1 /*
2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17 */
18
19 FILE_LICENCE ( GPL2_OR_LATER );
20
21 #include <gpxe/net80211.h>
22 #include <gpxe/crypto.h>
23 #include <gpxe/hmac.h>
24 #include <gpxe/sha1.h>
25 #include <gpxe/aes.h>
26 #include <gpxe/wpa.h>
27 #include <byteswap.h>
28 #include <errno.h>
29
30 /** @file
31 *
32 * Backend for WPA using the CCMP encryption method
33 */
34
35 /** Context for CCMP encryption and decryption */
36 struct ccmp_ctx
37 {
38 /** AES context - only ever used for encryption */
39 u8 aes_ctx[AES_CTX_SIZE];
40
41 /** Most recently sent packet number */
42 u64 tx_seq;
43
44 /** Most recently received packet number */
45 u64 rx_seq;
46 };
47
48 /** Header structure at the beginning of CCMP frame data */
49 struct ccmp_head
50 {
51 u8 pn_lo[2]; /**< Bytes 0 and 1 of packet number */
52 u8 _rsvd; /**< Reserved byte */
53 u8 kid; /**< Key ID and ExtIV byte */
54 u8 pn_hi[4]; /**< Bytes 2-5 (2 first) of packet number */
55 } __attribute__ (( packed ));
56
57
58 /** CCMP header overhead */
59 #define CCMP_HEAD_LEN 8
60
61 /** CCMP MIC trailer overhead */
62 #define CCMP_MIC_LEN 8
63
64 /** CCMP nonce length */
65 #define CCMP_NONCE_LEN 13
66
67 /** CCMP nonce structure */
68 struct ccmp_nonce
69 {
70 u8 prio; /**< Packet priority, 0 for non-QoS */
71 u8 a2[ETH_ALEN]; /**< Address 2 from packet header (sender) */
72 u8 pn[6]; /**< Packet number */
73 } __attribute__ (( packed ));
74
75 /** CCMP additional authentication data length (for non-QoS, non-WDS frames) */
76 #define CCMP_AAD_LEN 22
77
78 /** CCMP additional authentication data structure */
79 struct ccmp_aad
80 {
81 u16 fc; /**< Frame Control field */
82 u8 a1[6]; /**< Address 1 */
83 u8 a2[6]; /**< Address 2 */
84 u8 a3[6]; /**< Address 3 */
85 u16 seq; /**< Sequence Control field */
86 /* Address 4 and QoS Control are included if present */
87 } __attribute__ (( packed ));
88
89 /** Mask for Frame Control field in AAD */
90 #define CCMP_AAD_FC_MASK 0xC38F
91
92 /** Mask for Sequence Control field in AAD */
93 #define CCMP_AAD_SEQ_MASK 0x000F
94
95
96 /**
97 * Convert 6-byte LSB packet number to 64-bit integer
98 *
99 * @v pn Pointer to 6-byte packet number
100 * @ret v 64-bit integer value of @a pn
101 */
pn_to_u64(const u8 * pn)102 static u64 pn_to_u64 ( const u8 *pn )
103 {
104 int i;
105 u64 ret = 0;
106
107 for ( i = 5; i >= 0; i-- ) {
108 ret <<= 8;
109 ret |= pn[i];
110 }
111
112 return ret;
113 }
114
115 /**
116 * Convert 64-bit integer to 6-byte packet number
117 *
118 * @v v 64-bit integer
119 * @v msb If TRUE, reverse the output PN to be in MSB order
120 * @ret pn 6-byte packet number
121 *
122 * The PN is stored in LSB order in the packet header and in MSB order
123 * in the nonce. WHYYYYY?
124 */
u64_to_pn(u64 v,u8 * pn,int msb)125 static void u64_to_pn ( u64 v, u8 *pn, int msb )
126 {
127 int i;
128 u8 *pnp = pn + ( msb ? 5 : 0 );
129 int delta = ( msb ? -1 : +1 );
130
131 for ( i = 0; i < 6; i++ ) {
132 *pnp = v & 0xFF;
133 pnp += delta;
134 v >>= 8;
135 }
136 }
137
138 /** Value for @a msb argument of u64_to_pn() for MSB output */
139 #define PN_MSB 1
140
141 /** Value for @a msb argument of u64_to_pn() for LSB output */
142 #define PN_LSB 0
143
144
145
146 /**
147 * Initialise CCMP state and install key
148 *
149 * @v crypto CCMP cryptosystem structure
150 * @v key Pointer to 16-byte temporal key to install
151 * @v keylen Length of key (16 bytes)
152 * @v rsc Initial receive sequence counter
153 */
ccmp_init(struct net80211_crypto * crypto,const void * key,int keylen,const void * rsc)154 static int ccmp_init ( struct net80211_crypto *crypto, const void *key,
155 int keylen, const void *rsc )
156 {
157 struct ccmp_ctx *ctx = crypto->priv;
158
159 if ( keylen != 16 )
160 return -EINVAL;
161
162 if ( rsc )
163 ctx->rx_seq = pn_to_u64 ( rsc );
164
165 cipher_setkey ( &aes_algorithm, ctx->aes_ctx, key, keylen );
166
167 return 0;
168 }
169
170
171 /**
172 * Encrypt or decrypt data stream using AES in Counter mode
173 *
174 * @v ctx CCMP cryptosystem context
175 * @v nonce Nonce value, 13 bytes
176 * @v srcv Data to encrypt or decrypt
177 * @v len Number of bytes pointed to by @a src
178 * @v msrcv MIC value to encrypt or decrypt (may be NULL)
179 * @ret destv Encrypted or decrypted data
180 * @ret mdestv Encrypted or decrypted MIC value
181 *
182 * This assumes CCMP parameters of L=2 and M=8. The algorithm is
183 * defined in RFC 3610.
