net/mac80211/wpa.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Copyright 2002-2004, Instant802 Networks, Inc.
0004  * Copyright 2008, Jouni Malinen <j@w1.fi>
0005  * Copyright (C) 2016-2017 Intel Deutschland GmbH
0006  * Copyright (C) 2020-2022 Intel Corporation
0007  */
0008
0009 #include <linux/netdevice.h>
0010 #include <linux/types.h>
0011 #include <linux/skbuff.h>
0012 #include <linux/compiler.h>
0013 #include <linux/ieee80211.h>
0014 #include <linux/gfp.h>
0015 #include <asm/unaligned.h>
0016 #include <net/mac80211.h>
0017 #include <crypto/aes.h>
0018 #include <crypto/algapi.h>
0019
0020 #include "ieee80211_i.h"
0021 #include "michael.h"
0022 #include "tkip.h"
0023 #include "aes_ccm.h"
0024 #include "aes_cmac.h"
0025 #include "aes_gmac.h"
0026 #include "aes_gcm.h"
0027 #include "wpa.h"
0028
0029 ieee80211_tx_result
0030 ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
0031 {
0032     u8 *data, *key, *mic;
0033     size_t data_len;
0034     unsigned int hdrlen;
0035     struct ieee80211_hdr *hdr;
0036     struct sk_buff *skb = tx->skb;
0037     struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
0038     int tail;
0039
0040     hdr = (struct ieee80211_hdr *)skb->data;
0041     if (!tx->key || tx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
0042         skb->len < 24 || !ieee80211_is_data_present(hdr->frame_control))
0043         return TX_CONTINUE;
0044
0045     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0046     if (skb->len < hdrlen)
0047         return TX_DROP;
0048
0049     data = skb->data + hdrlen;
0050     data_len = skb->len - hdrlen;
0051
0052     if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
0053         /* Need to use software crypto for the test */
0054         info->control.hw_key = NULL;
0055     }
0056
0057     if (info->control.hw_key &&
0058         (info->flags & IEEE80211_TX_CTL_DONTFRAG ||
0059          ieee80211_hw_check(&tx->local->hw, SUPPORTS_TX_FRAG)) &&
0060         !(tx->key->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
0061                      IEEE80211_KEY_FLAG_PUT_MIC_SPACE))) {
0062         /* hwaccel - with no need for SW-generated MMIC or MIC space */
0063         return TX_CONTINUE;
0064     }
0065
0066     tail = MICHAEL_MIC_LEN;
0067     if (!info->control.hw_key)
0068         tail += IEEE80211_TKIP_ICV_LEN;
0069
0070     if (WARN(skb_tailroom(skb) < tail ||
0071          skb_headroom(skb) < IEEE80211_TKIP_IV_LEN,
0072          "mmic: not enough head/tail (%d/%d,%d/%d)\n",
0073          skb_headroom(skb), IEEE80211_TKIP_IV_LEN,
0074          skb_tailroom(skb), tail))
0075         return TX_DROP;
0076
0077     mic = skb_put(skb, MICHAEL_MIC_LEN);
0078
0079     if (tx->key->conf.flags & IEEE80211_KEY_FLAG_PUT_MIC_SPACE) {
0080         /* Zeroed MIC can help with debug */
0081         memset(mic, 0, MICHAEL_MIC_LEN);
0082         return TX_CONTINUE;
0083     }
0084
0085     key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
0086     michael_mic(key, hdr, data, data_len, mic);
0087     if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
0088         mic[0]++;
0089
0090     return TX_CONTINUE;
0091 }
0092
0093
0094 ieee80211_rx_result
0095 ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
0096 {
0097     u8 *data, *key = NULL;
0098     size_t data_len;
0099     unsigned int hdrlen;
0100     u8 mic[MICHAEL_MIC_LEN];
0101     struct sk_buff *skb = rx->skb;
0102     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0103     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
0104
0105     /*
0106      * it makes no sense to check for MIC errors on anything other
0107      * than data frames.
0108      */
0109     if (!ieee80211_is_data_present(hdr->frame_control))
0110         return RX_CONTINUE;
0111
0112     /*
0113      * No way to verify the MIC if the hardware stripped it or
0114      * the IV with the key index. In this case we have solely rely
0115      * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
0116      * MIC failure report.
0117      */
0118     if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
0119         if (status->flag & RX_FLAG_MMIC_ERROR)
0120             goto mic_fail_no_key;
0121
0122         if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
0123             rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
0124             goto update_iv;
0125
0126         return RX_CONTINUE;
0127     }
0128
0129     /*
0130      * Some hardware seems to generate Michael MIC failure reports; even
0131      * though, the frame was not encrypted with TKIP and therefore has no
0132      * MIC. Ignore the flag them to avoid triggering countermeasures.
0133      */
0134     if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
0135         !(status->flag & RX_FLAG_DECRYPTED))
0136         return RX_CONTINUE;
0137
0138     if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
0139         /*
0140          * APs with pairwise keys should never receive Michael MIC
0141          * errors for non-zero keyidx because these are reserved for
0142          * group keys and only the AP is sending real multicast
0143          * frames in the BSS.
