Line data Source code
1 : /*
2 : * SHA256-based PRF (IEEE 802.11r)
3 : * Copyright (c) 2003-2013, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "includes.h"
10 :
11 : #include "common.h"
12 : #include "sha256.h"
13 : #include "crypto.h"
14 :
15 :
16 : /**
17 : * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2)
18 : * @key: Key for PRF
19 : * @key_len: Length of the key in bytes
20 : * @label: A unique label for each purpose of the PRF
21 : * @data: Extra data to bind into the key
22 : * @data_len: Length of the data
23 : * @buf: Buffer for the generated pseudo-random key
24 : * @buf_len: Number of bytes of key to generate
25 : *
26 : * This function is used to derive new, cryptographically separate keys from a
27 : * given key.
28 : */
29 1429 : void sha256_prf(const u8 *key, size_t key_len, const char *label,
30 : const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
31 : {
32 1429 : sha256_prf_bits(key, key_len, label, data, data_len, buf, buf_len * 8);
33 1429 : }
34 :
35 :
36 : /**
37 : * sha256_prf_bits - IEEE Std 802.11-2012, 11.6.1.7.2 Key derivation function
38 : * @key: Key for KDF
39 : * @key_len: Length of the key in bytes
40 : * @label: A unique label for each purpose of the PRF
41 : * @data: Extra data to bind into the key
42 : * @data_len: Length of the data
43 : * @buf: Buffer for the generated pseudo-random key
44 : * @buf_len: Number of bits of key to generate
45 : *
46 : * This function is used to derive new, cryptographically separate keys from a
47 : * given key. If the requested buf_len is not divisible by eight, the least
48 : * significant 1-7 bits of the last octet in the output are not part of the
49 : * requested output.
50 : */
51 1553 : void sha256_prf_bits(const u8 *key, size_t key_len, const char *label,
52 : const u8 *data, size_t data_len, u8 *buf,
53 : size_t buf_len_bits)
54 : {
55 1553 : u16 counter = 1;
56 : size_t pos, plen;
57 : u8 hash[SHA256_MAC_LEN];
58 : const u8 *addr[4];
59 : size_t len[4];
60 : u8 counter_le[2], length_le[2];
61 1553 : size_t buf_len = (buf_len_bits + 7) / 8;
62 :
63 1553 : addr[0] = counter_le;
64 1553 : len[0] = 2;
65 1553 : addr[1] = (u8 *) label;
66 1553 : len[1] = os_strlen(label);
67 1553 : addr[2] = data;
68 1553 : len[2] = data_len;
69 1553 : addr[3] = length_le;
70 1553 : len[3] = sizeof(length_le);
71 :
72 1553 : WPA_PUT_LE16(length_le, buf_len_bits);
73 1553 : pos = 0;
74 3638 : while (pos < buf_len) {
75 1800 : plen = buf_len - pos;
76 1800 : WPA_PUT_LE16(counter_le, counter);
77 1800 : if (plen >= SHA256_MAC_LEN) {
78 532 : hmac_sha256_vector(key, key_len, 4, addr, len,
79 : &buf[pos]);
80 532 : pos += SHA256_MAC_LEN;
81 : } else {
82 1268 : hmac_sha256_vector(key, key_len, 4, addr, len, hash);
83 1268 : os_memcpy(&buf[pos], hash, plen);
84 1268 : pos += plen;
85 1268 : break;
86 : }
87 532 : counter++;
88 : }
89 :
90 : /*
91 : * Mask out unused bits in the last octet if it does not use all the
92 : * bits.
93 : */
94 1553 : if (buf_len_bits % 8) {
95 6 : u8 mask = 0xff << (8 - buf_len_bits % 8);
96 6 : buf[pos - 1] &= mask;
97 : }
98 1553 : }
|
