3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-05 19:49:23 +01:00
Commit Graph

44 Commits

Author SHA1 Message Date
Denis Kenzior
89017afdb2 crypto: Skip aes-ctr decryption for in_len = 16
If the input length is 16 bytes, this means aes_siv_decrypt should
only be verifying the 16 byte SIV and not decrypting any data. If
this is the case, we can skip over the whole AES-CTR portion of
AES-SIV and only verify the SIV.
2019-04-17 18:59:27 -05:00
James Prestwood
5e28b314a7 crypto: add aes_siv_{encrypt,decrypt}
FILS requires AES-SIV for rekeys
2019-04-17 13:55:11 -05:00
James Prestwood
e9618d97a8 crypto: add kdf_sha384
FILS requires the SHA384 KDF variant.
2019-04-05 17:58:03 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Andrew Zaborowski
fa7db4be4d eap,eapol,crypto: Replace uses of memset with explicit_bzero
Replace existing uses of memset to clear secrets with explicit_bzero to
make sure it doesn't get optimized away.  This has some side effects as
documented in gcc docs but is still recommended.

In eap_secret_info_free make sure we clear both strings in the case of
EAP_SECRET_REMOTE_USER_PASSWORD secrets.
2019-03-21 20:28:14 -05:00
Andrew Zaborowski
881fbd1d80 crypto: Memzero copies of secrets 2019-03-21 09:33:40 -05:00
Andrew Zaborowski
c9490ce657 crypto: Optimize hkdf_expand slightly
Remove an unneeded buffer and its memcpy, remove the now unneeded use of
l_checksum_digest_length and use l_checksum_reset instead of creating a
new l_checksum for each chunk.
2019-01-22 11:40:07 -06:00
James Prestwood
7bfaf182e6 crypto: allow hkdf_expand/extract to use different SHA's
Rather than hard coding to SHA256, we can pass in l_checksum_type
and use that SHA. This will allow for OWE/SAE/PWD to support more
curves that use different SHA algorithms for hashing.
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
37cfec01a2 crypto: add hmac_sha384
To support OWE group 20, which uses HMAC-SHA384 for hashing the PMK
2019-01-15 15:07:26 -06:00
James Prestwood
40685e8fe3 crypto: implement HKDF-Expand (RFC 5869)
This will be required by OWE
2018-11-16 16:38:28 -06:00
James Prestwood
0b42ca7c30 crypto: renamed hkdf_256
The RFC (5869) for this implementation defines two functions,
HKDF-Extract and HKDF-Expand. The existing 'hkdf_256' was implementing
the Extract function, so it was renamed appropriately. The name was
changed for consistency when the Expand function will be added in the
future.
2018-11-16 16:30:22 -06:00
Marcel Holtmann
9b2bb2723f crypto: Use full include path local includes 2018-10-26 21:35:27 +02:00
James Prestwood
397bf9c0bd crypto: pwd: sae: Made H function common
The "H" function used by SAE and EAP-PWD was effectively the same
function, EAP-PWD just used a zero key for its calls. This removes
the duplicate implementations and merges them into crypto.c as
"hkdf_256".

Since EAP-PWD always uses a zero'ed key, passing in a NULL key to
hkdf_256 will actually use a 32 byte zero'ed array as the key. This
avoids the need for EAP-PWD to store or create a zero'ed key for
every call.

Both the original "H" functions never called va_end, so that was
added to hkdf_256.
2018-09-05 11:12:54 -05:00
Andrew Zaborowski
ba78950c83 crypto: Use l_pkcs5_pbkdf2 in place of local pbkdf2_sha1 2017-10-09 14:34:31 -05:00
Denis Kenzior
6d6fa57550 crypto: Make aes_unwrap look similar to aes_wrap
Running basic performance testing on x86 shows new and old code within a
few percent of each other.  The main penalty is the AES AF_ALG
invocation.
2017-08-31 13:00:46 -05:00
Andrew Zaborowski
4f865ba9f8 crypto: Implement aes_wrap
Add the inverse of aes_unwrap for eapol server usage.
2017-08-31 12:53:53 -05:00
Andrew Zaborowski
f66ae1e481 crypto: remove unneeded assignments in aes_unwrap
A is present in the specification but in practice B always contains A so
drop A.
2017-08-30 22:47:08 -05:00
Denis Kenzior
ff319b8234 crypto: Fix valgrind warning
==40686== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==40686==    at 0x5147037: sendmsg (in /usr/lib64/libc-2.24.so)
==40686==    by 0x43957C: operate_cipher (cipher.c:354)
==40686==    by 0x439C18: l_cipher_decrypt (cipher.c:415)
==40686==    by 0x40FAB8: arc4_skip (crypto.c:181)

Initialize the skip buffer to 0s.  This isn't strictly necessary, but
hides the above valgrind warning.

The aim of arc4 skip is simply to seed some data into the RC4 cipher so
it makes it harder for the attacker to decrypt.  This 'initialization'
doesn't really care what data is fed.
2017-06-06 13:33:08 -05:00
Denis Kenzior
7e2e965eb7 crypto: Optimize arc4_skip 2017-06-06 13:32:14 -05:00
Andrew Zaborowski
0f6685bf45 crypto: Add crypto_derive_pmkid
Calculates the PMKID for given PMK
2017-04-17 14:24:02 -05:00
Andrew Zaborowski
443e363c20 crypto: Implement crypto_derive_ft_ptk 2016-09-06 13:50:17 -05:00
Andrew Zaborowski
efbbe9870b crypto: Implement crypto_derive_pmk_r1 2016-09-06 13:48:50 -05:00
Andrew Zaborowski
994ffd94c5 crypto: Implement crypto_derive_pmk_r0 2016-09-06 13:47:18 -05:00
Denis Kenzior
5d2c5b3b71 crypto: Add some missing whitespace 2016-08-22 15:54:24 -05:00
Denis Kenzior
eb539ddd82 crypto: Add D-H MODP Group 5 prime & generator 2016-08-15 10:47:36 -05:00
Denis Kenzior
e084839b4f crypto: Prepare for SHA256 based PTK derivation 2016-02-10 16:54:55 -06:00
Denis Kenzior
39444ab532 crypto: Add SHA256 based KDF 2016-02-10 16:30:22 -06:00
Denis Kenzior
3320d31ead sha1: Remove sha1.[ch] 2016-02-10 14:36:14 -06:00
Denis Kenzior
ac4a901518 crypto: move pbkdf2_sha1 to crypto.c 2016-02-10 14:32:27 -06:00
Denis Kenzior
6199960b52 crypto: Move + rework prf_sha1 into crypto.c 2016-02-10 14:16:32 -06:00
Denis Kenzior
064f1e0df9 crypto: Move hmac_sha1 to crypto.c 2016-02-10 14:12:46 -06:00
Denis Kenzior
ad3e0b6bf2 arc4: Remove and move to src/crypto.c 2015-02-18 21:11:37 -06:00
Denis Kenzior
b3e617838d aes: Remove and move to src/crypto.c 2015-02-18 21:02:09 -06:00
Denis Kenzior
260ef5bb9d md5: Remove and move to src/crypto.c 2015-02-18 20:56:18 -06:00
Denis Kenzior
02d101e3d7 sha256: Remove and move to src/crypto.c 2015-02-18 20:45:52 -06:00
Denis Kenzior
5e7771ef66 crypto: Add crypto_derive_pairwise_ptk 2014-12-27 22:34:39 -06:00
Denis Kenzior
1c4e3bc774 crypto: Make const correct 2014-12-27 22:34:39 -06:00
Denis Kenzior
dab93ef14a crypto: Update comment 2014-12-27 22:34:39 -06:00
Denis Kenzior
f647e03166 crypto: Add crypto_cipher_tk_bits 2014-12-27 22:34:39 -06:00
Denis Kenzior
07c8876d9e crypto: Add crypto_cipher_key_len 2014-12-27 22:34:39 -06:00
Denis Kenzior
0693740731 crypto: Add crypto_derive_ptk 2014-12-27 22:34:39 -06:00
Denis Kenzior
d87d7d469f crypto: Add passphrase generation utility 2014-11-14 21:41:28 -06:00