crypto.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519
  1. /*
  2. * Ultra Wide Band
  3. * AES-128 CCM Encryption
  4. *
  5. * Copyright (C) 2007 Intel Corporation
  6. * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
  7. *
  8. * This program is free software; you can redistribute it and/or
  9. * modify it under the terms of the GNU General Public License version
  10. * 2 as published by the Free Software Foundation.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with this program; if not, write to the Free Software
  19. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  20. * 02110-1301, USA.
  21. *
  22. *
  23. * We don't do any encryption here; we use the Linux Kernel's AES-128
  24. * crypto modules to construct keys and payload blocks in a way
  25. * defined by WUSB1.0[6]. Check the erratas, as typos are are patched
  26. * there.
  27. *
  28. * Thanks a zillion to John Keys for his help and clarifications over
  29. * the designed-by-a-committee text.
  30. *
  31. * So the idea is that there is this basic Pseudo-Random-Function
  32. * defined in WUSB1.0[6.5] which is the core of everything. It works
  33. * by tweaking some blocks, AES crypting them and then xoring
  34. * something else with them (this seems to be called CBC(AES) -- can
  35. * you tell I know jack about crypto?). So we just funnel it into the
  36. * Linux Crypto API.
  37. *
  38. * We leave a crypto test module so we can verify that vectors match,
  39. * every now and then.
  40. *
  41. * Block size: 16 bytes -- AES seems to do things in 'block sizes'. I
  42. * am learning a lot...
  43. *
  44. * Conveniently, some data structures that need to be
  45. * funneled through AES are...16 bytes in size!
  46. */
  47. #include <linux/crypto.h>
  48. #include <linux/module.h>
  49. #include <linux/err.h>
  50. #include <linux/uwb.h>
  51. #include <linux/slab.h>
  52. #include <linux/usb/wusb.h>
  53. #include <linux/scatterlist.h>
  54. static int debug_crypto_verify = 0;
  55. module_param(debug_crypto_verify, int, 0);
  56. MODULE_PARM_DESC(debug_crypto_verify, "verify the key generation algorithms");
  57. static void wusb_key_dump(const void *buf, size_t len)
  58. {
  59. print_hex_dump(KERN_ERR, " ", DUMP_PREFIX_OFFSET, 16, 1,
  60. buf, len, 0);
  61. }
  62. /*
  63. * Block of data, as understood by AES-CCM
  64. *
  65. * The code assumes this structure is nothing but a 16 byte array
  66. * (packed in a struct to avoid common mess ups that I usually do with
  67. * arrays and enforcing type checking).
  68. */
  69. struct aes_ccm_block {
  70. u8 data[16];
  71. } __attribute__((packed));
  72. /*
  73. * Counter-mode Blocks (WUSB1.0[6.4])
  74. *
  75. * According to CCM (or so it seems), for the purpose of calculating
  76. * the MIC, the message is broken in N counter-mode blocks, B0, B1,
  77. * ... BN.
  78. *
  79. * B0 contains flags, the CCM nonce and l(m).
  80. *
  81. * B1 contains l(a), the MAC header, the encryption offset and padding.
  82. *
  83. * If EO is nonzero, additional blocks are built from payload bytes
  84. * until EO is exahusted (FIXME: padding to 16 bytes, I guess). The
  85. * padding is not xmitted.
  86. */
  87. /* WUSB1.0[T6.4] */
  88. struct aes_ccm_b0 {
  89. u8 flags; /* 0x59, per CCM spec */
  90. struct aes_ccm_nonce ccm_nonce;
  91. __be16 lm;
  92. } __attribute__((packed));
  93. /* WUSB1.0[T6.5] */
  94. struct aes_ccm_b1 {
  95. __be16 la;
  96. u8 mac_header[10];
  97. __le16 eo;
  98. u8 security_reserved; /* This is always zero */
  99. u8 padding; /* 0 */
  100. } __attribute__((packed));
  101. /*
  102. * Encryption Blocks (WUSB1.0[6.4.4])
  103. *
  104. * CCM uses Ax blocks to generate a keystream with which the MIC and
  105. * the message's payload are encoded. A0 always encrypts/decrypts the
  106. * MIC. Ax (x>0) are used for the successive payload blocks.
  107. *
  108. * The x is the counter, and is increased for each block.
  109. */
  110. struct aes_ccm_a {
  111. u8 flags; /* 0x01, per CCM spec */
  112. struct aes_ccm_nonce ccm_nonce;
  113. __be16 counter; /* Value of x */
  114. } __attribute__((packed));
  115. static void bytewise_xor(void *_bo, const void *_bi1, const void *_bi2,
  116. size_t size)
  117. {
  118. u8 *bo = _bo;
  119. const u8 *bi1 = _bi1, *bi2 = _bi2;
  120. size_t itr;
  121. for (itr = 0; itr < size; itr++)
  122. bo[itr] = bi1[itr] ^ bi2[itr];
  123. }
  124. /*
  125. * CC-MAC function WUSB1.0[6.5]
  126. *
  127. * Take a data string and produce the encrypted CBC Counter-mode MIC
  128. *
  129. * Note the names for most function arguments are made to (more or
  130. * less) match those used in the pseudo-function definition given in
  131. * WUSB1.0[6.5].
  132. *
  133. * @tfm_cbc: CBC(AES) blkcipher handle (initialized)
  134. *
  135. * @tfm_aes: AES cipher handle (initialized)
  136. *
  137. * @mic: buffer for placing the computed MIC (Message Integrity
  138. * Code). This is exactly 8 bytes, and we expect the buffer to
  139. * be at least eight bytes in length.
  140. *
  141. * @key: 128 bit symmetric key
  142. *
  143. * @n: CCM nonce
  144. *
  145. * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
  146. * we use exactly 14 bytes).
  147. *
  148. * @b: data stream to be processed; cannot be a global or const local
  149. * (will confuse the scatterlists)
  150. *
  151. * @blen: size of b...
  152. *
  153. * Still not very clear how this is done, but looks like this: we
  154. * create block B0 (as WUSB1.0[6.5] says), then we AES-crypt it with
  155. * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
  156. * take the payload and divide it in blocks (16 bytes), xor them with
  157. * the previous crypto result (16 bytes) and crypt it, repeat the next
  158. * block with the output of the previous one, rinse wash (I guess this
  159. * is what AES CBC mode means...but I truly have no idea). So we use
  160. * the CBC(AES) blkcipher, that does precisely that. The IV (Initial
  161. * Vector) is 16 bytes and is set to zero, so
  162. *
  163. * See rfc3610. Linux crypto has a CBC implementation, but the
  164. * documentation is scarce, to say the least, and the example code is
  165. * so intricated that is difficult to understand how things work. Most
  166. * of this is guess work -- bite me.
  167. *
  168. * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
  169. * using the 14 bytes of @a to fill up
  170. * b1.{mac_header,e0,security_reserved,padding}.
  171. *
  172. * NOTE: The definition of l(a) in WUSB1.0[6.5] vs the definition of
  173. * l(m) is orthogonal, they bear no relationship, so it is not
  174. * in conflict with the parameter's relation that
  175. * WUSB1.0[6.4.2]) defines.
  176. *
  177. * NOTE: WUSB1.0[A.1]: Host Nonce is missing a nibble? (1e); fixed in
  178. * first errata released on 2005/07.
  179. *
  180. * NOTE: we need to clean IV to zero at each invocation to make sure
  181. * we start with a fresh empty Initial Vector, so that the CBC
  182. * works ok.
  183. *
  184. * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
  185. * what sg[4] is for. Maybe there is a smarter way to do this.
