=pod

=head1 NAME

EVP_KDF-SS - The Single Step / One Step EVP_KDF implementation

=head1 DESCRIPTION

The EVP_KDF-SS algorithm implements the Single Step key derivation function (SSKDF).
SSKDF derives a key using input such as a shared secret key (that was generated
during the execution of a key establishment scheme) and fixedinfo.
SSKDF is also informally referred to as 'Concat KDF'.

=head2 Auxiliary function

The implementation uses a selectable auxiliary function H, which can be one of:

=over 4

=item B<H(x) = hash(x, digest=md)>

=item B<H(x) = HMAC_hash(x, key=salt, digest=md)>

=item B<H(x) = KMACxxx(x, key=salt, custom="KDF", outlen=mac_size)>

=back

Both the HMAC and KMAC implementations set the key using the 'salt' value.
The hash and HMAC also require the digest to be set.

=head2 Identity

"SSKDF" is the name for this implementation; it
can be used with the EVP_KDF_fetch() function.

=head2 Supported parameters

The supported parameters are:

=over 4

=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>

=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>

This parameter is ignored for KMAC.

=item "mac" (B<OSSL_KDF_PARAM_MAC>) <UTF8 string>

=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>

=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>

These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.

=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>

This parameter sets the shared secret that is used for key derivation.

=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>

This parameter sets an optional value for fixedinfo, also known as otherinfo.

=back

=head1 NOTES

A context for SSKDF can be obtained by calling:

    EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
    EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);

The output length of an SSKDF is specified via the I<keylen>
parameter to the L<EVP_KDF_derive(3)> function.

=head1 EXAMPLES

This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret"
and fixedinfo value "label":

    EVP_KDF *kdf;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    OSSL_PARAM params[4], *p = params;

    kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
    kctx = EVP_KDF_CTX_new(kdf);
    EVP_KDF_free(kdf);      /* the context keeps its own reference */

    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                            SN_sha256, strlen(SN_sha256));
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                             "secret", (size_t)6);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                             "label", (size_t)5);
    *p = OSSL_PARAM_construct_end();
    if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
        error("EVP_KDF_derive");
    }

    EVP_KDF_CTX_free(kctx);

This example derives 10 bytes using H(x) = HMAC(SHA-256), with the secret key "secret",
fixedinfo value "label" and salt "salt":

    EVP_KDF *kdf;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    OSSL_PARAM params[6], *p = params;

    kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
    kctx = EVP_KDF_CTX_new(kdf);
    EVP_KDF_free(kdf);

    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
                                            SN_hmac, strlen(SN_hmac));
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                            SN_sha256, strlen(SN_sha256));
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                             "secret", (size_t)6);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                             "label", (size_t)5);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
                                             "salt", (size_t)4);
    *p = OSSL_PARAM_construct_end();
    if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
        error("EVP_KDF_derive");
    }

    EVP_KDF_CTX_free(kctx);

This example derives 10 bytes using H(x) = KMAC128(x,salt,outlen), with the secret key "secret",
fixedinfo value "label", salt of "salt" and KMAC outlen of 20:

    EVP_KDF *kdf;
    EVP_KDF_CTX *kctx;
    unsigned char out[10];
    OSSL_PARAM params[6], *p = params;

    kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
    kctx = EVP_KDF_CTX_new(kdf);
    EVP_KDF_free(kdf);

    /* no digest is needed: KMAC ignores OSSL_KDF_PARAM_DIGEST */
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
                                            SN_kmac128, strlen(SN_kmac128));
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                             "secret", (size_t)6);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                             "label", (size_t)5);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
                                             "salt", (size_t)4);
    *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, (size_t)20);
    *p = OSSL_PARAM_construct_end();
    if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
        error("EVP_KDF_derive");
    }

    EVP_KDF_CTX_free(kctx);

=head1 CONFORMING TO

NIST SP800-56Cr1.

=head1 SEE ALSO

L<EVP_KDF(3)>,
L<EVP_KDF_CTX_new(3)>,
L<EVP_KDF_CTX_free(3)>,
L<EVP_KDF_CTX_set_params(3)>,
L<EVP_KDF_CTX_get_kdf_size(3)>,
L<EVP_KDF_derive(3)>,
L<EVP_KDF(3)/PARAMETERS>

=head1 HISTORY

This functionality was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
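Added here as an illustration and not part of the OpenSSL manual or project code: a pure-Python reimplementation of the SSKDF construction from NIST SP800-56Cr1 for the hash and HMAC auxiliary functions, so the reader can see what the first two EXAMPLES above actually compute (counter || secret || fixedinfo fed to H, counter starting at 1, blocks concatenated and truncated to keylen). The function name `sskdf` is assumed; the KMAC variant is omitted because the Python standard library has no KMAC.

```python
import hashlib
import hmac
import math
from typing import Optional


def sskdf(secret: bytes, info: bytes, keylen: int, *,
          salt: Optional[bytes] = None, md: str = "sha256") -> bytes:
    """One-step KDF (SSKDF / 'Concat KDF') per NIST SP800-56Cr1.

    H(x) = hash(x)                 when salt is None  (page's first example)
    H(x) = HMAC_hash(x, key=salt)  when salt is given (page's second example)

    Output = leftmost keylen bytes of K(1) || K(2) || ... where
    K(i) = H(counter_i || secret || info) and counter_i is a 32-bit
    big-endian integer that starts at 1.
    """
    if keylen <= 0:
        raise ValueError("keylen must be positive")
    hlen = hashlib.new(md).digest_size
    reps = math.ceil(keylen / hlen)
    if reps > 0xFFFFFFFF:          # the 32-bit counter must not wrap
        raise ValueError("requested key length too large")
    out = bytearray()
    for counter in range(1, reps + 1):
        x = counter.to_bytes(4, "big") + secret + info
        if salt is None:
            block = hashlib.new(md, x).digest()
        else:
            block = hmac.new(salt, x, md).digest()
        out += block
    return bytes(out[:keylen])


if __name__ == "__main__":
    # Same inputs as the manual's SHA-256 and HMAC(SHA-256) examples.
    print(sskdf(b"secret", b"label", 10).hex())
    print(sskdf(b"secret", b"label", 10, salt=b"salt").hex())
```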