1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * $FreeBSD: head/sys/net80211/ieee80211_crypto_wep.c 186302 2008-12-18 23:00:09Z sam $ 26 * $DragonFly$ 27 */ 28 29 /* 30 * IEEE 802.11 WEP crypto support. 31 */ 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/module.h> 40 #include <sys/endian.h> 41 42 #include <sys/socket.h> 43 44 #include <net/if.h> 45 #include <net/if_media.h> 46 #include <net/ethernet.h> 47 #include <net/route.h> 48 49 #include <netproto/802_11/ieee80211_var.h> 50 51 static void *wep_attach(struct ieee80211vap *, struct ieee80211_key *); 52 static void wep_detach(struct ieee80211_key *); 53 static int wep_setkey(struct ieee80211_key *); 54 static int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid); 55 static int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen); 56 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int); 57 static int wep_demic(struct ieee80211_key *, struct mbuf *, int); 58 59 static const struct ieee80211_cipher wep = { 60 .ic_name = "WEP", 61 .ic_cipher = IEEE80211_CIPHER_WEP, 62 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN, 63 .ic_trailer = IEEE80211_WEP_CRCLEN, 64 .ic_miclen = 0, 65 .ic_attach = wep_attach, 66 .ic_detach = wep_detach, 67 .ic_setkey = wep_setkey, 68 .ic_encap = wep_encap, 69 .ic_decap = wep_decap, 70 .ic_enmic = wep_enmic, 71 .ic_demic = wep_demic, 72 }; 73 74 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 75 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 76 77 struct wep_ctx { 78 struct ieee80211vap *wc_vap; /* for diagnostics+statistics */ 79 struct ieee80211com *wc_ic; 80 uint32_t wc_iv; /* initial vector for crypto */ 81 }; 82 83 /* number of references from net80211 layer */ 84 static int nrefs = 0; 85 86 static void * 87 wep_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 88 { 89 struct wep_ctx *ctx; 90 91 ctx = (struct wep_ctx *) kmalloc(sizeof(struct wep_ctx), 92 M_80211_CRYPTO, M_INTWAIT | M_ZERO); 93 if (ctx == NULL) { 94 vap->iv_stats.is_crypto_nomem++; 95 return NULL; 96 } 97 98 ctx->wc_vap = vap; 99 ctx->wc_ic = vap->iv_ic; 100 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv)); 101 nrefs++; /* NB: we assume caller locking */ 102 return ctx; 103 } 104 105 static void 106 wep_detach(struct ieee80211_key *k) 107 { 108 struct wep_ctx *ctx = k->wk_private; 109 110 kfree(ctx, M_80211_CRYPTO); 111 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 112 nrefs--; /* NB: we assume caller locking */ 113 } 114 115 static int 116 wep_setkey(struct ieee80211_key *k) 117 { 118 return k->wk_keylen >= 40/NBBY; 119 } 120 121 /* 122 * Add privacy headers appropriate for the specified key. 123 */ 124 static int 125 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 126 { 127 struct wep_ctx *ctx = k->wk_private; 128 struct ieee80211com *ic = ctx->wc_ic; 129 uint32_t iv; 130 uint8_t *ivp; 131 int hdrlen; 132 133 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 134 135 /* 136 * Copy down 802.11 header and add the IV + KeyID. 137 */ 138 M_PREPEND(m, wep.ic_header, MB_DONTWAIT); 139 if (m == NULL) 140 return 0; 141 ivp = mtod(m, uint8_t *); 142 ovbcopy(ivp + wep.ic_header, ivp, hdrlen); 143 ivp += hdrlen; 144 145 /* 146 * XXX 147 * IV must not duplicate during the lifetime of the key. 148 * But no mechanism to renew keys is defined in IEEE 802.11 149 * for WEP. And the IV may be duplicated at other stations 150 * because the session key itself is shared. So we use a 151 * pseudo random IV for now, though it is not the right way. 152 * 153 * NB: Rather than use a strictly random IV we select a 154 * random one to start and then increment the value for 155 * each frame. This is an explicit tradeoff between 156 * overhead and security. Given the basic insecurity of 157 * WEP this seems worthwhile. 158 */ 159 160 /* 161 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir: 162 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255 163 */ 164 iv = ctx->wc_iv; 165 if ((iv & 0xff00) == 0xff00) { 166 int B = (iv & 0xff0000) >> 16; 167 if (3 <= B && B < 16) 168 iv += 0x0100; 169 } 170 ctx->wc_iv = iv + 1; 171 172 /* 173 * NB: Preserve byte order of IV for packet 174 * sniffers; it doesn't matter otherwise. 175 */ 176 #if _BYTE_ORDER == _BIG_ENDIAN 177 ivp[0] = iv >> 0; 178 ivp[1] = iv >> 8; 179 ivp[2] = iv >> 16; 180 #else 181 ivp[2] = iv >> 0; 182 ivp[1] = iv >> 8; 183 ivp[0] = iv >> 16; 184 #endif 185 ivp[3] = keyid; 186 187 /* 188 * Finally, do software encrypt if neeed. 189 */ 190 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 191 !wep_encrypt(k, m, hdrlen)) 192 return 0; 193 194 return 1; 195 } 196 197 /* 198 * Add MIC to the frame as needed. 199 */ 200 static int 201 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 202 { 203 204 return 1; 205 } 206 207 /* 208 * Validate and strip privacy headers (and trailer) for a 209 * received frame. If necessary, decrypt the frame using 210 * the specified key. 211 */ 212 static int 213 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 214 { 215 struct wep_ctx *ctx = k->wk_private; 216 struct ieee80211vap *vap = ctx->wc_vap; 217 struct ieee80211_frame *wh; 218 219 wh = mtod(m, struct ieee80211_frame *); 220 221 /* 222 * Check if the device handled the decrypt in hardware. 223 * If so we just strip the header; otherwise we need to 224 * handle the decrypt in software. 225 */ 226 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 227 !wep_decrypt(k, m, hdrlen)) { 228 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 229 "%s", "WEP ICV mismatch on decrypt"); 230 vap->iv_stats.is_rx_wepfail++; 231 return 0; 232 } 233 234 /* 235 * Copy up 802.11 header and strip crypto bits. 236 */ 237 ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen); 238 m_adj(m, wep.ic_header); 239 m_adj(m, -wep.ic_trailer); 240 241 return 1; 242 } 243 244 /* 245 * Verify and strip MIC from the frame. 246 */ 247 static int 248 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force) 249 { 250 return 1; 251 } 252 253 static const uint32_t crc32_table[256] = { 254 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 255 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 256 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 257 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 258 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 259 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 260 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 261 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 262 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 263 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 264 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 265 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 266 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 267 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 268 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 269 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 270 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 271 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 272 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 273 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 274 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 275 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 276 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 277 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 278 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 279 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 280 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 281 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 282 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 283 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 284 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 285 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 286 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 287 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 288 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 289 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 290 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 291 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 292 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 293 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 294 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 295 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 296 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 297 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 298 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 299 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 300 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 301 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 302 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 303 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 304 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 305 0x2d02ef8dL 306 }; 307 308 static int 309 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 310 { 311 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 312 struct wep_ctx *ctx = key->wk_private; 313 struct ieee80211vap *vap = ctx->wc_vap; 314 struct mbuf *m = m0; 315 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 316 uint8_t icv[IEEE80211_WEP_CRCLEN]; 317 uint32_t i, j, k, crc; 318 size_t buflen, data_len; 319 uint8_t S[256]; 320 uint8_t *pos; 321 u_int off, keylen; 322 323 vap->iv_stats.is_crypto_wep++; 324 325 /* NB: this assumes the header was pulled up */ 326 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 327 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 328 329 /* Setup RC4 state */ 330 for (i = 0; i < 256; i++) 331 S[i] = i; 332 j = 0; 333 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 334 for (i = 0; i < 256; i++) { 335 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 336 S_SWAP(i, j); 337 } 338 339 off = hdrlen + wep.ic_header; 340 data_len = m->m_pkthdr.len - off; 341 342 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 343 crc = ~0; 344 i = j = 0; 345 pos = mtod(m, uint8_t *) + off; 346 buflen = m->m_len - off; 347 for (;;) { 348 if (buflen > data_len) 349 buflen = data_len; 350 data_len -= buflen; 351 for (k = 0; k < buflen; k++) { 352 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 353 i = (i + 1) & 0xff; 354 j = (j + S[i]) & 0xff; 355 S_SWAP(i, j); 356 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 357 } 358 if (m->m_next == NULL) { 359 if (data_len != 0) { /* out of data */ 360 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 361 mtod(m0, 362 struct ieee80211_frame *)->i_addr2, 363 "out of data for WEP (data_len %zu)", 364 data_len); 365 /* XXX stat */ 366 return 0; 367 } 368 break; 369 } 370 m = m->m_next; 371 pos = mtod(m, uint8_t *); 372 buflen = m->m_len; 373 } 374 crc = ~crc; 375 376 /* Append little-endian CRC32 and encrypt it to produce ICV */ 377 icv[0] = crc; 378 icv[1] = crc >> 8; 379 icv[2] = crc >> 16; 380 icv[3] = crc >> 24; 381 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 382 i = (i + 1) & 0xff; 383 j = (j + S[i]) & 0xff; 384 S_SWAP(i, j); 385 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 386 } 387 return m_append(m0, IEEE80211_WEP_CRCLEN, icv); 388 #undef S_SWAP 389 } 390 391 static int 392 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 393 { 394 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 395 struct wep_ctx *ctx = key->wk_private; 396 struct ieee80211vap *vap = ctx->wc_vap; 397 struct mbuf *m = m0; 398 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 399 uint8_t icv[IEEE80211_WEP_CRCLEN]; 400 uint32_t i, j, k, crc; 401 size_t buflen, data_len; 402 uint8_t S[256]; 403 uint8_t *pos; 404 u_int off, keylen; 405 406 vap->iv_stats.is_crypto_wep++; 407 408 /* NB: this assumes the header was pulled up */ 409 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 410 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 411 412 /* Setup RC4 state */ 413 for (i = 0; i < 256; i++) 414 S[i] = i; 415 j = 0; 416 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 417 for (i = 0; i < 256; i++) { 418 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 419 S_SWAP(i, j); 420 } 421 422 off = hdrlen + wep.ic_header; 423 data_len = m->m_pkthdr.len - (off + wep.ic_trailer), 424 425 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 426 crc = ~0; 427 i = j = 0; 428 pos = mtod(m, uint8_t *) + off; 429 buflen = m->m_len - off; 430 for (;;) { 431 if (buflen > data_len) 432 buflen = data_len; 433 data_len -= buflen; 434 for (k = 0; k < buflen; k++) { 435 i = (i + 1) & 0xff; 436 j = (j + S[i]) & 0xff; 437 S_SWAP(i, j); 438 *pos ^= S[(S[i] + S[j]) & 0xff]; 439 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 440 pos++; 441 } 442 m = m->m_next; 443 if (m == NULL) { 444 if (data_len != 0) { /* out of data */ 445 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 446 mtod(m0, struct ieee80211_frame *)->i_addr2, 447 "out of data for WEP (data_len %zu)", 448 data_len); 449 return 0; 450 } 451 break; 452 } 453 pos = mtod(m, uint8_t *); 454 buflen = m->m_len; 455 } 456 crc = ~crc; 457 458 /* Encrypt little-endian CRC32 and verify that it matches with 459 * received ICV */ 460 icv[0] = crc; 461 icv[1] = crc >> 8; 462 icv[2] = crc >> 16; 463 icv[3] = crc >> 24; 464 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 465 i = (i + 1) & 0xff; 466 j = (j + S[i]) & 0xff; 467 S_SWAP(i, j); 468 /* XXX assumes ICV is contiguous in mbuf */ 469 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 470 /* ICV mismatch - drop frame */ 471 return 0; 472 } 473 } 474 return 1; 475 #undef S_SWAP 476 } 477 478 /* 479 * Module glue. 480 */ 481 IEEE80211_CRYPTO_MODULE(wep, 1); 482