]>
Commit | Line | Data |
---|---|---|
d9c807ca JM |
1 | /* |
2 | * SHA384-based KDF (IEEE 802.11ac) | |
ef238385 | 3 | * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi> |
d9c807ca JM |
4 | * |
5 | * This software may be distributed under the terms of the BSD license. | |
6 | * See README for more details. | |
7 | */ | |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
12 | #include "sha384.h" | |
13 | #include "crypto.h" | |
14 | ||
15 | ||
16 | /** | |
17 | * sha384_prf - SHA384-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2) | |
18 | * @key: Key for KDF | |
19 | * @key_len: Length of the key in bytes | |
20 | * @label: A unique label for each purpose of the PRF | |
21 | * @data: Extra data to bind into the key | |
22 | * @data_len: Length of the data | |
23 | * @buf: Buffer for the generated pseudo-random key | |
24 | * @buf_len: Number of bytes of key to generate | |
ef238385 | 25 | * Returns: 0 on success, -1 on failure |
d9c807ca JM |
26 | * |
27 | * This function is used to derive new, cryptographically separate keys from a | |
28 | * given key. | |
29 | */ | |
ef238385 JM |
30 | int sha384_prf(const u8 *key, size_t key_len, const char *label, |
31 | const u8 *data, size_t data_len, u8 *buf, size_t buf_len) | |
d9c807ca | 32 | { |
ef238385 JM |
33 | return sha384_prf_bits(key, key_len, label, data, data_len, buf, |
34 | buf_len * 8); | |
d9c807ca JM |
35 | } |
36 | ||
37 | ||
38 | /** | |
39 | * sha384_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function | |
40 | * @key: Key for KDF | |
41 | * @key_len: Length of the key in bytes | |
42 | * @label: A unique label for each purpose of the PRF | |
43 | * @data: Extra data to bind into the key | |
44 | * @data_len: Length of the data | |
45 | * @buf: Buffer for the generated pseudo-random key | |
46 | * @buf_len: Number of bits of key to generate | |
ef238385 | 47 | * Returns: 0 on success, -1 on failure |
d9c807ca JM |
48 | * |
49 | * This function is used to derive new, cryptographically separate keys from a | |
50 | * given key. If the requested buf_len is not divisible by eight, the least | |
51 | * significant 1-7 bits of the last octet in the output are not part of the | |
52 | * requested output. | |
53 | */ | |
ef238385 JM |
54 | int sha384_prf_bits(const u8 *key, size_t key_len, const char *label, |
55 | const u8 *data, size_t data_len, u8 *buf, | |
56 | size_t buf_len_bits) | |
d9c807ca JM |
57 | { |
58 | u16 counter = 1; | |
59 | size_t pos, plen; | |
60 | u8 hash[SHA384_MAC_LEN]; | |
61 | const u8 *addr[4]; | |
62 | size_t len[4]; | |
63 | u8 counter_le[2], length_le[2]; | |
64 | size_t buf_len = (buf_len_bits + 7) / 8; | |
65 | ||
66 | addr[0] = counter_le; | |
67 | len[0] = 2; | |
68 | addr[1] = (u8 *) label; | |
69 | len[1] = os_strlen(label); | |
70 | addr[2] = data; | |
71 | len[2] = data_len; | |
72 | addr[3] = length_le; | |
73 | len[3] = sizeof(length_le); | |
74 | ||
75 | WPA_PUT_LE16(length_le, buf_len_bits); | |
76 | pos = 0; | |
77 | while (pos < buf_len) { | |
78 | plen = buf_len - pos; | |
79 | WPA_PUT_LE16(counter_le, counter); | |
80 | if (plen >= SHA384_MAC_LEN) { | |
ef238385 JM |
81 | if (hmac_sha384_vector(key, key_len, 4, addr, len, |
82 | &buf[pos]) < 0) | |
83 | return -1; | |
d9c807ca JM |
84 | pos += SHA384_MAC_LEN; |
85 | } else { | |
ef238385 JM |
86 | if (hmac_sha384_vector(key, key_len, 4, addr, len, |
87 | hash) < 0) | |
88 | return -1; | |
d9c807ca JM |
89 | os_memcpy(&buf[pos], hash, plen); |
90 | pos += plen; | |
91 | break; | |
92 | } | |
93 | counter++; | |
94 | } | |
95 | ||
96 | /* | |
97 | * Mask out unused bits in the last octet if it does not use all the | |
98 | * bits. | |
99 | */ | |
100 | if (buf_len_bits % 8) { | |
101 | u8 mask = 0xff << (8 - buf_len_bits % 8); | |
102 | buf[pos - 1] &= mask; | |
103 | } | |
104 | ||
31bc66e4 | 105 | forced_memzero(hash, sizeof(hash)); |
ef238385 JM |
106 | |
107 | return 0; | |
d9c807ca | 108 | } |