0144          */
0145         return RX_DROP_UNUSABLE;
0146     }
0147
0148     if (status->flag & RX_FLAG_MMIC_ERROR)
0149         goto mic_fail;
0150
0151     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0152     if (skb->len < hdrlen + MICHAEL_MIC_LEN)
0153         return RX_DROP_UNUSABLE;
0154
0155     if (skb_linearize(rx->skb))
0156         return RX_DROP_UNUSABLE;
0157     hdr = (void *)skb->data;
0158
0159     data = skb->data + hdrlen;
0160     data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
0161     key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
0162     michael_mic(key, hdr, data, data_len, mic);
0163     if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
0164         goto mic_fail;
0165
0166     /* remove Michael MIC from payload */
0167     skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
0168
0169 update_iv:
0170     /* update IV in key information to be able to detect replays */
0171     rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32;
0172     rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16;
0173
0174     return RX_CONTINUE;
0175
0176 mic_fail:
0177     rx->key->u.tkip.mic_failures++;
0178
0179 mic_fail_no_key:
0180     /*
0181      * In some cases the key can be unset - e.g. a multicast packet, in
0182      * a driver that supports HW encryption. Send up the key idx only if
0183      * the key is set.
0184      */
0185     cfg80211_michael_mic_failure(rx->sdata->dev, hdr->addr2,
0186                      is_multicast_ether_addr(hdr->addr1) ?
0187                      NL80211_KEYTYPE_GROUP :
0188                      NL80211_KEYTYPE_PAIRWISE,
0189                      rx->key ? rx->key->conf.keyidx : -1,
0190                      NULL, GFP_ATOMIC);
0191     return RX_DROP_UNUSABLE;
0192 }
0193
0194 static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
0195 {
0196     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
0197     struct ieee80211_key *key = tx->key;
0198     struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
0199     unsigned int hdrlen;
0200     int len, tail;
0201     u64 pn;
0202     u8 *pos;
0203
0204     if (info->control.hw_key &&
0205         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
0206         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) {
0207         /* hwaccel - with no need for software-generated IV */
0208         return 0;
0209     }
0210
0211     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0212     len = skb->len - hdrlen;
0213
0214     if (info->control.hw_key)
0215         tail = 0;
0216     else
0217         tail = IEEE80211_TKIP_ICV_LEN;
0218
0219     if (WARN_ON(skb_tailroom(skb) < tail ||
0220             skb_headroom(skb) < IEEE80211_TKIP_IV_LEN))
0221         return -1;
0222
0223     pos = skb_push(skb, IEEE80211_TKIP_IV_LEN);
0224     memmove(pos, pos + IEEE80211_TKIP_IV_LEN, hdrlen);
0225     pos += hdrlen;
0226
0227     /* the HW only needs room for the IV, but not the actual IV */
0228     if (info->control.hw_key &&
0229         (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
0230         return 0;
0231
0232     /* Increase IV for the frame */
0233     pn = atomic64_inc_return(&key->conf.tx_pn);
0234     pos = ieee80211_tkip_add_iv(pos, &key->conf, pn);
0235
0236     /* hwaccel - with software IV */
0237     if (info->control.hw_key)
0238         return 0;
0239
0240     /* Add room for ICV */
0241     skb_put(skb, IEEE80211_TKIP_ICV_LEN);
0242
0243     return ieee80211_tkip_encrypt_data(&tx->local->wep_tx_ctx,
0244                        key, skb, pos, len);
0245 }
0246
0247
0248 ieee80211_tx_result
0249 ieee80211_crypto_tkip_encrypt(struct ieee80211_tx_data *tx)
0250 {
0251     struct sk_buff *skb;
0252
0253     ieee80211_tx_set_protected(tx);
0254
0255     skb_queue_walk(&tx->skbs, skb) {
0256         if (tkip_encrypt_skb(tx, skb) < 0)
0257             return TX_DROP;
0258     }
0259
0260     return TX_CONTINUE;
0261 }
0262
0263
0264 ieee80211_rx_result
0265 ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
0266 {
0267     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
0268     int hdrlen, res, hwaccel = 0;
0269     struct ieee80211_key *key = rx->key;
0270     struct sk_buff *skb = rx->skb;
0271     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0272
0273     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0274
0275     if (!ieee80211_is_data(hdr->frame_control))
0276         return RX_CONTINUE;
0277
0278     if (!rx->sta || skb->len - hdrlen < 12)
0279         return RX_DROP_UNUSABLE;
0280
0281     /* it may be possible to optimize this a bit more */
0282     if (skb_linearize(rx->skb))
0283         return RX_DROP_UNUSABLE;
0284     hdr = (void *)skb->data;
0285
0286     /*
0287      * Let TKIP code verify IV, but skip decryption.
