1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * FILS AEAD for (Re)Association Request/Response frames 4 * Copyright 2016, Qualcomm Atheros, Inc. 5 */ 6 7 #include <crypto/aes.h> 8 #include <crypto/hash.h> 9 #include <crypto/skcipher.h> 10 #include <crypto/utils.h> 11 12 #include "ieee80211_i.h" 13 #include "aes_cmac.h" 14 #include "fils_aead.h" 15 16 static void gf_mulx(u8 *pad) 17 { 18 u64 a = get_unaligned_be64(pad); 19 u64 b = get_unaligned_be64(pad + 8); 20 21 put_unaligned_be64((a << 1) | (b >> 63), pad); 22 put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8); 23 } 24 25 static int aes_s2v(struct crypto_shash *tfm, 26 size_t num_elem, const u8 *addr[], size_t len[], u8 *v) 27 { 28 u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {}; 29 SHASH_DESC_ON_STACK(desc, tfm); 30 size_t i; 31 32 desc->tfm = tfm; 33 34 /* D = AES-CMAC(K, <zero>) */ 35 crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d); 36 37 for (i = 0; i < num_elem - 1; i++) { 38 /* D = dbl(D) xor AES_CMAC(K, Si) */ 39 gf_mulx(d); /* dbl */ 40 crypto_shash_digest(desc, addr[i], len[i], tmp); 41 crypto_xor(d, tmp, AES_BLOCK_SIZE); 42 } 43 44 crypto_shash_init(desc); 45 46 if (len[i] >= AES_BLOCK_SIZE) { 47 /* len(Sn) >= 128 */ 48 /* T = Sn xorend D */ 49 crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE); 50 crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE, 51 AES_BLOCK_SIZE); 52 } else { 53 /* len(Sn) < 128 */ 54 /* T = dbl(D) xor pad(Sn) */ 55 gf_mulx(d); /* dbl */ 56 crypto_xor(d, addr[i], len[i]); 57 d[len[i]] ^= 0x80; 58 } 59 /* V = AES-CMAC(K, T) */ 60 crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v); 61 62 return 0; 63 } 64 65 /* Note: addr[] and len[] needs to have one extra slot at the end. */ 66 static int aes_siv_encrypt(const u8 *key, size_t key_len, 67 const u8 *plain, size_t plain_len, 68 size_t num_elem, const u8 *addr[], 69 size_t len[], u8 *out) 70 { 71 u8 v[AES_BLOCK_SIZE]; 72 struct crypto_shash *tfm; 73 struct crypto_skcipher *tfm2; 74 struct skcipher_request *req; 75 int res; 76 struct scatterlist src[1], dst[1]; 77 u8 *tmp; 78 79 key_len /= 2; /* S2V key || CTR key */ 80 81 addr[num_elem] = plain; 82 len[num_elem] = plain_len; 83 num_elem++; 84 85 /* S2V */ 86 87 tfm = crypto_alloc_shash("cmac(aes)", 0, 0); 88 if (IS_ERR(tfm)) 89 return PTR_ERR(tfm); 90 /* K1 for S2V */ 91 res = crypto_shash_setkey(tfm, key, key_len); 92 if (!res) 93 res = aes_s2v(tfm, num_elem, addr, len, v); 94 crypto_free_shash(tfm); 95 if (res) 96 return res; 97 98 /* Use a temporary buffer of the plaintext to handle need for 99 * overwriting this during AES-CTR. 100 */ 101 tmp = kmemdup(plain, plain_len, GFP_KERNEL); 102 if (!tmp) 103 return -ENOMEM; 104 105 /* IV for CTR before encrypted data */ 106 memcpy(out, v, AES_BLOCK_SIZE); 107 108 /* Synthetic IV to be used as the initial counter in CTR: 109 * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) 110 */ 111 v[8] &= 0x7f; 112 v[12] &= 0x7f; 113 114 /* CTR */ 115 116 tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); 117 if (IS_ERR(tfm2)) { 118 kfree(tmp); 119 return PTR_ERR(tfm2); 120 } 121 /* K2 for CTR */ 122 res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); 123 if (res) 124 goto fail; 125 126 req = skcipher_request_alloc(tfm2, GFP_KERNEL); 127 if (!req) { 128 res = -ENOMEM; 129 goto fail; 130 } 131 132 sg_init_one(src, tmp, plain_len); 133 sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len); 134 skcipher_request_set_crypt(req, src, dst, plain_len, v); 135 res = crypto_skcipher_encrypt(req); 136 skcipher_request_free(req); 137 fail: 138 kfree(tmp); 139 crypto_free_skcipher(tfm2); 140 return res; 141 } 142 143 /* Note: addr[] and len[] needs to have one extra slot at the end. */ 144 static int aes_siv_decrypt(const u8 *key, size_t key_len, 145 const u8 *iv_crypt, size_t iv_c_len, 146 size_t num_elem, const u8 *addr[], size_t len[], 147 u8 *out) 148 { 149 struct crypto_shash *tfm; 150 struct crypto_skcipher *tfm2; 151 struct skcipher_request *req; 152 struct scatterlist src[1], dst[1]; 153 size_t crypt_len; 154 int res; 155 u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE]; 156 u8 check[AES_BLOCK_SIZE]; 157 158 crypt_len = iv_c_len - AES_BLOCK_SIZE; 159 key_len /= 2; /* S2V key || CTR key */ 160 addr[num_elem] = out; 161 len[num_elem] = crypt_len; 162 num_elem++; 163 164 memcpy(iv, iv_crypt, AES_BLOCK_SIZE); 165 memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE); 166 167 /* Synthetic IV to be used as the initial counter in CTR: 168 * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) 169 */ 170 iv[8] &= 0x7f; 171 iv[12] &= 0x7f; 172 173 /* CTR */ 174 175 tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC); 176 if (IS_ERR(tfm2)) 177 return PTR_ERR(tfm2); 178 /* K2 for CTR */ 179 res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); 180 if (res) { 181 crypto_free_skcipher(tfm2); 182 return res; 183 } 184 185 req = skcipher_request_alloc(tfm2, GFP_KERNEL); 186 if (!req) { 187 crypto_free_skcipher(tfm2); 188 return -ENOMEM; 189 } 190 191 sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len); 192 sg_init_one(dst, out, crypt_len); 193 skcipher_request_set_crypt(req, src, dst, crypt_len, iv); 194 res = crypto_skcipher_decrypt(req); 195 skcipher_request_free(req); 196 crypto_free_skcipher(tfm2); 197 if (res) 198 return res; 199 200 /* S2V */ 201 202 tfm = crypto_alloc_shash("cmac(aes)", 0, 0); 203 if (IS_ERR(tfm)) 204 return PTR_ERR(tfm); 205 /* K1 for S2V */ 206 res = crypto_shash_setkey(tfm, key, key_len); 207 if (!res) 208 res = aes_s2v(tfm, num_elem, addr, len, check); 209 crypto_free_shash(tfm); 210 if (res) 211 return res; 212 if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0) 213 return -EINVAL; 214 return 0; 215 } 216 217 int fils_encrypt_assoc_req(struct sk_buff *skb, 218 struct ieee80211_mgd_assoc_data *assoc_data) 219 { 220 struct ieee80211_mgmt *mgmt = (void *)skb->data; 221 u8 *capab, *ies, *encr; 222 const u8 *addr[5 + 1]; 223 const struct element *session; 224 size_t len[5 + 1]; 225 size_t crypt_len; 226 227 if (ieee80211_is_reassoc_req(mgmt->frame_control)) { 228 capab = (u8 *)&mgmt->u.reassoc_req.capab_info; 229 ies = mgmt->u.reassoc_req.variable; 230 } else { 231 capab = (u8 *)&mgmt->u.assoc_req.capab_info; 232 ies = mgmt->u.assoc_req.variable; 233 } 234 235 session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION, 236 ies, skb->data + skb->len - ies); 237 if (!session || session->datalen != 1 + 8) 238 return -EINVAL; 239 /* encrypt after FILS Session element */ 240 encr = (u8 *)session->data + 1 + 8; 241 242 /* AES-SIV AAD vectors */ 243 244 /* The STA's MAC address */ 245 addr[0] = mgmt->sa; 246 len[0] = ETH_ALEN; 247 /* The AP's BSSID */ 248 addr[1] = mgmt->da; 249 len[1] = ETH_ALEN; 250 /* The STA's nonce */ 251 addr[2] = assoc_data->fils_nonces; 252 len[2] = FILS_NONCE_LEN; 253 /* The AP's nonce */ 254 addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; 255 len[3] = FILS_NONCE_LEN; 256 /* The (Re)Association Request frame from the Capability Information 257 * field to the FILS Session element (both inclusive). 258 */ 259 addr[4] = capab; 260 len[4] = encr - capab; 261 262 crypt_len = skb->data + skb->len - encr; 263 skb_put(skb, AES_BLOCK_SIZE); 264 return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, 265 encr, crypt_len, 5, addr, len, encr); 266 } 267 268 int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, 269 u8 *frame, size_t *frame_len, 270 struct ieee80211_mgd_assoc_data *assoc_data) 271 { 272 struct ieee80211_mgmt *mgmt = (void *)frame; 273 u8 *capab, *ies, *encr; 274 const u8 *addr[5 + 1]; 275 const struct element *session; 276 size_t len[5 + 1]; 277 int res; 278 size_t crypt_len; 279 280 if (*frame_len < 24 + 6) 281 return -EINVAL; 282 283 capab = (u8 *)&mgmt->u.assoc_resp.capab_info; 284 ies = mgmt->u.assoc_resp.variable; 285 session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION, 286 ies, frame + *frame_len - ies); 287 if (!session || session->datalen != 1 + 8) { 288 mlme_dbg(sdata, 289 "No (valid) FILS Session element in (Re)Association Response frame from %pM", 290 mgmt->sa); 291 return -EINVAL; 292 } 293 /* decrypt after FILS Session element */ 294 encr = (u8 *)session->data + 1 + 8; 295 296 /* AES-SIV AAD vectors */ 297 298 /* The AP's BSSID */ 299 addr[0] = mgmt->sa; 300 len[0] = ETH_ALEN; 301 /* The STA's MAC address */ 302 addr[1] = mgmt->da; 303 len[1] = ETH_ALEN; 304 /* The AP's nonce */ 305 addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; 306 len[2] = FILS_NONCE_LEN; 307 /* The STA's nonce */ 308 addr[3] = assoc_data->fils_nonces; 309 len[3] = FILS_NONCE_LEN; 310 /* The (Re)Association Response frame from the Capability Information 311 * field to the FILS Session element (both inclusive). 312 */ 313 addr[4] = capab; 314 len[4] = encr - capab; 315 316 crypt_len = frame + *frame_len - encr; 317 if (crypt_len < AES_BLOCK_SIZE) { 318 mlme_dbg(sdata, 319 "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM", 320 mgmt->sa); 321 return -EINVAL; 322 } 323 res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, 324 encr, crypt_len, 5, addr, len, encr); 325 if (res != 0) { 326 mlme_dbg(sdata, 327 "AES-SIV decryption of (Re)Association Response frame from %pM failed", 328 mgmt->sa); 329 return res; 330 } 331 *frame_len -= AES_BLOCK_SIZE; 332 return 0; 333 } 334