3 * AES-128 CCM Encryption
5 * Copyright (C) 2007 Intel Corporation
6 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License version
10 * 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 * We don't do any encryption here; we use the Linux Kernel's AES-128
24 * crypto modules to construct keys and payload blocks in a way
25 * defined by WUSB1.0[6]. Check the erratas, as typos are are patched
28 * Thanks a zillion to John Keys for his help and clarifications over
29 * the designed-by-a-committee text.
31 * So the idea is that there is this basic Pseudo-Random-Function
32 * defined in WUSB1.0[6.5] which is the core of everything. It works
33 * by tweaking some blocks, AES crypting them and then xoring
34 * something else with them (this seems to be called CBC(AES) -- can
35 * you tell I know jack about crypto?). So we just funnel it into the
38 * We leave a crypto test module so we can verify that vectors match,
41 * Block size: 16 bytes -- AES seems to do things in 'block sizes'. I
42 * am learning a lot...
44 * Conveniently, some data structures that need to be
45 * funneled through AES are...16 bytes in size!
48 #include <crypto/skcipher.h>
49 #include <linux/crypto.h>
50 #include <linux/module.h>
51 #include <linux/err.h>
52 #include <linux/uwb.h>
53 #include <linux/slab.h>
54 #include <linux/usb/wusb.h>
55 #include <linux/scatterlist.h>
57 static int debug_crypto_verify;
59 module_param(debug_crypto_verify, int, 0);
60 MODULE_PARM_DESC(debug_crypto_verify, "verify the key generation algorithms");
62 static void wusb_key_dump(const void *buf, size_t len)
64 print_hex_dump(KERN_ERR, " ", DUMP_PREFIX_OFFSET, 16, 1,
69 * Block of data, as understood by AES-CCM
71 * The code assumes this structure is nothing but a 16 byte array
72 * (packed in a struct to avoid common mess ups that I usually do with
73 * arrays and enforcing type checking).
75 struct aes_ccm_block {
77 } __attribute__((packed));
80 * Counter-mode Blocks (WUSB1.0[6.4])
82 * According to CCM (or so it seems), for the purpose of calculating
83 * the MIC, the message is broken in N counter-mode blocks, B0, B1,
86 * B0 contains flags, the CCM nonce and l(m).
88 * B1 contains l(a), the MAC header, the encryption offset and padding.
90 * If EO is nonzero, additional blocks are built from payload bytes
91 * until EO is exhausted (FIXME: padding to 16 bytes, I guess). The
92 * padding is not xmitted.
97 u8 flags; /* 0x59, per CCM spec */
98 struct aes_ccm_nonce ccm_nonce;
100 } __attribute__((packed));
107 u8 security_reserved; /* This is always zero */
109 } __attribute__((packed));
112 * Encryption Blocks (WUSB1.0[6.4.4])
114 * CCM uses Ax blocks to generate a keystream with which the MIC and
115 * the message's payload are encoded. A0 always encrypts/decrypts the
116 * MIC. Ax (x>0) are used for the successive payload blocks.
118 * The x is the counter, and is increased for each block.
121 u8 flags; /* 0x01, per CCM spec */
122 struct aes_ccm_nonce ccm_nonce;
123 __be16 counter; /* Value of x */
124 } __attribute__((packed));
126 static void bytewise_xor(void *_bo, const void *_bi1, const void *_bi2,
130 const u8 *bi1 = _bi1, *bi2 = _bi2;
132 for (itr = 0; itr < size; itr++)
133 bo[itr] = bi1[itr] ^ bi2[itr];
137 * CC-MAC function WUSB1.0[6.5]
139 * Take a data string and produce the encrypted CBC Counter-mode MIC
141 * Note the names for most function arguments are made to (more or
142 * less) match those used in the pseudo-function definition given in
145 * @tfm_cbc: CBC(AES) blkcipher handle (initialized)
147 * @tfm_aes: AES cipher handle (initialized)
149 * @mic: buffer for placing the computed MIC (Message Integrity
150 * Code). This is exactly 8 bytes, and we expect the buffer to
151 * be at least eight bytes in length.
153 * @key: 128 bit symmetric key
157 * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
158 * we use exactly 14 bytes).
160 * @b: data stream to be processed; cannot be a global or const local
161 * (will confuse the scatterlists)
163 * @blen: size of b...
165 * Still not very clear how this is done, but looks like this: we
166 * create block B0 (as WUSB1.0[6.5] says), then we AES-crypt it with
167 * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
168 * take the payload and divide it in blocks (16 bytes), xor them with
169 * the previous crypto result (16 bytes) and crypt it, repeat the next
170 * block with the output of the previous one, rinse wash (I guess this
171 * is what AES CBC mode means...but I truly have no idea). So we use
172 * the CBC(AES) blkcipher, that does precisely that. The IV (Initial
173 * Vector) is 16 bytes and is set to zero, so
175 * See rfc3610. Linux crypto has a CBC implementation, but the
176 * documentation is scarce, to say the least, and the example code is
177 * so intricated that is difficult to understand how things work. Most
178 * of this is guess work -- bite me.
180 * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
181 * using the 14 bytes of @a to fill up
182 * b1.{mac_header,e0,security_reserved,padding}.
184 * NOTE: The definition of l(a) in WUSB1.0[6.5] vs the definition of
185 * l(m) is orthogonal, they bear no relationship, so it is not
186 * in conflict with the parameter's relation that
187 * WUSB1.0[6.4.2]) defines.
189 * NOTE: WUSB1.0[A.1]: Host Nonce is missing a nibble? (1e); fixed in
190 * first errata released on 2005/07.
192 * NOTE: we need to clean IV to zero at each invocation to make sure
193 * we start with a fresh empty Initial Vector, so that the CBC
196 * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
197 * what sg[4] is for. Maybe there is a smarter way to do this.
199 static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
200 struct crypto_cipher *tfm_aes, void *mic,
201 const struct aes_ccm_nonce *n,
202 const struct aes_ccm_label *a, const void *b,
206 SKCIPHER_REQUEST_ON_STACK(req, tfm_cbc);
207 struct aes_ccm_b0 b0;
208 struct aes_ccm_b1 b1;
210 struct scatterlist sg[4], sg_dst;
213 const u8 bzero[16] = { 0 };
214 u8 iv[crypto_skcipher_ivsize(tfm_cbc)];
218 * These checks should be compile time optimized out
219 * ensure @a fills b1's mac_header and following fields
221 WARN_ON(sizeof(*a) != sizeof(b1) - sizeof(b1.la));
222 WARN_ON(sizeof(b0) != sizeof(struct aes_ccm_block));
223 WARN_ON(sizeof(b1) != sizeof(struct aes_ccm_block));
224 WARN_ON(sizeof(ax) != sizeof(struct aes_ccm_block));
227 zero_padding = blen % sizeof(struct aes_ccm_block);
229 zero_padding = sizeof(struct aes_ccm_block) - zero_padding;
230 dst_size = blen + sizeof(b0) + sizeof(b1) + zero_padding;
231 dst_buf = kzalloc(dst_size, GFP_KERNEL);
235 memset(iv, 0, sizeof(iv));
238 b0.flags = 0x59; /* Format B0 */
240 b0.lm = cpu_to_be16(0); /* WUSB1.0[6.5] sez l(m) is 0 */
244 * The WUSB spec is anything but clear! WUSB1.0[6.5]
245 * says that to initialize B1 from A with 'l(a) = blen +
246 * 14'--after clarification, it means to use A's contents
247 * for MAC Header, EO, sec reserved and padding.
249 b1.la = cpu_to_be16(blen + 14);
250 memcpy(&b1.mac_header, a, sizeof(*a));
252 sg_init_table(sg, ARRAY_SIZE(sg));
253 sg_set_buf(&sg[0], &b0, sizeof(b0));
254 sg_set_buf(&sg[1], &b1, sizeof(b1));
255 sg_set_buf(&sg[2], b, blen);
256 /* 0 if well behaved :) */
257 sg_set_buf(&sg[3], bzero, zero_padding);
258 sg_init_one(&sg_dst, dst_buf, dst_size);
260 skcipher_request_set_tfm(req, tfm_cbc);
261 skcipher_request_set_callback(req, 0, NULL, NULL);
262 skcipher_request_set_crypt(req, sg, &sg_dst, dst_size, iv);
263 result = crypto_skcipher_encrypt(req);
264 skcipher_request_zero(req);
266 printk(KERN_ERR "E: can't compute CBC-MAC tag (MIC): %d\n",
268 goto error_cbc_crypt;
271 /* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
272 * The procedure is to AES crypt the A0 block and XOR the MIC
273 * Tag against it; we only do the first 8 bytes and place it
274 * directly in the destination buffer.
