Commit | Line | Data |
---|---|---|
b453872c JG |
1 | /* |
2 | * Host AP crypt: host-based CCMP encryption implementation for Host AP driver | |
3 | * | |
4 | * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License version 2 as | |
8 | * published by the Free Software Foundation. See README and COPYING for | |
9 | * more details. | |
10 | */ | |
11 | ||
b453872c JG |
12 | #include <linux/module.h> |
13 | #include <linux/init.h> | |
14 | #include <linux/slab.h> | |
15 | #include <linux/random.h> | |
16 | #include <linux/skbuff.h> | |
17 | #include <linux/netdevice.h> | |
18 | #include <linux/if_ether.h> | |
19 | #include <linux/if_arp.h> | |
20 | #include <asm/string.h> | |
21 | #include <linux/wireless.h> | |
22 | ||
23 | #include <net/ieee80211.h> | |
24 | ||
b453872c JG |
25 | #include <linux/crypto.h> |
26 | #include <asm/scatterlist.h> | |
27 | ||
28 | MODULE_AUTHOR("Jouni Malinen"); | |
29 | MODULE_DESCRIPTION("Host AP crypt: CCMP"); | |
30 | MODULE_LICENSE("GPL"); | |
31 | ||
32 | #define AES_BLOCK_LEN 16 | |
33 | #define CCMP_HDR_LEN 8 | |
34 | #define CCMP_MIC_LEN 8 | |
35 | #define CCMP_TK_LEN 16 | |
36 | #define CCMP_PN_LEN 6 | |
37 | ||
38 | struct ieee80211_ccmp_data { | |
39 | u8 key[CCMP_TK_LEN]; | |
40 | int key_set; | |
41 | ||
42 | u8 tx_pn[CCMP_PN_LEN]; | |
43 | u8 rx_pn[CCMP_PN_LEN]; | |
44 | ||
45 | u32 dot11RSNAStatsCCMPFormatErrors; | |
46 | u32 dot11RSNAStatsCCMPReplays; | |
47 | u32 dot11RSNAStatsCCMPDecryptErrors; | |
48 | ||
49 | int key_idx; | |
50 | ||
51 | struct crypto_tfm *tfm; | |
52 | ||
53 | /* scratch buffers for virt_to_page() (crypto API) */ | |
54 | u8 tx_b0[AES_BLOCK_LEN], tx_b[AES_BLOCK_LEN], | |
0edd5b44 | 55 | tx_e[AES_BLOCK_LEN], tx_s0[AES_BLOCK_LEN]; |
b453872c JG |
56 | u8 rx_b0[AES_BLOCK_LEN], rx_b[AES_BLOCK_LEN], rx_a[AES_BLOCK_LEN]; |
57 | }; | |
58 | ||
e157249d AB |
59 | static void ieee80211_ccmp_aes_encrypt(struct crypto_tfm *tfm, |
60 | const u8 pt[16], u8 ct[16]) | |
b453872c JG |
61 | { |
62 | struct scatterlist src, dst; | |
63 | ||
64 | src.page = virt_to_page(pt); | |
65 | src.offset = offset_in_page(pt); | |
66 | src.length = AES_BLOCK_LEN; | |
67 | ||
68 | dst.page = virt_to_page(ct); | |
69 | dst.offset = offset_in_page(ct); | |
70 | dst.length = AES_BLOCK_LEN; | |
71 | ||
72 | crypto_cipher_encrypt(tfm, &dst, &src, AES_BLOCK_LEN); | |
73 | } | |
74 | ||
6eb6edf0 | 75 | static void *ieee80211_ccmp_init(int key_idx) |
b453872c JG |
76 | { |
77 | struct ieee80211_ccmp_data *priv; | |
78 | ||
79 | priv = kmalloc(sizeof(*priv), GFP_ATOMIC); | |
80 | if (priv == NULL) | |
81 | goto fail; | |
82 | memset(priv, 0, sizeof(*priv)); | |
83 | priv->key_idx = key_idx; | |
84 | ||
85 | priv->tfm = crypto_alloc_tfm("aes", 0); | |
