1 /* 2 * Copyright 2002-2004, Instant802 Networks, Inc. 3 * Copyright 2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 */ 9 10 #include <linux/netdevice.h> 11 #include <linux/types.h> 12 #include <linux/skbuff.h> 13 #include <linux/compiler.h> 14 #include <linux/ieee80211.h> 15 #include <linux/gfp.h> 16 #include <asm/unaligned.h> 17 #include <net/mac80211.h> 18 19 #include "ieee80211_i.h" 20 #include "michael.h" 21 #include "tkip.h" 22 #include "aes_ccm.h" 23 #include "aes_cmac.h" 24 #include "wpa.h" 25 26 ieee80211_tx_result 27 ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx) 28 { 29 u8 *data, *key, *mic, key_offset; 30 size_t data_len; 31 unsigned int hdrlen; 32 struct ieee80211_hdr *hdr; 33 struct sk_buff *skb = tx->skb; 34 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 35 int authenticator; 36 int tail; 37 38 hdr = (struct ieee80211_hdr *)skb->data; 39 if (!tx->key || tx->key->conf.alg != ALG_TKIP || skb->len < 24 || 40 !ieee80211_is_data_present(hdr->frame_control)) 41 return TX_CONTINUE; 42 43 hdrlen = ieee80211_hdrlen(hdr->frame_control); 44 if (skb->len < hdrlen) 45 return TX_DROP; 46 47 data = skb->data + hdrlen; 48 data_len = skb->len - hdrlen; 49 50 if (info->control.hw_key && 51 !(tx->flags & IEEE80211_TX_FRAGMENTED) && 52 !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) { 53 /* hwaccel - with no need for SW-generated MMIC */ 54 return TX_CONTINUE; 55 } 56 57 tail = MICHAEL_MIC_LEN; 58 if (!info->control.hw_key) 59 tail += TKIP_ICV_LEN; 60 61 if (WARN_ON(skb_tailroom(skb) < tail || 62 skb_headroom(skb) < TKIP_IV_LEN)) 63 return TX_DROP; 64 65 #if 0 66 authenticator = fc & IEEE80211_FCTL_FROMDS; /* FIX */ 67 #else 68 authenticator = 1; 69 #endif 70 key_offset = authenticator ? 71 NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY : 72 NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY; 73 key = &tx->key->conf.key[key_offset]; 74 mic = skb_put(skb, MICHAEL_MIC_LEN); 75 michael_mic(key, hdr, data, data_len, mic); 76 77 return TX_CONTINUE; 78 } 79 80 81 ieee80211_rx_result 82 ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) 83 { 84 u8 *data, *key = NULL, key_offset; 85 size_t data_len; 86 unsigned int hdrlen; 87 u8 mic[MICHAEL_MIC_LEN]; 88 struct sk_buff *skb = rx->skb; 89 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 90 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 91 int authenticator = 1, wpa_test = 0; 92 93 /* No way to verify the MIC if the hardware stripped it */ 94 if (status->flag & RX_FLAG_MMIC_STRIPPED) 95 return RX_CONTINUE; 96 97 if (!rx->key || rx->key->conf.alg != ALG_TKIP || 98 !ieee80211_has_protected(hdr->frame_control) || 99 !ieee80211_is_data_present(hdr->frame_control)) 100 return RX_CONTINUE; 101 102 hdrlen = ieee80211_hdrlen(hdr->frame_control); 103 if (skb->len < hdrlen + MICHAEL_MIC_LEN) 104 return RX_DROP_UNUSABLE; 105 106 data = skb->data + hdrlen; 107 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN; 108 109 #if 0 110 authenticator = fc & IEEE80211_FCTL_TODS; /* FIX */ 111 #else 112 authenticator = 1; 113 #endif 114 key_offset = authenticator ? 