Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 1 | /* |
| 2 | * SHA256-based PRF (IEEE 802.11r) |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 3 | * Copyright (c) 2003-2016, Jouni Malinen <j@w1.fi> |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 4 | * |
| 5 | * This software may be distributed under the terms of the BSD license. |
| 6 | * See README for more details. |
| 7 | */ |
| 8 | |
| 9 | #include "includes.h" |
| 10 | |
| 11 | #include "common.h" |
| 12 | #include "sha256.h" |
| 13 | #include "crypto.h" |
| 14 | |
| 15 | |
| 16 | /** |
| 17 | * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2) |
| 18 | * @key: Key for PRF |
| 19 | * @key_len: Length of the key in bytes |
| 20 | * @label: A unique label for each purpose of the PRF |
| 21 | * @data: Extra data to bind into the key |
| 22 | * @data_len: Length of the data |
| 23 | * @buf: Buffer for the generated pseudo-random key |
| 24 | * @buf_len: Number of bytes of key to generate |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 25 | * Returns: 0 on success, -1 on failure |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 26 | * |
| 27 | * This function is used to derive new, cryptographically separate keys from a |
| 28 | * given key. |
| 29 | */ |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 30 | int sha256_prf(const u8 *key, size_t key_len, const char *label, |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 31 | const u8 *data, size_t data_len, u8 *buf, size_t buf_len) |
| 32 | { |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 33 | return sha256_prf_bits(key, key_len, label, data, data_len, buf, |
| 34 | buf_len * 8); |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 35 | } |
| 36 | |
| 37 | |
| 38 | /** |
| 39 | * sha256_prf_bits - IEEE Std 802.11-2012, 11.6.1.7.2 Key derivation function |
| 40 | * @key: Key for KDF |
| 41 | * @key_len: Length of the key in bytes |
| 42 | * @label: A unique label for each purpose of the PRF |
| 43 | * @data: Extra data to bind into the key |
| 44 | * @data_len: Length of the data |
| 45 | * @buf: Buffer for the generated pseudo-random key |
| 46 | * @buf_len: Number of bits of key to generate |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 47 | * Returns: 0 on success, -1 on failure |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 48 | * |
| 49 | * This function is used to derive new, cryptographically separate keys from a |
| 50 | * given key. If the requested buf_len is not divisible by eight, the least |
| 51 | * significant 1-7 bits of the last octet in the output are not part of the |
| 52 | * requested output. |
| 53 | */ |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 54 | int sha256_prf_bits(const u8 *key, size_t key_len, const char *label, |
| 55 | const u8 *data, size_t data_len, u8 *buf, |
| 56 | size_t buf_len_bits) |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 57 | { |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 58 | u16 counter = 1; |
| 59 | size_t pos, plen; |
| 60 | u8 hash[SHA256_MAC_LEN]; |
| 61 | const u8 *addr[4]; |
| 62 | size_t len[4]; |
| 63 | u8 counter_le[2], length_le[2]; |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 64 | size_t buf_len = (buf_len_bits + 7) / 8; |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 65 | |
| 66 | addr[0] = counter_le; |
| 67 | len[0] = 2; |
| 68 | addr[1] = (u8 *) label; |
| 69 | len[1] = os_strlen(label); |
| 70 | addr[2] = data; |
| 71 | len[2] = data_len; |
| 72 | addr[3] = length_le; |
| 73 | len[3] = sizeof(length_le); |
| 74 | |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 75 | WPA_PUT_LE16(length_le, buf_len_bits); |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 76 | pos = 0; |
| 77 | while (pos < buf_len) { |
| 78 | plen = buf_len - pos; |
| 79 | WPA_PUT_LE16(counter_le, counter); |
| 80 | if (plen >= SHA256_MAC_LEN) { |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 81 | if (hmac_sha256_vector(key, key_len, 4, addr, len, |
| 82 | &buf[pos]) < 0) |
| 83 | return -1; |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 84 | pos += SHA256_MAC_LEN; |
| 85 | } else { |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 86 | if (hmac_sha256_vector(key, key_len, 4, addr, len, |
| 87 | hash) < 0) |
| 88 | return -1; |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 89 | os_memcpy(&buf[pos], hash, plen); |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 90 | pos += plen; |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 91 | break; |
| 92 | } |
| 93 | counter++; |
| 94 | } |
Dmitry Shmidt | a54fa5f | 2013-01-15 13:53:35 -0800 | [diff] [blame] | 95 | |
| 96 | /* |
| 97 | * Mask out unused bits in the last octet if it does not use all the |
| 98 | * bits. |
| 99 | */ |
| 100 | if (buf_len_bits % 8) { |
| 101 | u8 mask = 0xff << (8 - buf_len_bits % 8); |
| 102 | buf[pos - 1] &= mask; |
| 103 | } |
Dmitry Shmidt | 746bde5 | 2015-01-12 13:01:47 -0800 | [diff] [blame] | 104 | |
| 105 | os_memset(hash, 0, sizeof(hash)); |
Dmitry Shmidt | e466304 | 2016-04-04 10:07:49 -0700 | [diff] [blame^] | 106 | |
| 107 | return 0; |
Dmitry Shmidt | 61d9df3 | 2012-08-29 16:22:06 -0700 | [diff] [blame] | 108 | } |