86 | if (priv->tfm == NULL) { | |
87 | printk(KERN_DEBUG "ieee80211_crypt_ccmp: could not allocate " | |
88 | "crypto API aes\n"); | |
89 | goto fail; | |
90 | } | |
91 | ||
92 | return priv; | |
93 | ||
0edd5b44 | 94 | fail: |
b453872c JG |
95 | if (priv) { |
96 | if (priv->tfm) | |
97 | crypto_free_tfm(priv->tfm); | |
98 | kfree(priv); | |
99 | } | |
100 | ||
101 | return NULL; | |
102 | } | |
103 | ||
b453872c JG |
104 | static void ieee80211_ccmp_deinit(void *priv) |
105 | { | |
106 | struct ieee80211_ccmp_data *_priv = priv; | |
107 | if (_priv && _priv->tfm) | |
108 | crypto_free_tfm(_priv->tfm); | |
109 | kfree(priv); | |
110 | } | |
111 | ||
0edd5b44 | 112 | static inline void xor_block(u8 * b, u8 * a, size_t len) |
b453872c JG |
113 | { |
114 | int i; | |
115 | for (i = 0; i < len; i++) | |
116 | b[i] ^= a[i]; | |
117 | } | |
118 | ||
b453872c | 119 | static void ccmp_init_blocks(struct crypto_tfm *tfm, |
ee34af37 | 120 | struct ieee80211_hdr_4addr *hdr, |
0edd5b44 | 121 | u8 * pn, size_t dlen, u8 * b0, u8 * auth, u8 * s0) |
b453872c JG |
122 | { |
123 | u8 *pos, qc = 0; | |
124 | size_t aad_len; | |
125 | u16 fc; | |
126 | int a4_included, qc_included; | |
127 | u8 aad[2 * AES_BLOCK_LEN]; | |
128 | ||
129 | fc = le16_to_cpu(hdr->frame_ctl); | |
130 | a4_included = ((fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) == | |
131 | (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)); | |
132 | qc_included = ((WLAN_FC_GET_TYPE(fc) == IEEE80211_FTYPE_DATA) && | |
0df78612 | 133 | (WLAN_FC_GET_STYPE(fc) & IEEE80211_STYPE_QOS_DATA)); |
b453872c JG |
134 | aad_len = 22; |
135 | if (a4_included) | |
136 | aad_len += 6; | |
137 | if (qc_included) { | |
0edd5b44 | 138 | pos = (u8 *) & hdr->addr4; |
b453872c JG |
139 | if (a4_included) |
140 | pos += 6; | |
141 | qc = *pos & 0x0f; | |
142 | aad_len += 2; | |
143 | } | |
144 | ||
145 | /* CCM Initial Block: | |
146 | * Flag (Include authentication header, M=3 (8-octet MIC), | |
147 | * L=1 (2-octet Dlen)) | |
148 | * Nonce: 0x00 | A2 | PN | |
149 | * Dlen */ | |
150 | b0[0] = 0x59; | |
151 | b0[1] = qc; | |
152 | memcpy(b0 + 2, hdr->addr2, ETH_ALEN); | |
153 | memcpy(b0 + 8, pn, CCMP_PN_LEN); | |
154 | b0[14] = (dlen >> 8) & 0xff; | |
155 | b0[15] = dlen & 0xff; | |
156 | ||
157 | /* AAD: | |
158 | * FC with bits 4..6 and 11..13 masked to zero; 14 is always one | |
159 | * A1 | A2 | A3 | |
160 | * SC with bits 4..15 (seq#) masked to zero | |
161 | * A4 (if present) | |
162 | * QC (if present) | |
163 | */ | |
164 | pos = (u8 *) hdr; | |
0edd5b44 | 165 | aad[0] = 0; /* aad_len >> 8 */ |
b453872c JG |
166 | aad[1] = aad_len & 0xff; |
167 | aad[2] = pos[0] & 0x8f; | |
168 | aad[3] = pos[1] & 0xc7; | |
169 | memcpy(aad + 4, hdr->addr1, 3 * ETH_ALEN); | |
0edd5b44 | 170 | pos = (u8 *) & hdr->seq_ctl; |
b453872c | 171 | aad[22] = pos[0] & 0x0f; |
0edd5b44 | 172 | aad[23] = 0; /* all bits masked */ |
b453872c JG |
173 | memset(aad + 24, 0, 8); |
174 | if (a4_included) | |
175 | memcpy(aad + 24, hdr->addr4, ETH_ALEN); | |
176 | if (qc_included) { | |
177 | aad[a4_included ? 30 : 24] = qc; | |
178 | /* rest of QC masked */ | |
179 | } | |
180 | ||
181 | /* Start with the first block and AAD */ | |
182 | ieee80211_ccmp_aes_encrypt(tfm, b0, auth); | |
183 | xor_block(auth, aad, AES_BLOCK_LEN); | |
184 | ieee80211_ccmp_aes_encrypt(tfm, auth, auth); | |
185 | xor_block(auth, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN); | |
186 | ieee80211_ccmp_aes_encrypt(tfm, auth, auth); | |
187 | b0[0] &= 0x07; | |
188 | b0[14] = b0[15] = 0; | |
189 | ieee80211_ccmp_aes_encrypt(tfm, b0, s0); | |
190 | } | |
191 | ||
9184d934 ZY |
192 | static int ieee80211_ccmp_hdr(struct sk_buff *skb, int hdr_len, |
193 | u8 *aeskey, int keylen, void *priv) | |
b453872c JG |
194 | { |
195 | struct ieee80211_ccmp_data *key = priv; | |
31b59eae JK |
196 | int i; |
197 | u8 *pos; | |
b453872c | 198 | |
31b59eae | 199 | if (skb_headroom(skb) < CCMP_HDR_LEN || skb->len < hdr_len) |
b453872c JG |
200 | return -1; |
201 | ||
9184d934 ZY |
202 | if (aeskey != NULL && keylen >= CCMP_TK_LEN) |
203 | memcpy(aeskey, key->key, CCMP_TK_LEN); | |
204 | ||
b453872c JG |
205 | pos = skb_push(skb, CCMP_HDR_LEN); |
206 | memmove(pos, pos + CCMP_HDR_LEN, hdr_len); | |
207 | pos += hdr_len; | |
b453872c JG |
208 | |
209 | i = CCMP_PN_LEN - 1; | |
210 | while (i >= 0) { | |
211 | key->tx_pn[i]++; | |
212 | if (key->tx_pn[i] != 0) | |
213 | break; | |
214 | i--; | |
215 | } | |
216 | ||
217 | *pos++ = key->tx_pn[5]; | |
218 | *pos++ = key->tx_pn[4]; | |
219 | *pos++ = 0; | |
0edd5b44 | 220 | *pos++ = (key->key_idx << 6) | (1 << 5) /* Ext IV included */ ; |
b453872c JG |
221 | *pos++ = key->tx_pn[3]; |
222 | *pos++ = key->tx_pn[2]; | |
223 | *pos++ = key->tx_pn[1]; | |
224 | *pos++ = key->tx_pn[0]; | |
225 | ||
31b59eae JK |
226 | return CCMP_HDR_LEN; |
227 | } | |
228 | ||
229 | static int ieee80211_ccmp_encrypt(struct sk_buff *skb, int hdr_len, void *priv) | |
230 | { | |
231 | struct ieee80211_ccmp_data *key = priv; | |
232 | int data_len, i, blocks, last, len; | |
233 | u8 *pos, *mic; | |
234 | struct ieee80211_hdr_4addr *hdr; | |
235 | u8 *b0 = key->tx_b0; | |
236 | u8 *b = key->tx_b; | |
237 | u8 *e = key->tx_e; | |
238 | u8 *s0 = key->tx_s0; | |
239 | ||
240 | if (skb_tailroom(skb) < CCMP_MIC_LEN || skb->len < hdr_len) | |
241 | return -1; | |
242 | ||
243 | data_len = skb->len - hdr_len; | |