115 NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY : 116 NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY; 117 key = &rx->key->conf.key[key_offset]; 118 michael_mic(key, hdr, data, data_len, mic); 119 if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0 || wpa_test) { 120 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 121 return RX_DROP_UNUSABLE; 122 123 mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx, 124 (void *) skb->data, NULL, 125 GFP_ATOMIC); 126 return RX_DROP_UNUSABLE; 127 } 128 129 /* remove Michael MIC from payload */ 130 skb_trim(skb, skb->len - MICHAEL_MIC_LEN); 131 132 /* update IV in key information to be able to detect replays */ 133 rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32; 134 rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16; 135 136 return RX_CONTINUE; 137 } 138 139 140 static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 141 { 142 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 143 struct ieee80211_key *key = tx->key; 144 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 145 unsigned int hdrlen; 146 int len, tail; 147 u8 *pos; 148 149 if (info->control.hw_key && 150 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV)) { 151 /* hwaccel - with no need for software-generated IV */ 152 return 0; 153 } 154 155 hdrlen = ieee80211_hdrlen(hdr->frame_control); 156 len = skb->len - hdrlen; 157 158 if (info->control.hw_key) 159 tail = 0; 160 else 161 tail = TKIP_ICV_LEN; 162 163 if (WARN_ON(skb_tailroom(skb) < tail || 164 skb_headroom(skb) < TKIP_IV_LEN)) 165 return -1; 166 167 pos = skb_push(skb, TKIP_IV_LEN); 168 memmove(pos, pos + TKIP_IV_LEN, hdrlen); 169 pos += hdrlen; 170 171 /* Increase IV for the frame */ 172 key->u.tkip.tx.iv16++; 173 if (key->u.tkip.tx.iv16 == 0) 174 key->u.tkip.tx.iv32++; 175 176 pos = ieee80211_tkip_add_iv(pos, key, key->u.tkip.tx.iv16); 177 178 /* hwaccel - with software IV */ 179 if (info->control.hw_key) 180 return 0; 181 182 /* Add room for ICV */ 183 skb_put(skb, TKIP_ICV_LEN); 184 185 hdr = (struct ieee80211_hdr *) skb->data; 186 ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm, 187 key, pos, len, hdr->addr2); 188 return 0; 189 } 190 191 192 ieee80211_tx_result 193 ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx) 194 { 195 struct sk_buff *skb = tx->skb; 196 197 ieee80211_tx_set_protected(tx); 198 199 do { 200 if (tkip_encrypt_skb(tx, skb) < 0) 201 return TX_DROP; 202 } while ((skb = skb->next)); 203 204 return TX_CONTINUE; 205 } 206 207 208 ieee80211_rx_result 209 ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) 210 { 211 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 212 int hdrlen, res, hwaccel = 0, wpa_test = 0; 213 struct ieee80211_key *key = rx->key; 214 struct sk_buff *skb = rx->skb; 215 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 216 217 hdrlen = ieee80211_hdrlen(hdr->frame_control); 218 219 if (!ieee80211_is_data(hdr->frame_control)) 220 return RX_CONTINUE; 221 222 if (!rx->sta || skb->len - hdrlen < 12) 223 return RX_DROP_UNUSABLE; 224 225 if (status->flag & RX_FLAG_DECRYPTED) { 226 if (status->flag & RX_FLAG_IV_STRIPPED) { 227 /* 228 * Hardware took care of all processing, including 229 * replay protection, and stripped the ICV/IV so 230 * we cannot do any checks here. 231 */ 232 return RX_CONTINUE; 233 } 234 235 /* let TKIP code verify IV, but skip decryption */ 236 hwaccel = 