1 /* 2 * Copyright 2002-2004, Instant802 Networks, Inc. 3 * Copyright 2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 */ 9 10 #include <linux/netdevice.h> 11 #include <linux/types.h> 12 #include <linux/skbuff.h> 13 #include <linux/compiler.h> 14 #include <linux/ieee80211.h> 15 #include <linux/gfp.h> 16 #include <asm/unaligned.h> 17 #include <net/mac80211.h> 18 #include <crypto/aes.h> 19 20 #include "ieee80211_i.h" 21 #include "michael.h" 22 #include "tkip.h" 23 #include "aes_ccm.h" 24 #include "aes_cmac.h" 25 #include "wpa.h" 26 27 ieee80211_tx_result 28 ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx) 29 { 30 u8 *data, *key, *mic; 31 size_t data_len; 32 unsigned int hdrlen; 33 struct ieee80211_hdr *hdr; 34 struct sk_buff *skb = tx->skb; 35 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 36 int tail; 37 38 hdr = (struct ieee80211_hdr *)skb->data; 39 if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP || 40 skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control)) 41 return TX_CONTINUE; 42 43 hdrlen = ieee80211_hdrlen(hdr->frame_control); 44 if (skb->len < hdrlen) 45 return TX_DROP; 46 47 data = skb->data + hdrlen; 48 data_len = skb->len - hdrlen; 49 50 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) { 51 /* Need to use software crypto for the test */ 52 info->control.hw_key = NULL; 53 } 54 55 if (info->control.hw_key && 56 (info->flags & IEEE80211_TX_CTL_DONTFRAG || 57 tx->local->ops->set_frag_threshold) && 58 !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) { 59 /* hwaccel - with no need for SW-generated MMIC */ 60 return TX_CONTINUE; 61 } 62 63 tail = MICHAEL_MIC_LEN; 64 if (!info->control.hw_key) 65 tail += IEEE80211_TKIP_ICV_LEN; 66 67 if (WARN_ON(skb_tailroom(skb) < tail || 68 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN)) 69 return TX_DROP; 70 71 key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY]; 72 mic = skb_put(skb, MICHAEL_MIC_LEN); 73 michael_mic(key, hdr, data, data_len, mic); 74 if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) 75 mic[0]++; 76 77 return TX_CONTINUE; 78 } 79 80 81 ieee80211_rx_result 82 ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) 83 { 84 u8 *data, *key = NULL; 85 size_t data_len; 86 unsigned int hdrlen; 87 u8 mic[MICHAEL_MIC_LEN]; 88 struct sk_buff *skb = rx->skb; 89 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 90 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 91 92 /* 93 * it makes no sense to check for MIC errors on anything other 94 * than data frames. 95 */ 96 if (!ieee80211_is_data_present(hdr->frame_control)) 97 return RX_CONTINUE; 98 99 /* 100 * No way to verify the MIC if the hardware stripped it or 101 * the IV with the key index. In this case we have solely rely 102 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a 103 * MIC failure report. 104 */ 105 if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) { 106 if (status->flag & RX_FLAG_MMIC_ERROR) 107 goto mic_fail_no_key; 108 109 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key && 110 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP) 111 goto update_iv; 112 113 return RX_CONTINUE; 114 } 115 116 /* 117 * Some hardware seems to generate Michael MIC failure reports; even 118 * though, the frame was not encrypted with TKIP and therefore has no 119 * MIC. Ignore the flag them to avoid triggering countermeasures. 120 */ 121 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP || 122 !