1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * FILS AEAD for (Re)Association Request/Response frames |
4 | * Copyright 2016, Qualcomm Atheros, Inc. |
5 | */ |
6 | |
7 | #include <crypto/aes.h> |
8 | #include <crypto/hash.h> |
9 | #include <crypto/skcipher.h> |
10 | #include <crypto/utils.h> |
11 | |
12 | #include "ieee80211_i.h" |
13 | #include "aes_cmac.h" |
14 | #include "fils_aead.h" |
15 | |
16 | static void gf_mulx(u8 *pad) |
17 | { |
18 | u64 a = get_unaligned_be64(p: pad); |
19 | u64 b = get_unaligned_be64(p: pad + 8); |
20 | |
21 | put_unaligned_be64(val: (a << 1) | (b >> 63), p: pad); |
22 | put_unaligned_be64(val: (b << 1) ^ ((a >> 63) ? 0x87 : 0), p: pad + 8); |
23 | } |
24 | |
25 | static int aes_s2v(struct crypto_shash *tfm, |
26 | size_t num_elem, const u8 *addr[], size_t len[], u8 *v) |
27 | { |
28 | u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {}; |
29 | SHASH_DESC_ON_STACK(desc, tfm); |
30 | size_t i; |
31 | |
32 | desc->tfm = tfm; |
33 | |
34 | /* D = AES-CMAC(K, <zero>) */ |
35 | crypto_shash_digest(desc, data: tmp, AES_BLOCK_SIZE, out: d); |
36 | |
37 | for (i = 0; i < num_elem - 1; i++) { |
38 | /* D = dbl(D) xor AES_CMAC(K, Si) */ |
39 | gf_mulx(pad: d); /* dbl */ |
40 | crypto_shash_digest(desc, data: addr[i], len: len[i], out: tmp); |
41 | crypto_xor(dst: d, src: tmp, AES_BLOCK_SIZE); |
42 | } |
43 | |
44 | crypto_shash_init(desc); |
45 | |
46 | if (len[i] >= AES_BLOCK_SIZE) { |
47 | /* len(Sn) >= 128 */ |
48 | /* T = Sn xorend D */ |
49 | crypto_shash_update(desc, data: addr[i], len: len[i] - AES_BLOCK_SIZE); |
50 | crypto_xor(dst: d, src: addr[i] + len[i] - AES_BLOCK_SIZE, |
51 | AES_BLOCK_SIZE); |
52 | } else { |
53 | /* len(Sn) < 128 */ |
54 | /* T = dbl(D) xor pad(Sn) */ |
55 | gf_mulx(pad: d); /* dbl */ |
56 | crypto_xor(dst: d, src: addr[i], size: len[i]); |
57 | d[len[i]] ^= 0x80; |
58 | } |
59 | /* V = AES-CMAC(K, T) */ |
60 | crypto_shash_finup(desc, data: d, AES_BLOCK_SIZE, out: v); |
61 | |
62 | return 0; |
63 | } |
64 | |
65 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ |
66 | static int aes_siv_encrypt(const u8 *key, size_t key_len, |
67 | const u8 *plain, size_t plain_len, |
68 | size_t num_elem, const u8 *addr[], |
69 | size_t len[], u8 *out) |
70 | { |
71 | u8 v[AES_BLOCK_SIZE]; |
72 | struct crypto_shash *tfm; |
73 | struct crypto_skcipher *tfm2; |
74 | struct skcipher_request *req; |
75 | int res; |
76 | struct scatterlist src[1], dst[1]; |
77 | u8 *tmp; |
78 | |
79 | key_len /= 2; /* S2V key || CTR key */ |
80 | |
81 | addr[num_elem] = plain; |
82 | len[num_elem] = plain_len; |
83 | num_elem++; |
84 | |
85 | /* S2V */ |
86 | |
87 | tfm = crypto_alloc_shash(alg_name: "cmac(aes)" , type: 0, mask: 0); |
88 | if (IS_ERR(ptr: tfm)) |
89 | return PTR_ERR(ptr: tfm); |
90 | /* K1 for S2V */ |
91 | res = crypto_shash_setkey(tfm, key, keylen: key_len); |
92 | if (!res) |
93 | res = aes_s2v(tfm, num_elem, addr, len, v); |
94 | crypto_free_shash(tfm); |
95 | if (res) |
96 | return res; |
97 | |
98 | /* Use a temporary buffer of the plaintext to handle need for |
99 | * overwriting this during AES-CTR. |
100 | */ |
101 | tmp = kmemdup(p: plain, size: plain_len, GFP_KERNEL); |
102 | if (!tmp) |
103 | return -ENOMEM; |
104 | |
105 | /* IV for CTR before encrypted data */ |
106 | memcpy(out, v, AES_BLOCK_SIZE); |
107 | |
108 | /* Synthetic IV to be used as the initial counter in CTR: |
109 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) |
110 | */ |
111 | v[8] &= 0x7f; |
112 | v[12] &= 0x7f; |
113 | |
114 | /* CTR */ |
115 | |
116 | tfm2 = crypto_alloc_skcipher(alg_name: "ctr(aes)" , type: 0, CRYPTO_ALG_ASYNC); |
117 | if (IS_ERR(ptr: tfm2)) { |
118 | kfree(objp: tmp); |
