+1

net/mac80211/Makefile

reviewed

··· 19 19 aes_gcm.o \ 20 20 aes_cmac.o \ 21 21 aes_gmac.o \ 22 22 + fils_aead.o \ 22 23 cfg.o \ 23 24 ethtool.o \ 24 25 rx.o \

+4 -4

net/mac80211/aes_cmac.c

reviewed

··· 23 23 #define AAD_LEN 20 24 24 25 25 26 26 - static void gf_mulx(u8 *pad) 26 26 + void gf_mulx(u8 *pad) 27 27 { 28 28 int i, carry; 29 29 ··· 35 35 pad[AES_BLOCK_SIZE - 1] ^= 0x87; 36 36 } 37 37 38 38 - static void aes_cmac_vector(struct crypto_cipher *tfm, size_t num_elem, 39 39 - const u8 *addr[], const size_t *len, u8 *mac, 40 40 - size_t mac_len) 38 38 + void aes_cmac_vector(struct crypto_cipher *tfm, size_t num_elem, 39 39 + const u8 *addr[], const size_t *len, u8 *mac, 40 40 + size_t mac_len) 41 41 { 42 42 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 43 43 const u8 *pos, *end;

+4

net/mac80211/aes_cmac.h

reviewed

··· 11 11 12 12 #include <linux/crypto.h> 13 13 14 14 + void gf_mulx(u8 *pad); 15 15 + void aes_cmac_vector(struct crypto_cipher *tfm, size_t num_elem, 16 16 + const u8 *addr[], const size_t *len, u8 *mac, 17 17 + size_t mac_len); 14 18 struct crypto_cipher *ieee80211_aes_cmac_key_setup(const u8 key[], 15 19 size_t key_len); 16 20 void ieee80211_aes_cmac(struct crypto_cipher *tfm, const u8 *aad,

+344

net/mac80211/fils_aead.c

reviewed

··· 1 1 + /* 2 2 + * FILS AEAD for (Re)Association Request/Response frames 3 3 + * Copyright 2016, Qualcomm Atheros, Inc. 4 4 + * 5 5 + * This program is free software; you can redistribute it and/or modify 6 6 + * it under the terms of the GNU General Public License version 2 as 7 7 + * published by the Free Software Foundation. 8 8 + */ 9 9 + 10 10 + #include <crypto/aes.h> 11 11 + #include <crypto/algapi.h> 12 12 + #include <crypto/skcipher.h> 13 13 + 14 14 + #include "ieee80211_i.h" 15 15 + #include "aes_cmac.h" 16 16 + #include "fils_aead.h" 17 17 + 18 18 + static int aes_s2v(struct crypto_cipher *tfm, 19 19 + size_t num_elem, const u8 *addr[], size_t len[], u8 *v) 20 20 + { 21 21 + u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE]; 22 22 + size_t i; 23 23 + const u8 *data[2]; 24 24 + size_t data_len[2], data_elems; 25 25 + 26 26 + /* D = AES-CMAC(K, <zero>) */ 27 27 + memset(tmp, 0, AES_BLOCK_SIZE); 28 28 + data[0] = tmp; 29 29 + data_len[0] = AES_BLOCK_SIZE; 30 30 + aes_cmac_vector(tfm, 1, data, data_len, d, AES_BLOCK_SIZE); 31 31 + 32 32 + for (i = 0; i < num_elem - 1; i++) { 33 33 + /* D = dbl(D) xor AES_CMAC(K, Si) */ 34 34 + gf_mulx(d); /* dbl */ 35 35 + aes_cmac_vector(tfm, 1, &addr[i], &len[i], tmp, 36 36 + AES_BLOCK_SIZE); 37 37 + crypto_xor(d, tmp, AES_BLOCK_SIZE); 38 38 + } 39 39 + 40 40 + if (len[i] >= AES_BLOCK_SIZE) { 41 41 + /* len(Sn) >= 128 */ 42 42 + size_t j; 43 43 + const u8 *pos; 44 44 + 45 45 + /* T = Sn xorend D */ 46 46 + 47 47 + /* Use a temporary buffer to perform xorend on Sn (addr[i]) to 48 48 + * avoid modifying the const input argument. 49 49 + */ 50 50 + data[0] = addr[i]; 51 51 + data_len[0] = len[i] - AES_BLOCK_SIZE; 52 52 + pos = addr[i] + data_len[0]; 53 53 + for (j = 0; j < AES_BLOCK_SIZE; j++) 54 54 + tmp[j] = pos[j] ^ d[j]; 55 55 + data[1] = tmp; 56 56 + data_len[1] = AES_BLOCK_SIZE; 57 57 + data_elems = 2; 58 58 + } else { 59 59 + /* len(Sn) < 128 */ 60 60 + /* T = dbl(D) xor pad(Sn) */ 61 61 + gf_mulx(d); /* dbl */ 62 62 + memset(tmp, 0, AES_BLOCK_SIZE); 63 63 + memcpy(tmp, addr[i], len[i]); 64 64 + tmp[len[i]] = 0x80; 65 65 + crypto_xor(d, tmp, AES_BLOCK_SIZE); 66 66 + data[0] = d; 67 67 + data_len[0] = sizeof(d); 68 68 + data_elems = 1; 69 69 + } 70 70 + /* V = AES-CMAC(K, T) */ 71 71 + aes_cmac_vector(tfm, data_elems, data, data_len, v, AES_BLOCK_SIZE); 72 72 + 73 73 + return 0; 74 74 + } 75 75 + 76 76 + /* Note: addr[] and len[] needs to have one extra slot at the end. */ 77 77 + static int aes_siv_encrypt(const u8 *key, size_t key_len, 78 78 + const u8 *plain, size_t plain_len, 79 79 + size_t num_elem, const u8 *addr[], 80 80 + size_t len[], u8 *out) 81 81 + { 82 82 + u8 v[AES_BLOCK_SIZE]; 83 83 + struct crypto_cipher *tfm; 84 84 + struct crypto_skcipher *tfm2; 85 85 + struct skcipher_request *req; 86 86 + int res; 87 87 + struct scatterlist src[1], dst[1]; 88 88 + u8 *tmp; 89 89 + 90 90 + key_len /= 2; /* S2V key || CTR key */ 91 91 + 92 92 + addr[num_elem] = plain; 93 93 + len[num_elem] = plain_len; 94 94 + num_elem++; 95 95 + 96 96 + /* S2V */ 97 97 + 98 98 + tfm = crypto_alloc_cipher("aes", 0, 0); 99 99 + if (IS_ERR(tfm)) 100 100 + return PTR_ERR(tfm); 101 101 + /* K1 for S2V */ 102 102 + res = crypto_cipher_setkey(tfm, key, key_len); 103 103 + if (!res) 104 104 + res = aes_s2v(tfm, num_elem, addr, len, v); 105 105 + crypto_free_cipher(tfm); 106 106 + if (res) 107 107 + return res; 108 108 + 109 109 + /* Use a temporary buffer of the plaintext to handle need for 110 110 + * overwriting this during AES-CTR. 111 111 + */ 112 112 + tmp = kmemdup(plain, plain_len, GFP_KERNEL); 113 113 + if (!tmp) { 114 114 + res = -ENOMEM; 115 115 + goto fail; 116 116 + } 117 117 + 118 118 + /* IV for CTR before encrypted data */ 119 119 + memcpy(out, v, AES_BLOCK_SIZE); 120 120 + 121 121 + /* Synthetic IV to be used as the initial