2
* Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation; either version 2 of the
7
* License, or any later version.
9
* This program is distributed in the hope that it will be useful, but
10
* WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12
* General Public License for more details.
14
* You should have received a copy of the GNU General Public License
15
* along with this program; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20
FILE_LICENCE ( GPL2_OR_LATER );
23
#include <ipxe/net80211.h>
24
#include <ipxe/crypto.h>
25
#include <ipxe/hmac.h>
26
#include <ipxe/sha1.h>
34
* Backend for WPA using the CCMP encryption method
37
/** Context for CCMP encryption and decryption */
40
/** AES context - only ever used for encryption */
41
u8 aes_ctx[AES_CTX_SIZE];
43
/** Most recently sent packet number */
46
/** Most recently received packet number */
50
/** Header structure at the beginning of CCMP frame data */
53
u8 pn_lo[2]; /**< Bytes 0 and 1 of packet number */
54
u8 _rsvd; /**< Reserved byte */
55
u8 kid; /**< Key ID and ExtIV byte */
56
u8 pn_hi[4]; /**< Bytes 2-5 (2 first) of packet number */
57
} __attribute__ (( packed ));
60
/** CCMP header overhead */
61
#define CCMP_HEAD_LEN 8
63
/** CCMP MIC trailer overhead */
64
#define CCMP_MIC_LEN 8
66
/** CCMP nonce length */
67
#define CCMP_NONCE_LEN 13
69
/** CCMP nonce structure */
72
u8 prio; /**< Packet priority, 0 for non-QoS */
73
u8 a2[ETH_ALEN]; /**< Address 2 from packet header (sender) */
74
u8 pn[6]; /**< Packet number */
75
} __attribute__ (( packed ));
77
/** CCMP additional authentication data length (for non-QoS, non-WDS frames) */
78
#define CCMP_AAD_LEN 22
80
/** CCMP additional authentication data structure */
83
u16 fc; /**< Frame Control field */
84
u8 a1[6]; /**< Address 1 */
85
u8 a2[6]; /**< Address 2 */
86
u8 a3[6]; /**< Address 3 */
87
u16 seq; /**< Sequence Control field */
88
/* Address 4 and QoS Control are included if present */
89
} __attribute__ (( packed ));
91
/** Mask for Frame Control field in AAD */
92
#define CCMP_AAD_FC_MASK 0xC38F
94
/** Mask for Sequence Control field in AAD */
95
#define CCMP_AAD_SEQ_MASK 0x000F
99
* Convert 6-byte LSB packet number to 64-bit integer
101
* @v pn Pointer to 6-byte packet number
102
* @ret v 64-bit integer value of @a pn
104
static u64 pn_to_u64 ( const u8 *pn )
109
for ( i = 5; i >= 0; i-- ) {
118
* Convert 64-bit integer to 6-byte packet number
120
* @v v 64-bit integer
121
* @v msb If TRUE, reverse the output PN to be in MSB order
122
* @ret pn 6-byte packet number
124
* The PN is stored in LSB order in the packet header and in MSB order
125
* in the nonce. WHYYYYY?
127
static void u64_to_pn ( u64 v, u8 *pn, int msb )
130
u8 *pnp = pn + ( msb ? 5 : 0 );
131
int delta = ( msb ? -1 : +1 );
133
for ( i = 0; i < 6; i++ ) {
140
/** Value for @a msb argument of u64_to_pn() for MSB output */
143
/** Value for @a msb argument of u64_to_pn() for LSB output */
149
* Initialise CCMP state and install key
151
* @v crypto CCMP cryptosystem structure
152
* @v key Pointer to 16-byte temporal key to install
153
* @v keylen Length of key (16 bytes)
154
* @v rsc Initial receive sequence counter
156
static int ccmp_init ( struct net80211_crypto *crypto, const void *key,
157
int keylen, const void *rsc )
159
struct ccmp_ctx *ctx = crypto->priv;
165
ctx->rx_seq = pn_to_u64 ( rsc );
167
cipher_setkey ( &aes_algorithm, ctx->aes_ctx, key, keylen );
174
* Encrypt or decrypt data stream using AES in Counter mode
176
* @v ctx CCMP cryptosystem context
177
* @v nonce Nonce value, 13 bytes
178
* @v srcv Data to encrypt or decrypt
179
* @v len Number of bytes pointed to by @a src
180
* @v msrcv MIC value to encrypt or decrypt (may be NULL)
181
* @ret destv Encrypted or decrypted data
182
* @ret mdestv Encrypted or decrypted MIC value
184
* This assumes CCMP parameters of L=2 and M=8. The algorithm is
185
* defined in RFC 3610.
