• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * CTR with CBC-MAC Protocol (CCMP)
3  * Copyright (c) 2010-2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "rtw_crypto_wrap.h"
10 
11 #include "aes.h"
12 #include "aes_wrap.h"
13 #include "wlancrypto_wrap.h"
14 
15 
16 
ccmp_aad_nonce(_adapter * padapter,const struct ieee80211_hdr * hdr,const u8 * data,u8 * aad,size_t * aad_len,u8 * nonce)17 static void ccmp_aad_nonce(_adapter *padapter, const struct ieee80211_hdr *hdr, const u8 *data,
18 			   u8 *aad, size_t *aad_len, u8 *nonce)
19 {
20 	u16 fc, stype, seq;
21 	int qos = 0, addr4 = 0;
22 	u8 *pos;
23 
24 	nonce[0] = 0;
25 
26 	fc = le_to_host16(hdr->frame_control);
27 	stype = WLAN_FC_GET_STYPE(fc);
28 	if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
29 	    (WLAN_FC_TODS | WLAN_FC_FROMDS))
30 		addr4 = 1;
31 
32 	if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA) {
33 		fc &= ~0x0070; /* Mask subtype bits */
34 		if (stype & WLAN_FC_STYPE_QOS_DATA) {
35 			const u8 *qc;
36 			qos = 1;
37 			fc &= ~WLAN_FC_ORDER;
38 			qc = (const u8 *)hdr + 24;
39 			if (addr4)
40 				qc += ETH_ALEN;
41 			nonce[0] = qc[0] & 0x0f;
42 		}
43 	} else if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
44 		nonce[0] |= 0x10; /* Management */
45 
46 	fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
47 	fc |= WLAN_FC_ISWEP;
48 	WPA_PUT_LE16(aad, fc);
49 	pos = aad + 2;
50 	os_memcpy(pos, GetAddr1Ptr((u8 *)hdr), 3 * ETH_ALEN);
51 	pos += 3 * ETH_ALEN;
52 	seq = le_to_host16(hdr->seq_ctrl);
53 	seq &= ~0xfff0; /* Mask Seq#; do not modify Frag# */
54 	WPA_PUT_LE16(pos, seq);
55 	pos += 2;
56 
57 	os_memcpy(pos, (u8 *)hdr + 24, addr4 * ETH_ALEN + qos * 2);
58 	pos += addr4 * ETH_ALEN;
59 	if (qos) {
60 		pos[0] &= ~0x70;
61 		/* only spp mode need to refer QoS bit7 */
62 		if (padapter->registrypriv.amsdu_mode != RTW_AMSDU_MODE_SPP)
63 			pos[0] &= ~0x80;
64 		pos++;
65 		*pos++ = 0x00;
66 	}
67 
68 	*aad_len = pos - aad;
69 
70 	os_memcpy(nonce + 1, hdr->addr2, ETH_ALEN);
71 	nonce[7] = data[7]; /* PN5 */
72 	nonce[8] = data[6]; /* PN4 */
73 	nonce[9] = data[5]; /* PN3 */
74 	nonce[10] = data[4]; /* PN2 */
75 	nonce[11] = data[1]; /* PN1 */
76 	nonce[12] = data[0]; /* PN0 */
77 }
78 
79 
ccmp_aad_nonce_pv1(const u8 * hdr,const u8 * a1,const u8 * a2,const u8 * a3,const u8 * pn,u8 * aad,size_t * aad_len,u8 * nonce)80 static void ccmp_aad_nonce_pv1(const u8 *hdr, const u8 *a1, const u8 *a2,
81 			       const u8 *a3, const u8 *pn,
82 			       u8 *aad, size_t *aad_len, u8 *nonce)
83 {
84 	u16 fc, type;
85 	u8 *pos;
86 
87 	nonce[0] = BIT(5); /* PV1 */
88 	/* TODO: Priority for QMF; 0 is used for Data frames */
89 
90 	fc = WPA_GET_LE16(hdr);
91 	type = (fc & (BIT(2) | BIT(3) | BIT(4))) >> 2;
92 
93 	if (type == 1)
94 		nonce[0] |= 0x10; /* Management */
95 
96 	fc &= ~(BIT(10) | BIT(11) | BIT(13) | BIT(14) | BIT(15));
97 	fc |= BIT(12);
98 	WPA_PUT_LE16(aad, fc);
99 	pos = aad + 2;
100 	if (type == 0 || type == 3) {
101 		const u8 *sc;
102 
103 		os_memcpy(pos, a1, ETH_ALEN);
104 		pos += ETH_ALEN;
105 		os_memcpy(pos, a2, ETH_ALEN);
106 		pos += ETH_ALEN;
107 
108 		if (type == 0) {
109 			/* Either A1 or A2 contains SID */
110 			sc = hdr + 2 + 2 + ETH_ALEN;
111 		} else {
112 			/* Both A1 and A2 contain full addresses */
113 			sc = hdr + 2 + 2 * ETH_ALEN;
114 		}
115 		/* SC with Sequence Number subfield (bits 4-15 of the Sequence
116 		 * Control field) masked to 0. */
117 		*pos++ = *sc & 0x0f;
118 		*pos++ = 0;
119 
120 		if (a3) {
121 			os_memcpy(pos, a3, ETH_ALEN);
122 			pos += ETH_ALEN;
123 		}
124 	}
125 
126 	*aad_len = pos - aad;
127 
128 	os_memcpy(nonce + 1, a2, ETH_ALEN);
129 	nonce[7] = pn[5]; /* PN5 */
130 	nonce[8] = pn[4]; /* PN4 */
131 	nonce[9] = pn[3]; /* PN3 */
132 	nonce[10] = pn[2]; /* PN2 */
133 	nonce[11] = pn[1]; /* PN1 */
134 	nonce[12] = pn[0]; /* PN0 */
135 }
136 
137 
ccmp_decrypt(_adapter * padapter,const u8 * tk,const struct ieee80211_hdr * hdr,const u8 * data,size_t data_len,size_t * decrypted_len)138 u8 * ccmp_decrypt(_adapter *padapter, const u8 *tk, const struct ieee80211_hdr *hdr,
139 		  const u8 *data, size_t data_len, size_t *decrypted_len)
140 {
141 	u8 aad[30], nonce[13];
142 	size_t aad_len;
143 	size_t mlen;
144 	u8 *plain;
145 
146 	if (data_len < 8 + 8)
147 		return NULL;
148 
149 	plain = os_malloc(data_len + AES_BLOCK_SIZE);
150 	if (plain == NULL)
151 		return NULL;
152 
153 	mlen = data_len - 8 - 8;
154 
155 	os_memset(aad, 0, sizeof(aad));
156 	ccmp_aad_nonce(padapter, hdr, data, aad, &aad_len, nonce);
157 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP AAD", aad, aad_len);
158 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP nonce", nonce, 13);
159 
160 	if (aes_ccm_ad(tk, 16, nonce, 8, data + 8, mlen, aad, aad_len,
161 		       data + 8 + mlen, plain) < 0) {
162 		u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
163 		wpa_printf(_MSG_INFO_, "Invalid CCMP MIC in frame: A1=" MACSTR
164 			   " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
165 			   MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
166 			   MAC2STR(hdr->addr3),
167 			   WLAN_GET_SEQ_SEQ(seq_ctrl),
168 			   WLAN_GET_SEQ_FRAG(seq_ctrl));
169 		rtw_mfree(plain, data_len + AES_BLOCK_SIZE);
170 		return NULL;
171 	}
172 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP decrypted", plain, mlen);
173 
174 	*decrypted_len = mlen;
175 	return plain;
176 }
177 
178 
ccmp_get_pn(u8 * pn,const u8 * data)179 void ccmp_get_pn(u8 *pn, const u8 *data)
180 {
181 	pn[0] = data[7]; /* PN5 */
182 	pn[1] = data[6]; /* PN4 */
183 	pn[2] = data[5]; /* PN3 */
184 	pn[3] = data[4]; /* PN2 */
185 	pn[4] = data[1]; /* PN1 */
186 	pn[5] = data[0]; /* PN0 */
187 }
188 
189 
ccmp_encrypt(_adapter * padapter,const u8 * tk,u8 * frame,size_t len,size_t hdrlen,u8 * qos,u8 * pn,int keyid,size_t * encrypted_len)190 u8 * ccmp_encrypt(_adapter *padapter, const u8 *tk, u8 *frame, size_t len, size_t hdrlen, u8 *qos,
191 		  u8 *pn, int keyid, size_t *encrypted_len)
192 {
193 	u8 aad[30], nonce[13];
194 	size_t aad_len, plen;
195 	u8 *crypt, *pos, *pdata;
196 	struct ieee80211_hdr *hdr;
197 
198 	if (len < hdrlen || hdrlen < 24)
199 		return NULL;
200 	plen = len - hdrlen;
201 
202 	crypt = os_malloc(hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE);
203 	if (crypt == NULL)
204 		return NULL;
205 
206 	if (pn == NULL) {
207 		os_memcpy(crypt, frame, hdrlen + 8);
208 		hdr = (struct ieee80211_hdr *) crypt;
209 		hdr->frame_control |= host_to_le16(WLAN_FC_ISWEP);
210 		pos = crypt + hdrlen + 8;
211 		pdata = frame + hdrlen + 8;
212 	} else {
213 		os_memcpy(crypt, frame, hdrlen);
214 		hdr = (struct ieee80211_hdr *) crypt;
215 		hdr->frame_control |= host_to_le16(WLAN_FC_ISWEP);
216 		pos = crypt + hdrlen;
217 		*pos++ = pn[5]; /* PN0 */
218 		*pos++ = pn[4]; /* PN1 */
219 		*pos++ = 0x00; /* Rsvd */
220 		*pos++ = 0x20 | (keyid << 6);
221 		*pos++ = pn[3]; /* PN2 */
222 		*pos++ = pn[2]; /* PN3 */
223 		*pos++ = pn[1]; /* PN4 */
224 		*pos++ = pn[0]; /* PN5 */
225 		pdata = frame + hdrlen;
226 	}
227 
228 	os_memset(aad, 0, sizeof(aad));
229 	ccmp_aad_nonce(padapter, hdr, crypt + hdrlen, aad, &aad_len, nonce);
230 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP AAD", aad, aad_len);
231 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP nonce", nonce, 13);
232 
233 	if (aes_ccm_ae(tk, 16, nonce, 8, pdata, plen, aad, aad_len,
234 		       pos, pos + plen) < 0) {
235 		rtw_mfree(crypt, hdrlen + 8 + plen + 8 + AES_BLOCK_SIZE);
236 		return NULL;
237 	}
238 
239 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP encrypted", crypt + hdrlen + 8, plen);
240 
241 	*encrypted_len = hdrlen + 8 + plen + 8;
242 
243 	return crypt;
244 }
245 
246 
ccmp_encrypt_pv1(const u8 * tk,const u8 * a1,const u8 * a2,const u8 * a3,const u8 * frame,size_t len,size_t hdrlen,const u8 * pn,int keyid,size_t * encrypted_len)247 u8 * ccmp_encrypt_pv1(const u8 *tk, const u8 *a1, const u8 *a2, const u8 *a3,
248 		      const u8 *frame, size_t len,
249 		      size_t hdrlen, const u8 *pn, int keyid,
250 		      size_t *encrypted_len)
251 {
252 	u8 aad[24], nonce[13];
253 	size_t aad_len, plen;
254 	u8 *crypt, *pos;
255 	struct ieee80211_hdr *hdr;
256 
257 	if (len < hdrlen || hdrlen < 12)
258 		return NULL;
259 	plen = len - hdrlen;
260 
261 	crypt = os_malloc(hdrlen + plen + 8 + AES_BLOCK_SIZE);
262 	if (crypt == NULL)
263 		return NULL;
264 
265 	os_memcpy(crypt, frame, hdrlen);
266 	hdr = (struct ieee80211_hdr *) crypt;
267 	hdr->frame_control |= host_to_le16(BIT(12)); /* Protected Frame */
268 	pos = crypt + hdrlen;
269 
270 	os_memset(aad, 0, sizeof(aad));
271 	ccmp_aad_nonce_pv1(crypt, a1, a2, a3, pn, aad, &aad_len, nonce);
272 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP AAD", aad, aad_len);
273 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP nonce", nonce, sizeof(nonce));
274 
275 	if (aes_ccm_ae(tk, 16, nonce, 8, frame + hdrlen, plen, aad, aad_len,
276 		       pos, pos + plen) < 0) {
277 		rtw_mfree(crypt, hdrlen + plen + 8 + AES_BLOCK_SIZE);
278 		return NULL;
279 	}
280 
281 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP encrypted", crypt + hdrlen, plen);
282 
283 	*encrypted_len = hdrlen + plen + 8;
284 
285 	return crypt;
286 }
287 
288 
ccmp_256_decrypt(_adapter * padapter,const u8 * tk,const struct ieee80211_hdr * hdr,const u8 * data,size_t data_len,size_t * decrypted_len)289 u8 * ccmp_256_decrypt(_adapter *padapter, const u8 *tk, const struct ieee80211_hdr *hdr,
290 		      const u8 *data, size_t data_len, size_t *decrypted_len)
291 {
292 	u8 aad[30], nonce[13];
293 	size_t aad_len;
