1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * lib80211 crypt: host-based CCMP encryption implementation for lib80211 |
4 | * |
5 | * Copyright (c) 2003-2004, Jouni Malinen <j@w1.fi> |
6 | * Copyright (c) 2008, John W. Linville <linville@tuxdriver.com> |
7 | */ |
8 | |
9 | #include <linux/kernel.h> |
10 | #include <linux/err.h> |
11 | #include <linux/module.h> |
12 | #include <linux/init.h> |
13 | #include <linux/slab.h> |
14 | #include <linux/random.h> |
15 | #include <linux/skbuff.h> |
16 | #include <linux/netdevice.h> |
17 | #include <linux/if_ether.h> |
18 | #include <linux/if_arp.h> |
19 | #include <asm/string.h> |
20 | #include <linux/wireless.h> |
21 | |
22 | #include <linux/ieee80211.h> |
23 | |
24 | #include <linux/crypto.h> |
25 | #include <crypto/aead.h> |
26 | |
27 | #include <net/lib80211.h> |
28 | |
29 | MODULE_AUTHOR("Jouni Malinen" ); |
30 | MODULE_DESCRIPTION("Host AP crypt: CCMP" ); |
31 | MODULE_LICENSE("GPL" ); |
32 | |
33 | #define AES_BLOCK_LEN 16 |
34 | #define CCMP_HDR_LEN 8 |
35 | #define CCMP_MIC_LEN 8 |
36 | #define CCMP_TK_LEN 16 |
37 | #define CCMP_PN_LEN 6 |
38 | |
39 | struct lib80211_ccmp_data { |
40 | u8 key[CCMP_TK_LEN]; |
41 | int key_set; |
42 | |
43 | u8 tx_pn[CCMP_PN_LEN]; |
44 | u8 rx_pn[CCMP_PN_LEN]; |
45 | |
46 | u32 dot11RSNAStatsCCMPFormatErrors; |
47 | u32 dot11RSNAStatsCCMPReplays; |
48 | u32 dot11RSNAStatsCCMPDecryptErrors; |
49 | |
50 | int key_idx; |
51 | |
52 | struct crypto_aead *tfm; |
53 | |
54 | /* scratch buffers for virt_to_page() (crypto API) */ |
55 | u8 tx_aad[2 * AES_BLOCK_LEN]; |
56 | u8 rx_aad[2 * AES_BLOCK_LEN]; |
57 | }; |
58 | |
59 | static void *lib80211_ccmp_init(int key_idx) |
60 | { |
61 | struct lib80211_ccmp_data *priv; |
62 | |
63 | priv = kzalloc(size: sizeof(*priv), GFP_ATOMIC); |
64 | if (priv == NULL) |
65 | goto fail; |
66 | priv->key_idx = key_idx; |
67 | |
68 | priv->tfm = crypto_alloc_aead(alg_name: "ccm(aes)" , type: 0, CRYPTO_ALG_ASYNC); |
69 | if (IS_ERR(ptr: priv->tfm)) { |
70 | priv->tfm = NULL; |
71 | goto fail; |
72 | } |
73 | |
74 | return priv; |
75 | |
76 | fail: |
77 | if (priv) { |
78 | if (priv->tfm) |
79 | crypto_free_aead(tfm: priv->tfm); |
80 | kfree(objp: priv); |
81 | } |
82 | |
83 | return NULL; |
84 | } |
85 | |
86 | static void lib80211_ccmp_deinit(void *priv) |
87 | { |
88 | struct lib80211_ccmp_data *_priv = priv; |
89 | if (_priv && _priv->tfm) |
90 | crypto_free_aead(tfm: _priv->tfm); |
91 | kfree(objp: priv); |
92 | } |
93 | |
94 | static int ccmp_init_iv_and_aad(const struct ieee80211_hdr *hdr, |
95 | const u8 *pn, u8 *iv, u8 *aad) |
96 | { |
97 | u8 *pos, qc = 0; |
98 | size_t aad_len; |
99 | int a4_included, qc_included; |
100 | |
101 | a4_included = ieee80211_has_a4(fc: hdr->frame_control); |
102 | qc_included = ieee80211_is_data_qos(fc: hdr->frame_control); |