187
static void ccmp_ctr_xor ( struct ccmp_ctx *ctx, const void *nonce,
188
const void *srcv, void *destv, int len,
189
const void *msrcv, void *mdestv )
194
const u8 *src = srcv, *msrc = msrcv;
195
u8 *dest = destv, *mdest = mdestv;
197
A[0] = 0x01; /* flags, L' = L - 1 = 1, other bits rsvd */
198
memcpy ( A + 1, nonce, CCMP_NONCE_LEN );
203
cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
205
for ( i = 0; i < 8; i++ ) {
206
*mdest++ = *msrc++ ^ S[i];
210
for ( ctr = 1 ;; ctr++ ) {
214
cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
216
for ( i = 0; i < len && i < 16; i++ )
217
*dest++ = *src++ ^ S[i];
220
break; /* we're done */
228
* Advance one block in CBC-MAC calculation
230
* @v aes_ctx AES encryption context with key set
231
* @v B Cleartext block to incorporate (16 bytes)
232
* @v X Previous ciphertext block (16 bytes)
234
* @ret X New ciphertext block (16 bytes)
236
* This function does X := E[key] ( X ^ B ).
238
static void ccmp_feed_cbc_mac ( void *aes_ctx, u8 *B, u8 *X )
241
for ( i = 0; i < 16; i++ )
243
cipher_encrypt ( &aes_algorithm, aes_ctx, B, X, 16 );
248
* Calculate MIC on plaintext data using CBC-MAC
250
* @v ctx CCMP cryptosystem context
251
* @v nonce Nonce value, 13 bytes
252
* @v data Data to calculate MIC over
253
* @v datalen Length of @a data
254
* @v aad Additional authentication data, for MIC but not encryption
255
* @ret mic MIC value (unencrypted), 8 bytes
257
* @a aadlen is assumed to be 22 bytes long, as it always is for
258
* 802.11 use when transmitting non-QoS, not-between-APs frames (the
259
* only type we deal with).
261
static void ccmp_cbc_mac ( struct ccmp_ctx *ctx, const void *nonce,
262
const void *data, u16 datalen,
263
const void *aad, void *mic )
267
/* Zeroth block: flags, nonce, length */
269
/* Rsv AAD - M'- - L'-
270
* 0 1 0 1 1 0 0 1 for an 8-byte MAC and 2-byte message length
273
memcpy ( B + 1, nonce, CCMP_NONCE_LEN );
274
B[14] = datalen >> 8;
275
B[15] = datalen & 0xFF;
277
cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, B, X, 16 );
279
/* First block: AAD length field and 14 bytes of AAD */
282
memcpy ( B + 2, aad, 14 );
284
ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
286
/* Second block: Remaining 8 bytes of AAD, 8 bytes zero pad */
287
memcpy ( B, aad + 14, 8 );
288
memset ( B + 8, 0, 8 );
290
ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
294
if ( datalen >= 16 ) {
295
memcpy ( B, data, 16 );
298
memcpy ( B, data, datalen );
299
memset ( B + datalen, 0, 16 - datalen );
303
ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
308
/* Get MIC from final value of X */
309
memcpy ( mic, X, 8 );
314
* Encapsulate and encrypt a packet using CCMP
316
* @v crypto CCMP cryptosystem
317
* @v iob I/O buffer containing cleartext packet
318
* @ret eiob I/O buffer containing encrypted packet
320
struct io_buffer * ccmp_encrypt ( struct net80211_crypto *crypto,
321
struct io_buffer *iob )
323
struct ccmp_ctx *ctx = crypto->priv;
324
struct ieee80211_frame *hdr = iob->data;
325
struct io_buffer *eiob;
326
const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
327
int datalen = iob_len ( iob ) - hdrlen;
328
struct ccmp_head head;
329
struct ccmp_nonce nonce;
335
u64_to_pn ( ctx->tx_seq, tx_pn, PN_LSB );
337
/* Allocate memory */
338
eiob = alloc_iob ( iob_len ( iob ) + CCMP_HEAD_LEN + CCMP_MIC_LEN );
342
/* Copy frame header */
343
memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
345
hdr->fc |= IEEE80211_FC_PROTECTED;
347
/* Fill in packet number and extended IV */
348
memcpy ( head.pn_lo, tx_pn, 2 );
349
memcpy ( head.pn_hi, tx_pn + 2, 4 );
350
head.kid = 0x20; /* have Extended IV, key ID 0 */
352
memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
356
memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
357
u64_to_pn ( ctx->tx_seq, nonce.pn, PN_MSB );
359
/* Form additional authentication data */
360
aad.fc = hdr->fc & CCMP_AAD_FC_MASK;
361
memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
362
aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
364
/* Calculate MIC over the data */
365
ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, mic );
