Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
39404fee JM |
2 | /* |
3 | * FILS AEAD for (Re)Association Request/Response frames | |
4 | * Copyright 2016, Qualcomm Atheros, Inc. | |
39404fee JM |
5 | */ |
6 | ||
7 | #include <crypto/aes.h> | |
8 | #include <crypto/algapi.h> | |
fe8de3da | 9 | #include <crypto/hash.h> |
39404fee JM |
10 | #include <crypto/skcipher.h> |
11 | ||
12 | #include "ieee80211_i.h" | |
13 | #include "aes_cmac.h" | |
14 | #include "fils_aead.h" | |
15 | ||
fe8de3da AB |
16 | static void gf_mulx(u8 *pad) |
17 | { | |
18 | u64 a = get_unaligned_be64(pad); | |
19 | u64 b = get_unaligned_be64(pad + 8); | |
20 | ||
21 | put_unaligned_be64((a << 1) | (b >> 63), pad); | |
22 | put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8); | |
23 | } | |
24 | ||
25 | static int aes_s2v(struct crypto_shash *tfm, | |
39404fee JM |
26 | size_t num_elem, const u8 *addr[], size_t len[], u8 *v) |
27 | { | |
fe8de3da AB |
28 | u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {}; |
29 | SHASH_DESC_ON_STACK(desc, tfm); | |
39404fee | 30 | size_t i; |
fe8de3da AB |
31 | |
32 | desc->tfm = tfm; | |
39404fee JM |
33 | |
34 | /* D = AES-CMAC(K, <zero>) */ | |
fe8de3da | 35 | crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d); |
39404fee JM |
36 | |
37 | for (i = 0; i < num_elem - 1; i++) { | |
38 | /* D = dbl(D) xor AES_CMAC(K, Si) */ | |
39 | gf_mulx(d); /* dbl */ | |
fe8de3da | 40 | crypto_shash_digest(desc, addr[i], len[i], tmp); |
39404fee JM |
41 | crypto_xor(d, tmp, AES_BLOCK_SIZE); |
42 | } | |
43 | ||
fe8de3da AB |
44 | crypto_shash_init(desc); |
45 | ||
39404fee JM |
46 | if (len[i] >= AES_BLOCK_SIZE) { |
47 | /* len(Sn) >= 128 */ | |
39404fee | 48 | /* T = Sn xorend D */ |
fe8de3da AB |
49 | crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE); |
50 | crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE, | |
51 | AES_BLOCK_SIZE); | |
39404fee JM |
52 | } else { |
53 | /* len(Sn) < 128 */ | |
54 | /* T = dbl(D) xor pad(Sn) */ | |
55 | gf_mulx(d); /* dbl */ | |
fe8de3da AB |
56 | crypto_xor(d, addr[i], len[i]); |
57 | d[len[i]] ^= 0x80; | |
39404fee JM |
58 | } |
59 | /* V = AES-CMAC(K, T) */ | |
fe8de3da | 60 | crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v); |
39404fee JM |
61 | |
62 | return 0; | |
63 | } | |
64 | ||
65 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ | |
66 | static int aes_siv_encrypt(const u8 *key, size_t key_len, | |
67 | const u8 *plain, size_t plain_len, | |
68 | size_t num_elem, const u8 *addr[], | |
69 | size_t len[], u8 *out) | |
70 | { | |
71 | u8 v[AES_BLOCK_SIZE]; | |
fe8de3da | 72 | struct crypto_shash *tfm; |
39404fee JM |
73 | struct crypto_skcipher *tfm2; |
74 | struct skcipher_request *req; | |
75 | int res; | |
76 | struct scatterlist src[1], dst[1]; | |
77 | u8 *tmp; | |
78 | ||
79 | key_len /= 2; /* S2V key || CTR key */ | |
80 | ||
81 | addr[num_elem] = plain; | |
82 | len[num_elem] = plain_len; | |
83 | num_elem++; | |
84 | ||
85 | /* S2V */ | |
86 | ||
fe8de3da | 87 | tfm = crypto_alloc_shash("cmac(aes)", 0, 0); |
39404fee JM |
88 | if (IS_ERR(tfm)) |
89 | return PTR_ERR(tfm); | |
90 | /* K1 for S2V */ | |
fe8de3da | 91 | res = crypto_shash_setkey(tfm, key, key_len); |
39404fee JM |
92 | if (!res) |
93 | res = aes_s2v(tfm, num_elem, addr, len, v); | |
fe8de3da | 94 | crypto_free_shash(tfm); |
39404fee JM |
95 | if (res) |
96 | return res; | |
97 | ||
98 | /* Use a temporary buffer of the plaintext to handle need for | |
99 | * overwriting this during AES-CTR. | |
100 | */ | |
101 | tmp = kmemdup(plain, plain_len, GFP_KERNEL); | |
51487718 AB |
102 | if (!tmp) |
103 | return -ENOMEM; | |
39404fee JM |
104 | |
105 | /* IV for CTR before encrypted data */ | |
106 | memcpy(out, v, AES_BLOCK_SIZE); | |
107 | ||
108 | /* Synthetic IV to be used as the initial counter in CTR: | |
109 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) | |
