]>
Commit | Line | Data |
---|---|---|
b453872c JG |
1 | /* |
2 | * Host AP crypt: host-based CCMP encryption implementation for Host AP driver | |
3 | * | |
4 | * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. See README and COPYING for | |
9 | * more details. | |
10 | */ | |
11 | ||
b453872c JG |
12 | #include <linux/module.h> |
13 | #include <linux/init.h> | |
14 | #include <linux/slab.h> | |
15 | #include <linux/random.h> | |
16 | #include <linux/skbuff.h> | |
17 | #include <linux/netdevice.h> | |
18 | #include <linux/if_ether.h> | |
19 | #include <linux/if_arp.h> | |
20 | #include <asm/string.h> | |
21 | #include <linux/wireless.h> | |
22 | ||
23 | #include <net/ieee80211.h> | |
24 | ||
b453872c JG |
25 | #include <linux/crypto.h> |
26 | #include <asm/scatterlist.h> | |
27 | ||
28 | MODULE_AUTHOR("Jouni Malinen"); | |
29 | MODULE_DESCRIPTION("Host AP crypt: CCMP"); | |
30 | MODULE_LICENSE("GPL"); | |
31 | ||
32 | #define AES_BLOCK_LEN 16 | |
33 | #define CCMP_HDR_LEN 8 | |
34 | #define CCMP_MIC_LEN 8 | |
35 | #define CCMP_TK_LEN 16 | |
36 | #define CCMP_PN_LEN 6 | |
37 | ||
38 | struct ieee80211_ccmp_data { | |
39 | u8 key[CCMP_TK_LEN]; | |
40 | int key_set; | |
41 | ||
42 | u8 tx_pn[CCMP_PN_LEN]; | |
43 | u8 rx_pn[CCMP_PN_LEN]; | |
44 | ||
45 | u32 dot11RSNAStatsCCMPFormatErrors; | |
46 | u32 dot11RSNAStatsCCMPReplays; | |
47 | u32 dot11RSNAStatsCCMPDecryptErrors; | |
48 | ||
49 | int key_idx; | |
50 | ||
51 | struct crypto_tfm *tfm; | |
52 | ||
53 | /* scratch buffers for virt_to_page() (crypto API) */ | |
54 | u8 tx_b0[AES_BLOCK_LEN], tx_b[AES_BLOCK_LEN], | |
0edd5b44 | 55 | tx_e[AES_BLOCK_LEN], tx_s0[AES_BLOCK_LEN]; |
b453872c JG |
56 | u8 rx_b0[AES_BLOCK_LEN], rx_b[AES_BLOCK_LEN], rx_a[AES_BLOCK_LEN]; |
57 | }; | |
58 | ||
e157249d AB |
59 | static void ieee80211_ccmp_aes_encrypt(struct crypto_tfm *tfm, |
60 | const u8 pt[16], u8 ct[16]) | |
b453872c JG |
61 | { |
62 | struct scatterlist src, dst; | |
63 | ||
64 | src.page = virt_to_page(pt); | |
65 | src.offset = offset_in_page(pt); | |
66 | src.length = AES_BLOCK_LEN; | |
67 | ||
68 | dst.page = virt_to_page(ct); | |
69 | dst.offset = offset_in_page(ct); | |
70 | dst.length = AES_BLOCK_LEN; | |
71 | ||
72 | crypto_cipher_encrypt(tfm, &dst, &src, AES_BLOCK_LEN); | |
73 | } | |
74 | ||
6eb6edf0 | 75 | static void *ieee80211_ccmp_init(int key_idx) |
b453872c JG |
76 | { |
77 | struct ieee80211_ccmp_data *priv; | |
78 | ||
0da974f4 | 79 | priv = kzalloc(sizeof(*priv), GFP_ATOMIC); |
b453872c JG |
80 | if (priv == NULL) |
81 | goto fail; | |
b453872c JG |
82 | priv->key_idx = key_idx; |
83 | ||
84 | priv->tfm = crypto_alloc_tfm("aes", 0); | |
85 | if (priv->tfm == NULL) { | |
86 | printk(KERN_DEBUG "ieee80211_crypt_ccmp: could not allocate " | |
87 | "crypto API aes\n"); | |
88 | goto fail; | |
89 | } | |
90 | ||
91 | return priv; | |
92 | ||
0edd5b44 | 93 | fail: |
b453872c JG |
94 | if (priv) { |
95 | if (priv->tfm) | |
96 | crypto_free_tfm(priv->tfm); | |
97 | kfree(priv); | |
98 | } | |
99 | ||
100 | return NULL; | |
101 | } | |
102 | ||
b453872c JG |
103 | static void ieee80211_ccmp_deinit(void *priv) |
104 | { | |
105 | struct ieee80211_ccmp_data *_priv = priv; | |
106 | if (_priv && _priv->tfm) | |
107 | crypto_free_tfm(_priv->tfm); | |
108 | kfree(priv); | |
109 | } | |
110 | ||
0edd5b44 | 111 | static inline void xor_block(u8 * b, u8 * a, size_t len) |
b453872c JG |
112 | { |
113 | int i; | |
114 | for (i = 0; i < len; i++) | |
115 | b[i] ^= a[i]; | |
116 | } | |
117 | ||
b453872c | 118 | static void ccmp_init_blocks(struct crypto_tfm *tfm, |
ee34af37 | 119 | struct ieee80211_hdr_4addr *hdr, |
0edd5b44 | 120 | u8 * pn, size_t dlen, u8 * b0, u8 * auth, u8 * s0) |
b453872c JG |
121 | { |
122 | u8 *pos, qc = 0; | |
123 | size_t aad_len; | |
124 | u16 fc; | |
125 | int a4_included, qc_included; | |
126 | u8 aad[2 * AES_BLOCK_LEN]; | |
127 | ||
128 | fc = le16_to_cpu(hdr->frame_ctl); | |
129 | a4_included = ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == | |
130 | (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)); | |
131 | qc_included = ((WLAN_FC_GET_TYPE(fc) == IEEE80211_FTYPE_DATA) && | |
0df78612 | 132 | (WLAN_FC_GET_STYPE(fc) & IEEE80211_STYPE_QOS_DATA)); |
b453872c JG |
133 | aad_len = 22; |
134 | if (a4_included) | |
135 | aad_len += 6; | |
136 | if (qc_included) { | |
0edd5b44 | 137 | pos = (u8 *) & hdr->addr4; |
b453872c JG |
138 | if (a4_included) |
139 | pos += 6; | |
140 | qc = *pos & 0x0f; | |
141 | aad_len += 2; | |
142 | } | |
143 | ||
144 | /* CCM Initial Block: | |
145 | * Flag (Include authentication header, M=3 (8-octet MIC), | |
146 | * L=1 (2-octet Dlen)) | |
147 | * Nonce: 0x00 | A2 | PN | |
148 | * Dlen */ | |
149 | b0[0] = 0x59; | |
150 | b0[1] = qc; | |
151 | memcpy(b0 + 2, hdr->addr2, ETH_ALEN); | |
152 | memcpy(b0 + 8, pn, CCMP_PN_LEN); | |
153 | b0[14] = (dlen >> 8) & 0xff; | |
154 | b0[15] = dlen & 0xff; | |
155 | ||
156 | /* AAD: | |
157 | * FC with bits 4..6 and 11..13 masked to zero; 14 is always one | |
158 | * A1 | A2 | A3 | |
159 | * SC with bits 4..15 (seq#) masked to zero | |
160 | * A4 (if present) | |
161 | * QC (if present) | |
162 | */ | |
163 | pos = (u8 *) hdr; | |
0edd5b44 | 164 | aad[0] = 0; /* aad_len >> 8 */ |
b453872c JG |
165 | aad[1] = aad_len & 0xff; |
166 | aad[2] = pos[0] & 0x8f; | |
167 | aad[3] = pos[1] & 0xc7; | |
168 | memcpy(aad + 4, hdr->addr1, 3 * ETH_ALEN); | |
