Context Navigation

source: bootcd/isolinux/syslinux-6.03/gpxe/src/net/80211/wpa_ccmp.c

Last change on this file was e16e8f2, checked in by Edwin Eefting <edwin@datux.nl>, 3 years ago
bootstuff
Property mode set to `100644`
File size: 13.2 KB

Line
1	/*
2	* Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3	*
4	* This program is free software; you can redistribute it and/or
5	* modify it under the terms of the GNU General Public License as
6	* published by the Free Software Foundation; either version 2 of the
7	* License, or any later version.
8	*
9	* This program is distributed in the hope that it will be useful, but
10	* WITHOUT ANY WARRANTY; without even the implied warranty of
11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12	* General Public License for more details.
13	*
14	* You should have received a copy of the GNU General Public License
15	* along with this program; if not, write to the Free Software
16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17	*/
18
19	FILE_LICENCE ( GPL2_OR_LATER );
20
21	#include <gpxe/net80211.h>
22	#include <gpxe/crypto.h>
23	#include <gpxe/hmac.h>
24	#include <gpxe/sha1.h>
25	#include <gpxe/aes.h>
26	#include <gpxe/wpa.h>
27	#include <byteswap.h>
28	#include <errno.h>
29
30	/** @file
31	*
32	* Backend for WPA using the CCMP encryption method
33	*/
34
35	/** Context for CCMP encryption and decryption */
36	struct ccmp_ctx
37	{
38	/** AES context - only ever used for encryption */
39	u8 aes_ctx[AES_CTX_SIZE];
40
41	/** Most recently sent packet number */
42	u64 tx_seq;
43
44	/** Most recently received packet number */
45	u64 rx_seq;
46	};
47
48	/** Header structure at the beginning of CCMP frame data */
49	struct ccmp_head
50	{
51	u8 pn_lo[2]; /*< Bytes 0 and 1 of packet number /
52	u8 _rsvd; /*< Reserved byte /
53	u8 kid; /*< Key ID and ExtIV byte /
54	u8 pn_hi[4]; /*< Bytes 2-5 (2 first) of packet number /
55	} __attribute__ (( packed ));
56
57
58	/** CCMP header overhead */
59	#define CCMP_HEAD_LEN 8
60
61	/** CCMP MIC trailer overhead */
62	#define CCMP_MIC_LEN 8
63
64	/** CCMP nonce length */
65	#define CCMP_NONCE_LEN 13
66
67	/** CCMP nonce structure */
68	struct ccmp_nonce
69	{
70	u8 prio; /*< Packet priority, 0 for non-QoS /
71	u8 a2[ETH_ALEN]; /*< Address 2 from packet header (sender) /
72	u8 pn[6]; /*< Packet number /
73	} __attribute__ (( packed ));
74
75	/** CCMP additional authentication data length (for non-QoS, non-WDS frames) */
76	#define CCMP_AAD_LEN 22
77
78	/** CCMP additional authentication data structure */
79	struct ccmp_aad
80	{
81	u16 fc; /*< Frame Control field /
82	u8 a1[6]; /*< Address 1 /
83	u8 a2[6]; /*< Address 2 /
84	u8 a3[6]; /*< Address 3 /
85	u16 seq; /*< Sequence Control field /
86	/* Address 4 and QoS Control are included if present */
87	} __attribute__ (( packed ));
88
89	/** Mask for Frame Control field in AAD */
90	#define CCMP_AAD_FC_MASK 0xC38F
91
92	/** Mask for Sequence Control field in AAD */
93	#define CCMP_AAD_SEQ_MASK 0x000F
94
95
96	/**
97	* Convert 6-byte LSB packet number to 64-bit integer
98	*
99	* @v pn Pointer to 6-byte packet number
100	* @ret v 64-bit integer value of @a pn
101	*/
102	static u64 pn_to_u64 ( const u8 *pn )
103	{
104	int i;
105	u64 ret = 0;
106
107	for ( i = 5; i >= 0; i-- ) {
108	ret <<= 8;
109	ret \|= pn[i];
110	}
111
112	return ret;
113	}
114
115	/**
116	* Convert 64-bit integer to 6-byte packet number
117	*
118	* @v v 64-bit integer
119	* @v msb If TRUE, reverse the output PN to be in MSB order
120	* @ret pn 6-byte packet number
121	*
122	* The PN is stored in LSB order in the packet header and in MSB order
123	* in the nonce. WHYYYYY?
