1 /*
2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * Copyright (c) 2001 Atsushi Onoe
8 * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission.
21 *
22 * Alternatively, this software may be distributed under the terms of the
23 * GNU General Public License ("GPL") version 2 as published by the Free
24 * Software Foundation.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 /*
39 * IEEE 802.11 WEP crypto support.
40 */
41 #include <sys/byteorder.h>
42 #include <sys/crypto/common.h>
43 #include <sys/crypto/api.h>
44 #include <sys/crc32.h>
45 #include <sys/random.h>
46 #include <sys/strsun.h>
47 #include "net80211_impl.h"
48
49 static void *wep_attach(struct ieee80211com *, struct ieee80211_key *);
50 static void wep_detach(struct ieee80211_key *);
51 static int wep_setkey(struct ieee80211_key *);
52 static int wep_encap(struct ieee80211_key *, mblk_t *, uint8_t keyid);
53 static int wep_decap(struct ieee80211_key *, mblk_t *, int);
54 static int wep_enmic(struct ieee80211_key *, mblk_t *, int);
55 static int wep_demic(struct ieee80211_key *, mblk_t *, int);
56
57 const struct ieee80211_cipher wep = {
58 "WEP",
59 IEEE80211_CIPHER_WEP,
60 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN,
61 IEEE80211_WEP_CRCLEN,
62 0,
63 wep_attach,
64 wep_detach,
65 wep_setkey,
66 wep_encap,
67 wep_decap,
68 wep_enmic,
69 wep_demic,
70 };
71
72 int rc4_init(crypto_context_t *, const uint8_t *, int);
73 int rc4_crypt(crypto_context_t, const uint8_t *, uint8_t *, int);
74 int rc4_final(crypto_context_t, uint8_t *, int);
75
76 static int wep_encrypt(struct ieee80211_key *, mblk_t *, int);
77 static int wep_decrypt(struct ieee80211_key *, mblk_t *, int);
78
79 struct wep_ctx {
80 ieee80211com_t *wc_ic; /* for diagnostics */
81 uint32_t wc_iv; /* initial vector for crypto */
82 };
83
84 /* Table of CRCs of all 8-bit messages */
85 static uint32_t crc_table[] = { CRC32_TABLE };
86
87 /* ARGSUSED */
88 static void *
wep_attach(struct ieee80211com * ic,struct ieee80211_key * k)89 wep_attach(struct ieee80211com *ic, struct ieee80211_key *k)
90 {
91 struct wep_ctx *ctx;
92
93 ctx = kmem_zalloc(sizeof (struct wep_ctx), KM_NOSLEEP);
94 if (ctx == NULL)
95 return (NULL);
96
97 ctx->wc_ic = ic;
98 (void) random_get_pseudo_bytes((unsigned char *)&ctx->wc_iv,
99 sizeof (uint32_t));
100 return (ctx);
101 }
102
103 static void
wep_detach(struct ieee80211_key * k)104 wep_detach(struct ieee80211_key *k)
105 {
106 struct wep_ctx *ctx = k->wk_private;
107
108 if (ctx != NULL)
109 kmem_free(ctx, sizeof (struct wep_ctx));
110 }
111
112 static int
wep_setkey(struct ieee80211_key * k)113 wep_setkey(struct ieee80211_key *k)
114 {
115 /*
116 * WEP key length is standardized to 40-bit. Many
117 * implementations support 104-bit WEP kwys.
118 */
119 return (k->wk_keylen == 40/NBBY || k->wk_keylen == 104/NBBY);
120 }
121
122 /*
123 * Add privacy headers appropriate for the specified key.
124 */
125 static int
wep_encap(struct ieee80211_key * k,mblk_t * mp,uint8_t keyid)126 wep_encap(struct ieee80211_key *k, mblk_t *mp, uint8_t keyid)
127 {
128 struct wep_ctx *ctx = k->wk_private;
129 struct ieee80211_frame *wh = (struct ieee80211_frame *)mp->b_rptr;
130 uint32_t iv;
131 uint8_t *ivp;
132 int hdrlen;
133
134 if (mp == NULL)
135 return (0);
136 hdrlen = ieee80211_hdrspace(ctx->wc_ic, wh);
137
138 ivp = (uint8_t *)wh;
139 ivp += hdrlen;
140
141 /*
142 * IV must not duplicate during the lifetime of the key.
143 * But no mechanism to renew keys is defined in IEEE 802.11
144 * WEP. And IV may be duplicated between other stations
145 * because of the session key itself is shared.
146 * So we use pseudo random IV for now, though it is not the
147 * right way.
148 */
149 iv = ctx->wc_iv;
150 /*
151 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
152 * (B, 255, N) with 3 <= B < 8
153 */
154 if ((iv & 0xff00) == 0xff00) {
155 int B = (iv & 0xff0000) >> 16;
156 if (3 <= B && B < 16)
157 iv = (B+1) << 16;
158 }
159 ctx->wc_iv = iv + 1;
160
161 ivp[2] = (uint8_t)(iv >> 0);
162 ivp[1] = (uint8_t)(iv >> 8);
163 ivp[0] = (uint8_t)(iv >> 16);
164
165 /* Key ID and pad */
166 ivp[IEEE80211_WEP_IVLEN] = keyid;
167
168 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
169 (wep_encrypt(k, mp, hdrlen) == 0))
170 return (0);
171
172 return (1);
173 }
174
175 /*
176 * Validate and strip privacy headers (and trailer) for a
177 * received frame. If necessary, decrypt the frame using
178 * the specified key.
179 */
180 static int
wep_decap(struct ieee80211_key * k,mblk_t * mp,int hdrlen)181 wep_decap(struct ieee80211_key *k, mblk_t *mp, int hdrlen)
182 {
183 /*
184 * Check if the device handled the decrypt in hardware.
185 * If so we just strip the header; otherwise we need to
186 * handle the decrypt in software.
187 */
188 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
189 (wep_decrypt(k, mp, hdrlen) == 0)) {
190 ieee80211_err("WEP ICV mismatch on decrypt\n");
191 return (0);
192 }
193
194 /*
195 * Copy up 802.11 header and strip crypto bits.
196 */
197 (void) memmove(mp->b_rptr + wep.ic_header, mp->b_rptr, hdrlen);
198 mp->b_rptr += wep.ic_header;
199 mp->b_wptr -= wep.ic_trailer;
200
201 return (1);
202 }
203
204 /*
205 * Add MIC to the frame as needed.
206 */
207 /* ARGSUSED */
208 static int
wep_enmic(struct ieee80211_key * k,mblk_t * mp,int force)209 wep_enmic(struct ieee80211_key *k, mblk_t *mp, int force)
210 {
211 return (1);
212 }
213
214 /*
215 * Verify and strip MIC from the frame.
216 */
217 /* ARGSUSED */
218 static int
wep_demic(struct ieee80211_key * k,mblk_t * mp,int force)219 wep_demic(struct ieee80211_key *k, mblk_t *mp, int force)
220 {
221 return (1);
222 }
223
224 static int
wep_encrypt(struct ieee80211_key * key,mblk_t * mp,int hdrlen)225 wep_encrypt(struct ieee80211_key *key, mblk_t *mp, int hdrlen)
226 {
227 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
228 uint8_t crcbuf[IEEE80211_WEP_CRCLEN];
229 uint8_t *icv;
230 uint32_t crc;
231 crypto_context_t ctx;
232 int rv;
233
234 ASSERT(key->wk_flags & IEEE80211_KEY_SWCRYPT);
235
236 /* ctx->wc_ic->isc_stats.is_crypto_wep++; */
237
238 (void) memcpy(rc4key, mp->b_rptr + hdrlen, IEEE80211_WEP_IVLEN);
239 (void) memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key,
240 key->wk_keylen);
241
242 ctx = NULL;
243 rv = rc4_init(&ctx, (const uint8_t *)rc4key,
244 IEEE80211_WEP_IVLEN + key->wk_keylen);
245
246 if (rv != CRYPTO_SUCCESS)
247 return (0);
248
249 /* calculate CRC over unencrypted data */
250 CRC32(crc, mp->b_rptr + hdrlen + wep.ic_header,
251 MBLKL(mp) - (hdrlen + wep.ic_header),
252 -1U, crc_table);
253
254 /* encrypt data */
255 (void) rc4_crypt(ctx,
256 mp->b_rptr + hdrlen + wep.ic_header,
257 mp->b_rptr + hdrlen + wep.ic_header,
258 MBLKL(mp) - (hdrlen + wep.ic_header));
259
260 /* tack on ICV */
261 *(uint32_t *)crcbuf = LE_32(~crc);
262 icv = mp->b_wptr;
263 mp->b_wptr += IEEE80211_WEP_CRCLEN;
264 (void) rc4_crypt(ctx, crcbuf, icv, IEEE80211_WEP_CRCLEN);
265
266 (void) rc4_final(ctx, icv, IEEE80211_WEP_CRCLEN);
267
268 return (1);
269 }
270
271 static int
wep_decrypt(struct ieee80211_key * key,mblk_t * mp,int hdrlen)272 wep_decrypt(struct ieee80211_key *key, mblk_t *mp, int hdrlen)
273 {
274 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
275 uint8_t crcbuf[IEEE80211_WEP_CRCLEN];
276 uint8_t *icv;
277 uint32_t crc;
278 crypto_context_t ctx;
279 int rv;
280
281 ASSERT(key->wk_flags & IEEE80211_KEY_SWCRYPT);
282
283 /* ctx->wc_ic->isc_stats.is_crypto_wep++; */
284
285 (void) memcpy(rc4key, mp->b_rptr + hdrlen, IEEE80211_WEP_IVLEN);
286 (void) memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key,
287 key->wk_keylen);
288
289 ctx = NULL;
290 rv = rc4_init(&ctx, (const uint8_t *)rc4key,
291 IEEE80211_WEP_IVLEN + key->wk_keylen);
292
293 if (rv != CRYPTO_SUCCESS)
294 return (0);
295
296 /* decrypt data */
297 (void) rc4_crypt(ctx,
298 mp->b_rptr + hdrlen + wep.ic_header,
299 mp->b_rptr + hdrlen + wep.ic_header,
300 MBLKL(mp) -
301 (hdrlen + wep.ic_header + wep.ic_trailer));
302
303 /* calculate CRC over unencrypted data */
304 CRC32(crc, mp->b_rptr + hdrlen + wep.ic_header,
305 MBLKL(mp) -
306 (hdrlen + wep.ic_header + wep.ic_trailer),
307 -1U, crc_table);
308
309 /* decrypt ICV and compare to CRC */
310 icv = mp->b_wptr - IEEE80211_WEP_CRCLEN;
311 (void) rc4_crypt(ctx, icv, crcbuf, IEEE80211_WEP_CRCLEN);
312
313 (void) rc4_final(ctx, crcbuf, IEEE80211_WEP_CRCLEN);
314
315 return (crc == ~LE_32(*(uint32_t *)crcbuf));
316 }
317
318 /*
319 * rc_init() - To init the key, for multiply encryption/decryption
320 * Using the Kernel encryption framework
321 */
322 int
rc4_init(crypto_context_t * ctx,const uint8_t * key,int keylen)323 rc4_init(crypto_context_t *ctx, const uint8_t *key, int keylen)
324 {
325 crypto_mechanism_t mech;
326 crypto_key_t crkey;
327 int rv;
328
329 bzero(&crkey, sizeof (crkey));
330
331 crkey.ck_format = CRYPTO_KEY_RAW;
332 crkey.ck_data = (char *)key;
333 /* keys are measured in bits, not bytes, so multiply by 8 */
334 crkey.ck_length = keylen * 8;
335
336 mech.cm_type = crypto_mech2id(SUN_CKM_RC4);
337 mech.cm_param = NULL;
338 mech.cm_param_len = 0;
339
340 rv = crypto_encrypt_init(&mech, &crkey, NULL, ctx, NULL);
341 if (rv != CRYPTO_SUCCESS)
342 cmn_err(CE_WARN, "rc4_init failed (%x)", rv);
343
344 return (rv);
345 }
346
347 /*
348 * rc4_crypt
349 *
350 * Use the Kernel encryption framework to provide the
351 * crypto operations for the indicated data.
352 */
353 int
rc4_crypt(crypto_context_t ctx,const uint8_t * inbuf,uint8_t * outbuf,int buflen)354 rc4_crypt(crypto_context_t ctx, const uint8_t *inbuf,
355 uint8_t *outbuf, int buflen)
356 {
357 int rv = CRYPTO_FAILED;
358
359 crypto_data_t d1, d2;
360
361 ASSERT(inbuf != NULL);
362 ASSERT(outbuf != NULL);
363
364 bzero(&d1, sizeof (d1));
365 bzero(&d2, sizeof (d2));
366
367 d1.cd_format = CRYPTO_DATA_RAW;
368 d1.cd_offset = 0;
369 d1.cd_length = buflen;
370 d1.cd_raw.iov_base = (char *)inbuf;
371 d1.cd_raw.iov_len = buflen;
372
373 d2.cd_format = CRYPTO_DATA_RAW;
374 d2.cd_offset = 0;
375 d2.cd_length = buflen;
376 d2.cd_raw.iov_base = (char *)outbuf;
377 d2.cd_raw.iov_len = buflen;
378
379 rv = crypto_encrypt_update(ctx, &d1, &d2, NULL);
380
381 if (rv != CRYPTO_SUCCESS)
382 cmn_err(CE_WARN, "rc4_crypt failed (%x)", rv);
383 return (rv);
384 }
385
386 /*
387 * rc4_final
388 *
389 * Use the Kernel encryption framework to provide the
390 * crypto operations for the indicated data.
391 */
392 int
rc4_final(crypto_context_t ctx,uint8_t * outbuf,int buflen)393 rc4_final(crypto_context_t ctx, uint8_t *outbuf, int buflen)
394 {
395 int rv = CRYPTO_FAILED;
396
397 crypto_data_t d2;
398
399 ASSERT(outbuf != NULL);
400
401 bzero(&d2, sizeof (d2));
402
403 d2.cd_format = CRYPTO_DATA_RAW;
404 d2.cd_offset = 0;
405 d2.cd_length = buflen;
406 d2.cd_raw.iov_base = (char *)outbuf;
407 d2.cd_raw.iov_len = buflen;
408
409 rv = crypto_encrypt_final(ctx, &d2, NULL);
410
411 if (rv != CRYPTO_SUCCESS)
412 cmn_err(CE_WARN, "rc4_final failed (%x)", rv);
413 return (rv);
414 }
415