Kyle Swenson | 8d8f654 | 2021-03-15 11:02:55 -0600 | [diff] [blame] | 1 | /* |
| 2 | * Software WEP encryption implementation |
| 3 | * Copyright 2002, Jouni Malinen <jkmaline@cc.hut.fi> |
| 4 | * Copyright 2003, Instant802 Networks, Inc. |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or modify |
| 7 | * it under the terms of the GNU General Public License version 2 as |
| 8 | * published by the Free Software Foundation. |
| 9 | */ |
| 10 | |
| 11 | #include <linux/netdevice.h> |
| 12 | #include <linux/types.h> |
| 13 | #include <linux/random.h> |
| 14 | #include <linux/compiler.h> |
| 15 | #include <linux/crc32.h> |
| 16 | #include <linux/crypto.h> |
| 17 | #include <linux/err.h> |
| 18 | #include <linux/mm.h> |
| 19 | #include <linux/scatterlist.h> |
| 20 | #include <linux/slab.h> |
| 21 | #include <asm/unaligned.h> |
| 22 | |
| 23 | #include <net/mac80211.h> |
| 24 | #include "ieee80211_i.h" |
| 25 | #include "wep.h" |
| 26 | |
| 27 | |
| 28 | int ieee80211_wep_init(struct ieee80211_local *local) |
| 29 | { |
| 30 | /* start WEP IV from a random value */ |
| 31 | get_random_bytes(&local->wep_iv, IEEE80211_WEP_IV_LEN); |
| 32 | |
| 33 | local->wep_tx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC); |
| 34 | if (IS_ERR(local->wep_tx_tfm)) { |
| 35 | local->wep_rx_tfm = ERR_PTR(-EINVAL); |
| 36 | return PTR_ERR(local->wep_tx_tfm); |
| 37 | } |
| 38 | |
| 39 | local->wep_rx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC); |
| 40 | if (IS_ERR(local->wep_rx_tfm)) { |
| 41 | crypto_free_cipher(local->wep_tx_tfm); |
| 42 | local->wep_tx_tfm = ERR_PTR(-EINVAL); |
| 43 | return PTR_ERR(local->wep_rx_tfm); |
| 44 | } |
| 45 | |
| 46 | return 0; |
| 47 | } |
| 48 | |
| 49 | void ieee80211_wep_free(struct ieee80211_local *local) |
| 50 | { |
| 51 | if (!IS_ERR(local->wep_tx_tfm)) |
| 52 | crypto_free_cipher(local->wep_tx_tfm); |
| 53 | if (!IS_ERR(local->wep_rx_tfm)) |
| 54 | crypto_free_cipher(local->wep_rx_tfm); |
| 55 | } |
| 56 | |
| 57 | static inline bool ieee80211_wep_weak_iv(u32 iv, int keylen) |
| 58 | { |
| 59 | /* |
| 60 | * Fluhrer, Mantin, and Shamir have reported weaknesses in the |
| 61 | * key scheduling algorithm of RC4. At least IVs (KeyByte + 3, |
| 62 | * 0xff, N) can be used to speedup attacks, so avoid using them. |
| 63 | */ |
| 64 | if ((iv & 0xff00) == 0xff00) { |
| 65 | u8 B = (iv >> 16) & 0xff; |
| 66 | if (B >= 3 && B < 3 + keylen) |
| 67 | return true; |
| 68 | } |
| 69 | return false; |
| 70 | } |
| 71 | |
| 72 | |
| 73 | static void ieee80211_wep_get_iv(struct ieee80211_local *local, |
| 74 | int keylen, int keyidx, u8 *iv) |
| 75 | { |
| 76 | local->wep_iv++; |
| 77 | if (ieee80211_wep_weak_iv(local->wep_iv, keylen)) |
| 78 | local->wep_iv += 0x0100; |
| 79 | |
| 80 | if (!iv) |
| 81 | return; |
| 82 | |
| 83 | *iv++ = (local->wep_iv >> 16) & 0xff; |
| 84 | *iv++ = (local->wep_iv >> 8) & 0xff; |
| 85 | *iv++ = local->wep_iv & 0xff; |
| 86 | *iv++ = keyidx << 6; |
| 87 | } |
| 88 | |
| 89 | |
| 90 | static u8 *ieee80211_wep_add_iv(struct ieee80211_local *local, |
| 91 | struct sk_buff *skb, |
| 92 | int keylen, int keyidx) |
| 93 | { |
| 94 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 95 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); |
| 96 | unsigned int hdrlen; |
| 97 | u8 *newhdr; |
| 98 | |
| 99 | hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PROTECTED); |
| 100 | |
| 101 | if (WARN_ON(skb_headroom(skb) < IEEE80211_WEP_IV_LEN)) |
| 102 | return NULL; |
| 103 | |
| 104 | hdrlen = ieee80211_hdrlen(hdr->frame_control); |
| 105 | newhdr = skb_push(skb, IEEE80211_WEP_IV_LEN); |
| 106 | memmove(newhdr, newhdr + IEEE80211_WEP_IV_LEN, hdrlen); |
| 107 | |
| 108 | /* the HW only needs room for the IV, but not the actual IV */ |
| 109 | if (info->control.hw_key && |
| 110 | (info->control.hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) |
| 111 | return newhdr + hdrlen; |
| 112 | |
| 113 | ieee80211_wep_get_iv(local, keylen, keyidx, newhdr + hdrlen); |
| 114 | return newhdr + hdrlen; |
| 115 | } |
| 116 | |
| 117 | |
| 118 | static void ieee80211_wep_remove_iv(struct ieee80211_local *local, |
| 119 | struct sk_buff *skb, |
| 120 | struct ieee80211_key *key) |
| 121 | { |
| 122 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 123 | unsigned int hdrlen; |
| 124 | |
| 125 | hdrlen = ieee80211_hdrlen(hdr->frame_control); |
| 126 | memmove(skb->data + IEEE80211_WEP_IV_LEN, skb->data, hdrlen); |
| 127 | skb_pull(skb, IEEE80211_WEP_IV_LEN); |
| 128 | } |
| 129 | |
| 130 | |
| 131 | /* Perform WEP encryption using given key. data buffer must have tailroom |
| 132 | * for 4-byte ICV. data_len must not include this ICV. Note: this function |
| 133 | * does _not_ add IV. data = RC4(data | CRC32(data)) */ |
| 134 | int ieee80211_wep_encrypt_data(struct crypto_cipher *tfm, u8 *rc4key, |
| 135 | size_t klen, u8 *data, size_t data_len) |
| 136 | { |
| 137 | __le32 icv; |
| 138 | int i; |
| 139 | |
| 140 | if (IS_ERR(tfm)) |
| 141 | return -1; |
| 142 | |
| 143 | icv = cpu_to_le32(~crc32_le(~0, data, data_len)); |
| 144 | put_unaligned(icv, (__le32 *)(data + data_len)); |
| 145 | |
| 146 | crypto_cipher_setkey(tfm, rc4key, klen); |
| 147 | for (i = 0; i < data_len + IEEE80211_WEP_ICV_LEN; i++) |
| 148 | crypto_cipher_encrypt_one(tfm, data + i, data + i); |
| 149 | |
| 150 | return 0; |
| 151 | } |
| 152 | |
| 153 | |
| 154 | /* Perform WEP encryption on given skb. 4 bytes of extra space (IV) in the |
| 155 | * beginning of the buffer 4 bytes of extra space (ICV) in the end of the |
| 156 | * buffer will be added. Both IV and ICV will be transmitted, so the |
| 157 | * payload length increases with 8 bytes. |
| 158 | * |
| 159 | * WEP frame payload: IV + TX key idx, RC4(data), ICV = RC4(CRC32(data)) |
| 160 | */ |
| 161 | int ieee80211_wep_encrypt(struct ieee80211_local *local, |
| 162 | struct sk_buff *skb, |
| 163 | const u8 *key, int keylen, int keyidx) |
| 164 | { |
| 165 | u8 *iv; |
| 166 | size_t len; |
| 167 | u8 rc4key[3 + WLAN_KEY_LEN_WEP104]; |
| 168 | |
| 169 | if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN)) |
| 170 | return -1; |
| 171 | |
| 172 | iv = ieee80211_wep_add_iv(local, skb, keylen, keyidx); |
| 173 | if (!iv) |
| 174 | return -1; |
| 175 | |
| 176 | len = skb->len - (iv + IEEE80211_WEP_IV_LEN - skb->data); |
| 177 | |
| 178 | /* Prepend 24-bit IV to RC4 key */ |
| 179 | memcpy(rc4key, iv, 3); |
| 180 | |
| 181 | /* Copy rest of the WEP key (the secret part) */ |
| 182 | memcpy(rc4key + 3, key, keylen); |
| 183 | |
| 184 | /* Add room for ICV */ |
| 185 | skb_put(skb, IEEE80211_WEP_ICV_LEN); |
| 186 | |
| 187 | return ieee80211_wep_encrypt_data(local->wep_tx_tfm, rc4key, keylen + 3, |
| 188 | iv + IEEE80211_WEP_IV_LEN, len); |
| 189 | } |
| 190 | |
| 191 | |
| 192 | /* Perform WEP decryption using given key. data buffer includes encrypted |
| 193 | * payload, including 4-byte ICV, but _not_ IV. data_len must not include ICV. |
| 194 | * Return 0 on success and -1 on ICV mismatch. */ |
| 195 | int ieee80211_wep_decrypt_data(struct crypto_cipher *tfm, u8 *rc4key, |
| 196 | size_t klen, u8 *data, size_t data_len) |
| 197 | { |
| 198 | __le32 crc; |
| 199 | int i; |
| 200 | |
| 201 | if (IS_ERR(tfm)) |
| 202 | return -1; |
| 203 | |
| 204 | crypto_cipher_setkey(tfm, rc4key, klen); |
| 205 | for (i = 0; i < data_len + IEEE80211_WEP_ICV_LEN; i++) |
| 206 | crypto_cipher_decrypt_one(tfm, data + i, data + i); |
| 207 | |
| 208 | crc = cpu_to_le32(~crc32_le(~0, data, data_len)); |
| 209 | if (memcmp(&crc, data + data_len, IEEE80211_WEP_ICV_LEN) != 0) |
| 210 | /* ICV mismatch */ |
| 211 | return -1; |
| 212 | |
| 213 | return 0; |
| 214 | } |
| 215 | |
| 216 | |
| 217 | /* Perform WEP decryption on given skb. Buffer includes whole WEP part of |
| 218 | * the frame: IV (4 bytes), encrypted payload (including SNAP header), |
| 219 | * ICV (4 bytes). skb->len includes both IV and ICV. |
| 220 | * |
| 221 | * Returns 0 if frame was decrypted successfully and ICV was correct and -1 on |
| 222 | * failure. If frame is OK, IV and ICV will be removed, i.e., decrypted payload |
| 223 | * is moved to the beginning of the skb and skb length will be reduced. |
| 224 | */ |
| 225 | static int ieee80211_wep_decrypt(struct ieee80211_local *local, |
| 226 | struct sk_buff *skb, |
| 227 | struct ieee80211_key *key) |
| 228 | { |
| 229 | u32 klen; |
| 230 | u8 rc4key[3 + WLAN_KEY_LEN_WEP104]; |
| 231 | u8 keyidx; |
| 232 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 233 | unsigned int hdrlen; |
| 234 | size_t len; |
| 235 | int ret = 0; |
| 236 | |
| 237 | if (!ieee80211_has_protected(hdr->frame_control)) |
| 238 | return -1; |
| 239 | |
| 240 | hdrlen = ieee80211_hdrlen(hdr->frame_control); |
| 241 | if (skb->len < hdrlen + IEEE80211_WEP_IV_LEN + IEEE80211_WEP_ICV_LEN) |
| 242 | return -1; |
| 243 | |
| 244 | len = skb->len - hdrlen - IEEE80211_WEP_IV_LEN - IEEE80211_WEP_ICV_LEN; |
| 245 | |
| 246 | keyidx = skb->data[hdrlen + 3] >> 6; |
| 247 | |
| 248 | if (!key || keyidx != key->conf.keyidx) |
| 249 | return -1; |
| 250 | |
| 251 | klen = 3 + key->conf.keylen; |
| 252 | |
| 253 | /* Prepend 24-bit IV to RC4 key */ |
| 254 | memcpy(rc4key, skb->data + hdrlen, 3); |
| 255 | |
| 256 | /* Copy rest of the WEP key (the secret part) */ |
| 257 | memcpy(rc4key + 3, key->conf.key, key->conf.keylen); |
| 258 | |
| 259 | if (ieee80211_wep_decrypt_data(local->wep_rx_tfm, rc4key, klen, |
| 260 | skb->data + hdrlen + |
| 261 | IEEE80211_WEP_IV_LEN, len)) |
| 262 | ret = -1; |
| 263 | |
| 264 | /* Trim ICV */ |
| 265 | skb_trim(skb, skb->len - IEEE80211_WEP_ICV_LEN); |
| 266 | |
| 267 | /* Remove IV */ |
| 268 | memmove(skb->data + IEEE80211_WEP_IV_LEN, skb->data, hdrlen); |
| 269 | skb_pull(skb, IEEE80211_WEP_IV_LEN); |
| 270 | |
| 271 | return ret; |
| 272 | } |
| 273 | |
| 274 | ieee80211_rx_result |
| 275 | ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx) |
| 276 | { |
| 277 | struct sk_buff *skb = rx->skb; |
| 278 | struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); |
| 279 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 280 | __le16 fc = hdr->frame_control; |
| 281 | |
| 282 | if (!ieee80211_is_data(fc) && !ieee80211_is_auth(fc)) |
| 283 | return RX_CONTINUE; |
| 284 | |
| 285 | if (!(status->flag & RX_FLAG_DECRYPTED)) { |
| 286 | if (skb_linearize(rx->skb)) |
| 287 | return RX_DROP_UNUSABLE; |
| 288 | if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key)) |
| 289 | return RX_DROP_UNUSABLE; |
| 290 | } else if (!(status->flag & RX_FLAG_IV_STRIPPED)) { |
| 291 | if (!pskb_may_pull(rx->skb, ieee80211_hdrlen(fc) + |
| 292 | IEEE80211_WEP_IV_LEN)) |
| 293 | return RX_DROP_UNUSABLE; |
| 294 | ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key); |
| 295 | /* remove ICV */ |
| 296 | if (pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN)) |
| 297 | return RX_DROP_UNUSABLE; |
| 298 | } |
| 299 | |
| 300 | return RX_CONTINUE; |
| 301 | } |
| 302 | |
| 303 | static int wep_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb) |
| 304 | { |
| 305 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); |
| 306 | struct ieee80211_key_conf *hw_key = info->control.hw_key; |
| 307 | |
| 308 | if (!hw_key) { |
| 309 | if (ieee80211_wep_encrypt(tx->local, skb, tx->key->conf.key, |
| 310 | tx->key->conf.keylen, |
| 311 | tx->key->conf.keyidx)) |
| 312 | return -1; |
| 313 | } else if ((hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV) || |
| 314 | (hw_key->flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE)) { |
| 315 | if (!ieee80211_wep_add_iv(tx->local, skb, |
| 316 | tx->key->conf.keylen, |
| 317 | tx->key->conf.keyidx)) |
| 318 | return -1; |
| 319 | } |
| 320 | |
| 321 | return 0; |
| 322 | } |
| 323 | |
| 324 | ieee80211_tx_result |
| 325 | ieee80211_crypto_wep_encrypt(struct ieee80211_tx_data *tx) |
| 326 | { |
| 327 | struct sk_buff *skb; |
| 328 | |
| 329 | ieee80211_tx_set_protected(tx); |
| 330 | |
| 331 | skb_queue_walk(&tx->skbs, skb) { |
| 332 | if (wep_encrypt_skb(tx, skb) < 0) { |
| 333 | I802_DEBUG_INC(tx->local->tx_handlers_drop_wep); |
| 334 | return TX_DROP; |
| 335 | } |
| 336 | } |
| 337 | |
| 338 | return TX_CONTINUE; |
| 339 | } |