124	*/
125	static void u64_to_pn ( u64 v, u8 *pn, int msb )
126	{
127	int i;
128	u8 *pnp = pn + ( msb ? 5 : 0 );
129	int delta = ( msb ? -1 : +1 );
130
131	for ( i = 0; i < 6; i++ ) {
132	*pnp = v & 0xFF;
133	pnp += delta;
134	v >>= 8;
135	}
136	}
137
138	/** Value for @a msb argument of u64_to_pn() for MSB output */
139	#define PN_MSB 1
140
141	/** Value for @a msb argument of u64_to_pn() for LSB output */
142	#define PN_LSB 0
143
144
145
146	/**
147	* Initialise CCMP state and install key
148	*
149	* @v crypto CCMP cryptosystem structure
150	* @v key Pointer to 16-byte temporal key to install
151	* @v keylen Length of key (16 bytes)
152	* @v rsc Initial receive sequence counter
153	*/
154	static int ccmp_init ( struct net80211_crypto crypto, const void key,
155	int keylen, const void *rsc )
156	{
157	struct ccmp_ctx *ctx = crypto->priv;
158
159	if ( keylen != 16 )
160	return -EINVAL;
161
162	if ( rsc )
163	ctx->rx_seq = pn_to_u64 ( rsc );
164
165	cipher_setkey ( &aes_algorithm, ctx->aes_ctx, key, keylen );
166
167	return 0;
168	}
169
170
171	/**
172	* Encrypt or decrypt data stream using AES in Counter mode
173	*
174	* @v ctx CCMP cryptosystem context
175	* @v nonce Nonce value, 13 bytes
176	* @v srcv Data to encrypt or decrypt
177	* @v len Number of bytes pointed to by @a src
178	* @v msrcv MIC value to encrypt or decrypt (may be NULL)
179	* @ret destv Encrypted or decrypted data
180	* @ret mdestv Encrypted or decrypted MIC value
181	*
182	* This assumes CCMP parameters of L=2 and M=8. The algorithm is
183	* defined in RFC 3610.
184	*/
185	static void ccmp_ctr_xor ( struct ccmp_ctx ctx, const void nonce,
186	const void srcv, void destv, int len,
187	const void msrcv, void mdestv )
188	{
189	u8 A[16], S[16];
190	u16 ctr;
191	int i;
192	const u8 src = srcv, msrc = msrcv;
193	u8 dest = destv, mdest = mdestv;
194
195	A[0] = 0x01; /* flags, L' = L - 1 = 1, other bits rsvd */
196	memcpy ( A + 1, nonce, CCMP_NONCE_LEN );
197
198	if ( msrcv ) {
199	A[14] = A[15] = 0;
200
201	cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
202
203	for ( i = 0; i < 8; i++ ) {
204	mdest++ = msrc++ ^ S[i];
205	}
206	}
207
208	for ( ctr = 1 ;; ctr++ ) {
209	A[14] = ctr >> 8;
210	A[15] = ctr & 0xFF;
211
212	cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, A, S, 16 );
213
214	for ( i = 0; i < len && i < 16; i++ )
215	dest++ = src++ ^ S[i];
216
217	if ( len <= 16 )
218	break; /* we're done */
219
220	len -= 16;
221	}
222	}
223
224
225	/**
226	* Advance one block in CBC-MAC calculation
227	*
228	* @v aes_ctx AES encryption context with key set
229	* @v B Cleartext block to incorporate (16 bytes)
230	* @v X Previous ciphertext block (16 bytes)
231	* @ret B Clobbered
232	* @ret X New ciphertext block (16 bytes)
233	*
234	* This function does X := E[key] ( X ^ B ).
