![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to wpa_ccmp.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Qemu by Fabrice Bellard] / qemu / roms / ipxe / src / net / 80211|
Return to wpa_ccmp.c CVS log | Up to [Qemu by Fabrice Bellard] / qemu / roms / ipxe / src / net / 80211 |
1.1 ! root 1: /* ! 2: * Copyright (c) 2009 Joshua Oreman <[email protected]>. ! 3: * ! 4: * This program is free software; you can redistribute it and/or ! 5: * modify it under the terms of the GNU General Public License as ! 6: * published by the Free Software Foundation; either version 2 of the ! 7: * License, or any later version. ! 8: * ! 9: * This program is distributed in the hope that it will be useful, but ! 10: * WITHOUT ANY WARRANTY; without even the implied warranty of ! 11: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ! 12: * General Public License for more details. ! 13: * ! 14: * You should have received a copy of the GNU General Public License ! 15: * along with this program; if not, write to the Free Software ! 16: * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ! 17: */ ! 18: ! 19: FILE_LICENCE ( GPL2_OR_LATER ); ! 20: ! 21: #include <ipxe/net80211.h> ! 22: #include <ipxe/crypto.h> ! 23: #include <ipxe/hmac.h> ! 24: #include <ipxe/sha1.h> ! 25: #include <ipxe/aes.h> ! 26: #include <ipxe/wpa.h> ! 27: #include <byteswap.h> ! 28: #include <errno.h> ! 29: ! 30: /** @file ! 31: * ! 32: * Backend for WPA using the CCMP encryption method ! 33: */ ! 34: ! 35: /** Context for CCMP encryption and decryption */ ! 36: struct ccmp_ctx ! 37: { ! 38: /** AES context - only ever used for encryption */ ! 39: u8 aes_ctx[AES_CTX_SIZE]; ! 40: ! 41: /** Most recently sent packet number */ ! 42: u64 tx_seq; ! 43: ! 44: /** Most recently received packet number */ ! 45: u64 rx_seq; ! 46: }; ! 47: ! 48: /** Header structure at the beginning of CCMP frame data */ ! 49: struct ccmp_head ! 50: { ! 51: u8 pn_lo[2]; /**< Bytes 0 and 1 of packet number */ ! 52: u8 _rsvd; /**< Reserved byte */ ! 53: u8 kid; /**< Key ID and ExtIV byte */ ! 54: u8 pn_hi[4]; /**< Bytes 2-5 (2 first) of packet number */ ! 55: } __attribute__ (( packed )); ! 56: ! 57: ! 58: /** CCMP header overhead */ ! 59: #define CCMP_HEAD_LEN 8 ! 60: ! 61: /** CCMP MIC trailer overhead */ ! 62: #define CCMP_MIC_LEN 8 ! 63: ! 64: /** CCMP nonce length */ ! 65: #define CCMP_NONCE_LEN 13 ! 66: ! 67: /** CCMP nonce structure */ ! 68: struct ccmp_nonce ! 69: { ! 70: u8 prio; /**< Packet priority, 0 for non-QoS */ ! 71: u8 a2[ETH_ALEN]; /**< Address 2 from packet header (sender) */ ! 72: u8 pn[6]; /**< Packet number */ ! 73: } __attribute__ (( packed )); ! 74: ! 75: /** CCMP additional authentication data length (for non-QoS, non-WDS frames) */ ! 76: #define CCMP_AAD_LEN 22 ! 77: ! 78: /** CCMP additional authentication data structure */ ! 79: struct ccmp_aad ! 80: { ! 81: u16 fc; /**< Frame Control field */ ! 82: u8 a1[6]; /**< Address 1 */ ! 83: u8 a2[6]; /**< Address 2 */ ! 84: u8 a3[6]; /**< Address 3 */ ! 85: u16 seq; /**< Sequence Control field */ ! 86: /* Address 4 and QoS Control are included if present */ ! 87: } __attribute__ (( packed )); ! 88: ! 89: /** Mask for Frame Control field in AAD */ ! 90: #define CCMP_AAD_FC_MASK 0xC38F ! 91: ! 92: /** Mask for Sequence Control field in AAD */ ! 93: #define CCMP_AAD_SEQ_MASK 0x000F ! 94: ! 95: ! 96: /** ! 