0288      * In the case where hardware checks the IV as well,
0289      * we don't even get here, see ieee80211_rx_h_decrypt()
0290      */
0291     if (status->flag & RX_FLAG_DECRYPTED)
0292         hwaccel = 1;
0293
0294     res = ieee80211_tkip_decrypt_data(&rx->local->wep_rx_ctx,
0295                       key, skb->data + hdrlen,
0296                       skb->len - hdrlen, rx->sta->sta.addr,
0297                       hdr->addr1, hwaccel, rx->security_idx,
0298                       &rx->tkip.iv32,
0299                       &rx->tkip.iv16);
0300     if (res != TKIP_DECRYPT_OK)
0301         return RX_DROP_UNUSABLE;
0302
0303     /* Trim ICV */
0304     if (!(status->flag & RX_FLAG_ICV_STRIPPED))
0305         skb_trim(skb, skb->len - IEEE80211_TKIP_ICV_LEN);
0306
0307     /* Remove IV */
0308     memmove(skb->data + IEEE80211_TKIP_IV_LEN, skb->data, hdrlen);
0309     skb_pull(skb, IEEE80211_TKIP_IV_LEN);
0310
0311     return RX_CONTINUE;
0312 }
0313
0314 /*
0315  * Calculate AAD for CCMP/GCMP, returning qos_tid since we
0316  * need that in CCMP also for b_0.
0317  */
0318 static u8 ccmp_gcmp_aad(struct sk_buff *skb, u8 *aad)
0319 {
0320     struct ieee80211_hdr *hdr = (void *)skb->data;
0321     __le16 mask_fc;
0322     int a4_included, mgmt;
0323     u8 qos_tid;
0324     u16 len_a = 22;
0325
0326     /*
0327      * Mask FC: zero subtype b4 b5 b6 (if not mgmt)
0328      * Retry, PwrMgt, MoreData, Order (if Qos Data); set Protected
0329      */
0330     mgmt = ieee80211_is_mgmt(hdr->frame_control);
0331     mask_fc = hdr->frame_control;
0332     mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY |
0333                 IEEE80211_FCTL_PM | IEEE80211_FCTL_MOREDATA);
0334     if (!mgmt)
0335         mask_fc &= ~cpu_to_le16(0x0070);
0336     mask_fc |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
0337
0338     a4_included = ieee80211_has_a4(hdr->frame_control);
0339     if (a4_included)
0340         len_a += 6;
0341
0342     if (ieee80211_is_data_qos(hdr->frame_control)) {
0343         qos_tid = ieee80211_get_tid(hdr);
0344         mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
0345         len_a += 2;
0346     } else {
0347         qos_tid = 0;
0348     }
0349
0350     /* AAD (extra authenticate-only data) / masked 802.11 header
0351      * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
0352     put_unaligned_be16(len_a, &aad[0]);
0353     put_unaligned(mask_fc, (__le16 *)&aad[2]);
0354     memcpy(&aad[4], &hdr->addrs, 3 * ETH_ALEN);
0355
0356     /* Mask Seq#, leave Frag# */
0357     aad[22] = *((u8 *) &hdr->seq_ctrl) & 0x0f;
0358     aad[23] = 0;
0359
0360     if (a4_included) {
0361         memcpy(&aad[24], hdr->addr4, ETH_ALEN);
0362         aad[30] = qos_tid;
0363         aad[31] = 0;
0364     } else {
0365         memset(&aad[24], 0, ETH_ALEN + IEEE80211_QOS_CTL_LEN);
0366         aad[24] = qos_tid;
0367     }
0368
0369     return qos_tid;
0370 }
0371
0372 static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad)
0373 {
0374     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
0375     u8 qos_tid = ccmp_gcmp_aad(skb, aad);
0376
0377     /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC
0378      * mode authentication are not allowed to collide, yet both are derived
0379      * from this vector b_0. We only set L := 1 here to indicate that the
0380      * data size can be represented in (L+1) bytes. The CCM layer will take
0381      * care of storing the data length in the top (L+1) bytes and setting
0382      * and clearing the other bits as is required to derive the two IVs.