184 */
ccmp_ctr_xor(struct ccmp_ctx * ctx,const void * nonce,const void * srcv,void * destv,int len,const void * msrcv,void * mdestv)185 static void ccmp_ctr_xor ( struct ccmp_ctx *ctx, const void *nonce,
186 const void *srcv, void *destv, int len,
187 const void *msrcv, void *mdestv )
188 {
189 u8 A[16], S[16];
190 u16 ctr;
191 int i;
192 const u8 *src = srcv, *msrc = msrcv;
193 u8 *dest = destv, *mdest = mdestv;
194
195 A[0] = 0x01; /* flags, L' = L - 1 = 1, other bits rsvd */
196 memcpy ( A + 1, nonce, CCMP_NONCE_LEN );
197
198 if ( msrcv ) {
199 A[14] = A[15] = 0;
200
201 cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
202
203 for ( i = 0; i < 8; i++ ) {
204 *mdest++ = *msrc++ ^ S[i];
205 }
206 }
207
208 for ( ctr = 1 ;; ctr++ ) {
209 A[14] = ctr >> 8;
210 A[15] = ctr & 0xFF;
211
212 cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
213
214 for ( i = 0; i < len && i < 16; i++ )
215 *dest++ = *src++ ^ S[i];
216
217 if ( len <= 16 )
218 break; /* we're done */
219
220 len -= 16;
221 }
222 }
223
224
225 /**
226 * Advance one block in CBC-MAC calculation
227 *
228 * @v aes_ctx AES encryption context with key set
229 * @v B Cleartext block to incorporate (16 bytes)
230 * @v X Previous ciphertext block (16 bytes)
231 * @ret B Clobbered
232 * @ret X New ciphertext block (16 bytes)
233 *
234 * This function does X := E[key] ( X ^ B ).
235 */
ccmp_feed_cbc_mac(void * aes_ctx,u8 * B,u8 * X)236 static void ccmp_feed_cbc_mac ( void *aes_ctx, u8 *B, u8 *X )
237 {
238 int i;
239 for ( i = 0; i < 16; i++ )
240 B[i] ^= X[i];
241 cipher_encrypt ( &aes_algorithm, aes_ctx, B, X, 16 );
242 }
243
244
245 /**
246 * Calculate MIC on plaintext data using CBC-MAC
247 *
248 * @v ctx CCMP cryptosystem context
249 * @v nonce Nonce value, 13 bytes
250 * @v data Data to calculate MIC over
251 * @v datalen Length of @a data
252 * @v aad Additional authentication data, for MIC but not encryption
253 * @ret mic MIC value (unencrypted), 8 bytes
254 *
255 * @a aadlen is assumed to be 22 bytes long, as it always is for
256 * 802.11 use when transmitting non-QoS, not-between-APs frames (the
257 * only type we deal with).
258 */
ccmp_cbc_mac(struct ccmp_ctx * ctx,const void * nonce,const void * data,u16 datalen,const void * aad,void * mic)259 static void ccmp_cbc_mac ( struct ccmp_ctx *ctx, const void *nonce,
260 const void *data, u16 datalen,
261 const void *aad, void *mic )
262 {
263 u8 X[16], B[16];
264
265 /* Zeroth block: flags, nonce, length */
266
267 /* Rsv AAD - M'- - L'-
268 * 0 1 0 1 1 0 0 1 for an 8-byte MAC and 2-byte message length
269 */
270 B[0] = 0x59;
271 memcpy ( B + 1, nonce, CCMP_NONCE_LEN );
272 B[14] = datalen >> 8;
273 B[15] = datalen & 0xFF;
274
275 cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, B, X, 16 );
276
277 /* First block: AAD length field and 14 bytes of AAD */
278 B[0] = 0;
279 B[1] = CCMP_AAD_LEN;
280 memcpy ( B + 2, aad, 14 );
281
282 ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
283
284 /* Second block: Remaining 8 bytes of AAD, 8 bytes zero pad */
285 memcpy ( B, aad + 14, 8 );
286 memset ( B + 8, 0, 8 );
287
288 ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
289
290 /* Message blocks */
291 while ( datalen ) {
292 if ( datalen >= 16 ) {
293 memcpy ( B, data, 16 );
294 datalen -= 16;
295 } else {
296 memcpy ( B, data, datalen );
297 memset ( B + datalen, 0, 16 - datalen );
298 datalen = 0;
299 }
300
301 ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
302
303 data += 16;
304 }
305
306 /* Get MIC from final value of X */
307 memcpy ( mic, X, 8 );
308 }
309
310
311 /**
312 * Encapsulate and encrypt a packet using CCMP
313 *
314 * @v crypto CCMP cryptosystem
315 * @v iob I/O buffer containing cleartext packet
316 * @ret eiob I/O buffer containing encrypted packet
317 */
ccmp_encrypt(struct net80211_crypto * crypto,struct io_buffer * iob)318 struct io_buffer * ccmp_encrypt ( struct net80211_crypto *crypto,
319 struct io_buffer *iob )
320 {
321 struct ccmp_ctx *ctx = crypto->priv;
322 struct ieee80211_frame *hdr = iob->data;
323 struct io_buffer *eiob;
324 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
325 int datalen = iob_len ( iob ) - hdrlen;
326 struct ccmp_head head;
327 struct ccmp_nonce nonce;
328 struct ccmp_aad aad;
329 u8 mic[8], tx_pn[6];
330 void *edata, *emic;
331
332 ctx->tx_seq++;
333 u64_to_pn ( ctx->tx_seq, tx_pn, PN_LSB );
334
335 /* Allocate memory */
336 eiob = alloc_iob ( iob_len ( iob ) + CCMP_HEAD_LEN + CCMP_MIC_LEN );
337 if ( ! eiob )
338 return NULL;
339
340 /* Copy frame header */
341 memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
342 hdr = eiob->data;
343 hdr->fc |= IEEE80211_FC_PROTECTED;
344
345 /* Fill in packet number and extended IV */
346 memcpy ( head.pn_lo, tx_pn, 2 );
347 memcpy ( head.pn_hi, tx_pn + 2, 4 );
348 head.kid = 0x20; /* have Extended IV, key ID 0 */
349 head._rsvd = 0;
350 memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
351
352 /* Form nonce */
353 nonce.prio = 0;
354 memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
355 u64_to_pn ( ctx->tx_seq, nonce.pn, PN_MSB );
356
357 /* Form additional authentication data */
358 aad.fc = hdr->fc & CCMP_AAD_FC_MASK;
359 memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
360 aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
361
362 /* Calculate MIC over the data */
363 ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, mic );
364
365 /* Copy and encrypt data and MIC */
366 edata = iob_put ( eiob, datalen );
367 emic = iob_put ( eiob, CCMP_MIC_LEN );
368 ccmp_ctr_xor ( ctx, &nonce,
369 iob->data + hdrlen, edata, datalen,
370 mic, emic );
371
372 /* Done! */
373 DBGC2 ( ctx, "WPA-CCMP %p: encrypted packet %p -> %p\n", ctx,
374 iob, eiob );
375
376 return eiob;
377 }
378
379 /**
380 * Decrypt a packet using CCMP
381 *
382 * @v crypto CCMP cryptosystem
383 * @v eiob I/O buffer containing encrypted packet
384 * @ret iob I/O buffer containing cleartext packet
385 */
ccmp_decrypt(struct net80211_crypto * crypto,struct io_buffer * eiob)386 static struct io_buffer * ccmp_decrypt ( struct net80211_crypto *crypto,
387 struct io_buffer *eiob )
388 {
389 struct ccmp_ctx *ctx = crypto->priv;
390 struct ieee80211_frame *hdr;
391 struct io_buffer *iob;
392 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
393 int datalen = iob_len ( eiob ) - hdrlen - CCMP_HEAD_LEN - CCMP_MIC_LEN;
394 struct ccmp_head *head;
395 struct ccmp_nonce nonce;
396 struct ccmp_aad aad;
397 u8 rx_pn[6], their_mic[8], our_mic[8];
398
399 iob = alloc_iob ( hdrlen + datalen );
400 if ( ! iob )
401 return NULL;
402
403 /* Copy frame header */
404 memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
405 hdr = iob->data;
406 hdr->fc &= ~IEEE80211_FC_PROTECTED;
407
408 /* Check and update RX packet number */
409 head = eiob->data + hdrlen;
410 memcpy ( rx_pn, head->pn_lo, 2 );
411 memcpy ( rx_pn + 2, head->pn_hi, 4 );
412
413 if ( pn_to_u64 ( rx_pn ) <= ctx->rx_seq ) {
414 DBGC ( ctx, "WPA-CCMP %p: packet received out of order "
415 "(%012llx <= %012llx)\n", ctx, pn_to_u64 ( rx_pn ),
416 ctx->rx_seq );
417 free_iob ( iob );
418 return NULL;
419 }
420
421 ctx->rx_seq = pn_to_u64 ( rx_pn );
422 DBGC2 ( ctx, "WPA-CCMP %p: RX packet number %012llx\n", ctx, ctx->rx_seq );
423
424 /* Form nonce */
425 nonce.prio = 0;
426 memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
427 u64_to_pn ( ctx->rx_seq, nonce.pn, PN_MSB );
428
429 /* Form additional authentication data */
430 aad.fc = ( hdr->fc & CCMP_AAD_FC_MASK ) | IEEE80211_FC_PROTECTED;
431 memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
432 aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
433
434 /* Copy-decrypt data and MIC */
435 ccmp_ctr_xor ( ctx, &nonce, eiob->data + hdrlen + sizeof ( *head ),
436 iob_put ( iob, datalen ), datalen,
437 eiob->tail - CCMP_MIC_LEN, their_mic );
438
439 /* Check MIC */
440 ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad,
441 our_mic );
442
443 if ( memcmp ( their_mic, our_mic, CCMP_MIC_LEN ) != 0 ) {
444 DBGC2 ( ctx, "WPA-CCMP %p: MIC failure\n", ctx );
445 free_iob ( iob );
446 return NULL;
447 }
448
449 DBGC2 ( ctx, "WPA-CCMP %p: decrypted packet %p -> %p\n", ctx,
450 eiob, iob );
451
452 return iob;
453 }
454
455
456 /** CCMP cryptosystem */
457 struct net80211_crypto ccmp_crypto __net80211_crypto = {
458 .algorithm = NET80211_CRYPT_CCMP,
459 .init = ccmp_init,
460 .encrypt = ccmp_encrypt,
461 .decrypt = ccmp_decrypt,
462 .priv_len = sizeof ( struct ccmp_ctx ),
463 };
464
465
466
467
468 /**
469 * Calculate HMAC-SHA1 MIC for EAPOL-Key frame
470 *
471 * @v kck Key Confirmation Key, 16 bytes
472 * @v msg Message to calculate MIC over
473 * @v len Number of bytes to calculate MIC over
474 * @ret mic Calculated MIC, 16 bytes long
475 */
ccmp_kie_mic(const void * kck,const void * msg,size_t len,void * mic)476 static void ccmp_kie_mic ( const void *kck, const void *msg, size_t len,
477 void *mic )
478 {
479 u8 sha1_ctx[SHA1_CTX_SIZE];
480 u8 kckb[16];
481 u8 hash[SHA1_SIZE];
482 size_t kck_len = 16;
483
484 memcpy ( kckb, kck, kck_len );
485
486 hmac_init ( &sha1_algorithm, sha1_ctx, kckb, &kck_len );
487 hmac_update ( &sha1_algorithm, sha1_ctx, msg, len );
488 hmac_final ( &sha1_algorithm, sha1_ctx, kckb, &kck_len, hash );
489
490 memcpy ( mic, hash, 16 );
491 }
492
493 /**
494 * Decrypt key data in EAPOL-Key frame
495 *
496 * @v kek Key Encryption Key, 16 bytes
497 * @v iv Initialisation vector, 16 bytes (unused)
498 * @v msg Message to decrypt
499 * @v len Length of message
500 * @ret msg Decrypted message in place of original
501 * @ret len Adjusted downward for 8 bytes of overhead
502 * @ret rc Return status code
503 *
504 * The returned message may still contain padding of 0xDD followed by
505 * zero or more 0x00 octets. It is impossible to remove the padding
506 * without parsing the IEs in the packet (another design decision that
507 * tends to make one question the 802.11i committee's intelligence...)
508 */
ccmp_kie_decrypt(const void * kek,const void * iv __unused,void * msg,u16 * len)509 static int ccmp_kie_decrypt ( const void *kek, const void *iv __unused,
510 void *msg, u16 *len )
511 {
512 if ( *len % 8 != 0 )
513 return -EINVAL;
514
515 if ( aes_unwrap ( kek, msg, msg, *len / 8 - 1 ) != 0 )
516 return -EINVAL;
517
518 *len -= 8;
519
520 return 0;
521 }
522
523 /** CCMP-style key integrity and encryption handler */
524 struct wpa_kie ccmp_kie __wpa_kie = {
525 .version = EAPOL_KEY_VERSION_WPA2,
526 .mic = ccmp_kie_mic,
527 .decrypt = ccmp_kie_decrypt,
528 };
529