diff --git a/hostapd/Android.mk b/hostapd/Android.mk index 28f443cef..5885f2b06 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -806,6 +806,7 @@ endif endif ifdef NEED_SHA384 L_CFLAGS += -DCONFIG_SHA384 +OBJS += src/crypto/sha384-prf.c endif ifdef NEED_DH_GROUPS diff --git a/hostapd/Makefile b/hostapd/Makefile index 58213bb3a..a812b9d66 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -791,6 +791,7 @@ endif endif ifdef NEED_SHA384 CFLAGS += -DCONFIG_SHA384 +OBJS += ../src/crypto/sha384-prf.o endif ifdef NEED_DH_GROUPS diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c index 0492810a6..e9d4248d7 100644 --- a/src/common/wpa_common.c +++ b/src/common/wpa_common.c @@ -170,6 +170,12 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label, ptk->tk_len = wpa_cipher_key_len(cipher); ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; +#ifdef CONFIG_SUITEB192 + if (wpa_key_mgmt_sha384(akmp)) + sha384_prf(pmk, pmk_len, label, data, sizeof(data), + tmp, ptk_len); + else +#endif /* CONFIG_SUITEB192 */ #ifdef CONFIG_IEEE80211W if (wpa_key_mgmt_sha256(akmp)) sha256_prf(pmk, pmk_len, label, data, sizeof(data), diff --git a/src/crypto/sha384-prf.c b/src/crypto/sha384-prf.c new file mode 100644 index 000000000..653920ba2 --- /dev/null +++ b/src/crypto/sha384-prf.c @@ -0,0 +1,100 @@ +/* + * SHA384-based KDF (IEEE 802.11ac) + * Copyright (c) 2003-2015, Jouni Malinen + * + * This software may be distributed under the terms of the BSD license. + * See README for more details. + */ + +#include "includes.h" + +#include "common.h" +#include "sha384.h" +#include "crypto.h" + + +/** + * sha384_prf - SHA384-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2) + * @key: Key for KDF + * @key_len: Length of the key in bytes + * @label: A unique label for each purpose of the PRF + * @data: Extra data to bind into the key + * @data_len: Length of the data + * @buf: Buffer for the generated pseudo-random key + * @buf_len: Number of bytes of key to generate + * + * This function is used to derive new, cryptographically separate keys from a + * given key. + */ +void sha384_prf(const u8 *key, size_t key_len, const char *label, + const u8 *data, size_t data_len, u8 *buf, size_t buf_len) +{ + sha384_prf_bits(key, key_len, label, data, data_len, buf, buf_len * 8); +} + + +/** + * sha384_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function + * @key: Key for KDF + * @key_len: Length of the key in bytes + * @label: A unique label for each purpose of the PRF + * @data: Extra data to bind into the key + * @data_len: Length of the data + * @buf: Buffer for the generated pseudo-random key + * @buf_len: Number of bits of key to generate + * + * This function is used to derive new, cryptographically separate keys from a + * given key. If the requested buf_len is not divisible by eight, the least + * significant 1-7 bits of the last octet in the output are not part of the + * requested output. + */ +void sha384_prf_bits(const u8 *key, size_t key_len, const char *label, + const u8 *data, size_t data_len, u8 *buf, + size_t buf_len_bits) +{ + u16 counter = 1; + size_t pos, plen; + u8 hash[SHA384_MAC_LEN]; + const u8 *addr[4]; + size_t len[4]; + u8 counter_le[2], length_le[2]; + size_t buf_len = (buf_len_bits + 7) / 8; + + addr[0] = counter_le; + len[0] = 2; + addr[1] = (u8 *) label; + len[1] = os_strlen(label); + addr[2] = data; + len[2] = data_len; + addr[3] = length_le; + len[3] = sizeof(length_le); + + WPA_PUT_LE16(length_le, buf_len_bits); + pos = 0; + while (pos < buf_len) { + plen = buf_len - pos; + WPA_PUT_LE16(counter_le, counter); + if (plen >= SHA384_MAC_LEN) { + hmac_sha384_vector(key, key_len, 4, addr, len, + &buf[pos]); + pos += SHA384_MAC_LEN; + } else { + hmac_sha384_vector(key, key_len, 4, addr, len, hash); + os_memcpy(&buf[pos], hash, plen); + pos += plen; + break; + } + counter++; + } + + /* + * Mask out unused bits in the last octet if it does not use all the + * bits. + */ + if (buf_len_bits % 8) { + u8 mask = 0xff << (8 - buf_len_bits % 8); + buf[pos - 1] &= mask; + } + + os_memset(hash, 0, sizeof(hash)); +} diff --git a/src/crypto/sha384.h b/src/crypto/sha384.h index e6a1fe41e..3deafa59e 100644 --- a/src/crypto/sha384.h +++ b/src/crypto/sha384.h @@ -15,5 +15,10 @@ int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac); int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, size_t data_len, u8 *mac); +void sha384_prf(const u8 *key, size_t key_len, const char *label, + const u8 *data, size_t data_len, u8 *buf, size_t buf_len); +void sha384_prf_bits(const u8 *key, size_t key_len, const char *label, + const u8 *data, size_t data_len, u8 *buf, + size_t buf_len_bits); #endif /* SHA384_H */ diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 3673ba77d..e235140bd 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -1282,6 +1282,7 @@ OBJS += $(SHA256OBJS) endif ifdef NEED_SHA384 L_CFLAGS += -DCONFIG_SHA384 +OBJS += src/crypto/sha384-prf.c endif ifdef NEED_DH_GROUPS diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 1f1527a3a..1597412e2 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -1293,6 +1293,7 @@ OBJS += $(SHA256OBJS) endif ifdef NEED_SHA384 CFLAGS += -DCONFIG_SHA384 +OBJS += ../src/crypto/sha384-prf.o endif ifdef NEED_DH_GROUPS