IEEE P802.11ah/D10.0 PV1 CCMP test vectors

Extend wlantest test_vectors to calculate test vectors for P802.11ah
Annex J.6.4.

Signed-off-by: Jouni Malinen <j@w1.fi>

wlantest/ccmp.c

@@ -77,6 +77,64 @@ static void ccmp_aad_nonce(const struct ieee80211_hdr *hdr, const u8 *data,
 }
 
 
+static void ccmp_aad_nonce_pv1(const u8 *hdr, const u8 *a1, const u8 *a2,
+			       const u8 *a3, const u8 *pn,
+			       u8 *aad, size_t *aad_len, u8 *nonce)
+{
+	u16 fc, type;
+	u8 *pos;
+
+	nonce[0] = BIT(5); /* PV1 */
+	/* TODO: Priority for QMF; 0 is used for Data frames */
+
+	fc = WPA_GET_LE16(hdr);
+	type = (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2;
+
+	if (type == 1)
+		nonce[0] |= 0x10; /* Management */
+
+	fc &= ~(BIT(10) | BIT(11) | BIT(13) | BIT(14) | BIT(15));
+	fc |= BIT(12);
+	WPA_PUT_LE16(aad, fc);
+	pos = aad + 2;
+	if (type == 0 || type == 3) {
+		const u8 *sc;
+
+		os_memcpy(pos, a1, ETH_ALEN);
+		pos += ETH_ALEN;
+		os_memcpy(pos, a2, ETH_ALEN);
+		pos += ETH_ALEN;
+
+		if (type == 0) {
+			/* Either A1 or A2 contains SID */
+			sc = hdr + 2 + 2 + ETH_ALEN;
+		} else {
+			/* Both A1 and A2 contain full addresses */
+			sc = hdr + 2 + 2 * ETH_ALEN;
+		}
+		/* SC with Sequence Number subfield (bits 4-15 of the Sequence
+		 * Control field) masked to 0. */
+		*pos++ = *sc & 0x0f;
+		*pos++ = 0;
+
+		if (a3) {
+			os_memcpy(pos, a3, ETH_ALEN);
+			pos += ETH_ALEN;
+		}
+	}
+
+	*aad_len = pos - aad;
+
+	os_memcpy(nonce + 1, a2, ETH_ALEN);
+	nonce[7] = pn[5]; /* PN5 */
+	nonce[8] = pn[4]; /* PN4 */
+	nonce[9] = pn[3]; /* PN3 */
+	nonce[10] = pn[2]; /* PN2 */
+	nonce[11] = pn[1]; /* PN1 */
+	nonce[12] = pn[0]; /* PN0 */
+}
+
+
 u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
 		  const u8 *data, size_t data_len, size_t *decrypted_len)
 {
@@ -177,6 +235,48 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
 }
 
 
+u8 * ccmp_encrypt_pv1(const u8 *tk, const u8 *a1, const u8 *a2, const u8 *a3,
+		      const u8 *frame, size_t len,
+		      size_t hdrlen, const u8 *pn, int keyid,
+		      size_t *encrypted_len)
+{
+	u8 aad[24], nonce[13];
+	size_t aad_len, plen;
+	u8 *crypt, *pos;
+	struct ieee80211_hdr *hdr;
+
+	if (len < hdrlen || hdrlen < 12)
+		return NULL;
+	plen = len - hdrlen;
+
+	crypt = os_malloc(hdrlen + plen + 8 + AES_BLOCK_SIZE);
+	if (crypt == NULL)
+		return NULL;
+
+	os_memcpy(crypt, frame, hdrlen);
+	hdr = (struct ieee80211_hdr *) crypt;
+	hdr->frame_control |= host_to_le16(BIT(12)); /* Protected Frame */
+	pos = crypt + hdrlen;
+
+	os_memset(aad, 0, sizeof(aad));
+	ccmp_aad_nonce_pv1(crypt, a1, a2, a3, pn, aad, &aad_len, nonce);
+	wpa_hexdump(MSG_EXCESSIVE, "CCMP AAD", aad, aad_len);
+	wpa_hexdump(MSG_EXCESSIVE, "CCMP nonce", nonce, sizeof(nonce));
+
+	if (aes_ccm_ae(tk, 16, nonce, 8, frame + hdrlen, plen, aad, aad_len,
+		       pos, pos + plen) < 0) {
+		os_free(crypt);
+		return NULL;
+	}
+
+	wpa_hexdump(MSG_EXCESSIVE, "CCMP encrypted", crypt + hdrlen, plen);
+
+	*encrypted_len = hdrlen + plen + 8;
+
+	return crypt;
+}
+
+
 u8 * ccmp_256_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
 		      const u8 *data, size_t data_len, size_t *decrypted_len)
 {