9184d934 | 244 | len = ieee80211_ccmp_hdr(skb, hdr_len, NULL, 0, priv); |
31b59eae JK |
245 | if (len < 0) |
246 | return -1; | |
247 | ||
248 | pos = skb->data + hdr_len + CCMP_HDR_LEN; | |
249 | mic = skb_put(skb, CCMP_MIC_LEN); | |
ee34af37 | 250 | hdr = (struct ieee80211_hdr_4addr *)skb->data; |
b453872c JG |
251 | ccmp_init_blocks(key->tfm, hdr, key->tx_pn, data_len, b0, b, s0); |
252 | ||
253 | blocks = (data_len + AES_BLOCK_LEN - 1) / AES_BLOCK_LEN; | |
254 | last = data_len % AES_BLOCK_LEN; | |
255 | ||
256 | for (i = 1; i <= blocks; i++) { | |
257 | len = (i == blocks && last) ? last : AES_BLOCK_LEN; | |
258 | /* Authentication */ | |
259 | xor_block(b, pos, len); | |
260 | ieee80211_ccmp_aes_encrypt(key->tfm, b, b); | |
261 | /* Encryption, with counter */ | |
262 | b0[14] = (i >> 8) & 0xff; | |
263 | b0[15] = i & 0xff; | |
264 | ieee80211_ccmp_aes_encrypt(key->tfm, b0, e); | |
265 | xor_block(pos, e, len); | |
266 | pos += len; | |
267 | } | |
268 | ||
269 | for (i = 0; i < CCMP_MIC_LEN; i++) | |
270 | mic[i] = b[i] ^ s0[i]; | |
271 | ||
272 | return 0; | |
273 | } | |
274 | ||
b453872c JG |
275 | static int ieee80211_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv) |
276 | { | |
277 | struct ieee80211_ccmp_data *key = priv; | |
278 | u8 keyidx, *pos; | |
ee34af37 | 279 | struct ieee80211_hdr_4addr *hdr; |
b453872c JG |
280 | u8 *b0 = key->rx_b0; |
281 | u8 *b = key->rx_b; | |
282 | u8 *a = key->rx_a; | |
283 | u8 pn[6]; | |
284 | int i, blocks, last, len; | |
285 | size_t data_len = skb->len - hdr_len - CCMP_HDR_LEN - CCMP_MIC_LEN; | |
286 | u8 *mic = skb->data + skb->len - CCMP_MIC_LEN; | |
287 | ||
288 | if (skb->len < hdr_len + CCMP_HDR_LEN + CCMP_MIC_LEN) { | |
289 | key->dot11RSNAStatsCCMPFormatErrors++; | |
290 | return -1; | |
291 | } | |
292 | ||
ee34af37 | 293 | hdr = (struct ieee80211_hdr_4addr *)skb->data; |
b453872c JG |
294 | pos = skb->data + hdr_len; |
295 | keyidx = pos[3]; | |
296 | if (!(keyidx & (1 << 5))) { | |
297 | if (net_ratelimit()) { | |
298 | printk(KERN_DEBUG "CCMP: received packet without ExtIV" | |
299 | " flag from " MAC_FMT "\n", MAC_ARG(hdr->addr2)); | |
300 | } | |
301 | key->dot11RSNAStatsCCMPFormatErrors++; | |
302 | return -2; | |
303 | } | |
304 | keyidx >>= 6; | |
305 | if (key->key_idx != keyidx) { | |
306 | printk(KERN_DEBUG "CCMP: RX tkey->key_idx=%d frame " | |
307 | "keyidx=%d priv=%p\n", key->key_idx, keyidx, priv); | |
308 | return -6; | |
309 | } | |
310 | if (!key->key_set) { | |
311 | if (net_ratelimit()) { | |
312 | printk(KERN_DEBUG "CCMP: received packet from " MAC_FMT | |
313 | " with keyid=%d that does not have a configured" | |
314 | " key\n", MAC_ARG(hdr->addr2), keyidx); | |
315 | } | |
316 | return -3; | |
317 | } | |
318 | ||
319 | pn[0] = pos[7]; | |
320 | pn[1] = pos[6]; | |
321 | pn[2] = pos[5]; | |
322 | pn[3] = pos[4]; | |
323 | pn[4] = pos[1]; | |
324 | pn[5] = pos[0]; | |
325 | pos += 8; | |
326 | ||
327 | if (memcmp(pn, key->rx_pn, CCMP_PN_LEN) <= 0) { | |
328 | if (net_ratelimit()) { | |
329 | printk(KERN_DEBUG "CCMP: replay detected: STA=" MAC_FMT | |
330 | " previous PN %02x%02x%02x%02x%02x%02x " | |
331 | "received PN %02x%02x%02x%02x%02x%02x\n", | |
332 | MAC_ARG(hdr->addr2), MAC_ARG(key->rx_pn), | |
333 | MAC_ARG(pn)); | |
334 | } | |
335 | key->dot11RSNAStatsCCMPReplays++; | |
336 | return -4; | |
337 | } | |
338 | ||
339 | ccmp_init_blocks(key->tfm, hdr, pn, data_len, b0, a, b); | |
340 | xor_block(mic, b, CCMP_MIC_LEN); | |
341 | ||
342 | blocks = (data_len + AES_BLOCK_LEN - 1) / AES_BLOCK_LEN; | |
343 | last = data_len % AES_BLOCK_LEN; | |
344 | ||
345 | for (i = 1; i <= blocks; i++) { | |
346 | len = (i == blocks && last) ? last : AES_BLOCK_LEN; | |
347 | /* Decrypt, with counter */ | |
348 | b0[14] = (i >> 8) & 0xff; | |
349 | b0[15] = i & 0xff; | |
350 | ieee80211_ccmp_aes_encrypt(key->tfm, b0, b); | |
351 | xor_block(pos, b, len); | |
352 | /* Authentication */ | |
353 | xor_block(a, pos, len); | |
354 | ieee80211_ccmp_aes_encrypt(key->tfm, a, a); | |
355 | pos += len; | |
356 | } | |
357 | ||
358 | if (memcmp(mic, a, CCMP_MIC_LEN) != 0) { | |
359 | if (net_ratelimit()) { | |
360 | printk(KERN_DEBUG "CCMP: decrypt failed: STA=" | |
361 | MAC_FMT "\n", MAC_ARG(hdr->addr2)); | |
362 | } | |
363 | key->dot11RSNAStatsCCMPDecryptErrors++; | |
364 | return -5; | |
365 | } | |
366 | ||
367 | memcpy(key->rx_pn, pn, CCMP_PN_LEN); | |
368 | ||
369 | /* Remove hdr and MIC */ | |
370 | memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len); | |
371 | skb_pull(skb, CCMP_HDR_LEN); | |
372 | skb_trim(skb, skb->len - CCMP_MIC_LEN); | |
373 | ||
374 | return keyidx; | |
375 | } | |
376 | ||
0edd5b44 | 377 | static int ieee80211_ccmp_set_key(void *key, int len, u8 * seq, void *priv) |
b453872c JG |
378 | { |
379 | struct ieee80211_ccmp_data *data = priv; | |
380 | int keyidx; | |
381 | struct crypto_tfm *tfm = data->tfm; | |
382 | ||
383 | keyidx = data->key_idx; | |
384 | memset(data, 0, sizeof(*data)); | |
385 | data->key_idx = keyidx; | |
386 | data->tfm = tfm; | |
387 | if (len == CCMP_TK_LEN) { | |
388 | memcpy(data->key, key, CCMP_TK_LEN); | |
389 | data->key_set = 1; | |
390 | if (seq) { | |
391 | data->rx_pn[0] = seq[5]; | |
392 | data->rx_pn[1] = seq[4]; | |
393 | data->rx_pn[2] = seq[3]; | |
394 | data->rx_pn[3] = seq[2]; | |
395 | data->rx_pn[4] = seq[1]; | |
396 | data->rx_pn[5] = seq[0]; | |
397 | } | |
398 | crypto_cipher_setkey(data->tfm, data->key, CCMP_TK_LEN); | |
399 | } else if (len == 0) | |
400 | data->key_set = 0; | |
401 | else | |
402 | return -1; | |
403 | ||
404 | return 0; | |
405 | } | |
406 | ||
0edd5b44 | 407 | static int ieee80211_ccmp_get_key(void *key, int len, u8 * seq, void *priv) |
b453872c JG |
408 | { |
409 | struct ieee80211_ccmp_data *data = priv; | |
410 | ||
411 | if (len < CCMP_TK_LEN) | |
412 | return -1; | |
413 | ||
414 | if (!data->key_set) | |
415 | return 0; | |
416 | memcpy(key, data->key, CCMP_TK_LEN); | |
417 | ||
418 | if (seq) { | |
419 | seq[0] = data->tx_pn[5]; | |
420 | seq[1] = data->tx_pn[4]; | |
421 | seq[2] = data->tx_pn[3]; | |
422 | seq[3] = data->tx_pn[2]; | |
423 | seq[4] = data->tx_pn[1]; | |
424 | seq[5] = data->tx_pn[0]; | |
425 | } | |
426 | ||
427 | return CCMP_TK_LEN; | |
428 | } | |
429 | ||
0edd5b44 | 430 | static char *ieee80211_ccmp_print_stats(char *p, void *priv) |
b453872c JG |
431 | { |
432 | struct ieee80211_ccmp_data *ccmp = priv; | |
433 | p += sprintf(p, "key[%d] alg=CCMP key_set=%d " | |
434 | "tx_pn=%02x%02x%02x%02x%02x%02x " | |
435 | "rx_pn=%02x%02x%02x%02x%02x%02x " | |
436 | "format_errors=%d replays=%d decrypt_errors=%d\n", | |
437 | ccmp->key_idx, ccmp->key_set, | |
438 | MAC_ARG(ccmp->tx_pn), MAC_ARG(ccmp->rx_pn), | |
439 | ccmp->dot11RSNAStatsCCMPFormatErrors, | |
440 | ccmp->dot11RSNAStatsCCMPReplays, | |
441 | ccmp->dot11RSNAStatsCCMPDecryptErrors); | |
442 | ||
443 | return p; | |
444 | } | |
445 | ||
b453872c | 446 | static struct ieee80211_crypto_ops ieee80211_crypt_ccmp = { |
74079fdc JK |
447 | .name = "CCMP", |
448 | .init = ieee80211_ccmp_init, | |
449 | .deinit = ieee80211_ccmp_deinit, | |
31b59eae | 450 | .build_iv = ieee80211_ccmp_hdr, |
74079fdc JK |
451 | .encrypt_mpdu = ieee80211_ccmp_encrypt, |
452 | .decrypt_mpdu = ieee80211_ccmp_decrypt, | |
453 | .encrypt_msdu = NULL, | |
454 | .decrypt_msdu = NULL, | |
455 | .set_key = ieee80211_ccmp_set_key, | |
456 | .get_key = ieee80211_ccmp_get_key, | |
457 | .print_stats = ieee80211_ccmp_print_stats, | |
1264fc04 JK |
458 | .extra_mpdu_prefix_len = CCMP_HDR_LEN, |
459 | .extra_mpdu_postfix_len = CCMP_MIC_LEN, | |
74079fdc | 460 | .owner = THIS_MODULE, |
b453872c JG |
461 | }; |
462 | ||
b453872c JG |
463 | static int __init ieee80211_crypto_ccmp_init(void) |
464 | { | |
465 | return ieee80211_register_crypto_ops(&ieee80211_crypt_ccmp); | |
466 | } | |
467 | ||
b453872c JG |
468 | static void __exit ieee80211_crypto_ccmp_exit(void) |
469 | { | |
470 | ieee80211_unregister_crypto_ops(&ieee80211_crypt_ccmp); | |
471 | } | |
472 | ||
b453872c JG |
473 | module_init(ieee80211_crypto_ccmp_init); |
474 | module_exit(ieee80211_crypto_ccmp_exit); |