1138568Ssam/*- 2178354Ssam * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting 3138568Ssam * All rights reserved. 4138568Ssam * 5138568Ssam * Redistribution and use in source and binary forms, with or without 6138568Ssam * modification, are permitted provided that the following conditions 7138568Ssam * are met: 8138568Ssam * 1. Redistributions of source code must retain the above copyright 9138568Ssam * notice, this list of conditions and the following disclaimer. 10138568Ssam * 2. Redistributions in binary form must reproduce the above copyright 11138568Ssam * notice, this list of conditions and the following disclaimer in the 12138568Ssam * documentation and/or other materials provided with the distribution. 13138568Ssam * 14138568Ssam * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15138568Ssam * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16138568Ssam * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17138568Ssam * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18138568Ssam * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19138568Ssam * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20138568Ssam * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21138568Ssam * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22138568Ssam * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23138568Ssam * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24138568Ssam */ 25138568Ssam 26138568Ssam#include <sys/cdefs.h> 27138568Ssam__FBSDID("$FreeBSD$"); 28138568Ssam 29138568Ssam/* 30138568Ssam * IEEE 802.11 WEP crypto support. 31138568Ssam */ 32178354Ssam#include "opt_wlan.h" 33178354Ssam 34138568Ssam#include <sys/param.h> 35138568Ssam#include <sys/systm.h> 36138568Ssam#include <sys/mbuf.h> 37138568Ssam#include <sys/malloc.h> 38138568Ssam#include <sys/kernel.h> 39138568Ssam#include <sys/module.h> 40138568Ssam#include <sys/endian.h> 41138568Ssam 42138568Ssam#include <sys/socket.h> 43138568Ssam 44138568Ssam#include <net/if.h> 45138568Ssam#include <net/if_media.h> 46138568Ssam#include <net/ethernet.h> 47138568Ssam 48138568Ssam#include <net80211/ieee80211_var.h> 49138568Ssam 50178354Ssamstatic void *wep_attach(struct ieee80211vap *, struct ieee80211_key *); 51138568Ssamstatic void wep_detach(struct ieee80211_key *); 52138568Ssamstatic int wep_setkey(struct ieee80211_key *); 53170530Ssamstatic int wep_encap(struct ieee80211_key *, struct mbuf *, uint8_t keyid); 54147252Ssamstatic int wep_decap(struct ieee80211_key *, struct mbuf *, int hdrlen); 55147045Ssamstatic int wep_enmic(struct ieee80211_key *, struct mbuf *, int); 56147045Ssamstatic int wep_demic(struct ieee80211_key *, struct mbuf *, int); 57138568Ssam 58138568Ssamstatic const struct ieee80211_cipher wep = { 59138568Ssam .ic_name = "WEP", 60138568Ssam .ic_cipher = IEEE80211_CIPHER_WEP, 61138568Ssam .ic_header = IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN, 62138568Ssam .ic_trailer = IEEE80211_WEP_CRCLEN, 63138568Ssam .ic_miclen = 0, 64138568Ssam .ic_attach = wep_attach, 65138568Ssam .ic_detach = wep_detach, 66138568Ssam .ic_setkey = wep_setkey, 67138568Ssam .ic_encap = wep_encap, 68138568Ssam .ic_decap = wep_decap, 69138568Ssam .ic_enmic = wep_enmic, 70138568Ssam .ic_demic = wep_demic, 71138568Ssam}; 72138568Ssam 73138568Ssamstatic int wep_encrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 74138568Ssamstatic int wep_decrypt(struct ieee80211_key *, struct mbuf *, int hdrlen); 75138568Ssam 76138568Ssamstruct wep_ctx { 77178354Ssam struct ieee80211vap *wc_vap; /* for diagnostics+statistics */ 78178354Ssam struct ieee80211com *wc_ic; 79170530Ssam uint32_t wc_iv; /* initial vector for crypto */ 80138568Ssam}; 81138568Ssam 82153353Ssam/* number of references from net80211 layer */ 83153353Ssamstatic int nrefs = 0; 84153353Ssam 85138568Ssamstatic void * 86178354Ssamwep_attach(struct ieee80211vap *vap, struct ieee80211_key *k) 87138568Ssam{ 88138568Ssam struct wep_ctx *ctx; 89138568Ssam 90186302Ssam ctx = (struct wep_ctx *) malloc(sizeof(struct wep_ctx), 91178354Ssam M_80211_CRYPTO, M_NOWAIT | M_ZERO); 92138568Ssam if (ctx == NULL) { 93178354Ssam vap->iv_stats.is_crypto_nomem++; 94138568Ssam return NULL; 95138568Ssam } 96138568Ssam 97178354Ssam ctx->wc_vap = vap; 98178354Ssam ctx->wc_ic = vap->iv_ic; 99138568Ssam get_random_bytes(&ctx->wc_iv, sizeof(ctx->wc_iv)); 100153353Ssam nrefs++; /* NB: we assume caller locking */ 101138568Ssam return ctx; 102138568Ssam} 103138568Ssam 104138568Ssamstatic void 105138568Ssamwep_detach(struct ieee80211_key *k) 106138568Ssam{ 107138568Ssam struct wep_ctx *ctx = k->wk_private; 108138568Ssam 109186302Ssam free(ctx, M_80211_CRYPTO); 110153353Ssam KASSERT(nrefs > 0, ("imbalanced attach/detach")); 111153353Ssam nrefs--; /* NB: we assume caller locking */ 112138568Ssam} 113138568Ssam 114138568Ssamstatic int 115138568Ssamwep_setkey(struct ieee80211_key *k) 116138568Ssam{ 117138568Ssam return k->wk_keylen >= 40/NBBY; 118138568Ssam} 119138568Ssam 120138568Ssam/* 121138568Ssam * Add privacy headers appropriate for the specified key. 122138568Ssam */ 123138568Ssamstatic int 124170530Ssamwep_encap(struct ieee80211_key *k, struct mbuf *m, uint8_t keyid) 125138568Ssam{ 126138568Ssam struct wep_ctx *ctx = k->wk_private; 127139508Ssam struct ieee80211com *ic = ctx->wc_ic; 128170530Ssam uint32_t iv; 129170530Ssam uint8_t *ivp; 130138568Ssam int hdrlen; 131138568Ssam 132139508Ssam hdrlen = ieee80211_hdrspace(ic, mtod(m, void *)); 133138568Ssam 134138568Ssam /* 135138568Ssam * Copy down 802.11 header and add the IV + KeyID. 136138568Ssam */ 137138568Ssam M_PREPEND(m, wep.ic_header, M_NOWAIT); 138138568Ssam if (m == NULL) 139138568Ssam return 0; 140170530Ssam ivp = mtod(m, uint8_t *); 141138568Ssam ovbcopy(ivp + wep.ic_header, ivp, hdrlen); 142138568Ssam ivp += hdrlen; 143138568Ssam 144138568Ssam /* 145138568Ssam * XXX 146138568Ssam * IV must not duplicate during the lifetime of the key. 147138568Ssam * But no mechanism to renew keys is defined in IEEE 802.11 148138568Ssam * for WEP. And the IV may be duplicated at other stations 149138568Ssam * because the session key itself is shared. So we use a 150138568Ssam * pseudo random IV for now, though it is not the right way. 151138568Ssam * 152138568Ssam * NB: Rather than use a strictly random IV we select a 153138568Ssam * random one to start and then increment the value for 154138568Ssam * each frame. This is an explicit tradeoff between 155138568Ssam * overhead and security. Given the basic insecurity of 156138568Ssam * WEP this seems worthwhile. 157138568Ssam */ 158138568Ssam 159138568Ssam /* 160138568Ssam * Skip 'bad' IVs from Fluhrer/Mantin/Shamir: 161138568Ssam * (B, 255, N) with 3 <= B < 16 and 0 <= N <= 255 162138568Ssam */ 163138568Ssam iv = ctx->wc_iv; 164138568Ssam if ((iv & 0xff00) == 0xff00) { 165138568Ssam int B = (iv & 0xff0000) >> 16; 166138568Ssam if (3 <= B && B < 16) 167138568Ssam iv += 0x0100; 168138568Ssam } 169138568Ssam ctx->wc_iv = iv + 1; 170138568Ssam 171138568Ssam /* 172138568Ssam * NB: Preserve byte order of IV for packet 173138568Ssam * sniffers; it doesn't matter otherwise. 174138568Ssam */ 175138568Ssam#if _BYTE_ORDER == _BIG_ENDIAN 176138568Ssam ivp[0] = iv >> 0; 177138568Ssam ivp[1] = iv >> 8; 178138568Ssam ivp[2] = iv >> 16; 179138568Ssam#else 180138568Ssam ivp[2] = iv >> 0; 181138568Ssam ivp[1] = iv >> 8; 182138568Ssam ivp[0] = iv >> 16; 183138568Ssam#endif 184138568Ssam ivp[3] = keyid; 185138568Ssam 186138568Ssam /* 187138568Ssam * Finally, do software encrypt if neeed. 188138568Ssam */ 189179394Ssam if ((k->wk_flags & IEEE80211_KEY_SWENCRYPT) && 190138568Ssam !wep_encrypt(k, m, hdrlen)) 191138568Ssam return 0; 192138568Ssam 193138568Ssam return 1; 194138568Ssam} 195138568Ssam 196138568Ssam/* 197138568Ssam * Add MIC to the frame as needed. 