Extend SHA-384 and SHA-512 support to match SHA-256

The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-06-15 21:17:50 +03:00 committed by Jouni Malinen
parent 2c9d924975
commit 77f273c82c
10 changed files with 406 additions and 0 deletions

View file

@ -859,6 +859,15 @@ endif
ifdef NEED_TLS_PRF_SHA256 ifdef NEED_TLS_PRF_SHA256
OBJS += src/crypto/sha256-tlsprf.c OBJS += src/crypto/sha256-tlsprf.c
endif endif
ifdef NEED_HMAC_SHA256_KDF
OBJS += src/crypto/sha256-kdf.c
endif
ifdef NEED_HMAC_SHA384_KDF
OBJS += src/crypto/sha384-kdf.c
endif
ifdef NEED_HMAC_SHA512_KDF
OBJS += src/crypto/sha512-kdf.c
endif
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
L_CFLAGS += -DCONFIG_SHA384 L_CFLAGS += -DCONFIG_SHA384
@ -867,6 +876,15 @@ OBJS += src/crypto/sha384.c
endif endif
OBJS += src/crypto/sha384-prf.c OBJS += src/crypto/sha384-prf.c
endif endif
ifdef NEED_SHA512
L_CFLAGS += -DCONFIG_SHA512
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
OBJS += src/crypto/sha512.c
endif
endif
OBJS += src/crypto/sha512-prf.c
endif
ifdef CONFIG_INTERNAL_SHA384 ifdef CONFIG_INTERNAL_SHA384
L_CFLAGS += -DCONFIG_INTERNAL_SHA384 L_CFLAGS += -DCONFIG_INTERNAL_SHA384

View file

@ -952,6 +952,12 @@ endif
ifdef NEED_HMAC_SHA256_KDF ifdef NEED_HMAC_SHA256_KDF
OBJS += ../src/crypto/sha256-kdf.o OBJS += ../src/crypto/sha256-kdf.o
endif endif
ifdef NEED_HMAC_SHA384_KDF
OBJS += ../src/crypto/sha384-kdf.o
endif
ifdef NEED_HMAC_SHA512_KDF
OBJS += ../src/crypto/sha512-kdf.o
endif
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
CFLAGS += -DCONFIG_SHA384 CFLAGS += -DCONFIG_SHA384
@ -962,6 +968,15 @@ endif
endif endif
OBJS += ../src/crypto/sha384-prf.o OBJS += ../src/crypto/sha384-prf.o
endif endif
ifdef NEED_SHA512
CFLAGS += -DCONFIG_SHA512
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
OBJS += ../src/crypto/sha512.o
endif
endif
OBJS += ../src/crypto/sha512-prf.o
endif
ifdef CONFIG_INTERNAL_SHA384 ifdef CONFIG_INTERNAL_SHA384
CFLAGS += -DCONFIG_INTERNAL_SHA384 CFLAGS += -DCONFIG_INTERNAL_SHA384

View file

@ -246,6 +246,7 @@ int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
} }
#endif /* NO_SHA256_WRAPPER */ #endif /* NO_SHA256_WRAPPER */
#ifndef NO_SHA384_WRAPPER #ifndef NO_SHA384_WRAPPER
int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac) u8 *mac)
@ -255,6 +256,15 @@ int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
#endif /* NO_SHA384_WRAPPER */ #endif /* NO_SHA384_WRAPPER */
#ifndef NO_SHA512_WRAPPER
int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac)
{
return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
}
#endif /* NO_SHA512_WRAPPER */
static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
{ {
switch (keylen) { switch (keylen) {
@ -1049,6 +1059,25 @@ int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
#endif /* CONFIG_SHA384 */ #endif /* CONFIG_SHA384 */
#ifdef CONFIG_SHA512
int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
len, mac, 64);
}
int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA512 */
int crypto_get_random(void *buf, size_t len) int crypto_get_random(void *buf, size_t len)
{ {
if (RAND_bytes(buf, len) != 1) if (RAND_bytes(buf, len) != 1)

87
src/crypto/sha384-kdf.c Normal file
View file

@ -0,0 +1,87 @@
/*
* HMAC-SHA384 KDF (RFC 5295) and HKDF-Expand(SHA384) (RFC 5869)
* Copyright (c) 2014-2017, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "sha384.h"
/**
* hmac_sha384_kdf - HMAC-SHA384 based KDF (RFC 5295)
* @secret: Key for KDF
* @secret_len: Length of the key in bytes
* @label: A unique label for each purpose of the KDF or %NULL to select
* RFC 5869 HKDF-Expand() with arbitrary seed (= info)
* @seed: Seed value to bind into the key
* @seed_len: Length of the seed
* @out: Buffer for the generated pseudo-random key
* @outlen: Number of bytes of key to generate
* Returns: 0 on success, -1 on failure.
*
* This function is used to derive new, cryptographically separate keys from a
* given key in ERP. This KDF is defined in RFC 5295, Chapter 3.1.2. When used
* with label = NULL and seed = info, this matches HKDF-Expand() defined in
* RFC 5869, Chapter 2.3.
*/
int hmac_sha384_kdf(const u8 *secret, size_t secret_len,
const char *label, const u8 *seed, size_t seed_len,
u8 *out, size_t outlen)
{
u8 T[SHA384_MAC_LEN];
u8 iter = 1;
const unsigned char *addr[4];
size_t len[4];
size_t pos, clen;
addr[0] = T;
len[0] = SHA384_MAC_LEN;
if (label) {
addr[1] = (const unsigned char *) label;
len[1] = os_strlen(label) + 1;
} else {
addr[1] = (const u8 *) "";
len[1] = 0;
}
addr[2] = seed;
len[2] = seed_len;
addr[3] = &iter;
len[3] = 1;
if (hmac_sha384_vector(secret, secret_len, 3, &addr[1], &len[1], T) < 0)
return -1;
pos = 0;
for (;;) {
clen = outlen - pos;
if (clen > SHA384_MAC_LEN)
clen = SHA384_MAC_LEN;
os_memcpy(out + pos, T, clen);
pos += clen;
if (pos == outlen)
break;
if (iter == 255) {
os_memset(out, 0, outlen);
os_memset(T, 0, SHA384_MAC_LEN);
return -1;
}
iter++;
if (hmac_sha384_vector(secret, secret_len, 4, addr, len, T) < 0)
{
os_memset(out, 0, outlen);
os_memset(T, 0, SHA384_MAC_LEN);
return -1;
}
}
os_memset(T, 0, SHA384_MAC_LEN);
return 0;
}

View file

@ -20,5 +20,8 @@ int sha384_prf(const u8 *key, size_t key_len, const char *label,
int sha384_prf_bits(const u8 *key, size_t key_len, const char *label, int sha384_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf, const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits); size_t buf_len_bits);
int hmac_sha384_kdf(const u8 *secret, size_t secret_len,
const char *label, const u8 *seed, size_t seed_len,
u8 *out, size_t outlen);
#endif /* SHA384_H */ #endif /* SHA384_H */

87
src/crypto/sha512-kdf.c Normal file
View file

@ -0,0 +1,87 @@
/*
* HMAC-SHA512 KDF (RFC 5295) and HKDF-Expand(SHA512) (RFC 5869)
* Copyright (c) 2014-2017, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "sha512.h"
/**
* hmac_sha512_kdf - HMAC-SHA512 based KDF (RFC 5295)
* @secret: Key for KDF
* @secret_len: Length of the key in bytes
* @label: A unique label for each purpose of the KDF or %NULL to select
* RFC 5869 HKDF-Expand() with arbitrary seed (= info)
* @seed: Seed value to bind into the key
* @seed_len: Length of the seed
* @out: Buffer for the generated pseudo-random key
* @outlen: Number of bytes of key to generate
* Returns: 0 on success, -1 on failure.
*
* This function is used to derive new, cryptographically separate keys from a
* given key in ERP. This KDF is defined in RFC 5295, Chapter 3.1.2. When used
* with label = NULL and seed = info, this matches HKDF-Expand() defined in
* RFC 5869, Chapter 2.3.
*/
int hmac_sha512_kdf(const u8 *secret, size_t secret_len,
const char *label, const u8 *seed, size_t seed_len,
u8 *out, size_t outlen)
{
u8 T[SHA512_MAC_LEN];
u8 iter = 1;
const unsigned char *addr[4];
size_t len[4];
size_t pos, clen;
addr[0] = T;
len[0] = SHA512_MAC_LEN;
if (label) {
addr[1] = (const unsigned char *) label;
len[1] = os_strlen(label) + 1;
} else {
addr[1] = (const u8 *) "";
len[1] = 0;
}
addr[2] = seed;
len[2] = seed_len;
addr[3] = &iter;
len[3] = 1;
if (hmac_sha512_vector(secret, secret_len, 3, &addr[1], &len[1], T) < 0)
return -1;
pos = 0;
for (;;) {
clen = outlen - pos;
if (clen > SHA512_MAC_LEN)
clen = SHA512_MAC_LEN;
os_memcpy(out + pos, T, clen);
pos += clen;
if (pos == outlen)
break;
if (iter == 255) {
os_memset(out, 0, outlen);
os_memset(T, 0, SHA512_MAC_LEN);
return -1;
}
iter++;
if (hmac_sha512_vector(secret, secret_len, 4, addr, len, T) < 0)
{
os_memset(out, 0, outlen);
os_memset(T, 0, SHA512_MAC_LEN);
return -1;
}
}
os_memset(T, 0, SHA512_MAC_LEN);
return 0;
}

108
src/crypto/sha512-prf.c Normal file
View file

@ -0,0 +1,108 @@
/*
* SHA512-based KDF (IEEE 802.11ac)
* Copyright (c) 2003-2017, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "sha512.h"
#include "crypto.h"
/**
* sha512_prf - SHA512-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2)
* @key: Key for KDF
* @key_len: Length of the key in bytes
* @label: A unique label for each purpose of the PRF
* @data: Extra data to bind into the key
* @data_len: Length of the data
* @buf: Buffer for the generated pseudo-random key
* @buf_len: Number of bytes of key to generate
* Returns: 0 on success, -1 on failure
*
* This function is used to derive new, cryptographically separate keys from a
* given key.
*/
int sha512_prf(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
{
return sha512_prf_bits(key, key_len, label, data, data_len, buf,
buf_len * 8);
}
/**
* sha512_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function
* @key: Key for KDF
* @key_len: Length of the key in bytes
* @label: A unique label for each purpose of the PRF
* @data: Extra data to bind into the key
* @data_len: Length of the data
* @buf: Buffer for the generated pseudo-random key
* @buf_len: Number of bits of key to generate
* Returns: 0 on success, -1 on failure
*
* This function is used to derive new, cryptographically separate keys from a
* given key. If the requested buf_len is not divisible by eight, the least
* significant 1-7 bits of the last octet in the output are not part of the
* requested output.
*/
int sha512_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits)
{
u16 counter = 1;
size_t pos, plen;
u8 hash[SHA512_MAC_LEN];
const u8 *addr[4];
size_t len[4];
u8 counter_le[2], length_le[2];
size_t buf_len = (buf_len_bits + 7) / 8;
addr[0] = counter_le;
len[0] = 2;
addr[1] = (u8 *) label;
len[1] = os_strlen(label);
addr[2] = data;
len[2] = data_len;
addr[3] = length_le;
len[3] = sizeof(length_le);
WPA_PUT_LE16(length_le, buf_len_bits);
pos = 0;
while (pos < buf_len) {
plen = buf_len - pos;
WPA_PUT_LE16(counter_le, counter);
if (plen >= SHA512_MAC_LEN) {
if (hmac_sha512_vector(key, key_len, 4, addr, len,
&buf[pos]) < 0)
return -1;
pos += SHA512_MAC_LEN;
} else {
if (hmac_sha512_vector(key, key_len, 4, addr, len,
hash) < 0)
return -1;
os_memcpy(&buf[pos], hash, plen);
pos += plen;
break;
}
counter++;
}
/*
* Mask out unused bits in the last octet if it does not use all the
* bits.
*/
if (buf_len_bits % 8) {
u8 mask = 0xff << (8 - buf_len_bits % 8);
buf[pos - 1] &= mask;
}
os_memset(hash, 0, sizeof(hash));
return 0;
}

27
src/crypto/sha512.h Normal file
View file

@ -0,0 +1,27 @@
/*
* SHA512 hash implementation and interface functions
* Copyright (c) 2015-2017, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef SHA512_H
#define SHA512_H
#define SHA512_MAC_LEN 64
int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac);
int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac);
int sha512_prf(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf, size_t buf_len);
int sha512_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits);
int hmac_sha512_kdf(const u8 *secret, size_t secret_len,
const char *label, const u8 *seed, size_t seed_len,
u8 *out, size_t outlen);
#endif /* SHA512_H */

View file

@ -1306,6 +1306,14 @@ ifdef NEED_HMAC_SHA256_KDF
L_CFLAGS += -DCONFIG_HMAC_SHA256_KDF L_CFLAGS += -DCONFIG_HMAC_SHA256_KDF
SHA256OBJS += src/crypto/sha256-kdf.c SHA256OBJS += src/crypto/sha256-kdf.c
endif endif
ifdef NEED_HMAC_SHA384_KDF
L_CFLAGS += -DCONFIG_HMAC_SHA384_KDF
SHA256OBJS += src/crypto/sha384-kdf.c
endif
ifdef NEED_HMAC_SHA512_KDF
L_CFLAGS += -DCONFIG_HMAC_SHA512_KDF
SHA256OBJS += src/crypto/sha512-kdf.c
endif
OBJS += $(SHA256OBJS) OBJS += $(SHA256OBJS)
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
@ -1315,6 +1323,13 @@ OBJS += src/crypto/sha384.c
endif endif
OBJS += src/crypto/sha384-prf.c OBJS += src/crypto/sha384-prf.c
endif endif
ifdef NEED_SHA512
L_CFLAGS += -DCONFIG_SHA512
ifneq ($(CONFIG_TLS), openssl)
OBJS += src/crypto/sha512.c
endif
OBJS += src/crypto/sha512-prf.c
endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS
OBJS += src/crypto/dh_groups.c OBJS += src/crypto/dh_groups.c

View file

@ -1403,6 +1403,14 @@ ifdef NEED_HMAC_SHA256_KDF
CFLAGS += -DCONFIG_HMAC_SHA256_KDF CFLAGS += -DCONFIG_HMAC_SHA256_KDF
OBJS += ../src/crypto/sha256-kdf.o OBJS += ../src/crypto/sha256-kdf.o
endif endif
ifdef NEED_HMAC_SHA384_KDF
CFLAGS += -DCONFIG_HMAC_SHA384_KDF
OBJS += ../src/crypto/sha384-kdf.o
endif
ifdef NEED_HMAC_SHA512_KDF
CFLAGS += -DCONFIG_HMAC_SHA512_KDF
OBJS += ../src/crypto/sha512-kdf.o
endif
OBJS += $(SHA256OBJS) OBJS += $(SHA256OBJS)
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
@ -1414,6 +1422,15 @@ endif
CFLAGS += -DCONFIG_SHA384 CFLAGS += -DCONFIG_SHA384
OBJS += ../src/crypto/sha384-prf.o OBJS += ../src/crypto/sha384-prf.o
endif endif
ifdef NEED_SHA512
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
OBJS += ../src/crypto/sha512.o
endif
endif
CFLAGS += -DCONFIG_SHA512
OBJS += ../src/crypto/sha512-prf.o
endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS
OBJS += ../src/crypto/dh_groups.o OBJS += ../src/crypto/dh_groups.o