counter in CTR: 122 122 + * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) 123 123 + */ 124 124 + v[8] &= 0x7f; 125 125 + v[12] &= 0x7f; 126 126 + 127 127 + /* CTR */ 128 128 + 129 129 + tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, 0); 130 130 + if (IS_ERR(tfm2)) { 131 131 + kfree(tmp); 132 132 + return PTR_ERR(tfm2); 133 133 + } 134 134 + /* K2 for CTR */ 135 135 + res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); 136 136 + if (res) 137 137 + goto fail; 138 138 + 139 139 + req = skcipher_request_alloc(tfm2, GFP_KERNEL); 140 140 + if (!req) { 141 141 + res = -ENOMEM; 142 142 + goto fail; 143 143 + } 144 144 + 145 145 + sg_init_one(src, tmp, plain_len); 146 146 + sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len); 147 147 + skcipher_request_set_crypt(req, src, dst, plain_len, v); 148 148 + res = crypto_skcipher_encrypt(req); 149 149 + skcipher_request_free(req); 150 150 + fail: 151 151 + kfree(tmp); 152 152 + crypto_free_skcipher(tfm2); 153 153 + return res; 154 154 + } 155 155 + 156 156 + /* Note: addr[] and len[] needs to have one extra slot at the end. */ 157 157 + static int aes_siv_decrypt(const u8 *key, size_t key_len, 158 158 + const u8 *iv_crypt, size_t iv_c_len, 159 159 + size_t num_elem, const u8 *addr[], size_t len[], 160 160 + u8 *out) 161 161 + { 162 162 + struct crypto_cipher *tfm; 163 163 + struct crypto_skcipher *tfm2; 164 164 + struct skcipher_request *req; 165 165 + struct scatterlist src[1], dst[1]; 166 166 + size_t crypt_len; 167 167 + int res; 168 168 + u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE]; 169 169 + u8 check[AES_BLOCK_SIZE]; 170 170 + 171 171 + crypt_len = iv_c_len - AES_BLOCK_SIZE; 172 172 + key_len /= 2; /* S2V key || CTR key */ 173 173 + addr[num_elem] = out; 174 174 + len[num_elem] = crypt_len; 175 175 + num_elem++; 176 176 + 177 177 + memcpy(iv, iv_crypt, AES_BLOCK_SIZE); 178 178 + memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE); 179 179 + 180 180 + /* Synthetic IV to be used as the initial counter in CTR: 181 181 + * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31) 182 182 + */ 183 183 + iv[8] &= 0x7f; 184 184 + iv[12] &= 0x7f; 185 185 + 186 186 + /* CTR */ 187 187 + 188 188 + tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, 0); 189 189 + if (IS_ERR(tfm2)) 190 190 + return PTR_ERR(tfm2); 191 191 + /* K2 for CTR */ 192 192 + res = crypto_skcipher_setkey(tfm2, key + key_len, key_len); 193 193 + if (res) { 194 194 + crypto_free_skcipher(tfm2); 195 195 + return res; 196 196 + } 197 197 + 198 198 + req = skcipher_request_alloc(tfm2, GFP_KERNEL); 199 199 + if (!req) { 200 200 + crypto_free_skcipher(tfm2); 201 201 + return -ENOMEM; 202 202 + } 203 203 + 204 204 + sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len); 205 205 + sg_init_one(dst, out, crypt_len); 206 206 + skcipher_request_set_crypt(req, src, dst, crypt_len, iv); 207 207 + res = crypto_skcipher_decrypt(req); 208 208 + skcipher_request_free(req); 209 209 + crypto_free_skcipher(tfm2); 210 210 + if (res) 211 211 + return res; 212 212 + 213 213 + /* S2V */ 214 214 + 215 215 + tfm = crypto_alloc_cipher("aes", 0, 0); 216 216 + if (IS_ERR(tfm)) 217 217 + return PTR_ERR(tfm); 218 218 + /* K1 for S2V */ 219 219 + res = crypto_cipher_setkey(tfm, key, key_len); 220 220 + if (!res) 221 221 + res = aes_s2v(tfm, num_elem, addr, len, check); 222 222 + crypto_free_cipher(tfm); 223 223 + if (res) 224 224 + return res; 225 225 + if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0) 226 226 + return -EINVAL; 227 227 + return 0; 228 228 + } 229 229 + 230 230 + int fils_encrypt_assoc_req(struct sk_buff *skb, 231 231 + struct ieee80211_mgd_assoc_data *assoc_data) 232 232 + { 233 233 + struct ieee80211_mgmt *mgmt = (void *)skb->data; 234 234 + u8 *capab, *ies, *encr; 235 235 + const u8 *addr[5 + 1], *session; 236 236 + size_t len[5 + 1]; 237 237 + size_t crypt_len; 