wlantest/test_vectors.c

@@ -10,6 +10,7 @@
 
 #include "utils/common.h"
 #include "utils/eloop.h"
+#include "common/ieee802_11_defs.h"
 #include "wlantest.h"
 
 
@@ -136,6 +137,212 @@ static void test_vector_ccmp(void)
 }
 
 
+static void test_vector_ccmp_pv1(void)
+{
+	u8 tk[] = { 0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85,
+		    0x51, 0x4a, 0x8a, 0x19, 0xf2, 0xbd, 0xd5, 0x2f };
+	u8 pn[8];
+	u8 frame1[] = {
+		0x61, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba,
+		0x07, 0x00, 0x80, 0x33,
+		0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
+		0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
+		0x7e, 0x78, 0xa0, 0x50
+	};
+	u8 frame2[] = {
+		0x61, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba,
+		0x07, 0x20, 0x80, 0x33, 0x02, 0xd2, 0xe1, 0x28,
+		0xa5, 0x7c,
+		0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
+		0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
+		0x7e, 0x78, 0xa0, 0x50
+	};
+	u8 frame3[] = {
+		0x6d, 0x00, 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba,
+		0x52, 0x30, 0xf1, 0x84, 0x44, 0x08, 0x80, 0x33,
+		0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
+		0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
+		0x7e, 0x78, 0xa0, 0x50
+	};
+	u8 *enc;
+	size_t enc_len;
+	u8 fcs[4];
+	u8 bssid[ETH_ALEN] = { 0xa2, 0xae, 0xa5, 0xb8, 0xfc, 0xba };
+	u8 da[ETH_ALEN] = { 0x02, 0xd2, 0xe1, 0x28, 0xa5, 0x7c };
+	u8 sa[ETH_ALEN] = { 0x52, 0x30, 0xf1, 0x84, 0x44, 0x08 };
+	u16 aid = 7;
+	u32 bpn = 123;
+	u16 sc = 0x3380;
+	int key_id = 0;
+	u16 fc;
+	int tid = 3;
+	u16 sid;
+
+	wpa_printf(MSG_INFO,
+		   "\nIEEE P802.11ah/D10.0, J.6.4 CCMP PV1 test vectors\n");
+
+	wpa_printf(MSG_INFO, "BSSID: " MACSTR, MAC2STR(bssid));
+	wpa_printf(MSG_INFO, "DA: " MACSTR, MAC2STR(da));
+	wpa_printf(MSG_INFO, "SA: " MACSTR, MAC2STR(sa));
+	wpa_printf(MSG_INFO, "Association ID: %u", aid);
+	wpa_printf(MSG_INFO, "Base PN: %u (0x%08x)", bpn, bpn);
+	wpa_printf(MSG_INFO, "SC = 0x%04x (FragNum=%u SeqNum=%u)",
+		   sc, WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc));
+	wpa_printf(MSG_INFO, "TID = %u", tid);
+	wpa_printf(MSG_INFO, "Key ID: %u", key_id);
+	wpa_hexdump(MSG_INFO, "TK", tk, sizeof(tk));
+	wpa_printf(MSG_INFO, "PN = SC||BPN");
+	WPA_PUT_LE16(&pn[0], sc);
+	WPA_PUT_LE32(&pn[2], bpn);
+	wpa_hexdump(MSG_INFO, "PN (PN0..PN5)", pn, sizeof(pn));
+
+	wpa_printf(MSG_INFO,
+		   "\nPV1 test vector #1:\nHeader compression used and A3 was previously stored at the receiver\n");
+	fc = WPA_GET_LE16(frame1);
+	wpa_printf(MSG_INFO,
+		   "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)",
+		   fc,
+		   fc & WLAN_FC_PVER,
+		   (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2,
+		   (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5,
+		   !!(fc & BIT(8)),
+		   !!(fc & BIT(9)),
+		   !!(fc & BIT(10)),
+		   !!(fc & BIT(11)),
+		   !!(fc & BIT(12)),
+		   !!(fc & BIT(13)),
+		   !!(fc & BIT(14)),
+		   !!(fc & BIT(15)));
+	wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame1[2]));
+	sid = WPA_GET_LE16(&frame1[8]);
+	wpa_printf(MSG_INFO,
+		   "A2=%02x %02x (SID: AID=%u A3_Present=%u A4_Present=%u A-MSDU=%u); corresponds to 52:30:f1:84:44:08 in uncompressed header",
+		   frame1[8], frame1[9],
+		   sid & ~(BIT(13) | BIT(14) | BIT(15)),
+		   !!(sid & BIT(13)),
+		   !!(sid & BIT(14)),
+		   !!(sid & BIT(15)));
+	sc = WPA_GET_LE16(&frame1[10]);
+	wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)",
+		   frame1[10], frame1[11],
+		   WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc));
+	wpa_printf(MSG_INFO, "A3 not present; corresponds to 02:d2:e1:28:a5:7c in uncompressed header");
+	wpa_printf(MSG_INFO, "A4 not present");
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame1, 12);
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Body",
+		    frame1 + 12, sizeof(frame1) - 12);
+
+	enc = ccmp_encrypt_pv1(tk, &frame1[2], sa, da, frame1, sizeof(frame1),
+			       12, pn, key_id, &enc_len);
+	if (enc == NULL) {
+		wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame");
+		return;
+	}
+
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 12);
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body",
+		    enc + 12, enc_len - 12);
+	WPA_PUT_LE32(fcs, crc32(enc, enc_len));
+	wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs));
+
+	wpa_printf(MSG_INFO,
+		   "\nPV1 test vector #2:\nHeader compression used and A3 was not previously stored at the receiver\n");
+	fc = WPA_GET_LE16(frame2);
+	wpa_printf(MSG_INFO,
+		   "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)",
+		   fc,
+		   fc & WLAN_FC_PVER,
+		   (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2,
+		   (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5,
+		   !!(fc & BIT(8)),
+		   !!(fc & BIT(9)),
+		   !!(fc & BIT(10)),
+		   !!(fc & BIT(11)),
+		   !!(fc & BIT(12)),
+		   !!(fc & BIT(13)),
+		   !!(fc & BIT(14)),
+		   !!(fc & BIT(15)));
+	wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame2[2]));
+	sid = WPA_GET_LE16(&frame2[8]);
+	wpa_printf(MSG_INFO,
+		   "A2=%02x %02x (SID: AID=%u A3_Present=%u A4_Present=%u A-MSDU=%u); corresponds to 52:30:f1:84:44:08 in uncompressed header",
+		   frame2[8], frame2[9],
+		   sid & ~(BIT(13) | BIT(14) | BIT(15)),
+		   !!(sid & BIT(13)),
+		   !!(sid & BIT(14)),
+		   !!(sid & BIT(15)));
+	sc = WPA_GET_LE16(&frame2[10]);
+	wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)",
+		   frame2[10], frame2[11],
+		   WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc));
+	wpa_printf(MSG_INFO, "A3=" MACSTR, MAC2STR(&frame2[12]));
+	wpa_printf(MSG_INFO, "A4 not present");
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame2, 18);
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Body",
+		    frame2 + 18, sizeof(frame2) - 18);
+
+	enc = ccmp_encrypt_pv1(tk, &frame2[2], sa, &frame2[12],
+			       frame2, sizeof(frame2), 18, pn, key_id,
+			       &enc_len);
+	if (enc == NULL) {
+		wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame");
+		return;
+	}
