1 // SPDX-License-Identifier: GPL-2.0 2 /* Host AP crypt: host-based CCMP encryption implementation for Host AP driver 3 * 4 * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> 5 */ 6 7 #include <linux/module.h> 8 #include <linux/init.h> 9 #include <linux/slab.h> 10 #include <linux/random.h> 11 #include <linux/skbuff.h> 12 #include <linux/netdevice.h> 13 #include <linux/if_ether.h> 14 #include <linux/if_arp.h> 15 #include <linux/string.h> 16 #include <linux/wireless.h> 17 #include "rtllib.h" 18 19 #include <linux/crypto.h> 20 21 #include <linux/scatterlist.h> 22 23 #define AES_BLOCK_LEN 16 24 #define CCMP_HDR_LEN 8 25 #define CCMP_MIC_LEN 8 26 #define CCMP_TK_LEN 16 27 #define CCMP_PN_LEN 6 28 29 struct rtllib_ccmp_data { 30 u8 key[CCMP_TK_LEN]; 31 int key_set; 32 33 u8 tx_pn[CCMP_PN_LEN]; 34 u8 rx_pn[CCMP_PN_LEN]; 35 36 u32 dot11RSNAStatsCCMPFormatErrors; 37 u32 dot11RSNAStatsCCMPReplays; 38 u32 dot11RSNAStatsCCMPDecryptErrors; 39 40 int key_idx; 41 42 struct crypto_tfm *tfm; 43 44 /* scratch buffers for virt_to_page() (crypto API) */ 45 u8 tx_b0[AES_BLOCK_LEN], tx_b[AES_BLOCK_LEN], 46 tx_e[AES_BLOCK_LEN], tx_s0[AES_BLOCK_LEN]; 47 u8 rx_b0[AES_BLOCK_LEN], rx_b[AES_BLOCK_LEN], rx_a[AES_BLOCK_LEN]; 48 }; 49 50 static void rtllib_ccmp_aes_encrypt(struct crypto_tfm *tfm, 51 const u8 pt[16], u8 ct[16]) 52 { 53 crypto_cipher_encrypt_one((void *)tfm, ct, pt); 54 } 55 56 static void *rtllib_ccmp_init(int key_idx) 57 { 58 struct rtllib_ccmp_data *priv; 59 60 priv = kzalloc(sizeof(*priv), GFP_ATOMIC); 61 if (priv == NULL) 62 goto fail; 63 priv->key_idx = key_idx; 64 65 priv->tfm = (void *)crypto_alloc_cipher("aes", 0, 0); 66 if (IS_ERR(priv->tfm)) { 67 pr_debug("Could not allocate crypto API aes\n"); 68 priv->tfm = NULL; 69 goto fail; 70 } 71 return priv; 72 73 fail: 74 if (priv) { 75 if (priv->tfm) 76 crypto_free_cipher((void *)priv->tfm); 77 kfree(priv); 78 } 79 80 return NULL; 81 } 82 83 84 static void rtllib_ccmp_deinit(void *priv) 85 { 86 struct rtllib_ccmp_data *_priv = priv; 87 88 if (_priv && _priv->tfm) 89 crypto_free_cipher((void *)_priv->tfm); 90 kfree(priv); 91 } 92 93 94 static inline void xor_block(u8 *b, u8 *a, size_t len) 95 { 96 int i; 97 98 for (i = 0; i < len; i++) 99 b[i] ^= a[i]; 100 } 101 102 103 104 static void ccmp_init_blocks(struct crypto_tfm *tfm, 105 struct rtllib_hdr_4addr *hdr, 106 u8 *pn, size_t dlen, u8 *b0, u8 *auth, 107 u8 *s0) 108 { 109 u8 *pos, qc = 0; 110 size_t aad_len; 111 u16 fc; 112 int a4_included, qc_included; 113 u8 aad[2 * AES_BLOCK_LEN]; 114 115 fc = le16_to_cpu(hdr->frame_ctl); 116 a4_included = ((fc & (RTLLIB_FCTL_TODS | RTLLIB_FCTL_FROMDS)) == 117 (RTLLIB_FCTL_TODS | RTLLIB_FCTL_FROMDS)); 118 119 qc_included = ((WLAN_FC_GET_TYPE(fc) == RTLLIB_FTYPE_DATA) && 120 (WLAN_FC_GET_STYPE(fc) & 0x80)); 121 aad_len = 22; 122 if (a4_included) 123 aad_len += 6; 124 if (qc_included) { 125 pos = (u8 *) &hdr->addr4; 126 if (a4_included) 127 pos += 6; 128 qc = *pos & 0x0f; 129 aad_len += 2; 130 } 131 /* CCM Initial Block: 132 * Flag (Include authentication header, M=3 (8-octet MIC), 133 * L=1 (2-octet Dlen)) 134 * Nonce: 0x00 | A2 | PN 135 * Dlen 136 */ 137 b0[0] = 0x59; 138 b0[1] = qc; 139 memcpy(b0 + 2, hdr->addr2, ETH_ALEN); 140 memcpy(b0 + 8, pn, CCMP_PN_LEN); 141 b0[14] = (dlen >> 8) & 0xff; 142 b0[15] = dlen & 0xff; 143 144 /* AAD: 145 * FC with bits 4..6 and 11..13 masked to zero; 14 is always one 146 * A1 | A2 | A3 147 * SC with bits 4..15 (seq#) masked to zero 148 * A4 (if present) 149 * QC (if present) 150 */ 151 pos = (u8 *) hdr; 152 aad[0] = 0; /* aad_len >> 8 */ 153 aad[1] = aad_len & 0xff; 154 aad[2] = pos[0] & 0x8f; 155 aad[3] = pos[1] & 0xc7; 156 memcpy(aad + 4, hdr->addr1, 3 * ETH_ALEN); 157 pos = (u8 *) &hdr->seq_ctl; 158 aad[22] = pos[0] & 0x0f; 159 aad[23] = 0; /* all bits masked */ 160 memset(aad + 24, 0, 8); 161 if (a4_included) 162 memcpy(aad + 24, hdr->addr4, ETH_ALEN); 163 if (qc_included) { 164 aad[a4_included ? 30 : 24] = qc; 165 /* rest of QC masked */ 166 } 167 168 /* Start with the first block and AAD */ 169 rtllib_ccmp_aes_encrypt(tfm, b0, auth); 170 xor_block(auth, aad, AES_BLOCK_LEN); 171 rtllib_ccmp_aes_encrypt(tfm, auth, auth); 172 xor_block(auth, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN); 173 rtllib_ccmp_aes_encrypt(tfm, auth, auth); 174 b0[0] &= 0x07; 175 b0[14] = b0[15] = 0; 176 rtllib_ccmp_aes_encrypt(tfm, b0, s0); 177 } 178 179 180 181 static int rtllib_ccmp_encrypt(struct sk_buff *skb, int hdr_len, void *priv) 182 { 183 struct rtllib_ccmp_data *key = priv; 184 int data_len, i; 185 u8 *pos; 186 struct rtllib_hdr_4addr *hdr; 187 struct cb_desc *tcb_desc = (struct cb_desc *)(skb->cb + 188 MAX_DEV_ADDR_SIZE); 189 if (skb_headroom(skb) < CCMP_HDR_LEN || 190 skb_tailroom(skb) < CCMP_MIC_LEN || 191 skb->len < hdr_len) 192 return -1; 193 194 data_len = skb->len - hdr_len; 195 pos = skb_push(skb, CCMP_HDR_LEN); 196 memmove(pos, pos + CCMP_HDR_LEN, hdr_len); 197 pos += hdr_len; 198 199 i = CCMP_PN_LEN - 1; 200 while (i >= 0) { 201 key->tx_pn[i]++; 202 if (key->tx_pn[i] != 0) 203 break; 204 i--; 205 } 206 207 *pos++ = key->tx_pn[5]; 208 *pos++ = key->tx_pn[4]; 209 *pos++ = 0; 210 *pos++ = (key->key_idx << 6) | (1 << 5) /* Ext IV included */; 211 *pos++ = key->tx_pn[3]; 212 *pos++ = key->tx_pn[2]; 213 *pos++ = key->tx_pn[1]; 214 *pos++ = key->tx_pn[0]; 215 216 217 hdr = (struct rtllib_hdr_4addr *) skb->data; 218 if (!tcb_desc->bHwSec) { 219 int blocks, last, len; 220 u8 *mic; 221 u8 *b0 = key->tx_b0; 222 u8 *b = key->tx_b; 223 u8 *e = key->tx_e; 224 u8 *s0 = key->tx_s0; 225 226 mic = skb_put(skb, CCMP_MIC_LEN); 227 228 ccmp_init_blocks(key->tfm, hdr, key->tx_pn, data_len, 229 b0, b, s0); 230 231 blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN); 232 last = data_len % AES_BLOCK_LEN; 233 234 for (i = 1; i <= blocks; i++) { 235 len = (i == blocks && last) ? last : AES_BLOCK_LEN; 236 /* Authentication */ 237 xor_block(b, pos, len); 238 rtllib_ccmp_aes_encrypt(key->tfm, b, b); 239 /* Encryption, with counter */ 240 b0[14] = (i >> 8) & 0xff; 241 b0[15] = i & 0xff; 242 rtllib_ccmp_aes_encrypt(key->tfm, b0, e); 243 xor_block(pos, e, len); 244 pos += len; 245 } 246 247 for (i = 0; i < CCMP_MIC_LEN; i++) 248 mic[i] = b[i] ^ s0[i]; 249 } 250 return 0; 251 } 252 253 254 static int rtllib_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv) 255 { 256 struct rtllib_ccmp_data *key = priv; 257 u8 keyidx, *pos; 258 struct rtllib_hdr_4addr *hdr; 259 struct cb_desc *tcb_desc = (struct cb_desc *)(skb->cb + 260 MAX_DEV_ADDR_SIZE); 261 u8 pn[6]; 262 263 if (skb->len < hdr_len + CCMP_HDR_LEN + CCMP_MIC_LEN) { 264 key->dot11RSNAStatsCCMPFormatErrors++; 265 return -1; 266 } 267 268 hdr = (struct rtllib_hdr_4addr *) skb->data; 269 pos = skb->data + hdr_len; 270 keyidx = pos[3]; 271 if (!(keyidx & (1 << 5))) { 272 if (net_ratelimit()) { 273 pr_debug("CCMP: received packet without ExtIV flag from %pM\n", 274 hdr->addr2); 275 } 276 key->dot11RSNAStatsCCMPFormatErrors++; 277 return -2; 278 } 279 keyidx >>= 6; 280 if (key->key_idx != keyidx) { 281 pr_debug("CCMP: RX tkey->key_idx=%d frame keyidx=%d priv=%p\n", 282 key->key_idx, keyidx, priv); 283 return -6; 284 } 285 if (!key->key_set) { 286 if (net_ratelimit()) { 287 pr_debug("CCMP: received packet from %pM with keyid=%d that does not have a configured key\n", 288 hdr->addr2, keyidx); 289 } 290 return -3; 291 } 292 293 pn[0] = pos[7]; 294 pn[1] = pos[6]; 295 pn[2] = pos[5]; 296 pn[3] = pos[4]; 297 pn[4] = pos[1]; 298 pn[5] = pos[0]; 299 pos += 8; 300 if (memcmp(pn, key->rx_pn, CCMP_PN_LEN) <= 0) { 301 key->dot11RSNAStatsCCMPReplays++; 302 return -4; 303 } 304 if (!tcb_desc->bHwSec) { 305 size_t data_len = skb->len - hdr_len - CCMP_HDR_LEN - 306 CCMP_MIC_LEN; 307 u8 *mic = skb->data + skb->len - CCMP_MIC_LEN; 308 u8 *b0 = key->rx_b0; 309 u8 *b = key->rx_b; 310 u8 *a = key->rx_a; 311 int i, blocks, last, len; 312 313 314 ccmp_init_blocks(key->tfm, hdr, pn, data_len, b0, a, b); 315 xor_block(mic, b, CCMP_MIC_LEN); 316 317 blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN); 318 last = data_len % AES_BLOCK_LEN; 319 320 for (i = 1; i <= blocks; i++) { 321 len = (i == blocks && last) ? last : AES_BLOCK_LEN; 322 /* Decrypt, with counter */ 323 b0[14] = (i >> 8) & 0xff; 324 b0[15] = i & 0xff; 325 rtllib_ccmp_aes_encrypt(key->tfm, b0, b); 326 xor_block(pos, b, len); 327 /* Authentication */ 328 xor_block(a, pos, len); 329 rtllib_ccmp_aes_encrypt(key->tfm, a, a); 330 pos += len; 331 } 332 333 if (memcmp(mic, a, CCMP_MIC_LEN) != 0) { 334 if (net_ratelimit()) { 335 pr_debug("CCMP: decrypt failed: STA= %pM\n", 336 hdr->addr2); 337 } 338 key->dot11RSNAStatsCCMPDecryptErrors++; 339 