276 * POS Crypto API: size is assumed to be AES's block size.
277 * Thanks for documenting it -- tip taken from airo.c
279 ax.flags = 0x01; /* as per WUSB 1.0 spec */
282 crypto_cipher_encrypt_one(tfm_aes, (void *)&ax, (void *)&ax);
283 bytewise_xor(mic, &ax, iv, 8);
292 * WUSB Pseudo Random Function (WUSB1.0[6.5])
294 * @b: buffer to the source data; cannot be a global or const local
295 * (will confuse the scatterlists)
297 ssize_t wusb_prf(void *out, size_t out_size,
298 const u8 key[16], const struct aes_ccm_nonce *_n,
299 const struct aes_ccm_label *a,
300 const void *b, size_t blen, size_t len)
302 ssize_t result, bytes = 0, bitr;
303 struct aes_ccm_nonce n = *_n;
304 struct crypto_skcipher *tfm_cbc;
305 struct crypto_cipher *tfm_aes;
309 tfm_cbc = crypto_alloc_skcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
310 if (IS_ERR(tfm_cbc)) {
311 result = PTR_ERR(tfm_cbc);
312 printk(KERN_ERR "E: can't load CBC(AES): %d\n", (int)result);
313 goto error_alloc_cbc;
315 result = crypto_skcipher_setkey(tfm_cbc, key, 16);
317 printk(KERN_ERR "E: can't set CBC key: %d\n", (int)result);
318 goto error_setkey_cbc;
321 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
322 if (IS_ERR(tfm_aes)) {
323 result = PTR_ERR(tfm_aes);
324 printk(KERN_ERR "E: can't load AES: %d\n", (int)result);
325 goto error_alloc_aes;
327 result = crypto_cipher_setkey(tfm_aes, key, 16);
329 printk(KERN_ERR "E: can't set AES key: %d\n", (int)result);
330 goto error_setkey_aes;
333 for (bitr = 0; bitr < (len + 63) / 64; bitr++) {
334 sfn_le = cpu_to_le64(sfn++);
335 memcpy(&n.sfn, &sfn_le, sizeof(n.sfn)); /* n.sfn++... */
336 result = wusb_ccm_mac(tfm_cbc, tfm_aes, out + bytes,
345 crypto_free_cipher(tfm_aes);
348 crypto_free_skcipher(tfm_cbc);
353 /* WUSB1.0[A.2] test vectors */
354 static const u8 stv_hsmic_key[16] = {
355 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
356 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
359 static const struct aes_ccm_nonce stv_hsmic_n = {
361 .tkid = { 0x76, 0x98, 0x01, },
362 .dest_addr = { .data = { 0xbe, 0x00 } },
363 .src_addr = { .data = { 0x76, 0x98 } },
367 * Out-of-band MIC Generation verification code
370 static int wusb_oob_mic_verify(void)
374 /* WUSB1.0[A.2] test vectors
376 * Need to keep it in the local stack as GCC 4.1.3something
377 * messes up and generates noise.
