1 /*
2 * SHA256-based PRF (IEEE 802.11r)
3 * Copyright (c) 2003-2016, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "rtw_crypto_wrap.h"
10
11 //#include "common.h"
12 #include "sha256.h"
13 //#include "crypto.h"
14 #include "wlancrypto_wrap.h"
15
16
17 /**
18 * sha256_prf - SHA256-based Pseudo-Random Function (IEEE 802.11r, 8.5.1.5.2)
19 * @key: Key for PRF
20 * @key_len: Length of the key in bytes
21 * @label: A unique label for each purpose of the PRF
22 * @data: Extra data to bind into the key
23 * @data_len: Length of the data
24 * @buf: Buffer for the generated pseudo-random key
25 * @buf_len: Number of bytes of key to generate
26 * Returns: 0 on success, -1 on failure
27 *
28 * This function is used to derive new, cryptographically separate keys from a
29 * given key.
30 */
sha256_prf(const u8 * key,size_t key_len,const char * label,const u8 * data,size_t data_len,u8 * buf,size_t buf_len)31 int sha256_prf(const u8 *key, size_t key_len, const char *label,
32 const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
33 {
34 return sha256_prf_bits(key, key_len, label, data, data_len, buf,
35 buf_len * 8);
36 }
37
38
39 /**
40 * sha256_prf_bits - IEEE Std 802.11-2012, 11.6.1.7.2 Key derivation function
41 * @key: Key for KDF
42 * @key_len: Length of the key in bytes
43 * @label: A unique label for each purpose of the PRF
44 * @data: Extra data to bind into the key
45 * @data_len: Length of the data
46 * @buf: Buffer for the generated pseudo-random key
47 * @buf_len: Number of bits of key to generate
48 * Returns: 0 on success, -1 on failure
49 *
50 * This function is used to derive new, cryptographically separate keys from a
51 * given key. If the requested buf_len is not divisible by eight, the least
52 * significant 1-7 bits of the last octet in the output are not part of the
53 * requested output.
54 */
sha256_prf_bits(const u8 * key,size_t key_len,const char * label,const u8 * data,size_t data_len,u8 * buf,size_t buf_len_bits)55 int sha256_prf_bits(const u8 *key, size_t key_len, const char *label,
56 const u8 *data, size_t data_len, u8 *buf,
57 size_t buf_len_bits)
58 {
59 u16 counter = 1;
60 size_t pos, plen;
61 u8 hash[SHA256_MAC_LEN];
62 const u8 *addr[4];
63 size_t len[4];
64 u8 counter_le[2], length_le[2];
65 size_t buf_len = (buf_len_bits + 7) / 8;
66
67 addr[0] = counter_le;
68 len[0] = 2;
69 addr[1] = (u8 *) label;
70 len[1] = os_strlen(label);
71 addr[2] = data;
72 len[2] = data_len;
73 addr[3] = length_le;
74 len[3] = sizeof(length_le);
75
76 WPA_PUT_LE16(length_le, buf_len_bits);
77 pos = 0;
78 while (pos < buf_len) {
79 plen = buf_len - pos;
80 WPA_PUT_LE16(counter_le, counter);
81 if (plen >= SHA256_MAC_LEN) {
82 if (hmac_sha256_vector(key, key_len, 4, addr, len,
83 &buf[pos]) < 0)
84 return -1;
85 pos += SHA256_MAC_LEN;
86 } else {
87 if (hmac_sha256_vector(key, key_len, 4, addr, len,
88 hash) < 0)
89 return -1;
90 os_memcpy(&buf[pos], hash, plen);
91 pos += plen;
92 break;
93 }
94 counter++;
95 }
96
97 /*
98 * Mask out unused bits in the last octet if it does not use all the
99 * bits.
100 */
101 if (buf_len_bits % 8) {
102 u8 mask = 0xff << (8 - buf_len_bits % 8);
103 buf[pos - 1] &= mask;
104 }
105
106 forced_memzero(hash, sizeof(hash));
107
108 return 0;
109 }
110