367
/* Copy and encrypt data and MIC */
368
edata = iob_put ( eiob, datalen );
369
emic = iob_put ( eiob, CCMP_MIC_LEN );
370
ccmp_ctr_xor ( ctx, &nonce,
371
iob->data + hdrlen, edata, datalen,
375
DBGC2 ( ctx, "WPA-CCMP %p: encrypted packet %p -> %p\n", ctx,
382
* Decrypt a packet using CCMP
384
* @v crypto CCMP cryptosystem
385
* @v eiob I/O buffer containing encrypted packet
386
* @ret iob I/O buffer containing cleartext packet
388
static struct io_buffer * ccmp_decrypt ( struct net80211_crypto *crypto,
389
struct io_buffer *eiob )
391
struct ccmp_ctx *ctx = crypto->priv;
392
struct ieee80211_frame *hdr;
393
struct io_buffer *iob;
394
const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
395
int datalen = iob_len ( eiob ) - hdrlen - CCMP_HEAD_LEN - CCMP_MIC_LEN;
396
struct ccmp_head *head;
397
struct ccmp_nonce nonce;
399
u8 rx_pn[6], their_mic[8], our_mic[8];
401
iob = alloc_iob ( hdrlen + datalen );
405
/* Copy frame header */
406
memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
408
hdr->fc &= ~IEEE80211_FC_PROTECTED;
410
/* Check and update RX packet number */
411
head = eiob->data + hdrlen;
412
memcpy ( rx_pn, head->pn_lo, 2 );
413
memcpy ( rx_pn + 2, head->pn_hi, 4 );
415
if ( pn_to_u64 ( rx_pn ) <= ctx->rx_seq ) {
416
DBGC ( ctx, "WPA-CCMP %p: packet received out of order "
417
"(%012llx <= %012llx)\n", ctx, pn_to_u64 ( rx_pn ),
423
ctx->rx_seq = pn_to_u64 ( rx_pn );
424
DBGC2 ( ctx, "WPA-CCMP %p: RX packet number %012llx\n", ctx, ctx->rx_seq );
428
memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
429
u64_to_pn ( ctx->rx_seq, nonce.pn, PN_MSB );
431
/* Form additional authentication data */
432
aad.fc = ( hdr->fc & CCMP_AAD_FC_MASK ) | IEEE80211_FC_PROTECTED;
433
memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
434
aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
436
/* Copy-decrypt data and MIC */
437
ccmp_ctr_xor ( ctx, &nonce, eiob->data + hdrlen + sizeof ( *head ),
438
iob_put ( iob, datalen ), datalen,
439
eiob->tail - CCMP_MIC_LEN, their_mic );
442
ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad,
445
if ( memcmp ( their_mic, our_mic, CCMP_MIC_LEN ) != 0 ) {
446
DBGC2 ( ctx, "WPA-CCMP %p: MIC failure\n", ctx );
451
DBGC2 ( ctx, "WPA-CCMP %p: decrypted packet %p -> %p\n", ctx,
458
/** CCMP cryptosystem */
459
struct net80211_crypto ccmp_crypto __net80211_crypto = {
460
.algorithm = NET80211_CRYPT_CCMP,
462
.encrypt = ccmp_encrypt,
463
.decrypt = ccmp_decrypt,
464
.priv_len = sizeof ( struct ccmp_ctx ),
471
* Calculate HMAC-SHA1 MIC for EAPOL-Key frame
473
* @v kck Key Confirmation Key, 16 bytes
474
* @v msg Message to calculate MIC over
475
* @v len Number of bytes to calculate MIC over
476
* @ret mic Calculated MIC, 16 bytes long
478
static void ccmp_kie_mic ( const void *kck, const void *msg, size_t len,
481
u8 sha1_ctx[SHA1_CTX_SIZE];
483
u8 hash[SHA1_DIGEST_SIZE];
486
memcpy ( kckb, kck, kck_len );
488
hmac_init ( &sha1_algorithm, sha1_ctx, kckb, &kck_len );
489
hmac_update ( &sha1_algorithm, sha1_ctx, msg, len );
490
hmac_final ( &sha1_algorithm, sha1_ctx, kckb, &kck_len, hash );
492
memcpy ( mic, hash, 16 );
496
* Decrypt key data in EAPOL-Key frame
498
* @v kek Key Encryption Key, 16 bytes
499
* @v iv Initialisation vector, 16 bytes (unused)
500
* @v msg Message to decrypt
501
* @v len Length of message
502
* @ret msg Decrypted message in place of original
503
* @ret len Adjusted downward for 8 bytes of overhead
504
* @ret rc Return status code
506
* The returned message may still contain padding of 0xDD followed by
507
* zero or more 0x00 octets. It is impossible to remove the padding
508
* without parsing the IEs in the packet (another design decision that
509
* tends to make one question the 802.11i committee's intelligence...)
511
static int ccmp_kie_decrypt ( const void *kek, const void *iv __unused,
512
void *msg, u16 *len )
517
if ( aes_unwrap ( kek, msg, msg, *len / 8 - 1 ) != 0 )
525
/** CCMP-style key integrity and encryption handler */
526
struct wpa_kie ccmp_kie __wpa_kie = {
527
.version = EAPOL_KEY_VERSION_WPA2,
529
.decrypt = ccmp_kie_decrypt,