  186. */
  187. static int wusb_ccm_mac(struct crypto_blkcipher *tfm_cbc,
  188. struct crypto_cipher *tfm_aes, void *mic,
  189. const struct aes_ccm_nonce *n,
  190. const struct aes_ccm_label *a, const void *b,
  191. size_t blen)
  192. {
  193. int result = 0;
  194. struct blkcipher_desc desc;
  195. struct aes_ccm_b0 b0;
  196. struct aes_ccm_b1 b1;
  197. struct aes_ccm_a ax;
  198. struct scatterlist sg[4], sg_dst;
  199. void *iv, *dst_buf;
  200. size_t ivsize, dst_size;
  201. const u8 bzero[16] = { 0 };
  202. size_t zero_padding;
  203. /*
  204. * These checks should be compile time optimized out
  205. * ensure @a fills b1's mac_header and following fields
  206. */
  207. WARN_ON(sizeof(*a) != sizeof(b1) - sizeof(b1.la));
  208. WARN_ON(sizeof(b0) != sizeof(struct aes_ccm_block));
  209. WARN_ON(sizeof(b1) != sizeof(struct aes_ccm_block));
  210. WARN_ON(sizeof(ax) != sizeof(struct aes_ccm_block));
  211. result = -ENOMEM;
  212. zero_padding = sizeof(struct aes_ccm_block)
  213. - blen % sizeof(struct aes_ccm_block);
  214. zero_padding = blen % sizeof(struct aes_ccm_block);
  215. if (zero_padding)
  216. zero_padding = sizeof(struct aes_ccm_block) - zero_padding;
  217. dst_size = blen + sizeof(b0) + sizeof(b1) + zero_padding;
  218. dst_buf = kzalloc(dst_size, GFP_KERNEL);
  219. if (dst_buf == NULL) {
  220. printk(KERN_ERR "E: can't alloc destination buffer\n");
  221. goto error_dst_buf;
  222. }
  223. iv = crypto_blkcipher_crt(tfm_cbc)->iv;
  224. ivsize = crypto_blkcipher_ivsize(tfm_cbc);
  225. memset(iv, 0, ivsize);
  226. /* Setup B0 */
  227. b0.flags = 0x59; /* Format B0 */
  228. b0.ccm_nonce = *n;
  229. b0.lm = cpu_to_be16(0); /* WUSB1.0[6.5] sez l(m) is 0 */
  230. /* Setup B1
  231. *
  232. * The WUSB spec is anything but clear! WUSB1.0[6.5]
  233. * says that to initialize B1 from A with 'l(a) = blen +
  234. * 14'--after clarification, it means to use A's contents
  235. * for MAC Header, EO, sec reserved and padding.
  236. */
  237. b1.la = cpu_to_be16(blen + 14);
  238. memcpy(&b1.mac_header, a, sizeof(*a));
  239. sg_init_table(sg, ARRAY_SIZE(sg));
  240. sg_set_buf(&sg[0], &b0, sizeof(b0));
  241. sg_set_buf(&sg[1], &b1, sizeof(b1));
  242. sg_set_buf(&sg[2], b, blen);
  243. /* 0 if well behaved :) */
  244. sg_set_buf(&sg[3], bzero, zero_padding);
  245. sg_init_one(&sg_dst, dst_buf, dst_size);
  246. desc.tfm = tfm_cbc;
  247. desc.flags = 0;
  248. result = crypto_blkcipher_encrypt(&desc, &sg_dst, sg, dst_size);
  249. if (result < 0) {
  250. printk(KERN_ERR "E: can't compute CBC-MAC tag (MIC): %d\n",
  251. result);
  252. goto error_cbc_crypt;
  253. }
  254. /* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
  255. * The procedure is to AES crypt the A0 block and XOR the MIC
  256. * Tag against it; we only do the first 8 bytes and place it
  257. * directly in the destination buffer.
  258. *
  259. * POS Crypto API: size is assumed to be AES's block size.
  260. * Thanks for documenting it -- tip taken from airo.c
  261. */
  262. ax.flags = 0x01; /* as per WUSB 1.0 spec */
  263. ax.ccm_nonce = *n;
  264. ax.counter = 0;
  265. crypto_cipher_encrypt_one(tfm_aes, (void *)&ax, (void *)&ax);
  266. bytewise_xor(mic, &ax, iv, 8);
  267. result = 8;
  268. error_cbc_crypt:
  269. kfree(dst_buf);
  270. error_dst_buf:
  271. return result;
  272. }
  273. /*
  274. * WUSB Pseudo Random Function (WUSB1.0[6.5])
  275. *
  276. * @b: buffer to the source data; cannot be a global or const local
  277. * (will confuse the scatterlists)
  278. */
  279. ssize_t wusb_prf(void *out, size_t out_size,
  280. const u8 key[16], const struct aes_ccm_nonce *_n,
  281. const struct aes_ccm_label *a,
  282. const void *b, size_t blen, size_t len)
  283. {
  284. ssize_t result, bytes = 0, bitr;
  285. struct aes_ccm_nonce n = *_n;
  286. struct crypto_blkcipher *tfm_cbc;
  287. struct crypto_cipher *tfm_aes;
  288. u64 sfn = 0;
  289. __le64 sfn_le;
  290. tfm_cbc = crypto_alloc_blkcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
  291. if (IS_ERR(tfm_cbc)) {
  292. result = PTR_ERR(tfm_cbc);
  293. printk(KERN_ERR "E: can't load CBC(AES): %d\n", (int)result);
  294. goto error_alloc_cbc;
  295. }
  296. result = crypto_blkcipher_setkey(tfm_cbc, key, 16);
  297. if (result < 0) {
  298. printk(KERN_ERR "E: can't set CBC key: %d\n", (int)result);
  299. goto error_setkey_cbc;
  300. }
  301. tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
  302. if (IS_ERR(tfm_aes)) {
  303. result = PTR_ERR(tfm_aes);
  304. printk(KERN_ERR "E: can't load AES: %d\n", (int)result);
  305. goto error_alloc_aes;
  306. }
  307. result = crypto_cipher_setkey(tfm_aes, key, 16);
  308. if (result < 0) {
  309. printk(KERN_ERR "E: can't set AES key: %d\n", (int)result);
  310. goto error_setkey_aes;
  311. }
  312. for (bitr = 0; bitr < (len + 63) / 64; bitr++) {
  313. sfn_le = cpu_to_le64(sfn++);
  314. memcpy(&n.sfn, &sfn_le, sizeof(n.sfn)); /* n.sfn++... */
  315. result = wusb_ccm_mac(tfm_cbc, tfm_aes, out + bytes,
  316. &n, a, b, blen);
  317. if (result < 0)
  318. goto error_ccm_mac;
  319. bytes += result;
  320. }
  321. result = bytes;
  322. error_ccm_mac:
  323. error_setkey_aes:
  324. crypto_free_cipher(tfm_aes);
  325. error_alloc_aes:
  326. error_setkey_cbc:
  327. crypto_free_blkcipher(tfm_cbc);
  328. error_alloc_cbc:
  329. return result;
  330. }
  331. /* WUSB1.0[A.2] test vectors */
  332. static const u8 stv_hsmic_key[16] = {
  333. 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
  334. 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
  335. };
  336. static const struct aes_ccm_nonce stv_hsmic_n = {
  337. .sfn = { 0 },
  338. .tkid = { 0x76, 0x98, 0x01, },
  339. .dest_addr = { .data = { 0xbe, 0x00 } },
  340. .src_addr = { .data = { 0x76, 0x98 } },
  341. };
  342. /*
  343. * Out-of-band MIC Generation verification code
  344. *
  345. */
  346. static int wusb_oob_mic_verify(void)
  347. {
  348. int result;
  349. u8 mic[8];
  350. /* WUSB1.0[A.2] test vectors
  351. *
  352. * Need to keep it in the local stack as GCC 4.1.3something
  353. * messes up and generates noise.
  354. */
  355. struct usb_handshake stv_hsmic_hs = {
  356. .bMessageNumber = 2,
  357. .bStatus = 00,
  358. .tTKID = { 0x76, 0x98, 0x01 },
  359. .bReserved = 00,
  360. .CDID = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
  361. 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
  362. 0x3c, 0x3d, 0x3e, 0x3f },
  363. .nonce = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
  364. 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
  365. 0x2c, 0x2d, 0x2e, 0x2f },
  366. .MIC = { 0x75, 0x6a, 0x97, 0x51, 0x0c, 0x8c,
  367. 0x14, 0x7b } ,
  368. };
  369. size_t hs_size;
  370. result = wusb_oob_mic(mic, stv_hsmic_key, &stv_hsmic_n, &stv_hsmic_hs);
  371. if (result < 0)
  372. printk(KERN_ERR "E: WUSB OOB MIC test: failed: %d\n", result);
  373. else if (memcmp(stv_hsmic_hs.MIC, mic, sizeof(mic))) {
  374. printk(KERN_ERR "E: OOB MIC test: "
  375. "mismatch between MIC result and WUSB1.0[A2]\n");
  376. hs_size = sizeof(stv_hsmic_hs) - sizeof(stv_hsmic_hs.MIC);
  377. printk(KERN_ERR "E: Handshake2 in: (%zu bytes)\n", hs_size);
  378. wusb_key_dump(&stv_hsmic_hs, hs_size);
  379. printk(KERN_ERR "E: CCM Nonce in: (%zu bytes)\n",
  380. sizeof(stv_hsmic_n));
  381. wusb_key_dump(&stv_hsmic_n, sizeof(stv_hsmic_n));
  382. printk(KERN_ERR "E: MIC out:\n");
  383. wusb_key_dump(mic, sizeof(mic));
  384. printk(KERN_ERR "E: MIC out (from WUSB1.0[A.2]):\n");
  385. wusb_key_dump(stv_hsmic_hs.MIC, sizeof(stv_hsmic_hs.MIC));
  386. result = -EINVAL;
  387. } else
  388. result = 0;
  389. return result;
  390. }
  391. /*
  392. * Test vectors for Key derivation
  393. *
  394. * These come from WUSB1.0[6.5.1], the vectors in WUSB1.0[A.1]
  395. * (errata corrected in 2005/07).
