1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright 2002-2004, Instant802 Networks, Inc.
4 * Copyright 2008, Jouni Malinen <j@w1.fi>
5 * Copyright (C) 2016-2017 Intel Deutschland GmbH
6 * Copyright (C) 2020-2023 Intel Corporation
7 */
8
9#include <linux/netdevice.h>
10#include <linux/types.h>
11#include <linux/skbuff.h>
12#include <linux/compiler.h>
13#include <linux/ieee80211.h>
14#include <linux/gfp.h>
15#include <asm/unaligned.h>
16#include <net/mac80211.h>
17#include <crypto/aes.h>
18#include <crypto/utils.h>
19
20#include "ieee80211_i.h"
21#include "michael.h"
22#include "tkip.h"
23#include "aes_ccm.h"
24#include "aes_cmac.h"
25#include "aes_gmac.h"
26#include "aes_gcm.h"
27#include "wpa.h"
28
29ieee80211_tx_result
30ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
31{
32 u8 *data, *key, *mic;
33 size_t data_len;
34 unsigned int hdrlen;
35 struct ieee80211_hdr *hdr;
36 struct sk_buff *skb = tx->skb;
37 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
38 int tail;
39
40 hdr = (struct ieee80211_hdr *)skb->data;
41 if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
42 skb->len < 24 || !ieee80211_is_data_present(fc: hdr->frame_control))
43 return TX_CONTINUE;
44
45 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
46 if (skb->len < hdrlen)
47 return TX_DROP;
48
49 data = skb->data + hdrlen;
50 data_len = skb->len - hdrlen;
51
52 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
53 /* Need to use software crypto for the test */
54 info->control.hw_key = NULL;
55 }
56
57 if (info->control.hw_key &&
58 (info->flags & IEEE80211_TX_CTL_DONTFRAG ||
59 ieee80211_hw_check(&tx->local->hw, SUPPORTS_TX_FRAG)) &&
60 !(tx->key->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
61 IEEE80211_KEY_FLAG_PUT_MIC_SPACE))) {
62 /* hwaccel - with no need for SW-generated MMIC or MIC space */
63 return TX_CONTINUE;
64 }
65
66 tail = MICHAEL_MIC_LEN;
67 if (!info->control.hw_key)
68 tail += IEEE80211_TKIP_ICV_LEN;
69
70 if (WARN(skb_tailroom(skb) < tail ||
71 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN,
72 "mmic: not enough head/tail (%d/%d,%d/%d)\n",
73 skb_headroom(skb), IEEE80211_TKIP_IV_LEN,
74 skb_tailroom(skb), tail))
75 return TX_DROP;
76
77 mic = skb_put(skb, MICHAEL_MIC_LEN);
78
79 if (tx->key->conf.flags & IEEE80211_KEY_FLAG_PUT_MIC_SPACE) {
80 /* Zeroed MIC can help with debug */
81 memset(mic, 0, MICHAEL_MIC_LEN);
82 return TX_CONTINUE;
83 }
84
85 key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
86 michael_mic(key, hdr, data, data_len, mic);
87 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
88 mic[0]++;
89
90 return TX_CONTINUE;
91}
92
93
94ieee80211_rx_result
95ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
96{
97 u8 *data, *key = NULL;
98 size_t data_len;
99 unsigned int hdrlen;
100 u8 mic[MICHAEL_MIC_LEN];
101 struct sk_buff *skb = rx->skb;
102 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
103 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
104
105 /*
106 * it makes no sense to check for MIC errors on anything other
107 * than data frames.
108 */
109 if (!ieee80211_is_data_present(fc: hdr->frame_control))
110 return RX_CONTINUE;
111
112 /*
113 * No way to verify the MIC if the hardware stripped it or
114 * the IV with the key index. In this case we have solely rely
115 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
116 * MIC failure report.
117 */
118 if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
119 if (status->flag & RX_FLAG_MMIC_ERROR)
120 goto mic_fail_no_key;
121
122 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
123 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
124 goto update_iv;
125
126 return RX_CONTINUE;
127 }
128
129 /*
130 * Some hardware seems to generate Michael MIC failure reports; even
131 * though, the frame was not encrypted with TKIP and therefore has no
132 * MIC. Ignore the flag them to avoid triggering countermeasures.
133 */
134 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
135 !(status->flag & RX_FLAG_DECRYPTED))
136 return RX_CONTINUE;
137
138 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
139 /*
140 * APs with pairwise keys should never receive Michael MIC
141 * errors for non-zero keyidx because these are reserved for
142 * group keys and only the AP is sending real multicast
143 * frames in the BSS.
