Fixes to the Aironet driver to clear up some WEP issues.

"Security notes" section to the man page added by me.

PR:		23097
Submitted by:	Doug Ambrisko <ambrisko@whistle.com>

3 files changed, 210 insertions, 52 deletions

diff --git a/usr.sbin/ancontrol/Makefile b/usr.sbin/ancontrol/Makefile
index 06d1b16..e8e45cc 100644
--- a/usr.sbin/ancontrol/Makefile
+++ b/usr.sbin/ancontrol/Makefile
@@ -5,6 +5,6 @@ SRCS=	ancontrol.c
 
 MAN8=	ancontrol.8
 
-CFLAGS+= 	-I${.CURDIR}/../../sys -DANCACHE
+CFLAGS+= 	-I${.CURDIR}/../../sys -DANCACHE -Wall
 
 .include <bsd.prog.mk>
diff --git a/usr.sbin/ancontrol/ancontrol.8 b/usr.sbin/ancontrol/ancontrol.8
index a5d6799..00ad199 100644
--- a/usr.sbin/ancontrol/ancontrol.8
+++ b/usr.sbin/ancontrol/ancontrol.8
@@ -37,65 +37,65 @@
 .Nm ancontrol
 .Nd configure Aironet 4500/4800 devices
 .Sh SYNOPSIS
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl A
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl N
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl S
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl I
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl T
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl C
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl t Ar 0|1|2|3|4
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl s Ar 0|1|2|3
-.Nm
+.Nm ancontrol
 .Fl i Ar iface 
 .Op Fl v Ar 1|2|3|4
 .Fl a Ar AP
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl b Ar beacon period
-.Nm
+.Nm ancontrol
 .Fl i Ar iface 
-.Op v Ar 0|1
+.Op Fl v Ar 0|1
 .Fl d Ar 0|1|2|3
-.Nm
-.Fl i Ar iface Fl e Ar 0|1
-.Nm
+.Nm ancontrol
+.Fl i Ar iface Fl e Ar 0|1|2|4
+.Nm ancontrol
 .Fl i Ar iface 
-.Op Fl v Ar 0|1
+.Op Fl v Ar 0|1|2|3|4|5|6|7
 .Fl k Ar key
-.Nm
+.Nm ancontrol
 .Fl i Ar iface 
 .Fl K Ar mode
-.Nm
+.Nm ancontrol
 .Fl i Ar iface 
 .Fl W Ar mode
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl j Ar netjoin timeout
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl l Ar station name
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl m Ar mac address
-.Nm
+.Nm ancontrol
 .Fl i Ar iface 
 .Op Fl v Ar 1|2|3
 .Fl n Ar SSID
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl o Ar 0|1
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl p Ar tx power
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl c Ar channel number
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl f Ar fragmentation threshold
-.Nm
+.Nm ancontrol
 .Fl i Ar iface Fl r Ar RTS threshold
-.Nm
+.Nm ancontrol
 .Fl h
 .Sh DESCRIPTION
 The
@@ -106,7 +106,7 @@ devices via the
 driver.
 Most of the parameters that can be changed relate to the
 IEEE 802.11 protocol which the Aironet cards implement.
-This includes
+This includes such things as
 the station name, whether the station is operating in ad-hoc (point
 to point) or infrastructure mode, and the network name of a service
 set to join.
@@ -122,11 +122,19 @@ argument given to
 should be the logical interface name associated with the Aironet
 device (an0, an1, etc...). If one isn't specified the device an0 will
 be assumed.
+.Pp
+The
+.Nm
+command is not designed to support the combination of arguments from different
+.Sy SYNOPSIS
+lines in a single
+.Nm
+invocation, and such combinations are not recommended.
 .Sh OPTIONS
 The options are as follows:
 .Bl -tag -width Fl
 .It Fl i Ar iface Fl A
-Display the prefered access point list.
+Display the preferred access point list.
 The AP list can be used by
 stations to specify the MAC address of access points with which it
 wishes to associate.
@@ -199,7 +207,11 @@ Valid selections are as follows:
 .Pp
 Note that for IBSS (ad-hoc) mode, only PSP mode is supported, and only
 if the ATIM window is non-zero.
-.It Fl i Ar iface "[-v 1|2|3|4]" Fl a Ar AP 
+.It Xo
+.Fl i Ar iface [
+.Fl v Ar 1|2|3|4 ]
+.Fl a Ar AP
+.Xc
 Set prefered access point.
 The
 .Ar AP
@@ -220,7 +232,11 @@ Set the ad-hoc mode beacon period.
 The becon period is specified in
 milliseconds.
 The default is 100ms.
-.It Fl i Ar iface "-v 0|1" Fl d Ar 0|1|2|3 
+.It Xo
+.Fl i Ar iface [
+.Fl v Ar 0|1 ]
+.Fl d Ar 0|1|2|3
+.Xc
 Select the antenna diversity.
 Aironet devices can be configured with up
 to two antennas, and transmit and receive diversity can be configured
@@ -245,16 +261,30 @@ option: selection
 sets the receive diversity and
 .Ar 1
 sets the transmit diversity.
-.It Fl i Ar iface "[ -v 0|1 ]" Fl k Ar key
-Set the WEP key.  For 40 bit prefix 10 hex character with 0x.
-For 128 bit prefix 26 hex character with 0x.
-Supports 4 keys, use even numbers are permanet and odd number 
-are temporary keys for example "-v 1" sets the first temporary key.
-.It Fl i Ar iface Fl K Ar 0|1|2|4
+.It Fl i Ar iface Fl e Ar 0|1|2|3
+Set the transmit WEP key to use.
+Note that until this command is issued, the device will use the
+last key programmed.  The transmit key is stored in NVRAM.  Currently
+set transmit key can be checked via "-C" option.
+.It Xo
+.Fl i Ar iface [
+.Fl v Ar 0|1|2|3|4|5|6|7 ]
+.Fl k Ar key
+.Xc
+Set a WEP key. For 40 bit prefix 10 hex character with 0x.
+For 128 bit prefix 26 hex character with 0x. Use "" as the key 
+to erase the key. Supports 4 keys; even numbers are for permanent keys
+and odd number are for temporary keys.
+For example, "-v 1" sets the first temporary key.
+(A "permanent" key is stored in NVRAM; a "temporary" key is not.)
+Note that the device will use the most recently-programmed key by default.
+Currently set keys can be checked via "-C" option, only the sizes of the
+keys are returned.
+.It Fl i Ar iface Fl K Ar 0|1|2
 Set authorization type. Use 0 for none, 1 for "Open", 
-2 for "Shared Key", 4 for "Exclude unencrypted".
-.It Fl i Ar iface Fl W Ar 0|1
-Enable WEP. Use 1 to enable, 0 for disable.
+2 for "Shared Key".
+.It Fl i Ar iface Fl W Ar 0|1|2
+Enable WEP. Use 0 for no WEP, 1 to enable full WEP, 2 for mixed cell.
 .It Fl i Ar iface Fl j Ar netjoin timeout
 Set the ad-hoc network join timeout.
 When a station is first activated
@@ -282,7 +312,11 @@ is specified as a series of six hexadecimal values separated by colons,
 e.g.: 00:60:1d:12:34:56.
 This programs the new address into the card
 and updates the interface as well.
-.It Fl i Ar iface "[-v 1|2|3]" Fl n Ar SSID 
+.It Xo
+.Fl i Ar iface [
+.Fl v Ar 1|2|3 ]
+.Fl n Ar SSID
+.Xc
 Set the desired SSID (network name). There are three SSIDs which allows
 the NIC to work with access points at several locations without needing
 to be reconfigured.
@@ -373,6 +407,31 @@ The default is 2312.
 .It Fl h
 Prints a list of available options and sample usage.
 .El
+.Sh SECURITY NOTES
+WEP ("wired equivalent privacy") is based on the RC4 algorithm,
+using a 24 bit initialization vector.
+.Pp
+RC4 is supposedly vunerable to certain known plaintext attacks,
+especially with 40 bit keys.
+So the security of WEP in part depends on how much known plaintext
+is transmitted.
+.Pp
+Because of this, although counter-intuitive, using "shared key"
+authentication (which involves sending known plaintext) is less
+secure than using "open" authentication when WEP is enabled.
+.Pp
+Devices may alternate among all of the configured WEP keys when
+tranmitting packets.
+Therefore, all configured keys (up to four) must agree.
+.Sh EXAMPLES
+.Pp
+.Dl ancontrol -i an0 -v 0 -k 0x12345678901234567890123456
+.Dl ancontrol -i an0 -K 2
+.Dl ancontrol -i an0 -W 1
+.Dl ancontrol -i an0 -e 0
+.Pp
+Sets a WEP key 0, enables "Shared Key" authentication, enables full WEP 
+and uses transmit key 0.
 .Sh SEE ALSO
 .Xr an 4 ,
 .Xr ifconfig 8
diff --git a/usr.sbin/ancontrol/ancontrol.c b/usr.sbin/ancontrol/ancontrol.c
index 22ef82e..8754063 100644
--- a/usr.sbin/ancontrol/ancontrol.c
+++ b/usr.sbin/ancontrol/ancontrol.c
@@ -76,6 +76,7 @@ static void an_setconfig	__P((char *, int, void *));
 static void an_setssid		__P((char *, int, void *));
 static void an_setap		__P((char *, int, void *));
 static void an_setspeed		__P((char *, int, void *));
+static void an_readkeyinfo	__P((char *));
 #ifdef ANCACHE
 static void an_zerocache	__P((char *));
 static void an_readcache	__P((char *));
@@ -121,6 +122,7 @@ int main			__P((int, char **));
 #define ACT_ENABLE_WEP 33
 #define ACT_SET_KEY_TYPE 34
 #define ACT_SET_KEYS 35
+#define ACT_ENABLE_TX_KEY 36
 
 static void an_getval(iface, areq)
 	char			*iface;
@@ -688,8 +690,13 @@ static void an_dumpconfig(iface)
 	printf("\nAuthentication timeout:\t\t\t");
 	an_printwords(&cfg->an_auth_timeout, 1);
 	printf("\nWEP enabled:\t\t\t\t[ ");
-	if (cfg->an_authtype & AN_AUTHTYPE_ENABLE)
-		printf("yes");
+	if (cfg->an_authtype & AN_AUTHTYPE_PRIVACY_IN_USE)
+	{
+		if (cfg->an_authtype & AN_AUTHTYPE_ALLOW_UNENCRYPTED)
+			 printf("mixed cell");
+		else
+			 printf("full");
+	}
 	else
 		printf("no");
 	printf(" ]");
@@ -700,8 +707,6 @@ static void an_dumpconfig(iface)
 		printf("open");
 	if ((cfg->an_authtype & AN_AUTHTYPE_MASK) == AN_AUTHTYPE_SHAREDKEY)
 		printf("shared key");
-	if ((cfg->an_authtype & AN_AUTHTYPE_MASK) == AN_AUTHTYPE_EXCLUDE_UNENCRYPTED)
-		printf("exclude unencrypted");
 	printf(" ]");
 	printf("\nAssociation timeout:\t\t\t");
 	an_printwords(&cfg->an_assoc_timeout, 1);
@@ -787,6 +792,8 @@ static void an_dumpconfig(iface)
 	an_printwords(&cfg->an_arl_delay, 1);
 
 	printf("\n");
+	printf("\n");
+	an_readkeyinfo(iface);
 
 	return;
 }
@@ -807,9 +814,10 @@ static void usage(p)
 	fprintf(stderr, "\t%s -i iface -b val (set beacon period)\n", p);
 	fprintf(stderr, "\t%s -i iface [-v 0|1] -d val (set diversity)\n", p);
 	fprintf(stderr, "\t%s -i iface -j val (set netjoin timeout)\n", p);
+	fprintf(stderr, "\t%s -i iface -e 0|1|2|3 (enable transmit key)\n", p);
 	fprintf(stderr, "\t%s -i iface [-v 0|1|2|3|4|5|6|7] -k key (set key)\n", p);
-	fprintf(stderr, "\t%s -i iface -K 0|1|2|4 (set auth type 2=shared secret)\n", p);
-	fprintf(stderr, "\t%s -i iface -W 0|1 (enable WEP)\n", p);
+	fprintf(stderr, "\t%s -i iface -K 0|1|2 (no auth/open/shared secret)\n", p);
+	fprintf(stderr, "\t%s -i iface -W 0|1|2 (no WEP/full WEP/mixed cell)\n", p);
 	fprintf(stderr, "\t%s -i iface -l val (set station name)\n", p);
 	fprintf(stderr, "\t%s -i iface -m val (set MAC address)\n", p);
 	fprintf(stderr, "\t%s -i iface [-v 1|2|3] -n SSID "
@@ -934,8 +942,23 @@ static void an_setconfig(iface, act, arg)
 		bcopy((char *)addr, (char *)&cfg->an_macaddr, ETHER_ADDR_LEN);
 		break;
 	case ACT_ENABLE_WEP:
-		cfg->an_authtype = (cfg->an_authtype & AN_AUTHTYPE_MASK)
-		        | atoi(arg) * AN_AUTHTYPE_ENABLE;
+		switch (atoi (arg)) {
+		case 0:
+			/* no WEP */
+			cfg->an_authtype &= ~(AN_AUTHTYPE_PRIVACY_IN_USE 
+					| AN_AUTHTYPE_ALLOW_UNENCRYPTED);
+			break;
+		case 1:
+			/* full WEP */
+			cfg->an_authtype |= AN_AUTHTYPE_PRIVACY_IN_USE;
+			cfg->an_authtype &= ~AN_AUTHTYPE_ALLOW_UNENCRYPTED;
+			break;
+		case 2:
+			/* mixed cell */
+			cfg->an_authtype = AN_AUTHTYPE_PRIVACY_IN_USE 
+					| AN_AUTHTYPE_ALLOW_UNENCRYPTED;
+			break;
+		}
 		break;
 	case ACT_SET_KEY_TYPE:
 		cfg->an_authtype = (cfg->an_authtype & ~AN_AUTHTYPE_MASK) 
@@ -1232,6 +1255,75 @@ static void an_setkeys(iface, key, keytype)
 	return;
 }
 
+static void an_readkeyinfo(iface)
+	char			*iface;
+{
+	struct an_req		areq;
+	struct an_ltv_key	*k;
+	int i;
+
+	bzero((char *)&areq, sizeof(areq));
+	k = (struct an_ltv_key *)&areq;
+
+	printf("WEP Key status:\n");
+	areq.an_type = AN_RID_WEP_TEMP;  	/* read first key */
+	for(i=0; i<4; i++){
+		areq.an_len = sizeof(struct an_ltv_key);
+		an_getval(iface, &areq);
+		switch (k->klen){
+		case 0:
+			printf("\tKey %d is unset\n",i);
+			break;
+		case 5:
+			printf("\tKey %d is set  40 bits\n",i);
+			break;
+		case 13:
+			printf("\tKey %d is set 128 bits\n",i);
+			break;
+		default:
+			printf("\tWEP Key %d has an unknown size %d\n",
+			    i, k->klen);
+		}
+
+		areq.an_type = AN_RID_WEP_PERM;	/* read next key */
+	}
+	k->kindex = 0xffff;
+	areq.an_len = sizeof(struct an_ltv_key);
+      	an_getval(iface, &areq);
+	printf("\tThe active transmit key is %d\n", k->mac[0]);
+
+	return;
+}
+
+static void an_enable_tx_key(iface, arg)
+	char			*iface;
+	char			*arg;
+{
+	struct an_req		areq;
+	struct an_ltv_key	*k;
+
+	bzero((char *)&areq, sizeof(areq));
+	k = (struct an_ltv_key *)&areq;
+
+	/* From a Cisco engineer write the transmit key to use in the
+	   first MAC, index is FFFF*/
+	k->kindex=0xffff;
+	k->klen=0;
+
+	k->mac[0]=atoi(arg);
+	k->mac[1]=0;
+	k->mac[2]=0;
+	k->mac[3]=0;
+	k->mac[4]=0;
+	k->mac[5]=0;
+
+	areq.an_len = sizeof(struct an_ltv_key);
+	areq.an_type = AN_RID_WEP_PERM;
+	an_setval(iface, &areq);
+	  
+	return;
+}
+
 int main(argc, argv)
 	int			argc;
 	char			*argv[];
@@ -1257,7 +1349,7 @@ int main(argc, argv)
 	opterr = 1;
 
 	while ((ch = getopt(argc, argv,
-	    "ANISCTht:a:o:s:n:v:d:j:b:c:r:p:w:m:l:k:K:W:QZ")) != -1) {
+	    "ANISCTht:a:e:o:s:n:v:d:j:b:c:r:p:w:m:l:k:K:W:QZ")) != -1) {
 		switch(ch) {
 		case 'Z':
 #ifdef ANCACHE
@@ -1404,6 +1496,10 @@ int main(argc, argv)
 			act = ACT_SET_KEYS;
 			key = optarg;
 			break;
+		case 'e':
+			act = ACT_ENABLE_TX_KEY;
+			arg = optarg;
+			break;
 		case 'q':
 			act = ACT_SET_RTS_RETRYLIM;
 			arg = optarg;
@@ -1470,6 +1566,9 @@ int main(argc, argv)
 	case ACT_SET_KEYS:
 		an_setkeys(iface, key, modifier);
 		break;
+	case ACT_ENABLE_TX_KEY:
+		an_enable_tx_key(iface, arg);
+		break;
 	default:
 		an_setconfig(iface, act, arg);
 		break;