[RFC v2 70/99] crypto: Add pbkdf2_sha256() and pbkdf2_sha384() functions

Andrei Otcheretianski andrei.otcheretianski at intel.com
Tue Dec 23 03:52:14 PST 2025 

These functions are required for ND-PMK derivation for NAN as defined in
Annex M and chapter 7.1.2 of Wi-Fi Aware Specification v4.0.
Implement these functions for openssl.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
 src/crypto/crypto_openssl.c | 30 ++++++++++++++++++++++++++++++
 src/crypto/sha256.h         |  3 ++-
 src/crypto/sha384.h         |  2 ++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index dad48e0461..b38d472706 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -1881,6 +1881,36 @@ int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
 }
 
 
+#ifdef CONFIG_SHA256
+
+int pbkdf2_sha256(const char *passphrase, const u8 *salt, size_t salt_len,
+		  int iterations, u8 *buf, size_t buflen)
+{
+	if (PKCS5_PBKDF2_HMAC(passphrase, os_strlen(passphrase), salt,
+			      salt_len, iterations, EVP_sha256(), buflen,
+			      buf) != 1)
+		return -1;
+	return 0;
+}
+
+#endif /* CONFIG_SHA256 */
+
+
+#ifdef CONFIG_SHA384
+
+int pbkdf2_sha384(const char *passphrase, const u8 *salt, size_t salt_len,
+		  int iterations, u8 *buf, size_t buflen)
+{
+	if (PKCS5_PBKDF2_HMAC(passphrase, os_strlen(passphrase), salt,
+			      salt_len, iterations, EVP_sha384(), buflen,
+			      buf) != 1)
+		return -1;
+	return 0;
+}
+
+#endif /* CONFIG_SHA384 */
+
+
 int crypto_get_random(void *buf, size_t len)
 {
 	if (RAND_bytes(buf, len) != 1)
diff --git a/src/crypto/sha256.h b/src/crypto/sha256.h
index 8054bbe5c5..d1e84e3528 100644
--- a/src/crypto/sha256.h
+++ b/src/crypto/sha256.h
@@ -26,5 +26,6 @@ int tls_prf_sha256(const u8 *secret, size_t secret_len,
 int hmac_sha256_kdf(const u8 *secret, size_t secret_len,
 		    const char *label, const u8 *seed, size_t seed_len,
 		    u8 *out, size_t outlen);
-
+int pbkdf2_sha256(const char *passphrase, const u8 *salt, size_t salt_len,
+		  int iterations, u8 *buf, size_t buflen);
 #endif /* SHA256_H */
diff --git a/src/crypto/sha384.h b/src/crypto/sha384.h
index d946907c67..276cdd3770 100644
--- a/src/crypto/sha384.h
+++ b/src/crypto/sha384.h
@@ -26,5 +26,7 @@ int tls_prf_sha384(const u8 *secret, size_t secret_len,
 int hmac_sha384_kdf(const u8 *secret, size_t secret_len,
 		    const char *label, const u8 *seed, size_t seed_len,
 		    u8 *out, size_t outlen);
+int pbkdf2_sha384(const char *passphrase, const u8 *salt, size_t salt_len,
+		  int iterations, u8 *buf, size_t buflen);
 
 #endif /* SHA384_H */
-- 
2.49.0

More information about the Hostap mailing list