Loading...
1/*
2 * Copyright 2002-2004, Instant802 Networks, Inc.
3 * Copyright 2008, Jouni Malinen <j@w1.fi>
4 * Copyright (C) 2016 Intel Deutschland GmbH
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10
11#include <linux/netdevice.h>
12#include <linux/types.h>
13#include <linux/skbuff.h>
14#include <linux/compiler.h>
15#include <linux/ieee80211.h>
16#include <linux/gfp.h>
17#include <asm/unaligned.h>
18#include <net/mac80211.h>
19#include <crypto/aes.h>
20
21#include "ieee80211_i.h"
22#include "michael.h"
23#include "tkip.h"
24#include "aes_ccm.h"
25#include "aes_cmac.h"
26#include "aes_gmac.h"
27#include "aes_gcm.h"
28#include "wpa.h"
29
30ieee80211_tx_result
31ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
32{
33 u8 *data, *key, *mic;
34 size_t data_len;
35 unsigned int hdrlen;
36 struct ieee80211_hdr *hdr;
37 struct sk_buff *skb = tx->skb;
38 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
39 int tail;
40
41 hdr = (struct ieee80211_hdr *)skb->data;
42 if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
43 skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control))
44 return TX_CONTINUE;
45
46 hdrlen = ieee80211_hdrlen(hdr->frame_control);
47 if (skb->len < hdrlen)
48 return TX_DROP;
49
50 data = skb->data + hdrlen;
51 data_len = skb->len - hdrlen;
52
53 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
54 /* Need to use software crypto for the test */
55 info->control.hw_key = NULL;
56 }
57
58 if (info->control.hw_key &&
59 (info->flags & IEEE80211_TX_CTL_DONTFRAG ||
60 ieee80211_hw_check(&tx->local->hw, SUPPORTS_TX_FRAG)) &&
61 !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) {
62 /* hwaccel - with no need for SW-generated MMIC */
63 return TX_CONTINUE;
64 }
65
66 tail = MICHAEL_MIC_LEN;
67 if (!info->control.hw_key)
68 tail += IEEE80211_TKIP_ICV_LEN;
69
70 if (WARN(skb_tailroom(skb) < tail ||
71 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN,
72 "mmic: not enough head/tail (%d/%d,%d/%d)\n",
73 skb_headroom(skb), IEEE80211_TKIP_IV_LEN,
74 skb_tailroom(skb), tail))
75 return TX_DROP;
76
77 key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
78 mic = skb_put(skb, MICHAEL_MIC_LEN);
79 michael_mic(key, hdr, data, data_len, mic);
80 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
81 mic[0]++;
82
83 return TX_CONTINUE;
84}
85
86
87ieee80211_rx_result
88ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
89{
90 u8 *data, *key = NULL;
91 size_t data_len;
92 unsigned int hdrlen;
93 u8 mic[MICHAEL_MIC_LEN];
94 struct sk_buff *skb = rx->skb;
95 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
96 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
97
98 /*
99 * it makes no sense to check for MIC errors on anything other
100 * than data frames.
101 */
102 if (!ieee80211_is_data_present(hdr->frame_control))
103 return RX_CONTINUE;
104
105 /*
106 * No way to verify the MIC if the hardware stripped it or
107 * the IV with the key index. In this case we have solely rely
108 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
109 * MIC failure report.
110 */
111 if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
112 if (status->flag & RX_FLAG_MMIC_ERROR)
113 goto mic_fail_no_key;
114
115 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
116 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
117 goto update_iv;
118
119 return RX_CONTINUE;
120 }
121
122 /*
123 * Some hardware seems to generate Michael MIC failure reports; even
124 * though, the frame was not encrypted with TKIP and therefore has no
125 * MIC. Ignore the flag them to avoid triggering countermeasures.
126 */
127 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
128 !(status->flag & RX_FLAG_DECRYPTED))
129 return RX_CONTINUE;
130
131 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
132 /*
133 * APs with pairwise keys should never receive Michael MIC
134 * errors for non-zero keyidx because these are reserved for
135 * group keys and only the AP is sending real multicast
136 * frames in the BSS.
137 */
138 return RX_DROP_UNUSABLE;
139 }
140
141 if (status->flag & RX_FLAG_MMIC_ERROR)
142 goto mic_fail;
143
144 hdrlen = ieee80211_hdrlen(hdr->frame_control);
145 if (skb->len < hdrlen + MICHAEL_MIC_LEN)
146 return RX_DROP_UNUSABLE;
147
148 if (skb_linearize(rx->skb))
149 return RX_DROP_UNUSABLE;
150 hdr = (void *)skb->data;
151
152 data = skb->data + hdrlen;
153 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
154 key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
155 michael_mic(key, hdr, data, data_len, mic);
156 if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
157 goto mic_fail;
158
159 /* remove Michael MIC from payload */
160 skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
161
162update_iv:
163 /* update IV in key information to be able to detect replays */
164 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
165 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
166
167 return RX_CONTINUE;
168
169mic_fail:
170 rx->key->u.tkip.mic_failures++;
171
172mic_fail_no_key:
173 /*
174 * In some cases the key can be unset - e.g. a multicast packet, in
175 * a driver that supports HW encryption. Send up the key idx only if
176 * the key is set.
177 */
178 cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2,
179 is_multicast_ether_addr(hdr->addr1) ?
180 NL80211_KEYTYPE_GROUP :
181 NL80211_KEYTYPE_PAIRWISE,
182 rx->key ? rx->key->conf.keyidx : -1,
183 NULL, GFP_ATOMIC);
184 return RX_DROP_UNUSABLE;
185}
186
187static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
188{
189 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
190 struct ieee80211_key *key = tx->key;
191 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
192 unsigned int hdrlen;
193 int len, tail;
194 u64 pn;
195 u8 *pos;
196
197 if (info->control.hw_key &&
198 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
199 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
200 /* hwaccel - with no need for software-generated IV */
201 return 0;
202 }
203
204 hdrlen = ieee80211_hdrlen(hdr->frame_control);
205 len = skb->len - hdrlen;
206
207 if (info->control.hw_key)
208 tail = 0;
209 else
210 tail = IEEE80211_TKIP_ICV_LEN;
211
212 if (WARN_ON(skb_tailroom(skb) < tail ||
213 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
214 return -1;
215
216 pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
217 memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
218 pos += hdrlen;
219
220 /* the HW only needs room for the IV, but not the actual IV */
221 if (info->control.hw_key &&
222 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
223 return 0;
224
225 /* Increase IV for the frame */
226 pn = atomic64_inc_return(&key->conf.tx_pn);
227 pos = ieee80211_tkip_add_iv(pos, &key->conf, pn);
228
229 /* hwaccel - with software IV */
230 if (info->control.hw_key)
231 return 0;
232
233 /* Add room for ICV */
234 skb_put(skb, IEEE80211_TKIP_ICV_LEN);
235
236 return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
237 key, skb, pos, len);
238}
239
240
241ieee80211_tx_result
242ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx)
243{
244 struct sk_buff *skb;
245
246 ieee80211_tx_set_protected(tx);
247
248 skb_queue_walk(&tx->skbs, skb) {
249 if (tkip_encrypt_skb(tx, skb) < 0)
250 return TX_DROP;
251 }
252
253 return TX_CONTINUE;
254}
255
256
257ieee80211_rx_result
258ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
259{
260 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
261 int hdrlen, res, hwaccel = 0;
262 struct ieee80211_key *key = rx->key;
263 struct sk_buff *skb = rx->skb;
264 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
265
266 hdrlen = ieee80211_hdrlen(hdr->frame_control);
267
268 if (!ieee80211_is_data(hdr->frame_control))
269 return RX_CONTINUE;
270
271 if (!rx->sta || skb->len - hdrlen < 12)
272 return RX_DROP_UNUSABLE;
273
274 /* it may be possible to optimize this a bit more */
275 if (skb_linearize(rx->skb))
276 return RX_DROP_UNUSABLE;
277 hdr = (void *)skb->data;
278
279 /*
280 * Let TKIP code verify IV, but skip decryption.
281 * In the case where hardware checks the IV as well,
282 * we don't even get here, see ieee80211_rx_h_decrypt()
283 */
284 if (status->flag & RX_FLAG_DECRYPTED)
285 hwaccel = 1;
286
287 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
288 key, skb->data + hdrlen,
289 skb->len - hdrlen, rx->sta->sta.addr,
290 hdr->addr1, hwaccel, rx->security_idx,
291 &rx->tkip_iv32,
292 &rx->tkip_iv16);
293 if (res != TKIP_DECRYPT_OK)
294 return RX_DROP_UNUSABLE;
295
296 /* Trim ICV */
297 skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
298
299 /* Remove IV */
300 memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
301 skb_pull(skb, IEEE80211_TKIP_IV_LEN);
302
303 return RX_CONTINUE;
304}
305
306
307static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
308{
309 __le16 mask_fc;
310 int a4_included, mgmt;
311 u8 qos_tid;
312 u16 len_a;
313 unsigned int hdrlen;
314 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
315
316 /*
317 * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
318 * Retry, PwrMgt, MoreData; set Protected
319 */
320 mgmt = ieee80211_is_mgmt(hdr->frame_control);
321 mask_fc = hdr->frame_control;
322 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
323 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
324 if (!mgmt)
325 mask_fc &= ~cpu_to_le16(0x0070);
326 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
327
328 hdrlen = ieee80211_hdrlen(hdr->frame_control);
329 len_a = hdrlen - 2;
330 a4_included = ieee80211_has_a4(hdr->frame_control);
331
332 if (ieee80211_is_data_qos(hdr->frame_control))
333 qos_tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
334 else
335 qos_tid = 0;
336
337 /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC
338 * mode authentication are not allowed to collide, yet both are derived
339 * from this vector b_0. We only set L := 1 here to indicate that the
340 * data size can be represented in (L+1) bytes. The CCM layer will take
341 * care of storing the data length in the top (L+1) bytes and setting
342 * and clearing the other bits as is required to derive the two IVs.
