=pod

=head1 NAME

EVP_KDF-HKDF - The HKDF EVP_KDF implementation

=head1 DESCRIPTION

Support for computing the B<HKDF> KDF through the B<EVP_KDF> API.

The EVP_KDF-HKDF algorithm implements the HKDF key derivation function.
HKDF follows the "extract-then-expand" paradigm, where the KDF logically
consists of two modules. The first stage takes the input keying material
and "extracts" from it a fixed-length pseudorandom key K. The second stage
"expands" the key K into several additional pseudorandom keys (the output
of the KDF).

=head2 Identity

"HKDF" is the name for this implementation; it
can be used with the EVP_KDF_fetch() function.

=head2 Supported parameters

The supported parameters are:

=over 4

=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>

=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>

=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>

=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>

These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.

=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>

This parameter sets the info value.
The length of the context info buffer cannot exceed 1024 bytes;
this should be more than enough for any normal use of HKDF.

=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer>

This parameter sets the mode for the HKDF operation.
There are three modes that are currently defined:

=over 4

=item "EXTRACT_AND_EXPAND" or B<EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND>

This is the default mode. Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set
up for HKDF will perform an extract followed by an expand operation in one go.
The derived key returned will be the result after the expand operation. The
intermediate fixed-length pseudorandom key K is not returned.

In this mode the digest, key, salt and info values must be set before a key is
derived, otherwise an error will occur.

=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY>

In this mode calling L<EVP_KDF_derive(3)> will just perform the extract
operation. The value returned will be the intermediate fixed-length pseudorandom
key K. The I<keylen> parameter must match the size of K, which can be looked
up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest.

The digest, key and salt values must be set before a key is derived, otherwise
an error will occur.

=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY>

In this mode calling L<EVP_KDF_derive(3)> will just perform the expand
operation. The input key should be set to the intermediate fixed-length
pseudorandom key K returned from a previous extract operation.

The digest, key and info values must be set before a key is derived, otherwise
an error will occur.

=back

=back

=head1 NOTES

A context for HKDF can be obtained by calling:

 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HKDF", NULL);
 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);

The output length of an HKDF expand operation is specified via the I<keylen>
parameter to the L<EVP_KDF_derive(3)> function. When using
EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of
the intermediate fixed-length pseudorandom key, otherwise an error will occur.
For that mode, the fixed output size can be looked up by calling
EVP_KDF_CTX_get_kdf_size() after setting the mode and digest on the
B<EVP_KDF_CTX>.
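The following is an added worked example, not part of this man page and not
OpenSSL's code: a standard-library Python implementation of RFC 5869 that
mirrors the three modes described above (the mode names, the 1024-byte info
limit and the "keylen must equal the digest size" rule for EXTRACT_ONLY are
reused from the page; the function names are the example's own). It shows
the two-module structure in working code: the intermediate key K has the
fixed size that EVP_KDF_CTX_get_kdf_size() reports, and EXTRACT_ONLY followed
by EXPAND_ONLY produces exactly the bytes EXTRACT_AND_EXPAND produces in one
go. The RFC 5869 Appendix A test vector used at the bottom is the only
external data.

```python
"""RFC 5869 HKDF written to mirror the EVP_KDF-HKDF mode semantics.
Added example: this is not OpenSSL's implementation and does not use the
EVP_KDF API; mode names are reused only to match the man page text."""
import hashlib
import hmac

# Same limit the man page documents for the "info" parameter.
MAX_INFO_LEN = 1024

EXTRACT_AND_EXPAND = "EXTRACT_AND_EXPAND"
EXTRACT_ONLY = "EXTRACT_ONLY"
EXPAND_ONLY = "EXPAND_ONLY"


def kdf_size(digest: str) -> int:
    """Length of the intermediate key K (HashLen). This is the analogue of
    EVP_KDF_CTX_get_kdf_size() once the digest and EXTRACT_ONLY are set."""
    return hashlib.new(digest).digest_size


def hkdf_extract(digest: str, salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * kdf_size(digest)
    return hmac.new(salt, ikm, digest).digest()


def hkdf_expand(digest: str, prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: OKM = T(1) | T(2) | ... truncated to `length`,
    where T(i) = HMAC-Hash(PRK, T(i-1) | info | i) and T(0) is empty."""
    hash_len = kdf_size(digest)
    if length <= 0 or length > 255 * hash_len:
        raise ValueError("expand length must be in 1..255*HashLen")
    if len(info) > MAX_INFO_LEN:
        raise ValueError("info exceeds %d bytes" % MAX_INFO_LEN)
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), digest).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_derive(mode, digest, key, keylen, salt=b"", info=b""):
    """Dispatch on mode with the keylen rule the man page states for
    EXTRACT_ONLY: the output is K itself, so keylen must equal HashLen."""
    if mode == EXTRACT_ONLY:
        if keylen != kdf_size(digest):
            raise ValueError("EXTRACT_ONLY: keylen must equal the digest size")
        return hkdf_extract(digest, salt, key)
    if mode == EXPAND_ONLY:
        # Here `key` is the intermediate K returned by a previous extract.
        return hkdf_expand(digest, key, info, keylen)
    if mode == EXTRACT_AND_EXPAND:
        prk = hkdf_extract(digest, salt, key)
        return hkdf_expand(digest, prk, info, keylen)
    raise ValueError("unknown mode %r" % (mode,))


def two_step_equals_one_shot(digest, key, salt, info, keylen) -> bool:
    """EXTRACT_ONLY then EXPAND_ONLY must yield the same OKM as
    EXTRACT_AND_EXPAND; this is what lets a caller keep K and expand later."""
    prk = hkdf_derive(EXTRACT_ONLY, digest, key, kdf_size(digest), salt=salt)
    two_step = hkdf_derive(EXPAND_ONLY, digest, prk, keylen, info=info)
    one_shot = hkdf_derive(EXTRACT_AND_EXPAND, digest, key, keylen,
                           salt=salt, info=info)
    return two_step == one_shot


if __name__ == "__main__":
    # RFC 5869 Appendix A, test case 1 (SHA-256, L = 42).
    ikm = bytes([0x0b] * 22)
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    print(hkdf_derive(EXTRACT_AND_EXPAND, "sha256", ikm, 42, salt, info).hex())
    print(two_step_equals_one_shot("sha256", ikm, salt, info, 42))
```

The rule enforced in `hkdf_derive` for EXTRACT_ONLY is the same one the NOTES
section describes for the I<keylen> argument of EVP_KDF_derive(): because the
output of the extract stage is K itself, its length is fixed by the digest and
any other request is rejected rather than silently truncated or padded.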

=head1 EXAMPLES

This example derives 10 bytes using SHA-256 with the secret key "secret",
salt value "salt" and info value "label":

 #include <string.h>
 #include <openssl/core_names.h>
 #include <openssl/kdf.h>
 #include <openssl/obj_mac.h>
 #include <openssl/params.h>

 EVP_KDF *kdf;
 EVP_KDF_CTX *kctx;
 unsigned char out[10];
 OSSL_PARAM params[5], *p = params;

 kdf = EVP_KDF_fetch(NULL, "HKDF", NULL);
 kctx = EVP_KDF_CTX_new(kdf);
 EVP_KDF_free(kdf);

 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                         SN_sha256, strlen(SN_sha256));
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                          "secret", (size_t)6);
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                          "label", (size_t)5);
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
                                          "salt", (size_t)4);
 *p = OSSL_PARAM_construct_end();
 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
     error("EVP_KDF_derive");
 }

 EVP_KDF_CTX_free(kctx);

=head1 CONFORMING TO

RFC 5869

=head1 SEE ALSO

L<EVP_KDF(3)>,
L<EVP_KDF_CTX_new(3)>,
L<EVP_KDF_CTX_free(3)>,
L<EVP_KDF_CTX_get_kdf_size(3)>,
L<EVP_KDF_CTX_set_params(3)>,
L<EVP_KDF_derive(3)>,
L<EVP_KDF(3)/PARAMETERS>,
L<EVP_KDF-TLS13_KDF(7)>

=head1 HISTORY

This functionality was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut