2 * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 * $FreeBSD: src/sys/net80211/ieee80211_crypto_wep.c,v 1.7.2.1 2005/12/22 19:02:08 sam Exp $
32 * $DragonFly: src/sys/netproto/802_11/wlan_wep/ieee80211_crypto_wep.c,v 1.4 2006/12/22 23:57:53 swildner Exp $
36 * IEEE 802.11 WEP crypto support.
38 #include <sys/param.h>
39 #include <sys/systm.h>
41 #include <sys/malloc.h>
42 #include <sys/kernel.h>
43 #include <sys/module.h>
44 #include <sys/endian.h>
46 #include <sys/socket.h>
49 #include <net/if_arp.h>
50 #include <net/if_media.h>
51 #include <net/ethernet.h>
53 #include <netproto/802_11/ieee80211_var.h>
55 static void *wep_attach(struct ieee80211com *, struct ieee80211_key *);
56 static void wep_detach(struct ieee80211_key *);
57 static int wep_setkey(struct ieee80211_key *);
58 static int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid);
59 static int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen);
60 static int wep_enmic(struct ieee80211_key *, struct mbuf *, int);
61 static int wep_demic(struct ieee80211_key *, struct mbuf *, int);
63 static const struct ieee80211_cipher wep = {
65 .ic_cipher = IEEE80211_CIPHER_WEP,
66 .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN,
67 .ic_trailer = IEEE80211_WEP_CRCLEN,
69 .ic_attach = wep_attach,
70 .ic_detach = wep_detach,
71 .ic_setkey = wep_setkey,
72 .ic_encap = wep_encap,
73 .ic_decap = wep_decap,
74 .ic_enmic = wep_enmic,
75 .ic_demic = wep_demic,
78 static int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
79 static int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen);
82 struct ieee80211com *wc_ic; /* for diagnostics */
83 uint32_t wc_iv; /* initial vector for crypto */
86 /* number of references from net80211 layer */
90 wep_attach(struct ieee80211com *ic, struct ieee80211_key *k)
94 ctx = kmalloc(sizeof(struct wep_ctx), M_DEVBUF, M_NOWAIT | M_ZERO);
96 ic->ic_stats.is_crypto_nomem++;
101 get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv));
102 nrefs++; /* NB: we assume caller locking */
107 wep_detach(struct ieee80211_key *k)
109 struct wep_ctx *ctx = k->wk_private;
112 KASSERT(nrefs > 0, ("imbalanced attach/detach"));
113 nrefs--; /* NB: we assume caller locking */
117 wep_setkey(struct ieee80211_key *k)
119 return k->wk_keylen >= 40/NBBY;
123 * Add privacy headers appropriate for the specified key.
126 wep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid)
128 struct wep_ctx *ctx = k->wk_private;
129 struct ieee80211com *ic = ctx->wc_ic;
134 hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
137 * Copy down 802.11 header and add the IV + KeyID.
139 M_PREPEND(m, wep.ic_header, MB_DONTWAIT);
142 ivp = mtod(m, uint8_t *);
143 ovbcopy(ivp + wep.ic_header, ivp, hdrlen);
148 * IV must not duplicate during the lifetime of the key.
149 * But no mechanism to renew keys is defined in IEEE 802.11
150 * for WEP. And the IV may be duplicated at other stations
151 * because the session key itself is shared. So we use a
152 * pseudo random IV for now, though it is not the right way.
154 * NB: Rather than use a strictly random IV we select a
155 * random one to start and then increment the value for
156 * each frame. This is an explicit tradeoff between
157 * overhead and security. Given the basic insecurity of
158 * WEP this seems worthwhile.
162 * Skip 'bad' IVs from Fluhrer/Mantin/Shamir:
163 * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255
166 if ((iv & 0xff00) == 0xff00) {
167 int B = (iv & 0xff0000) >> 16;
168 if (3 <= B && B < 16)
174 * NB: Preserve byte order of IV for packet
175 * sniffers; it doesn't matter otherwise.
177 #if _BYTE_ORDER == _BIG_ENDIAN
189 * Finally, do software encrypt if neeed.
191 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
192 !wep_encrypt(k, m, hdrlen))
199 * Add MIC to the frame as needed.
202 wep_enmic(struct ieee80211_key *k, struct mbuf *m, int force)
208 * Validate and strip privacy headers (and trailer) for a
209 * received frame. If necessary, decrypt the frame using
213 wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
215 struct wep_ctx *ctx = k->wk_private;
216 struct ieee80211_frame *wh;
218 wh = mtod(m, struct ieee80211_frame *);
221 * Check if the device handled the decrypt in hardware.
222 * If so we just strip the header; otherwise we need to
223 * handle the decrypt in software.
225 if ((k->wk_flags & IEEE80211_KEY_SWCRYPT) &&
226 !wep_decrypt(k, m, hdrlen)) {
227 IEEE80211_DPRINTF(ctx->wc_ic, IEEE80211_MSG_CRYPTO,
228 "[%6D] WEP ICV mismatch on decrypt\n",
230 ctx->wc_ic->ic_stats.is_rx_wepfail++;
235 * Copy up 802.11 header and strip crypto bits.
237 ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen);
238 m_adj(m, wep.ic_header);
239 m_adj(m, -wep.ic_trailer);
245 * Verify and strip MIC from the frame.
248 wep_demic(struct ieee80211_key *k, struct mbuf *skb, int force)
253 static const uint32_t crc32_table[256] = {
254 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
255 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
256 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
257 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
258 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
259 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
260 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
261 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
262 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
263 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
264 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
265 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
266 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
267 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
268 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
269 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
270 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
271 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
272 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
273 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
274 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
275 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
276 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
277 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
278 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
279 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
280 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
281 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
282 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
283 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
284 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
285 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
286 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
287 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
288 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
289 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
290 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
291 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
292 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
293 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
294 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
295 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
296 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
297 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
298 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
299 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
300 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
301 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
302 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
303 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
304 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
309 wep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
311 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
312 struct wep_ctx *ctx = key->wk_private;
314 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
315 uint8_t icv[IEEE80211_WEP_CRCLEN];
316 uint32_t i, j, k, crc;
317 size_t buflen, data_len;
322 ctx->wc_ic->ic_stats.is_crypto_wep++;
324 /* NB: this assumes the header was pulled up */
325 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
326 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
328 /* Setup RC4 state */
329 for (i = 0; i < 256; i++)
332 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
333 for (i = 0; i < 256; i++) {
334 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
338 off = hdrlen + wep.ic_header;
339 data_len = m->m_pkthdr.len - off;
341 /* Compute CRC32 over unencrypted data and apply RC4 to data */
344 pos = mtod(m, uint8_t *) + off;
345 buflen = m->m_len - off;
347 if (buflen > data_len)
350 for (k = 0; k < buflen; k++) {
351 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
353 j = (j + S[i]) & 0xff;
355 *pos++ ^= S[(S[i] + S[j]) & 0xff];
357 if (m->m_next == NULL) {
358 if (data_len != 0) { /* out of data */
359 IEEE80211_DPRINTF(ctx->wc_ic,
360 IEEE80211_MSG_CRYPTO,
361 "[%6D] out of data for WEP "
363 mtod(m0, struct ieee80211_frame *)->i_addr2,
370 pos = mtod(m, uint8_t *);
375 /* Append little-endian CRC32 and encrypt it to produce ICV */
380 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
382 j = (j + S[i]) & 0xff;
384 icv[k] ^= S[(S[i] + S[j]) & 0xff];
386 return ieee80211_mbuf_append(m0, IEEE80211_WEP_CRCLEN, icv);
391 wep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen)
393 #define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0)
394 struct wep_ctx *ctx = key->wk_private;
396 uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE];
397 uint8_t icv[IEEE80211_WEP_CRCLEN];
398 uint32_t i, j, k, crc;
399 size_t buflen, data_len;
404 ctx->wc_ic->ic_stats.is_crypto_wep++;
406 /* NB: this assumes the header was pulled up */
407 memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN);
408 memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen);
410 /* Setup RC4 state */
411 for (i = 0; i < 256; i++)
414 keylen = key->wk_keylen + IEEE80211_WEP_IVLEN;
415 for (i = 0; i < 256; i++) {
416 j = (j + S[i] + rc4key[i % keylen]) & 0xff;
420 off = hdrlen + wep.ic_header;
421 data_len = m->m_pkthdr.len - (off + wep.ic_trailer),
423 /* Compute CRC32 over unencrypted data and apply RC4 to data */
426 pos = mtod(m, uint8_t *) + off;
427 buflen = m->m_len - off;
429 if (buflen > data_len)
432 for (k = 0; k < buflen; k++) {
434 j = (j + S[i]) & 0xff;
436 *pos ^= S[(S[i] + S[j]) & 0xff];
437 crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8);
442 if (data_len != 0) { /* out of data */
443 IEEE80211_DPRINTF(ctx->wc_ic,
444 IEEE80211_MSG_CRYPTO,
445 "[%s] out of data for WEP "
447 mtod(m0, struct ieee80211_frame *)->i_addr2,
453 pos = mtod(m, uint8_t *);
458 /* Encrypt little-endian CRC32 and verify that it matches with
464 for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) {
466 j = (j + S[i]) & 0xff;
468 /* XXX assumes ICV is contiguous in mbuf */
469 if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) {
470 /* ICV mismatch - drop frame */
482 wep_modevent(module_t mod, int type, void *unused)
486 ieee80211_crypto_register(&wep);
490 kprintf("wlan_wep: still in use (%u dynamic refs)\n",
494 ieee80211_crypto_unregister(&wep);
500 static moduledata_t wep_mod = {
505 DECLARE_MODULE(wlan_wep, wep_mod, SI_SUB_DRIVERS, SI_ORDER_FIRST);
506 MODULE_VERSION(wlan_wep, 1);
507 MODULE_DEPEND(wlan_wep, wlan, 1, 1, 1);