wpa.c 20.6 KB
Newer Older
1 2
/*
 * Copyright 2002-2004, Instant802 Networks, Inc.
3
 * Copyright 2008, Jouni Malinen <j@w1.fi>
4 5 6 7 8 9 10 11 12 13
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/netdevice.h>
#include <linux/types.h>
#include <linux/skbuff.h>
#include <linux/compiler.h>
14
#include <linux/ieee80211.h>
15
#include <linux/gfp.h>
16
#include <asm/unaligned.h>
17
#include <net/mac80211.h>
J
Johannes Berg 已提交
18
#include <crypto/aes.h>
J
Johannes Berg 已提交
19

20 21 22 23
#include "ieee80211_i.h"
#include "michael.h"
#include "tkip.h"
#include "aes_ccm.h"
24
#include "aes_cmac.h"
25 26
#include "wpa.h"

27
ieee80211_tx_result
28
ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
29
{
30
	u8 *data, *key, *mic;
31
	size_t data_len;
32 33
	unsigned int hdrlen;
	struct ieee80211_hdr *hdr;
34
	struct sk_buff *skb = tx->skb;
35
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
36
	int tail;
37

38
	hdr = (struct ieee80211_hdr *)skb->data;
39 40
	if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
	    skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control))
41
		return TX_CONTINUE;
42

43 44
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
	if (skb->len < hdrlen)
45
		return TX_DROP;
46

47 48 49
	data = skb->data + hdrlen;
	data_len = skb->len - hdrlen;

50 51 52 53 54
	if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
		/* Need to use software crypto for the test */
		info->control.hw_key = NULL;
	}

55
	if (info->control.hw_key &&
56 57
	    (info->flags & IEEE80211_TX_CTL_DONTFRAG ||
	     tx->local->ops->set_frag_threshold) &&
58 59
	    !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) {
		/* hwaccel - with no need for SW-generated MMIC */
60
		return TX_CONTINUE;
61 62
	}

63
	tail = MICHAEL_MIC_LEN;
64
	if (!info->control.hw_key)
65
		tail += IEEE80211_TKIP_ICV_LEN;
66 67

	if (WARN_ON(skb_tailroom(skb) < tail ||
68
		    skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
69
		return TX_DROP;
70

71
	key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
72
	mic = skb_put(skb, MICHAEL_MIC_LEN);
73
	michael_mic(key, hdr, data, data_len, mic);
74 75
	if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
		mic[0]++;
76

77
	return TX_CONTINUE;
78 79 80
}


81
ieee80211_rx_result
82
ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
83
{
84
	u8 *data, *key = NULL;
85
	size_t data_len;
86
	unsigned int hdrlen;
87 88
	u8 mic[MICHAEL_MIC_LEN];
	struct sk_buff *skb = rx->skb;
J
Johannes Berg 已提交
89 90
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
91

92 93 94 95 96
	/*
	 * it makes no sense to check for MIC errors on anything other
	 * than data frames.
	 */
	if (!ieee80211_is_data_present(hdr->frame_control))
97
		return RX_CONTINUE;
98

99 100 101 102 103 104 105 106
	/*
	 * No way to verify the MIC if the hardware stripped it or
	 * the IV with the key index. In this case we have solely rely
	 * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
	 * MIC failure report.
	 */
	if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
		if (status->flag & RX_FLAG_MMIC_ERROR)
107
			goto mic_fail_no_key;
108

109 110
		if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
		    rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
111 112 113 114 115 116 117 118 119 120
			goto update_iv;

		return RX_CONTINUE;
	}

	/*
	 * Some hardware seems to generate Michael MIC failure reports; even
	 * though, the frame was not encrypted with TKIP and therefore has no
	 * MIC. Ignore the flag them to avoid triggering countermeasures.
	 */
121
	if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
122
	    !(status->flag & RX_FLAG_DECRYPTED))
123
		return RX_CONTINUE;
124

125 126 127 128 129
	if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
		/*
		 * APs with pairwise keys should never receive Michael MIC
		 * errors for non-zero keyidx because these are reserved for
		 * group keys and only the AP is sending real multicast
130
		 * frames in the BSS.
131 132 133 134 135 136 137
		 */
		return RX_DROP_UNUSABLE;
	}

	if (status->flag & RX_FLAG_MMIC_ERROR)
		goto mic_fail;

138 139
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
	if (skb->len < hdrlen + MICHAEL_MIC_LEN)
J
Johannes Berg 已提交
140
		return RX_DROP_UNUSABLE;
141

142 143 144 145
	if (skb_linearize(rx->skb))
		return RX_DROP_UNUSABLE;
	hdr = (void *)skb->data;

146 147
	data = skb->data + hdrlen;
	data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
148
	key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
149
	michael_mic(key, hdr, data, data_len, mic);
150 151
	if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
		goto mic_fail;
152 153 154 155

	/* remove Michael MIC from payload */
	skb_trim(skb, skb->len - MICHAEL_MIC_LEN);

156
update_iv:
157
	/* update IV in key information to be able to detect replays */
158 159
	rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
	rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
160

161
	return RX_CONTINUE;
162 163

mic_fail:
164 165 166
	rx->key->u.tkip.mic_failures++;

mic_fail_no_key:
167 168 169 170 171 172 173
	/*
	 * In some cases the key can be unset - e.g. a multicast packet, in
	 * a driver that supports HW encryption. Send up the key idx only if
	 * the key is set.
	 */
	mac80211_ev_michael_mic_failure(rx->sdata,
					rx->key ? rx->key->conf.keyidx : -1,
174 175
					(void *) skb->data, NULL, GFP_ATOMIC);
	return RX_DROP_UNUSABLE;
176 177 178
}


179
static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
180 181 182
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
	struct ieee80211_key *key = tx->key;
183
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
184 185
	unsigned int hdrlen;
	int len, tail;
186 187
	u8 *pos;

188
	if (info->control.hw_key &&
189 190
	    !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
	    !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
191
		/* hwaccel - with no need for software-generated IV */
192
		return 0;
193 194
	}

195
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
196 197
	len = skb->len - hdrlen;

198
	if (info->control.hw_key)
199
		tail = 0;
J
Johannes Berg 已提交
200
	else
201
		tail = IEEE80211_TKIP_ICV_LEN;
202 203

	if (WARN_ON(skb_tailroom(skb) < tail ||
204
		    skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
205
		return -1;
206

207 208 209 210
	pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
	memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
	skb_set_network_header(skb, skb_network_offset(skb) +
				    IEEE80211_TKIP_IV_LEN);
211 212
	pos += hdrlen;

213 214 215 216 217
	/* the HW only needs room for the IV, but not the actual IV */
	if (info->control.hw_key &&
	    (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
		return 0;

218
	/* Increase IV for the frame */
219
	spin_lock(&key->u.tkip.txlock);
220 221 222
	key->u.tkip.tx.iv16++;
	if (key->u.tkip.tx.iv16 == 0)
		key->u.tkip.tx.iv32++;
223
	pos = ieee80211_tkip_add_iv(pos, key);
224
	spin_unlock(&key->u.tkip.txlock);
225

226 227
	/* hwaccel - with software IV */
	if (info->control.hw_key)
228 229 230
		return 0;

	/* Add room for ICV */
231
	skb_put(skb, IEEE80211_TKIP_ICV_LEN);
232

233
	return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm,
234
					   key, skb, pos, len);
235 236 237
}


238
ieee80211_tx_result
239
ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx)
240
{
241
	struct sk_buff *skb;
242

243
	ieee80211_tx_set_protected(tx);
244

245
	skb_queue_walk(&tx->skbs, skb) {
J
Johannes Berg 已提交
246 247
		if (tkip_encrypt_skb(tx, skb) < 0)
			return TX_DROP;
248
	}
249

