You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

wpa_ccmp.c 13KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530
  1. /*
  2. * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. */
  19. FILE_LICENCE ( GPL2_OR_LATER );
  20. #include <string.h>
  21. #include <ipxe/net80211.h>
  22. #include <ipxe/crypto.h>
  23. #include <ipxe/hmac.h>
  24. #include <ipxe/sha1.h>
  25. #include <ipxe/aes.h>
  26. #include <ipxe/wpa.h>
  27. #include <byteswap.h>
  28. #include <errno.h>
  29. /** @file
  30. *
  31. * Backend for WPA using the CCMP encryption method
  32. */
  33. /** Context for CCMP encryption and decryption */
  34. struct ccmp_ctx
  35. {
  36. /** AES context - only ever used for encryption */
  37. u8 aes_ctx[AES_CTX_SIZE];
  38. /** Most recently sent packet number */
  39. u64 tx_seq;
  40. /** Most recently received packet number */
  41. u64 rx_seq;
  42. };
  43. /** Header structure at the beginning of CCMP frame data */
  44. struct ccmp_head
  45. {
  46. u8 pn_lo[2]; /**< Bytes 0 and 1 of packet number */
  47. u8 _rsvd; /**< Reserved byte */
  48. u8 kid; /**< Key ID and ExtIV byte */
  49. u8 pn_hi[4]; /**< Bytes 2-5 (2 first) of packet number */
  50. } __attribute__ (( packed ));
  51. /** CCMP header overhead */
  52. #define CCMP_HEAD_LEN 8
  53. /** CCMP MIC trailer overhead */
  54. #define CCMP_MIC_LEN 8
  55. /** CCMP nonce length */
  56. #define CCMP_NONCE_LEN 13
  57. /** CCMP nonce structure */
  58. struct ccmp_nonce
  59. {
  60. u8 prio; /**< Packet priority, 0 for non-QoS */
  61. u8 a2[ETH_ALEN]; /**< Address 2 from packet header (sender) */
  62. u8 pn[6]; /**< Packet number */
  63. } __attribute__ (( packed ));
  64. /** CCMP additional authentication data length (for non-QoS, non-WDS frames) */
  65. #define CCMP_AAD_LEN 22
  66. /** CCMP additional authentication data structure */
  67. struct ccmp_aad
  68. {
  69. u16 fc; /**< Frame Control field */
  70. u8 a1[6]; /**< Address 1 */
  71. u8 a2[6]; /**< Address 2 */
  72. u8 a3[6]; /**< Address 3 */
  73. u16 seq; /**< Sequence Control field */
  74. /* Address 4 and QoS Control are included if present */
  75. } __attribute__ (( packed ));
  76. /** Mask for Frame Control field in AAD */
  77. #define CCMP_AAD_FC_MASK 0xC38F
  78. /** Mask for Sequence Control field in AAD */
  79. #define CCMP_AAD_SEQ_MASK 0x000F
  80. /**
  81. * Convert 6-byte LSB packet number to 64-bit integer
  82. *
  83. * @v pn Pointer to 6-byte packet number
  84. * @ret v 64-bit integer value of @a pn
  85. */
  86. static u64 pn_to_u64 ( const u8 *pn )
  87. {
  88. int i;
  89. u64 ret = 0;
  90. for ( i = 5; i >= 0; i-- ) {
  91. ret <<= 8;
  92. ret |= pn[i];
  93. }
  94. return ret;
  95. }
  96. /**
  97. * Convert 64-bit integer to 6-byte packet number
  98. *
  99. * @v v 64-bit integer
  100. * @v msb If TRUE, reverse the output PN to be in MSB order
  101. * @ret pn 6-byte packet number
  102. *
  103. * The PN is stored in LSB order in the packet header and in MSB order
  104. * in the nonce. WHYYYYY?
