Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
39404fee JM |
2 | /* |
3 | * FILS AEAD for (Re)Association Request/Response frames | |
4 | * Copyright 2016, Qualcomm Atheros, Inc. | |
39404fee JM |
5 | */ |
6 | ||
7 | #include <crypto/aes.h> | |
fe8de3da | 8 | #include <crypto/hash.h> |
39404fee | 9 | #include <crypto/skcipher.h> |
8da1985f | 10 | #include <crypto/utils.h> |
39404fee JM |
11 | |
12 | #include "ieee80211_i.h" | |
13 | #include "aes_cmac.h" | |
14 | #include "fils_aead.h" | |
15 | ||
fe8de3da AB |
16 | static void gf_mulx(u8 *pad) |
17 | { | |
18 | u64 a = get_unaligned_be64(pad); | |
19 | u64 b = get_unaligned_be64(pad + 8); | |
20 | ||
21 | put_unaligned_be64((a << 1) | (b >> 63), pad); | |
22 | put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8); | |
23 | } | |
24 | ||
25 | static int aes_s2v(struct crypto_shash *tfm, | |
39404fee JM |
26 | size_t num_elem, const u8 *addr[], size_t len[], u8 *v) |
27 | { | |
fe8de3da AB |
28 | u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {}; |
29 | SHASH_DESC_ON_STACK(desc, tfm); | |
39404fee | 30 | size_t i; |
fe8de3da AB |
31 | |
32 | desc->tfm = tfm; | |
39404fee JM |
33 | |
34 | /* D = AES-CMAC(K, <zero>) */ | |
fe8de3da | 35 | crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d); |
39404fee JM |
36 | |
37 | for (i = 0; i < num_elem - 1; i++) { | |
38 | /* D = dbl(D) xor AES_CMAC(K, Si) */ | |
39 | gf_mulx(d); /* dbl */ | |
fe8de3da | 40 | crypto_shash_digest(desc, addr[i], len[i], tmp); |
39404fee JM |
41 | crypto_xor(d, tmp, AES_BLOCK_SIZE); |
42 | } | |
43 | ||
fe8de3da AB |
44 | crypto_shash_init(desc); |
45 | ||
39404fee JM |
46 | if (len[i] >= AES_BLOCK_SIZE) { |
47 | /* len(Sn) >= 128 */ | |
39404fee | 48 | /* T = Sn xorend D */ |
fe8de3da AB |
49 | crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE); |
50 | crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE, | |
51 | AES_BLOCK_SIZE); | |
39404fee JM |
52 | } else { |
53 | /* len(Sn) < 128 */ | |
54 | /* T = dbl(D) xor pad(Sn) */ | |
55 | gf_mulx(d); /* dbl */ | |
fe8de3da AB |
56 | crypto_xor(d, addr[i], len[i]); |
57 | d[len[i]] ^= 0x80; | |
39404fee JM |
58 | } |
59 | /* V = AES-CMAC(K, T) */ | |
fe8de3da | 60 | crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v); |
39404fee JM |
61 | |
62 | return 0; | |
63 | } | |
64 | ||
65 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ | |
66 | static int aes_siv_encrypt(const u8 *key, size_t key_len, | |
67 | const u8 *plain, size_t plain_len, | |
68 | size_t num_elem, const u8 *addr[], | |
69 | size_t len[], u8 *out) | |
70 | { | |
71 | u8 v[AES_BLOCK_SIZE]; | |
fe8de3da | 72 | struct crypto_shash *tfm; |
39404fee JM |
73 | struct crypto_skcipher *tfm2; |
74 | struct skcipher_request *req; | |
75 | int res; | |
76 | struct scatterlist src[1], dst[1]; | |
77 | u8 *tmp; | |
78 | ||
79 | key_len /= 2; /* S2V key || CTR key */ | |
80 | ||
81 | addr[num_elem] = plain; | |
82 | len[num_elem] = plain_len; | |
83 | num_elem++; | |
84 | ||
85 | /* S2V */ | |
86 | ||
fe8de3da | 87 | tfm = crypto_alloc_shash("cmac(aes)", 0, 0); |
39404fee JM |
88 | if (IS_ERR(tfm)) |
89 | return PTR_ERR(tfm); | |
90 | /* K1 for S2V */ | |
fe8de3da | 91 | res = crypto_shash_setkey(tfm, key, key_len); |
39404fee JM |
92 | if (!res) |
93 | res = aes_s2v(tfm, num_elem, addr, len, v); | |
fe8de3da | 94 | crypto_free_shash(tfm); |
39404fee JM |
95 | if (res) |
96 | return res; | |
97 | ||
98 | /* Use a temporary buffer of the plaintext to handle need for | |
99 | * overwriting this during AES-CTR. | |
100 | */ | |
101 | tmp = kmemdup(plain, plain_len, GFP_KERNEL); | |
51487718 AB |
102 | if (!tmp) |
103 | return -ENOMEM; | |
39404fee JM |
104 | |
105 | /* IV for CTR before encrypted data */ | |
106 | memcpy(out, v, AES_BLOCK_SIZE); | |
107 | ||
108 | /* Synthetic IV to be used as the initial counter in CTR: | |
109 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) | |
110 | */ | |
111 | v[8] &= 0x7f; | |
112 | v[12] &= 0x7f; | |