1; 237 } 238 239 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, 240 key, skb->data + hdrlen, 241 skb->len - hdrlen, rx->sta->sta.addr, 242 hdr->addr1, hwaccel, rx->queue, 243 &rx->tkip_iv32, 244 &rx->tkip_iv16); 245 if (res != TKIP_DECRYPT_OK || wpa_test) 246 return RX_DROP_UNUSABLE; 247 248 /* Trim ICV */ 249 skb_trim(skb, skb->len - TKIP_ICV_LEN); 250 251 /* Remove IV */ 252 memmove(skb->data + TKIP_IV_LEN, skb->data, hdrlen); 253 skb_pull(skb, TKIP_IV_LEN); 254 255 return RX_CONTINUE; 256 } 257 258 259 static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *scratch, 260 int encrypted) 261 { 262 __le16 mask_fc; 263 int a4_included, mgmt; 264 u8 qos_tid; 265 u8 *b_0, *aad; 266 u16 data_len, len_a; 267 unsigned int hdrlen; 268 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 269 270 b_0 = scratch + 3 * AES_BLOCK_LEN; 271 aad = scratch + 4 * AES_BLOCK_LEN; 272 273 /* 274 * Mask FC: zero subtype b4 b5 b6 (if not mgmt) 275 * Retry, PwrMgt, MoreData; set Protected 276 */ 277 mgmt = ieee80211_is_mgmt(hdr->frame_control); 278 mask_fc = hdr->frame_control; 279 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | 280 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA); 281 if (!mgmt) 282 mask_fc &= ~cpu_to_le16(0x0070); 283 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED); 284 285 hdrlen = ieee80211_hdrlen(hdr->frame_control); 286 len_a = hdrlen - 2; 287 a4_included = ieee80211_has_a4(hdr->frame_control); 288 289 if (ieee80211_is_data_qos(hdr->frame_control)) 290 qos_tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 291 else 292 qos_tid = 0; 293 294 data_len = skb->len - hdrlen - CCMP_HDR_LEN; 295 if (encrypted) 296 data_len -= CCMP_MIC_LEN; 297 298 /* First block, b_0 */ 299 b_0[0] = 0x59; /* flags: Adata: 1, M: 011, L: 001 */ 300 /* Nonce: Nonce Flags | A2 | PN 301 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7) 302 */ 303 b_0[1] = qos_tid | (mgmt << 4); 304 memcpy(&b_0[2], hdr->addr2, ETH_ALEN); 305 memcpy(&b_0[8], pn, CCMP_PN_LEN); 306 /* l(m) */ 307 put_unaligned_be16(data_len, &b_0[14]); 308 309 /* AAD (extra authenticate-only data) / masked 802.11 header 310 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */ 311 put_unaligned_be16(len_a, &aad[0]); 312 put_unaligned(mask_fc, (__le16 *)&aad[2]); 313 memcpy(&aad[4], &hdr->addr1, 3 * ETH_ALEN); 314 315 /* Mask Seq#, leave Frag# */ 316 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f; 317 aad[23] = 0; 318 319 if (a4_included) { 320 memcpy(&aad[24], hdr->addr4, ETH_ALEN); 321 aad[30] = qos_tid; 322 aad[31] = 0; 323 } else { 324 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN); 325 aad[24] = qos_tid; 326 } 327 } 328 329 330 static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id) 331 { 332 hdr[0] = pn[5]; 333 hdr[1] = pn[4]; 334 hdr[2] = 0; 335 hdr[3] = 0x20 | (key_id << 6); 336 hdr[4] = pn[3]; 337 hdr[5] = pn[2]; 338 hdr[6] = pn[1]; 339 hdr[7] = pn[0]; 340 } 341 342 343 static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr) 344 { 345 pn[0] = hdr[7]; 346 pn[1] = hdr[6]; 347 pn[2] = hdr[5]; 348 pn[3] = hdr[4]; 349 pn[4] = hdr[1]; 350 pn[5] = hdr[0]; 351 } 352 353 354 static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 355 { 356 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 357 struct ieee80211_key *key = tx->key; 358 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 359 int hdrlen, len, tail; 360 u8 *pos, *pn; 361 int i; 362 363 if (info->control.hw_key && 364 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV)) { 365 /* 366 * hwaccel has no need for preallocated room for CCMP 367 * header or MIC fields 368 */ 369 return 0; 370 } 371 372 hdrlen = ieee80211_hdrlen(hdr->frame_control); 373 len = skb->len - hdrlen; 374 375 if (info->control.hw_key) 376 tail = 0; 377 else 378 tail = CCMP_MIC_LEN; 379 380 if (WARN_ON(skb_tailroom(skb) < tail || 381 skb_headroom(skb) < CCMP_HDR_LEN)) 382 return -1; 383 384 pos = skb_push(skb, CCMP_HDR_LEN); 385 memmove(pos, pos + CCMP_HDR_LEN, hdrlen); 386 hdr = (struct ieee80211_hdr *) pos; 387 pos += hdrlen; 388 389 /* PN = PN + 1 */ 390 pn = key->u.ccmp.tx_pn; 391 392 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 393 pn[i]++; 394 if (pn[i]) 395 break; 396 } 397 398 ccmp_pn2hdr(pos, pn, key->conf.keyidx); 399 400 /* hwaccel - with software CCMP header */ 401 if (info->control.hw_key) 402 return 0; 403 404 pos += CCMP_HDR_LEN; 405 ccmp_special_blocks(skb, pn, key->u.ccmp.tx_crypto_buf, 0); 406 ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, key->u.ccmp.tx_crypto_buf, pos, len, 407 pos, skb_put(skb, CCMP_MIC_LEN)); 408 409 return 0; 410 } 411 412 413 ieee80211_tx_result 414 ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx) 415 { 416 struct sk_buff *skb = tx->skb; 417 418 ieee80211_tx_set_protected(tx); 419 420 do { 421 if (ccmp_encrypt_skb(tx, skb) < 0) 422 return TX_DROP; 423 } while ((skb = skb->next)); 424 425 return TX_CONTINUE; 426 } 427 428 429 ieee80211_rx_result 430 ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx) 431 { 432 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 433 int hdrlen; 434 struct ieee80211_key *key = rx->key; 435 struct sk_buff *skb = rx->skb; 436 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 437 u8 pn[CCMP_PN_LEN]; 438 int data_len; 439 440 hdrlen = ieee80211_hdrlen(hdr->frame_control); 441 442 if (!ieee80211_is_data(hdr->frame_control) && 443 !ieee80211_is_robust_mgmt_frame(hdr)) 444 return RX_CONTINUE; 445 446 data_len = skb->len - hdrlen - CCMP_HDR_LEN - CCMP_MIC_LEN; 447 if (!rx->sta || data_len < 0) 448 return RX_DROP_UNUSABLE; 449 450 if ((status->flag & RX_FLAG_DECRYPTED) && 451 (status->flag & RX_FLAG_IV_STRIPPED)) 452 return RX_CONTINUE; 453 454 ccmp_hdr2pn(pn, skb->data + hdrlen); 455 456 if (memcmp(pn, key->u.ccmp.rx_pn[rx->queue], CCMP_PN_LEN) <= 0) { 457 key->u.ccmp.replays++; 458 return RX_DROP_UNUSABLE; 459 } 460 461 if (!(status->flag & RX_FLAG_DECRYPTED)) { 462 /* hardware didn't decrypt/verify MIC */ 463 ccmp_special_blocks(skb, pn, key->u.ccmp.rx_crypto_buf, 1); 464 465 if (ieee80211_aes_ccm_decrypt( 466 key->u.ccmp.tfm, key->u.ccmp.rx_crypto_buf, 467 skb->data + hdrlen + CCMP_HDR_LEN, data_len, 468 skb->data + skb->len - CCMP_MIC_LEN, 469 skb->data + hdrlen + CCMP_HDR_LEN)) 470 return RX_DROP_UNUSABLE; 471 } 472 473 memcpy(key->u.ccmp.rx_pn[rx->queue], pn, CCMP_PN_LEN); 474 475 /* Remove CCMP header and MIC */ 476 skb_trim(skb, skb->len - CCMP_MIC_LEN); 477 memmove(skb->data + CCMP_HDR_LEN, skb->data, hdrlen); 478 skb_pull(skb, CCMP_HDR_LEN); 479 480 return RX_CONTINUE; 481 } 482 483 484 static void bip_aad(struct sk_buff *skb, u8 *aad) 485 { 486 /* BIP AAD: FC(masked) || A1 || A2 || A3 */ 487 488 /* FC type/subtype */ 489 aad[0] = skb->data[0]; 490 /* Mask FC Retry, PwrMgt, MoreData flags to zero */ 491 aad[1] = skb->data[1] & ~(BIT(4) | BIT(5) | BIT(6)); 492 /* A1 || A2 || A3 */ 493 memcpy(aad + 2, skb->data + 4, 3 * ETH_ALEN); 494 } 495 496 497 static inline void bip_ipn_swap(u8 *d, const u8 *s) 498 { 499 *d++ = s[5]; 500 *d++ = s[4]; 501 *d++ = s[3]; 502 *d++ = s[2]; 503 *d++ = s[1]; 504 *d = s[0]; 505 } 506 507 508 ieee80211_tx_result 509 ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx) 510 { 511 struct sk_buff *skb = tx->skb; 512 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 513 struct ieee80211_key *key = tx->key; 514 struct ieee80211_mmie *mmie; 515 u8 *pn, aad[20]; 516 int i; 517 518 if (info->control.hw_key) 519 return 0; 520 521 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie))) 522 return TX_DROP; 523 524 mmie = (struct ieee80211_mmie *) skb_put(skb, sizeof(*mmie)); 525 mmie->element_id = WLAN_EID_MMIE; 526 mmie->length = sizeof(*mmie) - 2; 527 mmie->key_id = cpu_to_le16(key->conf.keyidx); 528 529 /* PN = PN + 1 */ 530 pn = key->u.aes_cmac.tx_pn; 531 532 for (i = sizeof(key->u.aes_cmac.tx_pn) - 1; i >= 0; i--) { 533 pn[i]++; 534 if (pn[i]) 535 break; 536 } 537 bip_ipn_swap(mmie->sequence_number, pn); 538 539 bip_aad(skb, aad); 540 541 /* 542 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64) 543 */ 544 ieee80211_aes_cmac(key->u.aes_cmac.tfm, key->u.aes_cmac.tx_crypto_buf, 545 aad, skb->data + 24, skb->len - 24, mmie->mic); 546 547 return TX_CONTINUE; 548 } 549 550 551 ieee80211_rx_result 552 ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx) 553 { 554 struct sk_buff *skb = rx->skb; 555 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 556 struct ieee80211_key *key = rx->key; 557 struct ieee80211_mmie *mmie; 558 u8 aad[20], mic[8], ipn[6]; 559 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 560 561 if (!ieee80211_is_mgmt(hdr->frame_control)) 562 return RX_CONTINUE; 563 564 if ((status->flag & RX_FLAG_DECRYPTED) && 565 (status->flag & RX_FLAG_IV_STRIPPED)) 566 return RX_CONTINUE; 567 568 if (skb->len < 24 + sizeof(*mmie)) 569 return RX_DROP_UNUSABLE; 570 571 mmie = (struct ieee80211_mmie *) 572 (skb->data + skb->len - sizeof(*mmie)); 573 if (mmie->element_id != WLAN_EID_MMIE || 574 mmie->length != sizeof(*mmie) - 2) 575 return RX_DROP_UNUSABLE; /* Invalid MMIE */ 576 577 bip_ipn_swap(ipn, mmie->sequence_number); 578 579 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) { 580 key->u.aes_cmac.replays++; 581 return RX_DROP_UNUSABLE; 582 } 583 584 if (!(status->flag & RX_FLAG_DECRYPTED)) { 585 /* hardware didn't decrypt/verify MIC */ 586 bip_aad(skb, aad); 587 ieee80211_aes_cmac(key->u.aes_cmac.tfm, 588 key->u.aes_cmac.rx_crypto_buf, aad, 589 skb->data + 24, skb->len - 24, mic); 590 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) { 591 key->u.aes_cmac.icverrors++; 592 return RX_DROP_UNUSABLE; 593 } 594 } 595 596 memcpy(key->u.aes_cmac.rx_pn, ipn, 6); 597 598 /* Remove MMIE */ 599 skb_trim(skb, skb->len - sizeof(*mmie)); 600 601 return RX_CONTINUE; 602 } 603