0edd5b44 | 169 | pos = (u8 *) & hdr->seq_ctl; |
b453872c | 170 | aad[22] = pos[0] & 0x0f; |
0edd5b44 | 171 | aad[23] = 0; /* all bits masked */ |
b453872c JG |
172 | memset(aad + 24, 0, 8); |
173 | if (a4_included) | |
174 | memcpy(aad + 24, hdr->addr4, ETH_ALEN); | |
175 | if (qc_included) { | |
176 | aad[a4_included ? 30 : 24] = qc; | |
177 | /* rest of QC masked */ | |
178 | } | |
179 | ||
180 | /* Start with the first block and AAD */ | |
181 | ieee80211_ccmp_aes_encrypt(tfm, b0, auth); | |
182 | xor_block(auth, aad, AES_BLOCK_LEN); | |
183 | ieee80211_ccmp_aes_encrypt(tfm, auth, auth); | |
184 | xor_block(auth, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN); | |
185 | ieee80211_ccmp_aes_encrypt(tfm, auth, auth); | |
186 | b0[0] &= 0x07; | |
187 | b0[14] = b0[15] = 0; | |
188 | ieee80211_ccmp_aes_encrypt(tfm, b0, s0); | |
189 | } | |
190 | ||
9184d934 ZY |
191 | static int ieee80211_ccmp_hdr(struct sk_buff *skb, int hdr_len, |
192 | u8 *aeskey, int keylen, void *priv) | |
b453872c JG |
193 | { |
194 | struct ieee80211_ccmp_data *key = priv; | |
31b59eae JK |
195 | int i; |
196 | u8 *pos; | |
b453872c | 197 | |
31b59eae | 198 | if (skb_headroom(skb) < CCMP_HDR_LEN || skb->len < hdr_len) |
b453872c JG |
199 | return -1; |
200 | ||
9184d934 ZY |
201 | if (aeskey != NULL && keylen >= CCMP_TK_LEN) |
202 | memcpy(aeskey, key->key, CCMP_TK_LEN); | |
203 | ||
b453872c JG |
204 | pos = skb_push(skb, CCMP_HDR_LEN); |
205 | memmove(pos, pos + CCMP_HDR_LEN, hdr_len); | |
206 | pos += hdr_len; | |
b453872c JG |
207 | |
208 | i = CCMP_PN_LEN - 1; | |
209 | while (i >= 0) { | |
210 | key->tx_pn[i]++; | |
211 | if (key->tx_pn[i] != 0) | |
212 | break; | |
213 | i--; | |
214 | } | |
215 | ||
216 | *pos++ = key->tx_pn[5]; | |
217 | *pos++ = key->tx_pn[4]; | |
218 | *pos++ = 0; | |
0edd5b44 | 219 | *pos++ = (key->key_idx << 6) | (1 << 5) /* Ext IV included */ ; |
b453872c JG |
220 | *pos++ = key->tx_pn[3]; |
221 | *pos++ = key->tx_pn[2]; | |
222 | *pos++ = key->tx_pn[1]; | |
223 | *pos++ = key->tx_pn[0]; | |
224 | ||
31b59eae JK |
225 | return CCMP_HDR_LEN; |
226 | } | |
227 | ||
228 | static int ieee80211_ccmp_encrypt(struct sk_buff *skb, int hdr_len, void *priv) | |
229 | { | |
230 | struct ieee80211_ccmp_data *key = priv; | |
231 | int data_len, i, blocks, last, len; | |
232 | u8 *pos, *mic; | |
233 | struct ieee80211_hdr_4addr *hdr; | |
234 | u8 *b0 = key->tx_b0; | |
235 | u8 *b = key->tx_b; | |
236 | u8 *e = key->tx_e; | |
237 | u8 *s0 = key->tx_s0; | |
238 | ||
239 | if (skb_tailroom(skb) < CCMP_MIC_LEN || skb->len < hdr_len) | |
240 | return -1; | |
241 | ||
242 | data_len = skb->len - hdr_len; | |
9184d934 | 243 | len = ieee80211_ccmp_hdr(skb, hdr_len, NULL, 0, priv); |