238 238 + 239 239 + if (ieee80211_is_reassoc_req(mgmt->frame_control)) { 240 240 + capab = (u8 *)&mgmt->u.reassoc_req.capab_info; 241 241 + ies = mgmt->u.reassoc_req.variable; 242 242 + } else { 243 243 + capab = (u8 *)&mgmt->u.assoc_req.capab_info; 244 244 + ies = mgmt->u.assoc_req.variable; 245 245 + } 246 246 + 247 247 + session = cfg80211_find_ext_ie(WLAN_EID_EXT_FILS_SESSION, 248 248 + ies, skb->data + skb->len - ies); 249 249 + if (!session || session[1] != 1 + 8) 250 250 + return -EINVAL; 251 251 + /* encrypt after FILS Session element */ 252 252 + encr = (u8 *)session + 2 + 1 + 8; 253 253 + 254 254 + /* AES-SIV AAD vectors */ 255 255 + 256 256 + /* The STA's MAC address */ 257 257 + addr[0] = mgmt->sa; 258 258 + len[0] = ETH_ALEN; 259 259 + /* The AP's BSSID */ 260 260 + addr[1] = mgmt->da; 261 261 + len[1] = ETH_ALEN; 262 262 + /* The STA's nonce */ 263 263 + addr[2] = assoc_data->fils_nonces; 264 264 + len[2] = FILS_NONCE_LEN; 265 265 + /* The AP's nonce */ 266 266 + addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; 267 267 + len[3] = FILS_NONCE_LEN; 268 268 + /* The (Re)Association Request frame from the Capability Information 269 269 + * field to the FILS Session element (both inclusive). 270 270 + */ 271 271 + addr[4] = capab; 272 272 + len[4] = encr - capab; 273 273 + 274 274 + crypt_len = skb->data + skb->len - encr; 275 275 + skb_put(skb, AES_BLOCK_SIZE); 276 276 + return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, 277 277 + encr, crypt_len, 1, addr, len, encr); 278 278 + } 279 279 + 280 280 + int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, 281 281 + u8 *frame, size_t *frame_len, 282 282 + struct ieee80211_mgd_assoc_data *assoc_data) 283 283 + { 284 284 + struct ieee80211_mgmt *mgmt = (void *)frame; 285 285 + u8 *capab, *ies, *encr; 286 286 + const u8 *addr[5 + 1], *session; 287 287 + size_t len[5 + 1]; 288 288 + int res; 289 289 + size_t crypt_len; 290 290 + 291 291 + if (*frame_len < 24 + 6) 292 292 + return -EINVAL; 293 293 + 294 294 + capab = (u8 *)&mgmt->u.assoc_resp.capab_info; 295 295 + ies = mgmt->u.assoc_resp.variable; 296 296 + session = cfg80211_find_ext_ie(WLAN_EID_EXT_FILS_SESSION, 297 297 + ies, frame + *frame_len - ies); 298 298 + if (!session || session[1] != 1 + 8) { 299 299 + mlme_dbg(sdata, 300 300 + "No (valid) FILS Session element in (Re)Association Response frame from %pM", 301 301 + mgmt->sa); 302 302 + return -EINVAL; 303 303 + } 304 304 + /* decrypt after FILS Session element */ 305 305 + encr = (u8 *)session + 2 + 1 + 8; 306 306 + 307 307 + /* AES-SIV AAD vectors */ 308 308 + 309 309 + /* The AP's BSSID */ 310 310 + addr[0] = mgmt->sa; 311 311 + len[0] = ETH_ALEN; 312 312 + /* The STA's MAC address */ 313 313 + addr[1] = mgmt->da; 314 314 + len[1] = ETH_ALEN; 315 315 + /* The AP's nonce */ 316 316 + addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN]; 317 317 + len[2] = FILS_NONCE_LEN; 318 318 + /* The STA's nonce */ 319 319 + addr[3] = assoc_data->fils_nonces; 320 320 + len[3] = FILS_NONCE_LEN; 321 321 + /* The (Re)Association Response frame from the Capability Information 322 322 + * field to the FILS Session element (both inclusive). 323 323 + */ 324 324 + addr[4] = capab; 325 325 + len[4] = encr - capab; 326 326 + 327 327 + crypt_len = frame + *frame_len - encr; 328 328 + if (crypt_len < AES_BLOCK_SIZE) { 329 329 + mlme_dbg(sdata, 330 330 + "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM", 331 331 + mgmt->sa); 332 332 + return -EINVAL; 333 333 + } 334 334 + res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len, 335 335 + encr, crypt_len, 5, addr, len, encr); 336 336 + if (res != 0) { 337 337 + mlme_dbg(sdata, 338 338 + "AES-SIV decryption of (Re)Association Response frame from %pM failed", 339 339 + mgmt->sa); 340 340 + return res; 341 341 + } 342 342 + *frame_len -= AES_BLOCK_SIZE; 343 343 + return 0; 344 344 + }