235	*/
236	static void ccmp_feed_cbc_mac ( void aes_ctx, u8 B, u8 *X )
237	{
238	int i;
239	for ( i = 0; i < 16; i++ )
240	B[i] ^= X[i];
241	cipher_encrypt ( &aes_algorithm, aes_ctx, B, X, 16 );
242	}
243
244
245	/**
246	* Calculate MIC on plaintext data using CBC-MAC
247	*
248	* @v ctx CCMP cryptosystem context
249	* @v nonce Nonce value, 13 bytes
250	* @v data Data to calculate MIC over
251	* @v datalen Length of @a data
252	* @v aad Additional authentication data, for MIC but not encryption
253	* @ret mic MIC value (unencrypted), 8 bytes
254	*
255	* @a aadlen is assumed to be 22 bytes long, as it always is for
256	* 802.11 use when transmitting non-QoS, not-between-APs frames (the
257	* only type we deal with).
258	*/
259	static void ccmp_cbc_mac ( struct ccmp_ctx ctx, const void nonce,
260	const void *data, u16 datalen,
261	const void aad, void mic )
262	{
263	u8 X[16], B[16];
264
265	/* Zeroth block: flags, nonce, length */
266
267	/* Rsv AAD - M'- - L'-
268	* 0 1 0 1 1 0 0 1 for an 8-byte MAC and 2-byte message length
269	*/
270	B[0] = 0x59;
271	memcpy ( B + 1, nonce, CCMP_NONCE_LEN );
272	B[14] = datalen >> 8;
273	B[15] = datalen & 0xFF;
274
275	cipher_encrypt ( &aes_algorithm, ctx->aes_ctx, B, X, 16 );
276
277	/* First block: AAD length field and 14 bytes of AAD */
278	B[0] = 0;
279	B[1] = CCMP_AAD_LEN;
280	memcpy ( B + 2, aad, 14 );
281
282	ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
283
284	/* Second block: Remaining 8 bytes of AAD, 8 bytes zero pad */
285	memcpy ( B, aad + 14, 8 );
286	memset ( B + 8, 0, 8 );
287
288	ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
289
290	/* Message blocks */
291	while ( datalen ) {
292	if ( datalen >= 16 ) {
293	memcpy ( B, data, 16 );
294	datalen -= 16;
295	} else {
296	memcpy ( B, data, datalen );
297	memset ( B + datalen, 0, 16 - datalen );
298	datalen = 0;
299	}
300
301	ccmp_feed_cbc_mac ( ctx->aes_ctx, B, X );
302
303	data += 16;
304	}
305
306	/* Get MIC from final value of X */
307	memcpy ( mic, X, 8 );
308	}
309
310
311	/**
312	* Encapsulate and encrypt a packet using CCMP
313	*
314	* @v crypto CCMP cryptosystem
315	* @v iob I/O buffer containing cleartext packet
316	* @ret eiob I/O buffer containing encrypted packet
317	*/
318	struct io_buffer * ccmp_encrypt ( struct net80211_crypto *crypto,
319	struct io_buffer *iob )
320	{
321	struct ccmp_ctx *ctx = crypto->priv;
322	struct ieee80211_frame *hdr = iob->data;
323	struct io_buffer *eiob;
324	const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
325	int datalen = iob_len ( iob ) - hdrlen;
326	struct ccmp_head head;
327	struct ccmp_nonce nonce;
328	struct ccmp_aad aad;
329	u8 mic[8], tx_pn[6];
330	void edata, emic;
331
332	ctx->tx_seq++;
333	u64_to_pn ( ctx->tx_seq, tx_pn, PN_LSB );
334
335	/* Allocate memory */
336	eiob = alloc_iob ( iob_len ( iob ) + CCMP_HEAD_LEN + CCMP_MIC_LEN );
337	if ( ! eiob )
338	return NULL;
339
340	/* Copy frame header */