  105. */
  106. static void u64_to_pn ( u64 v, u8 *pn, int msb )
  107. {
  108. int i;
  109. u8 *pnp = pn + ( msb ? 5 : 0 );
  110. int delta = ( msb ? -1 : +1 );
  111. for ( i = 0; i < 6; i++ ) {
  112. *pnp = v & 0xFF;
  113. pnp += delta;
  114. v >>= 8;
  115. }
  116. }
  117. /** Value for @a msb argument of u64_to_pn() for MSB output */
  118. #define PN_MSB 1
  119. /** Value for @a msb argument of u64_to_pn() for LSB output */
  120. #define PN_LSB 0
  121. /**
  122. * Initialise CCMP state and install key
  123. *
  124. * @v crypto CCMP cryptosystem structure
  125. * @v key Pointer to 16-byte temporal key to install
  126. * @v keylen Length of key (16 bytes)
  127. * @v rsc Initial receive sequence counter
  128. */
  129. static int ccmp_init ( struct net80211_crypto *crypto, const void *key,
  130. int keylen, const void *rsc )
  131. {
  132. struct ccmp_ctx *ctx = crypto->priv;
  133. if ( keylen != 16 )
  134. return -EINVAL;
  135. if ( rsc )
  136. ctx->rx_seq = pn_to_u64 ( rsc );
  137. cipher_setkey ( &aes_algorithm, ctx->aes_ctx, key, keylen );
  138. return 0;
  139. }
  140. /**
  141. * Encrypt or decrypt data stream using AES in Counter mode
  142. *
  143. * @v ctx CCMP cryptosystem context
  144. * @v nonce Nonce value, 13 bytes
  145. * @v srcv Data to encrypt or decrypt
  146. * @v len Number of bytes pointed to by @a src
  147. * @v msrcv MIC value to encrypt or decrypt (may be NULL)
  148. * @ret destv Encrypted or decrypted data
  149. * @ret mdestv Encrypted or decrypted MIC value
  150. *
  151. * This assumes CCMP parameters of L=2 and M=8. The algorithm is
  152. * defined in RFC 3610.
  153. */
  154. static void ccmp_ctr_xor ( struct ccmp_ctx *ctx, const void *nonce,
  155. const void *srcv, void *destv, int len,
  156. const void *msrcv, void *mdestv )
  157. {
  158. u8 A[16], S[16];
  159. u16 ctr;
  160. int i;
  161. const u8 *src = srcv, *msrc = msrcv;
  162. u8 *dest = destv, *mdest = mdestv;
  163. A[0] = 0x01; /* flags, L' = L - 1 = 1, other bits rsvd */
  164. memcpy ( A + 1, nonce, CCMP_NONCE_LEN );
  165. if ( msrcv ) {
  166. A[14] = A[15] = 0;
  167. cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
  168. for ( i = 0; i < 8; i++ ) {
  169. *mdest++ = *msrc++ ^ S[i];
  170. }
  171. }
  172. for ( ctr = 1 ;; ctr++ ) {
  173. A[14] = ctr >> 8;
  174. A[15] = ctr & 0xFF;
  175. cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
  176. for ( i = 0; i < len && i < 16; i++ )
  177. *dest++ = *src++ ^ S[i];
  178. if ( len <= 16 )
  179. break; /* we're done */
  180. len -= 16;
  181. }
  182. }
  183. /**
  184. * Advance one block in CBC-MAC calculation
  185. *
  186. * @v aes_ctx AES encryption context with key set
  187. * @v B Cleartext block to incorporate (16 bytes)
  188. * @v X Previous ciphertext block (16 bytes)
  189. * @ret B Clobbered
  190. * @ret X New ciphertext block (16 bytes)
  191. *
  192. * This function does X := E[key] ( X ^ B ).
  193. */
  194. static void ccmp_feed_cbc_mac ( void *aes_ctx, u8 *B, u8 *X )
  195. {
  196. int i;
  197. for ( i = 0; i < 16; i++ )
  198. B[i] ^= X[i];
  199. cipher_encrypt ( &aes_algorithm, aes_ctx, B, X, 16 );
  200. }
  201. /**
  202. * Calculate MIC on plaintext data using CBC-MAC
  203. *
  204. * @v ctx CCMP cryptosystem context
  205. * @v nonce Nonce value, 13 bytes
  206. * @v data Data to calculate MIC over
  207. * @v datalen Length of @a data
  208. * @v aad Additional authentication data, for MIC but not encryption
  209. * @ret mic MIC value (unencrypted), 8 bytes
  210. *
  211. * @a aadlen is assumed to be 22 bytes long, as it always is for
  212. * 802.11 use when transmitting non-QoS, not-between-APs frames (the
  213. * only type we deal with).