+
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 18);
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body",
+		    enc + 18, enc_len - 18);
+	WPA_PUT_LE32(fcs, crc32(enc, enc_len));
+	wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs));
+
+	wpa_printf(MSG_INFO,
+		   "\nPV1 test vector #3:\nType 3 frame from SA to DA(=BSSID) (i.e., no separate DA in this example)\n");
+	fc = WPA_GET_LE16(frame3);
+	wpa_printf(MSG_INFO,
+		   "FC=0x%04x (PV=%u Type=%u PTID/Subtype=%u From_DS=%u More_Fragments=%u Power_Management=%u More_Data=%u Protected_Frame=%u End_of_SP=%u Relayed_Frame=%u Ack_Policy=%u)",
+		   fc,
+		   fc & WLAN_FC_PVER,
+		   (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2,
+		   (fc & (BIT(5) | BIT(6) | BIT(7))) >> 5,
+		   !!(fc & BIT(8)),
+		   !!(fc & BIT(9)),
+		   !!(fc & BIT(10)),
+		   !!(fc & BIT(11)),
+		   !!(fc & BIT(12)),
+		   !!(fc & BIT(13)),
+		   !!(fc & BIT(14)),
+		   !!(fc & BIT(15)));
+	wpa_printf(MSG_INFO, "A1=" MACSTR, MAC2STR(&frame3[2]));
+	wpa_printf(MSG_INFO, "A2=" MACSTR, MAC2STR(&frame3[8]));
+	sc = WPA_GET_LE16(&frame3[14]);
+	wpa_printf(MSG_INFO, "Sequence Control: %02x %02x (FN=%u SN=%u)",
+		   frame3[14], frame3[15],
+		   WLAN_GET_SEQ_FRAG(sc), WLAN_GET_SEQ_SEQ(sc));
+	wpa_printf(MSG_INFO,
+		   "A3 not present; corresponds to 02:d2:e1:28:a5:7c in uncompressed header");
+	wpa_printf(MSG_INFO, "A4 not present");
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Header", frame3, 16);
+	wpa_hexdump(MSG_INFO, "Plaintext Frame Body",
+		    frame3 + 16, sizeof(frame3) - 16);
+
+	enc = ccmp_encrypt_pv1(tk, &frame3[2], &frame3[8], da,
+			       frame3, sizeof(frame3), 16, pn, key_id,
+			       &enc_len);
+	if (enc == NULL) {
+		wpa_printf(MSG_ERROR, "Failed to encrypt CCMP frame");
+		return;
+	}
+
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Header", enc, 16);
+	wpa_hexdump(MSG_INFO, "Encrypted Frame Frame Body",
+		    enc + 16, enc_len - 16);
+	WPA_PUT_LE32(fcs, crc32(enc, enc_len));
+	wpa_hexdump(MSG_INFO, "Encrypted Frame FCS", fcs, sizeof(fcs));
+
+	wpa_debug_level = MSG_INFO;
+}
+
+
 static void test_vector_bip(void)
 {
 	u8 igtk[] = {
@@ -712,6 +919,7 @@ int main(int argc, char *argv[])
 
 	test_vector_tkip();
 	test_vector_ccmp();
+	test_vector_ccmp_pv1();
 	test_vector_bip();
 	test_vector_ccmp_mgmt();
 	errors += test_vector_gcmp();

wlantest/wlantest.h

@@ -274,6 +274,10 @@ u8 * ccmp_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
 		  const u8 *data, size_t data_len, size_t *decrypted_len);
 u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
 		  u8 *pn, int keyid, size_t *encrypted_len);
+u8 * ccmp_encrypt_pv1(const u8 *tk, const u8 *a1, const u8 *a2, const u8 *a3,
+		      const u8 *frame, size_t len,
+		      size_t hdrlen, const u8 *pn, int keyid,
+		      size_t *encrypted_len);
 void ccmp_get_pn(u8 *pn, const u8 *data);
 u8 * ccmp_256_decrypt(const u8 *tk, const struct ieee80211_hdr *hdr,
 		      const u8 *data, size_t data_len, size_t *decrypted_len);