341	memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
342	hdr = eiob->data;
343	hdr->fc \|= IEEE80211_FC_PROTECTED;
344
345	/* Fill in packet number and extended IV */
346	memcpy ( head.pn_lo, tx_pn, 2 );
347	memcpy ( head.pn_hi, tx_pn + 2, 4 );
348	head.kid = 0x20; /* have Extended IV, key ID 0 */
349	head._rsvd = 0;
350	memcpy ( iob_put ( eiob, sizeof ( head ) ), &head, sizeof ( head ) );
351
352	/* Form nonce */
353	nonce.prio = 0;
354	memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
355	u64_to_pn ( ctx->tx_seq, nonce.pn, PN_MSB );
356
357	/* Form additional authentication data */
358	aad.fc = hdr->fc & CCMP_AAD_FC_MASK;
359	memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
360	aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
361
362	/* Calculate MIC over the data */
363	ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad, mic );
364
365	/* Copy and encrypt data and MIC */
366	edata = iob_put ( eiob, datalen );
367	emic = iob_put ( eiob, CCMP_MIC_LEN );
368	ccmp_ctr_xor ( ctx, &nonce,
369	iob->data + hdrlen, edata, datalen,
370	mic, emic );
371
372	/* Done! */
373	DBGC2 ( ctx, "WPA-CCMP %p: encrypted packet %p -> %p\n", ctx,
374	iob, eiob );
375
376	return eiob;
377	}
378
379	/**
380	* Decrypt a packet using CCMP
381	*
382	* @v crypto CCMP cryptosystem
383	* @v eiob I/O buffer containing encrypted packet
384	* @ret iob I/O buffer containing cleartext packet
385	*/
386	static struct io_buffer * ccmp_decrypt ( struct net80211_crypto *crypto,
387	struct io_buffer *eiob )
388	{
389	struct ccmp_ctx *ctx = crypto->priv;
390	struct ieee80211_frame *hdr;
391	struct io_buffer *iob;
392	const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
393	int datalen = iob_len ( eiob ) - hdrlen - CCMP_HEAD_LEN - CCMP_MIC_LEN;
394	struct ccmp_head *head;
395	struct ccmp_nonce nonce;
396	struct ccmp_aad aad;
397	u8 rx_pn[6], their_mic[8], our_mic[8];
398
399	iob = alloc_iob ( hdrlen + datalen );
400	if ( ! iob )
401	return NULL;
402
403	/* Copy frame header */
404	memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
405	hdr = iob->data;
406	hdr->fc &= ~IEEE80211_FC_PROTECTED;
407
408	/* Check and update RX packet number */
409	head = eiob->data + hdrlen;
410	memcpy ( rx_pn, head->pn_lo, 2 );
411	memcpy ( rx_pn + 2, head->pn_hi, 4 );
412
413	if ( pn_to_u64 ( rx_pn ) <= ctx->rx_seq ) {
414	DBGC ( ctx, "WPA-CCMP %p: packet received out of order "
415	"(%012llx <= %012llx)\n", ctx, pn_to_u64 ( rx_pn ),
416	ctx->rx_seq );
417	free_iob ( iob );
418	return NULL;
419	}
420
421	ctx->rx_seq = pn_to_u64 ( rx_pn );
422	DBGC2 ( ctx, "WPA-CCMP %p: RX packet number %012llx\n", ctx, ctx->rx_seq );
423
424	/* Form nonce */
425	nonce.prio = 0;
426	memcpy ( nonce.a2, hdr->addr2, ETH_ALEN );
427	u64_to_pn ( ctx->rx_seq, nonce.pn, PN_MSB );
428
429	/* Form additional authentication data */
430	aad.fc = ( hdr->fc & CCMP_AAD_FC_MASK ) \| IEEE80211_FC_PROTECTED;
