3 * AES-128 CCM Encryption
5 * Copyright (C) 2007 Intel Corporation
6 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License version
10 * 2 as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 * We don't do any encryption here; we use the Linux Kernel's AES-128
24 * crypto modules to construct keys and payload blocks in a way
25 * defined by WUSB1.0[6]. Check the erratas, as typos are are patched
28 * Thanks a zillion to John Keys for his help and clarifications over
29 * the designed-by-a-committee text.
31 * So the idea is that there is this basic Pseudo-Random-Function
32 * defined in WUSB1.0[6.5] which is the core of everything. It works
33 * by tweaking some blocks, AES crypting them and then xoring
34 * something else with them (this seems to be called CBC(AES) -- can
35 * you tell I know jack about crypto?). So we just funnel it into the
38 * We leave a crypto test module so we can verify that vectors match,
41 * Block size: 16 bytes -- AES seems to do things in 'block sizes'. I
42 * am learning a lot...
44 * Conveniently, some data structures that need to be
45 * funneled through AES are...16 bytes in size!
48 #include <linux/crypto.h>
49 #include <linux/module.h>
50 #include <linux/err.h>
51 #include <linux/uwb.h>
52 #include <linux/usb/wusb.h>
53 #include <linux/scatterlist.h>
55 #include <linux/uwb/debug.h>
59 * Block of data, as understood by AES-CCM
61 * The code assumes this structure is nothing but a 16 byte array
62 * (packed in a struct to avoid common mess ups that I usually do with
63 * arrays and enforcing type checking).
65 struct aes_ccm_block {
67 } __attribute__((packed));
70 * Counter-mode Blocks (WUSB1.0[6.4])
72 * According to CCM (or so it seems), for the purpose of calculating
73 * the MIC, the message is broken in N counter-mode blocks, B0, B1,
76 * B0 contains flags, the CCM nonce and l(m).
78 * B1 contains l(a), the MAC header, the encryption offset and padding.
80 * If EO is nonzero, additional blocks are built from payload bytes
81 * until EO is exahusted (FIXME: padding to 16 bytes, I guess). The
82 * padding is not xmitted.
87 u8 flags; /* 0x59, per CCM spec */
88 struct aes_ccm_nonce ccm_nonce;
90 } __attribute__((packed));
97 u8 security_reserved; /* This is always zero */
99 } __attribute__((packed));
102 * Encryption Blocks (WUSB1.0[6.4.4])
104 * CCM uses Ax blocks to generate a keystream with which the MIC and
105 * the message's payload are encoded. A0 always encrypts/decrypts the
106 * MIC. Ax (x>0) are used for the sucesive payload blocks.
108 * The x is the counter, and is increased for each block.
111 u8 flags; /* 0x01, per CCM spec */
112 struct aes_ccm_nonce ccm_nonce;
113 __be16 counter; /* Value of x */
114 } __attribute__((packed));
116 static void bytewise_xor(void *_bo, const void *_bi1, const void *_bi2,
120 const u8 *bi1 = _bi1, *bi2 = _bi2;
122 for (itr = 0; itr < size; itr++)
123 bo[itr] = bi1[itr] ^ bi2[itr];
127 * CC-MAC function WUSB1.0[6.5]
129 * Take a data string and produce the encrypted CBC Counter-mode MIC
131 * Note the names for most function arguments are made to (more or
132 * less) match those used in the pseudo-function definition given in
135 * @tfm_cbc: CBC(AES) blkcipher handle (initialized)
137 * @tfm_aes: AES cipher handle (initialized)
139 * @mic: buffer for placing the computed MIC (Message Integrity
140 * Code). This is exactly 8 bytes, and we expect the buffer to
141 * be at least eight bytes in length.
143 * @key: 128 bit symmetric key
147 * @a: ASCII string, 14 bytes long (I guess zero padded if needed;
148 * we use exactly 14 bytes).
150 * @b: data stream to be processed; cannot be a global or const local
151 * (will confuse the scatterlists)
153 * @blen: size of b...
155 * Still not very clear how this is done, but looks like this: we
156 * create block B0 (as WUSB1.0[6.5] says), then we AES-crypt it with
157 * @key. We bytewise xor B0 with B1 (1) and AES-crypt that. Then we
158 * take the payload and divide it in blocks (16 bytes), xor them with
159 * the previous crypto result (16 bytes) and crypt it, repeat the next
160 * block with the output of the previous one, rinse wash (I guess this
161 * is what AES CBC mode means...but I truly have no idea). So we use
162 * the CBC(AES) blkcipher, that does precisely that. The IV (Initial
163 * Vector) is 16 bytes and is set to zero, so
165 * See rfc3610. Linux crypto has a CBC implementation, but the
166 * documentation is scarce, to say the least, and the example code is
167 * so intricated that is difficult to understand how things work. Most
168 * of this is guess work -- bite me.
170 * (1) Created as 6.5 says, again, using as l(a) 'Blen + 14', and
171 * using the 14 bytes of @a to fill up
172 * b1.{mac_header,e0,security_reserved,padding}.
174 * NOTE: The definiton of l(a) in WUSB1.0[6.5] vs the definition of
175 * l(m) is orthogonal, they bear no relationship, so it is not
176 * in conflict with the parameter's relation that
177 * WUSB1.0[6.4.2]) defines.
179 * NOTE: WUSB1.0[A.1]: Host Nonce is missing a nibble? (1e); fixed in
180 * first errata released on 2005/07.
182 * NOTE: we need to clean IV to zero at each invocation to make sure
183 * we start with a fresh empty Initial Vector, so that the CBC
186 * NOTE: blen is not aligned to a block size, we'll pad zeros, that's
187 * what sg[4] is for. Maybe there is a smarter way to do this.
189 static int wusb_ccm_mac(struct crypto_blkcipher *tfm_cbc,
190 struct crypto_cipher *tfm_aes, void *mic,
191 const struct aes_ccm_nonce *n,
192 const struct aes_ccm_label *a, const void *b,
196 struct blkcipher_desc desc;
197 struct aes_ccm_b0 b0;
198 struct aes_ccm_b1 b1;
200 struct scatterlist sg[4], sg_dst;
202 size_t ivsize, dst_size;
203 const u8 bzero[16] = { 0 };
206 d_fnstart(3, NULL, "(tfm_cbc %p, tfm_aes %p, mic %p, "
207 "n %p, a %p, b %p, blen %zu)\n",
208 tfm_cbc, tfm_aes, mic, n, a, b, blen);
210 * These checks should be compile time optimized out
211 * ensure @a fills b1's mac_header and following fields
213 WARN_ON(sizeof(*a) != sizeof(b1) - sizeof(b1.la));
214 WARN_ON(sizeof(b0) != sizeof(struct aes_ccm_block));
215 WARN_ON(sizeof(b1) != sizeof(struct aes_ccm_block));
216 WARN_ON(sizeof(ax) != sizeof(struct aes_ccm_block));
219 zero_padding = sizeof(struct aes_ccm_block)
220 - blen % sizeof(struct aes_ccm_block);
221 zero_padding = blen % sizeof(struct aes_ccm_block);
223 zero_padding = sizeof(struct aes_ccm_block) - zero_padding;
224 dst_size = blen + sizeof(b0) + sizeof(b1) + zero_padding;
225 dst_buf = kzalloc(dst_size, GFP_KERNEL);
226 if (dst_buf == NULL) {
227 printk(KERN_ERR "E: can't alloc destination buffer\n");
231 iv = crypto_blkcipher_crt(tfm_cbc)->iv;
232 ivsize = crypto_blkcipher_ivsize(tfm_cbc);
233 memset(iv, 0, ivsize);
236 b0.flags = 0x59; /* Format B0 */
238 b0.lm = cpu_to_be16(0); /* WUSB1.0[6.5] sez l(m) is 0 */
242 * The WUSB spec is anything but clear! WUSB1.0[6.5]
243 * says that to initialize B1 from A with 'l(a) = blen +
244 * 14'--after clarification, it means to use A's contents
245 * for MAC Header, EO, sec reserved and padding.
247 b1.la = cpu_to_be16(blen + 14);
248 memcpy(&b1.mac_header, a, sizeof(*a));
250 d_printf(4, NULL, "I: B0 (%zu bytes)\n", sizeof(b0));
251 d_dump(4, NULL, &b0, sizeof(b0));
252 d_printf(4, NULL, "I: B1 (%zu bytes)\n", sizeof(b1));
253 d_dump(4, NULL, &b1, sizeof(b1));
254 d_printf(4, NULL, "I: B (%zu bytes)\n", blen);
255 d_dump(4, NULL, b, blen);
256 d_printf(4, NULL, "I: B 0-padding (%zu bytes)\n", zero_padding);
257 d_printf(4, NULL, "D: IV before crypto (%zu)\n", ivsize);
258 d_dump(4, NULL, iv, ivsize);
260 sg_init_table(sg, ARRAY_SIZE(sg));
261 sg_set_buf(&sg[0], &b0, sizeof(b0));
262 sg_set_buf(&sg[1], &b1, sizeof(b1));
263 sg_set_buf(&sg[2], b, blen);
264 /* 0 if well behaved :) */
265 sg_set_buf(&sg[3], bzero, zero_padding);
266 sg_init_one(&sg_dst, dst_buf, dst_size);
270 result = crypto_blkcipher_encrypt(&desc, &sg_dst, sg, dst_size);
272 printk(KERN_ERR "E: can't compute CBC-MAC tag (MIC): %d\n",
274 goto error_cbc_crypt;
276 d_printf(4, NULL, "D: MIC tag\n");
277 d_dump(4, NULL, iv, ivsize);
279 /* Now we crypt the MIC Tag (*iv) with Ax -- values per WUSB1.0[6.5]
280 * The procedure is to AES crypt the A0 block and XOR the MIC
281 * Tag agains it; we only do the first 8 bytes and place it
282 * directly in the destination buffer.
284 * POS Crypto API: size is assumed to be AES's block size.
285 * Thanks for documenting it -- tip taken from airo.c
287 ax.flags = 0x01; /* as per WUSB 1.0 spec */
290 crypto_cipher_encrypt_one(tfm_aes, (void *)&ax, (void *)&ax);
291 bytewise_xor(mic, &ax, iv, 8);
292 d_printf(4, NULL, "D: CTR[MIC]\n");
293 d_dump(4, NULL, &ax, 8);
294 d_printf(4, NULL, "D: CCM-MIC tag\n");
295 d_dump(4, NULL, mic, 8);
300 d_fnend(3, NULL, "(tfm_cbc %p, tfm_aes %p, mic %p, "
301 "n %p, a %p, b %p, blen %zu)\n",
302 tfm_cbc, tfm_aes, mic, n, a, b, blen);
307 * WUSB Pseudo Random Function (WUSB1.0[6.5])
309 * @b: buffer to the source data; cannot be a global or const local
310 * (will confuse the scatterlists)
312 ssize_t wusb_prf(void *out, size_t out_size,
313 const u8 key[16], const struct aes_ccm_nonce *_n,
314 const struct aes_ccm_label *a,
315 const void *b, size_t blen, size_t len)
317 ssize_t result, bytes = 0, bitr;
318 struct aes_ccm_nonce n = *_n;
319 struct crypto_blkcipher *tfm_cbc;
320 struct crypto_cipher *tfm_aes;
324 d_fnstart(3, NULL, "(out %p, out_size %zu, key %p, _n %p, "
325 "a %p, b %p, blen %zu, len %zu)\n", out, out_size,
326 key, _n, a, b, blen, len);
328 tfm_cbc = crypto_alloc_blkcipher("cbc(aes)", 0, CRYPTO_ALG_ASYNC);
329 if (IS_ERR(tfm_cbc)) {
330 result = PTR_ERR(tfm_cbc);
331 printk(KERN_ERR "E: can't load CBC(AES): %d\n", (int)result);
332 goto error_alloc_cbc;
334 result = crypto_blkcipher_setkey(tfm_cbc, key, 16);
336 printk(KERN_ERR "E: can't set CBC key: %d\n", (int)result);
337 goto error_setkey_cbc;
340 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
341 if (IS_ERR(tfm_aes)) {
342 result = PTR_ERR(tfm_aes);
343 printk(KERN_ERR "E: can't load AES: %d\n", (int)result);
344 goto error_alloc_aes;
346 result = crypto_cipher_setkey(tfm_aes, key, 16);
348 printk(KERN_ERR "E: can't set AES key: %d\n", (int)result);
349 goto error_setkey_aes;
352 for (bitr = 0; bitr < (len + 63) / 64; bitr++) {
353 sfn_le = cpu_to_le64(sfn++);
354 memcpy(&n.sfn, &sfn_le, sizeof(n.sfn)); /* n.sfn++... */
355 result = wusb_ccm_mac(tfm_cbc, tfm_aes, out + bytes,
364 crypto_free_cipher(tfm_aes);
367 crypto_free_blkcipher(tfm_cbc);
369 d_fnend(3, NULL, "(out %p, out_size %zu, key %p, _n %p, "
370 "a %p, b %p, blen %zu, len %zu) = %d\n", out, out_size,
371 key, _n, a, b, blen, len, (int)bytes);
375 /* WUSB1.0[A.2] test vectors */
376 static const u8 stv_hsmic_key[16] = {
377 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
378 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
381 static const struct aes_ccm_nonce stv_hsmic_n = {
383 .tkid = { 0x76, 0x98, 0x01, },
384 .dest_addr = { .data = { 0xbe, 0x00 } },
385 .src_addr = { .data = { 0x76, 0x98 } },
389 * Out-of-band MIC Generation verification code
392 static int wusb_oob_mic_verify(void)
396 /* WUSB1.0[A.2] test vectors
398 * Need to keep it in the local stack as GCC 4.1.3something
399 * messes up and generates noise.
401 struct usb_handshake stv_hsmic_hs = {
404 .tTKID = { 0x76, 0x98, 0x01 },
406 .CDID = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
407 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
408 0x3c, 0x3d, 0x3e, 0x3f },
409 .nonce = { 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
410 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
411 0x2c, 0x2d, 0x2e, 0x2f },
412 .MIC = { 0x75, 0x6a, 0x97, 0x51, 0x0c, 0x8c,
417 result = wusb_oob_mic(mic, stv_hsmic_key, &stv_hsmic_n, &stv_hsmic_hs);
419 printk(KERN_ERR "E: WUSB OOB MIC test: failed: %d\n", result);
420 else if (memcmp(stv_hsmic_hs.MIC, mic, sizeof(mic))) {
421 printk(KERN_ERR "E: OOB MIC test: "
422 "mismatch between MIC result and WUSB1.0[A2]\n");
423 hs_size = sizeof(stv_hsmic_hs) - sizeof(stv_hsmic_hs.MIC);
424 printk(KERN_ERR "E: Handshake2 in: (%zu bytes)\n", hs_size);
425 dump_bytes(NULL, &stv_hsmic_hs, hs_size);
426 printk(KERN_ERR "E: CCM Nonce in: (%zu bytes)\n",
427 sizeof(stv_hsmic_n));
428 dump_bytes(NULL, &stv_hsmic_n, sizeof(stv_hsmic_n));
429 printk(KERN_ERR "E: MIC out:\n");
430 dump_bytes(NULL, mic, sizeof(mic));
431 printk(KERN_ERR "E: MIC out (from WUSB1.0[A.2]):\n");
432 dump_bytes(NULL, stv_hsmic_hs.MIC, sizeof(stv_hsmic_hs.MIC));
440 * Test vectors for Key derivation
442 * These come from WUSB1.0[6.5.1], the vectors in WUSB1.0[A.1]
443 * (errata corrected in 2005/07).
445 static const u8 stv_key_a1[16] __attribute__ ((__aligned__(4))) = {
446 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
447 0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f
450 static const struct aes_ccm_nonce stv_keydvt_n_a1 = {
452 .tkid = { 0x76, 0x98, 0x01, },
453 .dest_addr = { .data = { 0xbe, 0x00 } },
454 .src_addr = { .data = { 0x76, 0x98 } },
457 static const struct wusb_keydvt_out stv_keydvt_out_a1 = {
459 0x4b, 0x79, 0xa3, 0xcf, 0xe5, 0x53, 0x23, 0x9d,
460 0xd7, 0xc1, 0x6d, 0x1c, 0x2d, 0xab, 0x6d, 0x3f
463 0xc8, 0x70, 0x62, 0x82, 0xb6, 0x7c, 0xe9, 0x06,
464 0x7b, 0xc5, 0x25, 0x69, 0xf2, 0x36, 0x61, 0x2d
469 * Performa a test to make sure we match the vectors defined in
470 * WUSB1.0[A.1](Errata2006/12)
472 static int wusb_key_derive_verify(void)
475 struct wusb_keydvt_out keydvt_out;
476 /* These come from WUSB1.0[A.1] + 2006/12 errata
477 * NOTE: can't make this const or global -- somehow it seems
478 * the scatterlists for crypto get confused and we get
479 * bad data. There is no doc on this... */
480 struct wusb_keydvt_in stv_keydvt_in_a1 = {
482 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
483 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
486 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
487 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f
491 result = wusb_key_derive(&keydvt_out, stv_key_a1, &stv_keydvt_n_a1,
494 printk(KERN_ERR "E: WUSB key derivation test: "
495 "derivation failed: %d\n", result);
496 if (memcmp(&stv_keydvt_out_a1, &keydvt_out, sizeof(keydvt_out))) {
497 printk(KERN_ERR "E: WUSB key derivation test: "
498 "mismatch between key derivation result "
499 "and WUSB1.0[A1] Errata 2006/12\n");
500 printk(KERN_ERR "E: keydvt in: key (%zu bytes)\n",
502 dump_bytes(NULL, stv_key_a1, sizeof(stv_key_a1));
503 printk(KERN_ERR "E: keydvt in: nonce (%zu bytes)\n",
504 sizeof(stv_keydvt_n_a1));
505 dump_bytes(NULL, &stv_keydvt_n_a1, sizeof(stv_keydvt_n_a1));
506 printk(KERN_ERR "E: keydvt in: hnonce & dnonce (%zu bytes)\n",
507 sizeof(stv_keydvt_in_a1));
508 dump_bytes(NULL, &stv_keydvt_in_a1, sizeof(stv_keydvt_in_a1));
509 printk(KERN_ERR "E: keydvt out: KCK\n");
510 dump_bytes(NULL, &keydvt_out.kck, sizeof(keydvt_out.kck));
511 printk(KERN_ERR "E: keydvt out: PTK\n");
512 dump_bytes(NULL, &keydvt_out.ptk, sizeof(keydvt_out.ptk));
520 * Initialize crypto system
522 * FIXME: we do nothing now, other than verifying. Later on we'll
523 * cache the encryption stuff, so that's why we have a separate init.
525 int wusb_crypto_init(void)
529 result = wusb_key_derive_verify();
532 return wusb_oob_mic_verify();
535 void wusb_crypto_exit(void)
537 /* FIXME: free cached crypto transforms */
projects / linux-2.6 / blob