1 /*
2 * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 */
19
20 FILE_LICENCE ( GPL2_OR_LATER );
21
22 #include <ipxe/net80211.h>
23 #include <ipxe/sec80211.h>
24 #include <ipxe/crypto.h>
25 #include <ipxe/arc4.h>
26 #include <ipxe/crc32.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <errno.h>
30
31 /** @file
32 *
33 * The WEP wireless encryption method (insecure!)
34 *
35 * The data field in a WEP-encrypted packet contains a 3-byte
36 * initialisation vector, one-byte Key ID field (only the bottom two
37 * bits are ever used), encrypted data, and a 4-byte encrypted CRC of
38 * the plaintext data, called the ICV. To decrypt it, the IV is
39 * prepended to the shared key and the data stream (including ICV) is
40 * run through the ARC4 stream cipher; if the ICV matches a CRC32
41 * calculated on the plaintext, the packet is valid.
42 *
43 * For efficiency and code-size reasons, this file assumes it is
44 * running on a little-endian machine.
45 */
46
47 /** Length of WEP initialisation vector */
48 #define WEP_IV_LEN 3
49
50 /** Length of WEP key ID byte */
51 #define WEP_KID_LEN 1
52
53 /** Length of WEP ICV checksum */
54 #define WEP_ICV_LEN 4
55
56 /** Maximum length of WEP key */
57 #define WEP_MAX_KEY 16
58
59 /** Amount of data placed before the encrypted bytes */
60 #define WEP_HEADER_LEN 4
61
62 /** Amount of data placed after the encrypted bytes */
63 #define WEP_TRAILER_LEN 4
64
65 /** Total WEP overhead bytes */
66 #define WEP_OVERHEAD 8
67
68 /** Context for WEP encryption and decryption */
69 struct wep_ctx
70 {
71 /** Encoded WEP key
72 *
73 * The actual key bytes are stored beginning at offset 3, to
74 * leave room for easily inserting the IV before a particular
75 * operation.
76 */
77 u8 key[WEP_IV_LEN + WEP_MAX_KEY];
78
79 /** Length of WEP key (not including IV bytes) */
80 int keylen;
81
82 /** ARC4 context */
83 struct arc4_ctx arc4;
84 };
85
86 /**
87 * Initialize WEP algorithm
88 *
89 * @v crypto 802.11 cryptographic algorithm
90 * @v key WEP key to use
91 * @v keylen Length of WEP key
92 * @v rsc Initial receive sequence counter (unused)
93 * @ret rc Return status code
94 *
95 * Standard key lengths are 5 and 13 bytes; 16-byte keys are
96 * occasionally supported as an extension to the standard.
97 */
wep_init(struct net80211_crypto * crypto,const void * key,int keylen,const void * rsc __unused)98 static int wep_init ( struct net80211_crypto *crypto, const void *key,
99 int keylen, const void *rsc __unused )
100 {
101 struct wep_ctx *ctx = crypto->priv;
102
103 ctx->keylen = ( keylen > WEP_MAX_KEY ? WEP_MAX_KEY : keylen );
104 memcpy ( ctx->key + WEP_IV_LEN, key, ctx->keylen );
105
106 return 0;
107 }
108
109 /**
110 * Encrypt packet using WEP
111 *
112 * @v crypto 802.11 cryptographic algorithm
113 * @v iob I/O buffer of plaintext packet
114 * @ret eiob Newly allocated I/O buffer for encrypted packet, or NULL
115 *
116 * If memory allocation fails, @c NULL is returned.
117 */
wep_encrypt(struct net80211_crypto * crypto,struct io_buffer * iob)118 static struct io_buffer * wep_encrypt ( struct net80211_crypto *crypto,
119 struct io_buffer *iob )
120 {
121 struct wep_ctx *ctx = crypto->priv;
122 struct io_buffer *eiob;
123 struct ieee80211_frame *hdr;
124 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
125 int datalen = iob_len ( iob ) - hdrlen;
126 int newlen = hdrlen + datalen + WEP_OVERHEAD;
127 u32 iv, icv;
128
129 eiob = alloc_iob ( newlen );
130 if ( ! eiob )
131 return NULL;
132
133 memcpy ( iob_put ( eiob, hdrlen ), iob->data, hdrlen );
134 hdr = eiob->data;
135 hdr->fc |= IEEE80211_FC_PROTECTED;
136
137 /* Calculate IV, put it in the header (with key ID byte = 0), and
138 set it up at the start of the encryption key. */
139 iv = random() & 0xffffff; /* IV in bottom 3 bytes, top byte = KID = 0 */
140 memcpy ( iob_put ( eiob, WEP_HEADER_LEN ), &iv, WEP_HEADER_LEN );
141 memcpy ( ctx->key, &iv, WEP_IV_LEN );
142
143 /* Encrypt the data using RC4 */
144 cipher_setkey ( &arc4_algorithm, &ctx->arc4, ctx->key,
145 ctx->keylen + WEP_IV_LEN );
146 cipher_encrypt ( &arc4_algorithm, &ctx->arc4, iob->data + hdrlen,
147 iob_put ( eiob, datalen ), datalen );
148
149 /* Add ICV */
150 icv = ~crc32_le ( ~0, iob->data + hdrlen, datalen );
151 cipher_encrypt ( &arc4_algorithm, &ctx->arc4, &icv,
152 iob_put ( eiob, WEP_ICV_LEN ), WEP_ICV_LEN );
153
154 return eiob;
155 }
156
157 /**
158 * Decrypt packet using WEP
159 *
160 * @v crypto 802.11 cryptographic algorithm
161 * @v eiob I/O buffer of encrypted packet
162 * @ret iob Newly allocated I/O buffer for plaintext packet, or NULL
163 *
164 * If a consistency check for the decryption fails (usually indicating
165 * an invalid key), @c NULL is returned.
166 */
wep_decrypt(struct net80211_crypto * crypto,struct io_buffer * eiob)167 static struct io_buffer * wep_decrypt ( struct net80211_crypto *crypto,
168 struct io_buffer *eiob )
169 {
170 struct wep_ctx *ctx = crypto->priv;
171 struct io_buffer *iob;
172 struct ieee80211_frame *hdr;
173 const int hdrlen = IEEE80211_TYP_FRAME_HEADER_LEN;
174 int datalen = iob_len ( eiob ) - hdrlen - WEP_OVERHEAD;
175 int newlen = hdrlen + datalen;
176 u32 iv, icv, crc;
177
178 iob = alloc_iob ( newlen );
179 if ( ! iob )
180 return NULL;
181
182 memcpy ( iob_put ( iob, hdrlen ), eiob->data, hdrlen );
183 hdr = iob->data;
184 hdr->fc &= ~IEEE80211_FC_PROTECTED;
185
186 /* Strip off IV and use it to initialize cryptosystem */
187 memcpy ( &iv, eiob->data + hdrlen, 4 );
188 iv &= 0xffffff; /* ignore key ID byte */
189 memcpy ( ctx->key, &iv, WEP_IV_LEN );
190
191 /* Decrypt the data using RC4 */
192 cipher_setkey ( &arc4_algorithm, &ctx->arc4, ctx->key,
193 ctx->keylen + WEP_IV_LEN );
194 cipher_decrypt ( &arc4_algorithm, &ctx->arc4, eiob->data + hdrlen +
195 WEP_HEADER_LEN, iob_put ( iob, datalen ), datalen );
196
197 /* Strip off ICV and verify it */
198 cipher_decrypt ( &arc4_algorithm, &ctx->arc4, eiob->data + hdrlen +
199 WEP_HEADER_LEN + datalen, &icv, WEP_ICV_LEN );
200 crc = ~crc32_le ( ~0, iob->data + hdrlen, datalen );
201 if ( crc != icv ) {
202 DBGC ( crypto, "WEP %p CRC mismatch: expect %08x, get %08x\n",
203 crypto, icv, crc );
204 free_iob ( iob );
205 return NULL;
206 }
207 return iob;
208 }
209
210 /** WEP cryptosystem for 802.11 */
211 struct net80211_crypto wep_crypto __net80211_crypto = {
212 .algorithm = NET80211_CRYPT_WEP,
213 .init = wep_init,
214 .encrypt = wep_encrypt,
215 .decrypt = wep_decrypt,
216 .priv_len = sizeof ( struct wep_ctx ),
217 };
218
219 /**
220 * Initialize trivial 802.11 security handshaker
221 *
222 * @v dev 802.11 device
223 * @v ctx Security handshaker
224 *
225 * This simply fetches a WEP key from netX/key, and if it exists,
226 * installs WEP cryptography on the 802.11 device. No real handshaking
227 * is performed.
228 */
trivial_init(struct net80211_device * dev)229 static int trivial_init ( struct net80211_device *dev )
230 {
231 u8 key[WEP_MAX_KEY]; /* support up to 128-bit keys */
232 int len;
233 int rc;
234
235 if ( dev->associating &&
236 dev->associating->crypto == NET80211_CRYPT_NONE )
237 return 0; /* no crypto? OK. */
238
239 len = fetch_raw_setting ( netdev_settings ( dev->netdev ),
240 &net80211_key_setting, key, WEP_MAX_KEY );
241
242 if ( len <= 0 ) {
243 DBGC ( dev, "802.11 %p cannot do WEP without a key\n", dev );
244 return -EACCES;
245 }
246
247 /* Full 128-bit keys are a nonstandard extension, but they're
248 utterly trivial to support, so we do. */
249 if ( len != 5 && len != 13 && len != 16 ) {
250 DBGC ( dev, "802.11 %p invalid WEP key length %d\n",
251 dev, len );
252 return -EINVAL;
253 }
254
255 DBGC ( dev, "802.11 %p installing %d-bit WEP\n", dev, len * 8 );
256
257 rc = sec80211_install ( &dev->crypto, NET80211_CRYPT_WEP, key, len,
258 NULL );
259 if ( rc < 0 )
260 return rc;
261
262 return 0;
263 }
264
265 /**
266 * Check for key change on trivial 802.11 security handshaker
267 *
268 * @v dev 802.11 device
269 * @v ctx Security handshaker
270 */
trivial_change_key(struct net80211_device * dev)271 static int trivial_change_key ( struct net80211_device *dev )
272 {
273 u8 key[WEP_MAX_KEY];
274 int len;
275 int change = 0;
276
277 /* If going from WEP to clear, or something else to WEP, reassociate. */
278 if ( ! dev->crypto || ( dev->crypto->init != wep_init ) )
279 change ^= 1;
280
281 len = fetch_raw_setting ( netdev_settings ( dev->netdev ),
282 &net80211_key_setting, key, WEP_MAX_KEY );
283 if ( len <= 0 )
284 change ^= 1;
285
286 /* Changing crypto type => return nonzero to reassociate. */
287 if ( change )
288 return -EINVAL;
289
290 /* Going from no crypto to still no crypto => nothing to do. */
291 if ( len <= 0 )
292 return 0;
293
294 /* Otherwise, reinitialise WEP with new key. */
295 return wep_init ( dev->crypto, key, len, NULL );
296 }
297
298 /** Trivial 802.11 security handshaker */
299 struct net80211_handshaker trivial_handshaker __net80211_handshaker = {
300 .protocol = NET80211_SECPROT_NONE,
301 .init = trivial_init,
302 .change_key = trivial_change_key,
303 .priv_len = 0,
304 };
305