1 /*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 /* 37 * IEEE 802.11 generic crypto support. 38 */ 39 #include <sys/param.h> 40 #include <sys/mbuf.h> 41 42 #include <sys/socket.h> 43 44 #include <net/if.h> 45 #include <net/if_media.h> 46 #include <net/ethernet.h> /* XXX ETHER_HDR_LEN */ 47 48 #include <net80211/ieee80211_var.h> 49 50 /* 51 * Table of registered cipher modules. 52 */ 53 static const struct ieee80211_cipher *ciphers[IEEE80211_CIPHER_MAX]; 54 55 static int _ieee80211_crypto_delkey(struct ieee80211com *, 56 struct ieee80211_key *); 57 58 /* 59 * Default "null" key management routines. 60 */ 61 static int 62 null_key_alloc(struct ieee80211com *ic, const struct ieee80211_key *k) 63 { 64 return IEEE80211_KEYIX_NONE; 65 } 66 static int 67 null_key_delete(struct ieee80211com *ic, const struct ieee80211_key *k) 68 { 69 return 1; 70 } 71 static int 72 null_key_set(struct ieee80211com *ic, const struct ieee80211_key *k, 73 const u_int8_t mac[IEEE80211_ADDR_LEN]) 74 { 75 return 1; 76 } 77 static void null_key_update(struct ieee80211com *ic) {} 78 79 /* 80 * Write-arounds for common operations. 81 */ 82 static __inline void 83 cipher_detach(struct ieee80211_key *key) 84 { 85 key->wk_cipher->ic_detach(key); 86 } 87 88 static __inline void * 89 cipher_attach(struct ieee80211com *ic, struct ieee80211_key *key) 90 { 91 return key->wk_cipher->ic_attach(ic, key); 92 } 93 94 /* 95 * Wrappers for driver key management methods. 96 */ 97 static __inline int 98 dev_key_alloc(struct ieee80211com *ic, 99 const struct ieee80211_key *key) 100 { 101 return ic->ic_crypto.cs_key_alloc(ic, key); 102 } 103 104 static __inline int 105 dev_key_delete(struct ieee80211com *ic, 106 const struct ieee80211_key *key) 107 { 108 return ic->ic_crypto.cs_key_delete(ic, key); 109 } 110 111 static __inline int 112 dev_key_set(struct ieee80211com *ic, const struct ieee80211_key *key, 113 const u_int8_t mac[IEEE80211_ADDR_LEN]) 114 { 115 return ic->ic_crypto.cs_key_set(ic, key, mac); 116 } 117 118 /* 119 * Setup crypto support. 120 */ 121 void 122 ieee80211_crypto_attach(struct ieee80211com *ic) 123 { 124 struct ieee80211_crypto_state *cs = &ic->ic_crypto; 125 int i; 126 127 /* NB: we assume everything is pre-zero'd */ 128 cs->cs_def_txkey = IEEE80211_KEYIX_NONE; 129 ciphers[IEEE80211_CIPHER_NONE] = &ieee80211_cipher_none; 130 for (i = 0; i < IEEE80211_WEP_NKID; i++) 131 ieee80211_crypto_resetkey(ic, &cs->cs_nw_keys[i], i); 132 /* 133 * Initialize the driver key support routines to noop entries. 134 * This is useful especially for the cipher test modules. 135 */ 136 cs->cs_key_alloc = null_key_alloc; 137 cs->cs_key_set = null_key_set; 138 cs->cs_key_delete = null_key_delete; 139 cs->cs_key_update_begin = null_key_update; 140 cs->cs_key_update_end = null_key_update; 141 } 142 143 /* 144 * Teardown crypto support. 145 */ 146 void 147 ieee80211_crypto_detach(struct ieee80211com *ic) 148 { 149 ieee80211_crypto_delglobalkeys(ic); 150 } 151 152 /* 153 * Register a crypto cipher module. 154 */ 155 void 156 ieee80211_crypto_register(const struct ieee80211_cipher *cip) 157 { 158 if (cip->ic_cipher >= IEEE80211_CIPHER_MAX) { 159 printf("%s: cipher %s has an invalid cipher index %u\n", 160 __func__, cip->ic_name, cip->ic_cipher); 161 return; 162 } 163 if (ciphers[cip->ic_cipher] != NULL && ciphers[cip->ic_cipher] != cip) { 164 printf("%s: cipher %s registered with a different template\n", 165 __func__, cip->ic_name); 166 return; 167 } 168 ciphers[cip->ic_cipher] = cip; 169 } 170 171 /* 172 * Unregister a crypto cipher module. 173 */ 174 void 175 ieee80211_crypto_unregister(const struct ieee80211_cipher *cip) 176 { 177 if (cip->ic_cipher >= IEEE80211_CIPHER_MAX) { 178 printf("%s: cipher %s has an invalid cipher index %u\n", 179 __func__, cip->ic_name, cip->ic_cipher); 180 return; 181 } 182 if (ciphers[cip->ic_cipher] != NULL && ciphers[cip->ic_cipher] != cip) { 183 printf("%s: cipher %s registered with a different template\n", 184 __func__, cip->ic_name); 185 return; 186 } 187 /* NB: don't complain about not being registered */ 188 /* XXX disallow if references */ 189 ciphers[cip->ic_cipher] = NULL; 190 } 191 192 int 193 ieee80211_crypto_available(u_int cipher) 194 { 195 return cipher < IEEE80211_CIPHER_MAX && ciphers[cipher] != NULL; 196 } 197 198 /* XXX well-known names! */ 199 static const char *cipher_modnames[] = { 200 "wlan_wep", /* IEEE80211_CIPHER_WEP */ 201 "wlan_tkip", /* IEEE80211_CIPHER_TKIP */ 202 "wlan_aes_ocb", /* IEEE80211_CIPHER_AES_OCB */ 203 "wlan_ccmp", /* IEEE80211_CIPHER_AES_CCM */ 204 "wlan_ckip", /* IEEE80211_CIPHER_CKIP */ 205 }; 206 207 /* 208 * Establish a relationship between the specified key and cipher 209 * and, if not a global key, allocate a hardware index from the 210 * driver. Note that we may be called for global keys but they 211 * should have a key index already setup so the only work done 212 * is to setup the cipher reference. 213 * 214 * This must be the first call applied to a key; all the other key 215 * routines assume wk_cipher is setup. 216 * 217 * Locking must be handled by the caller using: 218 * ieee80211_key_update_begin(ic); 219 * ieee80211_key_update_end(ic); 220 */ 221 int 222 ieee80211_crypto_newkey(struct ieee80211com *ic, 223 int cipher, struct ieee80211_key *key) 224 { 225 #define N(a) (sizeof(a) / sizeof(a[0])) 226 const struct ieee80211_cipher *cip; 227 void *keyctx; 228 int oflags; 229 230 /* 231 * Validate cipher and set reference to cipher routines. 232 */ 233 if (cipher >= IEEE80211_CIPHER_MAX) { 234 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 235 "%s: invalid cipher %u\n", __func__, cipher); 236 ic->ic_stats.is_crypto_badcipher++; 237 return 0; 238 } 239 cip = ciphers[cipher]; 240 if (cip == NULL) { 241 /* 242 * Auto-load cipher module if we have a well-known name 243 * for it. It might be better to use string names rather 244 * than numbers and craft a module name based on the cipher 245 * name; e.g. wlan_cipher_<cipher-name>. 246 */ 247 if (cipher < N(cipher_modnames)) { 248 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 249 "%s: unregistered cipher %u, load module %s\n", 250 __func__, cipher, cipher_modnames[cipher]); 251 ieee80211_load_module(cipher_modnames[cipher]); 252 /* 253 * If cipher module loaded it should immediately 254 * call ieee80211_crypto_register which will fill 255 * in the entry in the ciphers array. 256 */ 257 cip = ciphers[cipher]; 258 } 259 if (cip == NULL) { 260 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 261 "%s: unable to load cipher %u, module %s\n", 262 __func__, cipher, 263 cipher < N(cipher_modnames) ? 264 cipher_modnames[cipher] : "<unknown>"); 265 ic->ic_stats.is_crypto_nocipher++; 266 return 0; 267 } 268 } 269 270 oflags = key->wk_flags; 271 /* 272 * If the hardware does not support the cipher then 273 * fallback to a host-based implementation. 274 */ 275 key->wk_flags &= ~(IEEE80211_KEY_SWCRYPT|IEEE80211_KEY_SWMIC); 276 if ((ic->ic_caps & (1<<cipher)) == 0) { 277 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 278 "%s: no h/w support for cipher %s, falling back to s/w\n", 279 __func__, cip->ic_name); 280 key->wk_flags |= IEEE80211_KEY_SWCRYPT; 281 } 282 /* 283 * Hardware TKIP with software MIC is an important 284 * combination; we handle it by flagging each key, 285 * the cipher modules honor it. 286 */ 287 if (cipher == IEEE80211_CIPHER_TKIP && 288 (ic->ic_caps & IEEE80211_C_TKIPMIC) == 0) { 289 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 290 "%s: no h/w support for TKIP MIC, falling back to s/w\n", 291 __func__); 292 key->wk_flags |= IEEE80211_KEY_SWMIC; 293 } 294 295 /* 296 * Bind cipher to key instance. Note we do this 297 * after checking the device capabilities so the 298 * cipher module can optimize space usage based on 299 * whether or not it needs to do the cipher work. 300 */ 301 if (key->wk_cipher != cip || key->wk_flags != oflags) { 302 again: 303 keyctx = cip->ic_attach(ic, key); 304 if (keyctx == NULL) { 305 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 306 "%s: unable to attach cipher %s\n", 307 __func__, cip->ic_name); 308 key->wk_flags = oflags; /* restore old flags */ 309 ic->ic_stats.is_crypto_attachfail++; 310 return 0; 311 } 312 cipher_detach(key); 313 key->wk_cipher = cip; /* XXX refcnt? */ 314 key->wk_private = keyctx; 315 } 316 317 /* 318 * Ask the driver for a key index if we don't have one. 319 * Note that entries in the global key table always have 320 * an index; this means it's safe to call this routine 321 * for these entries just to setup the reference to the 322 * cipher template. Note also that when using software 323 * crypto we also call the driver to give us a key index. 324 */ 325 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 326 key->wk_keyix = dev_key_alloc(ic, key); 327 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 328 /* 329 * Driver has no room; fallback to doing crypto 330 * in the host. We change the flags and start the 331 * procedure over. If we get back here then there's 332 * no hope and we bail. Note that this can leave 333 * the key in a inconsistent state if the caller 334 * continues to use it. 335 */ 336 if ((key->wk_flags & IEEE80211_KEY_SWCRYPT) == 0) { 337 ic->ic_stats.is_crypto_swfallback++; 338 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 339 "%s: no h/w resources for cipher %s, " 340 "falling back to s/w\n", __func__, 341 cip->ic_name); 342 oflags = key->wk_flags; 343 key->wk_flags |= IEEE80211_KEY_SWCRYPT; 344 if (cipher == IEEE80211_CIPHER_TKIP) 345 key->wk_flags |= IEEE80211_KEY_SWMIC; 346 goto again; 347 } 348 ic->ic_stats.is_crypto_keyfail++; 349 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 350 "%s: unable to setup cipher %s\n", 351 __func__, cip->ic_name); 352 return 0; 353 } 354 } 355 return 1; 356 #undef N 357 } 358 359 /* 360 * Remove the key (no locking, for internal use). 361 */ 362 static int 363 _ieee80211_crypto_delkey(struct ieee80211com *ic, struct ieee80211_key *key) 364 { 365 u_int16_t keyix; 366 367 KASSERT(key->wk_cipher != NULL, ("No cipher!")); 368 369 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 370 "%s: %s keyix %u flags 0x%x rsc %ju tsc %ju len %u\n", 371 __func__, key->wk_cipher->ic_name, 372 key->wk_keyix, key->wk_flags, 373 key->wk_keyrsc, key->wk_keytsc, key->wk_keylen); 374 375 keyix = key->wk_keyix; 376 if (keyix != IEEE80211_KEYIX_NONE) { 377 /* 378 * Remove hardware entry. 379 */ 380 /* XXX key cache */ 381 if (!dev_key_delete(ic, key)) { 382 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 383 "%s: driver did not delete key index %u\n", 384 __func__, keyix); 385 ic->ic_stats.is_crypto_delkey++; 386 /* XXX recovery? */ 387 } 388 } 389 cipher_detach(key); 390 memset(key, 0, sizeof(*key)); 391 key->wk_cipher = &ieee80211_cipher_none; 392 key->wk_private = cipher_attach(ic, key); 393 /* NB: cannot depend on key index to decide this */ 394 if (&ic->ic_nw_keys[0] <= key && 395 key < &ic->ic_nw_keys[IEEE80211_WEP_NKID]) 396 key->wk_keyix = keyix; /* preserve shared key state */ 397 else 398 key->wk_keyix = IEEE80211_KEYIX_NONE; 399 return 1; 400 } 401 402 /* 403 * Remove the specified key. 404 */ 405 int 406 ieee80211_crypto_delkey(struct ieee80211com *ic, struct ieee80211_key *key) 407 { 408 int status; 409 410 ieee80211_key_update_begin(ic); 411 status = _ieee80211_crypto_delkey(ic, key); 412 ieee80211_key_update_end(ic); 413 return status; 414 } 415 416 /* 417 * Clear the global key table. 418 */ 419 void 420 ieee80211_crypto_delglobalkeys(struct ieee80211com *ic) 421 { 422 int i; 423 424 ieee80211_key_update_begin(ic); 425 for (i = 0; i < IEEE80211_WEP_NKID; i++) 426 (void) _ieee80211_crypto_delkey(ic, &ic->ic_nw_keys[i]); 427 ieee80211_key_update_end(ic); 428 } 429 430 /* 431 * Set the contents of the specified key. 432 * 433 * Locking must be handled by the caller using: 434 * ieee80211_key_update_begin(ic); 435 * ieee80211_key_update_end(ic); 436 */ 437 int 438 ieee80211_crypto_setkey(struct ieee80211com *ic, struct ieee80211_key *key, 439 const u_int8_t macaddr[IEEE80211_ADDR_LEN]) 440 { 441 const struct ieee80211_cipher *cip = key->wk_cipher; 442 443 KASSERT(cip != NULL, ("No cipher!")); 444 445 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 446 "%s: %s keyix %u flags 0x%x mac %s rsc %ju tsc %ju len %u\n", 447 __func__, cip->ic_name, key->wk_keyix, 448 key->wk_flags, ether_sprintf(macaddr), 449 key->wk_keyrsc, key->wk_keytsc, key->wk_keylen); 450 451 /* 452 * Give cipher a chance to validate key contents. 453 * XXX should happen before modifying state. 454 */ 455 if (!cip->ic_setkey(key)) { 456 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 457 "%s: cipher %s rejected key index %u len %u flags 0x%x\n", 458 __func__, cip->ic_name, key->wk_keyix, 459 key->wk_keylen, key->wk_flags); 460 ic->ic_stats.is_crypto_setkey_cipher++; 461 return 0; 462 } 463 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 464 /* XXX nothing allocated, should not happen */ 465 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 466 "%s: no key index; should not happen!\n", __func__); 467 ic->ic_stats.is_crypto_setkey_nokey++; 468 return 0; 469 } 470 return dev_key_set(ic, key, macaddr); 471 } 472 473 /* 474 * Add privacy headers appropriate for the specified key. 475 */ 476 struct ieee80211_key * 477 ieee80211_crypto_encap(struct ieee80211com *ic, 478 struct ieee80211_node *ni, struct mbuf *m) 479 { 480 struct ieee80211_key *k; 481 struct ieee80211_frame *wh; 482 const struct ieee80211_cipher *cip; 483 u_int8_t keyix; 484 485 /* 486 * Multicast traffic always uses the multicast key. 487 * Otherwise if a unicast key is set we use that and 488 * it is always key index 0. When no unicast key is 489 * set we fall back to the default transmit key. 490 */ 491 wh = mtod(m, struct ieee80211_frame *); 492 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 493 ni->ni_ucastkey.wk_cipher == &ieee80211_cipher_none) { 494 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE) { 495 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 496 "[%s] no default transmit key (%s) deftxkey %u\n", 497 ether_sprintf(wh->i_addr1), __func__, 498 ic->ic_def_txkey); 499 ic->ic_stats.is_tx_nodefkey++; 500 return NULL; 501 } 502 keyix = ic->ic_def_txkey; 503 k = &ic->ic_nw_keys[ic->ic_def_txkey]; 504 } else { 505 keyix = 0; 506 k = &ni->ni_ucastkey; 507 } 508 cip = k->wk_cipher; 509 return (cip->ic_encap(k, m, keyix<<6) ? k : NULL); 510 } 511 512 /* 513 * Validate and strip privacy headers (and trailer) for a 514 * received frame that has the WEP/Privacy bit set. 515 */ 516 struct ieee80211_key * 517 ieee80211_crypto_decap(struct ieee80211com *ic, 518 struct ieee80211_node *ni, struct mbuf *m) 519 { 520 #define IEEE80211_WEP_HDRLEN (IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN) 521 #define IEEE80211_WEP_MINLEN \ 522 (sizeof(struct ieee80211_frame) + ETHER_HDR_LEN + \ 523 IEEE80211_WEP_HDRLEN + IEEE80211_WEP_CRCLEN) 524 struct ieee80211_key *k; 525 struct ieee80211_frame *wh; 526 const struct ieee80211_cipher *cip; 527 const u_int8_t *ivp; 528 u_int8_t keyid; 529 int hdrlen; 530 531 /* NB: this minimum size data frame could be bigger */ 532 if (m->m_pkthdr.len < IEEE80211_WEP_MINLEN) { 533 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 534 "%s: WEP data frame too short, len %u\n", 535 __func__, m->m_pkthdr.len); 536 ic->ic_stats.is_rx_tooshort++; /* XXX need unique stat? */ 537 return NULL; 538 } 539 540 /* 541 * Locate the key. If unicast and there is no unicast 542 * key then we fall back to the key id in the header. 543 * This assumes unicast keys are only configured when 544 * the key id in the header is meaningless (typically 0). 545 */ 546 wh = mtod(m, struct ieee80211_frame *); 547 hdrlen = ieee80211_hdrsize(wh); 548 ivp = mtod(m, const u_int8_t *) + hdrlen; /* XXX contig */ 549 keyid = ivp[IEEE80211_WEP_IVLEN]; 550 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 551 ni->ni_ucastkey.wk_cipher == &ieee80211_cipher_none) 552 k = &ic->ic_nw_keys[keyid >> 6]; 553 else 554 k = &ni->ni_ucastkey; 555 556 /* 557 * Insure crypto header is contiguous for all decap work. 558 */ 559 cip = k->wk_cipher; 560 if (m->m_len < hdrlen + cip->ic_header && 561 (m = m_pullup(m, hdrlen + cip->ic_header)) == NULL) { 562 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 563 "[%s] unable to pullup %s header\n", 564 ether_sprintf(wh->i_addr2), cip->ic_name); 565 ic->ic_stats.is_rx_wepfail++; /* XXX */ 566 return 0; 567 } 568 569 return (cip->ic_decap(k, m) ? k : NULL); 570 #undef IEEE80211_WEP_MINLEN 571 #undef IEEE80211_WEP_HDRLEN 572 } 573