3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-28 12:39:29 +01:00
Commit Graph

77 Commits

Author SHA1 Message Date
Rudi Heitbaum
fa25de4ad1 crypto: fix -std=c23 build failure
gcc-15 switched to -std=c23 by default:

    https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=55e3bd376b2214e200fa76d12b67ff259b06c212

As a result `iwd` fails the build as:

    ../src/crypto.c:1215:24: error: incompatible types when returning type '_Bool' but 'struct l_ecc_point *' was expected
     1215 |                 return false;
          |                        ^~~~~

Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
2024-11-20 11:36:20 -06:00
Denis Kenzior
e565b75032 defs: Add defs.h to hold certain global definitions
This will help to get rid of magic number use throughout the project.
The definitions should be limited to global magic numbers that are used
throughout the project, for example SSID length, MAC address length,
etc.
2024-08-23 11:17:20 -05:00
James Prestwood
14aa333a39 crypto: fix uninitialized variable coverity warning
Same as for aes_siv_decrypt, check num_ads before calling memcpy.
2024-02-27 16:04:11 -06:00
James Prestwood
ee52968043 crypto: fix uninitialized variable coverity warning
For some encrypt operations DPP passes no AD iovecs (both are
NULL/0). But since the iovec itself is on the stack 'ad' is a
valid pointer from within aes_siv_encrypt. This causes memcpy
to be called which coverity complains about. Since the copy
length is zero it was effectively a no-op, but check num_ad to
prevent the call.
2024-02-27 14:33:33 -06:00
James Prestwood
6320d6db0f crypto: remove label from prf_plus, instead use va_args
The prf_plus API was a bit restrictive because it only took a
string label which isn't compatible with some specs (e.g. DPP
inputs to HKDF-Expand). In addition it took additional label
aruments which were appended to the HMAC call (and the
non-intuitive '\0' if there were extra arguments).

Instead the label argument has been removed and callers can pass
it in through va_args. This also lets the caller decided the length
and can include the '\0' or not, dependent on the spec the caller
is following.
2023-10-17 10:13:42 -05:00
Denis Kenzior
600bea73ec crypto: use SWAP from useful.h 2023-10-11 09:58:31 -05:00
James Prestwood
ae76fa876f crypto: modify crypto_derive_pmkid to take the length/checksum type
The existing API was limited to SHA1 or SHA256 and assumed a key
length of 32 bytes. Since other AKMs plan to be added update
this to take the checksum/length directly for better flexibility.
2023-06-26 21:32:11 -05:00
Denis Kenzior
ec3085e932 crypto: Add new cipher definitions 2022-10-24 11:05:24 -05:00
Denis Kenzior
201b85e8da crypto: Rename BIP to BIP_CMAC
To match the spec more closely.  Several additional BIP algorithms are
being introduced, including BIP_GMAC_128|256 and BIP_CMAC_256.
2022-10-24 11:05:24 -05:00
Denis Kenzior
fe95cbe077 treewide: Various style fixups
- Mostly problems with whitespace:
	- Use of spaces instead of tabs
	- Stray spaces before closing ')
	- Missing spaces

- Missing 'void' from function declarations & definitions that
  take no arguments.

- Wrong indentation level
2022-01-11 11:07:05 -06:00
James Prestwood
1a27cd1548 crypto: allow NULL 'ad' to aes_siv_decrypt 2021-12-16 12:16:31 -06:00
James Prestwood
53e68b64b2 crypto: allow NULL 'ad' to aes_siv_encrypt 2021-12-16 12:16:02 -06:00
James Prestwood
876fe9f210 crypto: use void* for hkdf_expand
This makes it more flexible for other storage types
2021-11-22 15:29:31 -06:00
James Prestwood
b735c90c42 crypto: use void* args for aes_siv_{encrypt,decrypt}
This makes these APIs more flexible for other storage types
2021-11-22 15:29:27 -06:00
Denis Kenzior
30d32e4a58 treewide: Remove non-ascii characters 2021-07-28 10:03:27 -05:00
Denis Kenzior
d12ac0fa71 crypto: Generalize kdf_sha{256|384} as crypto_kdf
This also allows us to easily implement KDF with SHA512
2021-07-14 09:58:42 -05:00
Denis Kenzior
993a934803 crypto: Expose crypto_sae_hash_from_ecc_prime_len 2021-07-14 09:58:42 -05:00
Denis Kenzior
77e387dd0c crypto: Add crypto_derive_sae_pwe_from_pt_ecc 2021-07-14 09:58:42 -05:00
Denis Kenzior
277437f3d6 crypto: Add crypto_derive_sae_pt_ecc 2021-07-07 21:03:19 -05:00
Denis Kenzior
fbe8b7a3c0 crypto: Add prf_plus function
PRF+ from RFC 5295 is the more generic function using which HKDF_Expand
is defined.  Allow this function to take a vararg list of arguments to
be hashed (these are referred to as 'S' in the RFCs).

Implement hkdf_expand in terms of prf_plus and update all uses to the
new syntax.
2021-06-29 20:37:38 -05:00
Denis Kenzior
412fea3ffa crypto: Make hkdf_extract take void *
This makes it easier to use from unit tests and other places which might
be dealing with const char * data.
2021-06-29 11:55:16 -05:00
Andrew Zaborowski
0b5e7ab7bb crypto: Check for l_cipher_decrypt error 2021-02-10 11:56:24 -06:00
Andrew Zaborowski
9ef3d51f87 crypto: Update l_pkcs5_pbkdf2 call after rename 2021-01-07 14:05:40 -06:00
Ard Biesheuvel
1db8a85a60 crypto: incorporate C implementation of ARC4
Incorporate the LGPL v2.1 licensed implementation of ARC4, taken from
the Nettle project (https://git.lysator.liu.se/nettle/nettle.git,
commit 3e7a480a1e351884), and tweak it a bit so we don't have to
operate on a skip buffer to fast forward the stream cipher, but can
simply invoke it with NULL dst or src arguments to achieve the same.

This removes the dependency [via libell] on the OS's implementation of
ecb(arc4), which may be going away, and which is not usually accelerated
in the first place.
2020-08-03 16:28:24 -05:00
Rosen Penev
a47609acbe iwd: remove unnecessary semicolons
Found with clang's -Wextra-semi-stmt
2020-04-08 21:02:15 -05:00
Tim Kourt
1b483c3963 crypto: Add support for PRF+ SHA1
The PRF+ algorithm is based Internet Key Exchange (IKEv2) Protocol:
	https://www.ietf.org/rfc/rfc4306.txt
2019-12-09 01:47:11 -06:00
Marcel Holtmann
152b56a12a treewide: Move the Intel copyright forward to 2019 2019-10-25 00:43:08 +02:00
James Prestwood
a8e935ee77 crypto: fix potential memory leak 2019-10-16 17:58:50 -05:00
Will Dietz
f74e6ff2f2 crypto: fix copy size causing overruns/crashing
num_ad is already accounted for in `sizeof(iov)`
as iov has size `sizeof(struct iovec) * (num_ad+1)`.
2019-10-03 12:25:57 -05:00
James Prestwood
42e083cf9b crypto: add crypto_passphrase_is_valid
Move this check out of crypto_psk_from_passphrase so other modules
can validate a passphrase.
2019-09-18 16:48:07 -05:00
James Prestwood
bc381bd8c3 crypto: update FT derivation functions to use sha384
FILS-FT requires the SHA384 KDF to derive the FT keys
2019-05-22 16:14:14 -05:00
James Prestwood
e109e1b1cf crypto: pass xxkey length for crypto_derive_pmk_r0
FILS-FT has a special derivation for xxkey, and depending on AKM
the key may be 32 or 48 bytes long.
2019-05-22 16:13:57 -05:00
James Prestwood
62097e7d82 crypto: allow PTK derivation using SHA384
crypto_derive_pairwise_ptk was taking a boolean to decide whether to
use SHA1 or SHA256, but for FILS SHA384 may also be required for
rekeys depending on the AKM.

crypto_derive_pairwise_ptk was changed to take l_checksum_type instead
of a boolean to allow for all 3 SHA types.
2019-04-26 12:28:40 -05:00
Denis Kenzior
89017afdb2 crypto: Skip aes-ctr decryption for in_len = 16
If the input length is 16 bytes, this means aes_siv_decrypt should
only be verifying the 16 byte SIV and not decrypting any data. If
this is the case, we can skip over the whole AES-CTR portion of
AES-SIV and only verify the SIV.
2019-04-17 18:59:27 -05:00
James Prestwood
5e28b314a7 crypto: add aes_siv_{encrypt,decrypt}
FILS requires AES-SIV for rekeys
2019-04-17 13:55:11 -05:00
James Prestwood
e9618d97a8 crypto: add kdf_sha384
FILS requires the SHA384 KDF variant.
2019-04-05 17:58:03 -05:00
Marcel Holtmann
3f3e778719 build: Add support for including fallbacks for missing defines 2019-04-03 18:34:22 +02:00
Andrew Zaborowski
fa7db4be4d eap,eapol,crypto: Replace uses of memset with explicit_bzero
Replace existing uses of memset to clear secrets with explicit_bzero to
make sure it doesn't get optimized away.  This has some side effects as
documented in gcc docs but is still recommended.