119 | return PTR_ERR(ptr: tfm2); |
120 | } |
121 | /* K2 for CTR */ |
122 | res = crypto_skcipher_setkey(tfm: tfm2, key: key + key_len, keylen: key_len); |
123 | if (res) |
124 | goto fail; |
125 | |
126 | req = skcipher_request_alloc(tfm: tfm2, GFP_KERNEL); |
127 | if (!req) { |
128 | res = -ENOMEM; |
129 | goto fail; |
130 | } |
131 | |
132 | sg_init_one(src, tmp, plain_len); |
133 | sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len); |
134 | skcipher_request_set_crypt(req, src, dst, cryptlen: plain_len, iv: v); |
135 | res = crypto_skcipher_encrypt(req); |
136 | skcipher_request_free(req); |
137 | fail: |
138 | kfree(objp: tmp); |
139 | crypto_free_skcipher(tfm: tfm2); |
140 | return res; |
141 | } |
142 | |
143 | /* Note: addr[] and len[] needs to have one extra slot at the end. */ |
144 | static int aes_siv_decrypt(const u8 *key, size_t key_len, |
145 | const u8 *iv_crypt, size_t iv_c_len, |
146 | size_t num_elem, const u8 *addr[], size_t len[], |
147 | u8 *out) |
148 | { |
149 | struct crypto_shash *tfm; |
150 | struct crypto_skcipher *tfm2; |
151 | struct skcipher_request *req; |
152 | struct scatterlist src[1], dst[1]; |
153 | size_t crypt_len; |
154 | int res; |
155 | u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE]; |
156 | u8 check[AES_BLOCK_SIZE]; |
157 | |
158 | crypt_len = iv_c_len - AES_BLOCK_SIZE; |
159 | key_len /= 2; /* S2V key || CTR key */ |
160 | addr[num_elem] = out; |
161 | len[num_elem] = crypt_len; |
162 | num_elem++; |
163 | |
164 | memcpy(iv, iv_crypt, AES_BLOCK_SIZE); |
165 | memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE); |
166 | |
167 | /* Synthetic IV to be used as the initial counter in CTR: |
168 | * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) |
169 | */ |
170 | iv[8] &= 0x7f; |
171 | iv[12] &= 0x7f; |
172 | |
173 | /* CTR */ |
174 | |
175 | tfm2 = crypto_alloc_skcipher(alg_name: "ctr(aes)" , type: 0, CRYPTO_ALG_ASYNC); |
176 | if (IS_ERR(ptr: tfm2)) |
177 | return PTR_ERR(ptr: tfm2); |
178 | /* K2 for CTR */ |
179 | res = crypto_skcipher_setkey(tfm: tfm2, key: key + key_len, keylen: key_len); |
180 | if (res) { |
181 | crypto_free_skcipher(tfm: tfm2); |
182 | return res; |
183 | } |
184 | |
185 | req = skcipher_request_alloc(tfm: tfm2, GFP_KERNEL); |
186 | if (!req) { |
187 | crypto_free_skcipher(tfm: tfm2); |
188 | return -ENOMEM; |
189 | } |
190 | |
191 | sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len); |
192 | sg_init_one(dst, out, crypt_len); |
193 | skcipher_request_set_crypt(req, src, dst, cryptlen: crypt_len, iv); |
194 | res = crypto_skcipher_decrypt(req); |
195 | skcipher_request_free(req); |
196 | crypto_free_skcipher(tfm: tfm2); |
197 | if (res) |
198 | return res; |
199 | |
200 | /* S2V */ |
201 | |
202 | tfm = crypto_alloc_shash(alg_name: "cmac(aes)" , type: 0, mask: 0); |
203 | if (IS_ERR(ptr: tfm)) |
204 | return PTR_ERR(ptr: tfm); |
205 | /* K1 for S2V */ |
206 | res = crypto_shash_setkey(tfm, key, keylen: key_len); |
207 | if (!res) |
208 | res = aes_s2v(tfm, num_elem, addr, len, v: check); |
209 | crypto_free_shash(tfm); |
210 | if (res) |
211 | return res; |
212 | if (memcmp(p: check, q: frame_iv, AES_BLOCK_SIZE) != 0) |
213 | return -EINVAL; |
214 | return 0; |
215 | } |
216 | |
217 | int fils_encrypt_assoc_req(struct sk_buff *skb, |
218 | struct ieee80211_mgd_assoc_data *assoc_data) |
219 | { |
220 | struct ieee80211_mgmt *mgmt = (void *)skb->data; |
221 | u8 *capab, *ies, *encr; |
222 | const u8 *addr[5 + 1]; |
223 | const struct element *session; |
224 | size_t len[5 + 1]; |
225 | size_t crypt_len; |
226 | |
227 | if (ieee80211_is_reassoc_req(fc: mgmt->frame_control)) { |
228 | capab = (u8 *)&mgmt->u.reassoc_req.capab_info; |
229 | ies = mgmt->u.reassoc_req.variable; |
