xref: /freebsd/crypto/openssl/doc/man7/EVP_KDF-TLS13_KDF.pod (revision 59c8e88e72633afbc47a4ace0d2170d00d51f7dc)
1=pod
2
3=head1 NAME
4
5EVP_KDF-TLS13_KDF - The TLS 1.3 EVP_KDF implementation
6
7=head1 DESCRIPTION
8
9Support for computing the TLS 1.3 version of the B<HKDF> KDF through
10the B<EVP_KDF> API.
11
12The EVP_KDF-TLS13_KDF algorithm implements the HKDF key derivation function
13as used by TLS 1.3.
14
15=head2 Identity
16
17"TLS13-KDF" is the name for this implementation; it
18can be used with the EVP_KDF_fetch() function.
19
20=head2 Supported parameters
21
22The supported parameters are:
23
24=over 4
25
26=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>
27
28=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>
29
30=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>
31
32=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
33
34These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
35
36=item "prefix" (B<OSSL_KDF_PARAM_PREFIX>) <octet string>
37
38This parameter sets the label prefix on the specified TLS 1.3 KDF context.
39For TLS 1.3 this should be set to the ASCII string "tls13 " without a
40trailing zero byte.  Refer to RFC 8446 section 7.1 "Key Schedule" for details.
41
42=item "label" (B<OSSL_KDF_PARAM_LABEL>) <octet string>
43
44This parameter sets the label on the specified TLS 1.3 KDF context.
45Refer to RFC 8446 section 7.1 "Key Schedule" for details.
46
47=item "data" (B<OSSL_KDF_PARAM_DATA>) <octet string>
48
49This parameter sets the context data on the specified TLS 1.3 KDF context.
50Refer to RFC 8446 section 7.1 "Key Schedule" for details.
51
52=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer>
53
54This parameter sets the mode for the TLS 1.3 KDF operation.
55There are two modes that are currently defined:
56
57=over 4
58
59=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY>
60
61In this mode calling L<EVP_KDF_derive(3)> will just perform the extract
62operation. The value returned will be the intermediate fixed-length pseudorandom
63key K.  The I<keylen> parameter must match the size of K, which can be looked
64up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest.
65
66The digest, key and salt values must be set before a key is derived otherwise
67an error will occur.
68
69=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY>
70
71In this mode calling L<EVP_KDF_derive(3)> will just perform the expand
72operation. The input key should be set to the intermediate fixed-length
73pseudorandom key K returned from a previous extract operation.
74
75The digest, key and info values must be set before a key is derived otherwise
76an error will occur.
77
78=back
79
80=back
81
82=head1 NOTES
83
84This KDF is intended for use by the TLS 1.3 implementation in libssl.
85It does not support all the options and capabilities that HKDF does.
86
87The I<OSSL_PARAM> array passed to L<EVP_KDF_derive(3)> or
88L<EVP_KDF_CTX_set_params(3)> must specify all of the parameters required.
89This KDF does not support a piecemeal approach to providing these.
90
91A context for a TLS 1.3 KDF can be obtained by calling:
92
93 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS13-KDF", NULL);
94 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
95
96The output length of a TLS 1.3 KDF expand operation is specified via the
97I<keylen> parameter to the L<EVP_KDF_derive(3)> function.  When using
98EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of
99the intermediate fixed-length pseudorandom key otherwise an error will occur.
100For that mode, the fixed output size can be looked up by calling
101EVP_KDF_CTX_get_kdf_size() after setting the mode and digest on the
102B<EVP_KDF_CTX>.
103
104=head1 CONFORMING TO
105
106RFC 8446
107
108=head1 SEE ALSO
109
110L<EVP_KDF(3)>,
111L<EVP_KDF_CTX_new(3)>,
112L<EVP_KDF_CTX_free(3)>,
113L<EVP_KDF_CTX_get_kdf_size(3)>,
114L<EVP_KDF_CTX_set_params(3)>,
115L<EVP_KDF_derive(3)>,
116L<EVP_KDF(3)/PARAMETERS>,
117L<EVP_KDF-HKDF(7)>
118
119=head1 HISTORY
120
121This functionality was added in OpenSSL 3.0.
122
123=head1 COPYRIGHT
124
125Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
126
127Licensed under the Apache License 2.0 (the "License").  You may not use
128this file except in compliance with the License.  You can obtain a copy
129in the file LICENSE in the source distribution or at
130L<https://www.openssl.org/source/license.html>.
131
132=cut
133