0383      */
0384     b_0[0] = 0x1;
0385
0386     /* Nonce: Nonce Flags | A2 | PN
0387      * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
0388      */
0389     b_0[1] = qos_tid | (ieee80211_is_mgmt(hdr->frame_control) << 4);
0390     memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
0391     memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
0392 }
0393
0394 static inline void ccmp_pn2hdr(u8 *hdr, u8 *pn, int key_id)
0395 {
0396     hdr[0] = pn[5];
0397     hdr[1] = pn[4];
0398     hdr[2] = 0;
0399     hdr[3] = 0x20 | (key_id << 6);
0400     hdr[4] = pn[3];
0401     hdr[5] = pn[2];
0402     hdr[6] = pn[1];
0403     hdr[7] = pn[0];
0404 }
0405
0406
0407 static inline void ccmp_hdr2pn(u8 *pn, u8 *hdr)
0408 {
0409     pn[0] = hdr[7];
0410     pn[1] = hdr[6];
0411     pn[2] = hdr[5];
0412     pn[3] = hdr[4];
0413     pn[4] = hdr[1];
0414     pn[5] = hdr[0];
0415 }
0416
0417
0418 static int ccmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb,
0419                 unsigned int mic_len)
0420 {
0421     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
0422     struct ieee80211_key *key = tx->key;
0423     struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
0424     int hdrlen, len, tail;
0425     u8 *pos;
0426     u8 pn[6];
0427     u64 pn64;
0428     u8 aad[CCM_AAD_LEN];
0429     u8 b_0[AES_BLOCK_SIZE];
0430
0431     if (info->control.hw_key &&
0432         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
0433         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
0434         !((info->control.hw_key->flags &
0435            IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
0436           ieee80211_is_mgmt(hdr->frame_control))) {
0437         /*
0438          * hwaccel has no need for preallocated room for CCMP
0439          * header or MIC fields
0440          */
0441         return 0;
0442     }
0443
0444     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0445     len = skb->len - hdrlen;
0446
0447     if (info->control.hw_key)
0448         tail = 0;
0449     else
0450         tail = mic_len;
0451
0452     if (WARN_ON(skb_tailroom(skb) < tail ||
0453             skb_headroom(skb) < IEEE80211_CCMP_HDR_LEN))
0454         return -1;
0455
0456     pos = skb_push(skb, IEEE80211_CCMP_HDR_LEN);
0457     memmove(pos, pos + IEEE80211_CCMP_HDR_LEN, hdrlen);
0458
0459     /* the HW only needs room for the IV, but not the actual IV */
0460     if (info->control.hw_key &&
0461         (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
0462         return 0;
0463
0464     pos += hdrlen;
0465
0466     pn64 = atomic64_inc_return(&key->conf.tx_pn);
0467
0468     pn[5] = pn64;
0469     pn[4] = pn64 >> 8;
0470     pn[3] = pn64 >> 16;
0471     pn[2] = pn64 >> 24;
0472     pn[1] = pn64 >> 32;
0473     pn[0] = pn64 >> 40;
0474
0475     ccmp_pn2hdr(pos, pn, key->conf.keyidx);
0476
0477     /* hwaccel - with software CCMP header */
0478     if (info->control.hw_key)
0479         return 0;
0480
0481     pos += IEEE80211_CCMP_HDR_LEN;
0482     ccmp_special_blocks(skb, pn, b_0, aad);
0483     return ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
0484                      skb_put(skb, mic_len));
0485 }
0486
0487
0488 ieee80211_tx_result
0489 ieee80211_crypto_ccmp_encrypt(struct ieee80211_tx_data *tx,
0490                   unsigned int mic_len)
0491 {
0492     struct sk_buff *skb;
0493
0494     ieee80211_tx_set_protected(tx);
0495
0496     skb_queue_walk(&tx->skbs, skb) {
0497         if (ccmp_encrypt_skb(tx, skb, mic_len) < 0)
0498             return TX_DROP;
0499     }
0500
0501     return TX_CONTINUE;
0502 }
0503
0504
0505 ieee80211_rx_result
0506 ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
0507                   unsigned int mic_len)
0508 {
0509     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
0510     int hdrlen;
0511     struct ieee80211_key *key = rx->key;
0512     struct sk_buff *skb = rx->skb;
0513     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0514     u8 pn[IEEE80211_CCMP_PN_LEN];
0515     int data_len;
0516     int queue;
0517
0518     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0519
0520     if (!ieee80211_is_data(hdr->frame_control) &&
0521         !ieee80211_is_robust_mgmt_frame(skb))
0522         return RX_CONTINUE;
0523
0524     if (status->flag & RX_FLAG_DECRYPTED) {
0525         if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
0526             return RX_DROP_UNUSABLE;
0527         if (status->flag & RX_FLAG_MIC_STRIPPED)
0528             mic_len = 0;
0529     } else {
0530         if (skb_linearize(rx->skb))
0531             return RX_DROP_UNUSABLE;
0532     }
0533
0534     /* reload hdr - skb might have been reallocated */
0535     hdr = (void *)rx->skb->data;
0536
0537     data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
