1*85732ac8SCy Schubert /* 2*85732ac8SCy Schubert * SHA512-based KDF (IEEE 802.11ac) 3*85732ac8SCy Schubert * Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi> 4*85732ac8SCy Schubert * 5*85732ac8SCy Schubert * This software may be distributed under the terms of the BSD license. 6*85732ac8SCy Schubert * See README for more details. 7*85732ac8SCy Schubert */ 8*85732ac8SCy Schubert 9*85732ac8SCy Schubert #include "includes.h" 10*85732ac8SCy Schubert 11*85732ac8SCy Schubert #include "common.h" 12*85732ac8SCy Schubert #include "sha512.h" 13*85732ac8SCy Schubert #include "crypto.h" 14*85732ac8SCy Schubert 15*85732ac8SCy Schubert 16*85732ac8SCy Schubert /** 17*85732ac8SCy Schubert * sha512_prf - SHA512-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2) 18*85732ac8SCy Schubert * @key: Key for KDF 19*85732ac8SCy Schubert * @key_len: Length of the key in bytes 20*85732ac8SCy Schubert * @label: A unique label for each purpose of the PRF 21*85732ac8SCy Schubert * @data: Extra data to bind into the key 22*85732ac8SCy Schubert * @data_len: Length of the data 23*85732ac8SCy Schubert * @buf: Buffer for the generated pseudo-random key 24*85732ac8SCy Schubert * @buf_len: Number of bytes of key to generate 25*85732ac8SCy Schubert * Returns: 0 on success, -1 on failure 26*85732ac8SCy Schubert * 27*85732ac8SCy Schubert * This function is used to derive new, cryptographically separate keys from a 28*85732ac8SCy Schubert * given key. 29*85732ac8SCy Schubert */ 30*85732ac8SCy Schubert int sha512_prf(const u8 *key, size_t key_len, const char *label, 31*85732ac8SCy Schubert const u8 *data, size_t data_len, u8 *buf, size_t buf_len) 32*85732ac8SCy Schubert { 33*85732ac8SCy Schubert return sha512_prf_bits(key, key_len, label, data, data_len, buf, 34*85732ac8SCy Schubert buf_len * 8); 35*85732ac8SCy Schubert } 36*85732ac8SCy Schubert 37*85732ac8SCy Schubert 38*85732ac8SCy Schubert /** 39*85732ac8SCy Schubert * sha512_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function 40*85732ac8SCy Schubert * @key: Key for KDF 41*85732ac8SCy Schubert * @key_len: Length of the key in bytes 42*85732ac8SCy Schubert * @label: A unique label for each purpose of the PRF 43*85732ac8SCy Schubert * @data: Extra data to bind into the key 44*85732ac8SCy Schubert * @data_len: Length of the data 45*85732ac8SCy Schubert * @buf: Buffer for the generated pseudo-random key 46*85732ac8SCy Schubert * @buf_len: Number of bits of key to generate 47*85732ac8SCy Schubert * Returns: 0 on success, -1 on failure 48*85732ac8SCy Schubert * 49*85732ac8SCy Schubert * This function is used to derive new, cryptographically separate keys from a 50*85732ac8SCy Schubert * given key. If the requested buf_len is not divisible by eight, the least 51*85732ac8SCy Schubert * significant 1-7 bits of the last octet in the output are not part of the 52*85732ac8SCy Schubert * requested output. 53*85732ac8SCy Schubert */ 54*85732ac8SCy Schubert int sha512_prf_bits(const u8 *key, size_t key_len, const char *label, 55*85732ac8SCy Schubert const u8 *data, size_t data_len, u8 *buf, 56*85732ac8SCy Schubert size_t buf_len_bits) 57*85732ac8SCy Schubert { 58*85732ac8SCy Schubert u16 counter = 1; 59*85732ac8SCy Schubert size_t pos, plen; 60*85732ac8SCy Schubert u8 hash[SHA512_MAC_LEN]; 61*85732ac8SCy Schubert const u8 *addr[4]; 62*85732ac8SCy Schubert size_t len[4]; 63*85732ac8SCy Schubert u8 counter_le[2], length_le[2]; 64*85732ac8SCy Schubert size_t buf_len = (buf_len_bits + 7) / 8; 65*85732ac8SCy Schubert 66*85732ac8SCy Schubert addr[0] = counter_le; 67*85732ac8SCy Schubert len[0] = 2; 68*85732ac8SCy Schubert addr[1] = (u8 *) label; 69*85732ac8SCy Schubert len[1] = os_strlen(label); 70*85732ac8SCy Schubert addr[2] = data; 71*85732ac8SCy Schubert len[2] = data_len; 72*85732ac8SCy Schubert addr[3] = length_le; 73*85732ac8SCy Schubert len[3] = sizeof(length_le); 74*85732ac8SCy Schubert 75*85732ac8SCy Schubert WPA_PUT_LE16(length_le, buf_len_bits); 76*85732ac8SCy Schubert pos = 0; 77*85732ac8SCy Schubert while (pos < buf_len) { 78*85732ac8SCy Schubert plen = buf_len - pos; 79*85732ac8SCy Schubert WPA_PUT_LE16(counter_le, counter); 80*85732ac8SCy Schubert if (plen >= SHA512_MAC_LEN) { 81*85732ac8SCy Schubert if (hmac_sha512_vector(key, key_len, 4, addr, len, 82*85732ac8SCy Schubert &buf[pos]) < 0) 83*85732ac8SCy Schubert return -1; 84*85732ac8SCy Schubert pos += SHA512_MAC_LEN; 85*85732ac8SCy Schubert } else { 86*85732ac8SCy Schubert if (hmac_sha512_vector(key, key_len, 4, addr, len, 87*85732ac8SCy Schubert hash) < 0) 88*85732ac8SCy Schubert return -1; 89*85732ac8SCy Schubert os_memcpy(&buf[pos], hash, plen); 90*85732ac8SCy Schubert pos += plen; 91*85732ac8SCy Schubert break; 92*85732ac8SCy Schubert } 93*85732ac8SCy Schubert counter++; 94*85732ac8SCy Schubert } 95*85732ac8SCy Schubert 96*85732ac8SCy Schubert /* 97*85732ac8SCy Schubert * Mask out unused bits in the last octet if it does not use all the 98*85732ac8SCy Schubert * bits. 99*85732ac8SCy Schubert */ 100*85732ac8SCy Schubert if (buf_len_bits % 8) { 101*85732ac8SCy Schubert u8 mask = 0xff << (8 - buf_len_bits % 8); 102*85732ac8SCy Schubert buf[pos - 1] &= mask; 103*85732ac8SCy Schubert } 104*85732ac8SCy Schubert 105*85732ac8SCy Schubert os_memset(hash, 0, sizeof(hash)); 106*85732ac8SCy Schubert 107*85732ac8SCy Schubert return 0; 108*85732ac8SCy Schubert } 109