3 * AES-128 CCM Encryption
5 * Copyright (C) 2007 Intel Corporation
6 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License version
10 * 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 * We don't do any encryption here; we use the Linux Kernel's AES-128
24 * crypto modules to construct keys and payload blocks in a way
25 * defined by WUSB1.0[6]. Check the erratas, as typos are are patched
28 * Thanks a zillion to John Keys for his help and clarifications over
29 * the designed-by-a-committee text.
31 * So the idea is that there is this basic Pseudo-Random-Function
32 * defined in WUSB1.0[6.5] which is the core of everything. It works
33 * by tweaking some blocks, AES crypting them and then xoring
34 * something else with them (this seems to be called CBC(AES) -- can
35 * you tell I know jack about crypto?). So we just funnel it into the
38 * We leave a crypto test module so we can verify that vectors match,
41 * Block size: 16 bytes -- AES seems to do things in 'block sizes'. I
42 * am learning a lot...
44 * Conveniently, some data structures that need to be
45 * funneled through AES are...16 bytes in size!
48 #include <crypto/skcipher.h>
49 #include <linux/crypto.h>
50 #include <linux/module.h>
51 #include <linux/err.h>
52 #include <linux/uwb.h>
53 #include <linux/slab.h>
54 #include <linux/usb/wusb.h>
55 #include <linux/scatterlist.h>
57 static int debug_crypto_verify;
59 module_param(debug_crypto_verify, int, 0);
60 MODULE_PARM_DESC(debug_crypto_verify, "verify the key generation algorithms");
62 static void wusb_key_dump(const void *buf, size_t len)
64 print_hex_dump(KERN_ERR, " ", DUMP_PREFIX_OFFSET, 16, 1,
69 * Block of data, as understood by AES-CCM
71 * The code assumes this structure is nothing but a 16 byte array
72 * (packed in a struct to avoid common mess ups that I usually do with
73 * arrays and enforcing type checking).
75 struct aes_ccm_block {
77 } __attribute__((packed));
80 * Counter-mode Blocks (WUSB1.0[6.4])
82 * According to CCM (or so it seems), for the purpose of calculating
83 * the MIC, the message is broken in N counter-mode blocks, B0, B1,
86 * B0 contains flags, the CCM nonce and l(m).
88 * B1 contains l(a), the MAC header, the encryption offset and padding.
90 * If EO is nonzero, additional blocks are built from payload bytes
91 * until EO is exhausted (FIXME: padding to 16 bytes, I guess). The
92 * padding is not xmitted.
97 u8 flags; /* 0x59, per CCM spec */
98 struct aes_ccm_nonce ccm_nonce;
100 } __attribute__((packed));
107 u8 security_reserved; /* This is always zero */
109 } __attribute__((packed));
112 * Encryption Blocks (WUSB1.0[6.4.4])
114 * CCM uses Ax blocks to generate a keystream with which the MIC and
115 * the message's payload are encoded. A0 always encrypts/decrypts the
116 * MIC. Ax (x>0) are used for the successive payload blocks.
118 * The x is the counter, and is increased for each block.
121 u8 flags; /* 0x01, per CCM spec */
122 struct aes_ccm_nonce ccm_nonce;
123 __be16 counter; /* Value of x */
124 } __attribute__((packed));
126 static void bytewise_xor(void *_bo, const void *_bi1, const void *_bi2,
130 const u8 *bi1 = _bi1, *bi2 = _bi2;
132 for (itr = 0; itr < size; itr++)
133 bo[itr] = bi1[itr] ^ bi2[itr];
136 /* Scratch space for MAC calculations. */
137 struct wusb_mac_scratch {
138 struct aes_ccm_b0 b0;
139 struct aes_ccm_b1 b1;
144 * CC-MAC function WUSB1.0[6.5]
146 * Take a data string and produce the encrypted CBC Counter-mode MIC
148 * Note the names for most function arguments are made to (more or
149 * less) match those used in the pseudo-function definition given in
152 * @tfm_cbc: CBC(AES) blkcipher handle (initialized)
154 * @tfm_aes: AES cipher handle (initialized)
156 * @mic: buffer for placing the computed MIC (Message Integrity
157 * Code). This is exactly 8 bytes, and we expect the buffer to
158 * be at least eight bytes in length.
160 * @key: 128 bit symmetric key
164 * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
165 * we use exactly 14 bytes).
167 * @b: data stream to be processed; cannot be a global or const local
168 * (will confuse the scatterlists)
170 * @blen: size of b...
172 * Still not very clear how this is done, but looks like this: we
173 * create block B0 (as WUSB1.0[6.5] says), then we AES-crypt it with
174 * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
175 * take the payload and divide it in blocks (16 bytes), xor them with
176 * the previous crypto result (16 bytes) and crypt it, repeat the next
177 * block with the output of the previous one, rinse wash (I guess this
178 * is what AES CBC mode means...but I truly have no idea). So we use
179 * the CBC(AES) blkcipher, that does precisely that. The IV (Initial
180 * Vector) is 16 bytes and is set to zero, so
182 * See rfc3610. Linux crypto has a CBC implementation, but the
183 * documentation is scarce, to say the least, and the example code is
184 * so intricated that is difficult to understand how things work. Most
185 * of this is guess work -- bite me.
187 * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
188 * using the 14 bytes of @a to fill up
189 * b1.{mac_header,e0,security_reserved,padding}.
191 * NOTE: The definition of l(a) in WUSB1.0[6.5] vs the definition of
192 * l(m) is orthogonal, they bear no relationship, so it is not
193 * in conflict with the parameter's relation that
194 * WUSB1.0[6.4.2]) defines.
196 * NOTE: WUSB1.0[A.1]: Host Nonce is missing a nibble? (1e); fixed in
197 * first errata released on 2005/07.
199 * NOTE: we need to clean IV to zero at each invocation to make sure
200 * we start with a fresh empty Initial Vector, so that the CBC
203 * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
204 * what sg[4] is for. Maybe there is a smarter way to do this.
206 static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
207 struct crypto_cipher *tfm_aes,
208 struct wusb_mac_scratch *scratch,
210 const struct aes_ccm_nonce *n,
211 const struct aes_ccm_label *a, const void *b,
215 SKCIPHER_REQUEST_ON_STACK(req, tfm_cbc);
216 struct scatterlist sg[4], sg_dst;
219 u8 iv[crypto_skcipher_ivsize(tfm_cbc)];
223 * These checks should be compile time optimized out
224 * ensure @a fills b1's mac_header and following fields
226 WARN_ON(sizeof(*a) != sizeof(scratch->b1) - sizeof(scratch->b1.la));
227 WARN_ON(sizeof(scratch->b0) != sizeof(struct aes_ccm_block));
228 WARN_ON(sizeof(scratch->b1) != sizeof(struct aes_ccm_block));
229 WARN_ON(sizeof(scratch->ax) != sizeof(struct aes_ccm_block));
232 zero_padding = blen % sizeof(struct aes_ccm_block);
234 zero_padding = sizeof(struct aes_ccm_block) - zero_padding;
235 dst_size = blen + sizeof(scratch->b0) + sizeof(scratch->b1) +
237 dst_buf = kzalloc(dst_size, GFP_KERNEL);
241 memset(iv, 0, sizeof(iv));
244 scratch->b0.flags = 0x59; /* Format B0 */
245 scratch->b0.ccm_nonce = *n;
246 scratch->b0.lm = cpu_to_be16(0); /* WUSB1.0[6.5] sez l(m) is 0 */
250 * The WUSB spec is anything but clear! WUSB1.0[6.5]
251 * says that to initialize B1 from A with 'l(a) = blen +
252 * 14'--after clarification, it means to use A's contents
253 * for MAC Header, EO, sec reserved and padding.
255 scratch->b1.la = cpu_to_be16(blen + 14);
256 memcpy(&scratch->b1.mac_header, a, sizeof(*a));
258 sg_init_table(sg, ARRAY_SIZE(sg));
259 sg_set_buf(&sg[0], &scratch->b0, sizeof(scratch->b0));
260 sg_set_buf(&sg[1], &scratch->b1, sizeof(scratch->b1));
261 sg_set_buf(&sg[2], b, blen);
262 /* 0 if well behaved :) */
263 sg_set_page(&sg[3], ZERO_PAGE(0), zero_padding, 0);
264 sg_init_one(&sg_dst, dst_buf, dst_size);
266 skcipher_request_set_tfm(req, tfm_cbc);
267 skcipher_request_set_callback(req, 0, NULL, NULL);
268 skcipher_request_set_crypt(req, sg, &sg_dst, dst_size, iv);
269 result = crypto_skcipher_encrypt(req);
270 skcipher_request_zero(req);
272 printk(KERN_ERR "E: can't compute CBC-MAC tag (MIC): %d\n",
274 goto error_cbc_crypt;
277 /* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
278 * The procedure is to AES crypt the A0 block and XOR the MIC
279 * Tag against it; we only do the first 8 bytes and place it
280 * directly in the destination buffer.
282 * POS Crypto API: size is assumed to be AES's block size.
283 * Thanks for documenting it -- tip taken from airo.c
285 scratch->ax.flags = 0x01; /* as per WUSB 1.0 spec */
286 scratch->ax.ccm_nonce = *n;
287 scratch->ax.counter = 0;
288 crypto_cipher_encrypt_one(tfm_aes, (void *)&scratch->ax,
289 (void *)&scratch->ax);
290 bytewise_xor(mic, &scratch->ax, iv, 8);
299 * WUSB Pseudo Random Function (WUSB1.0[6.5])
301 * @b: buffer to the source data; cannot be a global or const local
302 * (will confuse the scatterlists)
304 ssize_t wusb_prf(void *out, size_t out_size,
305 const u8 key[16], const struct aes_ccm_nonce *_n,
306 const struct aes_ccm_label *a,
307 const void *b, size_t blen, size_t len)
309 ssize_t result, bytes = 0, bitr;
310 struct aes_ccm_nonce n = *_n;
311 struct crypto_skcipher *tfm_cbc;
312 struct crypto_cipher *tfm_aes;
313 struct wusb_mac_scratch *scratch;
317 tfm_cbc = crypto_alloc_skcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
318 if (IS_ERR(tfm_cbc)) {
319 result = PTR_ERR(tfm_cbc);
320 printk(KERN_ERR "E: can't load CBC(AES): %d\n", (int)result);
321 goto error_alloc_cbc;
323 result = crypto_skcipher_setkey(tfm_cbc, key, 16);
325 printk(KERN_ERR "E: can't set CBC key: %d\n", (int)result);
326 goto error_setkey_cbc;
329 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
330 if (IS_ERR(tfm_aes)) {
331 result = PTR_ERR(tfm_aes);
332 printk(KERN_ERR "E: can't load AES: %d\n", (int)result);
333 goto error_alloc_aes;
335 result = crypto_cipher_setkey(tfm_aes, key, 16);
337 printk(KERN_ERR "E: can't set AES key: %d\n", (int)result);
338 goto error_setkey_aes;
340 scratch = kmalloc(sizeof(*scratch), GFP_KERNEL);
343 goto error_alloc_scratch;
346 for (bitr = 0; bitr < (len + 63) / 64; bitr++) {
347 sfn_le = cpu_to_le64(sfn++);
348 memcpy(&n.sfn, &sfn_le, sizeof(n.sfn)); /* n.sfn++... */
349 result = wusb_ccm_mac(tfm_cbc, tfm_aes, scratch, out + bytes,
361 crypto_free_cipher(tfm_aes);
364 crypto_free_skcipher(tfm_cbc);
369 /* WUSB1.0[A.2] test vectors */
370 static const u8 stv_hsmic_key[16] = {
371 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
372 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
375 static const struct aes_ccm_nonce stv_hsmic_n = {
377 .tkid = { 0x76, 0x98, 0x01, },
378 .dest_addr = { .data = { 0xbe, 0x00 } },
379 .src_addr = { .data = { 0x76, 0x98 } },
383 * Out-of-band MIC Generation verification code
386 static int wusb_oob_mic_verify(void)
390 /* WUSB1.0[A.2] test vectors
392 * Need to keep it in the local stack as GCC 4.1.3something
393 * messes up and generates noise.
395 struct usb_handshake stv_hsmic_hs = {
398 .tTKID = { 0x76, 0x98, 0x01 },
400 .CDID = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
401 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
402 0x3c, 0x3d, 0x3e, 0x3f },
403 .nonce = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
404 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
405 0x2c, 0x2d, 0x2e, 0x2f },
406 .MIC = { 0x75, 0x6a, 0x97, 0x51, 0x0c, 0x8c,
411 result = wusb_oob_mic(mic, stv_hsmic_key, &stv_hsmic_n, &stv_hsmic_hs);
413 printk(KERN_ERR "E: WUSB OOB MIC test: failed: %d\n", result);
414 else if (memcmp(stv_hsmic_hs.MIC, mic, sizeof(mic))) {
415 printk(KERN_ERR "E: OOB MIC test: "
416 "mismatch between MIC result and WUSB1.0[A2]\n");
417 hs_size = sizeof(stv_hsmic_hs) - sizeof(stv_hsmic_hs.MIC);
418 printk(KERN_ERR "E: Handshake2 in: (%zu bytes)\n", hs_size);
419 wusb_key_dump(&stv_hsmic_hs, hs_size);
420 printk(KERN_ERR "E: CCM Nonce in: (%zu bytes)\n",
421 sizeof(stv_hsmic_n));
422 wusb_key_dump(&stv_hsmic_n, sizeof(stv_hsmic_n));
423 printk(KERN_ERR "E: MIC out:\n");
424 wusb_key_dump(mic, sizeof(mic));
425 printk(KERN_ERR "E: MIC out (from WUSB1.0[A.2]):\n");
426 wusb_key_dump(stv_hsmic_hs.MIC, sizeof(stv_hsmic_hs.MIC));
434 * Test vectors for Key derivation
436 * These come from WUSB1.0[6.5.1], the vectors in WUSB1.0[A.1]
437 * (errata corrected in 2005/07).
439 static const u8 stv_key_a1[16] __attribute__ ((__aligned__(4))) = {
440 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
441 0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f
444 static const struct aes_ccm_nonce stv_keydvt_n_a1 = {
446 .tkid = { 0x76, 0x98, 0x01, },
447 .dest_addr = { .data = { 0xbe, 0x00 } },
448 .src_addr = { .data = { 0x76, 0x98 } },
451 static const struct wusb_keydvt_out stv_keydvt_out_a1 = {
453 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
454 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
457 0xc8, 0x70, 0x62, 0x82, 0xb6, 0x7c, 0xe9, 0x06,
458 0x7b, 0xc5, 0x25, 0x69, 0xf2, 0x36, 0x61, 0x2d
463 * Performa a test to make sure we match the vectors defined in
464 * WUSB1.0[A.1](Errata2006/12)
466 static int wusb_key_derive_verify(void)
469 struct wusb_keydvt_out keydvt_out;
470 /* These come from WUSB1.0[A.1] + 2006/12 errata
471 * NOTE: can't make this const or global -- somehow it seems
472 * the scatterlists for crypto get confused and we get
473 * bad data. There is no doc on this... */
474 struct wusb_keydvt_in stv_keydvt_in_a1 = {
476 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
477 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
480 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
481 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
485 result = wusb_key_derive(&keydvt_out, stv_key_a1, &stv_keydvt_n_a1,
488 printk(KERN_ERR "E: WUSB key derivation test: "
489 "derivation failed: %d\n", result);
490 if (memcmp(&stv_keydvt_out_a1, &keydvt_out, sizeof(keydvt_out))) {
491 printk(KERN_ERR "E: WUSB key derivation test: "
492 "mismatch between key derivation result "
493 "and WUSB1.0[A1] Errata 2006/12\n");
494 printk(KERN_ERR "E: keydvt in: key\n");
495 wusb_key_dump(stv_key_a1, sizeof(stv_key_a1));
496 printk(KERN_ERR "E: keydvt in: nonce\n");
497 wusb_key_dump(&stv_keydvt_n_a1, sizeof(stv_keydvt_n_a1));
498 printk(KERN_ERR "E: keydvt in: hnonce & dnonce\n");
499 wusb_key_dump(&stv_keydvt_in_a1, sizeof(stv_keydvt_in_a1));
500 printk(KERN_ERR "E: keydvt out: KCK\n");
501 wusb_key_dump(&keydvt_out.kck, sizeof(keydvt_out.kck));
502 printk(KERN_ERR "E: keydvt out: PTK\n");
503 wusb_key_dump(&keydvt_out.ptk, sizeof(keydvt_out.ptk));
511 * Initialize crypto system
513 * FIXME: we do nothing now, other than verifying. Later on we'll
514 * cache the encryption stuff, so that's why we have a separate init.
516 int wusb_crypto_init(void)
520 if (debug_crypto_verify) {
521 result = wusb_key_derive_verify();
524 return wusb_oob_mic_verify();
529 void wusb_crypto_exit(void)
531 /* FIXME: free cached crypto transforms */