110 | */ | |
111 | v[8] &= 0x7f; | |
112 | v[12] &= 0x7f; | |
113 | ||
114 | /* CTR */ | |
115 | ||
01fba20b | 116 | tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); |
39404fee JM |
117 | if (IS_ERR(tfm2)) { |
118 | kfree(tmp); | |
119 | return PTR_ERR(tfm2); | |
120 | } | |
121 | /* K2 for CTR */ | |
122 | res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); | |
123 | if (res) | |
124 | goto fail; | |
125 | ||
126 | req = skcipher_request_alloc(tfm2, GFP_KERNEL); | |
127 | if (!req) { | |
128 | res = -ENOMEM; | |
129 | goto fail; | |
130 | } | |
131 | ||
132 | sg_init_one(src, tmp, plain_len); | |
133 | sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len); | |
134 | skcipher_request_set_crypt(req, src, dst, plain_len, v); | |
135 | res = crypto_skcipher_encrypt(req); | |
136 | skcipher_request_free(req); | |
137 | fail: | |
138 | kfree(tmp); | |
139 | crypto_free_skcipher(tfm2); | |
140 | return res; | |
141 | } | |
142 | ||
143 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ | |
144 | static int aes_siv_decrypt(const u8 *key, size_t key_len, | |
145 | const u8 *iv_crypt, size_t iv_c_len, | |
146 | size_t num_elem, const u8 *addr[], size_t len[], | |
147 | u8 *out) | |
148 | { | |
fe8de3da | 149 | struct crypto_shash *tfm; |
39404fee JM |
150 | struct crypto_skcipher *tfm2; |
151 | struct skcipher_request *req; | |
152 | struct scatterlist src[1], dst[1]; | |
153 | size_t crypt_len; | |
154 | int res; | |
155 | u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE]; | |
156 | u8 check[AES_BLOCK_SIZE]; | |
157 | ||
158 | crypt_len = iv_c_len - AES_BLOCK_SIZE; | |
159 | key_len /= 2; /* S2V key || CTR key */ | |
160 | addr[num_elem] = out; | |
161 | len[num_elem] = crypt_len; | |
162 | num_elem++; | |
163 | ||
164 | memcpy(iv, iv_crypt, AES_BLOCK_SIZE); | |
165 | memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE); | |
166 | ||
167 | /* Synthetic IV to be used as the initial counter in CTR: | |
168 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) | |
169 | */ | |
170 | iv[8] &= 0x7f; | |
171 | iv[12] &= 0x7f; | |
172 | ||
173 | /* CTR */ | |
174 | ||
01fba20b | 175 | tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); |
39404fee JM |
176 | if (IS_ERR(tfm2)) |
177 | return PTR_ERR(tfm2); | |
178 | /* K2 for CTR */ | |
179 | res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); | |
180 | if (res) { | |
181 | crypto_free_skcipher(tfm2); | |
182 | return res; | |
183 | } | |
184 | ||
185 | req = skcipher_request_alloc(tfm2, GFP_KERNEL); | |
186 | if (!req) { | |
187 | crypto_free_skcipher(tfm2); | |
188 | return -ENOMEM; | |
189 | } | |
190 | ||
191 | sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len); | |
192 | sg_init_one(dst, out, crypt_len); | |
193 | skcipher_request_set_crypt(req, src, dst, crypt_len, iv); | |
194 | res = crypto_skcipher_decrypt(req); | |
195 | skcipher_request_free(req); | |
196 | crypto_free_skcipher(tfm2); | |
197 | if (res) | |
198 | return res; | |
199 | ||
200 | /* S2V */ | |
201 | ||
fe8de3da | 202 | tfm = crypto_alloc_shash("cmac(aes)", 0, 0); |
39404fee JM |
203 | if (IS_ERR(tfm)) |
204 | return PTR_ERR(tfm); | |
205 | /* K1 for S2V */ | |
fe8de3da | 206 | res = crypto_shash_setkey(tfm, key, key_len); |
39404fee JM |
207 | if (!res) |
208 | res = aes_s2v(tfm, num_elem, addr, len, check); | |
fe8de3da | 209 | crypto_free_shash(tfm); |
39404fee JM |
210 | if (res) |
211 | return res; | |
212 | if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0) | |
213 | return -EINVAL; | |
214 | return 0; | |
215 | } | |
216 | ||
217 | int fils_encrypt_assoc_req(struct sk_buff *skb, | |
218 | struct ieee80211_mgd_assoc_data *assoc_data) | |
219 | { | |
220 | struct ieee80211_mgmt *mgmt = (void *)skb->data; | |
221 | u8 *capab, *ies, *encr; | |
222 | const u8 *addr[5 + 1], *session; | |
223 | size_t len[5 + 1]; | |
224 | size_t crypt_len; | |
