1=pod 2 3=head1 NAME 4 5EVP_KDF-TLS13_KDF - The TLS 1.3 EVP_KDF implementation 6 7=head1 DESCRIPTION 8 9Support for computing the TLS 1.3 version of the B<HKDF> KDF through 10the B<EVP_KDF> API. 11 12The EVP_KDF-TLS13_KDF algorithm implements the HKDF key derivation function 13as used by TLS 1.3. 14 15The output is considered to be keying material. 16 17=head2 Identity 18 19"TLS13-KDF" is the name for this implementation; it 20can be used with the EVP_KDF_fetch() function. 21 22=head2 Supported parameters 23 24The supported parameters are: 25 26=over 4 27 28=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string> 29 30=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string> 31 32=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string> 33 34=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string> 35 36These parameters work as described in L<EVP_KDF(3)/PARAMETERS>. 37 38=item "prefix" (B<OSSL_KDF_PARAM_PREFIX>) <octet string> 39 40This parameter sets the label prefix on the specified TLS 1.3 KDF context. 41For TLS 1.3 this should be set to the ASCII string "tls13 " without a 42trailing zero byte. Refer to RFC 8446 section 7.1 "Key Schedule" for details. 43 44=item "label" (B<OSSL_KDF_PARAM_LABEL>) <octet string> 45 46This parameter sets the label on the specified TLS 1.3 KDF context. 47Refer to RFC 8446 section 7.1 "Key Schedule" for details. 48 49=item "data" (B<OSSL_KDF_PARAM_DATA>) <octet string> 50 51This parameter sets the context data on the specified TLS 1.3 KDF context. 52Refer to RFC 8446 section 7.1 "Key Schedule" for details. 53 54=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer> 55 56This parameter sets the mode for the TLS 1.3 KDF operation. 57There are two modes that are currently defined: 58 59=over 4 60 61=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY> 62 63In this mode calling L<EVP_KDF_derive(3)> will just perform the extract 64operation. The value returned will be the intermediate fixed-length pseudorandom 65key K. The I<keylen> parameter must match the size of K, which can be looked 66up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest. 67 68The digest, key and salt values must be set before a key is derived otherwise 69an error will occur. 70 71=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY> 72 73In this mode calling L<EVP_KDF_derive(3)> will just perform the expand 74operation. The input key should be set to the intermediate fixed-length 75pseudorandom key K returned from a previous extract operation. 76 77The digest, key and info values must be set before a key is derived otherwise 78an error will occur. 79 80=back 81 82=back 83 84=head1 NOTES 85 86This KDF is intended for use by the TLS 1.3 implementation in libssl. 87It does not support all the options and capabilities that HKDF does. 88 89The I<OSSL_PARAM> array passed to L<EVP_KDF_derive(3)> or 90L<EVP_KDF_CTX_set_params(3)> must specify all of the parameters required. 91This KDF does not support a piecemeal approach to providing these. 92 93A context for a TLS 1.3 KDF can be obtained by calling: 94 95 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS13-KDF", NULL); 96 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); 97 98The output length of a TLS 1.3 KDF expand operation is specified via the 99I<keylen> parameter to the L<EVP_KDF_derive(3)> function. When using 100EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of 101the intermediate fixed-length pseudorandom key otherwise an error will occur. 102For that mode, the fixed output size can be looked up by calling 103EVP_KDF_CTX_get_kdf_size() after setting the mode and digest on the 104B<EVP_KDF_CTX>. 105 106=head1 CONFORMING TO 107 108RFC 8446 109 110=head1 SEE ALSO 111 112L<EVP_KDF(3)>, 113L<EVP_KDF_CTX_new(3)>, 114L<EVP_KDF_CTX_free(3)>, 115L<EVP_KDF_CTX_get_kdf_size(3)>, 116L<EVP_KDF_CTX_set_params(3)>, 117L<EVP_KDF_derive(3)>, 118L<EVP_KDF(3)/PARAMETERS>, 119L<EVP_KDF-HKDF(7)> 120 121=head1 HISTORY 122 123This functionality was added in OpenSSL 3.0. 124 125=head1 COPYRIGHT 126 127Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. 128 129Licensed under the Apache License 2.0 (the "License"). You may not use 130this file except in compliance with the License. You can obtain a copy 131in the file LICENSE in the source distribution or at 132L<https://www.openssl.org/source/license.html>. 133 134=cut 135