(status->flag & RX_FLAG_DECRYPTED)) 123 return RX_CONTINUE; 124 125 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) { 126 /* 127 * APs with pairwise keys should never receive Michael MIC 128 * errors for non-zero keyidx because these are reserved for 129 * group keys and only the AP is sending real multicast 130 * frames in the BSS. ( 131 */ 132 return RX_DROP_UNUSABLE; 133 } 134 135 if (status->flag & RX_FLAG_MMIC_ERROR) 136 goto mic_fail; 137 138 hdrlen = ieee80211_hdrlen(hdr->frame_control); 139 if (skb->len < hdrlen + MICHAEL_MIC_LEN) 140 return RX_DROP_UNUSABLE; 141 142 if (skb_linearize(rx->skb)) 143 return RX_DROP_UNUSABLE; 144 hdr = (void *)skb->data; 145 146 data = skb->data + hdrlen; 147 data_len = skb->len - hdrlen - MICHAEL_MIC_LEN; 148 key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY]; 149 michael_mic(key, hdr, data, data_len, mic); 150 if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0) 151 goto mic_fail; 152 153 /* remove Michael MIC from payload */ 154 skb_trim(skb, skb->len - MICHAEL_MIC_LEN); 155 156 update_iv: 157 /* update IV in key information to be able to detect replays */ 158 rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; 159 rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; 160 161 return RX_CONTINUE; 162 163 mic_fail: 164 rx->key->u.tkip.mic_failures++; 165 166 mic_fail_no_key: 167 /* 168 * In some cases the key can be unset - e.g. a multicast packet, in 169 * a driver that supports HW encryption. Send up the key idx only if 170 * the key is set. 171 */ 172 mac80211_ev_michael_mic_failure(rx->sdata, 173 rx->key ? rx->key->conf.keyidx : -1, 174 (void *) skb->data, NULL, GFP_ATOMIC); 175 return RX_DROP_UNUSABLE; 176 } 177 178 179 static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 180 { 181 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 182 struct ieee80211_key *key = tx->key; 183 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 184 unsigned int hdrlen; 185 int len, tail; 186 u8 *pos; 187 188 if (info->control.hw_key && 189 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && 190 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) { 191 /* hwaccel - with no need for software-generated IV */ 192 return 0; 193 } 194 195 hdrlen = ieee80211_hdrlen(hdr->frame_control); 196 len = skb->len - hdrlen; 197 198 if (info->control.hw_key) 199 tail = 0; 200 else 201 tail = IEEE80211_TKIP_ICV_LEN; 202 203 if (WARN_ON(skb_tailroom(skb) < tail || 204 skb_headroom(skb) < IEEE80211_TKIP_IV_LEN)) 205 return -1; 206 207 pos = skb_push(skb, IEEE80211_TKIP_IV_LEN); 208 memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen); 209 skb_set_network_header(skb, skb_network_offset(skb) + 210 IEEE80211_TKIP_IV_LEN); 211 pos += hdrlen; 212 213 /* the HW only needs room for the IV, but not the actual IV */ 214 if (info->control.hw_key && 215 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) 216 return 0; 217 218 /* Increase IV for the frame */ 219 spin_lock(&key->u.tkip.txlock); 220 key->u.tkip.tx.iv16++; 221 if (key->u.tkip.tx.iv16 == 0) 222 key->u.tkip.tx.iv32++; 223 pos = ieee80211_tkip_add_iv(pos, key); 224 spin_unlock(&key->u.tkip.txlock); 225 226 /* hwaccel - with software IV */ 227 if (info->control.hw_key) 228 return 0; 229 230 /* Add room for ICV */ 231 skb_put(skb, IEEE80211_TKIP_ICV_LEN); 232 233 return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm, 234 key, skb, pos, len); 235 } 236 237 238 ieee80211_tx_result 239 ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx) 240 { 241 struct sk_buff *skb; 242 243 ieee80211_tx_set_protected(tx); 244 245 skb_queue_walk(&tx->skbs, skb) { 246 if (tkip_encrypt_skb(tx, skb) < 0) 247 return TX_DROP; 248 } 249 250 return TX_CONTINUE; 251 } 252 253 254 ieee80211_rx_result 255 ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) 256 { 257 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 258 int hdrlen, res, hwaccel = 0; 259 struct ieee80211_key *key = rx->key; 260 struct sk_buff *skb = rx->skb; 261 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 262 263 hdrlen = ieee80211_hdrlen(hdr->frame_control); 264 265 if (!ieee80211_is_data(hdr->frame_control)) 266 return RX_CONTINUE; 267 268 if (!rx->sta || skb->len - hdrlen < 12) 269 return RX_DROP_UNUSABLE; 270 271 /* it may be possible to optimize this a bit more */ 272 if (skb_linearize(rx->skb)) 273 return RX_DROP_UNUSABLE; 274 hdr = (void *)skb->data; 275 276 /* 277 * Let TKIP code verify IV, but skip decryption. 