103 | |
104 | aad_len = 22; |
105 | if (a4_included) |
106 | aad_len += 6; |
107 | if (qc_included) { |
108 | pos = (u8 *) & hdr->addr4; |
109 | if (a4_included) |
110 | pos += 6; |
111 | qc = *pos & 0x0f; |
112 | aad_len += 2; |
113 | } |
114 | |
115 | /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC |
116 | * mode authentication are not allowed to collide, yet both are derived |
117 | * from the same vector. We only set L := 1 here to indicate that the |
118 | * data size can be represented in (L+1) bytes. The CCM layer will take |
119 | * care of storing the data length in the top (L+1) bytes and setting |
120 | * and clearing the other bits as is required to derive the two IVs. |
121 | */ |
122 | iv[0] = 0x1; |
123 | |
124 | /* Nonce: QC | A2 | PN */ |
125 | iv[1] = qc; |
126 | memcpy(iv + 2, hdr->addr2, ETH_ALEN); |
127 | memcpy(iv + 8, pn, CCMP_PN_LEN); |
128 | |
129 | /* AAD: |
130 | * FC with bits 4..6 and 11..13 masked to zero; 14 is always one |
131 | * A1 | A2 | A3 |
132 | * SC with bits 4..15 (seq#) masked to zero |
133 | * A4 (if present) |
134 | * QC (if present) |
135 | */ |
136 | pos = (u8 *) hdr; |
137 | aad[0] = pos[0] & 0x8f; |
138 | aad[1] = pos[1] & 0xc7; |
139 | memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN); |
140 | pos = (u8 *) & hdr->seq_ctrl; |
141 | aad[20] = pos[0] & 0x0f; |
142 | aad[21] = 0; /* all bits masked */ |
143 | memset(aad + 22, 0, 8); |
144 | if (a4_included) |
145 | memcpy(aad + 22, hdr->addr4, ETH_ALEN); |
146 | if (qc_included) { |
147 | aad[a4_included ? 28 : 22] = qc; |
148 | /* rest of QC masked */ |
149 | } |
150 | return aad_len; |
151 | } |
152 | |
153 | static int lib80211_ccmp_hdr(struct sk_buff *skb, int hdr_len, |
154 | u8 *aeskey, int keylen, void *priv) |
155 | { |
156 | struct lib80211_ccmp_data *key = priv; |
157 | int i; |
158 | u8 *pos; |
159 | |
160 | if (skb_headroom(skb) < CCMP_HDR_LEN || skb->len < hdr_len) |
161 | return -1; |
162 | |
163 | if (aeskey != NULL && keylen >= CCMP_TK_LEN) |
164 | memcpy(aeskey, key->key, CCMP_TK_LEN); |
165 | |
166 | pos = skb_push(skb, CCMP_HDR_LEN); |
167 | memmove(pos, pos + CCMP_HDR_LEN, hdr_len); |
168 | pos += hdr_len; |
169 | |
170 | i = CCMP_PN_LEN - 1; |
171 | while (i >= 0) { |
172 | key->tx_pn[i]++; |
173 | if (key->tx_pn[i] != 0) |
174 | break; |
175 | i--; |
176 | } |
177 | |
178 | *pos++ = key->tx_pn[5]; |
179 | *pos++ = key->tx_pn[4]; |
180 | *pos++ = 0; |
181 | *pos++ = (key->key_idx << 6) | (1 << 5) /* Ext IV included */ ; |
182 | *pos++ = key->tx_pn[3]; |
183 | *pos++ = key->tx_pn[2]; |
184 | *pos++ = key->tx_pn[1]; |
185 | *pos++ = key->tx_pn[0]; |
186 | |
187 | return CCMP_HDR_LEN; |
188 | } |
189 | |
190 | static int lib80211_ccmp_encrypt(struct sk_buff *skb, int hdr_len, void *priv) |
191 | { |
192 | struct lib80211_ccmp_data *key = priv; |
193 | struct ieee80211_hdr *hdr; |
194 | struct aead_request *req; |
195 | struct scatterlist sg[2]; |
196 | u8 *aad = key->tx_aad; |
197 | u8 iv[AES_BLOCK_LEN]; |
198 | int len, data_len, aad_len; |
199 | int ret; |
200 | |
201 | if (skb_tailroom(skb) < CCMP_MIC_LEN || skb->len < hdr_len) |
202 | return -1; |
203 | |
204 | data_len = skb->len - hdr_len; |
205 | len = lib80211_ccmp_hdr(skb, hdr_len, NULL, keylen: 0, priv); |
206 | if (len < 0) |
207 | return -1; |
208 | |
209 | req = aead_request_alloc(tfm: key->tfm, GFP_ATOMIC); |
210 | if (!req) |
211 | return -ENOMEM; |
212 | |
213 | hdr = (struct ieee80211_hdr *)skb->data; |
214 | aad_len = ccmp_init_iv_and_aad(hdr, pn: key->tx_pn, iv, aad); |
215 | |
216 | skb_put(skb, CCMP_MIC_LEN); |
217 | |
218 | sg_init_table(sg, 2); |
219 | sg_set_buf(sg: &sg[0], buf: aad, buflen: aad_len); |
220 | sg_set_buf(sg: &sg[1], buf: skb->data + hdr_len + CCMP_HDR_LEN, |
221 | buflen: data_len + CCMP_MIC_LEN); |
222 | |
223 | aead_request_set_callback(req, flags: 0, NULL, NULL); |
224 | aead_request_set_ad(req, assoclen: aad_len); |
225 | aead_request_set_crypt(req, src: sg, dst: sg, cryptlen: data_len, iv); |
226 | |
227 | ret = crypto_aead_encrypt(req); |
228 | aead_request_free(req); |
229 | |
230 | return ret; |
231 | } |
232 | |
233 | /* |
234 | * deal with seq counter wrapping correctly. |
235 | * refer to timer_after() for jiffies wrapping handling |
236 | */ |
237 | static inline int ccmp_replay_check(u8 *pn_n, u8 *pn_o) |
238 | { |
239 | u32 iv32_n, iv16_n; |
240 | u32 iv32_o, iv16_o; |
241 | |
242 | iv32_n = (pn_n[0] << 24) | (pn_n[1] << 16) | (pn_n[2] << 8) | pn_n[3]; |
243 | iv16_n = (pn_n[4] << 8) | pn_n[5]; |
244 | |
245 | iv32_o = (pn_o[0] << 24) | (pn_o[1] << 16) | (pn_o[2] << 8) | pn_o[3]; |
246 | iv16_o = (pn_o[4] << 8) | pn_o[5]; |
247 | |
248 | if ((s32)iv32_n - (s32)iv32_o < 0 || |
249 | (iv32_n == iv32_o && iv16_n <= iv16_o)) |
250 | return 1; |
251 | return 0; |
252 | } |
253 | |
254 | static int lib80211_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv) |
255 | { |
256 | struct lib80211_ccmp_data *key = priv; |
257 | u8 keyidx, *pos; |
258 | struct ieee80211_hdr *hdr; |
259 | struct aead_request *req; |
260 | struct scatterlist sg[2]; |
261 | u8 *aad = key->rx_aad; |
262 | u8 iv[AES_BLOCK_LEN]; |
263 | u8 pn[6]; |
264 | int aad_len, ret; |
265 | size_t data_len = skb->len - hdr_len - CCMP_HDR_LEN; |
266 | |
267 | if (skb->len < hdr_len + CCMP_HDR_LEN + CCMP_MIC_LEN) { |
268 | key->dot11RSNAStatsCCMPFormatErrors++; |
269 | return -1; |
270 | } |
271 | |
272 | hdr = (struct ieee80211_hdr *)skb->data; |
273 | pos = skb->data + hdr_len; |
274 | keyidx = pos[3]; |
275 | if (!(keyidx & (1 << 5))) { |
276 | net_dbg_ratelimited("CCMP: received packet without ExtIV flag from %pM\n" , |
277 | hdr->addr2); |
278 | key->dot11RSNAStatsCCMPFormatErrors++; |
279 | return -2; |
280 | } |
281 | keyidx >>= 6; |
282 | if (key->key_idx != keyidx) { |
283 | net_dbg_ratelimited("CCMP: RX tkey->key_idx=%d frame keyidx=%d\n" , |
284 | key->key_idx, keyidx); |
285 | return -6; |
286 | } |
287 | if (!key->key_set) { |
288 | net_dbg_ratelimited("CCMP: received packet from %pM with keyid=%d that does not have a configured key\n" , |
289 | hdr->addr2, keyidx); |
290 | return -3; |
291 | } |
292 | |
293 | pn[0] = pos[7]; |
294 | pn[1] = pos[6]; |
295 | pn[2] = pos[5]; |
296 | pn[3] = pos[4]; |
297 | pn[4] = pos[1]; |
298 | pn[5] = pos[0]; |
299 | pos += 8; |
300 | |
301 | if (ccmp_replay_check(pn_n: pn, pn_o: key->rx_pn)) { |
302 | #ifdef CONFIG_LIB80211_DEBUG |
303 | net_dbg_ratelimited("CCMP: replay detected: STA=%pM previous PN %02x%02x%02x%02x%02x%02x received PN %02x%02x%02x%02x%02x%02x\n" , |
304 | hdr->addr2, |
305 | key->rx_pn[0], key->rx_pn[1], key->rx_pn[2], |
306 | key->rx_pn[3], key->rx_pn[4], key->rx_pn[5], |
307 | pn[0], pn[1], pn[2], pn[3], pn[4], pn[5]); |
308 | #endif |
309 | key->dot11RSNAStatsCCMPReplays++; |
310 | return -4; |
311 | } |
312 | |
313 | req = aead_request_alloc(tfm: key->tfm, GFP_ATOMIC); |
314 | if (!req) |
315 | return -ENOMEM; |
316 | |
317 | aad_len = ccmp_init_iv_and_aad(hdr, pn, iv, aad); |
318 | |
319 | sg_init_table(sg, 2); |
320 | sg_set_buf(sg: &sg[0], buf: aad, buflen: aad_len); |
321 | sg_set_buf(sg: &sg[1], buf: pos, buflen: data_len); |
322 | |
323 | aead_request_set_callback(req, flags: 0, NULL, NULL); |
324 | aead_request_set_ad(req, assoclen: aad_len); |
325 | aead_request_set_crypt(req, src: sg, dst: sg, cryptlen: data_len, iv); |
326 | |
327 | ret = crypto_aead_decrypt(req); |
328 | aead_request_free(req); |
329 | |
330 | if (ret) { |
331 | net_dbg_ratelimited("CCMP: decrypt failed: STA=%pM (%d)\n" , |
332 | hdr->addr2, ret); |
333 | key->dot11RSNAStatsCCMPDecryptErrors++; |
334 | return -5; |
335 | } |
336 | |
337 | memcpy(key->rx_pn, pn, CCMP_PN_LEN); |
338 | |
339 | /* Remove hdr and MIC */ |
340 | memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len); |
341 | skb_pull(skb, CCMP_HDR_LEN); |
342 | skb_trim(skb, len: skb->len - CCMP_MIC_LEN); |
343 | |
344 | return keyidx; |
345 | } |
346 | |
347 | static int lib80211_ccmp_set_key(void *key, int len, u8 * seq, void *priv) |
348 | { |
349 | struct lib80211_ccmp_data *data = priv; |
350 | int keyidx; |
351 | struct crypto_aead *tfm = data->tfm; |
352 | |
353 | keyidx = data->key_idx; |
354 | memset(data, 0, sizeof(*data)); |
355 | data->key_idx = keyidx; |
356 | data->tfm = tfm; |
357 | if (len == CCMP_TK_LEN) { |
358 | memcpy(data->key, key, CCMP_TK_LEN); |
359 | data->key_set = 1; |
360 | if (seq) { |
361 | data->rx_pn[0] = seq[5]; |
362 | data->rx_pn[1] = seq[4]; |
