1 /* 2 * TLS PRF P_SHA384 3 * Copyright (c) 2011-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "sha384.h" 13 14 15 /** 16 * tls_prf_sha384 - Pseudo-Random Function for TLS v1.2 (P_SHA384, RFC 5246) 17 * @secret: Key for PRF 18 * @secret_len: Length of the key in bytes 19 * @label: A unique label for each purpose of the PRF 20 * @seed: Seed value to bind into the key 21 * @seed_len: Length of the seed 22 * @out: Buffer for the generated pseudo-random key 23 * @outlen: Number of bytes of key to generate 24 * Returns: 0 on success, -1 on failure. 25 * 26 * This function is used to derive new, cryptographically separate keys from a 27 * given key in TLS. This PRF is defined in RFC 5246, Chapter 5. 28 */ 29 int tls_prf_sha384(const u8 *secret, size_t secret_len, const char *label, 30 const u8 *seed, size_t seed_len, u8 *out, size_t outlen) 31 { 32 size_t clen; 33 u8 A[SHA384_MAC_LEN]; 34 u8 P[SHA384_MAC_LEN]; 35 size_t pos; 36 const unsigned char *addr[3]; 37 size_t len[3]; 38 39 addr[0] = A; 40 len[0] = SHA384_MAC_LEN; 41 addr[1] = (unsigned char *) label; 42 len[1] = os_strlen(label); 43 addr[2] = seed; 44 len[2] = seed_len; 45 46 /* 47 * RFC 5246, Chapter 5 48 * A(0) = seed, A(i) = HMAC(secret, A(i-1)) 49 * P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + .. 50 * PRF(secret, label, seed) = P_SHA384(secret, label + seed) 51 */ 52 53 if (hmac_sha384_vector(secret, secret_len, 2, &addr[1], &len[1], A) < 0) 54 return -1; 55 56 pos = 0; 57 while (pos < outlen) { 58 if (hmac_sha384_vector(secret, secret_len, 3, addr, len, P) < 59 0 || 60 hmac_sha384(secret, secret_len, A, SHA384_MAC_LEN, A) < 0) 61 return -1; 62 63 clen = outlen - pos; 64 if (clen > SHA384_MAC_LEN) 65 clen = SHA384_MAC_LEN; 66 os_memcpy(out + pos, P, clen); 67 pos += clen; 68 } 69 70 return 0; 71 } 72