250
	return TX_CONTINUE;
251 252 253
}


254
ieee80211_rx_result
255
ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
256 257
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
258
	int hdrlen, res, hwaccel = 0;
259 260
	struct ieee80211_key *key = rx->key;
	struct sk_buff *skb = rx->skb;
J
Johannes Berg 已提交
261
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
262

263
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
264

265
	if (!ieee80211_is_data(hdr->frame_control))
266
		return RX_CONTINUE;
267 268

	if (!rx->sta || skb->len - hdrlen < 12)
J
Johannes Berg 已提交
269
		return RX_DROP_UNUSABLE;
270

271 272 273 274 275
	/* it may be possible to optimize this a bit more */
	if (skb_linearize(rx->skb))
		return RX_DROP_UNUSABLE;
	hdr = (void *)skb->data;

276 277 278 279 280 281
	/*
	 * Let TKIP code verify IV, but skip decryption.
	 * In the case where hardware checks the IV as well,
	 * we don't even get here, see ieee80211_rx_h_decrypt()
	 */
	if (status->flag & RX_FLAG_DECRYPTED)
282 283 284 285
		hwaccel = 1;

	res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
					  key, skb->data + hdrlen,
286
					  skb->len - hdrlen, rx->sta->sta.addr,
287
					  hdr->addr1, hwaccel, rx->security_idx,
288 289
					  &rx->tkip_iv32,
					  &rx->tkip_iv16);
290
	if (res != TKIP_DECRYPT_OK)
J
Johannes Berg 已提交
291
		return RX_DROP_UNUSABLE;
292 293

	/* Trim ICV */
294
	skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
295 296

	/* Remove IV */
297 298
	memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
	skb_pull(skb, IEEE80211_TKIP_IV_LEN);
299

300
	return RX_CONTINUE;
301 302 303
}


304
static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
305
{
306
	__le16 mask_fc;
307
	int a4_included, mgmt;
308
	u8 qos_tid;
309
	u16 len_a;
310 311
	unsigned int hdrlen;
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
312

313
	/*
314
	 * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
315 316
	 * Retry, PwrMgt, MoreData; set Protected
	 */
317
	mgmt = ieee80211_is_mgmt(hdr->frame_control);
318
	mask_fc = hdr->frame_control;
319
	mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
320
				IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
321 322
	if (!mgmt)
		mask_fc &= ~cpu_to_le16(0x0070);
323 324 325 326 327
	mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);

	hdrlen = ieee80211_hdrlen(hdr->frame_control);
	len_a = hdrlen - 2;
	a4_included = ieee80211_has_a4(hdr->frame_control);
328

329 330 331 332 333
	if (ieee80211_is_data_qos(hdr->frame_control))
		qos_tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
	else
		qos_tid = 0;

334 335 336 337 338 339 340 341
	/* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC
	 * mode authentication are not allowed to collide, yet both are derived
	 * from this vector b_0. We only set L := 1 here to indicate that the
	 * data size can be represented in (L+1) bytes. The CCM layer will take
	 * care of storing the data length in the top (L+1) bytes and setting
	 * and clearing the other bits as is required to derive the two IVs.
	 */
	b_0[0] = 0x1;
342

343 344 345 346
	/* Nonce: Nonce Flags | A2 | PN
	 * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
	 */
	b_0[1] = qos_tid | (mgmt << 4);
347
	memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
348
	memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
349 350 351

	/* AAD (extra authenticate-only data) / masked 802.11 header
	 * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
352 353
	put_unaligned_be16(len_a, &aad[0]);
	put_unaligned(mask_fc, (__le16 *)&aad[2]);
354
	memcpy(&aad[4], &hdr->addr1, 3 * ETH_ALEN);
355 356 357 358