113 | ||
114 | /* CTR */ | |
115 | ||
01fba20b | 116 | tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); |
39404fee JM |
117 | if (IS_ERR(tfm2)) { |
118 | kfree(tmp); | |
119 | return PTR_ERR(tfm2); | |
120 | } | |
121 | /* K2 for CTR */ | |
122 | res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); | |
123 | if (res) | |
124 | goto fail; | |
125 | ||
126 | req = skcipher_request_alloc(tfm2, GFP_KERNEL); | |
127 | if (!req) { | |
128 | res = -ENOMEM; | |
129 | goto fail; | |
130 | } | |
131 | ||
132 | sg_init_one(src, tmp, plain_len); | |
133 | sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len); | |
134 | skcipher_request_set_crypt(req, src, dst, plain_len, v); | |
135 | res = crypto_skcipher_encrypt(req); | |
136 | skcipher_request_free(req); | |
137 | fail: | |
138 | kfree(tmp); | |
139 | crypto_free_skcipher(tfm2); | |
140 | return res; | |
141 | } | |
142 | ||
143 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ | |
144 | static int aes_siv_decrypt(const u8 *key, size_t key_len, | |
145 | const u8 *iv_crypt, size_t iv_c_len, | |
146 | size_t num_elem, const u8 *addr[], size_t len[], | |
147 | u8 *out) | |
148 | { | |
fe8de3da | 149 | struct crypto_shash *tfm; |
39404fee JM |
150 | struct crypto_skcipher *tfm2; |
151 | struct skcipher_request *req; | |
152 | struct scatterlist src[1], dst[1]; | |
153 | size_t crypt_len; | |
154 | int res; | |
155 | u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE]; | |
156 | u8 check[AES_BLOCK_SIZE]; | |
157 | ||
158 | crypt_len = iv_c_len - AES_BLOCK_SIZE; | |
159 | key_len /= 2; /* S2V key || CTR key */ | |
160 | addr[num_elem] = out; | |
161 | len[num_elem] = crypt_len; | |
162 | num_elem++; | |
163 | ||
164 | memcpy(iv, iv_crypt, AES_BLOCK_SIZE); | |
165 | memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE); | |
166 | ||
167 | /* Synthetic IV to be used as the initial counter in CTR: | |
168 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) | |
169 | */ | |
170 | iv[8] &= 0x7f; | |
171 | iv[12] &= 0x7f; | |
172 | ||
173 | /* CTR */ | |
174 | ||
01fba20b | 175 | tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); |
39404fee JM |
176 | if (IS_ERR(tfm2)) |
177 | return PTR_ERR(tfm2); | |
178 | /* K2 for CTR */ | |
179 | res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); | |
180 | if (res) { | |
181 | crypto_free_skcipher(tfm2); | |
182 | return res; | |
183 | } | |
184 | ||
185 | req = skcipher_request_alloc(tfm2, GFP_KERNEL); | |
186 | if (!req) { | |
187 | crypto_free_skcipher(tfm2); | |
188 | return -ENOMEM; | |
189 | } | |
190 | ||
191 | sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len); | |
192 | sg_init_one(dst, out, crypt_len); | |
193 | skcipher_request_set_crypt(req, src, dst, crypt_len, iv); | |
194 | res = crypto_skcipher_decrypt(req); | |
195 | skcipher_request_free(req); | |
196 | crypto_free_skcipher(tfm2); | |
197 | if (res) | |
198 | return res; | |
199 | ||
200 | /* S2V */ | |
201 | ||
fe8de3da | 202 | tfm = crypto_alloc_shash("cmac(aes)", 0, 0); |
39404fee JM |
203 | if (IS_ERR(tfm)) |
204 | return PTR_ERR(tfm); | |
205 | /* K1 for S2V */ | |
fe8de3da | 206 | res = crypto_shash_setkey(tfm, key, key_len); |
39404fee JM |
207 | if (!res) |
208 | res = aes_s2v(tfm, num_elem, addr, len, check); | |
fe8de3da | 209 | crypto_free_shash(tfm); |
39404fee JM |
210 | if (res) |
211 | return res; | |
212 | if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0) | |
213 | return -EINVAL; | |
214 | return 0; | |
215 | } | |
216 | ||
217 | int fils_encrypt_assoc_req(struct sk_buff *skb, | |
218 | struct ieee80211_mgd_assoc_data *assoc_data) | |
219 | { | |
220 | struct ieee80211_mgmt *mgmt = (void *)skb->data; | |
221 | u8 *capab, *ies, *encr; | |
ba9d0db9 JB |
222 | const u8 *addr[5 + 1]; |
223 | const struct element *session; | |
39404fee JM |
224 | size_t len[5 + 1]; |
225 | size_t crypt_len; | |
226 | ||
227 | if (ieee80211_is_reassoc_req(mgmt->frame_control)) { | |