31b59eae JK |
244 | if (len < 0) |
245 | return -1; | |
246 | ||
247 | pos = skb->data + hdr_len + CCMP_HDR_LEN; | |
248 | mic = skb_put(skb, CCMP_MIC_LEN); | |
ee34af37 | 249 | hdr = (struct ieee80211_hdr_4addr *)skb->data; |
b453872c JG |
250 | ccmp_init_blocks(key->tfm, hdr, key->tx_pn, data_len, b0, b, s0); |
251 | ||
252 | blocks = (data_len + AES_BLOCK_LEN - 1) / AES_BLOCK_LEN; | |
253 | last = data_len % AES_BLOCK_LEN; | |
254 | ||
255 | for (i = 1; i <= blocks; i++) { | |
256 | len = (i == blocks && last) ? last : AES_BLOCK_LEN; | |
257 | /* Authentication */ | |
258 | xor_block(b, pos, len); | |
259 | ieee80211_ccmp_aes_encrypt(key->tfm, b, b); | |
260 | /* Encryption, with counter */ | |
261 | b0[14] = (i >> 8) & 0xff; | |
262 | b0[15] = i & 0xff; | |
263 | ieee80211_ccmp_aes_encrypt(key->tfm, b0, e); | |
264 | xor_block(pos, e, len); | |
265 | pos += len; | |
266 | } | |
267 | ||
268 | for (i = 0; i < CCMP_MIC_LEN; i++) | |
269 | mic[i] = b[i] ^ s0[i]; | |
270 | ||
271 | return 0; | |
272 | } | |
273 | ||
b453872c JG |
274 | static int ieee80211_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv) |
275 | { | |
276 | struct ieee80211_ccmp_data *key = priv; | |
277 | u8 keyidx, *pos; | |
ee34af37 | 278 | struct ieee80211_hdr_4addr *hdr; |
b453872c JG |
279 | u8 *b0 = key->rx_b0; |
280 | u8 *b = key->rx_b; | |
281 | u8 *a = key->rx_a; | |
282 | u8 pn[6]; | |
283 | int i, blocks, last, len; | |
284 | size_t data_len = skb->len - hdr_len - CCMP_HDR_LEN - CCMP_MIC_LEN; | |
285 | u8 *mic = skb->data + skb->len - CCMP_MIC_LEN; | |
286 | ||
287 | if (skb->len < hdr_len + CCMP_HDR_LEN + CCMP_MIC_LEN) { | |
288 | key->dot11RSNAStatsCCMPFormatErrors++; | |
289 | return -1; | |
290 | } | |
291 | ||
ee34af37 | 292 | hdr = (struct ieee80211_hdr_4addr *)skb->data; |
b453872c JG |
293 | pos = skb->data + hdr_len; |
294 | keyidx = pos[3]; | |
295 | if (!(keyidx & (1 << 5))) { | |
296 | if (net_ratelimit()) { | |
297 | printk(KERN_DEBUG "CCMP: received packet without ExtIV" | |
298 | " flag from " MAC_FMT "\n", MAC_ARG(hdr->addr2)); | |
299 | } | |
300 | key->dot11RSNAStatsCCMPFormatErrors++; | |
301 | return -2; | |
302 | } | |
303 | keyidx >>= 6; | |
304 | if (key->key_idx != keyidx) { | |
305 | printk(KERN_DEBUG "CCMP: RX tkey->key_idx=%d frame " | |
306 | "keyidx=%d priv=%p\n", key->key_idx, keyidx, priv); | |
307 | return -6; | |
308 | } | |
309 | if (!key->key_set) { | |
310 | if (net_ratelimit()) { | |
311 | printk(KERN_DEBUG "CCMP: received packet from " MAC_FMT | |
312 | " with keyid=%d that does not have a configured" | |
313 | " key\n", MAC_ARG(hdr->addr2), keyidx); | |
314 | } | |
315 | return -3; | |
