1/* 2 * SHA256-based PRF (IEEE 802.11r) 3 * Copyright (c) 2003-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "sha256.h" 13#include "crypto.h" 14 15 16/** 17 * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2) 18 * @key: Key for PRF 19 * @key_len: Length of the key in bytes 20 * @label: A unique label for each purpose of the PRF 21 * @data: Extra data to bind into the key 22 * @data_len: Length of the data 23 * @buf: Buffer for the generated pseudo-random key 24 * @buf_len: Number of bytes of key to generate 25 * 26 * This function is used to derive new, cryptographically separate keys from a 27 * given key. 28 */ 29void sha256_prf(const u8 *key, size_t key_len, const char *label, 30 const u8 *data, size_t data_len, u8 *buf, size_t buf_len) 31{ 32 sha256_prf_bits(key, key_len, label, data, data_len, buf, buf_len * 8); 33} 34 35 36/** 37 * sha256_prf_bits - IEEE Std 802.11-2012, 11.6.1.7.2 Key derivation function 38 * @key: Key for KDF 39 * @key_len: Length of the key in bytes 40 * @label: A unique label for each purpose of the PRF 41 * @data: Extra data to bind into the key 42 * @data_len: Length of the data 43 * @buf: Buffer for the generated pseudo-random key 44 * @buf_len: Number of bits of key to generate 45 * 46 * This function is used to derive new, cryptographically separate keys from a 47 * given key. If the requested buf_len is not divisible by eight, the least 48 * significant 1-7 bits of the last octet in the output are not part of the 49 * requested output. 50 */ 51void sha256_prf_bits(const u8 *key, size_t key_len, const char *label, 52 const u8 *data, size_t data_len, u8 *buf, 53 size_t buf_len_bits) 54{ 55 u16 counter = 1; 56 size_t pos, plen; 57 u8 hash[SHA256_MAC_LEN]; 58 const u8 *addr[4]; 59 size_t len[4]; 60 u8 counter_le[2], length_le[2]; 61 size_t buf_len = (buf_len_bits + 7) / 8; 62 63 addr[0] = counter_le; 64 len[0] = 2; 65 addr[1] = (u8 *) label; 66 len[1] = os_strlen(label); 67 addr[2] = data; 68 len[2] = data_len; 69 addr[3] = length_le; 70 len[3] = sizeof(length_le); 71 72 WPA_PUT_LE16(length_le, buf_len_bits); 73 pos = 0; 74 while (pos < buf_len) { 75 plen = buf_len - pos; 76 WPA_PUT_LE16(counter_le, counter); 77 if (plen >= SHA256_MAC_LEN) { 78 hmac_sha256_vector(key, key_len, 4, addr, len, 79 &buf[pos]); 80 pos += SHA256_MAC_LEN; 81 } else { 82 hmac_sha256_vector(key, key_len, 4, addr, len, hash); 83 os_memcpy(&buf[pos], hash, plen); 84 pos += plen; 85 break; 86 } 87 counter++; 88 } 89 90 /* 91 * Mask out unused bits in the last octet if it does not use all the 92 * bits. 93 */ 94 if (buf_len_bits % 8) { 95 u8 mask = 0xff << (8 - buf_len_bits % 8); 96 buf[pos - 1] &= mask; 97 } 98} 99