	/* Mask Seq#, leave Frag# */
	aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f;
	aad[23] = 0;
359

360
	if (a4_included) {
361
		memcpy(&aad[24], hdr->addr4, ETH_ALEN);
362
		aad[30] = qos_tid;
363
		aad[31] = 0;
364
	} else {
365
		memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
366
		aad[24] = qos_tid;
367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383
	}
}


static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id)
{
	hdr[0] = pn[5];
	hdr[1] = pn[4];
	hdr[2] = 0;
	hdr[3] = 0x20 | (key_id << 6);
	hdr[4] = pn[3];
	hdr[5] = pn[2];
	hdr[6] = pn[1];
	hdr[7] = pn[0];
}


J
Johannes Berg 已提交
384
static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr)
385 386 387 388 389 390 391 392 393 394
{
	pn[0] = hdr[7];
	pn[1] = hdr[6];
	pn[2] = hdr[5];
	pn[3] = hdr[4];
	pn[4] = hdr[1];
	pn[5] = hdr[0];
}


395
static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
396 397 398
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
	struct ieee80211_key *key = tx->key;
399
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
400
	int hdrlen, len, tail;
J
Johannes Berg 已提交
401 402 403
	u8 *pos;
	u8 pn[6];
	u64 pn64;
404 405
	u8 aad[2 * AES_BLOCK_SIZE];
	u8 b_0[AES_BLOCK_SIZE];
406

407
	if (info->control.hw_key &&
408
	    !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
409 410 411 412
	    !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
	    !((info->control.hw_key->flags &
	       IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
	      ieee80211_is_mgmt(hdr->frame_control))) {
413 414 415 416
		/*
		 * hwaccel has no need for preallocated room for CCMP
		 * header or MIC fields
		 */
417
		return 0;
418 419
	}

420
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
421 422
	len = skb->len - hdrlen;

423
	if (info->control.hw_key)
424
		tail = 0;
J
Johannes Berg 已提交
425
	else
426
		tail = IEEE80211_CCMP_MIC_LEN;
427 428

	if (WARN_ON(skb_tailroom(skb) < tail ||
429
		    skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN))
430
		return -1;
431

432 433 434 435
	pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
	memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
	skb_set_network_header(skb, skb_network_offset(skb) +
				    IEEE80211_CCMP_HDR_LEN);
436 437

	/* the HW only needs room for the IV, but not the actual IV */
438 439
	if (info->control.hw_key &&
	    (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
440 441
		return 0;

442 443 444
	hdr = (struct ieee80211_hdr *) pos;
	pos += hdrlen;

J
Johannes Berg 已提交
445
	pn64 = atomic64_inc_return(&key->u.ccmp.tx_pn);
446

J
Johannes Berg 已提交
447 448 449 450 451 452
	pn[5] = pn64;
	pn[4] = pn64 >> 8;
	pn[3] = pn64 >> 16;
	pn[2] = pn64 >> 24;
	pn[1] = pn64 >> 32;
	pn[0] = pn64 >> 40;
453

454
	ccmp_pn2hdr(pos, pn, key->conf.keyidx);
455

456 457
	/* hwaccel - with software CCMP header */
	if (info->control.hw_key)
458 459
		return 0;

460
	pos += IEEE80211_CCMP_HDR_LEN;
461
	ccmp_special_blocks(skb, pn, b_0, aad);
462 463
	ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
				  skb_put(skb, IEEE80211_CCMP_MIC_LEN));
464 465 466 467 468

	return 0;
}


469
ieee80211_tx_result
470
ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx)
471
{
472
	struct sk_buff *skb;
473

474
	ieee80211_tx_set_protected(tx);
475

476
	skb_queue_walk(&tx->skbs, skb) {
J
Johannes Berg 已提交
477 478
		if (ccmp_encrypt_skb(tx, skb) < 0)
			return TX_DROP;
479
	}
480