228 | capab = (u8 *)&mgmt->u.reassoc_req.capab_info; | |
229 | ies = mgmt->u.reassoc_req.variable; | |
230 | } else { | |
231 | capab = (u8 *)&mgmt->u.assoc_req.capab_info; | |
232 | ies = mgmt->u.assoc_req.variable; | |
233 | } | |
234 | ||
ba9d0db9 JB |
235 | session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION, |
236 | ies, skb->data + skb->len - ies); | |
237 | if (!session || session->datalen != 1 + 8) | |
39404fee JM |
238 | return -EINVAL; |
239 | /* encrypt after FILS Session element */ | |
ba9d0db9 | 240 | encr = (u8 *)session->data + 1 + 8; |
39404fee JM |
241 | |
242 | /* AES-SIV AAD vectors */ | |
243 | ||
244 | /* The STA's MAC address */ | |
245 | addr[0] = mgmt->sa; | |
246 | len[0] = ETH_ALEN; | |
247 | /* The AP's BSSID */ | |
248 | addr[1] = mgmt->da; | |
249 | len[1] = ETH_ALEN; | |
250 | /* The STA's nonce */ | |
251 | addr[2] = assoc_data->fils_nonces; | |
252 | len[2] = FILS_NONCE_LEN; | |
253 | /* The AP's nonce */ | |
254 | addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; | |
255 | len[3] = FILS_NONCE_LEN; | |
256 | /* The (Re)Association Request frame from the Capability Information | |
257 | * field to the FILS Session element (both inclusive). | |
258 | */ | |
259 | addr[4] = capab; | |
260 | len[4] = encr - capab; | |
261 | ||
262 | crypt_len = skb->data + skb->len - encr; | |
263 | skb_put(skb, AES_BLOCK_SIZE); | |
264 | return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, | |
e479ab65 | 265 | encr, crypt_len, 5, addr, len, encr); |
39404fee JM |
266 | } |
267 | ||
268 | int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, | |
269 | u8 *frame, size_t *frame_len, | |
270 | struct ieee80211_mgd_assoc_data *assoc_data) | |
271 | { | |
272 | struct ieee80211_mgmt *mgmt = (void *)frame; | |
273 | u8 *capab, *ies, *encr; | |
ba9d0db9 JB |
274 | const u8 *addr[5 + 1]; |
275 | const struct element *session; | |
39404fee JM |
276 | size_t len[5 + 1]; |
277 | int res; | |
278 | size_t crypt_len; | |
279 | ||
280 | if (*frame_len < 24 + 6) | |
281 | return -EINVAL; | |
282 | ||
283 | capab = (u8 *)&mgmt->u.assoc_resp.capab_info; | |
284 | ies = mgmt->u.assoc_resp.variable; | |
ba9d0db9 JB |
285 | session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION, |
286 | ies, frame + *frame_len - ies); | |
287 | if (!session || session->datalen != 1 + 8) { | |
39404fee JM |
288 | mlme_dbg(sdata, |
289 | "No (valid) FILS Session element in (Re)Association Response frame from %pM", | |
290 | mgmt->sa); | |
291 | return -EINVAL; | |
292 | } | |
293 | /* decrypt after FILS Session element */ | |
ba9d0db9 | 294 | encr = (u8 *)session->data + 1 + 8; |
39404fee JM |
295 | |
296 | /* AES-SIV AAD vectors */ | |
297 | ||
298 | /* The AP's BSSID */ | |
299 | addr[0] = mgmt->sa; | |
300 | len[0] = ETH_ALEN; | |
301 | /* The STA's MAC address */ | |
302 | addr[1] = mgmt->da; | |
303 | len[1] = ETH_ALEN; | |
304 | /* The AP's nonce */ | |
305 | addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; | |
306 | len[2] = FILS_NONCE_LEN; | |
307 | /* The STA's nonce */ | |
308 | addr[3] = assoc_data->fils_nonces; | |
309 | len[3] = FILS_NONCE_LEN; | |
310 | /* The (Re)Association Response frame from the Capability Information | |
311 | * field to the FILS Session element (both inclusive). | |
312 | */ | |
313 | addr[4] = capab; | |
314 | len[4] = encr - capab; | |
315 | ||
316 | crypt_len = frame + *frame_len - encr; | |
317 | if (crypt_len < AES_BLOCK_SIZE) { | |
318 | mlme_dbg(sdata, | |
319 | "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM", | |
320 | mgmt->sa); | |
321 | return -EINVAL; | |
322 | } | |
323 | res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, | |
324 | encr, crypt_len, 5, addr, len, encr); | |
325 | if (res != 0) { | |
326 | mlme_dbg(sdata, | |
327 | "AES-SIV decryption of (Re)Association Response frame from %pM failed", | |
328 | mgmt->sa); | |
329 | return res; | |
330 | } | |
331 | *frame_len -= AES_BLOCK_SIZE; | |
332 | return 0; | |
333 | } |