  214. */
  215. static void ccmp_cbc_mac ( struct ccmp_ctx *ctx, const void *nonce,
  216. const void *data, u16 datalen,
  217. const void *aad, void *mic )
  218. {
  219. u8 X[16], B[16];
  220. /* Zeroth block: flags, nonce, length */
  221. /* Rsv AAD - M'- - L'-
  222. * 0 1 0 1 1 0 0 1 for an 8-byte MAC and 2-byte message length
  223. */
  224. B[0] = 0x59;
  225. memcpy ( B + 1, nonce, CCMP_NONCE_LEN );
  226. B[14] = datalen >> 8;
  227. B[15] = datalen & 0xFF;
  228. cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, B, X, 16 );
  229. /* First block: AAD length field and 14 bytes of AAD */
  230. B[0] = 0;
  231. B[1] = CCMP_AAD_LEN;
  232. memcpy ( B + 2, aad, 14 );
  233. ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
  234. /* Second block: Remaining 8 bytes of AAD, 8 bytes zero pad */
  235. memcpy ( B, aad + 14, 8 );
  236. memset ( B + 8, 0, 8 );
  237. ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
  238. /* Message blocks */
  239. while ( datalen ) {
  240. if ( datalen >= 16 ) {
  241. memcpy ( B, data, 16 );
  242. datalen -= 16;
  243. } else {
  244. memcpy ( B, data, datalen );
  245. memset ( B + datalen, 0, 16 - datalen );
  246. datalen = 0;
  247. }
  248. ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
  249. data += 16;
  250. }
  251. /* Get MIC from final value of X */
  252. memcpy ( mic, X, 8 );
  253. }
  254. /**
  255. * Encapsulate and encrypt a packet using CCMP
  256. *
  257. * @v crypto CCMP cryptosystem
  258. * @v iob I/O buffer containing cleartext packet
  259. * @ret eiob I/O buffer containing encrypted packet
  260. */
  261. struct io_buffer * ccmp_encrypt ( struct net80211_crypto *crypto,
  262. struct io_buffer *iob )
  263. {
  264. struct ccmp_ctx *ctx = crypto->priv;
  265. struct ieee80211_frame *hdr = iob->data;
  266. struct io_buffer *eiob;
  267. const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
  268. int datalen = iob_len ( iob ) - hdrlen;
  269. struct ccmp_head head;
  270. struct ccmp_nonce nonce;
  271. struct ccmp_aad aad;
  272. u8 mic[8], tx_pn[6];
  273. void *edata, *emic;
  274. ctx->tx_seq++;
  275. u64_to_pn ( ctx->tx_seq, tx_pn, PN_LSB );
  276. /* Allocate memory */
  277. eiob = alloc_iob ( iob_len ( iob ) + CCMP_HEAD_LEN + CCMP_MIC_LEN );
  278. if ( ! eiob )
  279. return NULL;
  280. /* Copy frame header */
  281. memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
  282. hdr = eiob->data;
  283. hdr->fc |= IEEE80211_FC_PROTECTED;
  284. /* Fill in packet number and extended IV */
  285. memcpy ( head.pn_lo, tx_pn, 2 );
  286. memcpy ( head.pn_hi, tx_pn + 2, 4 );
  287. head.kid = 0x20; /* have Extended IV, key ID 0 */
  288. head._rsvd = 0;
  289. memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
  290. /* Form nonce */
  291. nonce.prio = 0;
  292. memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
  293. u64_to_pn ( ctx->tx_seq, nonce.pn, PN_MSB );
  294. /* Form additional authentication data */
  295. aad.fc = hdr->fc & CCMP_AAD_FC_MASK;
  296. memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
  297. aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
  298. /* Calculate MIC over the data */
  299. ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, mic );
  300. /* Copy and encrypt data and MIC */
  301. edata = iob_put ( eiob, datalen );
  302. emic = iob_put ( eiob, CCMP_MIC_LEN );
  303. ccmp_ctr_xor ( ctx, &nonce,
  304. iob->data + hdrlen, edata, datalen,
  305. mic, emic );
  306. /* Done! */
  307. DBGC2 ( ctx, "WPA-CCMP %p: encrypted packet %p -> %p\n", ctx,
  308. iob, eiob );
  309. return eiob;
  310. }
  311. /**
  312. * Decrypt a packet using CCMP
  313. *
  314. * @v crypto CCMP cryptosystem
  315. * @v eiob I/O buffer containing encrypted packet
  316. * @ret iob I/O buffer containing cleartext packet
  317. */
  318. static struct io_buffer * ccmp_decrypt ( struct net80211_crypto *crypto,
  319. struct io_buffer *eiob )
  320. {
  321. struct ccmp_ctx *ctx = crypto->priv;
  322. struct ieee80211_frame *hdr;
  323. struct io_buffer *iob;
  324. const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
  325. int datalen = iob_len ( eiob ) - hdrlen - CCMP_HEAD_LEN - CCMP_MIC_LEN;
