From brooks@minya.sea.one-eyed-alien.net  Tue Sep 12 21:38:03 2000
Return-Path: <brooks@minya.sea.one-eyed-alien.net>
Received: from minya.sea.one-eyed-alien.net (sense-brooks-236.oz.net [216.39.168.236])
	by hub.freebsd.org (Postfix) with ESMTP id 85D5E37B42C
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Sep 2000 21:38:02 -0700 (PDT)
Received: (from brooks@localhost)
	by minya. (8.11.0/8.11.0) id e8D4QbQ01128;
	Tue, 12 Sep 2000 21:26:37 -0700 (PDT)
	(envelope-from brooks)
Message-Id: <200009130426.e8D4QbQ01128@minya.>
Date: Tue, 12 Sep 2000 21:26:37 -0700 (PDT)
From: brooks@one-eyed-alien.net
Sender: brooks@minya.sea.one-eyed-alien.net
Reply-To: brooks@one-eyed-alien.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] wicontrol(8)'s WEP key support is buggy/non-standard
X-Send-Pr-Version: 3.2

>Number:         21245
>Category:       bin
>Synopsis:       [PATCH] wicontrol(8)'s WEP key support is buggy/non-standard
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    wpaul
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 12 21:40:02 PDT 2000
>Closed-Date:    Wed Sep 20 17:27:16 PDT 2000
>Last-Modified:  Wed Sep 20 17:27:45 PDT 2000
>Originator:     Brooks Davis
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
The Aerospace Corporation
>Environment:

FreeBSD minya 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Tue Sep 12 17:56:11 PDT 2000     root@minya:/usr/obj/usr/src/sys/MINYA  i386

>Description:

wicontrol's WEP support has a number of minor bugs in it due to coding
errors and apparent misunderstandings of WEP.  They include:

a) So-called 128-bit crypto uses 13-byte (104-bit) keys.  Saying cards
support 40 and 128-bit crypto is a misnomer perpetuated by marketing
people.  40-bit crypto actually encrypts with 64-bit RC4 on each packet,
but the key is 40 bits long.  128-bit crypto encrypts packets with
128-bit RC4, but uses a 104-bit key, so to compare apples to apples cards
really support 64/128 or 40/104.  The manpage and the code have been
cleaned up to reflect the fact that keys come in 0, 5, and 13 byte
lengths and the code now enforces this just like the Windows interface
does for this and the Cisco Aironet cards.

b) You couldn't enter 13 byte keys via the hex format because they were
longer than 14 bytes in string format.

c) The output of the keys was unreadable if they were non-printable.
Printable keys (as defined by isprint) are now printed like
before, but non-printable keys are printed in hex.

>How-To-Repeat:

b) Try to set a key like 0x12345678901234567890123456.
	wicontrol -i wi0 -k 0x12345678901234567890123456

c) Try to set and read back a hex key like 0x0123456789.
	wicontrol -i wi0 -k 0x0123456789
	wicontrol -i wi0

>Fix:

Apply this patch.  It has been tested in infrastructure mode with a Cisco
Aironet 340 series Access Point and a Lucent Gold card.

Index: wicontrol.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/wicontrol/wicontrol.8,v
retrieving revision 1.15
diff -u -r1.15 wicontrol.8
--- wicontrol.8	2000/07/26 12:50:35	1.15
+++ wicontrol.8	2000/09/13 04:06:15
@@ -238,14 +238,10 @@
 digits (i.e. "0x1234512345"). For
 WaveLAN Turbo Silver cards, the key is restricted to 40 bits, hence
 the key can be either a 5 character text string or 10 hex digits.
-For WaveLAN Turbo Gold cards, the key can be up to 128 bits,
-which means the key can be specified as either a 16 character text
-string or 32 hex digits.
-.Pp
-Note: currently, the field in the structure used to program the key
-into the NIC is only 14 bytes long, not 16.
-I'm not sure how this is
-supposed to allow 128 bits of key info for the gold cards.
+For WaveLAN Turbo Gold cards, the key can also be 104 bits,
+which means the key can be specified as either a 13 character text
+string or 26 hex digits in addition to the formats supported by the
+Silver cards.
 .It Fl i Ar iface Fl T Ar 1|2|3|4
 Specify which of the four WEP encryption keys will be used to
 encrypt transmitted packets.
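
Review bot: The new Gold-card paragraph lists the 13 character and 26 hex digit forms but never says that other lengths are now rejected. The wicontrol.c change in this same patch accepts only 0, 5 or 13 bytes (or 0, 10 or 26 hex digits), so a sentence stating that keys of any other length are refused, and that an empty key is accepted, would keep the manpage in step with the code. It would also help to say once that the 104-bit key is what vendors label 128-bit, since the removed note ("I'm not sure how this is supposed to allow 128 bits of key info") shows that this was the source of confusion.
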
Index: wicontrol.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/wicontrol/wicontrol.c,v
retrieving revision 1.10
diff -u -r1.10 wicontrol.c
--- wicontrol.c	2000/06/18 23:45:17	1.10
+++ wicontrol.c	2000/09/13 04:01:01
@@ -49,6 +49,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <unistd.h>
+#include <ctype.h>
 #include <errno.h>
 #include <err.h>
 
@@ -282,6 +283,7 @@
 	char			*key;
 	int			idx;
 {
+	int			keylen;
 	struct wi_req		wreq;
 	struct wi_ltv_keys	*keys;
 	struct wi_key		*k;
@@ -301,9 +303,17 @@
 	wi_getval(iface, &wreq);
 	keys = (struct wi_ltv_keys *)&wreq;
 
-	if (strlen(key) > 14) {
-		err(1, "encryption key must be no "
-		    "more than 14 characters long");
+	keylen = strlen(key);
+	if (key[0] == '0' && (key[1] == 'x' || key[1] == 'X')) {
+		if(keylen != 2 && keylen != 12 && keylen != 28) {
+			err(1, "encryption key must be 0, 10, or 26 "
+			    "hex digits long");
+		}
+	} else {
+		if (keylen != 0 && keylen != 5 && keylen != 13) {
+			err(1, "encryption key must be 0, 5, or 13 "
+			    "bytes long");
+		}
 	}
 
 	if (idx > 3)
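
Review bot: Both new length checks call err(), which appends strerror(errno) to the message; nothing in this hunk has set errno, so the user gets an unrelated system error string after "encryption key must be ...". Use errx(1, ...) for these two validation failures. The hex branch also checks only the string length (2, 12 or 28 including the "0x" prefix) and nothing visible here verifies that the remaining characters are hex digits, so confirm that the conversion further down rejects a "0x" prefix followed by non-hex characters. Minor: "if(keylen" is missing the space after "if" that the surrounding lines use, and keylen is an int receiving a size_t from strlen().
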
@@ -323,6 +333,7 @@
 	struct wi_req		*wreq;
 {
 	int			i, j;
+	int			isprintable;
 	struct wi_key		*k;
 	struct wi_ltv_keys	*keys;
 	char			*ptr;
@@ -332,12 +343,24 @@
 	for (i = 0; i < 4; i++) {
 		k = &keys->wi_keys[i];
 		ptr = (char *)k->wi_keydat;
+		isprintable = 1;
 		for (j = 0; j < k->wi_keylen; j++) {
-			if (ptr[i] == '\0')
-				ptr[i] = ' ';
+			if (!isprint(ptr[j])) {
+				isprintable = 0;
+				break;
+			}
+		}
+		if(isprintable) {
+			ptr[j] = '\0';
+			printf("[ %s ]", ptr);
+		} else {
+			printf("[ 0x");
+			for (j = 0; j < k->wi_keylen; j++) {
+				printf("%02x", ptr[j] & 0xFF);
+			}
+			printf(" ]");
+					
 		}
-		ptr[j] = '\0';
-		printf("[ %s ]", ptr);
 	}
 
 	return;
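
Review bot: In the new scan loop, isprint(ptr[j]) is passed a plain char; where char is signed, key bytes at or above 0x80 become negative, which is undefined behaviour for the ctype functions. Cast the argument, as in isprint((unsigned char)ptr[j]), in the same spirit as the "& 0xFF" mask the hex branch already applies. In the printable branch, ptr[j] = '\0' writes at index wi_keylen, one byte past the key, into the buffer returned by the driver; printing with printf("[ %.*s ]", k->wi_keylen, ptr) avoids modifying that buffer and does not depend on wi_keydat having a spare byte. There is also a whitespace-only line left after printf(" ]");.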


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->wpaul 
Responsible-Changed-By: johan 
Responsible-Changed-When: Sat Sep 16 04:24:04 PDT 2000 
Responsible-Changed-Why:  
Over to wi(4) / wicontrol(8) maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21245 
State-Changed-From-To: open->closed 
State-Changed-By: wpaul 
State-Changed-When: Wed Sep 20 17:27:16 PDT 2000 
State-Changed-Why:  
Patch applied to -current and -stable (with one minor tweak, errx() instead 
of err()). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21245 
>Unformatted:
