1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * $FreeBSD: head/sys/net80211/ieee80211_crypto_wep.c 186302 2008-12-18 23:00:09Z sam $ 26 */ 27 28 /* 29 * IEEE 802.11 WEP crypto support. 30 */ 31 #include "opt_wlan.h" 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/mbuf.h> 36 #include <sys/malloc.h> 37 #include <sys/kernel.h> 38 #include <sys/module.h> 39 #include <sys/endian.h> 40 41 #include <sys/socket.h> 42 43 #include <net/if.h> 44 #include <net/if_media.h> 45 #include <net/ethernet.h> 46 #include <net/route.h> 47 48 #include <netproto/802_11/ieee80211_var.h> 49 50 static void *wep_attach(struct ieee80211vap *, struct ieee80211_key *); 51 static void wep_detach(struct ieee80211_key *); 52 static int wep_setkey(struct ieee80211_key *); 53 static int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid); 54 static int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen); 55 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int); 56 static int wep_demic(struct ieee80211_key *, struct mbuf *, int); 57 58 static const struct ieee80211_cipher wep = { 59 .ic_name = "WEP", 60 .ic_cipher = IEEE80211_CIPHER_WEP, 61 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN, 62 .ic_trailer = IEEE80211_WEP_CRCLEN, 63 .ic_miclen = 0, 64 .ic_attach = wep_attach, 65 .ic_detach = wep_detach, 66 .ic_setkey = wep_setkey, 67 .ic_encap = wep_encap, 68 .ic_decap = wep_decap, 69 .ic_enmic = wep_enmic, 70 .ic_demic = wep_demic, 71 }; 72 73 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 74 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 75 76 struct wep_ctx { 77 struct ieee80211vap *wc_vap; /* for diagnostics+statistics */ 78 struct ieee80211com *wc_ic; 79 uint32_t wc_iv; /* initial vector for crypto */ 80 }; 81 82 /* number of references from net80211 layer */ 83 static int nrefs = 0; 84 85 static void * 86 wep_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 87 { 88 struct wep_ctx *ctx; 89 90 ctx = (struct wep_ctx *) kmalloc(sizeof(struct wep_ctx), 91 M_80211_CRYPTO, M_INTWAIT | M_ZERO); 92 if (ctx == NULL) { 93 vap->iv_stats.is_crypto_nomem++; 94 return NULL; 95 } 96 97 ctx->wc_vap = vap; 98 ctx->wc_ic = vap->iv_ic; 99 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv)); 100 nrefs++; /* NB: we assume caller locking */ 101 return ctx; 102 } 103 104 static void 105 wep_detach(struct ieee80211_key *k) 106 { 107 struct wep_ctx *ctx = k->wk_private; 108 109 kfree(ctx, M_80211_CRYPTO); 110 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 111 nrefs--; /* NB: we assume caller locking */ 112 } 113 114 static int 115 wep_setkey(struct ieee80211_key *k) 116 { 117 return k->wk_keylen >= 40/NBBY; 118 } 119 120 /* 121 * Add privacy headers appropriate for the specified key. 122 */ 123 static int 124 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 125 { 126 struct wep_ctx *ctx = k->wk_private; 127 struct ieee80211com *ic = ctx->wc_ic; 128 uint32_t iv; 129 uint8_t *ivp; 130 int hdrlen; 131 132 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 133 134 /* 135 * Copy down 802.11 header and add the IV + KeyID. 136 */ 137 M_PREPEND(m, wep.ic_header, MB_DONTWAIT); 138 if (m == NULL) 139 return 0; 140 ivp = mtod(m, uint8_t *); 141 ovbcopy(ivp + wep.ic_header, ivp, hdrlen); 142 ivp += hdrlen; 143 144 /* 145 * XXX 146 * IV must not duplicate during the lifetime of the key. 147 * But no mechanism to renew keys is defined in IEEE 802.11 148 * for WEP. And the IV may be duplicated at other stations 149 * because the session key itself is shared. So we use a 150 * pseudo random IV for now, though it is not the right way. 151 * 152 * NB: Rather than use a strictly random IV we select a 153 * random one to start and then increment the value for 154 * each frame. This is an explicit tradeoff between 155 * overhead and security. Given the basic insecurity of 156 * WEP this seems worthwhile. 157 */ 158 159 /* 160 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir: 161 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255 162 */ 163 iv = ctx->wc_iv; 164 if ((iv & 0xff00) == 0xff00) { 165 int B = (iv & 0xff0000) >> 16; 166 if (3 <= B && B < 16) 167 iv += 0x0100; 168 } 169 ctx->wc_iv = iv + 1; 170 171 /* 172 * NB: Preserve byte order of IV for packet 173 * sniffers; it doesn't matter otherwise. 174 */ 175 #if _BYTE_ORDER == _BIG_ENDIAN 176 ivp[0] = iv >> 0; 177 ivp[1] = iv >> 8; 178 ivp[2] = iv >> 16; 179 #else 180 ivp[2] = iv >> 0; 181 ivp[1] = iv >> 8; 182 ivp[0] = iv >> 16; 183 #endif 184 ivp[3] = keyid; 185 186 /* 187 * Finally, do software encrypt if neeed. 188 */ 189 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 190 !wep_encrypt(k, m, hdrlen)) 191 return 0; 192 193 return 1; 194 } 195 196 /* 197 * Add MIC to the frame as needed. 198 */ 199 static int 200 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 201 { 202 203 return 1; 204 } 205 206 /* 207 * Validate and strip privacy headers (and trailer) for a 208 * received frame. If necessary, decrypt the frame using 209 * the specified key. 210 */ 211 static int 212 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 213 { 214 struct wep_ctx *ctx = k->wk_private; 215 struct ieee80211vap *vap = ctx->wc_vap; 216 #ifdef IEEE80211_DEBUG 217 struct ieee80211_frame *wh; 218 #endif 219 220 #ifdef IEEE80211_DEBUG 221 wh = mtod(m, struct ieee80211_frame *); 222 #endif 223 224 /* 225 * Check if the device handled the decrypt in hardware. 226 * If so we just strip the header; otherwise we need to 227 * handle the decrypt in software. 228 */ 229 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 230 !wep_decrypt(k, m, hdrlen)) { 231 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 232 "%s", "WEP ICV mismatch on decrypt"); 233 vap->iv_stats.is_rx_wepfail++; 234 return 0; 235 } 236 237 /* 238 * Copy up 802.11 header and strip crypto bits. 239 */ 240 ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen); 241 m_adj(m, wep.ic_header); 242 m_adj(m, -wep.ic_trailer); 243 244 return 1; 245 } 246 247 /* 248 * Verify and strip MIC from the frame. 249 */ 250 static int 251 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force) 252 { 253 return 1; 254 } 255 256 static const uint32_t crc32_table[256] = { 257 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 258 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 259 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 260 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 261 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 262 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 263 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 264 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 265 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 266 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 267 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 268 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 269 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 270 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 271 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 272 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 273 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 274 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 275 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 276 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 277 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 278 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 279 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 280 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 281 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 282 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 283 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 284 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 285 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 286 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 287 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 288 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 289 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 290 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 291 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 292 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 293 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 294 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 295 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 296 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 297 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 298 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 299 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 300 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 301 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 302 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 303 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 304 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 305 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 306 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 307 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 308 0x2d02ef8dL 309 }; 310 311 static int 312 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 313 { 314 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 315 struct wep_ctx *ctx = key->wk_private; 316 struct ieee80211vap *vap = ctx->wc_vap; 317 struct mbuf *m = m0; 318 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 319 uint8_t icv[IEEE80211_WEP_CRCLEN]; 320 uint32_t i, j, k, crc; 321 size_t buflen, data_len; 322 uint8_t S[256]; 323 uint8_t *pos; 324 u_int off, keylen; 325 326 vap->iv_stats.is_crypto_wep++; 327 328 /* NB: this assumes the header was pulled up */ 329 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 330 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 331 332 /* Setup RC4 state */ 333 for (i = 0; i < 256; i++) 334 S[i] = i; 335 j = 0; 336 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 337 for (i = 0; i < 256; i++) { 338 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 339 S_SWAP(i, j); 340 } 341 342 off = hdrlen + wep.ic_header; 343 data_len = m->m_pkthdr.len - off; 344 345 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 346 crc = ~0; 347 i = j = 0; 348 pos = mtod(m, uint8_t *) + off; 349 buflen = m->m_len - off; 350 for (;;) { 351 if (buflen > data_len) 352 buflen = data_len; 353 data_len -= buflen; 354 for (k = 0; k < buflen; k++) { 355 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 356 i = (i + 1) & 0xff; 357 j = (j + S[i]) & 0xff; 358 S_SWAP(i, j); 359 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 360 } 361 if (m->m_next == NULL) { 362 if (data_len != 0) { /* out of data */ 363 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 364 mtod(m0, 365 struct ieee80211_frame *)->i_addr2, 366 "out of data for WEP (data_len %zu)", 367 data_len); 368 /* XXX stat */ 369 return 0; 370 } 371 break; 372 } 373 m = m->m_next; 374 pos = mtod(m, uint8_t *); 375 buflen = m->m_len; 376 } 377 crc = ~crc; 378 379 /* Append little-endian CRC32 and encrypt it to produce ICV */ 380 icv[0] = crc; 381 icv[1] = crc >> 8; 382 icv[2] = crc >> 16; 383 icv[3] = crc >> 24; 384 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 385 i = (i + 1) & 0xff; 386 j = (j + S[i]) & 0xff; 387 S_SWAP(i, j); 388 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 389 } 390 return m_append(m0, IEEE80211_WEP_CRCLEN, icv); 391 #undef S_SWAP 392 } 393 394 static int 395 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 396 { 397 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 398 struct wep_ctx *ctx = key->wk_private; 399 struct ieee80211vap *vap = ctx->wc_vap; 400 struct mbuf *m = m0; 401 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 402 uint8_t icv[IEEE80211_WEP_CRCLEN]; 403 uint32_t i, j, k, crc; 404 size_t buflen, data_len; 405 uint8_t S[256]; 406 uint8_t *pos; 407 u_int off, keylen; 408 409 vap->iv_stats.is_crypto_wep++; 410 411 /* NB: this assumes the header was pulled up */ 412 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 413 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 414 415 /* Setup RC4 state */ 416 for (i = 0; i < 256; i++) 417 S[i] = i; 418 j = 0; 419 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 420 for (i = 0; i < 256; i++) { 421 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 422 S_SWAP(i, j); 423 } 424 425 off = hdrlen + wep.ic_header; 426 data_len = m->m_pkthdr.len - (off + wep.ic_trailer), 427 428 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 429 crc = ~0; 430 i = j = 0; 431 pos = mtod(m, uint8_t *) + off; 432 buflen = m->m_len - off; 433 for (;;) { 434 if (buflen > data_len) 435 buflen = data_len; 436 data_len -= buflen; 437 for (k = 0; k < buflen; k++) { 438 i = (i + 1) & 0xff; 439 j = (j + S[i]) & 0xff; 440 S_SWAP(i, j); 441 *pos ^= S[(S[i] + S[j]) & 0xff]; 442 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 443 pos++; 444 } 445 m = m->m_next; 446 if (m == NULL) { 447 if (data_len != 0) { /* out of data */ 448 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 449 mtod(m0, struct ieee80211_frame *)->i_addr2, 450 "out of data for WEP (data_len %zu)", 451 data_len); 452 return 0; 453 } 454 break; 455 } 456 pos = mtod(m, uint8_t *); 457 buflen = m->m_len; 458 } 459 crc = ~crc; 460 461 /* Encrypt little-endian CRC32 and verify that it matches with 462 * received ICV */ 463 icv[0] = crc; 464 icv[1] = crc >> 8; 465 icv[2] = crc >> 16; 466 icv[3] = crc >> 24; 467 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 468 i = (i + 1) & 0xff; 469 j = (j + S[i]) & 0xff; 470 S_SWAP(i, j); 471 /* XXX assumes ICV is contiguous in mbuf */ 472 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 473 /* ICV mismatch - drop frame */ 474 return 0; 475 } 476 } 477 return 1; 478 #undef S_SWAP 479 } 480 481 /* 482 * Module glue. 483 */ 484 IEEE80211_CRYPTO_MODULE(wep, 1); 485