jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix key derivation for Suite B 192-bit AKM to use SHA384

Browse source 
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-08-27 20:42:14 +03:00
parent a218e1ded4
commit d9c807cab1
7 changed files with 115 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
hostapd/Android.mk
View file

@ -806,6 +806,7 @@ endif
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
L_CFLAGS += -DCONFIG_SHA384 L_CFLAGS += -DCONFIG_SHA384
OBJS += src/crypto/sha384-prf.c
endif endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS

1
hostapd/Makefile
View file

@ -791,6 +791,7 @@ endif
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
CFLAGS += -DCONFIG_SHA384 CFLAGS += -DCONFIG_SHA384
OBJS += ../src/crypto/sha384-prf.o
endif endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS

6
src/common/wpa_common.c
View file

@ -170,6 +170,12 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
ptk->tk_len = wpa_cipher_key_len(cipher); ptk->tk_len = wpa_cipher_key_len(cipher);
ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len; ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
#ifdef CONFIG_SUITEB192
if (wpa_key_mgmt_sha384(akmp))
sha384_prf(pmk, pmk_len, label, data, sizeof(data),
tmp, ptk_len);
else
#endif /* CONFIG_SUITEB192 */
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (wpa_key_mgmt_sha256(akmp)) if (wpa_key_mgmt_sha256(akmp))
sha256_prf(pmk, pmk_len, label, data, sizeof(data), sha256_prf(pmk, pmk_len, label, data, sizeof(data),

100
src/crypto/sha384-prf.c Normal file
View file

@ -0,0 +1,100 @@
/*
* SHA384-based KDF (IEEE 802.11ac)
* Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "sha384.h"
#include "crypto.h"
/**
* sha384_prf - SHA384-based Key derivation function (IEEE 802.11ac, 11.6.1.7.2)
* @key: Key for KDF
* @key_len: Length of the key in bytes
* @label: A unique label for each purpose of the PRF
* @data: Extra data to bind into the key
* @data_len: Length of the data
* @buf: Buffer for the generated pseudo-random key
* @buf_len: Number of bytes of key to generate
*
* This function is used to derive new, cryptographically separate keys from a
* given key.
*/
void sha384_prf(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf, size_t buf_len)
{
sha384_prf_bits(key, key_len, label, data, data_len, buf, buf_len * 8);
}
/**
* sha384_prf_bits - IEEE Std 802.11ac-2013, 11.6.1.7.2 Key derivation function
* @key: Key for KDF
* @key_len: Length of the key in bytes
* @label: A unique label for each purpose of the PRF
* @data: Extra data to bind into the key
* @data_len: Length of the data
* @buf: Buffer for the generated pseudo-random key
* @buf_len: Number of bits of key to generate
*
* This function is used to derive new, cryptographically separate keys from a
* given key. If the requested buf_len is not divisible by eight, the least
* significant 1-7 bits of the last octet in the output are not part of the
* requested output.
*/
void sha384_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits)
{
u16 counter = 1;
size_t pos, plen;
u8 hash[SHA384_MAC_LEN];
const u8 *addr[4];
size_t len[4];
u8 counter_le[2], length_le[2];
size_t buf_len = (buf_len_bits + 7) / 8;
addr[0] = counter_le;
len[0] = 2;
addr[1] = (u8 *) label;
len[1] = os_strlen(label);
addr[2] = data;
len[2] = data_len;
addr[3] = length_le;
len[3] = sizeof(length_le);
WPA_PUT_LE16(length_le, buf_len_bits);
pos = 0;
while (pos < buf_len) {
plen = buf_len - pos;
WPA_PUT_LE16(counter_le, counter);
if (plen >= SHA384_MAC_LEN) {
hmac_sha384_vector(key, key_len, 4, addr, len,
&buf[pos]);
pos += SHA384_MAC_LEN;
} else {
hmac_sha384_vector(key, key_len, 4, addr, len, hash);
os_memcpy(&buf[pos], hash, plen);
pos += plen;
break;
}
counter++;
}
/*
* Mask out unused bits in the last octet if it does not use all the
* bits.
*/
if (buf_len_bits % 8) {
u8 mask = 0xff << (8 - buf_len_bits % 8);
buf[pos - 1] &= mask;
}
os_memset(hash, 0, sizeof(hash));
}

5
src/crypto/sha384.h
View file

@ -15,5 +15,10 @@ int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac); const u8 *addr[], const size_t *len, u8 *mac);
int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac); size_t data_len, u8 *mac);
void sha384_prf(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf, size_t buf_len);
void sha384_prf_bits(const u8 *key, size_t key_len, const char *label,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits);
#endif /* SHA384_H */ #endif /* SHA384_H */

1
wpa_supplicant/Android.mk
View file

@ -1282,6 +1282,7 @@ OBJS += $(SHA256OBJS)
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
L_CFLAGS += -DCONFIG_SHA384 L_CFLAGS += -DCONFIG_SHA384
OBJS += src/crypto/sha384-prf.c
endif endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS

1
wpa_supplicant/Makefile
View file

@ -1293,6 +1293,7 @@ OBJS += $(SHA256OBJS)
endif endif
ifdef NEED_SHA384 ifdef NEED_SHA384
CFLAGS += -DCONFIG_SHA384 CFLAGS += -DCONFIG_SHA384
OBJS += ../src/crypto/sha384-prf.o
endif endif
ifdef NEED_DH_GROUPS ifdef NEED_DH_GROUPS