198138568Ssam */ 199138568Ssamstatic int 200147045Ssamwep_enmic(struct ieee80211_key *k, struct mbuf *m, int force) 201138568Ssam{ 202138568Ssam 203138568Ssam return 1; 204138568Ssam} 205138568Ssam 206138568Ssam/* 207138568Ssam * Validate and strip privacy headers (and trailer) for a 208138568Ssam * received frame. If necessary, decrypt the frame using 209138568Ssam * the specified key. 210138568Ssam */ 211138568Ssamstatic int 212147252Ssamwep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen) 213138568Ssam{ 214138568Ssam struct wep_ctx *ctx = k->wk_private; 215178354Ssam struct ieee80211vap *vap = ctx->wc_vap; 216138568Ssam struct ieee80211_frame *wh; 217138568Ssam 218138568Ssam wh = mtod(m, struct ieee80211_frame *); 219138568Ssam 220138568Ssam /* 221138568Ssam * Check if the device handled the decrypt in hardware. 222138568Ssam * If so we just strip the header; otherwise we need to 223138568Ssam * handle the decrypt in software. 224138568Ssam */ 225179394Ssam if ((k->wk_flags & IEEE80211_KEY_SWDECRYPT) && 226138568Ssam !wep_decrypt(k, m, hdrlen)) { 227178354Ssam IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, wh->i_addr2, 228178354Ssam "%s", "WEP ICV mismatch on decrypt"); 229178354Ssam vap->iv_stats.is_rx_wepfail++; 230138568Ssam return 0; 231138568Ssam } 232138568Ssam 233138568Ssam /* 234138568Ssam * Copy up 802.11 header and strip crypto bits. 235138568Ssam */ 236170530Ssam ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen); 237138568Ssam m_adj(m, wep.ic_header); 238138568Ssam m_adj(m, -wep.ic_trailer); 239138568Ssam 240138568Ssam return 1; 241138568Ssam} 242138568Ssam 243138568Ssam/* 244138568Ssam * Verify and strip MIC from the frame. 245138568Ssam */ 246138568Ssamstatic int 247147045Ssamwep_demic(struct ieee80211_key *k, struct mbuf *skb, int force) 248138568Ssam{ 249138568Ssam return 1; 250138568Ssam} 251138568Ssam 252138568Ssamstatic const uint32_t crc32_table[256] = { 253138568Ssam 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 254138568Ssam 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 255138568Ssam 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 256138568Ssam 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 257138568Ssam 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 258138568Ssam 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 259138568Ssam 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 260138568Ssam 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 261138568Ssam 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 262138568Ssam 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 263138568Ssam 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 264138568Ssam 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 265138568Ssam 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 266138568Ssam 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 267138568Ssam 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 268138568Ssam 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 269138568Ssam 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 270138568Ssam 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 271138568Ssam 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 272138568Ssam 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 273138568Ssam 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 274138568Ssam 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 275138568Ssam 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 276138568Ssam 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 277138568Ssam 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 278138568Ssam 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 279138568Ssam 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 280138568Ssam 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 281138568Ssam 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 282138568Ssam 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 283138568Ssam 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 284138568Ssam 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 285138568Ssam 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 286138568Ssam 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 287138568Ssam 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 288138568Ssam 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 289138568Ssam 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 290138568Ssam 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 291138568Ssam 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 292138568Ssam 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 293138568Ssam 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 294138568Ssam 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 295138568Ssam 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 296138568Ssam 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 297138568Ssam 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 298138568Ssam 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 299138568Ssam 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 300138568Ssam 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 301138568Ssam 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 302138568Ssam 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 303138568Ssam 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 304138568Ssam 0x2d02ef8dL 305138568Ssam}; 306138568Ssam 307138568Ssamstatic int 308138568Ssamwep_encrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 309138568Ssam{ 310138568Ssam#define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 311138568Ssam struct wep_ctx *ctx = key->wk_private; 312178354Ssam struct ieee80211vap *vap = ctx->wc_vap; 313138568Ssam struct mbuf *m = m0; 314170530Ssam uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 315138568Ssam uint8_t icv[IEEE80211_WEP_CRCLEN]; 316138568Ssam uint32_t i, j, k, crc; 317138568Ssam size_t buflen, data_len; 318138568Ssam uint8_t S[256]; 319138568Ssam uint8_t *pos; 320138568Ssam u_int off, keylen; 321138568Ssam 322178354Ssam vap->iv_stats.is_crypto_wep++; 323138568Ssam 324138568Ssam /* NB: this assumes the header was pulled up */ 325170530Ssam memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 326138568Ssam memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 327138568Ssam 328138568Ssam /* Setup RC4 state */ 329138568Ssam for (i = 0; i < 256; i++) 330138568Ssam S[i] = i; 331138568Ssam j = 0; 332138568Ssam keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 333138568Ssam for (i = 0; i < 256; i++) { 334138568Ssam j = (j + S[i] + rc4key[i % keylen]) & 0xff; 335138568Ssam S_SWAP(i, j); 336138568Ssam } 337138568Ssam 338138568Ssam off = hdrlen + wep.ic_header; 339138568Ssam data_len = m->m_pkthdr.len - off; 340138568Ssam 341138568Ssam /* Compute CRC32 over unencrypted data and apply RC4 to data */ 342138568Ssam crc = ~0; 343138568Ssam i = j = 0; 344138568Ssam pos = mtod(m, uint8_t *) + off; 345138568Ssam buflen = m->m_len - off; 346138568Ssam for (;;) { 347138568Ssam if (buflen > data_len) 348138568Ssam buflen = data_len; 349138568Ssam data_len -= buflen; 350138568Ssam for (k = 0; k < buflen; k++) { 351138568Ssam crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 352138568Ssam i = (i + 1) & 0xff; 353138568Ssam j = (j + S[i]) & 0xff; 354138568Ssam S_SWAP(i, j); 355138568Ssam *pos++ ^= S[(S[i] + S[j]) & 0xff]; 356138568Ssam } 357138568Ssam if (m->m_next == NULL) { 358138568Ssam if (data_len != 0) { /* out of data */ 359178354Ssam IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 360138568Ssam ether_sprintf(mtod(m0, 361138568Ssam struct ieee80211_frame *)->i_addr2), 362178354Ssam "out of data for WEP (data_len %zu)", 363138568Ssam data_len); 364178354Ssam /* XXX stat */ 365138568Ssam return 0; 366138568Ssam } 367138568Ssam break; 368138568Ssam } 369138568Ssam m = m->m_next; 370138568Ssam pos = mtod(m, uint8_t *); 371138568Ssam buflen = m->m_len; 372138568Ssam } 373138568Ssam crc = ~crc; 374138568Ssam 375138568Ssam /* Append little-endian CRC32 and encrypt it to produce ICV */ 376138568Ssam icv[0] = crc; 377138568Ssam icv[1] = crc >> 8; 378138568Ssam icv[2] = crc >> 16; 379138568Ssam icv[3] = crc >> 24; 380138568Ssam for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 381138568Ssam i = (i + 1) & 0xff; 382138568Ssam j = (j + S[i]) & 0xff; 383138568Ssam S_SWAP(i, j); 384138568Ssam icv[k] ^= S[(S[i] + S[j]) & 0xff]; 385138568Ssam } 386138568Ssam return m_append(m0, IEEE80211_WEP_CRCLEN, icv); 387138568Ssam#undef S_SWAP 388138568Ssam} 389138568Ssam 390138568Ssamstatic int 391138568Ssamwep_decrypt(struct ieee80211_key *key, struct mbuf *m0, int hdrlen) 392138568Ssam{ 393138568Ssam#define S_SWAP(a,b) do { uint8_t t = S[a]; S[a] = S[b]; S[b] = t; } while(0) 394138568Ssam struct wep_ctx *ctx = key->wk_private; 395178354Ssam struct ieee80211vap *vap = ctx->wc_vap; 396138568Ssam struct mbuf *m = m0; 397170530Ssam uint8_t rc4key[IEEE80211_WEP_IVLEN + IEEE80211_KEYBUF_SIZE]; 398138568Ssam uint8_t icv[IEEE80211_WEP_CRCLEN]; 399138568Ssam uint32_t i, j, k, crc; 400138568Ssam size_t buflen, data_len; 401138568Ssam uint8_t S[256]; 402138568Ssam uint8_t *pos; 403138568Ssam u_int off, keylen; 404138568Ssam 405178354Ssam vap->iv_stats.is_crypto_wep++; 406138568Ssam 407138568Ssam /* NB: this assumes the header was pulled up */ 408170530Ssam memcpy(rc4key, mtod(m, uint8_t *) + hdrlen, IEEE80211_WEP_IVLEN); 409138568Ssam memcpy(rc4key + IEEE80211_WEP_IVLEN, key->wk_key, key->wk_keylen); 410138568Ssam 411138568Ssam /* Setup RC4 state */ 412138568Ssam for (i = 0; i < 256; i++) 413138568Ssam S[i] = i; 414138568Ssam j = 0; 415138568Ssam keylen = key->wk_keylen + IEEE80211_WEP_IVLEN; 416138568Ssam for (i = 0; i < 256; i++) { 417138568Ssam j = (j + S[i] + rc4key[i % keylen]) & 0xff; 418138568Ssam S_SWAP(i, j); 419138568Ssam } 420138568Ssam 421138568Ssam off = hdrlen + wep.ic_header; 422138568Ssam data_len = m->m_pkthdr.len - (off + wep.ic_trailer), 423138568Ssam 424138568Ssam /* Compute CRC32 over unencrypted data and apply RC4 to data */ 425138568Ssam crc = ~0; 426138568Ssam i = j = 0; 427138568Ssam pos = mtod(m, uint8_t *) + off; 428138568Ssam buflen = m->m_len - off; 429138568Ssam for (;;) { 430138568Ssam if (buflen > data_len) 431138568Ssam buflen = data_len; 432138568Ssam data_len -= buflen; 433138568Ssam for (k = 0; k < buflen; k++) { 434138568Ssam i = (i + 1) & 0xff; 435138568Ssam j = (j + S[i]) & 0xff; 436138568Ssam S_SWAP(i, j); 437138568Ssam *pos ^= S[(S[i] + S[j]) & 0xff]; 438138568Ssam crc = crc32_table[(crc ^ *pos) & 0xff] ^ (crc >> 8); 439138568Ssam pos++; 440138568Ssam } 441138568Ssam m = m->m_next; 442138568Ssam if (m == NULL) { 443138568Ssam if (data_len != 0) { /* out of data */ 444178354Ssam IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO, 445178354Ssam mtod(m0, struct ieee80211_frame *)->i_addr2, 446178354Ssam "out of data for WEP (data_len %zu)", 447138568Ssam data_len); 448138568Ssam return 0; 449138568Ssam } 450138568Ssam break; 451138568Ssam } 452138568Ssam pos = mtod(m, uint8_t *); 453138568Ssam buflen = m->m_len; 454138568Ssam } 455138568Ssam crc = ~crc; 456138568Ssam 457138568Ssam /* Encrypt little-endian CRC32 and verify that it matches with 458138568Ssam * received ICV */ 459138568Ssam icv[0] = crc; 460138568Ssam icv[1] = crc >> 8; 461138568Ssam icv[2] = crc >> 16; 462138568Ssam icv[3] = crc >> 24; 463138568Ssam for (k = 0; k < IEEE80211_WEP_CRCLEN; k++) { 464138568Ssam i = (i + 1) & 0xff; 465138568Ssam j = (j + S[i]) & 0xff; 466138568Ssam S_SWAP(i, j); 467138568Ssam /* XXX assumes ICV is contiguous in mbuf */ 468138568Ssam if ((icv[k] ^ S[(S[i] + S[j]) & 0xff]) != *pos++) { 469138568Ssam /* ICV mismatch - drop frame */ 470138568Ssam return 0; 471138568Ssam } 472138568Ssam } 473138568Ssam return 1; 474138568Ssam#undef S_SWAP 475138568Ssam} 476138568Ssam 477138568Ssam/* 478138568Ssam * Module glue. 479138568Ssam */ 480170530SsamIEEE80211_CRYPTO_MODULE(wep, 1); 481