278 * In the case where hardware checks the IV as well, 279 * we don't even get here, see ieee80211_rx_h_decrypt() 280 */ 281 if (status->flag & RX_FLAG_DECRYPTED) 282 hwaccel = 1; 283 284 res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, 285 key, skb->data + hdrlen, 286 skb->len - hdrlen, rx->sta->sta.addr, 287 hdr->addr1, hwaccel, rx->security_idx, 288 &rx->tkip_iv32, 289 &rx->tkip_iv16); 290 if (res != TKIP_DECRYPT_OK) 291 return RX_DROP_UNUSABLE; 292 293 /* Trim ICV */ 294 skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN); 295 296 /* Remove IV */ 297 memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen); 298 skb_pull(skb, IEEE80211_TKIP_IV_LEN); 299 300 return RX_CONTINUE; 301 } 302 303 304 static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad, 305 int encrypted) 306 { 307 __le16 mask_fc; 308 int a4_included, mgmt; 309 u8 qos_tid; 310 u16 len_a; 311 unsigned int hdrlen; 312 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 313 314 /* 315 * Mask FC: zero subtype b4 b5 b6 (if not mgmt) 316 * Retry, PwrMgt, MoreData; set Protected 317 */ 318 mgmt = ieee80211_is_mgmt(hdr->frame_control); 319 mask_fc = hdr->frame_control; 320 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | 321 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA); 322 if (!mgmt) 323 mask_fc &= ~cpu_to_le16(0x0070); 324 mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED); 325 326 hdrlen = ieee80211_hdrlen(hdr->frame_control); 327 len_a = hdrlen - 2; 328 a4_included = ieee80211_has_a4(hdr->frame_control); 329 330 if (ieee80211_is_data_qos(hdr->frame_control)) 331 qos_tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 332 else 333 qos_tid = 0; 334 335 /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC 336 * mode authentication are not allowed to collide, yet both are derived 337 * from this vector b_0. We only set L := 1 here to indicate that the 338 * data size can be represented in (L+1) bytes. The CCM layer will take 339 * care of storing the data length in the top (L+1) bytes and setting 340 * and clearing the other bits as is required to derive the two IVs. 341 */ 342 b_0[0] = 0x1; 343 344 /* Nonce: Nonce Flags | A2 | PN 345 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7) 346 */ 347 b_0[1] = qos_tid | (mgmt << 4); 348 memcpy(&b_0[2], hdr->addr2, ETH_ALEN); 349 memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN); 350 351 /* AAD (extra authenticate-only data) / masked 802.11 header 352 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */ 353 put_unaligned_be16(len_a, &aad[0]); 354 put_unaligned(mask_fc, (__le16 *)&aad[2]); 355 memcpy(&aad[4], &hdr->addr1, 3 * ETH_ALEN); 356 357 /* Mask Seq#, leave Frag# */ 358 aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f; 359 aad[23] = 0; 360 361 if (a4_included) { 362 memcpy(&aad[24], hdr->addr4, ETH_ALEN); 363 aad[30] = qos_tid; 364 aad[31] = 0; 365 } else { 366 memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN); 367 aad[24] = qos_tid; 368 } 369 } 370 371 372 static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id) 373 { 374 hdr[0] = pn[5]; 375 hdr[1] = pn[4]; 376 hdr[2] = 0; 377 hdr[3] = 0x20 | (key_id << 6); 378 hdr[4] = pn[3]; 379 hdr[5] = pn[2]; 380 hdr[6] = pn[1]; 381 hdr[7] = pn[0]; 382 } 383 384 385 static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr) 386 { 387 pn[0] = hdr[7]; 388 pn[1] = hdr[6]; 389 pn[2] = hdr[5]; 390 pn[3] = hdr[4]; 391 pn[4] = hdr[1]; 392 pn[5] = hdr[0]; 393 } 394 395 396 static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) 397 { 398 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 399 struct ieee80211_key *key = tx->key; 400 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 401 int hdrlen, len, tail; 402 u8 *pos; 403 u8 pn[6]; 404 u64 pn64; 405 u8 aad[2 * AES_BLOCK_SIZE]; 406 u8 b_0[AES_BLOCK_SIZE]; 407 408 if (info->control.hw_key && 409 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && 410 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) { 411 /* 412 * hwaccel has no need for preallocated room for CCMP 413 * header or MIC fields 414 */ 415 return 0; 416 } 417 418 hdrlen = ieee80211_hdrlen(hdr->frame_control); 419 len = skb->len - hdrlen; 420 421 if (info->control.hw_key) 422 tail = 0; 423 else 424 tail = IEEE80211_CCMP_MIC_LEN; 425 426 if (WARN_ON(skb_tailroom(skb) < tail || 427 skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN)) 428 return -1; 429 430 pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN); 431 memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen); 432 skb_set_network_header(skb, skb_network_offset(skb) + 433 IEEE80211_CCMP_HDR_LEN); 434 435 /* the HW only needs room for the IV, but not the actual IV */ 436 if (info->control.hw_key && 437 (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) 438 return 0; 439 440 hdr = (struct ieee80211_hdr *) pos; 441 pos += hdrlen; 442 443 pn64 = atomic64_inc_return(&key->u.ccmp.tx_pn); 444 445 pn[5] = pn64; 446 pn[4] = pn64 >> 8; 447 pn[3] = pn64 >> 16; 448 pn[2] = pn64 >> 24; 449 pn[1] = pn64 >> 32; 450 pn[0] = pn64 >> 40; 451 452 ccmp_pn2hdr(pos, pn, key->conf.keyidx); 453 454 /* hwaccel - with software CCMP header */ 455 if (info->control.hw_key) 456 return 0; 457 458 pos += IEEE80211_CCMP_HDR_LEN; 459 ccmp_special_blocks(skb, pn, b_0, aad, 0); 460 ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len, 461 skb_put(skb, IEEE80211_CCMP_MIC_LEN)); 462 463 return 0; 464 } 465 466 467 ieee80211_tx_result 468 ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx) 469 { 470 struct sk_buff *skb; 471 472 ieee80211_tx_set_protected(tx); 473 474 skb_queue_walk(&tx->skbs, skb) { 475 if (ccmp_encrypt_skb(tx, skb) < 0) 476 return TX_DROP; 477 } 478 479 return TX_CONTINUE; 480 } 481 482 483 ieee80211_rx_result 484 ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx) 485 { 486 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 487 int hdrlen; 488 struct ieee80211_key *key = rx->key; 489 struct sk_buff *skb = rx->skb; 490 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 491 u8 pn[IEEE80211_CCMP_PN_LEN]; 492 int data_len; 493 int queue; 494 495 hdrlen = ieee80211_hdrlen(hdr->frame_control); 496 497 if (!ieee80211_is_data(hdr->frame_control) && 498 !ieee80211_is_robust_mgmt_frame(hdr)) 499 return RX_CONTINUE; 500 501 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - 502 IEEE80211_CCMP_MIC_LEN; 503 if (!rx->sta || data_len < 0) 504 return RX_DROP_UNUSABLE; 505 506 if (status->flag & RX_FLAG_DECRYPTED) { 507 if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN)) 508 return RX_DROP_UNUSABLE; 509 } else { 510 if (skb_linearize(rx->skb)) 511 return RX_DROP_UNUSABLE; 512 } 513 514 ccmp_hdr2pn(pn, skb->data + hdrlen); 515 516 queue = rx->security_idx; 517 518 if (memcmp(pn, key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN) <= 0) { 519 key->u.ccmp.replays++; 520 return RX_DROP_UNUSABLE; 521 } 522 523 if (!