316 | } | |
317 | ||
318 | pn[0] = pos[7]; | |
319 | pn[1] = pos[6]; | |
320 | pn[2] = pos[5]; | |
321 | pn[3] = pos[4]; | |
322 | pn[4] = pos[1]; | |
323 | pn[5] = pos[0]; | |
324 | pos += 8; | |
325 | ||
326 | if (memcmp(pn, key->rx_pn, CCMP_PN_LEN) <= 0) { | |
327 | if (net_ratelimit()) { | |
328 | printk(KERN_DEBUG "CCMP: replay detected: STA=" MAC_FMT | |
329 | " previous PN %02x%02x%02x%02x%02x%02x " | |
330 | "received PN %02x%02x%02x%02x%02x%02x\n", | |
331 | MAC_ARG(hdr->addr2), MAC_ARG(key->rx_pn), | |
332 | MAC_ARG(pn)); | |
333 | } | |
334 | key->dot11RSNAStatsCCMPReplays++; | |
335 | return -4; | |
336 | } | |
337 | ||
338 | ccmp_init_blocks(key->tfm, hdr, pn, data_len, b0, a, b); | |
339 | xor_block(mic, b, CCMP_MIC_LEN); | |
340 | ||
341 | blocks = (data_len + AES_BLOCK_LEN - 1) / AES_BLOCK_LEN; | |
342 | last = data_len % AES_BLOCK_LEN; | |
343 | ||
344 | for (i = 1; i <= blocks; i++) { | |
345 | len = (i == blocks && last) ? last : AES_BLOCK_LEN; | |
346 | /* Decrypt, with counter */ | |
347 | b0[14] = (i >> 8) & 0xff; | |
348 | b0[15] = i & 0xff; | |
349 | ieee80211_ccmp_aes_encrypt(key->tfm, b0, b); | |
350 | xor_block(pos, b, len); | |
351 | /* Authentication */ | |
352 | xor_block(a, pos, len); | |
353 | ieee80211_ccmp_aes_encrypt(key->tfm, a, a); | |
354 | pos += len; | |
355 | } | |
356 | ||
357 | if (memcmp(mic, a, CCMP_MIC_LEN) != 0) { | |
358 | if (net_ratelimit()) { | |
359 | printk(KERN_DEBUG "CCMP: decrypt failed: STA=" | |
360 | MAC_FMT "\n", MAC_ARG(hdr->addr2)); | |
361 | } | |
362 | key->dot11RSNAStatsCCMPDecryptErrors++; | |
363 | return -5; | |
364 | } | |
365 | ||
366 | memcpy(key->rx_pn, pn, CCMP_PN_LEN); | |
367 | ||
368 | /* Remove hdr and MIC */ | |
369 | memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len); | |
370 | skb_pull(skb, CCMP_HDR_LEN); | |
371 | skb_trim(skb, skb->len - CCMP_MIC_LEN); | |
372 | ||
373 | return keyidx; | |
374 | } | |
375 | ||
0edd5b44 | 376 | static int ieee80211_ccmp_set_key(void *key, int len, u8 * seq, void *priv) |
b453872c JG |
377 | { |
378 | struct ieee80211_ccmp_data *data = priv; | |
379 | int keyidx; | |
380 | struct crypto_tfm *tfm = data->tfm; | |
381 | ||
382 | keyidx = data->key_idx; | |
383 | memset(data, 0, sizeof(*data)); | |
384 | data->key_idx = keyidx; | |
385 | data->tfm = tfm; | |
386 | if (len == CCMP_TK_LEN) { | |
387 | memcpy(data->key, key, CCMP_TK_LEN); | |
388 | data->key_set = 1; | |
389 | if (seq) { | |
390 | data->rx_pn[0] = seq[5]; | |
391 | data->rx_pn[1] = seq[4]; | |
392 | data->rx_pn[2] = seq[3]; | |
393 | data->rx_pn[3] = seq[2]; | |
394 | data->rx_pn[4] = seq[1]; | |
395 | data->rx_pn[5] = seq[0]; | |
396 | } | |