  326. struct ccmp_head *head;
  327. struct ccmp_nonce nonce;
  328. struct ccmp_aad aad;
  329. u8 rx_pn[6], their_mic[8], our_mic[8];
  330. iob = alloc_iob ( hdrlen + datalen );
  331. if ( ! iob )
  332. return NULL;
  333. /* Copy frame header */
  334. memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
  335. hdr = iob->data;
  336. hdr->fc &= ~IEEE80211_FC_PROTECTED;
  337. /* Check and update RX packet number */
  338. head = eiob->data + hdrlen;
  339. memcpy ( rx_pn, head->pn_lo, 2 );
  340. memcpy ( rx_pn + 2, head->pn_hi, 4 );
  341. if ( pn_to_u64 ( rx_pn ) <= ctx->rx_seq ) {
  342. DBGC ( ctx, "WPA-CCMP %p: packet received out of order "
  343. "(%012llx <= %012llx)\n", ctx, pn_to_u64 ( rx_pn ),
  344. ctx->rx_seq );
  345. free_iob ( iob );
  346. return NULL;
  347. }
  348. ctx->rx_seq = pn_to_u64 ( rx_pn );
  349. DBGC2 ( ctx, "WPA-CCMP %p: RX packet number %012llx\n", ctx, ctx->rx_seq );
  350. /* Form nonce */
  351. nonce.prio = 0;
  352. memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
  353. u64_to_pn ( ctx->rx_seq, nonce.pn, PN_MSB );
  354. /* Form additional authentication data */
  355. aad.fc = ( hdr->fc & CCMP_AAD_FC_MASK ) | IEEE80211_FC_PROTECTED;
  356. memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
  357. aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
  358. /* Copy-decrypt data and MIC */
  359. ccmp_ctr_xor ( ctx, &nonce, eiob->data + hdrlen + sizeof ( *head ),
  360. iob_put ( iob, datalen ), datalen,
  361. eiob->tail - CCMP_MIC_LEN, their_mic );
  362. /* Check MIC */
  363. ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad,
  364. our_mic );
  365. if ( memcmp ( their_mic, our_mic, CCMP_MIC_LEN ) != 0 ) {
  366. DBGC2 ( ctx, "WPA-CCMP %p: MIC failure\n", ctx );
  367. free_iob ( iob );
  368. return NULL;
  369. }
  370. DBGC2 ( ctx, "WPA-CCMP %p: decrypted packet %p -> %p\n", ctx,
  371. eiob, iob );
  372. return iob;
  373. }
  374. /** CCMP cryptosystem */
  375. struct net80211_crypto ccmp_crypto __net80211_crypto = {
  376. .algorithm = NET80211_CRYPT_CCMP,
  377. .init = ccmp_init,
  378. .encrypt = ccmp_encrypt,
  379. .decrypt = ccmp_decrypt,
  380. .priv_len = sizeof ( struct ccmp_ctx ),
  381. };
  382. /**
  383. * Calculate HMAC-SHA1 MIC for EAPOL-Key frame
  384. *
  385. * @v kck Key Confirmation Key, 16 bytes
  386. * @v msg Message to calculate MIC over
  387. * @v len Number of bytes to calculate MIC over
  388. * @ret mic Calculated MIC, 16 bytes long
  389. */
  390. static void ccmp_kie_mic ( const void *kck, const void *msg, size_t len,
  391. void *mic )
  392. {
  393. u8 sha1_ctx[SHA1_CTX_SIZE];
  394. u8 kckb[16];
  395. u8 hash[SHA1_SIZE];
  396. size_t kck_len = 16;
  397. memcpy ( kckb, kck, kck_len );
  398. hmac_init ( &sha1_algorithm, sha1_ctx, kckb, &kck_len );
  399. hmac_update ( &sha1_algorithm, sha1_ctx, msg, len );
  400. hmac_final ( &sha1_algorithm, sha1_ctx, kckb, &kck_len, hash );
  401. memcpy ( mic, hash, 16 );
  402. }
  403. /**
  404. * Decrypt key data in EAPOL-Key frame
  405. *
  406. * @v kek Key Encryption Key, 16 bytes
  407. * @v iv Initialisation vector, 16 bytes (unused)
  408. * @v msg Message to decrypt
  409. * @v len Length of message
  410. * @ret msg Decrypted message in place of original
  411. * @ret len Adjusted downward for 8 bytes of overhead
  412. * @ret rc Return status code
  413. *
  414. * The returned message may still contain padding of 0xDD followed by
  415. * zero or more 0x00 octets. It is impossible to remove the padding
  416. * without parsing the IEs in the packet (another design decision that
  417. * tends to make one question the 802.11i committee's intelligence...)
  418. */
  419. static int ccmp_kie_decrypt ( const void *kek, const void *iv __unused,
  420. void *msg, u16 *len )
  421. {
  422. if ( *len % 8 != 0 )
  423. return -EINVAL;
  424. if ( aes_unwrap ( kek, msg, msg, *len / 8 - 1 ) != 0 )
  425. return -EINVAL;
  426. *len -= 8;
  427. return 0;
  428. }
  429. /** CCMP-style key integrity and encryption handler */
  430. struct wpa_kie ccmp_kie __wpa_kie = {
  431. .version = EAPOL_KEY_VERSION_WPA2,
  432. .mic = ccmp_kie_mic,
  433. .decrypt = ccmp_kie_decrypt,
  434. };