343 */
344 b_0[0] = 0x1;
345
346 /* Nonce: Nonce Flags | A2 | PN
347 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
348 */
349 b_0[1] = qos_tid | (mgmt << 4);
350 memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
351 memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
352
353 /* AAD (extra authenticate-only data) / masked 802.11 header
354 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
355 put_unaligned_be16(len_a, &aad[0]);
356 put_unaligned(mask_fc, (__le16 *)&aad[2]);
357 memcpy(&aad[4], &hdr->addr1, 3 * ETH_ALEN);
358
359 /* Mask Seq#, leave Frag# */
360 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f;
361 aad[23] = 0;
362
363 if (a4_included) {
364 memcpy(&aad[24], hdr->addr4, ETH_ALEN);
365 aad[30] = qos_tid;
366 aad[31] = 0;
367 } else {
368 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
369 aad[24] = qos_tid;
370 }
371}
372
373
374static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id)
375{
376 hdr[0] = pn[5];
377 hdr[1] = pn[4];
378 hdr[2] = 0;
379 hdr[3] = 0x20 | (key_id << 6);
380 hdr[4] = pn[3];
381 hdr[5] = pn[2];
382 hdr[6] = pn[1];
383 hdr[7] = pn[0];
384}
385
386
387static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr)
388{
389 pn[0] = hdr[7];
390 pn[1] = hdr[6];
391 pn[2] = hdr[5];
392 pn[3] = hdr[4];
393 pn[4] = hdr[1];
394 pn[5] = hdr[0];
395}
396
397
398static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb,
399 unsigned int mic_len)
400{
401 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
402 struct ieee80211_key *key = tx->key;
403 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
404 int hdrlen, len, tail;
405 u8 *pos;
406 u8 pn[6];
407 u64 pn64;
408 u8 aad[CCM_AAD_LEN];
409 u8 b_0[AES_BLOCK_SIZE];
410
411 if (info->control.hw_key &&
412 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
413 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
414 !((info->control.hw_key->flags &
415 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
416 ieee80211_is_mgmt(hdr->frame_control))) {
417 /*
418 * hwaccel has no need for preallocated room for CCMP
419 * header or MIC fields
420 */
421 return 0;
422 }
423
424 hdrlen = ieee80211_hdrlen(hdr->frame_control);
425 len = skb->len - hdrlen;
426
427 if (info->control.hw_key)
428 tail = 0;
429 else
430 tail = mic_len;
431
432 if (WARN_ON(skb_tailroom(skb) < tail ||
433 skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN))
434 return -1;
435
436 pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
437 memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
438
439 /* the HW only needs room for the IV, but not the actual IV */
440 if (info->control.hw_key &&
441 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
442 return 0;
443
444 hdr = (struct ieee80211_hdr *) pos;
445 pos += hdrlen;
446
447 pn64 = atomic64_inc_return(&key->conf.tx_pn);
448
449 pn[5] = pn64;
450 pn[4] = pn64 >> 8;
451 pn[3] = pn64 >> 16;
452 pn[2] = pn64 >> 24;
453 pn[1] = pn64 >> 32;
454 pn[0] = pn64 >> 40;
455
456 ccmp_pn2hdr(pos, pn, key->conf.keyidx);
457
458 /* hwaccel - with software CCMP header */
459 if (info->control.hw_key)
460 return 0;
461
462 pos += IEEE80211_CCMP_HDR_LEN;
463 ccmp_special_blocks(skb, pn, b_0, aad);
464 return ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
465 skb_put(skb, mic_len), mic_len);
466}
467
468
469ieee80211_tx_result
470ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx,
471 unsigned int mic_len)
472{
473 struct sk_buff *skb;
474
475 ieee80211_tx_set_protected(tx);
476
477 skb_queue_walk(&tx->skbs, skb) {
478 if (ccmp_encrypt_skb(tx, skb, mic_len) < 0)
479 return TX_DROP;
480 }
481
482 return TX_CONTINUE;
483}
484
485
486ieee80211_rx_result
487ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
488 unsigned int mic_len)
489{
490 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
491 int hdrlen;
492 struct ieee80211_key *key = rx->key;
493 struct sk_buff *skb = rx->skb;
494 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
495 u8 pn[IEEE80211_CCMP_PN_LEN];
496 int data_len;
497 int queue;
498
499 hdrlen = ieee80211_hdrlen(hdr->frame_control);
500
501 if (!ieee80211_is_data(hdr->frame_control) &&
502 !ieee80211_is_robust_mgmt_frame(skb))
503 return RX_CONTINUE;
504
505 if (status->flag & RX_FLAG_DECRYPTED) {
506 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
507 return RX_DROP_UNUSABLE;
508 if (status->flag & RX_FLAG_MIC_STRIPPED)
509 mic_len = 0;
510 } else {
511 if (skb_linearize(rx->skb))
512 return RX_DROP_UNUSABLE;
513 }
514
515 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
516 if (!rx->sta || data_len < 0)
517 return RX_DROP_UNUSABLE;
518
519 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
520 int res;
521
522 ccmp_hdr2pn(pn, skb->data + hdrlen);
523
524 queue = rx->security_idx;
525
526 res = memcmp(pn, key->u.ccmp.rx_pn[queue],
527 IEEE80211_CCMP_PN_LEN);
528 if (res < 0 ||
529 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
530 key->u.ccmp.replays++;
531 return RX_DROP_UNUSABLE;
532 }
533
534 if (!(status->flag & RX_FLAG_DECRYPTED)) {
535 u8 aad[2 * AES_BLOCK_SIZE];
536 u8 b_0[AES_BLOCK_SIZE];
537 /* hardware didn't decrypt/verify MIC */
538 ccmp_special_blocks(skb, pn, b_0, aad);
539
540 if (ieee80211_aes_ccm_decrypt(
541 key->u.ccmp.tfm, b_0, aad,
542 skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN,
543 data_len,
544 skb->data + skb->len - mic_len, mic_len))
545 return RX_DROP_UNUSABLE;
546 }
547
548 memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
549 }
550
551 /* Remove CCMP header and MIC */
552 if (pskb_trim(skb, skb->len - mic_len))
553 return RX_DROP_UNUSABLE;
554 memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
555 skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
556
557 return RX_CONTINUE;
558}
559
560static void gcmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *j_0, u8 *aad)
561{
562 __le16 mask_fc;
563 u8 qos_tid;
564 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
565
566 memcpy(j_0, hdr->addr2, ETH_ALEN);
567 memcpy(&j_0[ETH_ALEN], pn, IEEE80211_GCMP_PN_LEN);
568 j_0[13] = 0;
569 j_0[14] = 0;
570 j_0[AES_BLOCK_SIZE - 1] = 0x01;
571
572 /* AAD (extra authenticate-only data) / masked 802.11 header
573 * FC | A1 | A2 | A3 | SC | [A4] | [QC]
574 */
575 put_unaligned_be16(ieee80211_hdrlen(hdr->frame_control) - 2, &aad[0]);
576 /* Mask FC: zero subtype b4 b5 b6 (if not mgmt)
577 * Retry, PwrMgt, MoreData; set Protected
578 */
579 mask_fc = hdr->frame_control;
580 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
581 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
582 if (!ieee80211_is_mgmt(hdr->frame_control))
583 mask_fc &= ~cpu_to_le16(0x0070);
584 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
585
586 put_unaligned(mask_fc, (__le16 *)&aad[2]);
587 memcpy(&aad[4], &hdr->addr1, 3 * ETH_ALEN);
588
589 /* Mask Seq#, leave Frag# */
590 aad[22] = *((u8 *)&hdr->seq_ctrl) & 0x0f;
591 aad[23] = 0;
592
593 if (ieee80211_is_data_qos(hdr->frame_control))
594 qos_tid = *ieee80211_get_qos_ctl(hdr) &
595 IEEE80211_QOS_CTL_TID_MASK;
596 else
597 qos_tid = 0;
598
599 if (ieee80211_has_a4(hdr->frame_control)) {
600 memcpy(&aad[24], hdr->addr4, ETH_ALEN);
601 aad[30] = qos_tid;
602 aad[31] = 0;
603 } else {
604 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
605 aad[24] = qos_tid;
606 }
607}
608
609static inline void gcmp_pn2hdr(u8 *hdr, const u8 *pn, int key_id)
610{
611 hdr[0] = pn[5];
612 hdr[1] = pn[4];
613 hdr[2] = 0;
614 hdr[3] = 0x20 | (key_id << 6);
615 hdr[4] = pn[3];
616 hdr[5] = pn[2];
617 hdr[6] = pn[1];
618 hdr[7] = pn[0];
619}
620
621static inline void gcmp_hdr2pn(u8 *pn, const u8 *hdr)
622{
623 pn[0] = hdr[7];
624 pn[1] = hdr[6];
625 pn[2] = hdr[5];
626 pn[3] = hdr[4];
627 pn[4] = hdr[1];
628 pn[5] = hdr[0];
629}
630
631static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
632{
633 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
634 struct ieee80211_key *key = tx->key;
635 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
636 int hdrlen, len, tail;
637 u8 *pos;
638 u8 pn[6];
639 u64 pn64;
640 u8 aad[GCM_AAD_LEN];
641 u8 j_0[AES_BLOCK_SIZE];
642
643 if (info->control.hw_key &&
644 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
645 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
646 !((info->control.hw_key->flags &
647 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