481
	return TX_CONTINUE;
482 483 484
}


485
ieee80211_rx_result
486
ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
487
{
488
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
489 490 491
	int hdrlen;
	struct ieee80211_key *key = rx->key;
	struct sk_buff *skb = rx->skb;
J
Johannes Berg 已提交
492
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
493
	u8 pn[IEEE80211_CCMP_PN_LEN];
494
	int data_len;
495
	int queue;
496

497
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
498

499
	if (!ieee80211_is_data(hdr->frame_control) &&
500
	    !ieee80211_is_robust_mgmt_frame(skb))
501
		return RX_CONTINUE;
502

503 504
	data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
		   IEEE80211_CCMP_MIC_LEN;
505
	if (!rx->sta || data_len < 0)
J
Johannes Berg 已提交
506
		return RX_DROP_UNUSABLE;
507

508
	if (status->flag & RX_FLAG_DECRYPTED) {
509
		if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
510 511 512 513 514 515
			return RX_DROP_UNUSABLE;
	} else {
		if (skb_linearize(rx->skb))
			return RX_DROP_UNUSABLE;
	}

J
Johannes Berg 已提交
516
	ccmp_hdr2pn(pn, skb->data + hdrlen);
517

518
	queue = rx->security_idx;
519

520
	if (memcmp(pn, key->u.ccmp.rx_pn[queue], IEEE80211_CCMP_PN_LEN) <= 0) {
521
		key->u.ccmp.replays++;
J
Johannes Berg 已提交
522
		return RX_DROP_UNUSABLE;
523 524
	}

J
Johannes Berg 已提交
525
	if (!(status->flag & RX_FLAG_DECRYPTED)) {
526 527
		u8 aad[2 * AES_BLOCK_SIZE];
		u8 b_0[AES_BLOCK_SIZE];
528
		/* hardware didn't decrypt/verify MIC */
529
		ccmp_special_blocks(skb, pn, b_0, aad);
530 531

		if (ieee80211_aes_ccm_decrypt(
532
			    key->u.ccmp.tfm, b_0, aad,
533 534
			    skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN,
			    data_len,
535
			    skb->data + skb->len - IEEE80211_CCMP_MIC_LEN))
J
Johannes Berg 已提交
536
			return RX_DROP_UNUSABLE;
537 538
	}

539
	memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
540 541

	/* Remove CCMP header and MIC */
542
	if (pskb_trim(skb, skb->len - IEEE80211_CCMP_MIC_LEN))
543
		return RX_DROP_UNUSABLE;
544 545
	memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
	skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
546

547
	return RX_CONTINUE;
548
}
549

550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649
static ieee80211_tx_result
ieee80211_crypto_cs_encrypt(struct ieee80211_tx_data *tx,
			    struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	struct ieee80211_key *key = tx->key;
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
	const struct ieee80211_cipher_scheme *cs = key->sta->cipher_scheme;
	int hdrlen;
	u8 *pos;

	if (info->control.hw_key &&
	    !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
		/* hwaccel has no need for preallocated head room */
		return TX_CONTINUE;
	}

	if (unlikely(skb_headroom(skb) < cs->hdr_len &&
		     pskb_expand_head(skb, cs->hdr_len, 0, GFP_ATOMIC)))
		return TX_DROP;

	hdrlen = ieee80211_hdrlen(hdr->frame_control);

	pos = skb_push(skb, cs->hdr_len);
	memmove(pos, pos + cs->hdr_len, hdrlen);
	skb_set_network_header(skb, skb_network_offset(skb) + cs->hdr_len);

	return TX_CONTINUE;
}

static inline int ieee80211_crypto_cs_pn_compare(u8 *pn1, u8 *pn2, int len)
{
	int i;

	/* pn is little endian */
	for (i = len - 1; i >= 0; i--) {
		if (pn1[i] < pn2[i])
			return -1;
		else if (pn1[i] > pn2[i])
			return 1;
	}

	return 0;
}

static ieee80211_rx_result
ieee80211_crypto_cs_decrypt(struct ieee80211_rx_data *rx)
{
	struct ieee80211_key *key = rx->key;
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
	const struct ieee80211_cipher_scheme *cs = NULL;
	int hdrlen = ieee80211_hdrlen(hdr->frame_control);
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
	int data_len;
	u8 *rx_pn;
	u8 *skb_pn;
	u8 qos_tid;

	if (!rx->sta || !rx->sta->cipher_scheme ||
	    !(status->flag & RX_FLAG_DECRYPTED))
		return RX_DROP_UNUSABLE;

	if (!ieee80211_is_data(hdr->frame_control))
		return RX_CONTINUE;

	cs = rx->sta->cipher_scheme;

	data_len = rx->skb->len - hdrlen - cs->hdr_len;

	if (data_len < 0)
		return RX_DROP_UNUSABLE;

	if (ieee80211_is_data_qos(hdr->frame_control))
		qos_tid = *ieee80211_get_qos_ctl(hdr) &
				IEEE80211_QOS_CTL_TID_MASK;
	else
		qos_tid = 0;

	if (skb_linearize(rx->skb))
		return RX_DROP_UNUSABLE;

	hdr = (struct ieee80211_hdr *)rx->skb->data;

	rx_pn = key->u.gen.rx_pn[qos_tid];
	skb_pn = rx->skb->data + hdrlen + cs->pn_off;

	if (ieee80211_crypto_cs_pn_compare(skb_pn, rx_pn, cs->pn_len) <= 0)
		return RX_DROP_UNUSABLE;

	memcpy(rx_pn, skb_pn, cs->pn_len);

	/* remove security header and MIC */
	if (pskb_trim(rx->skb, rx->skb->len - cs->mic_len))
		return RX_DROP_UNUSABLE;

	memmove(rx->skb->data + cs->hdr_len, rx->skb->data, hdrlen);
	skb_pull(rx->skb, cs->hdr_len);

	return RX_CONTINUE;
}
650 651 652

static void bip_aad(struct sk_buff *skb, u8 *aad)
{
653 654 655
	__le16 mask_fc;
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

656 657 658 659
	/* BIP AAD: FC(masked) || A1 || A2 || A3 */

	/* FC type/subtype */
	/* Mask FC Retry, PwrMgt, MoreData flags to zero */
660 661 662 663
	mask_fc = hdr->frame_control;
	mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
				IEEE80211_FCTL_MOREDATA);
	put_unaligned(mask_fc, (__le16 *) &aad[0]);
664
	/* A1 || A2 || A3 */
665
	memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN);
666 667 668
}


J
Johannes Berg 已提交
669 670 671 672 673 674 675 676 677 678
static inline void bip_ipn_set64(u8 *d, u64 pn)
{
	*d++ = pn;
	*d++ = pn >> 8;
	*d++ = pn >> 16;
	*d++ = pn >> 24;
	*d++ = pn >> 32;
	*d = pn >> 40;
}

679 680 681 682 683 684 685 686 687 688 689 690 691 692
static inline void bip_ipn_swap(u8 *d, const u8 *s)
{
	*d++ = s[5];
	*d++ = s[4];
	*d++ = s[3];
	*d++ = s[2];
	*d++ = s[1];
	*d = s[0];
}


ieee80211_tx_result
ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
{
693 694
	struct sk_buff *skb;
	struct ieee80211_tx_info *info;
695 696
	struct ieee80211_key *key = tx->key;
	struct ieee80211_mmie *mmie;
J
Johannes Berg 已提交
697 698
	u8 aad[20];
	u64 pn64;
699

700 701 702 703 704 705 706
	if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
		return TX_DROP;

	skb = skb_peek(&tx->skbs);

	info = IEEE80211_SKB_CB(skb);