431	memcpy ( aad.a1, hdr->addr1, 3 * ETH_ALEN ); /* all 3 at once */
432	aad.seq = hdr->seq & CCMP_AAD_SEQ_MASK;
433
434	/* Copy-decrypt data and MIC */
435	ccmp_ctr_xor ( ctx, &nonce, eiob->data + hdrlen + sizeof ( *head ),
436	iob_put ( iob, datalen ), datalen,
437	eiob->tail - CCMP_MIC_LEN, their_mic );
438
439	/* Check MIC */
440	ccmp_cbc_mac ( ctx, &nonce, iob->data + hdrlen, datalen, &aad,
441	our_mic );
442
443	if ( memcmp ( their_mic, our_mic, CCMP_MIC_LEN ) != 0 ) {
444	DBGC2 ( ctx, "WPA-CCMP %p: MIC failure\n", ctx );
445	free_iob ( iob );
446	return NULL;
447	}
448
449	DBGC2 ( ctx, "WPA-CCMP %p: decrypted packet %p -> %p\n", ctx,
450	eiob, iob );
451
452	return iob;
453	}
454
455
456	/** CCMP cryptosystem */
457	struct net80211_crypto ccmp_crypto __net80211_crypto = {
458	.algorithm = NET80211_CRYPT_CCMP,
459	.init = ccmp_init,
460	.encrypt = ccmp_encrypt,
461	.decrypt = ccmp_decrypt,
462	.priv_len = sizeof ( struct ccmp_ctx ),
463	};
464
465
466
467
468	/**
469	* Calculate HMAC-SHA1 MIC for EAPOL-Key frame
470	*
471	* @v kck Key Confirmation Key, 16 bytes
472	* @v msg Message to calculate MIC over
473	* @v len Number of bytes to calculate MIC over
474	* @ret mic Calculated MIC, 16 bytes long
475	*/
476	static void ccmp_kie_mic ( const void kck, const void msg, size_t len,
477	void *mic )
478	{
479	u8 sha1_ctx[SHA1_CTX_SIZE];
480	u8 kckb[16];
481	u8 hash[SHA1_SIZE];
482	size_t kck_len = 16;
483
484	memcpy ( kckb, kck, kck_len );
485
486	hmac_init ( &sha1_algorithm, sha1_ctx, kckb, &kck_len );
487	hmac_update ( &sha1_algorithm, sha1_ctx, msg, len );
488	hmac_final ( &sha1_algorithm, sha1_ctx, kckb, &kck_len, hash );
489
490	memcpy ( mic, hash, 16 );
491	}
492
493	/**
494	* Decrypt key data in EAPOL-Key frame
495	*
496	* @v kek Key Encryption Key, 16 bytes
497	* @v iv Initialisation vector, 16 bytes (unused)
498	* @v msg Message to decrypt
499	* @v len Length of message
500	* @ret msg Decrypted message in place of original
501	* @ret len Adjusted downward for 8 bytes of overhead
502	* @ret rc Return status code
503	*
504	* The returned message may still contain padding of 0xDD followed by
505	* zero or more 0x00 octets. It is impossible to remove the padding
506	* without parsing the IEs in the packet (another design decision that
507	* tends to make one question the 802.11i committee's intelligence...)
508	*/
509	static int ccmp_kie_decrypt ( const void kek, const void iv __unused,
510	void msg, u16 len )
511	{
512	if ( *len % 8 != 0 )
513	return -EINVAL;
514
515	if ( aes_unwrap ( kek, msg, msg, *len / 8 - 1 ) != 0 )
516	return -EINVAL;
517
518	*len -= 8;
519
520	return 0;
521	}
522
523	/** CCMP-style key integrity and encryption handler */
524	struct wpa_kie ccmp_kie __wpa_kie = {
525	.version = EAPOL_KEY_VERSION_WPA2,
526	.mic = ccmp_kie_mic,
527	.decrypt = ccmp_kie_decrypt,
528	};

Note: See TracBrowser for help on using the repository browser.

Download in other formats: