Line data Source code
1 : /*
2 : * SHA384-based KDF (IEEE 802.11ac)
3 : * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "includes.h"
10 :
11 : #include "common.h"
12 : #include "sha384.h"
13 : #include "crypto.h"
14 :
15 :
16 : /**
17 : * sha384_prf - SHA384-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2)
18 : * @key: Key for KDF
19 : * @key_len: Length of the key in bytes
20 : * @label: A unique label for each purpose of the PRF
21 : * @data: Extra data to bind into the key
22 : * @data_len: Length of the data
23 : * @buf: Buffer for the generated pseudo-random key
24 : * @buf_len: Number of bytes of key to generate
25 : *
26 : * This function is used to derive new, cryptographically separate keys from a
27 : * given key.
28 : */
29 6 : void sha384_prf(const u8 *key, size_t key_len, const char *label,
30 : const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
31 : {
32 6 : sha384_prf_bits(key, key_len, label, data, data_len, buf, buf_len * 8);
33 6 : }
34 :
35 :
36 : /**
37 : * sha384_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function
38 : * @key: Key for KDF
39 : * @key_len: Length of the key in bytes
40 : * @label: A unique label for each purpose of the PRF
41 : * @data: Extra data to bind into the key
42 : * @data_len: Length of the data
43 : * @buf: Buffer for the generated pseudo-random key
44 : * @buf_len: Number of bits of key to generate
45 : *
46 : * This function is used to derive new, cryptographically separate keys from a
47 : * given key. If the requested buf_len is not divisible by eight, the least
48 : * significant 1-7 bits of the last octet in the output are not part of the
49 : * requested output.
50 : */
51 6 : void sha384_prf_bits(const u8 *key, size_t key_len, const char *label,
52 : const u8 *data, size_t data_len, u8 *buf,
53 : size_t buf_len_bits)
54 : {
55 6 : u16 counter = 1;
56 : size_t pos, plen;
57 : u8 hash[SHA384_MAC_LEN];
58 : const u8 *addr[4];
59 : size_t len[4];
60 : u8 counter_le[2], length_le[2];
61 6 : size_t buf_len = (buf_len_bits + 7) / 8;
62 :
63 6 : addr[0] = counter_le;
64 6 : len[0] = 2;
65 6 : addr[1] = (u8 *) label;
66 6 : len[1] = os_strlen(label);
67 6 : addr[2] = data;
68 6 : len[2] = data_len;
69 6 : addr[3] = length_le;
70 6 : len[3] = sizeof(length_le);
71 :
72 6 : WPA_PUT_LE16(length_le, buf_len_bits);
73 6 : pos = 0;
74 18 : while (pos < buf_len) {
75 12 : plen = buf_len - pos;
76 12 : WPA_PUT_LE16(counter_le, counter);
77 12 : if (plen >= SHA384_MAC_LEN) {
78 6 : hmac_sha384_vector(key, key_len, 4, addr, len,
79 : &buf[pos]);
80 6 : pos += SHA384_MAC_LEN;
81 : } else {
82 6 : hmac_sha384_vector(key, key_len, 4, addr, len, hash);
83 6 : os_memcpy(&buf[pos], hash, plen);
84 6 : pos += plen;
85 6 : break;
86 : }
87 6 : counter++;
88 : }
89 :
90 : /*
91 : * Mask out unused bits in the last octet if it does not use all the
92 : * bits.
93 : */
94 6 : if (buf_len_bits % 8) {
95 0 : u8 mask = 0xff << (8 - buf_len_bits % 8);
96 0 : buf[pos - 1] &= mask;
97 : }
98 :
99 6 : os_memset(hash, 0, sizeof(hash));
100 6 : }
|