707
	if (info->control.hw_key)
708
		return TX_CONTINUE;
709 710 711 712 713 714 715 716 717 718

	if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
		return TX_DROP;

	mmie = (struct ieee80211_mmie *) skb_put(skb, sizeof(*mmie));
	mmie->element_id = WLAN_EID_MMIE;
	mmie->length = sizeof(*mmie) - 2;
	mmie->key_id = cpu_to_le16(key->conf.keyidx);

	/* PN = PN + 1 */
J
Johannes Berg 已提交
719
	pn64 = atomic64_inc_return(&key->u.aes_cmac.tx_pn);
720

J
Johannes Berg 已提交
721
	bip_ipn_set64(mmie->sequence_number, pn64);
722 723 724 725 726 727

	bip_aad(skb, aad);

	/*
	 * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
	 */
J
Johannes Berg 已提交
728 729
	ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
			   skb->data + 24, skb->len - 24, mmie->mic);
730 731 732 733 734 735 736 737 738

	return TX_CONTINUE;
}


ieee80211_rx_result
ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
{
	struct sk_buff *skb = rx->skb;
J
Johannes Berg 已提交
739
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
740 741 742 743 744 745 746 747
	struct ieee80211_key *key = rx->key;
	struct ieee80211_mmie *mmie;
	u8 aad[20], mic[8], ipn[6];
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

	if (!ieee80211_is_mgmt(hdr->frame_control))
		return RX_CONTINUE;

748 749
	/* management frames are already linear */

750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765
	if (skb->len < 24 + sizeof(*mmie))
		return RX_DROP_UNUSABLE;

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
	if (mmie->element_id != WLAN_EID_MMIE ||
	    mmie->length != sizeof(*mmie) - 2)
		return RX_DROP_UNUSABLE; /* Invalid MMIE */

	bip_ipn_swap(ipn, mmie->sequence_number);

	if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
		key->u.aes_cmac.replays++;
		return RX_DROP_UNUSABLE;
	}

J
Johannes Berg 已提交
766
	if (!(status->flag & RX_FLAG_DECRYPTED)) {
767 768
		/* hardware didn't decrypt/verify MIC */
		bip_aad(skb, aad);
J
Johannes Berg 已提交
769
		ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
770 771 772 773 774 775 776 777 778 779 780 781 782 783
				   skb->data + 24, skb->len - 24, mic);
		if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
			key->u.aes_cmac.icverrors++;
			return RX_DROP_UNUSABLE;
		}
	}

	memcpy(key->u.aes_cmac.rx_pn, ipn, 6);

	/* Remove MMIE */
	skb_trim(skb, skb->len - sizeof(*mmie));

	return RX_CONTINUE;
}
784 785 786 787 788 789

ieee80211_tx_result
ieee80211_crypto_hw_encrypt(struct ieee80211_tx_data *tx)
{
	struct sk_buff *skb;
	struct ieee80211_tx_info *info = NULL;
790
	ieee80211_tx_result res;
791 792 793 794 795 796 797

	skb_queue_walk(&tx->skbs, skb) {
		info  = IEEE80211_SKB_CB(skb);

		/* handle hw-only algorithm */
		if (!info->control.hw_key)
			return TX_DROP;
798 799 800 801 802 803

		if (tx->key->sta->cipher_scheme) {
			res = ieee80211_crypto_cs_encrypt(tx, skb);
			if (res != TX_CONTINUE)
				return res;
		}
804 805 806 807 808 809
	}

	ieee80211_tx_set_protected(tx);

	return TX_CONTINUE;
}
810 811 812 813

ieee80211_rx_result
ieee80211_crypto_hw_decrypt(struct ieee80211_rx_data *rx)
{
814
	if (rx->sta && rx->sta->cipher_scheme)
815 816 817 818
		return ieee80211_crypto_cs_decrypt(rx);

	return RX_DROP_UNUSABLE;
}