2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 * $FreeBSD: src/sys/net80211/ieee80211_crypto_wep.c,v 1.7.2.1 2005/12/22 19:02:08 sam Exp $
32 * $DragonFly: src/sys/netproto/802_11/wlan_wep/ieee80211_crypto_wep.c,v 1.5 2007/05/07 14:12:16 sephe Exp $
36 * IEEE 802.11 WEP crypto support.
38 #include <sys/param.h>
39 #include <sys/systm.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
46 #include <sys/socket.h>
49 #include <net/if_arp.h>
50 #include <net/if_media.h>
51 #include <net/ethernet.h>
53 #include <netproto/802_11/ieee80211_var.h>
55 static void *wep_attach(struct ieee80211com *, struct ieee80211_key *);
56 static void wep_detach(struct ieee80211_key *);
57 static int wep_setkey(struct ieee80211_key *);
58 static int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid);
59 static int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen);
60 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int);
61 static int wep_demic(struct ieee80211_key *, struct mbuf *, int);
62 static int wep_getiv(struct ieee80211_key *, struct ieee80211_crypto_iv *,
64 static int wep_update(struct ieee80211_key *,
65 const struct ieee80211_crypto_iv *,
66 const struct ieee80211_frame *);
68 static const struct ieee80211_cipher wep = {
70 .ic_cipher = IEEE80211_CIPHER_WEP,
71 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN,
72 .ic_trailer = IEEE80211_WEP_CRCLEN,
74 .ic_attach = wep_attach,
75 .ic_detach = wep_detach,
76 .ic_setkey = wep_setkey,
77 .ic_encap = wep_encap,
78 .ic_decap = wep_decap,
79 .ic_enmic = wep_enmic,
80 .ic_demic = wep_demic,
81 .ic_getiv = wep_getiv,
82 .ic_update = wep_update
85 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
86 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
89 struct ieee80211com *wc_ic; /* for diagnostics */
90 uint32_t wc_iv; /* initial vector for crypto */
93 /* number of references from net80211 layer */
97 wep_attach(struct ieee80211com *ic, struct ieee80211_key *k)
101 ctx = kmalloc(sizeof(struct wep_ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
103 ic->ic_stats.is_crypto_nomem++;
108 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv));
109 nrefs++; /* NB: we assume caller locking */
114 wep_detach(struct ieee80211_key *k)
116 struct wep_ctx *ctx = k->wk_private;
119 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
120 nrefs--; /* NB: we assume caller locking */
124 wep_setkey(struct ieee80211_key *k)
126 return k->wk_keylen >= 40/NBBY;
130 * Add privacy headers appropriate for the specified key.
133 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid)
135 struct wep_ctx *ctx = k->wk_private;
136 struct ieee80211com *ic = ctx->wc_ic;
141 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
144 * Copy down 802.11 header and add the IV + KeyID.
146 M_PREPEND(m, wep.ic_header, MB_DONTWAIT);
149 ivp = mtod(m, uint8_t *);
150 ovbcopy(ivp + wep.ic_header, ivp, hdrlen);
155 * IV must not duplicate during the lifetime of the key.
156 * But no mechanism to renew keys is defined in IEEE 802.11
157 * for WEP. And the IV may be duplicated at other stations
158 * because the session key itself is shared. So we use a
159 * pseudo random IV for now, though it is not the right way.
161 * NB: Rather than use a strictly random IV we select a
162 * random one to start and then increment the value for
163 * each frame. This is an explicit tradeoff between
164 * overhead and security. Given the basic insecurity of
165 * WEP this seems worthwhile.
169 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
170 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255
173 if ((iv & 0xff00) == 0xff00) {
174 int B = (iv & 0xff0000) >> 16;
175 if (3 <= B && B < 16)
181 * NB: Preserve byte order of IV for packet
182 * sniffers; it doesn't matter otherwise.
184 #if _BYTE_ORDER == _BIG_ENDIAN
196 * Finally, do software encrypt if neeed.
198 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
199 !wep_encrypt(k, m, hdrlen))
206 * Add MIC to the frame as needed.
209 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
215 * Validate and strip privacy headers (and trailer) for a
216 * received frame. If necessary, decrypt the frame using
220 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
222 struct wep_ctx *ctx = k->wk_private;
223 struct ieee80211_frame *wh;
225 wh = mtod(m, struct ieee80211_frame *);
228 * Check if the device handled the decrypt in hardware.
229 * If so we just strip the header; otherwise we need to
230 * handle the decrypt in software.
232 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
233 !wep_decrypt(k, m, hdrlen)) {
234 IEEE80211_DPRINTF(ctx->wc_ic, IEEE80211_MSG_CRYPTO,
235 "[%6D] WEP ICV mismatch on decrypt\n",
237 ctx->wc_ic->ic_stats.is_rx_wepfail++;
242 * Copy up 802.11 header and strip crypto bits.
244 ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen);
245 m_adj(m, wep.ic_header);
246 m_adj(m, -wep.ic_trailer);
252 wep_update(struct ieee80211_key *k, const struct ieee80211_crypto_iv *iv,
253 const struct ieee80211_frame *wh)
259 * Verify and strip MIC from the frame.
262 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force)
268 wep_getiv(struct ieee80211_key *k, struct ieee80211_crypto_iv *ivp,
271 struct wep_ctx *ctx = k->wk_private;
275 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
276 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255
279 if ((iv & 0xff00) == 0xff00) {
280 int B = (iv & 0xff0000) >> 16;
281 if (3 <= B && B < 16)
287 * NB: Preserve byte order of IV for packet
288 * sniffers; it doesn't matter otherwise.
290 #if _BYTE_ORDER == _BIG_ENDIAN
291 ivp->ic_iv[0] = iv >> 0;
292 ivp->ic_iv[1] = iv >> 8;
293 ivp->ic_iv[2] = iv >> 16;
295 ivp->ic_iv[2] = iv >> 0;
296 ivp->ic_iv[1] = iv >> 8;
297 ivp->ic_iv[0] = iv >> 16;
299 ivp->ic_iv[3] = keyid;
304 static const uint32_t crc32_table[256] = {
305 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
306 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
307 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
308 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
309 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
310 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
311 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
312 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
313 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
314 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
315 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
316 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
317 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
318 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
319 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
320 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
321 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
322 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
323 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
324 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
325 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
326 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
327 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
328 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
329 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
330 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
331 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
332 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
333 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
334 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
335 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
336 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
337 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
338 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
339 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
340 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
341 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
342 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
343 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
344 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
345 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
346 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
347 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
348 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
349 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
350 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
351 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
352 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
353 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
354 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
355 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
360 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
362 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
363 struct wep_ctx *ctx = key->wk_private;
365 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
366 uint8_t icv[IEEE80211_WEP_CRCLEN];
367 uint32_t i, j, k, crc;
368 size_t buflen, data_len;
373 ctx->wc_ic->ic_stats.is_crypto_wep++;
375 /* NB: this assumes the header was pulled up */
376 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
377 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
379 /* Setup RC4 state */
380 for (i = 0; i < 256; i++)
383 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
384 for (i = 0; i < 256; i++) {
385 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
389 off = hdrlen + wep.ic_header;
390 data_len = m->m_pkthdr.len - off;
392 /* Compute CRC32 over unencrypted data and apply RC4 to data */
395 pos = mtod(m, uint8_t *) + off;
396 buflen = m->m_len - off;
398 if (buflen > data_len)
401 for (k = 0; k < buflen; k++) {
402 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
404 j = (j + S[i]) & 0xff;
406 *pos++ ^= S[(S[i] + S[j]) & 0xff];
408 if (m->m_next == NULL) {
409 if (data_len != 0) { /* out of data */
410 IEEE80211_DPRINTF(ctx->wc_ic,
411 IEEE80211_MSG_CRYPTO,
412 "[%6D] out of data for WEP "
414 mtod(m0, struct ieee80211_frame *)->i_addr2,
421 pos = mtod(m, uint8_t *);
426 /* Append little-endian CRC32 and encrypt it to produce ICV */
431 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
433 j = (j + S[i]) & 0xff;
435 icv[k] ^= S[(S[i] + S[j]) & 0xff];
437 return ieee80211_mbuf_append(m0, IEEE80211_WEP_CRCLEN, icv);
442 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
444 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
445 struct wep_ctx *ctx = key->wk_private;
447 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
448 uint8_t icv[IEEE80211_WEP_CRCLEN];
449 uint32_t i, j, k, crc;
450 size_t buflen, data_len;
455 ctx->wc_ic->ic_stats.is_crypto_wep++;
457 /* NB: this assumes the header was pulled up */
458 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
459 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
461 /* Setup RC4 state */
462 for (i = 0; i < 256; i++)
465 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
466 for (i = 0; i < 256; i++) {
467 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
471 off = hdrlen + wep.ic_header;
472 data_len = m->m_pkthdr.len - (off + wep.ic_trailer),
474 /* Compute CRC32 over unencrypted data and apply RC4 to data */
477 pos = mtod(m, uint8_t *) + off;
478 buflen = m->m_len - off;
480 if (buflen > data_len)
483 for (k = 0; k < buflen; k++) {
485 j = (j + S[i]) & 0xff;
487 *pos ^= S[(S[i] + S[j]) & 0xff];
488 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
493 if (data_len != 0) { /* out of data */
494 IEEE80211_DPRINTF(ctx->wc_ic,
495 IEEE80211_MSG_CRYPTO,
496 "[%s] out of data for WEP "
498 mtod(m0, struct ieee80211_frame *)->i_addr2,
504 pos = mtod(m, uint8_t *);
509 /* Encrypt little-endian CRC32 and verify that it matches with
515 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
517 j = (j + S[i]) & 0xff;
519 /* XXX assumes ICV is contiguous in mbuf */
520 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
521 /* ICV mismatch - drop frame */
533 wep_modevent(module_t mod, int type, void *unused)
537 ieee80211_crypto_register(&wep);
541 kprintf("wlan_wep: still in use (%u dynamic refs)\n",
545 ieee80211_crypto_unregister(&wep);
551 static moduledata_t wep_mod = {
556 DECLARE_MODULE(wlan_wep, wep_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
557 MODULE_VERSION(wlan_wep, 1);
558 MODULE_DEPEND(wlan_wep, wlan, 1, 1, 1);