen, const u8 *pn, int keyid, + size_t *encrypted_len) +{ + u8 aad[24], nonce[13]; + size_t aad_len, plen; + u8 *crypt, *pos; + struct ieee80211_hdr *hdr; + + if (len < hdrlen || hdrlen < 12) + return NULL; + plen = len - hdrlen; + + crypt = os_malloc(hdrlen + plen + 8 + AES_BLOCK_SIZE); + if (crypt == NULL) + return NULL; + + os_memcpy(crypt, frame, hdrlen); + hdr = (struct ieee80211_hdr *) crypt; + hdr->frame_control |= host_to_le16(BIT(12)); /* Protected Frame */ + pos = crypt + hdrlen; + + os_memset(aad, 0, sizeof(aad)); + ccmp_aad_nonce_pv1(crypt, a1, a2, a3, pn, aad, &aad_len, nonce); + wpa_hexdump(MSG_EXCESSIVE, "CCMP AAD", aad, aad_len); + wpa_hexdump(MSG_EXCESSIVE, "CCMP nonce", nonce, sizeof(nonce)); + + if (aes_ccm_ae(tk, 16, nonce, 8, frame + hdrlen, plen, aad, aad_len, + pos, pos + plen) < 0) { + os_free(crypt); + return NULL; + } + + wpa_hexdump(MSG_EXCESSIVE, "CCMP encrypted", crypt + hdrlen, plen); + + *encrypted_len = hdrlen + plen + 8; + + return crypt; +} + + u8 * ccmp_256_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len) { diff --git a/wlantest/test_vectors.c b/wlantest/test_vectors.c index 36f2f5dbb..b15e5b399 100644 --- a/wlantest/test_vectors.c +++ b/wlantest/test_vectors.c @@ -10,6 +10,7 @@ #include "utils/common.h" #include "utils/eloop.h" +#include "common/ieee802_11_defs.h" #include "wlantest.h" @@ -136,6 +137,212 @@ static void test_vector_ccmp(void) } +static void test_vector_ccmp_pv1(void) +{ + u8 tk[] = { 0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85, + 0x51, 0x4a, 0x8a, 0x19, 0xf2, 0xbd, 0xd5, 0x2f }; + u8 pn[8]; + u8 frame1[] = { + 0x61, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba, + 0x07, 0x00, 0x80, 0x33, + 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae, + 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb, + 0x7e, 0x78, 0xa0, 0x50 + }; + u8 frame2[] = { + 0x61, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba, + 0x07, 0x20, 0x80, 0x33, 0x02, 0xd2, 0xe1, 0x28, + 0xa5, 0x7c, + 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae, + 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb, + 0x7e, 0x78, 0xa0, 0x50 + }; + u8 frame3[] = { + 0x6d, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba, + 0x52, 0x30, 0xf1, 0x84, 0x44, 0x08, 0x80, 0x33, + 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae, + 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb, + 0x7e, 0x78, 0xa0, 0x50 + }; + u8 *enc; + size_t enc_len; + u8 fcs[4]; + u8 bssid[ETH_ALEN] = { 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba }; + u8 da[ETH_ALEN] = { 0x02, 0xd2, 0xe1, 0x28, 0xa5, 0x7c }; + u8 sa[ETH_ALEN] = { 0x52, 0x30, 0xf1, 0x84, 0x44, 0x08 }; + u16 aid = 7; + u32 bpn = 123; + u16 sc = 0x3380; + int key_id = 0; + u16 fc; + int tid = 3; + u16 sid; + + wpa_printf(MSG_INFO, + "\nIEEE P802.11ah/D10.0, J.6.4 CCMP PV1 test vectors\n"); + + wpa_printf(MSG_INFO, "BSSID: " MACSTR, MAC2STR(bssid)); + wpa_printf(MSG_INFO, "DA: " MACSTR, MAC2STR(da)); + wpa_printf(MSG_INFO, "SA: " MACSTR, MAC2STR(sa)); + wpa_printf(MSG_INFO, "Association ID: %u", aid); + wpa_printf(MSG_INFO, "Base PN: %u (0x%08x)", bpn, bpn); + wpa_printf(MSG_INFO, "SC = 0x%04x (FragNum=%u SeqNum=%u)", + sc, WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc)); + wpa_printf(MSG_INFO, "TID = %u", tid); + wpa_printf(MSG_INFO, "Key ID: %u", key_id); + wpa_hexdump(MSG_INFO, "TK", tk, sizeof(tk)); + wpa_printf(MSG_INFO, "PN = SC||BPN"); + WPA_PUT_LE16(&pn[0], sc); + WPA_PUT_LE32(&pn[2], bpn); + wpa_hexdump(MSG_INFO, "PN (PN0..PN5)", pn, sizeof(pn)); + + wpa_printf(MSG_INFO, + "\nPV1 test vector #1:\nHeader compression used and A3 was previously stored at the receiver\n"); + fc = WPA_GET_LE16(frame1); + wpa_printf(MSG_INFO, + "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)", + fc, + fc & WLAN_FC_PVER, + (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2, + (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5, + !!(fc & BIT(8)), + !!(fc & BIT(9)), + !!(fc & BIT(10)), + !!(fc & BIT(11)), + !!(fc & BIT(12)), + !!(fc & BIT(13)), + !!(fc & BIT(14)), + !!(fc & BIT(15))); + wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame1[2])); + sid = WPA_GET_LE16(&frame1[8]); + wpa_printf(MSG_INFO, + "A2=%02x %02x (SID: AID=%u A3_Present=%u A4_Present=%u A-MSDU=%u); corresponds to 52:30:f1:84:44:08 in uncompressed header", + frame1[8], frame1[9], + sid & ~(BIT(13) | BIT(14) | BIT(15)), + !!(sid & BIT(13)), + !!(sid & BIT(14)), + !!