From: damien
Date: Tue, 12 Aug 2008 16:45:44 +0000 (+0000)
Subject: maintain a count of TKIP and CCMP replayed frames.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2e8aae21f6ac6928f9460fd6369bb8aea816a799;p=openbsd
maintain a count of TKIP and CCMP replayed frames. some cleanup while i'm here.
---
diff --git a/sys/net80211/ieee80211_crypto_ccmp.c b/sys/net80211/ieee80211_crypto_ccmp.c
index 61be6c7168e..2dab94a1949 100644
--- a/sys/net80211/ieee80211_crypto_ccmp.c
+++ b/sys/net80211/ieee80211_crypto_ccmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_ccmp.c,v 1.4 2008/08/12 16:21:46 damien Exp $ */
+/* $OpenBSD: ieee80211_crypto_ccmp.c,v 1.5 2008/08/12 16:45:44 damien Exp $ */
 /*-
 * Copyright (c) 2008 Damien Bergamini
@@ -16,13 +16,17 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+/*
+ * This code implements the CTR with CBC-MAC protocol (CCMP) defined in
+ * IEEE Std 802.11-2007 section 8.3.3.
+ */
+
 #include
 #include
 #include
 #include
 #include
 #include
-#include
 #include
 #include
@@ -84,7 +88,7 @@ ieee80211_ccmp_phase1(rijndael_ctx *ctx, const struct ieee80211_frame *wh,
 u_int8_t tid = 0;
 int la, i;
- /* construct AAD (additional authentication data) */
+ /* construct AAD (additional authenticated data) */
 aad = &auth[2]; /* skip l(a), will be filled later */
 *aad = wh->i_fc[0];
 /* 11w: conditionnally mask subtype field */
@@ -367,6 +371,7 @@ ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 (u_int64_t)ivp[7] << 40;
 if (pn <= *prsc) {
 /* replayed frame, discard */
+ ic->ic_stats.is_ccmp_replays++;
 m_freem(m0);
 return NULL;
 }
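Review bot: `is_ccmp_replays` is incremented in ieee80211_ccmp_decrypt as soon as `pn <= *prsc` holds, which is before the MIC comparison shown in the later hunk of the same function, so the counter also includes unauthenticated frames that merely carry an old packet number. Anyone using the statistic as a replay indicator should know it can be driven up by forged frames sent without the key; a comment on the increment such as `/* PN not above last accepted one; counted before the MIC check, so forged frames are included */` would make that explicit. The same applies to `is_tkip_replays` in the `tsc <= *prsc` branch of ieee80211_tkip_decrypt. The function body starts and ends outside this hunk.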
@@ -464,15 +469,13 @@ ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 /* check that it matches the MIC in received frame */
 m_copydata(m, moff, IEEE80211_CCMP_MICLEN, mic0);
 if (memcmp(mic0, b, IEEE80211_CCMP_MICLEN) != 0) {
+ ic->ic_stats.is_ccmp_dec_errs++;
 m_freem(m0);
 m_freem(n0);
 return NULL;
 }
- /*
- * Update last seen packet number (note that it must be done
- * after MIC is validated.)
- */
+ /* update last seen packet number (MIC is validated) */
 *prsc = pn;
 m_freem(m0);
diff --git a/sys/net80211/ieee80211_crypto_tkip.c b/sys/net80211/ieee80211_crypto_tkip.c
index 80db449f563..4f1fdde18e9 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_tkip.c,v 1.6 2008/08/12 16:21:46 damien Exp $ */
+/* $OpenBSD: ieee80211_crypto_tkip.c,v 1.7 2008/08/12 16:45:44 damien Exp $ */
 /*-
 * Copyright (c) 2008 Damien Bergamini
@@ -16,6 +16,11 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+/*
+ * This code implements the Temporal Key Integrity Protocol (TKIP) defined
+ * in IEEE Std 802.11-2007 section 8.3.2.
+ */
+
 #include
 #include
 #include
@@ -155,7 +160,7 @@ ieee80211_tkip_mic(struct mbuf *m0, int off, const u_int8_t *key,
 (const struct ieee80211_qosframe *)wh;
 wht.i_pri = qwh->i_qos[0] & 0xf;
 }
- } else
+ } else
 wht.i_pri = 0;
 wht.i_pad[0] = wht.i_pad[1] = wht.i_pad[2] = 0;
@@ -370,9 +375,9 @@ ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 (u_int64_t)ivp[5] << 24 |
 (u_int64_t)ivp[6] << 32 |
 (u_int64_t)ivp[7] << 40;
- /* NB: the keys are refreshed, we'll never overflow the 48 bits */
 if (tsc <= *prsc) {
 /* replayed frame, discard */
+ ic->ic_stats.is_tkip_replays++;
 m_freem(m0);
 return NULL;
 }
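Review bot: The shortened comment above `*prsc = pn;` in ieee80211_ccmp_decrypt no longer says that the update must happen after the MIC has been validated, and that ordering is the invariant the replay check relies on. If a later edit moved the assignment ahead of the MIC comparison, one forged frame with a large packet number would make the receiver discard the legitimate frames that follow it. I would keep the requirement in the one-line form, e.g. `/* update last seen packet number; must stay after the MIC check */`. The comment before `*prsc = tsc;` in ieee80211_tkip_decrypt was shortened the same way, and both functions begin and end outside their hunks.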
@@ -456,7 +461,7 @@ ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 /* decrypt ICV and compare it with calculated ICV */
 crc0 = *(u_int32_t *)(buf + IEEE80211_TKIP_MICLEN);
 if (crc != letoh32(crc0)) {
- ic->ic_stats.is_rx_decryptcrc++;
+ ic->ic_stats.is_tkip_icv_errs++;
 m_freem(m0);
 m_freem(n0);
 return NULL;
@@ -473,10 +478,7 @@ ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 return NULL;
 }
- /*
- * Update last seen packet number (note that it must be done
- * after MIC is validated.)
- */
+ /* update last seen packet number (MIC is validated) */
 *prsc = tsc;
 m_freem(m0);
diff --git a/sys/net80211/ieee80211_crypto_wep.c b/sys/net80211/ieee80211_crypto_wep.c
index f94dcfc8673..ccd08067f4a 100644
--- a/sys/net80211/ieee80211_crypto_wep.c
+++ b/sys/net80211/ieee80211_crypto_wep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_wep.c,v 1.4 2008/08/12 16:14:45 henning Exp $ */
+/* $OpenBSD: ieee80211_crypto_wep.c,v 1.5 2008/08/12 16:45:44 damien Exp $ */
 /*-
 * Copyright (c) 2008 Damien Bergamini
@@ -16,13 +16,17 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+/*
+ * This code implements Wired Equivalent Privacy (WEP) defined in
+ * IEEE Std 802.11-2007 section 8.2.1.
+ */
+
 #include
 #include
 #include
 #include
 #include
 #include
-#include
 #include
 #include
diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h
index 8541ac556a0..b9e16728e49 100644
--- a/sys/net80211/ieee80211_ioctl.h
+++ b/sys/net80211/ieee80211_ioctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_ioctl.h,v 1.11 2008/04/16 18:32:15 damien Exp $ */
+/* $OpenBSD: ieee80211_ioctl.h,v 1.12 2008/08/12 16:45:44 damien Exp $ */
 /* $NetBSD: ieee80211_ioctl.h,v 1.7 2004/04/30 22:51:04 dyoung Exp $ */
 /*-
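Review bot: The ICV failure branch of ieee80211_tkip_decrypt (`crc != letoh32(crc0)`) now increments `is_tkip_icv_errs` and no longer touches `is_rx_decryptcrc`, so anything that watches the old field for TKIP integrity failures will see it stop moving after this change. Whether other receive paths still feed `is_rx_decryptcrc` is not visible in this diff. I would record the move next to the new increment, e.g. `/* ICV mismatch; previously counted in is_rx_decryptcrc */`, and mention it in the commit message so consumers of the statistics know to read the new field. The function starts and ends outside the hunk.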
@@ -89,6 +89,10 @@ struct ieee80211_stats {
 u_int32_t is_rx_eapol_badmic; /* rx eapol frames w/ bad mic */
 u_int32_t is_rx_remmicfail; /* rx tkip remote mic fails */
 u_int32_t is_rx_locmicfail; /* rx tkip local mic fails */
+ u_int32_t is_tkip_replays;
+ u_int32_t is_tkip_icv_errs;
+ u_int32_t is_ccmp_replays;
+ u_int32_t is_ccmp_dec_errs;
 };
 #define SIOCG80211STATS _IOWR('i', 242, struct ifreq)
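Review bot: The four new members enlarge struct ieee80211_stats, the structure behind `SIOCG80211STATS`, by 16 bytes. If the ioctl handler copies `sizeof(struct ieee80211_stats)` to a caller-supplied buffer (the handler is not part of this diff), a userland binary built against the old header would receive more than it allocated, so kernel and userland readers need to be updated together. The new members also lack the trailing comments their neighbours carry; I would add them in the same style, e.g. `/* rx tkip frames dropped as replays */` and `/* rx ccmp frames w/ bad mic */`, the latter because `is_ccmp_dec_errs` is incremented on the MIC mismatch path rather than on a decryption error as the name suggests.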