1 /*- 2 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD$"); 28 29 /* 30 * IEEE 802.11 WEP crypto support. 31 */ 32 #include "opt_wlan.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/mbuf.h> 37 #include <sys/malloc.h> 38 #include <sys/kernel.h> 39 #include <sys/module.h> 40 #include <sys/endian.h> 41 42 #include <sys/socket.h> 43 44 #include <net/if.h> 45 #include <net/if_var.h> 46 #include <net/if_media.h> 47 #include <net/ethernet.h> 48 49 #include <netproto/802_11/ieee80211_var.h> 50 51 static void *wep_attach(struct ieee80211vap *, struct ieee80211_key *); 52 static void wep_detach(struct ieee80211_key *); 53 static int wep_setkey(struct ieee80211_key *); 54 static void wep_setiv(struct ieee80211_key *, uint8_t *); 55 static int wep_encap(struct ieee80211_key *, struct mbuf *); 56 static int wep_decap(struct ieee80211_key *, struct mbuf *, int); 57 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int); 58 static int wep_demic(struct ieee80211_key *, struct mbuf *, int); 59 60 static const struct ieee80211_cipher wep = { 61 .ic_name = "WEP", 62 .ic_cipher = IEEE80211_CIPHER_WEP, 63 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN, 64 .ic_trailer = IEEE80211_WEP_CRCLEN, 65 .ic_miclen = 0, 66 .ic_attach = wep_attach, 67 .ic_detach = wep_detach, 68 .ic_setkey = wep_setkey, 69 .ic_setiv = wep_setiv, 70 .ic_encap = wep_encap, 71 .ic_decap = wep_decap, 72 .ic_enmic = wep_enmic, 73 .ic_demic = wep_demic, 74 }; 75 76 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 77 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 78 79 struct wep_ctx { 80 struct ieee80211vap *wc_vap; /* for diagnostics+statistics */ 81 struct ieee80211com *wc_ic; 82 uint32_t wc_iv; /* initial vector for crypto */ 83 }; 84 85 /* number of references from net80211 layer */ 86 static int nrefs = 0; 87 88 static void * 89 wep_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 90 { 91 struct wep_ctx *ctx; 92 93 #if defined(__DragonFly__) 94 ctx = (struct wep_ctx *) kmalloc(sizeof(struct wep_ctx), 95 M_80211_CRYPTO, M_INTWAIT | M_ZERO); 96 #else 97 ctx = (struct wep_ctx *) IEEE80211_MALLOC(sizeof(struct wep_ctx), 98 M_80211_CRYPTO, IEEE80211_M_NOWAIT | IEEE80211_M_ZERO); 99 #endif 100 if (ctx == NULL) { 101 vap->iv_stats.is_crypto_nomem++; 102 return NULL; 103 } 104 105 ctx->wc_vap = vap; 106 ctx->wc_ic = vap->iv_ic; 107 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv)); 108 nrefs++; /* NB: we assume caller locking */ 109 return ctx; 110 } 111 112 static void 113 wep_detach(struct ieee80211_key *k) 114 { 115 struct wep_ctx *ctx = k->wk_private; 116 117 IEEE80211_FREE(ctx, M_80211_CRYPTO); 118 KASSERT(nrefs > 0, ("imbalanced attach/detach")); 119 nrefs--; /* NB: we assume caller locking */ 120 } 121 122 static int 123 wep_setkey(struct ieee80211_key *k) 124 { 125 return k->wk_keylen >= 40/NBBY; 126 } 127 128 static void 129 wep_setiv(struct ieee80211_key *k, uint8_t *ivp) 130 { 131 struct wep_ctx *ctx = k->wk_private; 132 struct ieee80211vap *vap = ctx->wc_vap; 133 uint32_t iv; 134 uint8_t keyid; 135 136 keyid = ieee80211_crypto_get_keyid(vap, k) << 6; 137 138 /* 139 * XXX 140 * IV must not duplicate during the lifetime of the key. 141 * But no mechanism to renew keys is defined in IEEE 802.11 142 * for WEP. And the IV may be duplicated at other stations 143 * because the session key itself is shared. So we use a 144 * pseudo random IV for now, though it is not the right way. 145 * 146 * NB: Rather than use a strictly random IV we select a 147 * random one to start and then increment the value for 148 * each frame. This is an explicit tradeoff between 149 * overhead and security. Given the basic insecurity of 150 * WEP this seems worthwhile. 151 */ 152 153 /* 154 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir: 155 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255 156 */ 157 iv = ctx->wc_iv; 158 if ((iv & 0xff00) == 0xff00) { 159 int B = (iv & 0xff0000) >> 16; 160 if (3 <= B && B < 16) 161 iv += 0x0100; 162 } 163 ctx->wc_iv = iv + 1; 164 165 /* 166 * NB: Preserve byte order of IV for packet 167 * sniffers; it doesn't matter otherwise. 168 */ 169 #if _BYTE_ORDER == _BIG_ENDIAN 170 ivp[0] = iv >> 0; 171 ivp[1] = iv >> 8; 172 ivp[2] = iv >> 16; 173 #else 174 ivp[2] = iv >> 0; 175 ivp[1] = iv >> 8; 176 ivp[0] = iv >> 16; 177 #endif 178 ivp[3] = keyid; 179 } 180 181 /* 182 * Add privacy headers appropriate for the specified key. 183 */ 184 static int 185 wep_encap(struct ieee80211_key *k, struct mbuf *m) 186 { 187 struct wep_ctx *ctx = k->wk_private; 188 struct ieee80211com *ic = ctx->wc_ic; 189 uint8_t *ivp; 190 int hdrlen; 191 192 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 193 194 /* 195 * Copy down 802.11 header and add the IV + KeyID. 196 */ 197 M_PREPEND(m, wep.ic_header, M_NOWAIT); 198 if (m == NULL) 199 return 0; 200 ivp = mtod(m, uint8_t *); 201 bcopy(ivp + wep.ic_header, ivp, hdrlen); 202 ivp += hdrlen; 203 204 wep_setiv(k, ivp); 205 206 /* 207 * Finally, do software encrypt if needed. 208 */ 209 if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 210 !wep_encrypt(k, m, hdrlen)) 211 return 0; 212 213 return 1; 214 } 215 216 /* 217 * Add MIC to the frame as needed. 218 */ 219 static int 220 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 221 { 222 223 return 1; 224 } 225 226 /* 227 * Validate and strip privacy headers (and trailer) for a 228 * received frame. If necessary, decrypt the frame using 229 * the specified key. 230 */ 231 static int 232 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 233 { 234 struct wep_ctx *ctx = k->wk_private; 235 struct ieee80211vap *vap = ctx->wc_vap; 236 struct ieee80211_frame *wh; 237 238 wh = mtod(m, struct ieee80211_frame *); 239 240 /* 241 * Check if the device handled the decrypt in hardware. 242 * If so we just strip the header; otherwise we need to 243 * handle the decrypt in software. 244 */ 245 if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 246 !wep_decrypt(k, m, hdrlen)) { 247 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 248 "%s", "WEP ICV mismatch on decrypt"); 249 vap->iv_stats.is_rx_wepfail++; 250 return 0; 251 } 252 253 /* 254 * Copy up 802.11 header and strip crypto bits. 255 */ 256 bcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen); 257 m_adj(m, wep.ic_header); 258 m_adj(m, -wep.ic_trailer); 259 260 return 1; 261 } 262 263 /* 264 * Verify and strip MIC from the frame. 265 */ 266 static int 267 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force) 268 { 269 return 1; 270 } 271 272 static const uint32_t crc32_table[256] = { 273 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 274 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 275 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 276 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 277 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 278 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 279 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 280 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 281 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 282 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 283 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 284 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 285 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 286 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 287 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 288 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 289 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 290 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 291 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 292 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 293 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 294 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 295 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 296 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 297 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 298 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 299 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 300 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 301 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 302 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 303 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 304 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 305 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 306 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 307 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 308 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 309 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 310 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 311 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 312 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 313 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 314 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 315 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 316 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 317 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 318 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 319 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 320 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 321 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 322 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 323 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 324 0x2d02ef8dL 325 }; 326 327 static int 328 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 329 { 330 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 331 struct wep_ctx *ctx = key->wk_private; 332 struct ieee80211vap *vap = ctx->wc_vap; 333 struct mbuf *m = m0; 334 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 335 uint8_t icv[IEEE80211_WEP_CRCLEN]; 336 uint32_t i, j, k, crc; 337 size_t buflen, data_len; 338 uint8_t S[256]; 339 uint8_t *pos; 340 u_int off, keylen; 341 342 vap->iv_stats.is_crypto_wep++; 343 344 /* NB: this assumes the header was pulled up */ 345 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 346 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 347 348 /* Setup RC4 state */ 349 for (i = 0; i < 256; i++) 350 S[i] = i; 351 j = 0; 352 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 353 for (i = 0; i < 256; i++) { 354 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 355 S_SWAP(i, j); 356 } 357 358 off = hdrlen + wep.ic_header; 359 data_len = m->m_pkthdr.len - off; 360 361 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 362 crc = ~0; 363 i = j = 0; 364 pos = mtod(m, uint8_t *) + off; 365 buflen = m->m_len - off; 366 for (;;) { 367 if (buflen > data_len) 368 buflen = data_len; 369 data_len -= buflen; 370 for (k = 0; k < buflen; k++) { 371 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 372 i = (i + 1) & 0xff; 373 j = (j + S[i]) & 0xff; 374 S_SWAP(i, j); 375 *pos++ ^= S[(S[i] + S[j]) & 0xff]; 376 } 377 if (m->m_next == NULL) { 378 if (data_len != 0) { /* out of data */ 379 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 380 ether_sprintf(mtod(m0, 381 struct ieee80211_frame *)->i_addr2), 382 "out of data for WEP (data_len %zu)", 383 data_len); 384 /* XXX stat */ 385 return 0; 386 } 387 break; 388 } 389 m = m->m_next; 390 pos = mtod(m, uint8_t *); 391 buflen = m->m_len; 392 } 393 crc = ~crc; 394 395 /* Append little-endian CRC32 and encrypt it to produce ICV */ 396 icv[0] = crc; 397 icv[1] = crc >> 8; 398 icv[2] = crc >> 16; 399 icv[3] = crc >> 24; 400 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 401 i = (i + 1) & 0xff; 402 j = (j + S[i]) & 0xff; 403 S_SWAP(i, j); 404 icv[k] ^= S[(S[i] + S[j]) & 0xff]; 405 } 406 return m_append(m0, IEEE80211_WEP_CRCLEN, icv); 407 #undef S_SWAP 408 } 409 410 static int 411 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 412 { 413 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 414 struct wep_ctx *ctx = key->wk_private; 415 struct ieee80211vap *vap = ctx->wc_vap; 416 struct mbuf *m = m0; 417 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 418 uint8_t icv[IEEE80211_WEP_CRCLEN]; 419 uint32_t i, j, k, crc; 420 size_t buflen, data_len; 421 uint8_t S[256]; 422 uint8_t *pos; 423 u_int off, keylen; 424 425 vap->iv_stats.is_crypto_wep++; 426 427 /* NB: this assumes the header was pulled up */ 428 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 429 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 430 431 /* Setup RC4 state */ 432 for (i = 0; i < 256; i++) 433 S[i] = i; 434 j = 0; 435 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 436 for (i = 0; i < 256; i++) { 437 j = (j + S[i] + rc4key[i % keylen]) & 0xff; 438 S_SWAP(i, j); 439 } 440 441 off = hdrlen + wep.ic_header; 442 data_len = m->m_pkthdr.len - (off + wep.ic_trailer); 443 444 /* Compute CRC32 over unencrypted data and apply RC4 to data */ 445 crc = ~0; 446 i = j = 0; 447 pos = mtod(m, uint8_t *) + off; 448 buflen = m->m_len - off; 449 for (;;) { 450 if (buflen > data_len) 451 buflen = data_len; 452 data_len -= buflen; 453 for (k = 0; k < buflen; k++) { 454 i = (i + 1) & 0xff; 455 j = (j + S[i]) & 0xff; 456 S_SWAP(i, j); 457 *pos ^= S[(S[i] + S[j]) & 0xff]; 458 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 459 pos++; 460 } 461 m = m->m_next; 462 if (m == NULL) { 463 if (data_len != 0) { /* out of data */ 464 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 465 mtod(m0, struct ieee80211_frame *)->i_addr2, 466 "out of data for WEP (data_len %zu)", 467 data_len); 468 return 0; 469 } 470 break; 471 } 472 pos = mtod(m, uint8_t *); 473 buflen = m->m_len; 474 } 475 crc = ~crc; 476 477 /* Encrypt little-endian CRC32 and verify that it matches with 478 * received ICV */ 479 icv[0] = crc; 480 icv[1] = crc >> 8; 481 icv[2] = crc >> 16; 482 icv[3] = crc >> 24; 483 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 484 i = (i + 1) & 0xff; 485 j = (j + S[i]) & 0xff; 486 S_SWAP(i, j); 487 /* XXX assumes ICV is contiguous in mbuf */ 488 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 489 /* ICV mismatch - drop frame */ 490 return 0; 491 } 492 } 493 return 1; 494 #undef S_SWAP 495 } 496 497 /* 498 * Module glue. 499 */ 500 IEEE80211_CRYPTO_MODULE(wep, 1); 501