(status->flag & RX_FLAG_DECRYPTED)) { 524 u8 aad[2 * AES_BLOCK_SIZE]; 525 u8 b_0[AES_BLOCK_SIZE]; 526 /* hardware didn't decrypt/verify MIC */ 527 ccmp_special_blocks(skb, pn, b_0, aad, 1); 528 529 if (ieee80211_aes_ccm_decrypt( 530 key->u.ccmp.tfm, b_0, aad, 531 skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN, 532 data_len, 533 skb->data + skb->len - IEEE80211_CCMP_MIC_LEN)) 534 return RX_DROP_UNUSABLE; 535 } 536 537 memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN); 538 539 /* Remove CCMP header and MIC */ 540 if (pskb_trim(skb, skb->len - IEEE80211_CCMP_MIC_LEN)) 541 return RX_DROP_UNUSABLE; 542 memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen); 543 skb_pull(skb, IEEE80211_CCMP_HDR_LEN); 544 545 return RX_CONTINUE; 546 } 547 548 static ieee80211_tx_result 549 ieee80211_crypto_cs_encrypt(struct ieee80211_tx_data *tx, 550 struct sk_buff *skb) 551 { 552 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 553 struct ieee80211_key *key = tx->key; 554 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 555 const struct ieee80211_cipher_scheme *cs = key->sta->cipher_scheme; 556 int hdrlen; 557 u8 *pos; 558 559 if (info->control.hw_key && 560 !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) { 561 /* hwaccel has no need for preallocated head room */ 562 return TX_CONTINUE; 563 } 564 565 if (unlikely(skb_headroom(skb) < cs->hdr_len && 566 pskb_expand_head(skb, cs->hdr_len, 0, GFP_ATOMIC))) 567 return TX_DROP; 568 569 hdrlen = ieee80211_hdrlen(hdr->frame_control); 570 571 pos = skb_push(skb, cs->hdr_len); 572 memmove(pos, pos + cs->hdr_len, hdrlen); 573 skb_set_network_header(skb, skb_network_offset(skb) + cs->hdr_len); 574 575 return TX_CONTINUE; 576 } 577 578 static inline int ieee80211_crypto_cs_pn_compare(u8 *pn1, u8 *pn2, int len) 579 { 580 int i; 581 582 /* pn is little endian */ 583 for (i = len - 1; i >= 0; i--) { 584 if (pn1[i] < pn2[i]) 585 return -1; 586 else if (pn1[i] > pn2[i]) 587 return 1; 588 } 589 590 return 0; 591 } 592 593 static ieee80211_rx_result 594 ieee80211_crypto_cs_decrypt(struct ieee80211_rx_data *rx) 595 { 596 struct ieee80211_key *key = rx->key; 597 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 598 const struct ieee80211_cipher_scheme *cs = NULL; 599 int hdrlen = ieee80211_hdrlen(hdr->frame_control); 600 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 601 int data_len; 602 u8 *rx_pn; 603 u8 *skb_pn; 604 u8 qos_tid; 605 606 if (!rx->sta || !rx->sta->cipher_scheme || 607 !(status->flag & RX_FLAG_DECRYPTED)) 608 return RX_DROP_UNUSABLE; 609 610 if (!ieee80211_is_data(hdr->frame_control)) 611 return RX_CONTINUE; 612 613 cs = rx->sta->cipher_scheme; 614 615 data_len = rx->skb->len - hdrlen - cs->hdr_len; 616 617 if (data_len < 0) 618 return RX_DROP_UNUSABLE; 619 620 if (ieee80211_is_data_qos(hdr->frame_control)) 621 qos_tid = *ieee80211_get_qos_ctl(hdr) & 622 IEEE80211_QOS_CTL_TID_MASK; 623 else 624 qos_tid = 0; 625 626 if (skb_linearize(rx->skb)) 627 return RX_DROP_UNUSABLE; 628 629 hdr = (struct ieee80211_hdr *)rx->skb->data; 630 631 rx_pn = key->u.gen.rx_pn[qos_tid]; 632 skb_pn = rx->skb->data + hdrlen + cs->pn_off; 633 634 if (ieee80211_crypto_cs_pn_compare(skb_pn, rx_pn, cs->pn_len) <= 0) 635 return RX_DROP_UNUSABLE; 636 637 memcpy(rx_pn, skb_pn, cs->pn_len); 638 639 /* remove security header and MIC */ 640 if (pskb_trim(rx->skb, rx->skb->len - cs->mic_len)) 641 return RX_DROP_UNUSABLE; 642 643 memmove(rx->skb->data + cs->hdr_len, rx->skb->data, hdrlen); 644 skb_pull(rx->skb, cs->hdr_len); 645 646 return RX_CONTINUE; 647 } 648 649 static void bip_aad(struct sk_buff *skb, u8 *aad) 650 { 651 __le16 mask_fc; 652 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 653 654 /* BIP AAD: FC(masked) || A1 || A2 || A3 */ 655 656 /* FC type/subtype */ 657 /* Mask FC Retry, PwrMgt, MoreData flags to zero */ 658 mask_fc = hdr->frame_control; 659 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM | 660 IEEE80211_FCTL_MOREDATA); 661 put_unaligned(mask_fc, (__le16 *) &aad[0]); 662 /* A1 || A2 || A3 */ 663 memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN); 