648 ieee80211_is_mgmt(hdr->frame_control))) {
649 /* hwaccel has no need for preallocated room for GCMP
650 * header or MIC fields
651 */
652 return 0;
653 }
654
655 hdrlen = ieee80211_hdrlen(hdr->frame_control);
656 len = skb->len - hdrlen;
657
658 if (info->control.hw_key)
659 tail = 0;
660 else
661 tail = IEEE80211_GCMP_MIC_LEN;
662
663 if (WARN_ON(skb_tailroom(skb) < tail ||
664 skb_headroom(skb) < IEEE80211_GCMP_HDR_LEN))
665 return -1;
666
667 pos = skb_push(skb, IEEE80211_GCMP_HDR_LEN);
668 memmove(pos, pos + IEEE80211_GCMP_HDR_LEN, hdrlen);
669 skb_set_network_header(skb, skb_network_offset(skb) +
670 IEEE80211_GCMP_HDR_LEN);
671
672 /* the HW only needs room for the IV, but not the actual IV */
673 if (info->control.hw_key &&
674 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
675 return 0;
676
677 hdr = (struct ieee80211_hdr *)pos;
678 pos += hdrlen;
679
680 pn64 = atomic64_inc_return(&key->conf.tx_pn);
681
682 pn[5] = pn64;
683 pn[4] = pn64 >> 8;
684 pn[3] = pn64 >> 16;
685 pn[2] = pn64 >> 24;
686 pn[1] = pn64 >> 32;
687 pn[0] = pn64 >> 40;
688
689 gcmp_pn2hdr(pos, pn, key->conf.keyidx);
690
691 /* hwaccel - with software GCMP header */
692 if (info->control.hw_key)
693 return 0;
694
695 pos += IEEE80211_GCMP_HDR_LEN;
696 gcmp_special_blocks(skb, pn, j_0, aad);
697 return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
698 skb_put(skb, IEEE80211_GCMP_MIC_LEN));
699}
700
701ieee80211_tx_result
702ieee80211_crypto_gcmp_encrypt(struct ieee80211_tx_data *tx)
703{
704 struct sk_buff *skb;
705
706 ieee80211_tx_set_protected(tx);
707
708 skb_queue_walk(&tx->skbs, skb) {
709 if (gcmp_encrypt_skb(tx, skb) < 0)
710 return TX_DROP;
711 }
712
713 return TX_CONTINUE;
714}
715
716ieee80211_rx_result
717ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
718{
719 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
720 int hdrlen;
721 struct ieee80211_key *key = rx->key;
722 struct sk_buff *skb = rx->skb;
723 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
724 u8 pn[IEEE80211_GCMP_PN_LEN];
725 int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
726
727 hdrlen = ieee80211_hdrlen(hdr->frame_control);
728
729 if (!ieee80211_is_data(hdr->frame_control) &&
730 !ieee80211_is_robust_mgmt_frame(skb))
731 return RX_CONTINUE;
732
733 if (status->flag & RX_FLAG_DECRYPTED) {
734 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
735 return RX_DROP_UNUSABLE;
736 if (status->flag & RX_FLAG_MIC_STRIPPED)
737 mic_len = 0;
738 } else {
739 if (skb_linearize(rx->skb))
740 return RX_DROP_UNUSABLE;
741 }
742
743 data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
744 if (!rx->sta || data_len < 0)
745 return RX_DROP_UNUSABLE;
746
747 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
748 int res;
749
750 gcmp_hdr2pn(pn, skb->data + hdrlen);
751
752 queue = rx->security_idx;
753
754 res = memcmp(pn, key->u.gcmp.rx_pn[queue],
755 IEEE80211_GCMP_PN_LEN);
756 if (res < 0 ||
757 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
758 key->u.gcmp.replays++;
759 return RX_DROP_UNUSABLE;
760 }
761
762 if (!(status->flag & RX_FLAG_DECRYPTED)) {
763 u8 aad[2 * AES_BLOCK_SIZE];
764 u8 j_0[AES_BLOCK_SIZE];
765 /* hardware didn't decrypt/verify MIC */
766 gcmp_special_blocks(skb, pn, j_0, aad);
767
768 if (ieee80211_aes_gcm_decrypt(
769 key->u.gcmp.tfm, j_0, aad,
770 skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN,
771 data_len,
772 skb->data + skb->len -
773 IEEE80211_GCMP_MIC_LEN))
774 return RX_DROP_UNUSABLE;
775 }
776
777 memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
778 }
779
780 /* Remove GCMP header and MIC */
781 if (pskb_trim(skb, skb->len - mic_len))
782 return RX_DROP_UNUSABLE;
783 memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
784 skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
785
786 return RX_CONTINUE;
787}
788
789static ieee80211_tx_result
790ieee80211_crypto_cs_encrypt(struct ieee80211_tx_data *tx,
791 struct sk_buff *skb)
792{
793 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
794 struct ieee80211_key *key = tx->key;
795 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
796 int hdrlen;
797 u8 *pos, iv_len = key->conf.iv_len;
798
799 if (info->control.hw_key &&
800 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
801 /* hwaccel has no need for preallocated head room */
802 return TX_CONTINUE;
803 }
804
805 if (unlikely(skb_headroom(skb) < iv_len &&
806 pskb_expand_head(skb, iv_len, 0, GFP_ATOMIC)))
807 return TX_DROP;
808
809 hdrlen = ieee80211_hdrlen(hdr->frame_control);
810
811 pos = skb_push(skb, iv_len);
812 memmove(pos, pos + iv_len, hdrlen);
813
814 return TX_CONTINUE;
815}
816
817static inline int ieee80211_crypto_cs_pn_compare(u8 *pn1, u8 *pn2, int len)
818{
819 int i;
820
821 /* pn is little endian */
822 for (i = len - 1; i >= 0; i--) {
823 if (pn1[i] < pn2[i])
824 return -1;
825 else if (pn1[i] > pn2[i])
826 return 1;
827 }
828
829 return 0;
830}
831
832static ieee80211_rx_result
833ieee80211_crypto_cs_decrypt(struct ieee80211_rx_data *rx)
834{
835 struct ieee80211_key *key = rx->key;
836 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
837 const struct ieee80211_cipher_scheme *cs = NULL;
838 int hdrlen = ieee80211_hdrlen(hdr->frame_control);
839 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
840 int data_len;
841 u8 *rx_pn;
842 u8 *skb_pn;
843 u8 qos_tid;
844
845 if (!rx->sta || !rx->sta->cipher_scheme ||
846 !(status->flag & RX_FLAG_DECRYPTED))
847 return RX_DROP_UNUSABLE;
848
849 if (!ieee80211_is_data(hdr->frame_control))
850 return RX_CONTINUE;
851
852 cs = rx->sta->cipher_scheme;
853
854 data_len = rx->skb->len - hdrlen - cs->hdr_len;
855
856 if (data_len < 0)
857 return RX_DROP_UNUSABLE;
858
859 if (ieee80211_is_data_qos(hdr->frame_control))
860 qos_tid = *ieee80211_get_qos_ctl(hdr) &
861 IEEE80211_QOS_CTL_TID_MASK;
862 else
863 qos_tid = 0;
864
865 if (skb_linearize(rx->skb))
866 return RX_DROP_UNUSABLE;
867
868 hdr = (struct ieee80211_hdr *)rx->skb->data;
869
870 rx_pn = key->u.gen.rx_pn[qos_tid];
871 skb_pn = rx->skb->data + hdrlen + cs->pn_off;
872
873 if (ieee80211_crypto_cs_pn_compare(skb_pn, rx_pn, cs->pn_len) <= 0)
874 return RX_DROP_UNUSABLE;
875
876 memcpy(rx_pn, skb_pn, cs->pn_len);
877
878 /* remove security header and MIC */
879 if (pskb_trim(rx->skb, rx->skb->len - cs->mic_len))
880 return RX_DROP_UNUSABLE;
881
882 memmove(rx->skb->data + cs->hdr_len, rx->skb->data, hdrlen);
883 skb_pull(rx->skb, cs->hdr_len);
884
885 return RX_CONTINUE;
886}
887
888static void bip_aad(struct sk_buff *skb, u8 *aad)
889{
890 __le16 mask_fc;
891 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
892
893 /* BIP AAD: FC(masked) || A1 || A2 || A3 */
894
895 /* FC type/subtype */
896 /* Mask FC Retry, PwrMgt, MoreData flags to zero */
897 mask_fc = hdr->frame_control;
898 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
899 IEEE80211_FCTL_MOREDATA);
900 put_unaligned(mask_fc, (__le16 *) &aad[0]);
901 /* A1 || A2 || A3 */
902 memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN);
903}
904
905
906static inline void bip_ipn_set64(u8 *d, u64 pn)
907{
908 *d++ = pn;
909 *d++ = pn >> 8;
910 *d++ = pn >> 16;
911 *d++ = pn >> 24;
912 *d++ = pn >> 32;
913 *d = pn >> 40;
914}
915
916static inline void bip_ipn_swap(u8 *d, const u8 *s)
917{
918 *d++ = s[5];
919 *d++ = s[4];
920 *d++ = s[3];
921 *d++ = s[2];
922 *d++ = s[1];
923 *d = s[0];
924}
925
926
927ieee80211_tx_result
928ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
929{
930 struct sk_buff *skb;
931 struct ieee80211_tx_info *info;
932 struct ieee80211_key *key = tx->key;
933 struct ieee80211_mmie *mmie;
934 u8 aad[20];
935 u64 pn64;
936
937 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
938 return TX_DROP;
939
940 skb = skb_peek(&tx->skbs);
941
942 info = IEEE80211_SKB_CB(skb);
943
944 if (info->control.hw_key)
945 return TX_CONTINUE;
946
947 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
948 return TX_DROP;
949
950 mmie = (struct ieee80211_mmie *) skb_put(skb, sizeof(*mmie));
951 mmie->element_id = WLAN_EID_MMIE;
952 mmie->length = sizeof(*mmie) - 2;
953 mmie->key_id = cpu_to_le16(key->conf.keyidx);
954
955 /* PN = PN + 1 */
956 pn64 = atomic64_inc_return(&key->conf.tx_pn);
957
958 bip_ipn_set64(mmie->sequence_number, pn64);
959
960 bip_aad(skb, aad);
961
962 /*