144 */
145 return RX_DROP_U_AP_RX_GROUPCAST;
146 }
147
148 if (status->flag & RX_FLAG_MMIC_ERROR)
149 goto mic_fail;
150
151 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
152 if (skb->len < hdrlen + MICHAEL_MIC_LEN)
153 return RX_DROP_U_SHORT_MMIC;
154
155 if (skb_linearize(skb: rx->skb))
156 return RX_DROP_U_OOM;
157 hdr = (void *)skb->data;
158
159 data = skb->data + hdrlen;
160 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
161 key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
162 michael_mic(key, hdr, data, data_len, mic);
163 if (crypto_memneq(a: mic, b: data + data_len, MICHAEL_MIC_LEN))
164 goto mic_fail;
165
166 /* remove Michael MIC from payload */
167 skb_trim(skb, len: skb->len - MICHAEL_MIC_LEN);
168
169update_iv:
170 /* update IV in key information to be able to detect replays */
171 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32;
172 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16;
173
174 return RX_CONTINUE;
175
176mic_fail:
177 rx->key->u.tkip.mic_failures++;
178
179mic_fail_no_key:
180 /*
181 * In some cases the key can be unset - e.g. a multicast packet, in
182 * a driver that supports HW encryption. Send up the key idx only if
183 * the key is set.
184 */
185 cfg80211_michael_mic_failure(dev: rx->sdata->dev, addr: hdr->addr2,
186 key_type: is_multicast_ether_addr(addr: hdr->addr1) ?
187 NL80211_KEYTYPE_GROUP :
188 NL80211_KEYTYPE_PAIRWISE,
189 key_id: rx->key ? rx->key->conf.keyidx : -1,
190 NULL, GFP_ATOMIC);
191 return RX_DROP_U_MMIC_FAIL;
192}
193
194static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
195{
196 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
197 struct ieee80211_key *key = tx->key;
198 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
199 unsigned int hdrlen;
200 int len, tail;
201 u64 pn;
202 u8 *pos;
203
204 if (info->control.hw_key &&
205 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
206 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
207 /* hwaccel - with no need for software-generated IV */
208 return 0;
209 }
210
211 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
212 len = skb->len - hdrlen;
213
214 if (info->control.hw_key)
215 tail = 0;
216 else
217 tail = IEEE80211_TKIP_ICV_LEN;
218
219 if (WARN_ON(skb_tailroom(skb) < tail ||
220 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
221 return -1;
222
223 pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
224 memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
225 pos += hdrlen;
226
227 /* the HW only needs room for the IV, but not the actual IV */
228 if (info->control.hw_key &&
229 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
230 return 0;
231
232 /* Increase IV for the frame */
233 pn = atomic64_inc_return(v: &key->conf.tx_pn);
234 pos = ieee80211_tkip_add_iv(pos, keyconf: &key->conf, pn);
235
236 /* hwaccel - with software IV */
237 if (info->control.hw_key)
238 return 0;
239
240 /* Add room for ICV */
241 skb_put(skb, IEEE80211_TKIP_ICV_LEN);
242
243 return ieee80211_tkip_encrypt_data(ctx: &tx->local->wep_tx_ctx,
244 key, skb, payload: pos, payload_len: len);
245}
246
247
248ieee80211_tx_result
249ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx)
250{
251 struct sk_buff *skb;
252
253 ieee80211_tx_set_protected(tx);
254
255 skb_queue_walk(&tx->skbs, skb) {
256 if (tkip_encrypt_skb(tx, skb) < 0)
257 return TX_DROP;
258 }
259
260 return TX_CONTINUE;
261}
262
263
264ieee80211_rx_result
265ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
266{
267 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
268 int hdrlen, res, hwaccel = 0;
269 struct ieee80211_key *key = rx->key;
270 struct sk_buff *skb = rx->skb;
271 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
272
273 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
274
275 if (!ieee80211_is_data(fc: hdr->frame_control))
276 return RX_CONTINUE;
277
278 if (!rx->sta || skb->len - hdrlen < 12)
279 return RX_DROP_U_SHORT_TKIP;
280
281 /* it may be possible to optimize this a bit more */
282 if (skb_linearize(skb: rx->skb))
283 return RX_DROP_U_OOM;
284 hdr = (void *)skb->data;
285
286 /*
287 * Let TKIP code verify IV, but skip decryption.
288 * In the case where hardware checks the IV as well,
289 * we don't even get here, see ieee80211_rx_h_decrypt()
290 */
291 if (status->flag & RX_FLAG_DECRYPTED)
292 hwaccel = 1;
293
294 res = ieee80211_tkip_decrypt_data(ctx: &rx->local->wep_rx_ctx,
295 key, payload: skb->data + hdrlen,
296 payload_len: skb->len - hdrlen, ta: rx->sta->sta.addr,
297 ra: hdr->addr1, only_iv: hwaccel, queue: rx->security_idx,
298 out_iv32: &rx->tkip.iv32,
299 out_iv16: &rx->tkip.iv16);
300 if (res != TKIP_DECRYPT_OK)
301 return RX_DROP_U_TKIP_FAIL;
302
303 /* Trim ICV */
304 if (!(status->flag & RX_FLAG_ICV_STRIPPED))
305 skb_trim(skb, len: skb->len - IEEE80211_TKIP_ICV_LEN);
306
307 /* Remove IV */
308 memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
309 skb_pull(skb, IEEE80211_TKIP_IV_LEN);
310
311 return RX_CONTINUE;
312}
313
314/*
315 * Calculate AAD for CCMP/GCMP, returning qos_tid since we
316 * need that in CCMP also for b_0.
317 */
318static u8 ccmp_gcmp_aad(struct sk_buff *skb, u8 *aad)
319{
320 struct ieee80211_hdr *hdr = (void *)skb->data;
321 __le16 mask_fc;
322 int a4_included, mgmt;
323 u8 qos_tid;
324 u16 len_a = 22;
325
326 /*
327 * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
328 * Retry, PwrMgt, MoreData, Order (if Qos Data); set Protected
329 */
330 mgmt = ieee80211_is_mgmt(fc: hdr->frame_control);
331 mask_fc = hdr->frame_control;
332 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
333 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
334 if (!mgmt)
335 mask_fc &= ~cpu_to_le16(0x0070);
336 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
337
338 a4_included = ieee80211_has_a4(fc: hdr->frame_control);
339 if (a4_included)
340 len_a += 6;
341
342 if (ieee80211_is_data_qos(fc: hdr->frame_control)) {
343 qos_tid = ieee80211_get_tid(hdr);
344 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
345 len_a += 2;
346 } else {
347 qos_tid = 0;
348 }
349
350 /* AAD (extra authenticate-only data) / masked 802.11 header
351 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
352 put_unaligned_be16(val: len_a, p: &aad[0]);
353 put_unaligned(mask_fc, (__le16 *)&aad[2]);
354 memcpy(&aad[4], &hdr->addrs, 3 * ETH_ALEN);
355
356 /* Mask Seq#, leave Frag# */
357 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f;
358 aad[23] = 0;
359
360 if (a4_included) {
361 memcpy(&aad[24], hdr->addr4, ETH_ALEN);
362 aad[30] = qos_tid;
363 aad[31] = 0;
364 } else {
365 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
366 aad[24] = qos_tid;
367 }
368
369 return qos_tid;
370}
371
372static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
373{
374 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
375 u8 qos_tid = ccmp_gcmp_aad(skb, aad);
376
377 /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC
378 * mode authentication are not allowed to collide, yet both are derived
379 * from this vector b_0. We only set L := 1 here to indicate that the
380 * data size can be represented in (L+1) bytes. The CCM layer will take
381 * care of storing the data length in the top (L+1) bytes and setting
382 * and clearing the other bits as is required to derive the two IVs.
383 */
384 b_0[0] = 0x1;
385
386 /* Nonce: Nonce Flags | A2 | PN
387 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
388 */
389 b_0[1] = qos_tid | (ieee80211_is_mgmt(fc: hdr->frame_control) << 4);
390 memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
391 memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
392}
393
394static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id)
395{
396 hdr[0] = pn[5];
397 hdr[1] = pn[4];
398 hdr[2] = 0;
399 hdr[3] = 0x20 | (key_id << 6);
400 hdr[4] = pn[3];
401 hdr[5] = pn[2];
402 hdr[6] = pn[1];
403 hdr[7] = pn[0];
404}
405
406
407static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr)
408{
409 pn[0] = hdr[7];
410 pn[1] = hdr[6];
411 pn[2] = hdr[5];
412 pn[3] = hdr[4];
413 pn[4] = hdr[1];
414 pn[5] = hdr[0];
415}
416
417
418static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb,
419 unsigned int mic_len)
420{
421 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
422 struct ieee80211_key *key = tx->key;
423 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
424 int hdrlen, len, tail;
425 u8 *pos;
426 u8 pn[6];
427 u64 pn64;
428 u8 aad[CCM_AAD_LEN];
429 u8 b_0[AES_BLOCK_SIZE];
430
431 if (info->control.hw_key &&
432 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
433 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
434 !((info->control.hw_key->flags &
435 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
436 ieee80211_is_mgmt(fc: hdr->frame_control))) {
437 /*
438 * hwaccel has no need for preallocated room for CCMP
439 * header or MIC fields
440 */
441 return 0;
442 }
443
444 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
445 len = skb->len - hdrlen;
446
447 if (info->control.hw_key)
448 tail = 0;
449 else
450 tail = mic_len;
451
452 if (WARN_ON(skb_tailroom(skb) < tail ||
453 skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN))
454 return -1;
455
456 pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
457 memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
458
459 /* the HW only needs room for the IV, but not the actual IV */
460 if (info->control.hw_key &&
461 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
462 return 0;
463
464 pos += hdrlen;
465
466 pn64 = atomic64_inc_return(v: &key->conf.tx_pn);
467
468 pn[5] = pn64;
469 pn[4] = pn64 >> 8;
470 pn[3] = pn64 >> 16;
471 pn[2] = pn64 >> 24;
472 pn[1] = pn64 >> 32;
473 pn[0] = pn64 >> 40;
474
475 ccmp_pn2hdr(hdr: pos, pn, key_id: key->conf.keyidx);
476
477 /* hwaccel - with software CCMP header */
478 if (info->control.hw_key)
479 return 0;
480
481 pos += IEEE80211_CCMP_HDR_LEN;
482 ccmp_special_blocks(skb, pn, b_0, aad);
483 return ieee80211_aes_ccm_encrypt(tfm: key->u.ccmp.tfm, b_0, aad, data: pos, data_len: len,
484 mic: skb_put(skb, len: mic_len));
485}
486
487
488ieee80211_tx_result
489ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx,
490 unsigned int mic_len)
491{
492 struct sk_buff *skb;
493
494 ieee80211_tx_set_protected(tx);
495
496 skb_queue_walk(&tx->skbs, skb) {
497 if (ccmp_encrypt_skb(tx, skb, mic_len) < 0)
498 return TX_DROP;
499 }
500
501 return TX_CONTINUE;
502}
503
504
505ieee80211_rx_result
506ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
507 unsigned int mic_len)
508{
509 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
510 int hdrlen;
511 struct ieee80211_key *key = rx->key;
512 struct sk_buff *skb = rx->skb;
513 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
514 u8 pn[IEEE80211_CCMP_PN_LEN];
515 int data_len;
516 int queue;
517
518 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
519
520 if (!ieee80211_is_data(fc: hdr->frame_control) &&
521 !ieee80211_is_robust_mgmt_frame(skb))
522 return RX_CONTINUE;
523
524 if (status->flag & RX_FLAG_DECRYPTED) {
525 if (!pskb_may_pull(skb: rx->skb, len: hdrlen + IEEE80211_CCMP_HDR_LEN))
526 return RX_DROP_U_SHORT_CCMP;
527 if (status->flag & RX_FLAG_MIC_STRIPPED)
528 mic_len = 0;
529 } else {
530 if (skb_linearize(skb: rx->skb))
531 return RX_DROP_U_OOM;
532 }
533
534 /* reload hdr - skb might have been reallocated */
535 hdr = (void *)rx->skb->data;
536
537 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
538 if (!rx->sta || data_len < 0)
539 return RX_DROP_U_SHORT_CCMP;
540
541 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
542 int res;
543
544 ccmp_hdr2pn(pn, hdr: skb->data + hdrlen);
545
546 queue = rx->security_idx;
547
548 res = memcmp(p: pn, q: key->u.ccmp.rx_pn[queue],
549 IEEE80211_CCMP_PN_LEN);
550 if (res < 0 ||
551 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
552 key->u.ccmp.replays++;
553 return RX_DROP_U_REPLAY;
554 }
555
556 if (!(status->flag & RX_FLAG_DECRYPTED)) {
557 u8 aad[2 * AES_BLOCK_SIZE];
558 u8 b_0[AES_BLOCK_SIZE];
559 /* hardware didn't decrypt/verify MIC */
560 ccmp_special_blocks(skb, pn, b_0, aad);
561
562 if (ieee80211_aes_ccm_decrypt(
563 tfm: key->u.ccmp.tfm, b_0, aad,
564 data: skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN,
565 data_len,
566 mic: skb->data + skb->len - mic_len))
567 return RX_DROP_U_MIC_FAIL;
568 }
569
570 memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
571 if (unlikely(ieee80211_is_frag(hdr)))
572 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
573 }
574
575 /* Remove CCMP header and MIC */
576 if (pskb_trim(skb, len: skb->len - mic_len))
577 return RX_DROP_U_SHORT_CCMP_MIC;
578 memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
579 skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
580
581 return RX_CONTINUE;
582}
583
584static void gcmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *j_0, u8 *aad)
585{
586 struct ieee80211_hdr *hdr = (void *)skb->data;
587
588 memcpy(j_0, hdr->addr2, ETH_ALEN);
589 memcpy(&j_0[ETH_ALEN], pn, IEEE80211_GCMP_PN_LEN);
590 j_0[13] = 0;
591 j_0[14] = 0;
592 j_0[AES_BLOCK_SIZE - 1] = 0x01;
593
594 ccmp_gcmp_aad(skb, aad);
595}
596
597static inline void gcmp_pn2hdr(u8 *hdr, const u8 *pn, int key_id)
598{
599 hdr[0] = pn[5];
600 hdr[1] = pn[4];
601 hdr[2] = 0;
602 hdr[3] = 0x20 | (key_id << 6);
603 hdr[4] = pn[3];
604 hdr[5] = pn[2];
605 hdr[6] = pn[1];
606 hdr[7] = pn[0];
607}
608
609static inline void gcmp_hdr2pn(u8 *pn, const u8 *hdr)
610{
611 pn[0] = hdr[7];
612 pn[1] = hdr[6];
613 pn[2] = hdr[5];
614 pn[3] = hdr[4];
615 pn[4] = hdr[1];
616 pn[5] = hdr[0];
617}
618
619static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
620{
621 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
622 struct ieee80211_key *key = tx->key;
623 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
624 int hdrlen, len, tail;
625 u8 *pos;
626 u8 pn[6];
627 u64 pn64;
628 u8 aad[GCM_AAD_LEN];
629 u8 j_0[AES_BLOCK_SIZE];
630
631 if (info->control.hw_key &&
632 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
633 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
634 !((info->control.hw_key->flags &
635 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
636 ieee80211_is_mgmt(fc: hdr->frame_control))) {
637 /* hwaccel has no need for preallocated room for GCMP
638 * header or MIC fields
639 */
640 return 0;
641 }
642
643 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
644 len = skb->len - hdrlen;
645
646 if (info->control.hw_key)
647 tail = 0;
648 else
649 tail = IEEE80211_GCMP_MIC_LEN;
650
651 if (WARN_ON(skb_tailroom(skb) < tail ||
652 skb_headroom(skb) < IEEE80211_GCMP_HDR_LEN))
653 return -1;
654
655 pos = skb_push(skb, IEEE80211_GCMP_HDR_LEN);
656 memmove(pos, pos + IEEE80211_GCMP_HDR_LEN, hdrlen);
657 skb_set_network_header(skb, offset: skb_network_offset(skb) +
658 IEEE80211_GCMP_HDR_LEN);
659
660 /* the HW only needs room for the IV, but not the actual IV */
661 if (info->control.hw_key &&
662 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
663 return 0;
664
665 pos += hdrlen;
666
667 pn64 = atomic64_inc_return(v: &key->conf.tx_pn);
668
669 pn[5] = pn64;
670 pn[4] = pn64 >> 8;
671 pn[3] = pn64 >> 16;
672 pn[2] = pn64 >> 24;
673 pn[1] = pn64 >> 32;
674 pn[0] = pn64 >> 40;
675
676 gcmp_pn2hdr(hdr: pos, pn, key_id: key->conf.keyidx);
677
678 /* hwaccel - with software GCMP header */
679 if (info->control.hw_key)
680 return 0;
681
682 pos += IEEE80211_GCMP_HDR_LEN;
683 gcmp_special_blocks(skb, pn, j_0, aad);
684 return ieee80211_aes_gcm_encrypt(tfm: key->u.gcmp.tfm, j_0, aad, data: pos, data_len: len,
685 mic: skb_put(skb, IEEE80211_GCMP_MIC_LEN));
686}
687
688ieee80211_tx_result
689ieee80211_crypto_gcmp_encrypt(struct ieee80211_tx_data *tx)
690{
691 struct sk_buff *skb;
692
693 ieee80211_tx_set_protected(tx);
694
695 skb_queue_walk(&tx->skbs, skb) {
696 if (gcmp_encrypt_skb(tx, skb) < 0)
697 return TX_DROP;
698 }
699
700 return TX_CONTINUE;
701}
702
703ieee80211_rx_result
704ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
705{
706 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
707 int hdrlen;
708 struct ieee80211_key *key = rx->key;
709 struct sk_buff *skb = rx->skb;
710 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
711 u8 pn[IEEE80211_GCMP_PN_LEN];
712 int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
713
714 hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
715
716 if (!ieee80211_is_data(fc: hdr->frame_control) &&
717 !ieee80211_is_robust_mgmt_frame(skb))
718 return RX_CONTINUE;
719
720 if (status->flag & RX_FLAG_DECRYPTED) {
721 if (!pskb_may_pull(skb: rx->skb, len: hdrlen + IEEE80211_GCMP_HDR_LEN))
722 return RX_DROP_U_SHORT_GCMP;
723 if (status->flag & RX_FLAG_MIC_STRIPPED)
724 mic_len = 0;
725 } else {
726 if (skb_linearize(skb: rx->skb))
727 return RX_DROP_U_OOM;
728 }
729
730 /* reload hdr - skb might have been reallocated */
731 hdr = (void *)rx->skb->data;
732
733 data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
734 if (!rx->sta || data_len < 0)
735 return RX_DROP_U_SHORT_GCMP;
736
737 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
738 int res;
739
740 gcmp_hdr2pn(pn, hdr: skb->data + hdrlen);
741
742 queue = rx->security_idx;
743
744 res = memcmp(p: pn, q: key->u.gcmp.rx_pn[queue],
745 IEEE80211_GCMP_PN_LEN);
746 if (res < 0 ||
747 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
748 key->u.gcmp.replays++;
749 return RX_DROP_U_REPLAY;
750 }
751
752 if (!(status->flag & RX_FLAG_DECRYPTED)) {
753 u8 aad[2 * AES_BLOCK_SIZE];
754 u8 j_0[AES_BLOCK_SIZE];
755 /* hardware didn't decrypt/verify MIC */
756 gcmp_special_blocks(skb, pn, j_0, aad);
757
758 if (ieee80211_aes_gcm_decrypt(
759 tfm: key->u.gcmp.tfm, j_0, aad,
760 data: skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN,
761 data_len,
762 mic: skb->data + skb->len -
763 IEEE80211_GCMP_MIC_LEN))
764 return RX_DROP_U_MIC_FAIL;
765 }
766
767 memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
768 if (unlikely(ieee80211_is_frag(hdr)))
769 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
770 }
771
772 /* Remove GCMP header and MIC */
773 if (pskb_trim(skb, len: skb->len - mic_len))
774 return RX_DROP_U_SHORT_GCMP_MIC;
775 memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
776 skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
777
778 return RX_CONTINUE;
779}
780
781static void bip_aad(struct sk_buff *skb, u8 *aad)
782{
783 __le16 mask_fc;
784 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
785
786 /* BIP AAD: FC(masked) || A1 || A2 || A3 */
787
788 /* FC type/subtype */
789 /* Mask FC Retry, PwrMgt, MoreData flags to zero */
790 mask_fc = hdr->frame_control;
791 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
792 IEEE80211_FCTL_MOREDATA);
793 put_unaligned(mask_fc, (__le16 *) &aad[0]);
794 /* A1 || A2 || A3 */
795 memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN);
796}
797
798
799static inline void bip_ipn_set64(u8 *d, u64 pn)
800{
801 *d++ = pn;
802 *d++ = pn >> 8;
803 *d++ = pn >> 16;
804 *d++ = pn >> 24;
805 *d++ = pn >> 32;
806 *d = pn >> 40;
807}
808
809static inline void bip_ipn_swap(u8 *d, const u8 *s)
810{
811 *d++ = s[5];
812 *d++ = s[4];
813 *d++ = s[3];
814 *d++ = s[2];
815 *d++ = s[1];
816 *d = s[0];
817}
818
819
820ieee80211_tx_result
821ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
822{
823 struct sk_buff *skb;
824 struct ieee80211_tx_info *info;
825 struct ieee80211_key *key = tx->key;
826 struct ieee80211_mmie *mmie;
827 u8 aad[20];
828 u64 pn64;
829
830 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
831 return TX_DROP;
832
833 skb = skb_peek(list_: &tx->skbs);
834
835 info = IEEE80211_SKB_CB(skb);
836
837 if (info->control.hw_key &&
838 !(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIE))
839 return TX_CONTINUE;
840
841 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
842 return TX_DROP;
843
844 mmie = skb_put(skb, len: sizeof(*mmie));
845 mmie->element_id = WLAN_EID_MMIE;
846 mmie->length = sizeof(*mmie) - 2;
847 mmie->key_id = cpu_to_le16(key->conf.keyidx);
848
849 /* PN = PN + 1 */
850 pn64 = atomic64_inc_return(v: &key->conf.tx_pn);
851
852 bip_ipn_set64(d: mmie->sequence_number, pn: pn64);
853
854 if (info->control.hw_key)
855 return TX_CONTINUE;
856
857 bip_aad(skb, aad);
858
859 /*
860 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
861 */
862 ieee80211_aes_cmac(tfm: key->u.aes_cmac.tfm, aad,
863 data: skb->data + 24, data_len: skb->len - 24, mic: mmie->mic);
864
865 return TX_CONTINUE;
866}
867
868ieee80211_tx_result
869ieee80211_crypto_aes_cmac_256_encrypt(struct ieee80211_tx_data *tx)
870{
871 struct sk_buff *skb;
872 struct ieee80211_tx_info *info;
873 struct ieee80211_key *key = tx->key;
874 struct ieee80211_mmie_16 *mmie;
875 u8 aad[20];
876 u64 pn64;
877
878 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
879 return TX_DROP;
880
881 skb = skb_peek(list_: &tx->skbs);
882
883 info = IEEE80211_SKB_CB(skb);
884
885 if (info->control.hw_key)
886 return TX_CONTINUE;
887
888 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
889 return TX_DROP;
890
891 mmie = skb_put(skb, len: sizeof(*mmie));
892 mmie->element_id = WLAN_EID_MMIE;
893 mmie->length = sizeof(*mmie) - 2;
894 mmie->key_id = cpu_to_le16(key->conf.keyidx);
895
896 /* PN = PN + 1 */
897 pn64 = atomic64_inc_return(v: &key->conf.tx_pn);
898
899 bip_ipn_set64(d: mmie->sequence_number, pn: pn64);
900
901 bip_aad(skb, aad);
902
903 /* MIC = AES-256-CMAC(IGTK, AAD || Management Frame Body || MMIE, 128)
904 */
905 ieee80211_aes_cmac_256(tfm: key->u.aes_cmac.tfm, aad,
906 data: skb->data + 24, data_len: skb->len - 24, mic: mmie->mic);
907
908 return TX_CONTINUE;
909}
910
911ieee80211_rx_result
912ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
913{
914 struct sk_buff *skb = rx->skb;
915 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
916 struct ieee80211_key *key = rx->key;
917 struct ieee80211_mmie *mmie;
918 u8 aad[20], mic[8], ipn[6];
919 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
920
921 if (!ieee80211_is_mgmt(fc: hdr->frame_control))
922 return RX_CONTINUE;
923
924 /* management frames are already linear */
925
926 if (skb->len < 24 + sizeof(*mmie))
927 return RX_DROP_U_SHORT_CMAC;
928
929 mmie = (struct ieee80211_mmie *)
930 (skb->data + skb->len - sizeof(*mmie));
931 if (mmie->element_id != WLAN_EID_MMIE ||
932 mmie->length != sizeof(*mmie) - 2)
933 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
934
935 bip_ipn_swap(d: ipn, s: mmie->sequence_number);
936
937 if (memcmp(p: ipn, q: key->u.aes_cmac.rx_pn, size: 6) <= 0) {
938 key->u.aes_cmac.replays++;
939 return RX_DROP_U_REPLAY;
940 }
941
942 if (!(status->flag & RX_FLAG_DECRYPTED)) {
943 /* hardware didn't decrypt/verify MIC */
944 bip_aad(skb, aad);
945 ieee80211_aes_cmac(tfm: key->u.aes_cmac.tfm, aad,
946 data: skb->data + 24, data_len: skb->len - 24, mic);
947 if (crypto_memneq(a: mic, b: mmie->mic, size: sizeof(mmie->mic))) {
948 key->u.aes_cmac.icverrors++;
949 return RX_DROP_U_MIC_FAIL;
950 }
951 }
952
953 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
954
955 /* Remove MMIE */
956 skb_trim(skb, len: skb->len - sizeof(*mmie));
957
958 return RX_CONTINUE;
959}
960
961ieee80211_rx_result
962ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
963{
964 struct sk_buff *skb = rx->skb;
965 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
966 struct ieee80211_key *key = rx->key;
967 struct ieee80211_mmie_16 *mmie;
968 u8 aad[20], mic[16], ipn[6];
969 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
970
971 if (!ieee80211_is_mgmt(fc: hdr->frame_control))
972 return RX_CONTINUE;
973
974 /* management frames are already linear */
975
976 if (skb->len < 24 + sizeof(*mmie))
977 return RX_DROP_U_SHORT_CMAC256;
978
979 mmie = (struct ieee80211_mmie_16 *)
980 (skb->data + skb->len - sizeof(*mmie));
981 if (mmie->element_id != WLAN_EID_MMIE ||
982 mmie->length != sizeof(*mmie) - 2)
983 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
984
985 bip_ipn_swap(d: ipn, s: mmie->sequence_number);
986
987 if (memcmp(p: ipn, q: key->u.aes_cmac.rx_pn, size: 6) <= 0) {
988 key->u.aes_cmac.replays++;
989 return RX_DROP_U_REPLAY;
990 }
991
992 if (!(status->flag & RX_FLAG_DECRYPTED)) {
993 /* hardware didn't decrypt/verify MIC */
994 bip_aad(skb, aad);
995 ieee80211_aes_cmac_256(tfm: key->u.aes_cmac.tfm, aad,
996 data: skb->data + 24, data_len: skb->len - 24, mic);
997 if (crypto_memneq(a: mic, b: mmie->mic, size: sizeof(mmie->mic))) {
998 key->u.aes_cmac.icverrors++;
999 return RX_DROP_U_MIC_FAIL;
1000 }
1001 }
1002
1003 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
1004
1005 /* Remove MMIE */
1006 skb_trim(skb, len: skb->len - sizeof(*mmie));
1007
1008 return RX_CONTINUE;
1009}
1010
1011ieee80211_tx_result
1012ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx)
1013{
1014 struct sk_buff *skb;
1015 struct ieee80211_tx_info *info;
1016 struct ieee80211_key *key = tx->key;
1017 struct ieee80211_mmie_16 *mmie;
1018 struct ieee80211_hdr *hdr;
1019 u8 aad[GMAC_AAD_LEN];
1020 u64 pn64;
1021 u8 nonce[GMAC_NONCE_LEN];
1022
1023 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
1024 return TX_DROP;
1025
1026 skb = skb_peek(list_: &tx->skbs);
1027
1028 info = IEEE80211_SKB_CB(skb);
1029
1030 if (info->control.hw_key)
1031 return TX_CONTINUE;
1032
1033 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
1034 return TX_DROP;
1035
1036 mmie = skb_put(skb, len: sizeof(*mmie));
1037 mmie->element_id = WLAN_EID_MMIE;
1038 mmie->length = sizeof(*mmie) - 2;
1039 mmie->key_id = cpu_to_le16(key->conf.keyidx);
1040
1041 /* PN = PN + 1 */
1042 pn64 = atomic64_inc_return(v: &key->conf.tx_pn);
1043
1044 bip_ipn_set64(d: mmie->sequence_number, pn: pn64);
1045
1046 bip_aad(skb, aad);
1047
1048 hdr = (struct ieee80211_hdr *)skb->data;
1049 memcpy(nonce, hdr->addr2, ETH_ALEN);
1050 bip_ipn_swap(d: nonce + ETH_ALEN, s: mmie->sequence_number);
1051
1052 /* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */
1053 if (ieee80211_aes_gmac(tfm: key->u.aes_gmac.tfm, aad, nonce,
1054 data: skb->data + 24, data_len: skb->len - 24, mic: mmie->mic) < 0)
1055 return TX_DROP;
1056
1057 return TX_CONTINUE;
1058}
1059
1060ieee80211_rx_result
1061ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
1062{
1063 struct sk_buff *skb = rx->skb;
1064 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1065 struct ieee80211_key *key = rx->key;
1066 struct ieee80211_mmie_16 *mmie;
1067 u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
1068 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1069
1070 if (!ieee80211_is_mgmt(fc: hdr->frame_control))
1071 return RX_CONTINUE;
1072
1073 /* management frames are already linear */
1074
1075 if (skb->len < 24 + sizeof(*mmie))
1076 return RX_DROP_U_SHORT_GMAC;
1077
1078 mmie = (struct ieee80211_mmie_16 *)
1079 (skb->data + skb->len - sizeof(*mmie));
1080 if (mmie->element_id != WLAN_EID_MMIE ||
1081 mmie->length != sizeof(*mmie) - 2)
1082 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
1083
1084 bip_ipn_swap(d: ipn, s: mmie->sequence_number);
1085
1086 if (memcmp(p: ipn, q: key->u.aes_gmac.rx_pn, size: 6) <= 0) {
1087 key->u.aes_gmac.replays++;
1088 return RX_DROP_U_REPLAY;
1089 }
1090
1091 if (!(status->flag & RX_FLAG_DECRYPTED)) {
1092 /* hardware didn't decrypt/verify MIC */
1093 bip_aad(skb, aad);
1094
1095 memcpy(nonce, hdr->addr2, ETH_ALEN);
1096 memcpy(nonce + ETH_ALEN, ipn, 6);
1097
1098 mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC);
1099 if (!mic)
1100 return RX_DROP_U_OOM;
1101 if (ieee80211_aes_gmac(tfm: key->u.aes_gmac.tfm, aad, nonce,
1102 data: skb->data + 24, data_len: skb->len - 24,
1103 mic) < 0 ||
1104 crypto_memneq(a: mic, b: mmie->mic, size: sizeof(mmie->mic))) {
1105 key->u.aes_gmac.icverrors++;
1106 kfree(objp: mic);
1107 return RX_DROP_U_MIC_FAIL;
1108 }
1109 kfree(objp: mic);
1110 }
1111
1112 memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
1113
1114 /* Remove MMIE */
1115 skb_trim(skb, len: skb->len - sizeof(*mmie));
1116
1117 return RX_CONTINUE;
1118}
1119

source code of linux/net/mac80211/wpa.c