379 struct usb_handshake stv_hsmic_hs = {
382 .tTKID = { 0x76, 0x98, 0x01 },
384 .CDID = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
385 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
386 0x3c, 0x3d, 0x3e, 0x3f },
387 .nonce = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
388 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
389 0x2c, 0x2d, 0x2e, 0x2f },
390 .MIC = { 0x75, 0x6a, 0x97, 0x51, 0x0c, 0x8c,
395 result = wusb_oob_mic(mic, stv_hsmic_key, &stv_hsmic_n, &stv_hsmic_hs);
397 printk(KERN_ERR "E: WUSB OOB MIC test: failed: %d\n", result);
398 else if (memcmp(stv_hsmic_hs.MIC, mic, sizeof(mic))) {
399 printk(KERN_ERR "E: OOB MIC test: "
400 "mismatch between MIC result and WUSB1.0[A2]\n");
401 hs_size = sizeof(stv_hsmic_hs) - sizeof(stv_hsmic_hs.MIC);
402 printk(KERN_ERR "E: Handshake2 in: (%zu bytes)\n", hs_size);
403 wusb_key_dump(&stv_hsmic_hs, hs_size);
404 printk(KERN_ERR "E: CCM Nonce in: (%zu bytes)\n",
405 sizeof(stv_hsmic_n));
406 wusb_key_dump(&stv_hsmic_n, sizeof(stv_hsmic_n));
407 printk(KERN_ERR "E: MIC out:\n");
408 wusb_key_dump(mic, sizeof(mic));
409 printk(KERN_ERR "E: MIC out (from WUSB1.0[A.2]):\n");
410 wusb_key_dump(stv_hsmic_hs.MIC, sizeof(stv_hsmic_hs.MIC));
418 * Test vectors for Key derivation
420 * These come from WUSB1.0[6.5.1], the vectors in WUSB1.0[A.1]
421 * (errata corrected in 2005/07).
423 static const u8 stv_key_a1[16] __attribute__ ((__aligned__(4))) = {
424 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
425 0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f
428 static const struct aes_ccm_nonce stv_keydvt_n_a1 = {
430 .tkid = { 0x76, 0x98, 0x01, },
431 .dest_addr = { .data = { 0xbe, 0x00 } },
432 .src_addr = { .data = { 0x76, 0x98 } },
435 static const struct wusb_keydvt_out stv_keydvt_out_a1 = {
437 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
438 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
441 0xc8, 0x70, 0x62, 0x82, 0xb6, 0x7c, 0xe9, 0x06,
442 0x7b, 0xc5, 0x25, 0x69, 0xf2, 0x36, 0x61, 0x2d
447 * Performa a test to make sure we match the vectors defined in
448 * WUSB1.0[A.1](Errata2006/12)
450 static int wusb_key_derive_verify(void)
453 struct wusb_keydvt_out keydvt_out;
454 /* These come from WUSB1.0[A.1] + 2006/12 errata
455 * NOTE: can't make this const or global -- somehow it seems
456 * the scatterlists for crypto get confused and we get
457 * bad data. There is no doc on this... */
458 struct wusb_keydvt_in stv_keydvt_in_a1 = {
460 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
461 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
464 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
465 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
469 result = wusb_key_derive(&keydvt_out, stv_key_a1, &stv_keydvt_n_a1,
472 printk(KERN_ERR "E: WUSB key derivation test: "
473 "derivation failed: %d\n", result);
474 if (memcmp(&stv_keydvt_out_a1, &keydvt_out, sizeof(keydvt_out))) {
475 printk(KERN_ERR "E: WUSB key derivation test: "
476 "mismatch between key derivation result "
477 "and WUSB1.0[A1] Errata 2006/12\n");
478 printk(KERN_ERR "E: keydvt in: key\n");
479 wusb_key_dump(stv_key_a1, sizeof(stv_key_a1));
480 printk(KERN_ERR "E: keydvt in: nonce\n");
481 wusb_key_dump(&stv_keydvt_n_a1, sizeof(stv_keydvt_n_a1));
482 printk(KERN_ERR "E: keydvt in: hnonce & dnonce\n");
483 wusb_key_dump(&stv_keydvt_in_a1, sizeof(stv_keydvt_in_a1));
484 printk(KERN_ERR "E: keydvt out: KCK\n");
485 wusb_key_dump(&keydvt_out.kck, sizeof(keydvt_out.kck));
486 printk(KERN_ERR "E: keydvt out: PTK\n");
487 wusb_key_dump(&keydvt_out.ptk, sizeof(keydvt_out.ptk));
495 * Initialize crypto system
497 * FIXME: we do nothing now, other than verifying. Later on we'll
498 * cache the encryption stuff, so that's why we have a separate init.
500 int wusb_crypto_init(void)
504 if (debug_crypto_verify) {
505 result = wusb_key_derive_verify();
508 return wusb_oob_mic_verify();
513 void wusb_crypto_exit(void)
515 /* FIXME: free cached crypto transforms */