  396. */
  397. static const u8 stv_key_a1[16] __attribute__ ((__aligned__(4))) = {
  398. 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
  399. 0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f
  400. };
  401. static const struct aes_ccm_nonce stv_keydvt_n_a1 = {
  402. .sfn = { 0 },
  403. .tkid = { 0x76, 0x98, 0x01, },
  404. .dest_addr = { .data = { 0xbe, 0x00 } },
  405. .src_addr = { .data = { 0x76, 0x98 } },
  406. };
  407. static const struct wusb_keydvt_out stv_keydvt_out_a1 = {
  408. .kck = {
  409. 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
  410. 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
  411. },
  412. .ptk = {
  413. 0xc8, 0x70, 0x62, 0x82, 0xb6, 0x7c, 0xe9, 0x06,
  414. 0x7b, 0xc5, 0x25, 0x69, 0xf2, 0x36, 0x61, 0x2d
  415. }
  416. };
  417. /*
  418. * Performa a test to make sure we match the vectors defined in
  419. * WUSB1.0[A.1](Errata2006/12)
  420. */
  421. static int wusb_key_derive_verify(void)
  422. {
  423. int result = 0;
  424. struct wusb_keydvt_out keydvt_out;
  425. /* These come from WUSB1.0[A.1] + 2006/12 errata
  426. * NOTE: can't make this const or global -- somehow it seems
  427. * the scatterlists for crypto get confused and we get
  428. * bad data. There is no doc on this... */
  429. struct wusb_keydvt_in stv_keydvt_in_a1 = {
  430. .hnonce = {
  431. 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  432. 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
  433. },
  434. .dnonce = {
  435. 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
  436. 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
  437. }
  438. };
  439. result = wusb_key_derive(&keydvt_out, stv_key_a1, &stv_keydvt_n_a1,
  440. &stv_keydvt_in_a1);
  441. if (result < 0)
  442. printk(KERN_ERR "E: WUSB key derivation test: "
  443. "derivation failed: %d\n", result);
  444. if (memcmp(&stv_keydvt_out_a1, &keydvt_out, sizeof(keydvt_out))) {
  445. printk(KERN_ERR "E: WUSB key derivation test: "
  446. "mismatch between key derivation result "
  447. "and WUSB1.0[A1] Errata 2006/12\n");
  448. printk(KERN_ERR "E: keydvt in: key\n");
  449. wusb_key_dump(stv_key_a1, sizeof(stv_key_a1));
  450. printk(KERN_ERR "E: keydvt in: nonce\n");
  451. wusb_key_dump( &stv_keydvt_n_a1, sizeof(stv_keydvt_n_a1));
  452. printk(KERN_ERR "E: keydvt in: hnonce & dnonce\n");
  453. wusb_key_dump(&stv_keydvt_in_a1, sizeof(stv_keydvt_in_a1));
  454. printk(KERN_ERR "E: keydvt out: KCK\n");
  455. wusb_key_dump(&keydvt_out.kck, sizeof(keydvt_out.kck));
  456. printk(KERN_ERR "E: keydvt out: PTK\n");
  457. wusb_key_dump(&keydvt_out.ptk, sizeof(keydvt_out.ptk));
  458. result = -EINVAL;
  459. } else
  460. result = 0;
  461. return result;
  462. }
  463. /*
  464. * Initialize crypto system
  465. *
  466. * FIXME: we do nothing now, other than verifying. Later on we'll
  467. * cache the encryption stuff, so that's why we have a separate init.
  468. */
  469. int wusb_crypto_init(void)
  470. {
  471. int result;
  472. if (debug_crypto_verify) {
  473. result = wusb_key_derive_verify();
  474. if (result < 0)
  475. return result;
  476. return wusb_oob_mic_verify();
  477. }
  478. return 0;
  479. }
  480. void wusb_crypto_exit(void)
  481. {
  482. /* FIXME: free cached crypto transforms */
  483. }