230 | } else { |
231 | capab = (u8 *)&mgmt->u.assoc_req.capab_info; |
232 | ies = mgmt->u.assoc_req.variable; |
233 | } |
234 | |
235 | session = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_FILS_SESSION, |
236 | ies, len: skb->data + skb->len - ies); |
237 | if (!session || session->datalen != 1 + 8) |
238 | return -EINVAL; |
239 | /* encrypt after FILS Session element */ |
240 | encr = (u8 *)session->data + 1 + 8; |
241 | |
242 | /* AES-SIV AAD vectors */ |
243 | |
244 | /* The STA's MAC address */ |
245 | addr[0] = mgmt->sa; |
246 | len[0] = ETH_ALEN; |
247 | /* The AP's BSSID */ |
248 | addr[1] = mgmt->da; |
249 | len[1] = ETH_ALEN; |
250 | /* The STA's nonce */ |
251 | addr[2] = assoc_data->fils_nonces; |
252 | len[2] = FILS_NONCE_LEN; |
253 | /* The AP's nonce */ |
254 | addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; |
255 | len[3] = FILS_NONCE_LEN; |
256 | /* The (Re)Association Request frame from the Capability Information |
257 | * field to the FILS Session element (both inclusive). |
258 | */ |
259 | addr[4] = capab; |
260 | len[4] = encr - capab; |
261 | |
262 | crypt_len = skb->data + skb->len - encr; |
263 | skb_put(skb, AES_BLOCK_SIZE); |
264 | return aes_siv_encrypt(key: assoc_data->fils_kek, key_len: assoc_data->fils_kek_len, |
265 | plain: encr, plain_len: crypt_len, num_elem: 5, addr, len, out: encr); |
266 | } |
267 | |
268 | int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, |
269 | u8 *frame, size_t *frame_len, |
270 | struct ieee80211_mgd_assoc_data *assoc_data) |
271 | { |
272 | struct ieee80211_mgmt *mgmt = (void *)frame; |
273 | u8 *capab, *ies, *encr; |
274 | const u8 *addr[5 + 1]; |
275 | const struct element *session; |
276 | size_t len[5 + 1]; |
277 | int res; |
278 | size_t crypt_len; |
279 | |
280 | if (*frame_len < 24 + 6) |
281 | return -EINVAL; |
282 | |
283 | capab = (u8 *)&mgmt->u.assoc_resp.capab_info; |
284 | ies = mgmt->u.assoc_resp.variable; |
285 | session = cfg80211_find_ext_elem(ext_eid: WLAN_EID_EXT_FILS_SESSION, |
286 | ies, len: frame + *frame_len - ies); |
287 | if (!session || session->datalen != 1 + 8) { |
288 | mlme_dbg(sdata, |
289 | "No (valid) FILS Session element in (Re)Association Response frame from %pM" , |
290 | mgmt->sa); |
291 | return -EINVAL; |
292 | } |
293 | /* decrypt after FILS Session element */ |
294 | encr = (u8 *)session->data + 1 + 8; |
295 | |
296 | /* AES-SIV AAD vectors */ |
297 | |
298 | /* The AP's BSSID */ |
299 | addr[0] = mgmt->sa; |
300 | len[0] = ETH_ALEN; |
301 | /* The STA's MAC address */ |
302 | addr[1] = mgmt->da; |
303 | len[1] = ETH_ALEN; |
304 | /* The AP's nonce */ |
305 | addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; |
306 | len[2] = FILS_NONCE_LEN; |
307 | /* The STA's nonce */ |
308 | addr[3] = assoc_data->fils_nonces; |
309 | len[3] = FILS_NONCE_LEN; |
310 | /* The (Re)Association Response frame from the Capability Information |
311 | * field to the FILS Session element (both inclusive). |
312 | */ |
313 | addr[4] = capab; |
314 | len[4] = encr - capab; |
315 | |
316 | crypt_len = frame + *frame_len - encr; |
317 | if (crypt_len < AES_BLOCK_SIZE) { |
318 | mlme_dbg(sdata, |
319 | "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM" , |
320 | mgmt->sa); |
321 | return -EINVAL; |
322 | } |
323 | res = aes_siv_decrypt(key: assoc_data->fils_kek, key_len: assoc_data->fils_kek_len, |
324 | iv_crypt: encr, iv_c_len: crypt_len, num_elem: 5, addr, len, out: encr); |
325 | if (res != 0) { |
326 | mlme_dbg(sdata, |
327 | "AES-SIV decryption of (Re)Association Response frame from %pM failed" , |
328 | mgmt->sa); |
329 | return res; |
330 | } |
331 | *frame_len -= AES_BLOCK_SIZE; |
332 | return 0; |
333 | } |
334 | |