963 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
964 */
965 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
966 skb->data + 24, skb->len - 24, mmie->mic);
967
968 return TX_CONTINUE;
969}
970
971ieee80211_tx_result
972ieee80211_crypto_aes_cmac_256_encrypt(struct ieee80211_tx_data *tx)
973{
974 struct sk_buff *skb;
975 struct ieee80211_tx_info *info;
976 struct ieee80211_key *key = tx->key;
977 struct ieee80211_mmie_16 *mmie;
978 u8 aad[20];
979 u64 pn64;
980
981 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
982 return TX_DROP;
983
984 skb = skb_peek(&tx->skbs);
985
986 info = IEEE80211_SKB_CB(skb);
987
988 if (info->control.hw_key)
989 return TX_CONTINUE;
990
991 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
992 return TX_DROP;
993
994 mmie = (struct ieee80211_mmie_16 *)skb_put(skb, sizeof(*mmie));
995 mmie->element_id = WLAN_EID_MMIE;
996 mmie->length = sizeof(*mmie) - 2;
997 mmie->key_id = cpu_to_le16(key->conf.keyidx);
998
999 /* PN = PN + 1 */
1000 pn64 = atomic64_inc_return(&key->conf.tx_pn);
1001
1002 bip_ipn_set64(mmie->sequence_number, pn64);
1003
1004 bip_aad(skb, aad);
1005
1006 /* MIC = AES-256-CMAC(IGTK, AAD || Management Frame Body || MMIE, 128)
1007 */
1008 ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
1009 skb->data + 24, skb->len - 24, mmie->mic);
1010
1011 return TX_CONTINUE;
1012}
1013
1014ieee80211_rx_result
1015ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
1016{
1017 struct sk_buff *skb = rx->skb;
1018 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1019 struct ieee80211_key *key = rx->key;
1020 struct ieee80211_mmie *mmie;
1021 u8 aad[20], mic[8], ipn[6];
1022 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1023
1024 if (!ieee80211_is_mgmt(hdr->frame_control))
1025 return RX_CONTINUE;
1026
1027 /* management frames are already linear */
1028
1029 if (skb->len < 24 + sizeof(*mmie))
1030 return RX_DROP_UNUSABLE;
1031
1032 mmie = (struct ieee80211_mmie *)
1033 (skb->data + skb->len - sizeof(*mmie));
1034 if (mmie->element_id != WLAN_EID_MMIE ||
1035 mmie->length != sizeof(*mmie) - 2)
1036 return RX_DROP_UNUSABLE; /* Invalid MMIE */
1037
1038 bip_ipn_swap(ipn, mmie->sequence_number);
1039
1040 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
1041 key->u.aes_cmac.replays++;
1042 return RX_DROP_UNUSABLE;
1043 }
1044
1045 if (!(status->flag & RX_FLAG_DECRYPTED)) {
1046 /* hardware didn't decrypt/verify MIC */
1047 bip_aad(skb, aad);
1048 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
1049 skb->data + 24, skb->len - 24, mic);
1050 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
1051 key->u.aes_cmac.icverrors++;
1052 return RX_DROP_UNUSABLE;
1053 }
1054 }
1055
1056 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
1057
1058 /* Remove MMIE */
1059 skb_trim(skb, skb->len - sizeof(*mmie));
1060
1061 return RX_CONTINUE;
1062}
1063
1064ieee80211_rx_result
1065ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
1066{
1067 struct sk_buff *skb = rx->skb;
1068 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1069 struct ieee80211_key *key = rx->key;
1070 struct ieee80211_mmie_16 *mmie;
1071 u8 aad[20], mic[16], ipn[6];
1072 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1073
1074 if (!ieee80211_is_mgmt(hdr->frame_control))
1075 return RX_CONTINUE;
1076
1077 /* management frames are already linear */
1078
1079 if (skb->len < 24 + sizeof(*mmie))
1080 return RX_DROP_UNUSABLE;
1081
1082 mmie = (struct ieee80211_mmie_16 *)
1083 (skb->data + skb->len - sizeof(*mmie));
1084 if (mmie->element_id != WLAN_EID_MMIE ||
1085 mmie->length != sizeof(*mmie) - 2)
1086 return RX_DROP_UNUSABLE; /* Invalid MMIE */
1087
1088 bip_ipn_swap(ipn, mmie->sequence_number);
1089
1090 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
1091 key->u.aes_cmac.replays++;
1092 return RX_DROP_UNUSABLE;
1093 }
1094
1095 if (!(status->flag & RX_FLAG_DECRYPTED)) {
1096 /* hardware didn't decrypt/verify MIC */
1097 bip_aad(skb, aad);
1098 ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
1099 skb->data + 24, skb->len - 24, mic);
1100 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
1101 key->u.aes_cmac.icverrors++;
1102 return RX_DROP_UNUSABLE;
1103 }
1104 }
1105
1106 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
1107
1108 /* Remove MMIE */
1109 skb_trim(skb, skb->len - sizeof(*mmie));
1110
1111 return RX_CONTINUE;
1112}
1113
1114ieee80211_tx_result
1115ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx)
1116{
1117 struct sk_buff *skb;
1118 struct ieee80211_tx_info *info;
1119 struct ieee80211_key *key = tx->key;
1120 struct ieee80211_mmie_16 *mmie;
1121 struct ieee80211_hdr *hdr;
1122 u8 aad[GMAC_AAD_LEN];
1123 u64 pn64;
1124 u8 nonce[GMAC_NONCE_LEN];
1125
1126 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
1127 return TX_DROP;
1128
1129 skb = skb_peek(&tx->skbs);
1130
1131 info = IEEE80211_SKB_CB(skb);
1132
1133 if (info->control.hw_key)
1134 return TX_CONTINUE;
1135
1136 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
1137 return TX_DROP;
1138
1139 mmie = (struct ieee80211_mmie_16 *)skb_put(skb, sizeof(*mmie));
1140 mmie->element_id = WLAN_EID_MMIE;
1141 mmie->length = sizeof(*mmie) - 2;
1142 mmie->key_id = cpu_to_le16(key->conf.keyidx);
1143
1144 /* PN = PN + 1 */
1145 pn64 = atomic64_inc_return(&key->conf.tx_pn);
1146
1147 bip_ipn_set64(mmie->sequence_number, pn64);
1148
1149 bip_aad(skb, aad);
1150
1151 hdr = (struct ieee80211_hdr *)skb->data;
1152 memcpy(nonce, hdr->addr2, ETH_ALEN);
1153 bip_ipn_swap(nonce + ETH_ALEN, mmie->sequence_number);
1154
1155 /* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */
1156 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1157 skb->data + 24, skb->len - 24, mmie->mic) < 0)
1158 return TX_DROP;
1159
1160 return TX_CONTINUE;
1161}
1162
1163ieee80211_rx_result
1164ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
1165{
1166 struct sk_buff *skb = rx->skb;
1167 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1168 struct ieee80211_key *key = rx->key;
1169 struct ieee80211_mmie_16 *mmie;
1170 u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN];
1171 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1172
1173 if (!ieee80211_is_mgmt(hdr->frame_control))
1174 return RX_CONTINUE;
1175
1176 /* management frames are already linear */
1177
1178 if (skb->len < 24 + sizeof(*mmie))
1179 return RX_DROP_UNUSABLE;
1180
1181 mmie = (struct ieee80211_mmie_16 *)
1182 (skb->data + skb->len - sizeof(*mmie));
1183 if (mmie->element_id != WLAN_EID_MMIE ||
1184 mmie->length != sizeof(*mmie) - 2)
1185 return RX_DROP_UNUSABLE; /* Invalid MMIE */
1186
1187 bip_ipn_swap(ipn, mmie->sequence_number);
1188
1189 if (memcmp(ipn, key->u.aes_gmac.rx_pn, 6) <= 0) {
1190 key->u.aes_gmac.replays++;
1191 return RX_DROP_UNUSABLE;
1192 }
1193
1194 if (!(status->flag & RX_FLAG_DECRYPTED)) {
1195 /* hardware didn't decrypt/verify MIC */
1196 bip_aad(skb, aad);
1197
1198 memcpy(nonce, hdr->addr2, ETH_ALEN);
1199 memcpy(nonce + ETH_ALEN, ipn, 6);
1200
1201 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1202 skb->data + 24, skb->len - 24,
1203 mic) < 0 ||
1204 memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
1205 key->u.aes_gmac.icverrors++;
1206 return RX_DROP_UNUSABLE;
1207 }
1208 }
1209
1210 memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
1211
1212 /* Remove MMIE */
1213 skb_trim(skb, skb->len - sizeof(*mmie));
1214
1215 return RX_CONTINUE;
1216}
1217
1218ieee80211_tx_result
1219ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
1220{
1221 struct sk_buff *skb;
1222 struct ieee80211_tx_info *info = NULL;
1223 ieee80211_tx_result res;
1224
1225 skb_queue_walk(&tx->skbs, skb) {
1226 info = IEEE80211_SKB_CB(skb);
1227
1228 /* handle hw-only algorithm */
1229 if (!info->control.hw_key)
1230 return TX_DROP;
1231
1232 if (tx->key->flags & KEY_FLAG_CIPHER_SCHEME) {
1233 res = ieee80211_crypto_cs_encrypt(tx, skb);
1234 if (res != TX_CONTINUE)
1235 return res;
1236 }
1237 }
1238
1239 ieee80211_tx_set_protected(tx);
1240
1241 return TX_CONTINUE;
1242}
1243
1244ieee80211_rx_result
1245ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx)
1246{
1247 if (rx->sta && rx->sta->cipher_scheme)
1248 return ieee80211_crypto_cs_decrypt(rx);
1249
1250 return RX_DROP_UNUSABLE;
1251}
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright 2002-2004, Instant802 Networks, Inc.
4 * Copyright 2008, Jouni Malinen <j@w1.fi>
5 * Copyright (C) 2016-2017 Intel Deutschland GmbH
6 * Copyright (C) 2020-2023 Intel Corporation
7 */
8
9#include <linux/netdevice.h>
10#include <linux/types.h>
11#include <linux/skbuff.h>
12#include <linux/compiler.h>
13#include <linux/ieee80211.h>
14#include <linux/gfp.h>
15#include <asm/unaligned.h>
16#include <net/mac80211.h>
17#include <crypto/aes.h>
18#include <crypto/utils.h>
19
20#include "ieee80211_i.h"
21#include "michael.h"
22#include "tkip.h"
23#include "aes_ccm.h"
24#include "aes_cmac.h"
25#include "aes_gmac.h"
26#include "aes_gcm.h"
27#include "wpa.h"
28
29ieee80211_tx_result
30ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
31{
32 u8 *data, *key, *mic;
33 size_t data_len;
34 unsigned int hdrlen;
35 struct ieee80211_hdr *hdr;
36 struct sk_buff *skb = tx->skb;
37 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
38 int tail;
39
40 hdr = (struct ieee80211_hdr *)skb->data;
41 if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
42 skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control))
43 return TX_CONTINUE;
44
45 hdrlen = ieee80211_hdrlen(hdr->frame_control);
46 if (skb->len < hdrlen)
47 return TX_DROP;
48
49 data = skb->data + hdrlen;
50 data_len = skb->len - hdrlen;
51
52 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
53 /* Need to use software crypto for the test */
54 info->control.hw_key = NULL;
55 }
56
57 if (info->control.hw_key &&
58 (info->flags & IEEE80211_TX_CTL_DONTFRAG ||
59 ieee80211_hw_check(&tx->local->hw, SUPPORTS_TX_FRAG)) &&
60 !(tx->key->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
61 IEEE80211_KEY_FLAG_PUT_MIC_SPACE))) {
62 /* hwaccel - with no need for SW-generated MMIC or MIC space */
63 return TX_CONTINUE;
64 }
65
66 tail = MICHAEL_MIC_LEN;
67 if (!info->control.hw_key)
68 tail += IEEE80211_TKIP_ICV_LEN;
69
70 if (WARN(skb_tailroom(skb) < tail ||
71 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN,
72 "mmic: not enough head/tail (%d/%d,%d/%d)\n",
73 skb_headroom(skb), IEEE80211_TKIP_IV_LEN,
74 skb_tailroom(skb), tail))
75 return TX_DROP;
76
77 mic = skb_put(skb, MICHAEL_MIC_LEN);
78
79 if (tx->key->conf.flags & IEEE80211_KEY_FLAG_PUT_MIC_SPACE) {
80 /* Zeroed MIC can help with debug */
81 memset(mic, 0, MICHAEL_MIC_LEN);
82 return TX_CONTINUE;
83 }
84
85 key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
86 michael_mic(key, hdr, data, data_len, mic);
87 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
88 mic[0]++;
89
90 return TX_CONTINUE;
91}
92
93
94ieee80211_rx_result
95ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
96{
97 u8 *data, *key = NULL;
98 size_t data_len;
99 unsigned int hdrlen;
100 u8 mic[MICHAEL_MIC_LEN];
101 struct sk_buff *skb = rx->skb;
102 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
103 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
104
105 /*
106 * it makes no sense to check for MIC errors on anything other
107 * than data frames.
108 */
109 if (!ieee80211_is_data_present(hdr->frame_control))
110 return RX_CONTINUE;
111
112 /*
113 * No way to verify the MIC if the hardware stripped it or
114 * the IV with the key index. In this case we have solely rely
115 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
116 * MIC failure report.
117 */
118 if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
119 if (status->flag & RX_FLAG_MMIC_ERROR)
120 goto mic_fail_no_key;
121
122 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
123 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
124 goto update_iv;
125
126 return RX_CONTINUE;
127 }
128
129 /*
130 * Some hardware seems to generate Michael MIC failure reports; even
131 * though, the frame was not encrypted with TKIP and therefore has no
132 * MIC. Ignore the flag them to avoid triggering countermeasures.
133 */
134 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
135 !(status->flag & RX_FLAG_DECRYPTED))
136 return RX_CONTINUE;
137
138 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
139 /*
140 * APs with pairwise keys should never receive Michael MIC
141 * errors for non-zero keyidx because these are reserved for
142 * group keys and only the AP is sending real multicast
143 * frames in the BSS.
144 */
145 return RX_DROP_U_AP_RX_GROUPCAST;
146 }
147
148 if (status->flag & RX_FLAG_MMIC_ERROR)
149 goto mic_fail;
150
151 hdrlen = ieee80211_hdrlen(hdr->frame_control);
152 if (skb->len < hdrlen + MICHAEL_MIC_LEN)
153 return RX_DROP_U_SHORT_MMIC;
154
155 if (skb_linearize(rx->skb))
156 return RX_DROP_U_OOM;
157 hdr = (void *)skb->data;
158
159 data = skb->data + hdrlen;
160 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
161 key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
162 michael_mic(key, hdr, data, data_len, mic);
163 if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
164 goto mic_fail;
165
166 /* remove Michael MIC from payload */
167 skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
168
169update_iv:
170 /* update IV in key information to be able to detect replays */
171 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32;
172 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16;
173
174 return RX_CONTINUE;
175
176mic_fail:
177 rx->key->u.tkip.mic_failures++;
178
179mic_fail_no_key:
180 /*
181 * In some cases the key can be unset - e.g. a multicast packet, in
182 * a driver that supports HW encryption. Send up the key idx only if
183 * the key is set.
184 */
185 cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2,
186 is_multicast_ether_addr(hdr->addr1) ?
187 NL80211_KEYTYPE_GROUP :
188 NL80211_KEYTYPE_PAIRWISE,
189 rx->key ? rx->key->conf.keyidx : -1,
190 NULL, GFP_ATOMIC);
191 return RX_DROP_U_MMIC_FAIL;
192}
193
194static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
195{
196 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
197 struct ieee80211_key *key = tx->key;
198 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
199 unsigned int hdrlen;
200 int len, tail;
201 u64 pn;
202 u8 *pos;
203
204 if (info->control.hw_key &&
205 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
206 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
207 /* hwaccel - with no need for software-generated IV */
208 return 0;
209 }
210
211 hdrlen = ieee80211_hdrlen(hdr->frame_control);
212 len = skb->len - hdrlen;
213
214 if (info->control.hw_key)
215 tail = 0;
216 else
217 tail = IEEE80211_TKIP_ICV_LEN;
218
219 if (WARN_ON(skb_tailroom(skb) < tail ||
220 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
221 return -1;
222
223 pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
224 memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
225 pos += hdrlen;
226
227 /* the HW only needs room for the IV, but not the actual IV */
228 if (info->control.hw_key &&
229 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
230 return 0;
231
232 /* Increase IV for the frame */
233 pn = atomic64_inc_return(&key->conf.tx_pn);
234 pos = ieee80211_tkip_add_iv(pos, &key->conf, pn);
235
236 /* hwaccel - with software IV */
237 if (info->control.hw_key)
238 return 0;
239
240 /* Add room for ICV */
241 skb_put(skb, IEEE80211_TKIP_ICV_LEN);
242
243 return ieee80211_tkip_encrypt_data(&tx->local->wep_tx_ctx,
244 key, skb, pos, len);
245}
246
247
248ieee80211_tx_result
249ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx)
250{
251 struct sk_buff *skb;
252
253 ieee80211_tx_set_protected(tx);
254
255 skb_queue_walk(&tx->skbs, skb) {
256 if (tkip_encrypt_skb(tx, skb) < 0)
257 return TX_DROP;
258 }
259
260 return TX_CONTINUE;
261}
262
263
264ieee80211_rx_result
265ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
266{
267 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
268 int hdrlen, res, hwaccel = 0;
269 struct ieee80211_key *key = rx->key;
270 struct sk_buff *skb = rx->skb;
271 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
272
273 hdrlen = ieee80211_hdrlen(hdr->frame_control);
274
275 if (!ieee80211_is_data(hdr->frame_control))
276 return RX_CONTINUE;
277
278 if (!rx->sta || skb->len - hdrlen < 12)
279 return RX_DROP_U_SHORT_TKIP;
280
281 /* it may be possible to optimize this a bit more */
282 if (skb_linearize(rx->skb))
283 return RX_DROP_U_OOM;
284 hdr = (void *)skb->data;
285
286 /*
287 * Let TKIP code verify IV, but skip decryption.
288 * In the case where hardware checks the IV as well,
289 * we don't even get here, see ieee80211_rx_h_decrypt()
290 */
291 if (status->flag & RX_FLAG_DECRYPTED)
292 hwaccel = 1;
293
294 res = ieee80211_tkip_decrypt_data(&rx->local->wep_rx_ctx,
295 key, skb->data + hdrlen,
296 skb->len - hdrlen, rx->sta->sta.addr,
297 hdr->addr1, hwaccel, rx->security_idx,
298 &rx->tkip.iv32,
299 &rx->tkip.iv16);
300 if (res != TKIP_DECRYPT_OK)
301 return RX_DROP_U_TKIP_FAIL;
302
303 /* Trim ICV */
304 if (!(status->flag & RX_FLAG_ICV_STRIPPED))
305 skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
306
307 /* Remove IV */
308 memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
309 skb_pull(skb, IEEE80211_TKIP_IV_LEN);
310
311 return RX_CONTINUE;
312}
313
314/*
315 * Calculate AAD for CCMP/GCMP, returning qos_tid since we
316 * need that in CCMP also for b_0.
317 */
318static u8 ccmp_gcmp_aad(struct sk_buff *skb, u8 *aad)
319{
320 struct ieee80211_hdr *hdr = (void *)skb->data;
321 __le16 mask_fc;
322 int a4_included, mgmt;
323 u8 qos_tid;
324 u16 len_a = 22;
325
326 /*
327 * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
328 * Retry, PwrMgt, MoreData, Order (if Qos Data); set Protected
329 */
330 mgmt = ieee80211_is_mgmt(hdr->frame_control);
331 mask_fc = hdr->frame_control;
332 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
333 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
334 if (!mgmt)
335 mask_fc &= ~cpu_to_le16(0x0070);
336 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
337
338 a4_included = ieee80211_has_a4(hdr->frame_control);
339 if (a4_included)
340 len_a += 6;
341
342 if (ieee80211_is_data_qos(hdr->frame_control)) {
343 qos_tid = ieee80211_get_tid(hdr);
344 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
345 len_a += 2;
346 } else {
347 qos_tid = 0;
348 }
349
350 /* AAD (extra authenticate-only data) / masked 802.11 header
351 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
352 put_unaligned_be16(len_a, &aad[0]);
353 put_unaligned(mask_fc, (__le16 *)&aad[2]);
354 memcpy(&aad[4], &hdr->addrs, 3 * ETH_ALEN);
355
356 /* Mask Seq#, leave Frag# */
357 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f;
358 aad[23] = 0;
359
360 if (a4_included) {
361 memcpy(&aad[24], hdr->addr4, ETH_ALEN);
362 aad[30] = qos_tid;
363 aad[31] = 0;
364 } else {
365 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
366 aad[24] = qos_tid;
367 }
368
369 return qos_tid;
370}
371
372static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
373{
374 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
375 u8 qos_tid = ccmp_gcmp_aad(skb, aad);
376
377 /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC
378 * mode authentication are not allowed to collide, yet both are derived
379 * from this vector b_0. We only set L := 1 here to indicate that the
380 * data size can be represented in (L+1) bytes. The CCM layer will take
381 * care of storing the data length in the top (L+1) bytes and setting
382 * and clearing the other bits as is required to derive the two IVs.
383 */
384 b_0[0] = 0x1;
385
386 /* Nonce: Nonce Flags | A2 | PN
387 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
388 */
389 b_0[1] = qos_tid | (ieee80211_is_mgmt(hdr->frame_control) << 4);
390 memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
391 memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
392}
393
394static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id)
395{
396 hdr[0] = pn[5];
397 hdr[1] = pn[4];
398 hdr[2] = 0;
399 hdr[3] = 0x20 | (key_id << 6);
400 hdr[4] = pn[3];
401 hdr[5] = pn[2];
402 hdr[6] = pn[1];
403 hdr[7] = pn[0];
404}
405
406
407static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr)
408{
409 pn[0] = hdr[7];
410 pn[1] = hdr[6];
411 pn[2] = hdr[5];
412 pn[3] = hdr[4];
413 pn[4] = hdr[1];
414 pn[5] = hdr[0];
415}
416
417
418static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb,
419 unsigned int mic_len)
420{
421 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
422 struct ieee80211_key *key = tx->key;
423 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
424 int hdrlen, len, tail;
425 u8 *pos;
426 u8 pn[6];
427 u64 pn64;
428 u8 aad[CCM_AAD_LEN];
429 u8 b_0[AES_BLOCK_SIZE];
430
431 if (info->control.hw_key &&
432 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
433 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
434 !((info->control.hw_key->flags &
435 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
436 ieee80211_is_mgmt(hdr->frame_control))) {
437 /*
438 * hwaccel has no need for preallocated room for CCMP
439 * header or MIC fields
440 */
441 return 0;
442 }
443
444 hdrlen = ieee80211_hdrlen(hdr->frame_control);
445 len = skb->len - hdrlen;
446
447 if (info->control.hw_key)
448 tail = 0;
449 else
450 tail = mic_len;
451
452 if (WARN_ON(skb_tailroom(skb) < tail ||
453 skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN))
454 return -1;
455
456 pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
457 memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
458
459 /* the HW only needs room for the IV, but not the actual IV */
460 if (info->control.hw_key &&
461 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
462 return 0;
463
464 pos += hdrlen;
465
466 pn64 = atomic64_inc_return(&key->conf.tx_pn);
467
468 pn[5] = pn64;
469 pn[4] = pn64 >> 8;
470 pn[3] = pn64 >> 16;
471 pn[2] = pn64 >> 24;
472 pn[1] = pn64 >> 32;
473 pn[0] = pn64 >> 40;
474
475 ccmp_pn2hdr(pos, pn, key->conf.keyidx);
476
477 /* hwaccel - with software CCMP header */
478 if (info->control.hw_key)
479 return 0;
480
481 pos += IEEE80211_CCMP_HDR_LEN;
482 ccmp_special_blocks(skb, pn, b_0, aad);
483 return ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
484 skb_put(skb, mic_len));
485}
486
487
488ieee80211_tx_result
489ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx,
490 unsigned int mic_len)
491{
492 struct sk_buff *skb;
493
494 ieee80211_tx_set_protected(tx);
495
496 skb_queue_walk(&tx->skbs, skb) {
497 if (ccmp_encrypt_skb(tx, skb, mic_len) < 0)
498 return TX_DROP;
499 }
500
501 return TX_CONTINUE;
502}
503
504
505ieee80211_rx_result
506ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
507 unsigned int mic_len)
508{
509 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
510 int hdrlen;
511 struct ieee80211_key *key = rx->key;
512 struct sk_buff *skb = rx->skb;
513 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
514 u8 pn[IEEE80211_CCMP_PN_LEN];
515 int data_len;
516 int queue;
517
518 hdrlen = ieee80211_hdrlen(hdr->frame_control);
519
520 if (!ieee80211_is_data(hdr->frame_control) &&
521 !ieee80211_is_robust_mgmt_frame(skb))
522 return RX_CONTINUE;
523
524 if (status->flag & RX_FLAG_DECRYPTED) {
525 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
526 return RX_DROP_U_SHORT_CCMP;
527 if (status->flag & RX_FLAG_MIC_STRIPPED)
528 mic_len = 0;
529 } else {
530 if (skb_linearize(rx->skb))
531 return RX_DROP_U_OOM;
532 }
533
534 /* reload hdr - skb might have been reallocated */
535 hdr = (void *)rx->skb->data;
536
537 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
538 if (!rx->sta || data_len < 0)
539 return RX_DROP_U_SHORT_CCMP;
540
541 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
542 int res;
543
544 ccmp_hdr2pn(pn, skb->data + hdrlen);
545
546 queue = rx->security_idx;
547
548 res = memcmp(pn, key->u.ccmp.rx_pn[queue],
549 IEEE80211_CCMP_PN_LEN);
550 if (res < 0 ||
551 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
552 key->u.ccmp.replays++;
553 return RX_DROP_U_REPLAY;
554 }
555
556 if (!(status->flag & RX_FLAG_DECRYPTED)) {
557 u8 aad[2 * AES_BLOCK_SIZE];
558 u8 b_0[AES_BLOCK_SIZE];
559 /* hardware didn't decrypt/verify MIC */
560 ccmp_special_blocks(skb, pn, b_0, aad);
561
562 if (ieee80211_aes_ccm_decrypt(
563 key->u.ccmp.tfm, b_0, aad,
564 skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN,
565 data_len,
566 skb->data + skb->len - mic_len))
567 return RX_DROP_U_MIC_FAIL;
568 }
569
570 memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
571 if (unlikely(ieee80211_is_frag(hdr)))
572 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
573 }
574
575 /* Remove CCMP header and MIC */
576 if (pskb_trim(skb, skb->len - mic_len))
577 return RX_DROP_U_SHORT_CCMP_MIC;
578 memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
579 skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
580
581 return RX_CONTINUE;
582}
583
584static void gcmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *j_0, u8 *aad)
585{
586 struct ieee80211_hdr *hdr = (void *)skb->data;
587
588 memcpy(j_0, hdr->addr2, ETH_ALEN);
589 memcpy(&j_0[ETH_ALEN], pn, IEEE80211_GCMP_PN_LEN);
590 j_0[13] = 0;
591 j_0[14] = 0;
592 j_0[AES_BLOCK_SIZE - 1] = 0x01;
593
594 ccmp_gcmp_aad(skb, aad);
595}
596
597static inline void gcmp_pn2hdr(u8 *hdr, const u8 *pn, int key_id)
598{
599 hdr[0] = pn[5];
600 hdr[1] = pn[4];
601 hdr[2] = 0;
602 hdr[3] = 0x20 | (key_id << 6);
603 hdr[4] = pn[3];
604 hdr[5] = pn[2];
605 hdr[6] = pn[1];
606 hdr[7] = pn[0];
607}
608
609static inline void gcmp_hdr2pn(u8 *pn, const u8 *hdr)
610{
611 pn[0] = hdr[7];
612 pn[1] = hdr[6];
613 pn[2] = hdr[5];
614 pn[3] = hdr[4];
615 pn[4] = hdr[1];
616 pn[5] = hdr[0];
617}
618
619static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
620{
621 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
622 struct ieee80211_key *key = tx->key;
623 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
624 int hdrlen, len, tail;
625 u8 *pos;
626 u8 pn[6];
627 u64 pn64;
628 u8 aad[GCM_AAD_LEN];
629 u8 j_0[AES_BLOCK_SIZE];
630
631 if (info->control.hw_key &&
632 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
633 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
634 !((info->control.hw_key->flags &
635 IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
636 ieee80211_is_mgmt(hdr->frame_control))) {
637 /* hwaccel has no need for preallocated room for GCMP
638 * header or MIC fields
639 */
640 return 0;
641 }
642
643 hdrlen = ieee80211_hdrlen(hdr->frame_control);
644 len = skb->len - hdrlen;
645
646 if (info->control.hw_key)
647 tail = 0;
648 else
649 tail = IEEE80211_GCMP_MIC_LEN;
650
651 if (WARN_ON(skb_tailroom(skb) < tail ||
652 skb_headroom(skb) < IEEE80211_GCMP_HDR_LEN))
653 return -1;
654
655 pos = skb_push(skb, IEEE80211_GCMP_HDR_LEN);
656 memmove(pos, pos + IEEE80211_GCMP_HDR_LEN, hdrlen);
657 skb_set_network_header(skb, skb_network_offset(skb) +
658 IEEE80211_GCMP_HDR_LEN);
659
660 /* the HW only needs room for the IV, but not the actual IV */
661 if (info->control.hw_key &&
662 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
663 return 0;
664
665 pos += hdrlen;
666
667 pn64 = atomic64_inc_return(&key->conf.tx_pn);
668
669 pn[5] = pn64;
670 pn[4] = pn64 >> 8;
671 pn[3] = pn64 >> 16;
672 pn[2] = pn64 >> 24;
673 pn[1] = pn64 >> 32;
674 pn[0] = pn64 >> 40;
675
676 gcmp_pn2hdr(pos, pn, key->conf.keyidx);
677
678 /* hwaccel - with software GCMP header */
679 if (info->control.hw_key)
680 return 0;
681
682 pos += IEEE80211_GCMP_HDR_LEN;
683 gcmp_special_blocks(skb, pn, j_0, aad);
684 return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
685 skb_put(skb, IEEE80211_GCMP_MIC_LEN));
686}
687
688ieee80211_tx_result
689ieee80211_crypto_gcmp_encrypt(struct ieee80211_tx_data *tx)
690{
691 struct sk_buff *skb;
692
693 ieee80211_tx_set_protected(tx);
694
695 skb_queue_walk(&tx->skbs, skb) {
696 if (gcmp_encrypt_skb(tx, skb) < 0)
697 return TX_DROP;
698 }
699
700 return TX_CONTINUE;
701}
702
703ieee80211_rx_result
704ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
705{
706 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
707 int hdrlen;
708 struct ieee80211_key *key = rx->key;
709 struct sk_buff *skb = rx->skb;
710 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
711 u8 pn[IEEE80211_GCMP_PN_LEN];
712 int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
713
714 hdrlen = ieee80211_hdrlen(hdr->frame_control);
715
716 if (!ieee80211_is_data(hdr->frame_control) &&
717 !ieee80211_is_robust_mgmt_frame(skb))
718 return RX_CONTINUE;
719
720 if (status->flag & RX_FLAG_DECRYPTED) {
721 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
722 return RX_DROP_U_SHORT_GCMP;
723 if (status->flag & RX_FLAG_MIC_STRIPPED)
724 mic_len = 0;
725 } else {
726 if (skb_linearize(rx->skb))
727 return RX_DROP_U_OOM;
728 }
729
730 /* reload hdr - skb might have been reallocated */
731 hdr = (void *)rx->skb->data;
732
733 data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
734 if (!rx->sta || data_len < 0)
735 return RX_DROP_U_SHORT_GCMP;
736
737 if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
738 int res;
739
740 gcmp_hdr2pn(pn, skb->data + hdrlen);
741
742 queue = rx->security_idx;
743
744 res = memcmp(pn, key->u.gcmp.rx_pn[queue],
745 IEEE80211_GCMP_PN_LEN);
746 if (res < 0 ||
747 (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
748 key->u.gcmp.replays++;
749 return RX_DROP_U_REPLAY;
750 }
751
752 if (!(status->flag & RX_FLAG_DECRYPTED)) {
753 u8 aad[2 * AES_BLOCK_SIZE];
754 u8 j_0[AES_BLOCK_SIZE];
755 /* hardware didn't decrypt/verify MIC */
756 gcmp_special_blocks(skb, pn, j_0, aad);
757
758 if (ieee80211_aes_gcm_decrypt(
759 key->u.gcmp.tfm, j_0, aad,
760 skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN,
761 data_len,
762 skb->data + skb->len -
763 IEEE80211_GCMP_MIC_LEN))
764 return RX_DROP_U_MIC_FAIL;
765 }
766
767 memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
768 if (unlikely(ieee80211_is_frag(hdr)))
769 memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
770 }
771
772 /* Remove GCMP header and MIC */
773 if (pskb_trim(skb, skb->len - mic_len))
774 return RX_DROP_U_SHORT_GCMP_MIC;
775 memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
776 skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
777
778 return RX_CONTINUE;
779}
780
781static void bip_aad(struct sk_buff *skb, u8 *aad)
782{
783 __le16 mask_fc;
784 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
785
786 /* BIP AAD: FC(masked) || A1 || A2 || A3 */
787
788 /* FC type/subtype */
789 /* Mask FC Retry, PwrMgt, MoreData flags to zero */
790 mask_fc = hdr->frame_control;
791 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
792 IEEE80211_FCTL_MOREDATA);
793 put_unaligned(mask_fc, (__le16 *) &aad[0]);
794 /* A1 || A2 || A3 */
795 memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN);
796}
797
798
799static inline void bip_ipn_set64(u8 *d, u64 pn)
800{
801 *d++ = pn;
802 *d++ = pn >> 8;
803 *d++ = pn >> 16;
804 *d++ = pn >> 24;
805 *d++ = pn >> 32;
806 *d = pn >> 40;
807}
808
809static inline void bip_ipn_swap(u8 *d, const u8 *s)
810{
811 *d++ = s[5];
812 *d++ = s[4];
813 *d++ = s[3];
814 *d++ = s[2];
815 *d++ = s[1];
816 *d = s[0];
817}
818
819
820ieee80211_tx_result
821ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
822{
823 struct sk_buff *skb;
824 struct ieee80211_tx_info *info;
825 struct ieee80211_key *key = tx->key;
826 struct ieee80211_mmie *mmie;
827 u8 aad[20];
828 u64 pn64;
829
830 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
831 return TX_DROP;
832
833 skb = skb_peek(&tx->skbs);
834
835 info = IEEE80211_SKB_CB(skb);
836
837 if (info->control.hw_key &&
838 !(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIE))
839 return TX_CONTINUE;
840
841 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
842 return TX_DROP;
843
844 mmie = skb_put(skb, sizeof(*mmie));
845 mmie->element_id = WLAN_EID_MMIE;
846 mmie->length = sizeof(*mmie) - 2;
847 mmie->key_id = cpu_to_le16(key->conf.keyidx);
848
849 /* PN = PN + 1 */
850 pn64 = atomic64_inc_return(&key->conf.tx_pn);
851
852 bip_ipn_set64(mmie->sequence_number, pn64);
853
854 if (info->control.hw_key)
855 return TX_CONTINUE;
856
857 bip_aad(skb, aad);
858
859 /*
860 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
861 */
862 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
863 skb->data + 24, skb->len - 24, mmie->mic);
864
865 return TX_CONTINUE;
866}
867
868ieee80211_tx_result
869ieee80211_crypto_aes_cmac_256_encrypt(struct ieee80211_tx_data *tx)
870{
871 struct sk_buff *skb;
872 struct ieee80211_tx_info *info;
873 struct ieee80211_key *key = tx->key;
874 struct ieee80211_mmie_16 *mmie;
875 u8 aad[20];
876 u64 pn64;
877
878 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
879 return TX_DROP;
880
881 skb = skb_peek(&tx->skbs);
882
883 info = IEEE80211_SKB_CB(skb);
884
885 if (info->control.hw_key)
886 return TX_CONTINUE;
887
888 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
889 return TX_DROP;
890
891 mmie = skb_put(skb, sizeof(*mmie));
892 mmie->element_id = WLAN_EID_MMIE;
893 mmie->length = sizeof(*mmie) - 2;
894 mmie->key_id = cpu_to_le16(key->conf.keyidx);
895
896 /* PN = PN + 1 */
897 pn64 = atomic64_inc_return(&key->conf.tx_pn);
898
899 bip_ipn_set64(mmie->sequence_number, pn64);
900
901 bip_aad(skb, aad);
902
903 /* MIC = AES-256-CMAC(IGTK, AAD || Management Frame Body || MMIE, 128)
904 */
905 ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
906 skb->data + 24, skb->len - 24, mmie->mic);
907
908 return TX_CONTINUE;
909}
910
911ieee80211_rx_result
912ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
913{
914 struct sk_buff *skb = rx->skb;
915 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
916 struct ieee80211_key *key = rx->key;
917 struct ieee80211_mmie *mmie;
918 u8 aad[20], mic[8], ipn[6];
919 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
920
921 if (!ieee80211_is_mgmt(hdr->frame_control))
922 return RX_CONTINUE;
923
924 /* management frames are already linear */
925
926 if (skb->len < 24 + sizeof(*mmie))
927 return RX_DROP_U_SHORT_CMAC;
928
929 mmie = (struct ieee80211_mmie *)
930 (skb->data + skb->len - sizeof(*mmie));
931 if (mmie->element_id != WLAN_EID_MMIE ||
932 mmie->length != sizeof(*mmie) - 2)
933 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
934
935 bip_ipn_swap(ipn, mmie->sequence_number);
936
937 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
938 key->u.aes_cmac.replays++;
939 return RX_DROP_U_REPLAY;
940 }
941
942 if (!(status->flag & RX_FLAG_DECRYPTED)) {
943 /* hardware didn't decrypt/verify MIC */
944 bip_aad(skb, aad);
945 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
946 skb->data + 24, skb->len - 24, mic);
947 if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
948 key->u.aes_cmac.icverrors++;
949 return RX_DROP_U_MIC_FAIL;
950 }
951 }
952
953 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
954
955 /* Remove MMIE */
956 skb_trim(skb, skb->len - sizeof(*mmie));
957
958 return RX_CONTINUE;
959}
960
961ieee80211_rx_result
962ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
963{
964 struct sk_buff *skb = rx->skb;
965 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
966 struct ieee80211_key *key = rx->key;
967 struct ieee80211_mmie_16 *mmie;
968 u8 aad[20], mic[16], ipn[6];
969 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
970
971 if (!ieee80211_is_mgmt(hdr->frame_control))
972 return RX_CONTINUE;
973
974 /* management frames are already linear */
975
976 if (skb->len < 24 + sizeof(*mmie))
977 return RX_DROP_U_SHORT_CMAC256;
978
979 mmie = (struct ieee80211_mmie_16 *)
980 (skb->data + skb->len - sizeof(*mmie));
981 if (mmie->element_id != WLAN_EID_MMIE ||
982 mmie->length != sizeof(*mmie) - 2)
983 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
984
985 bip_ipn_swap(ipn, mmie->sequence_number);
986
987 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
988 key->u.aes_cmac.replays++;
989 return RX_DROP_U_REPLAY;
990 }
991
992 if (!(status->flag & RX_FLAG_DECRYPTED)) {
993 /* hardware didn't decrypt/verify MIC */
994 bip_aad(skb, aad);
995 ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
996 skb->data + 24, skb->len - 24, mic);
997 if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
998 key->u.aes_cmac.icverrors++;
999 return RX_DROP_U_MIC_FAIL;
1000 }
1001 }
1002
1003 memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
1004
1005 /* Remove MMIE */
1006 skb_trim(skb, skb->len - sizeof(*mmie));
1007
1008 return RX_CONTINUE;
1009}
1010
1011ieee80211_tx_result
1012ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx)
1013{
1014 struct sk_buff *skb;
1015 struct ieee80211_tx_info *info;
1016 struct ieee80211_key *key = tx->key;
1017 struct ieee80211_mmie_16 *mmie;
1018 struct ieee80211_hdr *hdr;
1019 u8 aad[GMAC_AAD_LEN];
1020 u64 pn64;
1021 u8 nonce[GMAC_NONCE_LEN];
1022
1023 if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
1024 return TX_DROP;
1025
1026 skb = skb_peek(&tx->skbs);
1027
1028 info = IEEE80211_SKB_CB(skb);
1029
1030 if (info->control.hw_key)
1031 return TX_CONTINUE;
1032
1033 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
1034 return TX_DROP;
1035
1036 mmie = skb_put(skb, sizeof(*mmie));
1037 mmie->element_id = WLAN_EID_MMIE;
1038 mmie->length = sizeof(*mmie) - 2;
1039 mmie->key_id = cpu_to_le16(key->conf.keyidx);
1040
1041 /* PN = PN + 1 */
1042 pn64 = atomic64_inc_return(&key->conf.tx_pn);
1043
1044 bip_ipn_set64(mmie->sequence_number, pn64);
1045
1046 bip_aad(skb, aad);
1047
1048 hdr = (struct ieee80211_hdr *)skb->data;
1049 memcpy(nonce, hdr->addr2, ETH_ALEN);
1050 bip_ipn_swap(nonce + ETH_ALEN, mmie->sequence_number);
1051
1052 /* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */
1053 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1054 skb->data + 24, skb->len - 24, mmie->mic) < 0)
1055 return TX_DROP;
1056
1057 return TX_CONTINUE;
1058}
1059
1060ieee80211_rx_result
1061ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
1062{
1063 struct sk_buff *skb = rx->skb;
1064 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1065 struct ieee80211_key *key = rx->key;
1066 struct ieee80211_mmie_16 *mmie;
1067 u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
1068 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1069
1070 if (!ieee80211_is_mgmt(hdr->frame_control))
1071 return RX_CONTINUE;
1072
1073 /* management frames are already linear */
1074
1075 if (skb->len < 24 + sizeof(*mmie))
1076 return RX_DROP_U_SHORT_GMAC;
1077
1078 mmie = (struct ieee80211_mmie_16 *)
1079 (skb->data + skb->len - sizeof(*mmie));
1080 if (mmie->element_id != WLAN_EID_MMIE ||
1081 mmie->length != sizeof(*mmie) - 2)
1082 return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
1083
1084 bip_ipn_swap(ipn, mmie->sequence_number);
1085
1086 if (memcmp(ipn, key->u.aes_gmac.rx_pn, 6) <= 0) {
1087 key->u.aes_gmac.replays++;
1088 return RX_DROP_U_REPLAY;
1089 }
1090
1091 if (!(status->flag & RX_FLAG_DECRYPTED)) {
1092 /* hardware didn't decrypt/verify MIC */
1093 bip_aad(skb, aad);
1094
1095 memcpy(nonce, hdr->addr2, ETH_ALEN);
1096 memcpy(nonce + ETH_ALEN, ipn, 6);
1097
1098 mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC);
1099 if (!mic)
1100 return RX_DROP_U_OOM;
1101 if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1102 skb->data + 24, skb->len - 24,
1103 mic) < 0 ||
1104 crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
1105 key->u.aes_gmac.icverrors++;
1106 kfree(mic);
1107 return RX_DROP_U_MIC_FAIL;
1108 }
1109 kfree(mic);
1110 }
1111
1112 memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
1113
1114 /* Remove MMIE */
1115 skb_trim(skb, skb->len - sizeof(*mmie));
1116
1117 return RX_CONTINUE;
1118}