ieee80211_crypto.c revision 138568
1/*- 2 * Copyright (c) 2001 Atsushi Onoe 3 * Copyright (c) 2002-2004 Sam Leffler, Errno Consulting 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * Alternatively, this software may be distributed under the terms of the 18 * GNU General Public License ("GPL") version 2 as published by the Free 19 * Software Foundation. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/net80211/ieee80211_crypto.c 138568 2004-12-08 17:26:47Z sam $"); 35 36/* 37 * IEEE 802.11 generic crypto support. 38 */ 39#include <sys/param.h> 40#include <sys/mbuf.h> 41 42#include <sys/socket.h> 43 44#include <net/if.h> 45#include <net/if_media.h> 46#include <net/ethernet.h> /* XXX ETHER_HDR_LEN */ 47 48#include <net80211/ieee80211_var.h> 49 50/* 51 * Table of registered cipher modules. 52 */ 53static const struct ieee80211_cipher *ciphers[IEEE80211_CIPHER_MAX]; 54 55static int _ieee80211_crypto_delkey(struct ieee80211com *, 56 struct ieee80211_key *); 57 58/* 59 * Default "null" key management routines. 60 */ 61static int 62null_key_alloc(struct ieee80211com *ic, const struct ieee80211_key *k) 63{ 64 return IEEE80211_KEYIX_NONE; 65} 66static int 67null_key_delete(struct ieee80211com *ic, const struct ieee80211_key *k) 68{ 69 return 1; 70} 71static int 72null_key_set(struct ieee80211com *ic, const struct ieee80211_key *k, 73 const u_int8_t mac[IEEE80211_ADDR_LEN]) 74{ 75 return 1; 76} 77static void null_key_update(struct ieee80211com *ic) {} 78 79/* 80 * Write-arounds for common operations. 81 */ 82static __inline void 83cipher_detach(struct ieee80211_key *key) 84{ 85 key->wk_cipher->ic_detach(key); 86} 87 88static __inline void * 89cipher_attach(struct ieee80211com *ic, struct ieee80211_key *key) 90{ 91 return key->wk_cipher->ic_attach(ic, key); 92} 93 94/* 95 * Wrappers for driver key management methods. 96 */ 97static __inline int 98dev_key_alloc(struct ieee80211com *ic, 99 const struct ieee80211_key *key) 100{ 101 return ic->ic_crypto.cs_key_alloc(ic, key); 102} 103 104static __inline int 105dev_key_delete(struct ieee80211com *ic, 106 const struct ieee80211_key *key) 107{ 108 return ic->ic_crypto.cs_key_delete(ic, key); 109} 110 111static __inline int 112dev_key_set(struct ieee80211com *ic, const struct ieee80211_key *key, 113 const u_int8_t mac[IEEE80211_ADDR_LEN]) 114{ 115 return ic->ic_crypto.cs_key_set(ic, key, mac); 116} 117 118/* 119 * Setup crypto support. 120 */ 121void 122ieee80211_crypto_attach(struct ieee80211com *ic) 123{ 124 struct ieee80211_crypto_state *cs = &ic->ic_crypto; 125 int i; 126 127 /* NB: we assume everything is pre-zero'd */ 128 cs->cs_def_txkey = IEEE80211_KEYIX_NONE; 129 ciphers[IEEE80211_CIPHER_NONE] = &ieee80211_cipher_none; 130 for (i = 0; i < IEEE80211_WEP_NKID; i++) 131 ieee80211_crypto_resetkey(ic, &cs->cs_nw_keys[i], i); 132 /* 133 * Initialize the driver key support routines to noop entries. 134 * This is useful especially for the cipher test modules. 135 */ 136 cs->cs_key_alloc = null_key_alloc; 137 cs->cs_key_set = null_key_set; 138 cs->cs_key_delete = null_key_delete; 139 cs->cs_key_update_begin = null_key_update; 140 cs->cs_key_update_end = null_key_update; 141} 142 143/* 144 * Teardown crypto support. 