664 } 665 666 667 static inline void bip_ipn_set64(u8 *d, u64 pn) 668 { 669 *d++ = pn; 670 *d++ = pn >> 8; 671 *d++ = pn >> 16; 672 *d++ = pn >> 24; 673 *d++ = pn >> 32; 674 *d = pn >> 40; 675 } 676 677 static inline void bip_ipn_swap(u8 *d, const u8 *s) 678 { 679 *d++ = s[5]; 680 *d++ = s[4]; 681 *d++ = s[3]; 682 *d++ = s[2]; 683 *d++ = s[1]; 684 *d = s[0]; 685 } 686 687 688 ieee80211_tx_result 689 ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx) 690 { 691 struct sk_buff *skb; 692 struct ieee80211_tx_info *info; 693 struct ieee80211_key *key = tx->key; 694 struct ieee80211_mmie *mmie; 695 u8 aad[20]; 696 u64 pn64; 697 698 if (WARN_ON(skb_queue_len(&tx->skbs) != 1)) 699 return TX_DROP; 700 701 skb = skb_peek(&tx->skbs); 702 703 info = IEEE80211_SKB_CB(skb); 704 705 if (info->control.hw_key) 706 return TX_CONTINUE; 707 708 if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie))) 709 return TX_DROP; 710 711 mmie = (struct ieee80211_mmie *) skb_put(skb, sizeof(*mmie)); 712 mmie->element_id = WLAN_EID_MMIE; 713 mmie->length = sizeof(*mmie) - 2; 714 mmie->key_id = cpu_to_le16(key->conf.keyidx); 715 716 /* PN = PN + 1 */ 717 pn64 = atomic64_inc_return(&key->u.aes_cmac.tx_pn); 718 719 bip_ipn_set64(mmie->sequence_number, pn64); 720 721 bip_aad(skb, aad); 722 723 /* 724 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64) 725 */ 726 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad, 727 skb->data + 24, skb->len - 24, mmie->mic); 728 729 return TX_CONTINUE; 730 } 731 732 733 ieee80211_rx_result 734 ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx) 735 { 736 struct sk_buff *skb = rx->skb; 737 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 738 struct ieee80211_key *key = rx->key; 739 struct ieee80211_mmie *mmie; 740 u8 aad[20], mic[8], ipn[6]; 741 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 742 743 if (!ieee80211_is_mgmt(hdr->frame_control)) 744 return RX_CONTINUE; 745 746 /* management frames are already linear */ 747 748 if (skb->len < 24 + sizeof(*mmie)) 749 return RX_DROP_UNUSABLE; 750 751 mmie = (struct ieee80211_mmie *) 752 (skb->data + skb->len - sizeof(*mmie)); 753 if (mmie->element_id != WLAN_EID_MMIE || 754 mmie->length != sizeof(*mmie) - 2) 755 return RX_DROP_UNUSABLE; /* Invalid MMIE */ 756 757 bip_ipn_swap(ipn, mmie->sequence_number); 758 759 if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) { 760 key->u.aes_cmac.replays++; 761 return RX_DROP_UNUSABLE; 762 } 763 764 if (!(status->flag & RX_FLAG_DECRYPTED)) { 765 /* hardware didn't decrypt/verify MIC */ 766 bip_aad(skb, aad); 767 ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad, 768 skb->data + 24, skb->len - 24, mic); 769 if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) { 770 key->u.aes_cmac.icverrors++; 771 return RX_DROP_UNUSABLE; 772 } 773 } 774 775 memcpy(key->u.aes_cmac.rx_pn, ipn, 6); 776 777 /* Remove MMIE */ 778 skb_trim(skb, skb->len - sizeof(*mmie)); 779 780 return RX_CONTINUE; 781 } 782 783 ieee80211_tx_result 784 ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx) 785 { 786 struct sk_buff *skb; 787 struct ieee80211_tx_info *info = NULL; 788 ieee80211_tx_result res; 789 790 skb_queue_walk(&tx->skbs, skb) { 791 info = IEEE80211_SKB_CB(skb); 792 793 /* handle hw-only algorithm */ 794 if (!info->control.hw_key) 795 return TX_DROP; 796 797 if (tx->key->sta->cipher_scheme) { 798 res = ieee80211_crypto_cs_encrypt(tx, skb); 799 if (res != TX_CONTINUE) 800 return res; 801 } 802 } 803 804 ieee80211_tx_set_protected(tx); 805 806 return TX_CONTINUE; 807 } 808 809 ieee80211_rx_result 810 ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx) 811 { 812 if (rx->sta->cipher_scheme) 813 return ieee80211_crypto_cs_decrypt(rx); 814 815 return RX_DROP_UNUSABLE; 816 } 817