294 	size_t mlen;
295 	u8 *plain;
296 
297 	if (data_len < 8 + 16)
298 		return NULL;
299 
300 	plain = os_malloc(data_len + AES_BLOCK_SIZE);
301 	if (plain == NULL)
302 		return NULL;
303 
304 	mlen = data_len - 8 - 16;
305 
306 	os_memset(aad, 0, sizeof(aad));
307 	ccmp_aad_nonce(padapter, hdr, data, aad, &aad_len, nonce);
308 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 AAD", aad, aad_len);
309 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 nonce", nonce, 13);
310 
311 	if (aes_ccm_ad(tk, 32, nonce, 16, data + 8, mlen, aad, aad_len,
312 		       data + 8 + mlen, plain) < 0) {
313 		u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
314 		wpa_printf(_MSG_INFO_, "Invalid CCMP-256 MIC in frame: A1=" MACSTR
315 			   " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
316 			   MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
317 			   MAC2STR(hdr->addr3),
318 			   WLAN_GET_SEQ_SEQ(seq_ctrl),
319 			   WLAN_GET_SEQ_FRAG(seq_ctrl));
320 		rtw_mfree(plain, data_len + AES_BLOCK_SIZE);
321 		return NULL;
322 	}
323 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 decrypted", plain, mlen);
324 
325 	*decrypted_len = mlen;
326 	return plain;
327 }
328 
329 
ccmp_256_encrypt(_adapter * padapter,const u8 * tk,u8 * frame,size_t len,size_t hdrlen,u8 * qos,u8 * pn,int keyid,size_t * encrypted_len)330 u8 * ccmp_256_encrypt(_adapter *padapter, const u8 *tk, u8 *frame, size_t len, size_t hdrlen,
331 		      u8 *qos, u8 *pn, int keyid, size_t *encrypted_len)
332 {
333 	u8 aad[30], nonce[13];
334 	size_t aad_len, plen;
335 	u8 *crypt, *pos, *pdata;
336 	struct ieee80211_hdr *hdr;
337 
338 	if (len < hdrlen || hdrlen < 24)
339 		return NULL;
340 	plen = len - hdrlen;
341 
342 	crypt = os_malloc(hdrlen + 8 + plen + 16 + AES_BLOCK_SIZE);
343 	if (crypt == NULL)
344 		return NULL;
345 
346 	if (pn == NULL) {
347 		os_memcpy(crypt, frame, hdrlen + 8);
348 		hdr = (struct ieee80211_hdr *) crypt;
349 		hdr->frame_control |= host_to_le16(WLAN_FC_ISWEP);
350 		pos = crypt + hdrlen + 8;
351 		pdata = frame + hdrlen + 8;
352 	} else {
353 		os_memcpy(crypt, frame, hdrlen);
354 		hdr = (struct ieee80211_hdr *) crypt;
355 		hdr->frame_control |= host_to_le16(WLAN_FC_ISWEP);
356 		pos = crypt + hdrlen;
357 		*pos++ = pn[5]; /* PN0 */
358 		*pos++ = pn[4]; /* PN1 */
359 		*pos++ = 0x00; /* Rsvd */
360 		*pos++ = 0x20 | (keyid << 6);
361 		*pos++ = pn[3]; /* PN2 */
362 		*pos++ = pn[2]; /* PN3 */
363 		*pos++ = pn[1]; /* PN4 */
364 		*pos++ = pn[0]; /* PN5 */
365 		pdata = frame + hdrlen;
366 	}
367 
368 	os_memset(aad, 0, sizeof(aad));
369 	ccmp_aad_nonce(padapter, hdr, crypt + hdrlen, aad, &aad_len, nonce);
370 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 AAD", aad, aad_len);
371 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 nonce", nonce, 13);
372 
373 	if (aes_ccm_ae(tk, 32, nonce, 16, pdata, plen, aad, aad_len,
374 		       pos, pos + plen) < 0) {
375 		rtw_mfree(crypt, hdrlen + 8 + plen + 16 + AES_BLOCK_SIZE);
376 		return NULL;
377 	}
378 
379 	wpa_hexdump(_MSG_EXCESSIVE_, "CCMP-256 encrypted", crypt + hdrlen + 8,
380 		    plen);
381 
382 	*encrypted_len = hdrlen + 8 + plen + 16;
383 
384 	return crypt;
385 }
386