1 /*-
2 * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD: releng/7.4/sys/net80211/ieee80211_crypto_wep.c 170530 2007-06-11 03:36:55Z sam $");
28
29 /*
30 * IEEE 802.11 WEP crypto support.
31 */
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/mbuf.h>
35 #include <sys/malloc.h>
36 #include <sys/kernel.h>
37 #include <sys/module.h>
38 #include <sys/endian.h>
39
40 #include <sys/socket.h>
41
42 #include <net/if.h>
43 #include <net/if_media.h>
44 #include <net/ethernet.h>
45
46 #include <net80211/ieee80211_var.h>
47
48 static void *wep_attach(struct ieee80211com *, struct ieee80211_key *);
49 static void wep_detach(struct ieee80211_key *);
50 static int wep_setkey(struct ieee80211_key *);
51 static int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid);
52 static int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen);
53 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int);
54 static int wep_demic(struct ieee80211_key *, struct mbuf *, int);
55
56 static const struct ieee80211_cipher wep = {
57 .ic_name = "WEP",
58 .ic_cipher = IEEE80211_CIPHER_WEP,
59 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN,
60 .ic_trailer = IEEE80211_WEP_CRCLEN,
61 .ic_miclen = 0,
62 .ic_attach = wep_attach,
63 .ic_detach = wep_detach,
64 .ic_setkey = wep_setkey,
65 .ic_encap = wep_encap,
66 .ic_decap = wep_decap,
67 .ic_enmic = wep_enmic,
68 .ic_demic = wep_demic,
69 };
70
71 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
72 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
73
74 struct wep_ctx {
75 struct ieee80211com *wc_ic; /* for diagnostics */
76 uint32_t wc_iv; /* initial vector for crypto */
77 };
78
79 /* number of references from net80211 layer */
80 static int nrefs = 0;
81
82 static void *
83 wep_attach(struct ieee80211com *ic, struct ieee80211_key *k)
84 {
85 struct wep_ctx *ctx;
86
87 MALLOC(ctx, struct wep_ctx *, sizeof(struct wep_ctx),
88 M_DEVBUF, M_NOWAIT | M_ZERO);
89 if (ctx == NULL) {
90 ic->ic_stats.is_crypto_nomem++;
91 return NULL;
92 }
93
94 ctx->wc_ic = ic;
95 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv));
96 nrefs++; /* NB: we assume caller locking */
97 return ctx;
98 }
99
100 static void
101 wep_detach(struct ieee80211_key *k)
102 {
103 struct wep_ctx *ctx = k->wk_private;
104
105 FREE(ctx, M_DEVBUF);
106 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
107 nrefs--; /* NB: we assume caller locking */
108 }
109
110 static int
111 wep_setkey(struct ieee80211_key *k)
112 {
113 return k->wk_keylen >= 40/NBBY;
114 }
115
116 /*
117 * Add privacy headers appropriate for the specified key.
118 */
119 static int
120 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid)
121 {
122 struct wep_ctx *ctx = k->wk_private;
123 struct ieee80211com *ic = ctx->wc_ic;
124 uint32_t iv;
125 uint8_t *ivp;
126 int hdrlen;
127
128 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
129
130 /*
131 * Copy down 802.11 header and add the IV + KeyID.
132 */
133 M_PREPEND(m, wep.ic_header, M_NOWAIT);
134 if (m == NULL)
135 return 0;
136 ivp = mtod(m, uint8_t *);
137 ovbcopy(ivp + wep.ic_header, ivp, hdrlen);
138 ivp += hdrlen;
139
140 /*
141 * XXX
142 * IV must not duplicate during the lifetime of the key.
143 * But no mechanism to renew keys is defined in IEEE 802.11
144 * for WEP. And the IV may be duplicated at other stations
145 * because the session key itself is shared. So we use a
146 * pseudo random IV for now, though it is not the right way.
147 *
148 * NB: Rather than use a strictly random IV we select a
149 * random one to start and then increment the value for
150 * each frame. This is an explicit tradeoff between
151 * overhead and security. Given the basic insecurity of
152 * WEP this seems worthwhile.
153 */
154
155 /*
156 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
157 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255
158 */
159 iv = ctx->wc_iv;
160 if ((iv & 0xff00) == 0xff00) {
161 int B = (iv & 0xff0000) >> 16;
162 if (3 <= B && B < 16)
163 iv += 0x0100;
164 }
165 ctx->wc_iv = iv + 1;
166
167 /*
168 * NB: Preserve byte order of IV for packet
169 * sniffers; it doesn't matter otherwise.
170 */
171 #if _BYTE_ORDER == _BIG_ENDIAN
172 ivp[0] = iv >> 0;
173 ivp[1] = iv >> 8;
174 ivp[2] = iv >> 16;
175 #else
176 ivp[2] = iv >> 0;
177 ivp[1] = iv >> 8;
178 ivp[0] = iv >> 16;
179 #endif
180 ivp[3] = keyid;
181
182 /*
183 * Finally, do software encrypt if neeed.
184 */
185 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
186 !wep_encrypt(k, m, hdrlen))
187 return 0;
188
189 return 1;
190 }
191
192 /*
193 * Add MIC to the frame as needed.
194 */
195 static int
196 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
197 {
198
199 return 1;
200 }
201
202 /*
203 * Validate and strip privacy headers (and trailer) for a
204 * received frame. If necessary, decrypt the frame using
205 * the specified key.
206 */
207 static int
208 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
209 {
210 struct wep_ctx *ctx = k->wk_private;
211 struct ieee80211_frame *wh;
212
213 wh = mtod(m, struct ieee80211_frame *);
214
215 /*
216 * Check if the device handled the decrypt in hardware.
217 * If so we just strip the header; otherwise we need to
218 * handle the decrypt in software.
219 */
220 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
221 !wep_decrypt(k, m, hdrlen)) {
222 IEEE80211_DPRINTF(ctx->wc_ic, IEEE80211_MSG_CRYPTO,
223 "[%s] WEP ICV mismatch on decrypt\n",
224 ether_sprintf(wh->i_addr2));
225 ctx->wc_ic->ic_stats.is_rx_wepfail++;
226 return 0;
227 }
228
229 /*
230 * Copy up 802.11 header and strip crypto bits.
231 */
232 ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen);
233 m_adj(m, wep.ic_header);
234 m_adj(m, -wep.ic_trailer);
235
236 return 1;
237 }
238
239 /*
240 * Verify and strip MIC from the frame.
241 */
242 static int
243 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force)
244 {
245 return 1;
246 }
247
248 static const uint32_t crc32_table[256] = {
249 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
250 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
251 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
252 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
253 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
254 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
255 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
256 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
257 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
258 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
259 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
260 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
261 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
262 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
263 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
264 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
265 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
266 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
267 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
268 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
269 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
270 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
271 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
272 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
273 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
274 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
275 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
276 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
277 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
278 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
279 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
280 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
281 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
282 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
283 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
284 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
285 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
286 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
287 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
288 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
289 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
290 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
291 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
292 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
293 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
294 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
295 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
296 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
297 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
298 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
299 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
300 0x2d02ef8dL
301 };
302
303 static int
304 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
305 {
306 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
307 struct wep_ctx *ctx = key->wk_private;
308 struct mbuf *m = m0;
309 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
310 uint8_t icv[IEEE80211_WEP_CRCLEN];
311 uint32_t i, j, k, crc;
312 size_t buflen, data_len;
313 uint8_t S[256];
314 uint8_t *pos;
315 u_int off, keylen;
316
317 ctx->wc_ic->ic_stats.is_crypto_wep++;
318
319 /* NB: this assumes the header was pulled up */
320 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
321 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
322
323 /* Setup RC4 state */
324 for (i = 0; i < 256; i++)
325 S[i] = i;
326 j = 0;
327 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
328 for (i = 0; i < 256; i++) {
329 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
330 S_SWAP(i, j);
331 }
332
333 off = hdrlen + wep.ic_header;
334 data_len = m->m_pkthdr.len - off;
335
336 /* Compute CRC32 over unencrypted data and apply RC4 to data */
337 crc = ~0;
338 i = j = 0;
339 pos = mtod(m, uint8_t *) + off;
340 buflen = m->m_len - off;
341 for (;;) {
342 if (buflen > data_len)
343 buflen = data_len;
344 data_len -= buflen;
345 for (k = 0; k < buflen; k++) {
346 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
347 i = (i + 1) & 0xff;
348 j = (j + S[i]) & 0xff;
349 S_SWAP(i, j);
350 *pos++ ^= S[(S[i] + S[j]) & 0xff];
351 }
352 if (m->m_next == NULL) {
353 if (data_len != 0) { /* out of data */
354 IEEE80211_DPRINTF(ctx->wc_ic,
355 IEEE80211_MSG_CRYPTO,
356 "[%s] out of data for WEP (data_len %zu)\n",
357 ether_sprintf(mtod(m0,
358 struct ieee80211_frame *)->i_addr2),
359 data_len);
360 return 0;
361 }
362 break;
363 }
364 m = m->m_next;
365 pos = mtod(m, uint8_t *);
366 buflen = m->m_len;
367 }
368 crc = ~crc;
369
370 /* Append little-endian CRC32 and encrypt it to produce ICV */
371 icv[0] = crc;
372 icv[1] = crc >> 8;
373 icv[2] = crc >> 16;
374 icv[3] = crc >> 24;
375 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
376 i = (i + 1) & 0xff;
377 j = (j + S[i]) & 0xff;
378 S_SWAP(i, j);
379 icv[k] ^= S[(S[i] + S[j]) & 0xff];
380 }
381 return m_append(m0, IEEE80211_WEP_CRCLEN, icv);
382 #undef S_SWAP
383 }
384
385 static int
386 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
387 {
388 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
389 struct wep_ctx *ctx = key->wk_private;
390 struct mbuf *m = m0;
391 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
392 uint8_t icv[IEEE80211_WEP_CRCLEN];
393 uint32_t i, j, k, crc;
394 size_t buflen, data_len;
395 uint8_t S[256];
396 uint8_t *pos;
397 u_int off, keylen;
398
399 ctx->wc_ic->ic_stats.is_crypto_wep++;
400
401 /* NB: this assumes the header was pulled up */
402 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
403 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
404
405 /* Setup RC4 state */
406 for (i = 0; i < 256; i++)
407 S[i] = i;
408 j = 0;
409 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
410 for (i = 0; i < 256; i++) {
411 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
412 S_SWAP(i, j);
413 }
414
415 off = hdrlen + wep.ic_header;
416 data_len = m->m_pkthdr.len - (off + wep.ic_trailer),
417
418 /* Compute CRC32 over unencrypted data and apply RC4 to data */
419 crc = ~0;
420 i = j = 0;
421 pos = mtod(m, uint8_t *) + off;
422 buflen = m->m_len - off;
423 for (;;) {
424 if (buflen > data_len)
425 buflen = data_len;
426 data_len -= buflen;
427 for (k = 0; k < buflen; k++) {
428 i = (i + 1) & 0xff;
429 j = (j + S[i]) & 0xff;
430 S_SWAP(i, j);
431 *pos ^= S[(S[i] + S[j]) & 0xff];
432 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
433 pos++;
434 }
435 m = m->m_next;
436 if (m == NULL) {
437 if (data_len != 0) { /* out of data */
438 IEEE80211_DPRINTF(ctx->wc_ic,
439 IEEE80211_MSG_CRYPTO,
440 "[%s] out of data for WEP (data_len %zu)\n",
441 ether_sprintf(mtod(m0,
442 struct ieee80211_frame *)->i_addr2),
443 data_len);
444 return 0;
445 }
446 break;
447 }
448 pos = mtod(m, uint8_t *);
449 buflen = m->m_len;
450 }
451 crc = ~crc;
452
453 /* Encrypt little-endian CRC32 and verify that it matches with
454 * received ICV */
455 icv[0] = crc;
456 icv[1] = crc >> 8;
457 icv[2] = crc >> 16;
458 icv[3] = crc >> 24;
459 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
460 i = (i + 1) & 0xff;
461 j = (j + S[i]) & 0xff;
462 S_SWAP(i, j);
463 /* XXX assumes ICV is contiguous in mbuf */
464 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
465 /* ICV mismatch - drop frame */
466 return 0;
467 }
468 }
469 return 1;
470 #undef S_SWAP
471 }
472
473 /*
474 * Module glue.
475 */
476 IEEE80211_CRYPTO_MODULE(wep, 1);
Cache object: 15f055fdd8ac163c36fef77db5835181
|