| /* |
| * TLS PRF P_SHA256 |
| * Copyright (c) 2011, Jouni Malinen <j@w1.fi> |
| * |
| * This software may be distributed under the terms of the BSD license. |
| * See README for more details. |
| */ |
| |
| #include "includes.h" |
| |
| #include "common.h" |
| #include "sha256.h" |
| |
| |
| /** |
| * tls_prf_sha256 - Pseudo-Random Function for TLS v1.2 (P_SHA256, RFC 5246) |
| * @secret: Key for PRF |
| * @secret_len: Length of the key in bytes |
| * @label: A unique label for each purpose of the PRF |
| * @seed: Seed value to bind into the key |
| * @seed_len: Length of the seed |
| * @out: Buffer for the generated pseudo-random key |
| * @outlen: Number of bytes of key to generate |
| * Returns: 0 on success, -1 on failure. |
| * |
| * This function is used to derive new, cryptographically separate keys from a |
| * given key in TLS. This PRF is defined in RFC 2246, Chapter 5. |
| */ |
| int tls_prf_sha256(const u8 *secret, size_t secret_len, const char *label, |
| const u8 *seed, size_t seed_len, u8 *out, size_t outlen) |
| { |
| size_t clen; |
| u8 A[SHA256_MAC_LEN]; |
| u8 P[SHA256_MAC_LEN]; |
| size_t pos; |
| const unsigned char *addr[3]; |
| size_t len[3]; |
| |
| addr[0] = A; |
| len[0] = SHA256_MAC_LEN; |
| addr[1] = (unsigned char *) label; |
| len[1] = os_strlen(label); |
| addr[2] = seed; |
| len[2] = seed_len; |
| |
| /* |
| * RFC 5246, Chapter 5 |
| * A(0) = seed, A(i) = HMAC(secret, A(i-1)) |
| * P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + .. |
| * PRF(secret, label, seed) = P_SHA256(secret, label + seed) |
| */ |
| |
| if (hmac_sha256_vector(secret, secret_len, 2, &addr[1], &len[1], A) < 0) |
| return -1; |
| |
| pos = 0; |
| while (pos < outlen) { |
| if (hmac_sha256_vector(secret, secret_len, 3, addr, len, P) < |
| 0 || |
| hmac_sha256(secret, secret_len, A, SHA256_MAC_LEN, A) < 0) |
| return -1; |
| |
| clen = outlen - pos; |
| if (clen > SHA256_MAC_LEN) |
| clen = SHA256_MAC_LEN; |
| os_memcpy(out + pos, P, clen); |
| pos += clen; |
| } |
| |
| return 0; |
| } |