97: * Convert 6-byte LSB packet number to 64-bit integer ! 98: * ! 99: * @v pn Pointer to 6-byte packet number ! 100: * @ret v 64-bit integer value of @a pn ! 101: */ ! 102: static u64 pn_to_u64 ( const u8 *pn ) ! 103: { ! 104: int i; ! 105: u64 ret = 0; ! 106: ! 107: for ( i = 5; i >= 0; i-- ) { ! 108: ret <<= 8; ! 109: ret |= pn[i]; ! 110: } ! 111: ! 112: return ret; ! 113: } ! 114: ! 115: /** ! 116: * Convert 64-bit integer to 6-byte packet number ! 117: * ! 118: * @v v 64-bit integer ! 119: * @v msb If TRUE, reverse the output PN to be in MSB order ! 120: * @ret pn 6-byte packet number ! 121: * ! 122: * The PN is stored in LSB order in the packet header and in MSB order ! 123: * in the nonce. WHYYYYY? ! 124: */ ! 125: static void u64_to_pn ( u64 v, u8 *pn, int msb ) ! 126: { ! 127: int i; ! 128: u8 *pnp = pn + ( msb ? 5 : 0 ); ! 129: int delta = ( msb ? -1 : +1 ); ! 130: ! 131: for ( i = 0; i < 6; i++ ) { ! 132: *pnp = v & 0xFF; ! 133: pnp += delta; ! 134: v >>= 8; ! 135: } ! 136: } ! 137: ! 138: /** Value for @a msb argument of u64_to_pn() for MSB output */ ! 139: #define PN_MSB 1 ! 140: ! 141: /** Value for @a msb argument of u64_to_pn() for LSB output */ ! 142: #define PN_LSB 0 ! 143: ! 144: ! 145: ! 146: /** ! 147: * Initialise CCMP state and install key ! 148: * ! 149: * @v crypto CCMP cryptosystem structure ! 150: * @v key Pointer to 16-byte temporal key to install ! 151: * @v keylen Length of key (16 bytes) ! 152: * @v rsc Initial receive sequence counter ! 153: */ ! 154: static int ccmp_init ( struct net80211_crypto *crypto, const void *key, ! 155: int keylen, const void *rsc ) ! 156: { ! 157: struct ccmp_ctx *ctx = crypto->priv; ! 158: ! 159: if ( keylen != 16 ) ! 160: return -EINVAL; ! 161: ! 162: if ( rsc ) ! 163: ctx->rx_seq = pn_to_u64 ( rsc ); ! 164: ! 165: cipher_setkey ( &aes_algorithm, ctx->aes_ctx, key, keylen ); ! 166: ! 167: return 0; ! 168: } ! 169: ! 170: ! 171: /** ! 172: * Encrypt or decrypt data stream using AES in Counter mode ! 173: * ! 174: * @v ctx CCMP cryptosystem context ! 175: * @v nonce Nonce value, 13 bytes ! 176: * @v srcv Data to encrypt or decrypt ! 177: * @v len Number of bytes pointed to by @a src ! 178: * @v msrcv MIC value to encrypt or decrypt (may be NULL) ! 179: * @ret destv Encrypted or decrypted data ! 180: * @ret mdestv Encrypted or decrypted MIC value ! 181: * ! 182: * This assumes CCMP parameters of L=2 and M=8. The algorithm is ! 183: * defined in RFC 3610. ! 184: */ ! 185: static void ccmp_ctr_xor ( struct ccmp_ctx *ctx, const void *nonce, ! 186: const void *srcv, void *destv, int len, ! 187: const void *msrcv, void *mdestv ) ! 188: { ! 189: u8 A[16], S[16]; ! 190: u16 ctr; ! 191: int i; ! 192: const u8 *src = srcv, *msrc = msrcv; ! 193: u8 *dest = destv, *mdest = mdestv; ! 194: ! 195: A[0] = 0x01; /* flags, L' = L - 1 = 1, other bits rsvd */ ! 196: memcpy ( A + 1, nonce, CCMP_NONCE_LEN ); ! 197: ! 198: if ( msrcv ) { ! 199: A[14] = A[15] = 0; ! 200: ! 201: cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 ); ! 202: ! 203: for ( i = 0; i < 8; i++ ) { ! 204: *mdest++ = *msrc++ ^ S[i]; ! 205: } ! 206: } ! 207: ! 208: for ( ctr = 1 ;; ctr++ ) { ! 209: A[14] = ctr >> 8; ! 210: A[15] = ctr & 0xFF; ! 211: ! 212: cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 ); ! 213: ! 214: for ( i = 0; i < len && i < 16; i++ ) ! 215: *dest++ = *src++ ^ S[i]; ! 216: ! 217: if ( len <= 16 ) ! 218: break; /* we're done */ ! 219: ! 220: len -= 16; ! 221: } ! 222: } ! 223: ! 224: ! 225: /** ! 226: * Advance one block in CBC-MAC calculation ! 227: * ! 228: * @v aes_ctx AES encryption context with key set ! 229: * @v B Cleartext block to incorporate (16 bytes) ! 230: * @v X Previous ciphertext block (16 bytes) ! 231: * @ret B Clobbered ! 232: * @ret X New ciphertext block (16 bytes) ! 233: * ! 234: * This function does X := E[key] ( X ^ B ). ! 235: */ ! 236: static void ccmp_feed_cbc_mac ( void *aes_ctx, u8 *B, u8 *X ) ! 237: { ! 238: int i; ! 239: for ( i = 0; i < 16; i++ ) ! 240: B[i] ^= X[i]; ! 241: cipher_encrypt ( &aes_algorithm, aes_ctx, B, X, 16 ); ! 242: } ! 243: ! 244: ! 245: /** ! 246: * Calculate MIC on plaintext data using CBC-MAC ! 247: * ! 248: * @v ctx CCMP cryptosystem context ! 249: * @v nonce Nonce value, 13 bytes ! 250: * @v data Data to calculate MIC over ! 251: * @v datalen Length of @a data ! 252: * @v aad Additional authentication data, for MIC but not encryption ! 253: * @ret mic MIC value (unencrypted), 8 bytes ! 254: * ! 255: * @a aadlen is assumed to be 22 bytes long, as it always is for ! 256: * 802.11 use when transmitting non-QoS, not-between-APs frames (the ! 257: * only type we deal with). ! 258: */ ! 259: static void ccmp_cbc_mac ( struct ccmp_ctx *ctx, const void *nonce, ! 260: const void *data, u16 datalen, ! 261: const void *aad, void *mic ) ! 262: { ! 263: u8 X[16], B[16]; ! 264: ! 265: /* Zeroth block: flags, nonce, length */ ! 266: ! 267: /* Rsv AAD - M'- - L'- ! 268: * 0 1 0 1 1 0 0 1 for an 8-byte MAC and 2-byte message length ! 269: */ ! 270: B[0] = 0x59; ! 271: memcpy ( B + 1, nonce, CCMP_NONCE_LEN ); ! 272: B[14] = datalen >> 8; ! 273: B[15] = datalen & 0xFF; ! 274: ! 275: cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, B, X, 16 ); ! 276: ! 277: /* First block: AAD length field and 14 bytes of AAD */ ! 278: B[0] = 0; ! 279: B[1] = CCMP_AAD_LEN; ! 280: memcpy ( B + 2, aad, 14 ); ! 281: ! 282: ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X ); ! 283: ! 284: /* Second block: Remaining 8 bytes of AAD, 8 bytes zero pad */ ! 285: memcpy ( B, aad + 14, 8 ); ! 286: memset ( B + 8, 0, 8 ); ! 287: ! 288: ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X ); ! 289: ! 290: /* Message blocks */ ! 291: while ( datalen ) { ! 292: if ( datalen >= 16 ) { ! 293: memcpy ( B, data, 16 ); ! 294: datalen -= 16; ! 295: } else { ! 296: memcpy ( B, data, datalen ); ! 297: memset ( B + datalen, 0, 16 - datalen ); ! 298: datalen = 0; ! 299: } ! 300: ! 301: ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X ); ! 302: ! 303: data += 16; ! 304: } ! 305: ! 306: /* Get MIC from final value of X */ ! 307: memcpy ( mic, X, 8 ); ! 308: } ! 309: ! 310: ! 311: /** ! 312: * Encapsulate and encrypt a packet using CCMP ! 313: * ! 314: * @v crypto CCMP cryptosystem ! 315: * @v iob I/O buffer containing cleartext packet ! 316: * @ret eiob I/O buffer containing encrypted packet ! 317: */ ! 318: struct io_buffer * ccmp_encrypt ( struct net80211_crypto *crypto, ! 319: struct io_buffer *iob ) ! 320: { ! 321: struct ccmp_ctx *ctx = crypto->priv; ! 322: struct ieee80211_frame *hdr = iob->data; ! 323: struct io_buffer *eiob; ! 324: const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN; ! 325: int datalen = iob_len ( iob ) - hdrlen; ! 326: struct ccmp_head head; ! 327: struct ccmp_nonce nonce; ! 328: struct ccmp_aad aad; ! 329: u8 mic[8], tx_pn[6]; ! 330: void *edata, *emic; ! 331: ! 332: ctx->tx_seq++; ! 333: u64_to_pn ( ctx->tx_seq, tx_pn, PN_LSB ); ! 334: ! 335: /* Allocate memory */ ! 336: eiob = alloc_iob ( iob_len ( iob ) + CCMP_HEAD_LEN + CCMP_MIC_LEN ); ! 337: if ( ! eiob ) ! 338: return NULL; ! 339: ! 340: /* Copy frame header */ ! 341: memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen ); ! 342: hdr = eiob->data; ! 343: hdr->fc |= IEEE80211_FC_PROTECTED; ! 344: ! 345: /* Fill in packet number and extended IV */ ! 346: memcpy ( head.pn_lo, tx_pn, 2 ); ! 347: memcpy ( head.pn_hi, tx_pn + 2, 4 ); ! 348: head.kid = 0x20; /* have Extended IV, key ID 0 */ ! 349: head._rsvd = 0; ! 350: memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) ); ! 351: ! 352: /* Form nonce */ ! 353: nonce.prio = 0; ! 354: memcpy ( nonce.a2, hdr->addr2, ETH_ALEN ); ! 355: u64_to_pn ( ctx->tx_seq, nonce.pn, PN_MSB ); ! 356: ! 357: /* Form additional authentication data */ ! 358: aad.fc = hdr->fc & CCMP_AAD_FC_MASK; ! 359: memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */ ! 360: aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK; ! 361: ! 362: /* Calculate MIC over the data */ ! 363: ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, mic ); ! 364: ! 365: /* Copy and encrypt data and MIC */ ! 366: edata = iob_put ( eiob, datalen ); ! 367: emic = iob_put ( eiob, CCMP_MIC_LEN ); ! 368: ccmp_ctr_xor ( ctx, &nonce, ! 369: iob->data + hdrlen, edata, datalen, ! 370: mic, emic ); ! 371: ! 372: /* Done! */ ! 373: DBGC2 ( ctx, "WPA-CCMP %p: encrypted packet %p -> %p\n", ctx, ! 374: iob, eiob ); ! 375: ! 376: return eiob; ! 377: } ! 378: ! 379: /** ! 380: * Decrypt a packet using CCMP ! 381: * ! 382: * @v crypto CCMP cryptosystem ! 383: * @v eiob I/O buffer containing encrypted packet ! 384: * @ret iob I/O buffer containing cleartext packet ! 385: */ ! 386: static struct io_buffer * ccmp_decrypt ( struct net80211_crypto *crypto, ! 387: struct io_buffer *eiob ) ! 388: { ! 389: struct ccmp_ctx *ctx = crypto->priv; ! 390: struct ieee80211_frame *hdr; ! 391: struct io_buffer *iob; ! 392: const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN; ! 393: int datalen = iob_len ( eiob ) - hdrlen - CCMP_HEAD_LEN - CCMP_MIC_LEN; ! 394: struct ccmp_head *head; ! 395: struct ccmp_nonce nonce; ! 396: struct ccmp_aad aad; ! 397: u8 rx_pn[6], their_mic[8], our_mic[8]; ! 398: ! 399: iob = alloc_iob ( hdrlen + datalen ); ! 400: if ( ! iob ) ! 401: return NULL; ! 402: ! 403: /* Copy frame header */ ! 404: memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen ); ! 405: hdr = iob->data; ! 406: hdr->fc &= ~IEEE80211_FC_PROTECTED; ! 407: ! 408: /* Check and update RX packet number */ ! 409: head = eiob->data + hdrlen; ! 410: memcpy ( rx_pn, head->pn_lo, 2 ); ! 411: memcpy ( rx_pn + 2, head->pn_hi, 4 ); ! 412: ! 413: if ( pn_to_u64 ( rx_pn ) <= ctx->rx_seq ) { ! 414: DBGC ( ctx, "WPA-CCMP %p: packet received out of order " ! 415: "(%012llx <= %012llx)\n", ctx, pn_to_u64 ( rx_pn ), ! 416: ctx->rx_seq ); ! 417: free_iob ( iob ); ! 418: return NULL; ! 419: } ! 420: ! 421: ctx->rx_seq = pn_to_u64 ( rx_pn ); ! 422: DBGC2 ( ctx, "WPA-CCMP %p: RX packet number %012llx\n", ctx, ctx->rx_seq ); ! 423: ! 424: /* Form nonce */ ! 425: nonce.prio = 0; ! 426: memcpy ( nonce.a2, hdr->addr2, ETH_ALEN ); ! 427: u64_to_pn ( ctx->rx_seq, nonce.pn, PN_MSB ); ! 428: ! 429: /* Form additional authentication data */ ! 430: aad.fc = ( hdr->fc & CCMP_AAD_FC_MASK ) | IEEE80211_FC_PROTECTED; ! 431: memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */ ! 432: aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK; ! 433: ! 434: /* Copy-decrypt data and MIC */ ! 435: ccmp_ctr_xor ( ctx, &nonce, eiob->data + hdrlen + sizeof ( *head ), ! 436: iob_put ( iob, datalen ), datalen, ! 437: eiob->tail - CCMP_MIC_LEN, their_mic ); ! 438: ! 439: /* Check MIC */ ! 440: ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, ! 441: our_mic ); ! 442: ! 443: if ( memcmp ( their_mic, our_mic, CCMP_MIC_LEN ) != 0 ) { ! 444: DBGC2 ( ctx, "WPA-CCMP %p: MIC failure\n", ctx ); ! 445: free_iob ( iob ); ! 446: return NULL; ! 447: } ! 448: ! 449: DBGC2 ( ctx, "WPA-CCMP %p: decrypted packet %p -> %p\n", ctx, ! 450: eiob, iob ); ! 451: ! 452: return iob; ! 453: } ! 454: ! 455: ! 456: /** CCMP cryptosystem */ ! 457: struct net80211_crypto ccmp_crypto __net80211_crypto = { ! 458: .algorithm = NET80211_CRYPT_CCMP, ! 459: .init = ccmp_init, ! 460: .encrypt = ccmp_encrypt, ! 461: .decrypt = ccmp_decrypt, ! 462: .priv_len = sizeof ( struct ccmp_ctx ), ! 463: }; ! 464: ! 465: ! 466: ! 467: ! 468: /** ! 469: * Calculate HMAC-SHA1 MIC for EAPOL-Key frame ! 470: * ! 471: * @v kck Key Confirmation Key, 16 bytes ! 472: * @v msg Message to calculate MIC over ! 473: * @v len Number of bytes to calculate MIC over ! 474: * @ret mic Calculated MIC, 16 bytes long ! 475: */ ! 476: static void ccmp_kie_mic ( const void *kck, const void *msg, size_t len, ! 477: void *mic ) ! 478: { ! 479: u8 sha1_ctx[SHA1_CTX_SIZE]; ! 480: u8 kckb[16]; ! 481: u8 hash[SHA1_SIZE]; ! 482: size_t kck_len = 16; ! 483: ! 484: memcpy ( kckb, kck, kck_len ); ! 485: ! 486: hmac_init ( &sha1_algorithm, sha1_ctx, kckb, &kck_len ); ! 487: hmac_update ( &sha1_algorithm, sha1_ctx, msg, len ); ! 488: hmac_final ( &sha1_algorithm, sha1_ctx, kckb, &kck_len, hash ); ! 489: ! 490: memcpy ( mic, hash, 16 ); ! 491: } ! 492: ! 493: /** ! 494: * Decrypt key data in EAPOL-Key frame ! 495: * ! 496: * @v kek Key Encryption Key, 16 bytes ! 497: * @v iv Initialisation vector, 16 bytes (unused) ! 498: * @v msg Message to decrypt ! 499: * @v len Length of message ! 500: * @ret msg Decrypted message in place of original ! 501: * @ret len Adjusted downward for 8 bytes of overhead ! 502: * @ret rc Return status code ! 503: * ! 504: * The returned message may still contain padding of 0xDD followed by ! 505: * zero or more 0x00 octets. It is impossible to remove the padding ! 506: * without parsing the IEs in the packet (another design decision that ! 507: * tends to make one question the 802.11i committee's intelligence...) ! 508: */ ! 509: static int ccmp_kie_decrypt ( const void *kek, const void *iv __unused, ! 510: void *msg, u16 *len ) ! 511: { ! 512: if ( *len % 8 != 0 ) ! 513: return -EINVAL; ! 514: ! 515: if ( aes_unwrap ( kek, msg, msg, *len / 8 - 1 ) != 0 ) ! 516: return -EINVAL; ! 517: ! 518: *len -= 8; ! 519: ! 520: return 0; ! 521: } ! 522: ! 523: /** CCMP-style key integrity and encryption handler */ ! 524: struct wpa_kie ccmp_kie __wpa_kie = { ! 525: .version = EAPOL_KEY_VERSION_WPA2, ! 526: .mic = ccmp_kie_mic, ! 527: .decrypt = ccmp_kie_decrypt, ! 528: };
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.