363 | data->rx_pn[2] = seq[3]; |
364 | data->rx_pn[3] = seq[2]; |
365 | data->rx_pn[4] = seq[1]; |
366 | data->rx_pn[5] = seq[0]; |
367 | } |
368 | if (crypto_aead_setauthsize(tfm: data->tfm, CCMP_MIC_LEN) || |
369 | crypto_aead_setkey(tfm: data->tfm, key: data->key, CCMP_TK_LEN)) |
370 | return -1; |
371 | } else if (len == 0) |
372 | data->key_set = 0; |
373 | else |
374 | return -1; |
375 | |
376 | return 0; |
377 | } |
378 | |
379 | static int lib80211_ccmp_get_key(void *key, int len, u8 * seq, void *priv) |
380 | { |
381 | struct lib80211_ccmp_data *data = priv; |
382 | |
383 | if (len < CCMP_TK_LEN) |
384 | return -1; |
385 | |
386 | if (!data->key_set) |
387 | return 0; |
388 | memcpy(key, data->key, CCMP_TK_LEN); |
389 | |
390 | if (seq) { |
391 | seq[0] = data->tx_pn[5]; |
392 | seq[1] = data->tx_pn[4]; |
393 | seq[2] = data->tx_pn[3]; |
394 | seq[3] = data->tx_pn[2]; |
395 | seq[4] = data->tx_pn[1]; |
396 | seq[5] = data->tx_pn[0]; |
397 | } |
398 | |
399 | return CCMP_TK_LEN; |
400 | } |
401 | |
402 | static void lib80211_ccmp_print_stats(struct seq_file *m, void *priv) |
403 | { |
404 | struct lib80211_ccmp_data *ccmp = priv; |
405 | |
406 | seq_printf(m, |
407 | fmt: "key[%d] alg=CCMP key_set=%d " |
408 | "tx_pn=%02x%02x%02x%02x%02x%02x " |
409 | "rx_pn=%02x%02x%02x%02x%02x%02x " |
410 | "format_errors=%d replays=%d decrypt_errors=%d\n" , |
411 | ccmp->key_idx, ccmp->key_set, |
412 | ccmp->tx_pn[0], ccmp->tx_pn[1], ccmp->tx_pn[2], |
413 | ccmp->tx_pn[3], ccmp->tx_pn[4], ccmp->tx_pn[5], |
414 | ccmp->rx_pn[0], ccmp->rx_pn[1], ccmp->rx_pn[2], |
415 | ccmp->rx_pn[3], ccmp->rx_pn[4], ccmp->rx_pn[5], |
416 | ccmp->dot11RSNAStatsCCMPFormatErrors, |
417 | ccmp->dot11RSNAStatsCCMPReplays, |
418 | ccmp->dot11RSNAStatsCCMPDecryptErrors); |
419 | } |
420 | |
421 | static struct lib80211_crypto_ops lib80211_crypt_ccmp = { |
422 | .name = "CCMP" , |
423 | .init = lib80211_ccmp_init, |
424 | .deinit = lib80211_ccmp_deinit, |
425 | .encrypt_mpdu = lib80211_ccmp_encrypt, |
426 | .decrypt_mpdu = lib80211_ccmp_decrypt, |
427 | .encrypt_msdu = NULL, |
428 | .decrypt_msdu = NULL, |
429 | .set_key = lib80211_ccmp_set_key, |
430 | .get_key = lib80211_ccmp_get_key, |
431 | .print_stats = lib80211_ccmp_print_stats, |
432 | .extra_mpdu_prefix_len = CCMP_HDR_LEN, |
433 | .extra_mpdu_postfix_len = CCMP_MIC_LEN, |
434 | .owner = THIS_MODULE, |
435 | }; |
436 | |
437 | static int __init lib80211_crypto_ccmp_init(void) |
438 | { |
439 | return lib80211_register_crypto_ops(ops: &lib80211_crypt_ccmp); |
440 | } |
441 | |
442 | static void __exit lib80211_crypto_ccmp_exit(void) |
443 | { |
444 | lib80211_unregister_crypto_ops(ops: &lib80211_crypt_ccmp); |
445 | } |
446 | |
447 | module_init(lib80211_crypto_ccmp_init); |
448 | module_exit(lib80211_crypto_ccmp_exit); |
449 | |