145 */ 146void 147ieee80211_crypto_detach(struct ieee80211com *ic) 148{ 149 ieee80211_crypto_delglobalkeys(ic); 150} 151 152/* 153 * Register a crypto cipher module. 154 */ 155void 156ieee80211_crypto_register(const struct ieee80211_cipher *cip) 157{ 158 if (cip->ic_cipher >= IEEE80211_CIPHER_MAX) { 159 printf("%s: cipher %s has an invalid cipher index %u\n", 160 __func__, cip->ic_name, cip->ic_cipher); 161 return; 162 } 163 if (ciphers[cip->ic_cipher] != NULL && ciphers[cip->ic_cipher] != cip) { 164 printf("%s: cipher %s registered with a different template\n", 165 __func__, cip->ic_name); 166 return; 167 } 168 ciphers[cip->ic_cipher] = cip; 169} 170 171/* 172 * Unregister a crypto cipher module. 173 */ 174void 175ieee80211_crypto_unregister(const struct ieee80211_cipher *cip) 176{ 177 if (cip->ic_cipher >= IEEE80211_CIPHER_MAX) { 178 printf("%s: cipher %s has an invalid cipher index %u\n", 179 __func__, cip->ic_name, cip->ic_cipher); 180 return; 181 } 182 if (ciphers[cip->ic_cipher] != NULL && ciphers[cip->ic_cipher] != cip) { 183 printf("%s: cipher %s registered with a different template\n", 184 __func__, cip->ic_name); 185 return; 186 } 187 /* NB: don't complain about not being registered */ 188 /* XXX disallow if references */ 189 ciphers[cip->ic_cipher] = NULL; 190} 191 192int 193ieee80211_crypto_available(u_int cipher) 194{ 195 return cipher < IEEE80211_CIPHER_MAX && ciphers[cipher] != NULL; 196} 197 198/* XXX well-known names! */ 199static const char *cipher_modnames[] = { 200 "wlan_wep", /* IEEE80211_CIPHER_WEP */ 201 "wlan_tkip", /* IEEE80211_CIPHER_TKIP */ 202 "wlan_aes_ocb", /* IEEE80211_CIPHER_AES_OCB */ 203 "wlan_ccmp", /* IEEE80211_CIPHER_AES_CCM */ 204 "wlan_ckip", /* IEEE80211_CIPHER_CKIP */ 205}; 206 207/* 208 * Establish a relationship between the specified key and cipher 209 * and, if not a global key, allocate a hardware index from the 210 * driver. Note that we may be called for global keys but they 211 * should have a key index already setup so the only work done 212 * is to setup the cipher reference. 213 * 214 * This must be the first call applied to a key; all the other key 215 * routines assume wk_cipher is setup. 216 * 217 * Locking must be handled by the caller using: 218 * ieee80211_key_update_begin(ic); 219 * ieee80211_key_update_end(ic); 220 */ 221int 222ieee80211_crypto_newkey(struct ieee80211com *ic, 223 int cipher, struct ieee80211_key *key) 224{ 225#define N(a) (sizeof(a) / sizeof(a[0])) 226 const struct ieee80211_cipher *cip; 227 void *keyctx; 228 int oflags; 229 230 /* 231 * Validate cipher and set reference to cipher routines. 232 */ 233 if (cipher >= IEEE80211_CIPHER_MAX) { 234 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 235 "%s: invalid cipher %u\n", __func__, cipher); 236 ic->ic_stats.is_crypto_badcipher++; 237 return 0; 238 } 239 cip = ciphers[cipher]; 240 if (cip == NULL) { 241 /* 242 * Auto-load cipher module if we have a well-known name 243 * for it. It might be better to use string names rather 244 * than numbers and craft a module name based on the cipher 245 * name; e.g. wlan_cipher_<cipher-name>. 246 */ 247 if (cipher < N(cipher_modnames)) { 248 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 249 "%s: unregistered cipher %u, load module %s\n", 250 __func__, cipher, cipher_modnames[cipher]); 251 ieee80211_load_module(cipher_modnames[cipher]); 252 /* 253 * If cipher module loaded it should immediately 254 * call ieee80211_crypto_register which will fill 255 * in the entry in the ciphers array. 256 */ 257 cip = ciphers[cipher]; 258 } 259 if (cip == NULL) { 260 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 261 "%s: unable to load cipher %u, module %s\n", 262 __func__, cipher, 263 cipher < N(cipher_modnames) ? 264 cipher_modnames[cipher] : "<unknown>"); 265 ic->ic_stats.is_crypto_nocipher++; 266 return 0; 267 } 268 } 269 270 oflags = key->wk_flags; 271 /* 272 * If the hardware does not support the cipher then 273 * fallback to a host-based implementation. 274 */ 275 key->wk_flags &= ~(IEEE80211_KEY_SWCRYPT|IEEE80211_KEY_SWMIC); 276 if ((ic->ic_caps & (1<<cipher)) == 0) { 277 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 278 "%s: no h/w support for cipher %s, falling back to s/w\n", 279 __func__, cip->ic_name); 280 key->wk_flags |= IEEE80211_KEY_SWCRYPT; 281 } 282 /* 283 * Hardware TKIP with software MIC is an important 284 * combination; we handle it by flagging each key, 285 * the cipher modules honor it. 286 */ 287 if (cipher == IEEE80211_CIPHER_TKIP && 288 (ic->ic_caps & IEEE80211_C_TKIPMIC) == 0) { 289 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 290 "%s: no h/w support for TKIP MIC, falling back to s/w\n", 291 __func__); 292 key->wk_flags |= IEEE80211_KEY_SWMIC; 293 } 294 295 /* 296 * Bind cipher to key instance. Note we do this 297 * after checking the device capabilities so the 298 * cipher module can optimize space usage based on 299 * whether or not it needs to do the cipher work. 300 */ 301 if (key->wk_cipher != cip || key->wk_flags != oflags) { 302again: 303 keyctx = cip->ic_attach(ic, key); 304 if (keyctx == NULL) { 305 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 306 "%s: unable to attach cipher %s\n", 307 __func__, cip->ic_name); 308 key->wk_flags = oflags; /* restore old flags */ 309 ic->ic_stats.is_crypto_attachfail++; 310 return 0; 311 } 312 cipher_detach(key); 313 key->wk_cipher = cip; /* XXX refcnt? */ 314 key->wk_private = keyctx; 315 } 316 317 /* 318 * Ask the driver for a key index if we don't have one. 319 * Note that entries in the global key table always have 320 * an index; this means it's safe to call this routine 321 * for these entries just to setup the reference to the 322 * cipher template. Note also that when using software 323 * crypto we also call the driver to give us a key index. 324 */ 325 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 326 key->wk_keyix = dev_key_alloc(ic, key); 327 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 328 /* 329 * Driver has no room; fallback to doing crypto 330 * in the host. We change the flags and start the 331 * procedure over. If we get back here then there's 332 * no hope and we bail. Note that this can leave 333 * the key in a inconsistent state if the caller 334 * continues to use it. 335 */ 336 if ((key->wk_flags & IEEE80211_KEY_SWCRYPT) == 0) { 337 ic->ic_stats.is_crypto_swfallback++; 338 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 339 "%s: no h/w resources for cipher %s, " 340 "falling back to s/w\n", __func__, 341 cip->ic_name); 342 oflags = key->wk_flags; 343 key->wk_flags |= IEEE80211_KEY_SWCRYPT; 344 if (cipher == IEEE80211_CIPHER_TKIP) 345 key->wk_flags |= IEEE80211_KEY_SWMIC; 346 goto again; 347 } 348 ic->ic_stats.is_crypto_keyfail++; 349 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 350 "%s: unable to setup cipher %s\n", 351 __func__, cip->ic_name); 352 return 0; 353 } 354 } 355 return 1; 356#undef N 357} 358 359/* 360 * Remove the key (no locking, for internal use). 361 */ 362static int 363_ieee80211_crypto_delkey(struct ieee80211com *ic, struct ieee80211_key *key) 364{ 365 u_int16_t keyix; 366 367 KASSERT(key->wk_cipher != NULL, ("No cipher!")); 368 369 keyix = key->wk_keyix; 370 if (keyix != IEEE80211_KEYIX_NONE) { 371 /* 372 * Remove hardware entry. 373 */ 374 /* XXX key cache */ 375 if (!dev_key_delete(ic, key)) { 376 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 377 "%s: driver did not delete key index %u\n", 378 __func__, keyix); 379 ic->ic_stats.is_crypto_delkey++; 380 /* XXX recovery? */ 381 } 382 } 383 cipher_detach(key); 384 memset(key, 0, sizeof(*key)); 385 key->wk_cipher = &ieee80211_cipher_none; 386 key->wk_private = cipher_attach(ic, key); 387 /* NB: cannot depend on key index to decide this */ 388 if (&ic->ic_nw_keys[0] <= key && 389 key < &ic->ic_nw_keys[IEEE80211_WEP_NKID]) 390 key->wk_keyix = keyix; /* preserve shared key state */ 391 else 392 key->wk_keyix = IEEE80211_KEYIX_NONE; 393 return 1; 394} 395 396/* 397 * Remove the specified key. 398 */ 399int 400ieee80211_crypto_delkey(struct ieee80211com *ic, struct ieee80211_key *key) 401{ 402 int status; 403 404 ieee80211_key_update_begin(ic); 405 status = _ieee80211_crypto_delkey(ic, key); 406 ieee80211_key_update_end(ic); 407 return status; 408} 409 410/* 411 * Clear the global key table. 412 */ 413void 414ieee80211_crypto_delglobalkeys(struct ieee80211com *ic) 415{ 416 int i; 417 418 ieee80211_key_update_begin(ic); 419 for (i = 0; i < IEEE80211_WEP_NKID; i++) 420 (void) _ieee80211_crypto_delkey(ic, &ic->ic_nw_keys[i]); 421 ieee80211_key_update_end(ic); 422} 423 424/* 425 * Set the contents of the specified key. 426 * 427 * Locking must be handled by the caller using: 428 * ieee80211_key_update_begin(ic); 429 * ieee80211_key_update_end(ic); 430 */ 431int 432ieee80211_crypto_setkey(struct ieee80211com *ic, struct ieee80211_key *key, 433 const u_int8_t macaddr[IEEE80211_ADDR_LEN]) 434{ 435 const struct ieee80211_cipher *cip = key->wk_cipher; 436 437 KASSERT(cip != NULL, ("No cipher!")); 438 439 /* 440 * Give cipher a chance to validate key contents. 441 * XXX should happen before modifying state. 442 */ 443 if (!cip->ic_setkey(key)) { 444 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 445 "%s: cipher %s rejected key index %u len %u flags 0x%x\n", 446 __func__, cip->ic_name, key->wk_keyix, 447 key->wk_keylen, key->wk_flags); 448 ic->ic_stats.is_crypto_setkey_cipher++; 449 return 0; 450 } 451 if (key->wk_keyix == IEEE80211_KEYIX_NONE) { 452 /* XXX nothing allocated, should not happen */ 453 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 454 "%s: no key index; should not happen!\n", __func__); 455 ic->ic_stats.is_crypto_setkey_nokey++; 456 return 0; 457 } 458 return dev_key_set(ic, key, macaddr); 459} 460 461/* 462 * Add privacy headers appropriate for the specified key. 463 */ 464struct ieee80211_key * 465ieee80211_crypto_encap(struct ieee80211com *ic, 466 struct ieee80211_node *ni, struct mbuf *m) 467{ 468 struct ieee80211_key *k; 469 struct ieee80211_frame *wh; 470 const struct ieee80211_cipher *cip; 471 u_int8_t keyix; 472 473 /* 474 * Multicast traffic always uses the multicast key. 475 * Otherwise if a unicast key is set we use that and 476 * it is always key index 0. When no unicast key is 477 * set we fall back to the default transmit key. 478 */ 479 wh = mtod(m, struct ieee80211_frame *); 480 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 481 ni->ni_ucastkey.wk_cipher == &ieee80211_cipher_none) { 482 if (ic->ic_def_txkey == IEEE80211_KEYIX_NONE) { 483 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 484 "%s: No default xmit key for frame to %s\n", 485 __func__, ether_sprintf(wh->i_addr1)); 486 ic->ic_stats.is_tx_nodefkey++; 487 return NULL; 488 } 489 keyix = ic->ic_def_txkey; 490 k = &ic->ic_nw_keys[ic->ic_def_txkey]; 491 } else { 492 keyix = 0; 493 k = &ni->ni_ucastkey; 494 } 495 cip = k->wk_cipher; 496 return (cip->ic_encap(k, m, keyix<<6) ? k : NULL); 497} 498 499/* 500 * Validate and strip privacy headers (and trailer) for a 501 * received frame that has the WEP/Privacy bit set. 502 */ 503struct ieee80211_key * 504ieee80211_crypto_decap(struct ieee80211com *ic, 505 struct ieee80211_node *ni, struct mbuf *m) 506{ 507#define IEEE80211_WEP_HDRLEN (IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN) 508#define IEEE80211_WEP_MINLEN \ 509 (sizeof(struct ieee80211_frame) + ETHER_HDR_LEN + \ 510 IEEE80211_WEP_HDRLEN + IEEE80211_WEP_CRCLEN) 511 struct ieee80211_key *k; 512 struct ieee80211_frame *wh; 513 const struct ieee80211_cipher *cip; 514 u_int8_t *ivp; 515 u_int8_t keyid; 516 int hdrlen; 517 518 /* NB: this minimum size data frame could be bigger */ 519 if (m->m_pkthdr.len < IEEE80211_WEP_MINLEN) { 520 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY, 521 "%s: WEP data frame too short, len %u\n", 522 __func__, m->m_pkthdr.len); 523 ic->ic_stats.is_rx_tooshort++; /* XXX need unique stat? */ 524 return NULL; 525 } 526 527 /* 528 * Locate the key. If unicast and there is no unicast 529 * key then we fall back to the key id in the header. 530 * This assumes unicast keys are only configured when 531 * the key id in the header is meaningless (typically 0). 532 */ 533 wh = mtod(m, struct ieee80211_frame *); 534 hdrlen = ieee80211_hdrsize(wh); 535 ivp = mtod(m, u_int8_t *) + hdrlen; /* XXX contig */ 536 keyid = ivp[IEEE80211_WEP_IVLEN]; 537 if (IEEE80211_IS_MULTICAST(wh->i_addr1) || 538 ni->ni_ucastkey.wk_cipher == &ieee80211_cipher_none) 539 k = &ic->ic_nw_keys[keyid >> 6]; 540 else 541 k = &ni->ni_ucastkey; 542 543 /* 544 * Insure crypto header is contiguous for all decap work. 545 */ 546 cip = k->wk_cipher; 547 if (m->m_len < hdrlen + cip->ic_header && 548 (m = m_pullup(m, hdrlen + cip->ic_header)) == NULL) { 549 IEEE80211_DPRINTF(ic, IEEE80211_MSG_CRYPTO, 550 "[%s] unable to pullup %s header\n", 551 ether_sprintf(wh->i_addr2), cip->ic_name); 552 ic->ic_stats.is_rx_wepfail++; /* XXX */ 553 return 0; 554 } 555 556 return (cip->ic_decap(k, m) ? k : NULL); 557#undef IEEE80211_WEP_MINLEN 558#undef IEEE80211_WEP_HDRLEN 559} 560