0538     if (!rx->sta || data_len < 0)
0539         return RX_DROP_UNUSABLE;
0540
0541     if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
0542         int res;
0543
0544         ccmp_hdr2pn(pn, skb->data + hdrlen);
0545
0546         queue = rx->security_idx;
0547
0548         res = memcmp(pn, key->u.ccmp.rx_pn[queue],
0549                  IEEE80211_CCMP_PN_LEN);
0550         if (res < 0 ||
0551             (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
0552             key->u.ccmp.replays++;
0553             return RX_DROP_UNUSABLE;
0554         }
0555
0556         if (!(status->flag & RX_FLAG_DECRYPTED)) {
0557             u8 aad[2 * AES_BLOCK_SIZE];
0558             u8 b_0[AES_BLOCK_SIZE];
0559             /* hardware didn't decrypt/verify MIC */
0560             ccmp_special_blocks(skb, pn, b_0, aad);
0561
0562             if (ieee80211_aes_ccm_decrypt(
0563                     key->u.ccmp.tfm, b_0, aad,
0564                     skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN,
0565                     data_len,
0566                     skb->data + skb->len - mic_len))
0567                 return RX_DROP_UNUSABLE;
0568         }
0569
0570         memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
0571         if (unlikely(ieee80211_is_frag(hdr)))
0572             memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
0573     }
0574
0575     /* Remove CCMP header and MIC */
0576     if (pskb_trim(skb, skb->len - mic_len))
0577         return RX_DROP_UNUSABLE;
0578     memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
0579     skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
0580
0581     return RX_CONTINUE;
0582 }
0583
0584 static void gcmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *j_0, u8 *aad)
0585 {
0586     struct ieee80211_hdr *hdr = (void *)skb->data;
0587
0588     memcpy(j_0, hdr->addr2, ETH_ALEN);
0589     memcpy(&j_0[ETH_ALEN], pn, IEEE80211_GCMP_PN_LEN);
0590     j_0[13] = 0;
0591     j_0[14] = 0;
0592     j_0[AES_BLOCK_SIZE - 1] = 0x01;
0593
0594     ccmp_gcmp_aad(skb, aad);
0595 }
0596
0597 static inline void gcmp_pn2hdr(u8 *hdr, const u8 *pn, int key_id)
0598 {
0599     hdr[0] = pn[5];
0600     hdr[1] = pn[4];
0601     hdr[2] = 0;
0602     hdr[3] = 0x20 | (key_id << 6);
0603     hdr[4] = pn[3];
0604     hdr[5] = pn[2];
0605     hdr[6] = pn[1];
0606     hdr[7] = pn[0];
0607 }
0608
0609 static inline void gcmp_hdr2pn(u8 *pn, const u8 *hdr)
0610 {
0611     pn[0] = hdr[7];
0612     pn[1] = hdr[6];
0613     pn[2] = hdr[5];
0614     pn[3] = hdr[4];
0615     pn[4] = hdr[1];
0616     pn[5] = hdr[0];
0617 }
0618
0619 static int gcmp_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
0620 {
0621     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
0622     struct ieee80211_key *key = tx->key;
0623     struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
0624     int hdrlen, len, tail;
0625     u8 *pos;
0626     u8 pn[6];
0627     u64 pn64;
0628     u8 aad[GCM_AAD_LEN];
0629     u8 j_0[AES_BLOCK_SIZE];
0630
0631     if (info->control.hw_key &&
0632         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) &&
0633         !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
0634         !((info->control.hw_key->flags &
0635            IEEE80211_KEY_FLAG_GENERATE_IV_MGMT) &&
0636           ieee80211_is_mgmt(hdr->frame_control))) {
0637         /* hwaccel has no need for preallocated room for GCMP
0638          * header or MIC fields
0639          */
0640         return 0;
0641     }
0642
0643     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0644     len = skb->len - hdrlen;
0645
0646     if (info->control.hw_key)
0647         tail = 0;
0648     else
0649         tail = IEEE80211_GCMP_MIC_LEN;
0650
0651     if (WARN_ON(skb_tailroom(skb) < tail ||
0652             skb_headroom(skb) < IEEE80211_GCMP_HDR_LEN))
0653         return -1;
0654
0655     pos = skb_push(skb, IEEE80211_GCMP_HDR_LEN);
0656     memmove(pos, pos + IEEE80211_GCMP_HDR_LEN, hdrlen);
0657     skb_set_network_header(skb, skb_network_offset(skb) +
0658                     IEEE80211_GCMP_HDR_LEN);
0659
0660     /* the HW only needs room for the IV, but not the actual IV */
0661     if (info->control.hw_key &&
0662         (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE))
0663         return 0;
0664
0665     pos += hdrlen;
0666
0667     pn64 = atomic64_inc_return(&key->conf.tx_pn);
0668
0669     pn[5] = pn64;
0670     pn[4] = pn64 >> 8;
0671     pn[3] = pn64 >> 16;
0672     pn[2] = pn64 >> 24;
0673     pn[1] = pn64 >> 32;
0674     pn[0] = pn64 >> 40;
0675
0676     gcmp_pn2hdr(pos, pn, key->conf.keyidx);
0677
0678     /* hwaccel - with software GCMP header */
0679     if (info->control.hw_key)
0680         return 0;
0681
