]>
git.ipfire.org Git - thirdparty/hostap.git/blob - src/crypto/sha1-tlsprf.c
3 * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
17 * tls_prf_sha1_md5 - Pseudo-Random Function for TLS (TLS-PRF, RFC 2246)
18 * @secret: Key for PRF
19 * @secret_len: Length of the key in bytes
20 * @label: A unique label for each purpose of the PRF
21 * @seed: Seed value to bind into the key
22 * @seed_len: Length of the seed
23 * @out: Buffer for the generated pseudo-random key
24 * @outlen: Number of bytes of key to generate
25 * Returns: 0 on success, -1 on failure.
27 * This function is used to derive new, cryptographically separate keys from a
28 * given key in TLS. This PRF is defined in RFC 2246, Chapter 5.
30 int tls_prf_sha1_md5(const u8
*secret
, size_t secret_len
, const char *label
,
31 const u8
*seed
, size_t seed_len
, u8
*out
, size_t outlen
)
35 u8 A_MD5
[MD5_MAC_LEN
], A_SHA1
[SHA1_MAC_LEN
];
36 u8 P_MD5
[MD5_MAC_LEN
], P_SHA1
[SHA1_MAC_LEN
];
37 int MD5_pos
, SHA1_pos
;
38 const u8
*MD5_addr
[3];
40 const unsigned char *SHA1_addr
[3];
44 MD5_len
[0] = MD5_MAC_LEN
;
45 MD5_addr
[1] = (unsigned char *) label
;
46 MD5_len
[1] = os_strlen(label
);
48 MD5_len
[2] = seed_len
;
50 SHA1_addr
[0] = A_SHA1
;
51 SHA1_len
[0] = SHA1_MAC_LEN
;
52 SHA1_addr
[1] = (unsigned char *) label
;
53 SHA1_len
[1] = os_strlen(label
);
55 SHA1_len
[2] = seed_len
;
57 /* RFC 2246, Chapter 5
58 * A(0) = seed, A(i) = HMAC(secret, A(i-1))
59 * P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..
60 * PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
63 L_S1
= L_S2
= (secret_len
+ 1) / 2;
67 /* The last byte of S1 will be shared with S2 */
71 hmac_md5_vector(S1
, L_S1
, 2, &MD5_addr
[1], &MD5_len
[1], A_MD5
);
72 hmac_sha1_vector(S2
, L_S2
, 2, &SHA1_addr
[1], &SHA1_len
[1], A_SHA1
);
74 MD5_pos
= MD5_MAC_LEN
;
75 SHA1_pos
= SHA1_MAC_LEN
;
76 for (i
= 0; i
< outlen
; i
++) {
77 if (MD5_pos
== MD5_MAC_LEN
) {
78 hmac_md5_vector(S1
, L_S1
, 3, MD5_addr
, MD5_len
, P_MD5
);
80 hmac_md5(S1
, L_S1
, A_MD5
, MD5_MAC_LEN
, A_MD5
);
82 if (SHA1_pos
== SHA1_MAC_LEN
) {
83 hmac_sha1_vector(S2
, L_S2
, 3, SHA1_addr
, SHA1_len
,
86 hmac_sha1(S2
, L_S2
, A_SHA1
, SHA1_MAC_LEN
, A_SHA1
);
89 out
[i
] = P_MD5
[MD5_pos
] ^ P_SHA1
[SHA1_pos
];
95 forced_memzero(A_MD5
, MD5_MAC_LEN
);
96 forced_memzero(P_MD5
, MD5_MAC_LEN
);
97 forced_memzero(A_SHA1
, SHA1_MAC_LEN
);
98 forced_memzero(P_SHA1
, SHA1_MAC_LEN
);