In eap_secret_info_free make sure we clear both strings in the case of
EAP_SECRET_REMOTE_USER_PASSWORD secrets.
2019-03-21 20:28:14 -05:00
Andrew Zaborowski
881fbd1d80 crypto: Memzero copies of secrets 2019-03-21 09:33:40 -05:00
Andrew Zaborowski
c9490ce657 crypto: Optimize hkdf_expand slightly
Remove an unneeded buffer and its memcpy, remove the now unneeded use of
l_checksum_digest_length and use l_checksum_reset instead of creating a
new l_checksum for each chunk.
2019-01-22 11:40:07 -06:00
James Prestwood
7bfaf182e6 crypto: allow hkdf_expand/extract to use different SHA's
Rather than hard coding to SHA256, we can pass in l_checksum_type
and use that SHA. This will allow for OWE/SAE/PWD to support more
curves that use different SHA algorithms for hashing.
2019-01-17 15:20:28 -06:00
James Prestwood
2c82d6b223 crypto: pass PMK length to crypto_derive_pairwise_ptk
Right now the PMK is hard coded to 32 bytes, which works for the vast
majority of cases. The only outlier is OWE which can generate a PMK
of 32, 48 or 64 bytes depending on the ECC group used. The PMK length
is already stored in the handshake, so now we can just pass that to
crypto_derive_pairwise_ptk
2019-01-17 15:20:28 -06:00
James Prestwood
6771a06463 crypto/handshake/eapol: Allow other PTK lengths
The crypto_ptk was hard coded for 16 byte KCK/KEK. Depending on the
AKM these can be up to 32 bytes. This changes completely removes the
crypto_ptk struct and adds getters to the handshake object for the
kck and kek. Like before the PTK is derived into a continuous buffer,
and the kck/kek getters take care of returning the proper key offset
depending on AKM.

To allow for larger than 16 byte keys aes_unwrap needed to be
modified to take the kek length.
2019-01-17 15:20:28 -06:00
James Prestwood
37cfec01a2 crypto: add hmac_sha384
To support OWE group 20, which uses HMAC-SHA384 for hashing the PMK
2019-01-15 15:07:26 -06:00
James Prestwood
40685e8fe3 crypto: implement HKDF-Expand (RFC 5869)
This will be required by OWE
2018-11-16 16:38:28 -06:00
James Prestwood
0b42ca7c30 crypto: renamed hkdf_256
The RFC (5869) for this implementation defines two functions,
HKDF-Extract and HKDF-Expand. The existing 'hkdf_256' was implementing
the Extract function, so it was renamed appropriately. The name was
changed for consistency when the Expand function will be added in the
future.
2018-11-16 16:30:22 -06:00
Marcel Holtmann
9b2bb2723f crypto: Use full include path local includes 2018-10-26 21:35:27 +02:00
James Prestwood
397bf9c0bd crypto: pwd: sae: Made H function common
The "H" function used by SAE and EAP-PWD was effectively the same
function, EAP-PWD just used a zero key for its calls. This removes
the duplicate implementations and merges them into crypto.c as
"hkdf_256".

Since EAP-PWD always uses a zero'ed key, passing in a NULL key to
hkdf_256 will actually use a 32 byte zero'ed array as the key. This
avoids the need for EAP-PWD to store or create a zero'ed key for
every call.

Both the original "H" functions never called va_end, so that was
added to hkdf_256.
2018-09-05 11:12:54 -05:00
Andrew Zaborowski
ba78950c83 crypto: Use l_pkcs5_pbkdf2 in place of local pbkdf2_sha1 2017-10-09 14:34:31 -05:00
Denis Kenzior
6d6fa57550 crypto: Make aes_unwrap look similar to aes_wrap
Running basic performance testing on x86 shows new and old code within a
few percent of each other.  The main penalty is the AES AF_ALG
invocation.
2017-08-31 13:00:46 -05:00