Commit 7ec7c4a9a686c608315739ab6a2b0527a240883c
Committed by
Johannes Berg
Johannes Berg
1 parent
fa1fb9cb1c
Exists in
smarc-imx_3.14.28_1.0.0_ga
and in
1 other branch
mac80211: port CCMP to cryptoapi's CCM driver
Use the generic CCM aead chaining mode driver rather than a local implementation that sits right on top of the core AES cipher. This allows the use of accelerated implementations of either CCM as a whole or the CTR mode which it encapsulates. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Showing 5 changed files with 84 additions and 146 deletions Side-by-side Diff
net/mac80211/Kconfig
net/mac80211/aes_ccm.c
| ... | ... | @@ -2,6 +2,8 @@ |
| 2 | 2 | * Copyright 2003-2004, Instant802 Networks, Inc. |
| 3 | 3 | * Copyright 2005-2006, Devicescape Software, Inc. |
| 4 | 4 | * |
| 5 | + * Rewrite: Copyright (C) 2013 Linaro Ltd <ard.biesheuvel@linaro.org> | |
| 6 | + * | |
| 5 | 7 | * This program is free software; you can redistribute it and/or modify |
| 6 | 8 | * it under the terms of the GNU General Public License version 2 as |
| 7 | 9 | * published by the Free Software Foundation. |
| 8 | 10 | |
| 9 | 11 | |
| 10 | 12 | |
| 11 | 13 | |
| 12 | 14 | |
| 13 | 15 | |
| 14 | 16 | |
| 15 | 17 | |
| 16 | 18 | |
| 17 | 19 | |
| 18 | 20 | |
| 19 | 21 | |
| 20 | 22 | |
| 21 | 23 | |
| 22 | 24 | |
| 23 | 25 | |
| 24 | 26 | |
| 25 | 27 | |
| ... | ... | @@ -17,135 +19,76 @@ |
| 17 | 19 | #include "key.h" |
| 18 | 20 | #include "aes_ccm.h" |
| 19 | 21 | |
| 20 | -static void aes_ccm_prepare(struct crypto_cipher *tfm, u8 *scratch, u8 *a) | |
| 22 | +void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad, | |
| 23 | + u8 *data, size_t data_len, u8 *mic) | |
| 21 | 24 | { |
| 22 | - int i; | |
| 23 | - u8 *b_0, *aad, *b, *s_0; | |
| 25 | + struct scatterlist assoc, pt, ct[2]; | |
| 26 | + struct { | |
| 27 | + struct aead_request req; | |
| 28 | + u8 priv[crypto_aead_reqsize(tfm)]; | |
| 29 | + } aead_req; | |
| 24 | 30 | |
| 25 | - b_0 = scratch + 3 * AES_BLOCK_SIZE; | |
| 26 | - aad = scratch + 4 * AES_BLOCK_SIZE; | |
| 27 | - b = scratch; | |
| 28 | - s_0 = scratch + AES_BLOCK_SIZE; | |
| 31 | + memset(&aead_req, 0, sizeof(aead_req)); | |
| 29 | 32 | |
| 30 | - crypto_cipher_encrypt_one(tfm, b, b_0); | |
| 33 | + sg_init_one(&pt, data, data_len); | |
| 34 | + sg_init_one(&assoc, &aad[2], be16_to_cpup((__be16 *)aad)); | |
| 35 | + sg_init_table(ct, 2); | |
| 36 | + sg_set_buf(&ct[0], data, data_len); | |
| 37 | + sg_set_buf(&ct[1], mic, IEEE80211_CCMP_MIC_LEN); | |
| 31 | 38 | |
| 32 | - /* Extra Authenticate-only data (always two AES blocks) */ | |
| 33 | - for (i = 0; i < AES_BLOCK_SIZE; i++) | |
| 34 | - aad[i] ^= b[i]; | |
| 35 | - crypto_cipher_encrypt_one(tfm, b, aad); | |
| 39 | + aead_request_set_tfm(&aead_req.req, tfm); | |