+19

net/mac80211/fils_aead.h

reviewed

··· 1 1 + /* 2 2 + * FILS AEAD for (Re)Association Request/Response frames 3 3 + * Copyright 2016, Qualcomm Atheros, Inc. 4 4 + * 5 5 + * This program is free software; you can redistribute it and/or modify 6 6 + * it under the terms of the GNU General Public License version 2 as 7 7 + * published by the Free Software Foundation. 8 8 + */ 9 9 + 10 10 + #ifndef FILS_AEAD_H 11 11 + #define FILS_AEAD_H 12 12 + 13 13 + int fils_encrypt_assoc_req(struct sk_buff *skb, 14 14 + struct ieee80211_mgd_assoc_data *assoc_data); 15 15 + int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata, 16 16 + u8 *frame, size_t *frame_len, 17 17 + struct ieee80211_mgd_assoc_data *assoc_data); 18 18 + 19 19 + #endif /* FILS_AEAD_H */

+4

net/mac80211/ieee80211_i.h

reviewed

··· 401 401 402 402 struct ieee80211_vht_cap ap_vht_cap; 403 403 404 404 + u8 fils_nonces[2 * FILS_NONCE_LEN]; 405 405 + u8 fils_kek[FILS_MAX_KEK_LEN]; 406 406 + size_t fils_kek_len; 407 407 + 404 408 size_t ie_len; 405 409 u8 ie[]; 406 410 };

+27

net/mac80211/mlme.c

reviewed

··· 30 30 #include "driver-ops.h" 31 31 #include "rate.h" 32 32 #include "led.h" 33 33 + #include "fils_aead.h" 33 34 34 35 #define IEEE80211_AUTH_TIMEOUT (HZ / 5) 35 36 #define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2) ··· 653 652 2 + sizeof(struct ieee80211_ht_cap) + /* HT */ 654 653 2 + sizeof(struct ieee80211_vht_cap) + /* VHT */ 655 654 assoc_data->ie_len + /* extra IEs */ 655 655 + (assoc_data->fils_kek_len ? 16 /* AES-SIV */ : 0) + 656 656 9, /* WMM */ 657 657 GFP_KERNEL); 658 658 if (!skb) ··· 875 873 noffset = assoc_data->ie_len; 876 874 pos = skb_put(skb, noffset - offset); 877 875 memcpy(pos, assoc_data->ie + offset, noffset - offset); 876 876 + } 877 877 + 878 878 + if (assoc_data->fils_kek_len && 879 879 + fils_encrypt_assoc_req(skb, assoc_data) < 0) { 880 880 + dev_kfree_skb(skb); 881 881 + return; 878 882 } 879 883 880 884 drv_mgd_prepare_tx(local, sdata); ··· 3154 3146 reassoc ? "Rea" : "A", mgmt->sa, 3155 3147 capab_info, status_code, (u16)(aid & ~(BIT(15) | BIT(14)))); 3156 3148 3149 3149 + if (assoc_data->fils_kek_len && 3150 3150 + fils_decrypt_assoc_resp(sdata, (u8 *)mgmt, &len, assoc_data) < 0) 3151 3151 + return; 3152 3152 + 3157 3153 pos = mgmt->u.assoc_resp.variable; 3158 3154 ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), false, &elems); 3159 3155 ··· 4718 4706 memcpy(assoc_data->ie, req->ie, req->ie_len); 4719 4707 assoc_data->ie_len = req->ie_len; 4720 4708 } 4709 4709 + 4710 4710 + if (req->fils_kek) { 4711 4711 + /* should already be checked in cfg80211 - so warn */ 4712 4712 + if (WARN_ON(req->fils_kek_len > FILS_MAX_KEK_LEN)) { 4713 4713 + err = -EINVAL; 4714 4714 + goto err_free; 4715 4715 + } 4716 4716 + memcpy(assoc_data->fils_kek, req->fils_kek, 4717 4717 + req->fils_kek_len); 4718 4718 + assoc_data->fils_kek_len = req->fils_kek_len; 4719 4719 + } 4720 4720 + 4721 4721 + if (req->fils_nonces) 4722 4722 + memcpy(assoc_data->fils_nonces, req->fils_nonces, 4723 4723 + 2 * FILS_NONCE_LEN); 4721 4724 4722 4725 assoc_data->bss = req->bss; 4723 4726