xref: /freebsd/sys/net80211/ieee80211_crypto_wep.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*-
2  * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
28 
29 /*
30  * IEEE 802.11 WEP crypto support.
31  */
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/mbuf.h>
35 #include <sys/malloc.h>
36 #include <sys/kernel.h>
37 #include <sys/module.h>
38 #include <sys/endian.h>
39 
40 #include <sys/socket.h>
41 
42 #include <net/if.h>
43 #include <net/if_media.h>
44 #include <net/ethernet.h>
45 
46 #include <net80211/ieee80211_var.h>
47 
48 static	void *wep_attach(struct ieee80211com *, struct ieee80211_key *);
49 static	void wep_detach(struct ieee80211_key *);
50 static	int wep_setkey(struct ieee80211_key *);
51 static	int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid);
52 static	int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen);
53 static	int wep_enmic(struct ieee80211_key *, struct mbuf *, int);
54 static	int wep_demic(struct ieee80211_key *, struct mbuf *, int);
55 
56 static const struct ieee80211_cipher wep = {
57 	.ic_name	= "WEP",
58 	.ic_cipher	= IEEE80211_CIPHER_WEP,
59 	.ic_header	= IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN,
60 	.ic_trailer	= IEEE80211_WEP_CRCLEN,
61 	.ic_miclen	= 0,
62 	.ic_attach	= wep_attach,
63 	.ic_detach	= wep_detach,
64 	.ic_setkey	= wep_setkey,
65 	.ic_encap	= wep_encap,
66 	.ic_decap	= wep_decap,
67 	.ic_enmic	= wep_enmic,
68 	.ic_demic	= wep_demic,
69 };
70 
71 static	int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
72 static	int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
73 
74 struct wep_ctx {
75 	struct ieee80211com *wc_ic;	/* for diagnostics */
76 	uint32_t	wc_iv;		/* initial vector for crypto */
77 };
78 
79 /* number of references from net80211 layer */
80 static	int nrefs = 0;
81 
82 static void *
83 wep_attach(struct ieee80211com *ic, struct ieee80211_key *k)
84 {
85 	struct wep_ctx *ctx;
86 
87 	MALLOC(ctx, struct wep_ctx *, sizeof(struct wep_ctx),
88 		M_DEVBUF, M_NOWAIT | M_ZERO);
89 	if (ctx == NULL) {
90 		ic->ic_stats.is_crypto_nomem++;
91 		return NULL;
92 	}
93 
94 	ctx->wc_ic = ic;
95 	get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv));
96 	nrefs++;			/* NB: we assume caller locking */
97 	return ctx;
98 }
99 
100 static void
101 wep_detach(struct ieee80211_key *k)
102 {
103 	struct wep_ctx *ctx = k->wk_private;
104 
105 	FREE(ctx, M_DEVBUF);
106 	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
107 	nrefs--;			/* NB: we assume caller locking */
108 }
109 
110 static int
111 wep_setkey(struct ieee80211_key *k)
112 {
113 	return k->wk_keylen >= 40/NBBY;
114 }
115 
116 /*
117  * Add privacy headers appropriate for the specified key.
118  */
119 static int
120 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid)
121 {
122 	struct wep_ctx *ctx = k->wk_private;
123 	struct ieee80211com *ic = ctx->wc_ic;
124 	uint32_t iv;
125 	uint8_t *ivp;
126 	int hdrlen;
127 
128 	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
129 
130 	/*
131 	 * Copy down 802.11 header and add the IV + KeyID.
132 	 */
133 	M_PREPEND(m, wep.ic_header, M_NOWAIT);
134 	if (m == NULL)
135 		return 0;
136 	ivp = mtod(m, uint8_t *);
137 	ovbcopy(ivp + wep.ic_header, ivp, hdrlen);
138 	ivp += hdrlen;
139 
140 	/*
141 	 * XXX
142 	 * IV must not duplicate during the lifetime of the key.
143 	 * But no mechanism to renew keys is defined in IEEE 802.11
144 	 * for WEP.  And the IV may be duplicated at other stations
145 	 * because the session key itself is shared.  So we use a
146 	 * pseudo random IV for now, though it is not the right way.
147 	 *
148 	 * NB: Rather than use a strictly random IV we select a
149 	 * random one to start and then increment the value for
150 	 * each frame.  This is an explicit tradeoff between
151 	 * overhead and security.  Given the basic insecurity of
152 	 * WEP this seems worthwhile.
153 	 */
154 
155 	/*
156 	 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
157 	 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255
158 	 */
159 	iv = ctx->wc_iv;
160 	if ((iv & 0xff00) == 0xff00) {
161 		int B = (iv & 0xff0000) >> 16;
162 		if (3 <= B && B < 16)
163 			iv += 0x0100;
164 	}
165 	ctx->wc_iv = iv + 1;
166 
167 	/*
168 	 * NB: Preserve byte order of IV for packet
169 	 *     sniffers; it doesn't matter otherwise.
170 	 */
171 #if _BYTE_ORDER == _BIG_ENDIAN
172 	ivp[0] = iv >> 0;
173 	ivp[1] = iv >> 8;
174 	ivp[2] = iv >> 16;
175 #else
176 	ivp[2] = iv >> 0;
177 	ivp[1] = iv >> 8;
178 	ivp[0] = iv >> 16;
179 #endif
180 	ivp[3] = keyid;
181 
182 	/*
183 	 * Finally, do software encrypt if neeed.
184 	 */
185 	if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
186 	    !wep_encrypt(k, m, hdrlen))
187 		return 0;
188 
189 	return 1;
190 }
191 
192 /*
193  * Add MIC to the frame as needed.
194  */
195 static int
196 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
197 {
198 
199 	return 1;
200 }
201 
202 /*
203  * Validate and strip privacy headers (and trailer) for a
204  * received frame.  If necessary, decrypt the frame using
205  * the specified key.
206  */
207 static int
208 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
209 {
210 	struct wep_ctx *ctx = k->wk_private;
211 	struct ieee80211_frame *wh;
212 
213 	wh = mtod(m, struct ieee80211_frame *);
214 
215 	/*
216 	 * Check if the device handled the decrypt in hardware.
217 	 * If so we just strip the header; otherwise we need to
218 	 * handle the decrypt in software.
219 	 */
220 	if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
221 	    !wep_decrypt(k, m, hdrlen)) {
222 		IEEE80211_DPRINTF(ctx->wc_ic, IEEE80211_MSG_CRYPTO,
223 		    "[%s] WEP ICV mismatch on decrypt\n",
224 		    ether_sprintf(wh->i_addr2));
225 		ctx->wc_ic->ic_stats.is_rx_wepfail++;
226 		return 0;
227 	}
228 
229 	/*
230 	 * Copy up 802.11 header and strip crypto bits.
231 	 */
232 	ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen);
233 	m_adj(m, wep.ic_header);
234 	m_adj(m, -wep.ic_trailer);
235 
236 	return 1;
237 }
238 
239 /*
240  * Verify and strip MIC from the frame.
241  */
242 static int
243 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force)
244 {
245 	return 1;
246 }
247 
248 static const uint32_t crc32_table[256] = {
249 	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
250 	0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
251 	0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
252 	0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
253 	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
254 	0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
255 	0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
256 	0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
257 	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
258 	0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
259 	0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
260 	0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
261 	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
262 	0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
263 	0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
264 	0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
265 	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
266 	0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
267 	0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
268 	0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
269 	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
270 	0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
271 	0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
272 	0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
273 	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
274 	0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
275 	0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
276 	0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
277 	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
278 	0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
279 	0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
280 	0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
281 	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
282 	0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
283 	0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
284 	0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
285 	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
286 	0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
287 	0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
288 	0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
289 	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
290 	0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
291 	0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
292 	0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
293 	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
294 	0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
295 	0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
296 	0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
297 	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
298 	0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
299 	0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
300 	0x2d02ef8dL
301 };
302 
303 static int
304 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
305 {
306 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
307 	struct wep_ctx *ctx = key->wk_private;
308 	struct mbuf *m = m0;
309 	uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
310 	uint8_t icv[IEEE80211_WEP_CRCLEN];
311 	uint32_t i, j, k, crc;
312 	size_t buflen, data_len;
313 	uint8_t S[256];
314 	uint8_t *pos;
315 	u_int off, keylen;
316 
317 	ctx->wc_ic->ic_stats.is_crypto_wep++;
318 
319 	/* NB: this assumes the header was pulled up */
320 	memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
321 	memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
322 
323 	/* Setup RC4 state */
324 	for (i = 0; i < 256; i++)
325 		S[i] = i;
326 	j = 0;
327 	keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
328 	for (i = 0; i < 256; i++) {
329 		j = (j + S[i] + rc4key[i % keylen]) & 0xff;
330 		S_SWAP(i, j);
331 	}
332 
333 	off = hdrlen + wep.ic_header;
334 	data_len = m->m_pkthdr.len - off;
335 
336 	/* Compute CRC32 over unencrypted data and apply RC4 to data */
337 	crc = ~0;
338 	i = j = 0;
339 	pos = mtod(m, uint8_t *) + off;
340 	buflen = m->m_len - off;
341 	for (;;) {
342 		if (buflen > data_len)
343 			buflen = data_len;
344 		data_len -= buflen;
345 		for (k = 0; k < buflen; k++) {
346 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
347 			i = (i + 1) & 0xff;
348 			j = (j + S[i]) & 0xff;
349 			S_SWAP(i, j);
350 			*pos++ ^= S[(S[i] + S[j]) & 0xff];
351 		}
352 		if (m->m_next == NULL) {
353 			if (data_len != 0) {		/* out of data */
354 				IEEE80211_DPRINTF(ctx->wc_ic,
355 				    IEEE80211_MSG_CRYPTO,
356 				    "[%s] out of data for WEP (data_len %zu)\n",
357 				    ether_sprintf(mtod(m0,
358 					struct ieee80211_frame *)->i_addr2),
359 				    data_len);
360 				return 0;
361 			}
362 			break;
363 		}
364 		m = m->m_next;
365 		pos = mtod(m, uint8_t *);
366 		buflen = m->m_len;
367 	}
368 	crc = ~crc;
369 
370 	/* Append little-endian CRC32 and encrypt it to produce ICV */
371 	icv[0] = crc;
372 	icv[1] = crc >> 8;
373 	icv[2] = crc >> 16;
374 	icv[3] = crc >> 24;
375 	for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
376 		i = (i + 1) & 0xff;
377 		j = (j + S[i]) & 0xff;
378 		S_SWAP(i, j);
379 		icv[k] ^= S[(S[i] + S[j]) & 0xff];
380 	}
381 	return m_append(m0, IEEE80211_WEP_CRCLEN, icv);
382 #undef S_SWAP
383 }
384 
385 static int
386 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
387 {
388 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
389 	struct wep_ctx *ctx = key->wk_private;
390 	struct mbuf *m = m0;
391 	uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
392 	uint8_t icv[IEEE80211_WEP_CRCLEN];
393 	uint32_t i, j, k, crc;
394 	size_t buflen, data_len;
395 	uint8_t S[256];
396 	uint8_t *pos;
397 	u_int off, keylen;
398 
399 	ctx->wc_ic->ic_stats.is_crypto_wep++;
400 
401 	/* NB: this assumes the header was pulled up */
402 	memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
403 	memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
404 
405 	/* Setup RC4 state */
406 	for (i = 0; i < 256; i++)
407 		S[i] = i;
408 	j = 0;
409 	keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
410 	for (i = 0; i < 256; i++) {
411 		j = (j + S[i] + rc4key[i % keylen]) & 0xff;
412 		S_SWAP(i, j);
413 	}
414 
415 	off = hdrlen + wep.ic_header;
416 	data_len = m->m_pkthdr.len - (off + wep.ic_trailer),
417 
418 	/* Compute CRC32 over unencrypted data and apply RC4 to data */
419 	crc = ~0;
420 	i = j = 0;
421 	pos = mtod(m, uint8_t *) + off;
422 	buflen = m->m_len - off;
423 	for (;;) {
424 		if (buflen > data_len)
425 			buflen = data_len;
426 		data_len -= buflen;
427 		for (k = 0; k < buflen; k++) {
428 			i = (i + 1) & 0xff;
429 			j = (j + S[i]) & 0xff;
430 			S_SWAP(i, j);
431 			*pos ^= S[(S[i] + S[j]) & 0xff];
432 			crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
433 			pos++;
434 		}
435 		m = m->m_next;
436 		if (m == NULL) {
437 			if (data_len != 0) {		/* out of data */
438 				IEEE80211_DPRINTF(ctx->wc_ic,
439 				    IEEE80211_MSG_CRYPTO,
440 				    "[%s] out of data for WEP (data_len %zu)\n",
441 				    ether_sprintf(mtod(m0,
442 					struct ieee80211_frame *)->i_addr2),
443 				    data_len);
444 				return 0;
445 			}
446 			break;
447 		}
448 		pos = mtod(m, uint8_t *);
449 		buflen = m->m_len;
450 	}
451 	crc = ~crc;
452 
453 	/* Encrypt little-endian CRC32 and verify that it matches with
454 	 * received ICV */
455 	icv[0] = crc;
456 	icv[1] = crc >> 8;
457 	icv[2] = crc >> 16;
458 	icv[3] = crc >> 24;
459 	for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
460 		i = (i + 1) & 0xff;
461 		j = (j + S[i]) & 0xff;
462 		S_SWAP(i, j);
463 		/* XXX assumes ICV is contiguous in mbuf */
464 		if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
465 			/* ICV mismatch - drop frame */
466 			return 0;
467 		}
468 	}
469 	return 1;
470 #undef S_SWAP
471 }
472 
473 /*
474  * Module glue.
475  */
476 IEEE80211_CRYPTO_MODULE(wep, 1);
477