0682     pos += IEEE80211_GCMP_HDR_LEN;
0683     gcmp_special_blocks(skb, pn, j_0, aad);
0684     return ieee80211_aes_gcm_encrypt(key->u.gcmp.tfm, j_0, aad, pos, len,
0685                      skb_put(skb, IEEE80211_GCMP_MIC_LEN));
0686 }
0687
0688 ieee80211_tx_result
0689 ieee80211_crypto_gcmp_encrypt(struct ieee80211_tx_data *tx)
0690 {
0691     struct sk_buff *skb;
0692
0693     ieee80211_tx_set_protected(tx);
0694
0695     skb_queue_walk(&tx->skbs, skb) {
0696         if (gcmp_encrypt_skb(tx, skb) < 0)
0697             return TX_DROP;
0698     }
0699
0700     return TX_CONTINUE;
0701 }
0702
0703 ieee80211_rx_result
0704 ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
0705 {
0706     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
0707     int hdrlen;
0708     struct ieee80211_key *key = rx->key;
0709     struct sk_buff *skb = rx->skb;
0710     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0711     u8 pn[IEEE80211_GCMP_PN_LEN];
0712     int data_len, queue, mic_len = IEEE80211_GCMP_MIC_LEN;
0713
0714     hdrlen = ieee80211_hdrlen(hdr->frame_control);
0715
0716     if (!ieee80211_is_data(hdr->frame_control) &&
0717         !ieee80211_is_robust_mgmt_frame(skb))
0718         return RX_CONTINUE;
0719
0720     if (status->flag & RX_FLAG_DECRYPTED) {
0721         if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
0722             return RX_DROP_UNUSABLE;
0723         if (status->flag & RX_FLAG_MIC_STRIPPED)
0724             mic_len = 0;
0725     } else {
0726         if (skb_linearize(rx->skb))
0727             return RX_DROP_UNUSABLE;
0728     }
0729
0730     /* reload hdr - skb might have been reallocated */
0731     hdr = (void *)rx->skb->data;
0732
0733     data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
0734     if (!rx->sta || data_len < 0)
0735         return RX_DROP_UNUSABLE;
0736
0737     if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
0738         int res;
0739
0740         gcmp_hdr2pn(pn, skb->data + hdrlen);
0741
0742         queue = rx->security_idx;
0743
0744         res = memcmp(pn, key->u.gcmp.rx_pn[queue],
0745                  IEEE80211_GCMP_PN_LEN);
0746         if (res < 0 ||
0747             (!res && !(status->flag & RX_FLAG_ALLOW_SAME_PN))) {
0748             key->u.gcmp.replays++;
0749             return RX_DROP_UNUSABLE;
0750         }
0751
0752         if (!(status->flag & RX_FLAG_DECRYPTED)) {
0753             u8 aad[2 * AES_BLOCK_SIZE];
0754             u8 j_0[AES_BLOCK_SIZE];
0755             /* hardware didn't decrypt/verify MIC */
0756             gcmp_special_blocks(skb, pn, j_0, aad);
0757
0758             if (ieee80211_aes_gcm_decrypt(
0759                     key->u.gcmp.tfm, j_0, aad,
0760                     skb->data + hdrlen + IEEE80211_GCMP_HDR_LEN,
0761                     data_len,
0762                     skb->data + skb->len -
0763                     IEEE80211_GCMP_MIC_LEN))
0764                 return RX_DROP_UNUSABLE;
0765         }
0766
0767         memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
0768         if (unlikely(ieee80211_is_frag(hdr)))
0769             memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
0770     }
0771
0772     /* Remove GCMP header and MIC */
0773     if (pskb_trim(skb, skb->len - mic_len))
0774         return RX_DROP_UNUSABLE;
0775     memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
0776     skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
0777
0778     return RX_CONTINUE;
0779 }
0780
0781 static void bip_aad(struct sk_buff *skb, u8 *aad)
0782 {
0783     __le16 mask_fc;
0784     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
0785
0786     /* BIP AAD: FC(masked) || A1 || A2 || A3 */
0787
0788     /* FC type/subtype */
0789     /* Mask FC Retry, PwrMgt, MoreData flags to zero */
0790     mask_fc = hdr->frame_control;
0791     mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
0792                 IEEE80211_FCTL_MOREDATA);
0793     put_unaligned(mask_fc, (__le16 *) &aad[0]);
0794     /* A1 || A2 || A3 */
0795     memcpy(aad + 2, &hdr->addrs, 3 * ETH_ALEN);
0796 }
0797
0798
0799 static inline void bip_ipn_set64(u8 *d, u64 pn)
0800 {
0801     *d++ = pn;
0802     *d++ = pn >> 8;
0803     *d++ = pn >> 16;
0804     *d++ = pn >> 24;
0805     *d++ = pn >> 32;
0806     *d = pn >> 40;
0807 }
0808
0809 static inline void bip_ipn_swap(u8 *d, const u8 *s)
0810 {
0811     *d++ = s[5];
0812     *d++ = s[4];
0813     *d++ = s[3];
0814     *d++ = s[2];
0815     *d++ = s[1];
0816     *d = s[0];
0817 }
0818
0819
0820 ieee80211_tx_result
0821 ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
0822 {
0823     struct sk_buff *skb;
0824     struct ieee80211_tx_info *info;
0825     struct ieee80211_key *key = tx->key;
0826     struct ieee80211_mmie *mmie;
0827     u8 aad[20];