return -5; 340 } 341 342 memcpy(key->rx_pn, pn, CCMP_PN_LEN); 343 } 344 /* Remove hdr and MIC */ 345 memmove(skb->data + CCMP_HDR_LEN, skb->data, hdr_len); 346 skb_pull(skb, CCMP_HDR_LEN); 347 skb_trim(skb, skb->len - CCMP_MIC_LEN); 348 349 return keyidx; 350 } 351 352 353 static int rtllib_ccmp_set_key(void *key, int len, u8 *seq, void *priv) 354 { 355 struct rtllib_ccmp_data *data = priv; 356 int keyidx; 357 struct crypto_tfm *tfm = data->tfm; 358 359 keyidx = data->key_idx; 360 memset(data, 0, sizeof(*data)); 361 data->key_idx = keyidx; 362 data->tfm = tfm; 363 if (len == CCMP_TK_LEN) { 364 memcpy(data->key, key, CCMP_TK_LEN); 365 data->key_set = 1; 366 if (seq) { 367 data->rx_pn[0] = seq[5]; 368 data->rx_pn[1] = seq[4]; 369 data->rx_pn[2] = seq[3]; 370 data->rx_pn[3] = seq[2]; 371 data->rx_pn[4] = seq[1]; 372 data->rx_pn[5] = seq[0]; 373 } 374 crypto_cipher_setkey((void *)data->tfm, data->key, CCMP_TK_LEN); 375 } else if (len == 0) { 376 data->key_set = 0; 377 } else { 378 return -1; 379 } 380 381 return 0; 382 } 383 384 385 static int rtllib_ccmp_get_key(void *key, int len, u8 *seq, void *priv) 386 { 387 struct rtllib_ccmp_data *data = priv; 388 389 if (len < CCMP_TK_LEN) 390 return -1; 391 392 if (!data->key_set) 393 return 0; 394 memcpy(key, data->key, CCMP_TK_LEN); 395 396 if (seq) { 397 seq[0] = data->tx_pn[5]; 398 seq[1] = data->tx_pn[4]; 399 seq[2] = data->tx_pn[3]; 400 seq[3] = data->tx_pn[2]; 401 seq[4] = data->tx_pn[1]; 402 seq[5] = data->tx_pn[0]; 403 } 404 405 return CCMP_TK_LEN; 406 } 407 408 409 static void rtllib_ccmp_print_stats(struct seq_file *m, void *priv) 410 { 411 struct rtllib_ccmp_data *ccmp = priv; 412 413 seq_printf(m, 414 "key[%d] alg=CCMP key_set=%d tx_pn=%pM rx_pn=%pM format_errors=%d replays=%d decrypt_errors=%d\n", 415 ccmp->key_idx, ccmp->key_set, 416 ccmp->tx_pn, ccmp->rx_pn, 417 ccmp->dot11RSNAStatsCCMPFormatErrors, 418 ccmp->dot11RSNAStatsCCMPReplays, 419 ccmp->dot11RSNAStatsCCMPDecryptErrors); 420 } 421 422 static struct lib80211_crypto_ops rtllib_crypt_ccmp = { 423 .name = "R-CCMP", 424 .init = rtllib_ccmp_init, 425 .deinit = rtllib_ccmp_deinit, 426 .encrypt_mpdu = rtllib_ccmp_encrypt, 427 .decrypt_mpdu = rtllib_ccmp_decrypt, 428 .encrypt_msdu = NULL, 429 .decrypt_msdu = NULL, 430 .set_key = rtllib_ccmp_set_key, 431 .get_key = rtllib_ccmp_get_key, 432 .print_stats = rtllib_ccmp_print_stats, 433 .extra_mpdu_prefix_len = CCMP_HDR_LEN, 434 .extra_mpdu_postfix_len = CCMP_MIC_LEN, 435 .owner = THIS_MODULE, 436 }; 437 438 439 static int __init rtllib_crypto_ccmp_init(void) 440 { 441 return lib80211_register_crypto_ops(&rtllib_crypt_ccmp); 442 } 443 444 445 static void __exit rtllib_crypto_ccmp_exit(void) 446 { 447 lib80211_unregister_crypto_ops(&rtllib_crypt_ccmp); 448 } 449 450 module_init(rtllib_crypto_ccmp_init); 451 module_exit(rtllib_crypto_ccmp_exit); 452 453 MODULE_LICENSE("GPL"); 454