| 40 | + aead_request_set_assoc(&aead_req.req, &assoc, assoc.length); | |
| 41 | + aead_request_set_crypt(&aead_req.req, &pt, ct, data_len, b_0); | |
| 36 | 42 | |
| 37 | - aad += AES_BLOCK_SIZE; | |
| 38 | - | |
| 39 | - for (i = 0; i < AES_BLOCK_SIZE; i++) | |
| 40 | - aad[i] ^= b[i]; | |
| 41 | - crypto_cipher_encrypt_one(tfm, a, aad); | |
| 42 | - | |
| 43 | - /* Mask out bits from auth-only-b_0 */ | |
| 44 | - b_0[0] &= 0x07; | |
| 45 | - | |
| 46 | - /* S_0 is used to encrypt T (= MIC) */ | |
| 47 | - b_0[14] = 0; | |
| 48 | - b_0[15] = 0; | |
| 49 | - crypto_cipher_encrypt_one(tfm, s_0, b_0); | |
| 43 | + crypto_aead_encrypt(&aead_req.req); | |
| 50 | 44 | } |
| 51 | 45 | |
| 52 | - | |
| 53 | -void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch, | |
| 54 | - u8 *data, size_t data_len, | |
| 55 | - u8 *cdata, u8 *mic) | |
| 46 | +int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad, | |
| 47 | + u8 *data, size_t data_len, u8 *mic) | |
| 56 | 48 | { |
| 57 | - int i, j, last_len, num_blocks; | |
| 58 | - u8 *pos, *cpos, *b, *s_0, *e, *b_0; | |
| 49 | + struct scatterlist assoc, pt, ct[2]; | |
| 50 | + struct { | |
| 51 | + struct aead_request req; | |
| 52 | + u8 priv[crypto_aead_reqsize(tfm)]; | |
| 53 | + } aead_req; | |
| 59 | 54 | |
| 60 | - b = scratch; | |
| 61 | - s_0 = scratch + AES_BLOCK_SIZE; | |
| 62 | - e = scratch + 2 * AES_BLOCK_SIZE; | |
| 63 | - b_0 = scratch + 3 * AES_BLOCK_SIZE; | |
| 55 | + memset(&aead_req, 0, sizeof(aead_req)); | |
| 64 | 56 | |
| 65 | - num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE); | |
| 66 | - last_len = data_len % AES_BLOCK_SIZE; | |
| 67 | - aes_ccm_prepare(tfm, scratch, b); | |
| 57 | + sg_init_one(&pt, data, data_len); | |
| 58 | + sg_init_one(&assoc, &aad[2], be16_to_cpup((__be16 *)aad)); | |
| 59 | + sg_init_table(ct, 2); | |
| 60 | + sg_set_buf(&ct[0], data, data_len); | |
| 61 | + sg_set_buf(&ct[1], mic, IEEE80211_CCMP_MIC_LEN); | |
| 68 | 62 | |
| 69 | - /* Process payload blocks */ | |
| 70 | - pos = data; | |
| 71 | - cpos = cdata; | |
| 72 | - for (j = 1; j <= num_blocks; j++) { | |
| 73 | - int blen = (j == num_blocks && last_len) ? | |
| 74 | - last_len : AES_BLOCK_SIZE; | |
| 63 | + aead_request_set_tfm(&aead_req.req, tfm); | |
| 64 | + aead_request_set_assoc(&aead_req.req, &assoc, assoc.length); | |
| 65 | + aead_request_set_crypt(&aead_req.req, ct, &pt, | |
| 66 | + data_len + IEEE80211_CCMP_MIC_LEN, b_0); | |
| 75 | 67 | |
| 76 | - /* Authentication followed by encryption */ | |
| 77 | - for (i = 0; i < blen; i++) | |
| 78 | - b[i] ^= pos[i]; | |
| 79 | - crypto_cipher_encrypt_one(tfm, b, b); | |
| 80 | - | |
| 81 | - b_0[14] = (j >> 8) & 0xff; | |
| 82 | - b_0[15] = j & 0xff; | |
| 83 | - crypto_cipher_encrypt_one(tfm, e, b_0); | |
| 84 | - for (i = 0; i < blen; i++) | |
| 85 | - *cpos++ = *pos++ ^ e[i]; | |
| 86 | - } | |
| 87 | - | |
| 88 | - for (i = 0; i < IEEE80211_CCMP_MIC_LEN; i++) | |
| 89 | - mic[i] = b[i] ^ s_0[i]; | |
| 68 | + return crypto_aead_decrypt(&aead_req.req); | |
| 90 | 69 | } |
| 91 | 70 | |
| 92 | - | |
| 93 | -int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch, | |
| 94 | - u8 *cdata, size_t data_len, u8 *mic, u8 *data) | |
| 71 | +struct crypto_aead *ieee80211_aes_key_setup_encrypt(const u8 key[]) | |
| 95 | 72 | { |
| 96 | - int i, j, last_len, num_blocks; | |
| 97 | - u8 *pos, *cpos, *b, *s_0, *a, *b_0; | |
| 73 | + struct crypto_aead *tfm; | |
| 74 | + int err; | |
| 98 | 75 | |
| 99 | - b = scratch; | |
| 100 | - s_0 = scratch + AES_BLOCK_SIZE; | |
| 101 | - a = scratch + 2 * AES_BLOCK_SIZE; | |
| 102 | - b_0 = scratch + 3 * AES_BLOCK_SIZE; | |
| 76 | + tfm = crypto_alloc_aead("ccm(aes)", 0, CRYPTO_ALG_ASYNC); | |
| 77 | + if (IS_ERR(tfm)) | |
| 78 | + return tfm; | |
| 103 | 79 | |
| 104 | - num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE); | |
| 105 | - last_len = data_len % AES_BLOCK_SIZE; | |
| 106 | - aes_ccm_prepare(tfm, scratch, a); | |
| 80 | + err = crypto_aead_setkey(tfm, key, WLAN_KEY_LEN_CCMP); | |
| 81 | + if (!err) | |
| 82 | + err = crypto_aead_setauthsize(tfm, IEEE80211_CCMP_MIC_LEN); | |
| 83 | + if (!err) | |
| 84 | + return tfm; | |
| 107 | 85 | |
| 108 | - /* Process payload blocks */ | |
| 109 | - cpos = cdata; | |
| 110 | - pos = data; | |
| 111 | - for (j = 1; j <= num_blocks; j++) { | |
| 112 | - int blen = (j == num_blocks && last_len) ? | |
| 113 | - last_len : AES_BLOCK_SIZE; | |
| 114 | - | |
| 115 | - /* Decryption followed by authentication */ | |
| 116 | - b_0[14] = (j >> 8) & 0xff; | |
| 117 | - b_0[15] = j & 0xff; | |
| 118 | - crypto_cipher_encrypt_one(tfm, b, b_0); | |
| 119 | - for (i = 0; i < blen; i++) { | |
| 120 | - *pos = *cpos++ ^ b[i]; | |
| 121 | - a[i] ^= *pos++; | |
| 122 | - } | |
| 123 | - crypto_cipher_encrypt_one(tfm, a, a); | |
| 124 | - } | |
| 125 | - | |
| 126 | - for (i = 0; i < IEEE80211_CCMP_MIC_LEN; i++) { | |
| 127 | - if ((mic[i] ^ s_0[i]) != a[i]) | |
| 128 | - return -1; | |
| 129 | - } | |
| 130 | - | |
| 131 | - return 0; | |
| 86 | + crypto_free_aead(tfm); | |
| 87 | + return ERR_PTR(err); | |
| 132 | 88 | } |
| 133 | 89 | |
| 134 | - | |
| 135 | -struct crypto_cipher *ieee80211_aes_key_setup_encrypt(const u8 key[]) | |
| 90 | +void ieee80211_aes_key_free(struct crypto_aead *tfm) | |
| 136 | 91 | { |
| 137 | - struct crypto_cipher *tfm; | |
| 138 | - | |
| 139 | - tfm = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); | |
| 140 | - if (!IS_ERR(tfm)) | |
| 141 | - crypto_cipher_setkey(tfm, key, WLAN_KEY_LEN_CCMP); | |
| 142 | - | |
| 143 | - return tfm; | |
| 144 | -} | |
| 145 | - | |
| 146 | - | |
| 147 | -void ieee80211_aes_key_free(struct crypto_cipher *tfm) | |
| 148 | -{ | |
| 149 | - crypto_free_cipher(tfm); | |
| 92 | + crypto_free_aead(tfm); | |
| 150 | 93 | } |
net/mac80211/aes_ccm.h
| ... | ... | @@ -12,14 +12,12 @@ |
| 12 | 12 | |
| 13 | 13 | #include <linux/crypto.h> |
| 14 | 14 | |
| 15 | -struct crypto_cipher *ieee80211_aes_key_setup_encrypt(const u8 key[]); | |
| 16 | -void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch, | |
| 17 | - u8 *data, size_t data_len, | |
| 18 | - u8 *cdata, u8 *mic); | |
| 19 | -int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch, | |
| 20 | - u8 *cdata, size_t data_len, | |
| 21 | - u8 *mic, u8 *data); | |
| 22 | -void ieee80211_aes_key_free(struct crypto_cipher *tfm); | |
| 15 | +struct crypto_aead *ieee80211_aes_key_setup_encrypt(const u8 key[]); | |
| 16 | +void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad, | |
| 17 | + u8 *data, size_t data_len, u8 *mic); | |
| 18 | +int ieee80211_aes_ccm_decrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad, | |
| 19 | + u8 *data, size_t data_len, u8 *mic); | |
| 20 | +void ieee80211_aes_key_free(struct crypto_aead *tfm); | |
| 23 | 21 | |
| 24 | 22 | #endif /* AES_CCM_H */ |
net/mac80211/key.h
net/mac80211/wpa.c
| ... | ... | @@ -301,22 +301,16 @@ |
| 301 | 301 | } |
| 302 | 302 | |
| 303 | 303 | |
| 304 | -static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *scratch, | |
| 304 | +static void ccmp_special_blocks(struct sk_buff *skb, u8 *pn, u8 *b_0, u8 *aad, | |
| 305 | 305 | int encrypted) |
| 306 | 306 | { |
| 307 | 307 | __le16 mask_fc; |
| 308 | 308 | int a4_included, mgmt; |
| 309 | 309 | u8 qos_tid; |
| 310 | - u8 *b_0, *aad; | |
| 311 | - u16 data_len, len_a; | |
| 310 | + u16 len_a; | |
| 312 | 311 | unsigned int hdrlen; |
| 313 | 312 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 314 | 313 | |
| 315 | - memset(scratch, 0, 6 * AES_BLOCK_SIZE); | |
| 316 | - | |
| 317 | - b_0 = scratch + 3 * AES_BLOCK_SIZE; | |
| 318 | - aad = scratch + 4 * AES_BLOCK_SIZE; | |
| 319 | - | |
| 320 | 314 | /* |
| 321 | 315 | * Mask FC: zero subtype b4 b5 b6 (if not mgmt) |
| 322 | 316 | * Retry, PwrMgt, MoreData; set Protected |
| 323 | 317 | |
| 324 | 318 | |
| ... | ... | @@ -338,20 +332,21 @@ |
| 338 | 332 | else |
| 339 | 333 | qos_tid = 0; |
| 340 | 334 | |
| 341 | - data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN; | |
| 342 | - if (encrypted) | |
| 343 | - data_len -= IEEE80211_CCMP_MIC_LEN; | |
| 335 | + /* In CCM, the initial vectors (IV) used for CTR mode encryption and CBC | |
| 336 | + * mode authentication are not allowed to collide, yet both are derived | |
| 337 | + * from this vector b_0. We only set L := 1 here to indicate that the | |
| 338 | + * data size can be represented in (L+1) bytes. The CCM layer will take | |
| 339 | + * care of storing the data length in the top (L+1) bytes and setting | |
| 340 | + * and clearing the other bits as is required to derive the two IVs. | |
| 341 | + */ | |
| 342 | + b_0[0] = 0x1; | |
| 344 | 343 | |
| 345 | - /* First block, b_0 */ | |
| 346 | - b_0[0] = 0x59; /* flags: Adata: 1, M: 011, L: 001 */ | |
| 347 | 344 | /* Nonce: Nonce Flags | A2 | PN |
| 348 | 345 | * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7) |
| 349 | 346 | */ |
| 350 | 347 | b_0[1] = qos_tid | (mgmt << 4); |
| 351 | 348 | memcpy(&b_0[2], hdr->addr2, ETH_ALEN); |
| 352 | 349 | memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN); |
| 353 | - /* l(m) */ | |
| 354 | - put_unaligned_be16(data_len, &b_0[14]); | |
| 355 | 350 | |
| 356 | 351 | /* AAD (extra authenticate-only data) / masked 802.11 header |
| 357 | 352 | * FC | A1 | A2 | A3 | SC | [A4] | [QC] */ |
| ... | ... | @@ -407,7 +402,8 @@ |
| 407 | 402 | u8 *pos; |
| 408 | 403 | u8 pn[6]; |
| 409 | 404 | u64 pn64; |
| 410 | - u8 scratch[6 * AES_BLOCK_SIZE]; | |
| 405 | + u8 aad[2 * AES_BLOCK_SIZE]; | |
| 406 | + u8 b_0[AES_BLOCK_SIZE]; | |
| 411 | 407 | |
| 412 | 408 | if (info->control.hw_key && |
| 413 | 409 | !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) && |
| ... | ... | @@ -460,9 +456,9 @@ |
| 460 | 456 | return 0; |
| 461 | 457 | |
| 462 | 458 | pos += IEEE80211_CCMP_HDR_LEN; |
| 463 | - ccmp_special_blocks(skb, pn, scratch, 0); | |
| 464 | - ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, scratch, pos, len, | |
| 465 | - pos, skb_put(skb, IEEE80211_CCMP_MIC_LEN)); | |
| 459 | + ccmp_special_blocks(skb, pn, b_0, aad, 0); | |
| 460 | + ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len, | |
| 461 | + skb_put(skb, IEEE80211_CCMP_MIC_LEN)); | |
| 466 | 462 | |
| 467 | 463 | return 0; |
| 468 | 464 | } |
| 469 | 465 | |
| 470 | 466 | |
| 471 | 467 | |
| ... | ... | @@ -525,16 +521,16 @@ |
| 525 | 521 | } |
| 526 | 522 | |
| 527 | 523 | if (!(status->flag & RX_FLAG_DECRYPTED)) { |
| 528 | - u8 scratch[6 * AES_BLOCK_SIZE]; | |
| 524 | + u8 aad[2 * AES_BLOCK_SIZE]; | |
| 525 | + u8 b_0[AES_BLOCK_SIZE]; | |
| 529 | 526 | /* hardware didn't decrypt/verify MIC */ |
| 530 | - ccmp_special_blocks(skb, pn, scratch, 1); | |
| 527 | + ccmp_special_blocks(skb, pn, b_0, aad, 1); | |
| 531 | 528 | |
| 532 | 529 | if (ieee80211_aes_ccm_decrypt( |
| 533 | - key->u.ccmp.tfm, scratch, | |
| 530 | + key->u.ccmp.tfm, b_0, aad, | |
| 534 | 531 | skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN, |
| 535 | 532 | data_len, |
| 536 | - skb->data + skb->len - IEEE80211_CCMP_MIC_LEN, | |
| 537 | - skb->data + hdrlen + IEEE80211_CCMP_HDR_LEN)) | |
| 533 | + skb->data + skb->len - IEEE80211_CCMP_MIC_LEN)) | |
| 538 | 534 | return RX_DROP_UNUSABLE; |
| 539 | 535 | } |
| 540 | 536 |