225 | ||
226 | if (ieee80211_is_reassoc_req(mgmt->frame_control)) { | |
227 | capab = (u8 *)&mgmt->u.reassoc_req.capab_info; | |
228 | ies = mgmt->u.reassoc_req.variable; | |
229 | } else { | |
230 | capab = (u8 *)&mgmt->u.assoc_req.capab_info; | |
231 | ies = mgmt->u.assoc_req.variable; | |
232 | } | |
233 | ||
234 | session = cfg80211_find_ext_ie(WLAN_EID_EXT_FILS_SESSION, | |
235 | ies, skb->data + skb->len - ies); | |
236 | if (!session || session[1] != 1 + 8) | |
237 | return -EINVAL; | |
238 | /* encrypt after FILS Session element */ | |
239 | encr = (u8 *)session + 2 + 1 + 8; | |
240 | ||
241 | /* AES-SIV AAD vectors */ | |
242 | ||
243 | /* The STA's MAC address */ | |
244 | addr[0] = mgmt->sa; | |
245 | len[0] = ETH_ALEN; | |
246 | /* The AP's BSSID */ | |
247 | addr[1] = mgmt->da; | |
248 | len[1] = ETH_ALEN; | |
249 | /* The STA's nonce */ | |
250 | addr[2] = assoc_data->fils_nonces; | |
251 | len[2] = FILS_NONCE_LEN; | |
252 | /* The AP's nonce */ | |
253 | addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; | |
254 | len[3] = FILS_NONCE_LEN; | |
255 | /* The (Re)Association Request frame from the Capability Information | |
256 | * field to the FILS Session element (both inclusive). | |
257 | */ | |
258 | addr[4] = capab; | |
259 | len[4] = encr - capab; | |
260 | ||
261 | crypt_len = skb->data + skb->len - encr; | |
262 | skb_put(skb, AES_BLOCK_SIZE); | |
263 | return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, | |
e479ab65 | 264 | encr, crypt_len, 5, addr, len, encr); |
39404fee JM |
265 | } |
266 | ||
267 | int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, | |
268 | u8 *frame, size_t *frame_len, | |
269 | struct ieee80211_mgd_assoc_data *assoc_data) | |
270 | { | |
271 | struct ieee80211_mgmt *mgmt = (void *)frame; | |
272 | u8 *capab, *ies, *encr; | |
273 | const u8 *addr[5 + 1], *session; | |
274 | size_t len[5 + 1]; | |
275 | int res; | |
276 | size_t crypt_len; | |
277 | ||
278 | if (*frame_len < 24 + 6) | |
279 | return -EINVAL; | |
280 | ||
281 | capab = (u8 *)&mgmt->u.assoc_resp.capab_info; | |
282 | ies = mgmt->u.assoc_resp.variable; | |
283 | session = cfg80211_find_ext_ie(WLAN_EID_EXT_FILS_SESSION, | |
284 | ies, frame + *frame_len - ies); | |
285 | if (!session || session[1] != 1 + 8) { | |
286 | mlme_dbg(sdata, | |
287 | "No (valid) FILS Session element in (Re)Association Response frame from %pM", | |
288 | mgmt->sa); | |
289 | return -EINVAL; | |
290 | } | |
291 | /* decrypt after FILS Session element */ | |
292 | encr = (u8 *)session + 2 + 1 + 8; | |
293 | ||
294 | /* AES-SIV AAD vectors */ | |
295 | ||
296 | /* The AP's BSSID */ | |
297 | addr[0] = mgmt->sa; | |
298 | len[0] = ETH_ALEN; | |
299 | /* The STA's MAC address */ | |
300 | addr[1] = mgmt->da; | |
301 | len[1] = ETH_ALEN; | |
302 | /* The AP's nonce */ | |
303 | addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; | |
304 | len[2] = FILS_NONCE_LEN; | |
305 | /* The STA's nonce */ | |
306 | addr[3] = assoc_data->fils_nonces; | |
307 | len[3] = FILS_NONCE_LEN; | |
308 | /* The (Re)Association Response frame from the Capability Information | |
309 | * field to the FILS Session element (both inclusive). | |
310 | */ | |
311 | addr[4] = capab; | |
312 | len[4] = encr - capab; | |
313 | ||
314 | crypt_len = frame + *frame_len - encr; | |
315 | if (crypt_len < AES_BLOCK_SIZE) { | |
316 | mlme_dbg(sdata, | |
317 | "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM", | |
318 | mgmt->sa); | |
319 | return -EINVAL; | |
320 | } | |
321 | res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, | |
322 | encr, crypt_len, 5, addr, len, encr); | |
323 | if (res != 0) { | |
324 | mlme_dbg(sdata, | |
325 | "AES-SIV decryption of (Re)Association Response frame from %pM failed", | |
326 | mgmt->sa); | |
327 | return res; | |
328 | } | |
329 | *frame_len -= AES_BLOCK_SIZE; | |
330 | return 0; | |
331 | } |