0828     u64 pn64;
0829
0830     if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
0831         return TX_DROP;
0832
0833     skb = skb_peek(&tx->skbs);
0834
0835     info = IEEE80211_SKB_CB(skb);
0836
0837     if (info->control.hw_key &&
0838         !(key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIE))
0839         return TX_CONTINUE;
0840
0841     if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
0842         return TX_DROP;
0843
0844     mmie = skb_put(skb, sizeof(*mmie));
0845     mmie->element_id = WLAN_EID_MMIE;
0846     mmie->length = sizeof(*mmie) - 2;
0847     mmie->key_id = cpu_to_le16(key->conf.keyidx);
0848
0849     /* PN = PN + 1 */
0850     pn64 = atomic64_inc_return(&key->conf.tx_pn);
0851
0852     bip_ipn_set64(mmie->sequence_number, pn64);
0853
0854     if (info->control.hw_key)
0855         return TX_CONTINUE;
0856
0857     bip_aad(skb, aad);
0858
0859     /*
0860      * MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
0861      */
0862     ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
0863                skb->data + 24, skb->len - 24, mmie->mic);
0864
0865     return TX_CONTINUE;
0866 }
0867
0868 ieee80211_tx_result
0869 ieee80211_crypto_aes_cmac_256_encrypt(struct ieee80211_tx_data *tx)
0870 {
0871     struct sk_buff *skb;
0872     struct ieee80211_tx_info *info;
0873     struct ieee80211_key *key = tx->key;
0874     struct ieee80211_mmie_16 *mmie;
0875     u8 aad[20];
0876     u64 pn64;
0877
0878     if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
0879         return TX_DROP;
0880
0881     skb = skb_peek(&tx->skbs);
0882
0883     info = IEEE80211_SKB_CB(skb);
0884
0885     if (info->control.hw_key)
0886         return TX_CONTINUE;
0887
0888     if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
0889         return TX_DROP;
0890
0891     mmie = skb_put(skb, sizeof(*mmie));
0892     mmie->element_id = WLAN_EID_MMIE;
0893     mmie->length = sizeof(*mmie) - 2;
0894     mmie->key_id = cpu_to_le16(key->conf.keyidx);
0895
0896     /* PN = PN + 1 */
0897     pn64 = atomic64_inc_return(&key->conf.tx_pn);
0898
0899     bip_ipn_set64(mmie->sequence_number, pn64);
0900
0901     bip_aad(skb, aad);
0902
0903     /* MIC = AES-256-CMAC(IGTK, AAD || Management Frame Body || MMIE, 128)
0904      */
0905     ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
0906                    skb->data + 24, skb->len - 24, mmie->mic);
0907
0908     return TX_CONTINUE;
0909 }
0910
0911 ieee80211_rx_result
0912 ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
0913 {
0914     struct sk_buff *skb = rx->skb;
0915     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0916     struct ieee80211_key *key = rx->key;
0917     struct ieee80211_mmie *mmie;
0918     u8 aad[20], mic[8], ipn[6];
0919     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
0920
0921     if (!ieee80211_is_mgmt(hdr->frame_control))
0922         return RX_CONTINUE;
0923
0924     /* management frames are already linear */
0925
0926     if (skb->len < 24 + sizeof(*mmie))
0927         return RX_DROP_UNUSABLE;
0928
0929     mmie = (struct ieee80211_mmie *)
0930         (skb->data + skb->len - sizeof(*mmie));
0931     if (mmie->element_id != WLAN_EID_MMIE ||
0932         mmie->length != sizeof(*mmie) - 2)
0933         return RX_DROP_UNUSABLE; /* Invalid MMIE */
0934
0935     bip_ipn_swap(ipn, mmie->sequence_number);
0936
0937     if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
0938         key->u.aes_cmac.replays++;
0939         return RX_DROP_UNUSABLE;
0940     }
0941
0942     if (!(status->flag & RX_FLAG_DECRYPTED)) {
0943         /* hardware didn't decrypt/verify MIC */
0944         bip_aad(skb, aad);
0945         ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
0946                    skb->data + 24, skb->len - 24, mic);
0947         if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
0948             key->u.aes_cmac.icverrors++;
0949             return RX_DROP_UNUSABLE;
0950         }
0951     }
0952
0953     memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
0954
0955     /* Remove MMIE */
0956     skb_trim(skb, skb->len - sizeof(*mmie));
0957
0958     return RX_CONTINUE;
0959 }
0960
0961 ieee80211_rx_result
0962 ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
0963 {
0964     struct sk_buff *skb = rx->skb;
0965     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
0966     struct ieee80211_key *key = rx->key;
0967     struct ieee80211_mmie_16 *mmie;
0968     u8 aad[20], mic[16], ipn[6];
0969     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
0970
0971     if (!ieee80211_is_mgmt(hdr->frame_control))
0972         return RX_CONTINUE;
0973
0974     /* management frames are already linear */
0975
0976     if (skb->len < 24 + sizeof(*mmie))
0977         return RX_DROP_UNUSABLE;
0978
0979     mmie = (struct ieee80211_mmie_16 *)
0980         (skb->data + skb->len - sizeof(*mmie));
0981     if (mmie->element_id != WLAN_EID_MMIE ||
0982         mmie->length != sizeof(*mmie) - 2)
0983         return RX_DROP_UNUSABLE; /* Invalid MMIE */
0984
0985     bip_ipn_swap(ipn, mmie->sequence_number);
0986
0987     if (memcmp(ipn, key->u.aes_cmac.rx_pn, 6) <= 0) {
0988         key->u.aes_cmac.replays++;
0989         return RX_DROP_UNUSABLE;
0990     }
0991
0992     if (!(status->flag & RX_FLAG_DECRYPTED)) {
0993         /* hardware didn't decrypt/verify MIC */
0994         bip_aad(skb, aad);
0995         ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
0996                        skb->data + 24, skb->len - 24, mic);
0997         if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
0998             key->u.aes_cmac.icverrors++;
0999             return RX_DROP_UNUSABLE;
1000         }
1001     }
1002
1003     memcpy(key->u.aes_cmac.rx_pn, ipn, 6);
1004
1005     /* Remove MMIE */
1006     skb_trim(skb, skb->len - sizeof(*mmie));
1007
1008     return RX_CONTINUE;
1009 }
1010
1011 ieee80211_tx_result
1012 ieee80211_crypto_aes_gmac_encrypt(struct ieee80211_tx_data *tx)
1013 {
1014     struct sk_buff *skb;
1015     struct ieee80211_tx_info *info;
1016     struct ieee80211_key *key = tx->key;
1017     struct ieee80211_mmie_16 *mmie;
1018     struct ieee80211_hdr *hdr;
1019     u8 aad[GMAC_AAD_LEN];
1020     u64 pn64;
1021     u8 nonce[GMAC_NONCE_LEN];
1022
1023     if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
1024         return TX_DROP;
1025
1026     skb = skb_peek(&tx->skbs);
1027
1028     info = IEEE80211_SKB_CB(skb);
1029
1030     if (info->control.hw_key)
1031         return TX_CONTINUE;
1032
1033     if (WARN_ON(skb_tailroom(skb) < sizeof(*mmie)))
1034         return TX_DROP;
1035
1036     mmie = skb_put(skb, sizeof(*mmie));
1037     mmie->element_id = WLAN_EID_MMIE;
1038     mmie->length = sizeof(*mmie) - 2;
1039     mmie->key_id = cpu_to_le16(key->conf.keyidx);
1040
1041     /* PN = PN + 1 */
1042     pn64 = atomic64_inc_return(&key->conf.tx_pn);
1043
1044     bip_ipn_set64(mmie->sequence_number, pn64);
1045
1046     bip_aad(skb, aad);
1047
1048     hdr = (struct ieee80211_hdr *)skb->data;
1049     memcpy(nonce, hdr->addr2, ETH_ALEN);
1050     bip_ipn_swap(nonce + ETH_ALEN, mmie->sequence_number);
1051
1052     /* MIC = AES-GMAC(IGTK, AAD || Management Frame Body || MMIE, 128) */
1053     if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1054                    skb->data + 24, skb->len - 24, mmie->mic) < 0)
1055         return TX_DROP;
1056
1057     return TX_CONTINUE;
1058 }
1059
1060 ieee80211_rx_result
1061 ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
1062 {
1063     struct sk_buff *skb = rx->skb;
1064     struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1065     struct ieee80211_key *key = rx->key;
1066     struct ieee80211_mmie_16 *mmie;
1067     u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
1068     struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1069
1070     if (!ieee80211_is_mgmt(hdr->frame_control))
1071         return RX_CONTINUE;
1072
1073     /* management frames are already linear */
1074
1075     if (skb->len < 24 + sizeof(*mmie))
1076         return RX_DROP_UNUSABLE;
1077
1078     mmie = (struct ieee80211_mmie_16 *)
1079         (skb->data + skb->len - sizeof(*mmie));
1080     if (mmie->element_id != WLAN_EID_MMIE ||
1081         mmie->length != sizeof(*mmie) - 2)
1082         return RX_DROP_UNUSABLE; /* Invalid MMIE */
1083
1084     bip_ipn_swap(ipn, mmie->sequence_number);
1085
1086     if (memcmp(ipn, key->u.aes_gmac.rx_pn, 6) <= 0) {
1087         key->u.aes_gmac.replays++;
1088         return RX_DROP_UNUSABLE;
1089     }
1090
1091     if (!(status->flag & RX_FLAG_DECRYPTED)) {
1092         /* hardware didn't decrypt/verify MIC */
1093         bip_aad(skb, aad);
1094
1095         memcpy(nonce, hdr->addr2, ETH_ALEN);
1096         memcpy(nonce + ETH_ALEN, ipn, 6);
1097
1098         mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC);
1099         if (!mic)
1100             return RX_DROP_UNUSABLE;
1101         if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
1102                        skb->data + 24, skb->len - 24,
1103                        mic) < 0 ||
1104             crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
1105             key->u.aes_gmac.icverrors++;
1106             kfree(mic);
1107             return RX_DROP_UNUSABLE;
1108         }
1109         kfree(mic);
1110     }
1111
1112     memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
1113
1114     /* Remove MMIE */
1115     skb_trim(skb, skb->len - sizeof(*mmie));
1116
1117     return RX_CONTINUE;
1118 }