397 | crypto_cipher_setkey(data->tfm, data->key, CCMP_TK_LEN); | |
398 | } else if (len == 0) | |
399 | data->key_set = 0; | |
400 | else | |
401 | return -1; | |
402 | ||
403 | return 0; | |
404 | } | |
405 | ||
0edd5b44 | 406 | static int ieee80211_ccmp_get_key(void *key, int len, u8 * seq, void *priv) |
b453872c JG |
407 | { |
408 | struct ieee80211_ccmp_data *data = priv; | |
409 | ||
410 | if (len < CCMP_TK_LEN) | |
411 | return -1; | |
412 | ||
413 | if (!data->key_set) | |
414 | return 0; | |
415 | memcpy(key, data->key, CCMP_TK_LEN); | |
416 | ||
417 | if (seq) { | |
418 | seq[0] = data->tx_pn[5]; | |
419 | seq[1] = data->tx_pn[4]; | |
420 | seq[2] = data->tx_pn[3]; | |
421 | seq[3] = data->tx_pn[2]; | |
422 | seq[4] = data->tx_pn[1]; | |
423 | seq[5] = data->tx_pn[0]; | |
424 | } | |
425 | ||
426 | return CCMP_TK_LEN; | |
427 | } | |
428 | ||
0edd5b44 | 429 | static char *ieee80211_ccmp_print_stats(char *p, void *priv) |
b453872c JG |
430 | { |
431 | struct ieee80211_ccmp_data *ccmp = priv; | |
432 | p += sprintf(p, "key[%d] alg=CCMP key_set=%d " | |
433 | "tx_pn=%02x%02x%02x%02x%02x%02x " | |
434 | "rx_pn=%02x%02x%02x%02x%02x%02x " | |
435 | "format_errors=%d replays=%d decrypt_errors=%d\n", | |
436 | ccmp->key_idx, ccmp->key_set, | |
437 | MAC_ARG(ccmp->tx_pn), MAC_ARG(ccmp->rx_pn), | |
438 | ccmp->dot11RSNAStatsCCMPFormatErrors, | |
439 | ccmp->dot11RSNAStatsCCMPReplays, | |
440 | ccmp->dot11RSNAStatsCCMPDecryptErrors); | |
441 | ||
442 | return p; | |
443 | } | |
444 | ||
b453872c | 445 | static struct ieee80211_crypto_ops ieee80211_crypt_ccmp = { |
74079fdc JK |
446 | .name = "CCMP", |
447 | .init = ieee80211_ccmp_init, | |
448 | .deinit = ieee80211_ccmp_deinit, | |
31b59eae | 449 | .build_iv = ieee80211_ccmp_hdr, |
74079fdc JK |
450 | .encrypt_mpdu = ieee80211_ccmp_encrypt, |
451 | .decrypt_mpdu = ieee80211_ccmp_decrypt, | |
452 | .encrypt_msdu = NULL, | |
453 | .decrypt_msdu = NULL, | |
454 | .set_key = ieee80211_ccmp_set_key, | |
455 | .get_key = ieee80211_ccmp_get_key, | |
456 | .print_stats = ieee80211_ccmp_print_stats, | |
1264fc04 JK |
457 | .extra_mpdu_prefix_len = CCMP_HDR_LEN, |
458 | .extra_mpdu_postfix_len = CCMP_MIC_LEN, | |
74079fdc | 459 | .owner = THIS_MODULE, |
b453872c JG |
460 | }; |
461 | ||
b453872c JG |
462 | static int __init ieee80211_crypto_ccmp_init(void) |
463 | { | |
464 | return ieee80211_register_crypto_ops(&ieee80211_crypt_ccmp); | |
465 | } | |
466 | ||
b453872c JG |
467 | static void __exit ieee80211_crypto_ccmp_exit(void) |
468 | { | |
469 | ieee80211_unregister_crypto_ops(&ieee80211_crypt_ccmp); | |
470 | } | |
471 | ||
b453872c JG |
472 | module_init(ieee80211_crypto_ccmp_init); |
473 | module_exit(ieee80211_crypto_ccmp_exit); |