3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-09 13:39:23 +01:00
Commit Graph

66 Commits

Author SHA1 Message Date
James Prestwood
53e68b64b2 crypto: allow NULL 'ad' to aes_siv_encrypt 2021-12-16 12:16:02 -06:00
James Prestwood
876fe9f210 crypto: use void* for hkdf_expand
This makes it more flexible for other storage types
2021-11-22 15:29:31 -06:00
James Prestwood
b735c90c42 crypto: use void* args for aes_siv_{encrypt,decrypt}
This makes these APIs more flexible for other storage types
2021-11-22 15:29:27 -06:00
Denis Kenzior
30d32e4a58 treewide: Remove non-ascii characters 2021-07-28 10:03:27 -05:00
Denis Kenzior
d12ac0fa71 crypto: Generalize kdf_sha{256|384} as crypto_kdf
This also allows us to easily implement KDF with SHA512
2021-07-14 09:58:42 -05:00
Denis Kenzior
993a934803 crypto: Expose crypto_sae_hash_from_ecc_prime_len 2021-07-14 09:58:42 -05:00
Denis Kenzior
77e387dd0c crypto: Add crypto_derive_sae_pwe_from_pt_ecc 2021-07-14 09:58:42 -05:00
Denis Kenzior
277437f3d6 crypto: Add crypto_derive_sae_pt_ecc 2021-07-07 21:03:19 -05:00
Denis Kenzior
fbe8b7a3c0 crypto: Add prf_plus function
PRF+ from RFC 5295 is the more generic function using which HKDF_Expand
is defined.  Allow this function to take a vararg list of arguments to
be hashed (these are referred to as 'S' in the RFCs).

Implement hkdf_expand in terms of prf_plus and update all uses to the
new syntax.
2021-06-29 20:37:38 -05:00
Denis Kenzior
412fea3ffa crypto: Make hkdf_extract take void *
This makes it easier to use from unit tests and other places which might
be dealing with const char * data.
2021-06-29 11:55:16 -05:00
Andrew Zaborowski
0b5e7ab7bb crypto: Check for l_cipher_decrypt error 2021-02-10 11:56:24 -06:00
Andrew Zaborowski
9ef3d51f87 crypto: Update l_pkcs5_pbkdf2 call after rename 2021-01-07 14:05:40 -06:00
Ard Biesheuvel
1db8a85a60 crypto: incorporate C implementation of ARC4
Incorporate the LGPL v2.1 licensed implementation of ARC4, taken from
the Nettle project (https://git.lysator.liu.se/nettle/nettle.git,
commit 3e7a480a1e351884), and tweak it a bit so we don't have to
operate on a skip buffer to fast forward the stream cipher, but can
simply invoke it with NULL dst or src arguments to achieve the same.

This removes the dependency [via libell] on the OS's implementation of
ecb(arc4), which may be going away, and which is not usually accelerated
in the first place.
2020-08-03 16:28:24 -05:00
Rosen Penev
a47609acbe iwd: remove unnecessary semicolons
Found with clang's -Wextra-semi-stmt
2020-04-08 21:02:15 -05:00
Tim Kourt
1b483c3963 crypto: Add support for PRF+ SHA1
The PRF+ algorithm is based Internet Key Exchange (IKEv2) Protocol:
	https://www.ietf.org/rfc/rfc4306.txt
2019-12-09 01:47:11 -06:00
Marcel Holtmann
152b56a12a treewide: Move the Intel copyright forward to 2019 2019-10-25 00:43:08 +02:00
James Prestwood
a8e935ee77 crypto: fix potential memory leak 2019-10-16 17:58:50 -05:00
Will Dietz
f74e6ff2f2 crypto: fix copy size causing overruns/crashing
num_ad is already accounted for in `sizeof(iov)`
as iov has size `sizeof(struct iovec) * (num_ad+1)`.
2019-10-03 12:25:57 -05:00
James Prestwood
42e083cf9b crypto: add crypto_passphrase_is_valid
Move this check out of crypto_psk_from_passphrase so other modules
can validate a passphrase.
2019-09-18 16:48:07 -05:00
James Prestwood
bc381bd8c3 crypto: update FT derivation functions to use sha384
FILS-FT requires the SHA384 KDF to derive the FT keys
2019-05-22 16:14:14 -05:00
James Prestwood
e109e1b1cf crypto: pass xxkey length for crypto_derive_pmk_r0
FILS-FT has a special derivation for xxkey, and depending on AKM
the key may be 32 or 48 bytes long.
2019-05-22 16:13:57 -05:00
James Prestwood
62097e7d82 crypto: allow PTK derivation using SHA384
crypto_derive_pairwise_ptk was taking a boolean to decide whether to
use SHA1 or SHA256, but for FILS SHA384 may also be required for
rekeys depending on the AKM.

crypto_derive_pairwise_ptk was changed to take l_checksum_type instead
of a boolean to allow for all 3 SHA types.
2019-04-26 12:28:40 -05:00
Denis Kenzior
89017afdb2 crypto: Skip aes-ctr decryption for in_len = 16
If the input length is 16 bytes, this means aes_siv_decrypt should
only be verifying the 16 byte SIV and not decrypting any data. If
this is the case, we can skip over the whole AES-CTR portion of
AES-SIV and only verify the SIV.
2019-04-17 18:59:27 -05:00
James Prestwood
5e28b314a7 crypto: add aes_siv_{encrypt,decrypt}
FILS requires AES-SIV for rekeys
2019-04-17 13:55:11 -05:00
James Prestwood
e9618d97a8 crypto: add kdf_sha384
FILS requires the SHA384 KDF variant.
2019-04-05 17:58:03 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Andrew Zaborowski
fa7db4be4d eap,eapol,crypto: Replace uses of memset with explicit_bzero
Replace existing uses of memset to clear secrets with explicit_bzero to
make sure it doesn't get optimized away.  This has some side effects as
documented in gcc docs but is still recommended.

In eap_secret_info_free make sure we clear both strings in the case of
EAP_SECRET_REMOTE_USER_PASSWORD secrets.
2019-03-21 20:28:14 -05:00
Andrew Zaborowski
881fbd1d80 crypto: Memzero copies of secrets 2019-03-21 09:33:40 -05:00
Andrew Zaborowski
c9490ce657 crypto: Optimize hkdf_expand slightly
Remove an unneeded buffer and its memcpy, remove the now unneeded use of
l_checksum_digest_length and use l_checksum_reset instead of creating a
new l_checksum for each chunk.
2019-01-22 11:40:07 -06:00
James Prestwood
7bfaf182e6 crypto: allow hkdf_expand/extract to use different SHA's
Rather than hard coding to SHA256, we can pass in l_checksum_type
and use that SHA. This will allow for OWE/SAE/PWD to support more
curves that use different SHA algorithms for hashing.
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
37cfec01a2 crypto: add hmac_sha384
To support OWE group 20, which uses HMAC-SHA384 for hashing the PMK
2019-01-15 15:07:26 -06:00
James Prestwood
40685e8fe3 crypto: implement HKDF-Expand (RFC 5869)
This will be required by OWE
2018-11-16 16:38:28 -06:00
James Prestwood
0b42ca7c30 crypto: renamed hkdf_256
The RFC (5869) for this implementation defines two functions,
HKDF-Extract and HKDF-Expand. The existing 'hkdf_256' was implementing
the Extract function, so it was renamed appropriately. The name was
changed for consistency when the Expand function will be added in the
future.
2018-11-16 16:30:22 -06:00
Marcel Holtmann
9b2bb2723f crypto: Use full include path local includes 2018-10-26 21:35:27 +02:00
James Prestwood
397bf9c0bd crypto: pwd: sae: Made H function common
The "H" function used by SAE and EAP-PWD was effectively the same
function, EAP-PWD just used a zero key for its calls. This removes
the duplicate implementations and merges them into crypto.c as
"hkdf_256".

Since EAP-PWD always uses a zero'ed key, passing in a NULL key to
hkdf_256 will actually use a 32 byte zero'ed array as the key. This
avoids the need for EAP-PWD to store or create a zero'ed key for
every call.

Both the original "H" functions never called va_end, so that was
added to hkdf_256.
2018-09-05 11:12:54 -05:00
Andrew Zaborowski
ba78950c83 crypto: Use l_pkcs5_pbkdf2 in place of local pbkdf2_sha1 2017-10-09 14:34:31 -05:00
Denis Kenzior
6d6fa57550 crypto: Make aes_unwrap look similar to aes_wrap
Running basic performance testing on x86 shows new and old code within a
few percent of each other.  The main penalty is the AES AF_ALG
invocation.
2017-08-31 13:00:46 -05:00
Andrew Zaborowski
4f865ba9f8 crypto: Implement aes_wrap
Add the inverse of aes_unwrap for eapol server usage.
2017-08-31 12:53:53 -05:00
Andrew Zaborowski
f66ae1e481 crypto: remove unneeded assignments in aes_unwrap
A is present in the specification but in practice B always contains A so
drop A.
2017-08-30 22:47:08 -05:00
Denis Kenzior
ff319b8234 crypto: Fix valgrind warning
==40686== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==40686==    at 0x5147037: sendmsg (in /usr/lib64/libc-2.24.so)
==40686==    by 0x43957C: operate_cipher (cipher.c:354)
==40686==    by 0x439C18: l_cipher_decrypt (cipher.c:415)
==40686==    by 0x40FAB8: arc4_skip (crypto.c:181)

Initialize the skip buffer to 0s.  This isn't strictly necessary, but
hides the above valgrind warning.

The aim of arc4 skip is simply to seed some data into the RC4 cipher so
it makes it harder for the attacker to decrypt.  This 'initialization'
doesn't really care what data is fed.
2017-06-06 13:33:08 -05:00
Denis Kenzior
7e2e965eb7 crypto: Optimize arc4_skip 2017-06-06 13:32:14 -05:00
Andrew Zaborowski
0f6685bf45 crypto: Add crypto_derive_pmkid
Calculates the PMKID for given PMK
2017-04-17 14:24:02 -05:00
Andrew Zaborowski
443e363c20 crypto: Implement crypto_derive_ft_ptk 2016-09-06 13:50:17 -05:00
Andrew Zaborowski
efbbe9870b crypto: Implement crypto_derive_pmk_r1 2016-09-06 13:48:50 -05:00
Andrew Zaborowski
994ffd94c5 crypto: Implement crypto_derive_pmk_r0 2016-09-06 13:47:18 -05:00
Denis Kenzior
5d2c5b3b71 crypto: Add some missing whitespace 2016-08-22 15:54:24 -05:00
Denis Kenzior
eb539ddd82 crypto: Add D-H MODP Group 5 prime & generator 2016-08-15 10:47:36 -05:00
Denis Kenzior
e084839b4f crypto: Prepare for SHA256 based PTK derivation 2016-02-10 16:54:55 -06:00