(sid & BIT(15))); + sc = WPA_GET_LE16(&frame1[10]); + wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)", + frame1[10], frame1[11], + WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc)); + wpa_printf(MSG_INFO, "A3 not present; corresponds to 02:d2:e1:28:a5:7c in uncompressed header"); + wpa_printf(MSG_INFO, "A4 not present"); + wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame1, 12); + wpa_hexdump(MSG_INFO, "Plaintext Frame Body", + frame1 + 12, sizeof(frame1) - 12); + + enc = ccmp_encrypt_pv1(tk, &frame1[2], sa, da, frame1, sizeof(frame1), + 12, pn, key_id, &enc_len); + if (enc == NULL) { + wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame"); + return; + } + + wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 12); + wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body", + enc + 12, enc_len - 12); + WPA_PUT_LE32(fcs, crc32(enc, enc_len)); + wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs)); + + wpa_printf(MSG_INFO, + "\nPV1 test vector #2:\nHeader compression used and A3 was not previously stored at the receiver\n"); + fc = WPA_GET_LE16(frame2); + wpa_printf(MSG_INFO, + "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)", + fc, + fc & WLAN_FC_PVER, + (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2, + (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5, + !!(fc & BIT(8)), + !!(fc & BIT(9)), + !!(fc & BIT(10)), + !!(fc & BIT(11)), + !!(fc & BIT(12)), + !!(fc & BIT(13)), + !!(fc & BIT(14)), + !!(fc & BIT(15))); + wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame2[2])); + sid = WPA_GET_LE16(&frame2[8]); + wpa_printf(MSG_INFO, + "A2=%02x %02x (SID: AID=%u A3_Present=%u A4_Present=%u A-MSDU=%u); corresponds to 52:30:f1:84:44:08 in uncompressed header", + frame2[8], frame2[9], + sid & ~(BIT(13) | BIT(14) | BIT(15)), + !!(sid & BIT(13)), + !!(sid & BIT(14)), + !!(sid & BIT(15))); + sc = WPA_GET_LE16(&frame2[10]); + wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)", + frame2[10], frame2[11], + WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc)); + wpa_printf(MSG_INFO, "A3=" MACSTR, MAC2STR(&frame2[12])); + wpa_printf(MSG_INFO, "A4 not present"); + wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame2, 18); + wpa_hexdump(MSG_INFO, "Plaintext Frame Body", + frame2 + 18, sizeof(frame2) - 18); + + enc = ccmp_encrypt_pv1(tk, &frame2[2], sa, &frame2[12], + frame2, sizeof(frame2), 18, pn, key_id, + &enc_len); + if (enc == NULL) { + wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame"); + return; + } + + wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 18); + wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body", + enc + 18, enc_len - 18); + WPA_PUT_LE32(fcs, crc32(enc, enc_len)); + wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs)); + + wpa_printf(MSG_INFO, + "\nPV1 test vector #3:\nType 3 frame from SA to DA(=BSSID) (i.e., no separate DA in this example)\n"); + fc = WPA_GET_LE16(frame3); + wpa_printf(MSG_INFO, + "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)", + fc, + fc & WLAN_FC_PVER, + (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2, + (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5, + !!(fc & BIT(8)), + !!(fc & BIT(9)), + !!(fc & BIT(10)), + !!(fc & BIT(11)), + !!(fc & BIT(12)), + !!(fc & BIT(13)), + !!(fc & BIT(14)), + !!(fc & BIT(15))); + wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame3[2])); + wpa_printf(MSG_INFO, "A2=" MACSTR, MAC2STR(&frame3[8])); + sc = WPA_GET_LE16(&frame3[14]); + wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)", + frame3[14], frame3[15], + WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc)); + wpa_printf(MSG_INFO, + "A3 not present; corresponds to 02:d2:e1:28:a5:7c in uncompressed header"); + wpa_printf(MSG_INFO, "A4 not present"); + wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame3, 16); + wpa_hexdump(MSG_INFO, "Plaintext Frame Body", + frame3 + 16, sizeof(frame3) - 16); + + enc = ccmp_encrypt_pv1(tk, &frame3[2], &frame3[8], da, + frame3, sizeof(frame3), 16, pn, key_id, + &enc_len); + if (enc == NULL) { + wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame"); + return; + } + + wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 16); + wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body", + enc + 16, enc_len - 16); + WPA_PUT_LE32(fcs, crc32(enc, enc_len)); + wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs)); + + wpa_debug_level = MSG_INFO; +} + + static void test_vector_bip(void) { u8 igtk[] = { @@ -712,6 +919,7 @@ int main(int argc, char *argv[]) test_vector_tkip(); test_vector_ccmp(); + test_vector_ccmp_pv1(); test_vector_bip(); test_vector_ccmp_mgmt(); errors += test_vector_gcmp(); diff --git a/wlantest/wlantest.h b/wlantest/wlantest.h index 530accc3b..1ff579ffa 100644 --- a/wlantest/wlantest.h +++ b/wlantest/wlantest.h @@ -274,6 +274,10 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len); u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos, u8 *pn, int keyid, size_t *encrypted_len); +u8 * ccmp_encrypt_pv1(const u8 *tk, const u8 *a1, const u8 *a2, const u8 *a3, + const u8 *frame, size_t len, + size_t hdrlen, const u8 *pn, int keyid, + size_t *encrypted_len); void ccmp_get_pn(u8 *pn, const u8 *data); u8 * ccmp_256_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr, const u8 *data, size_t data_len, size_t *decrypted_len);