1=pod 2 3=head1 NAME 4 5EVP_KDF-HKDF - The HKDF EVP_KDF implementation 6 7=head1 DESCRIPTION 8 9Support for computing the B<HKDF> KDF through the B<EVP_KDF> API. 10 11The EVP_KDF-HKDF algorithm implements the HKDF key derivation function. 12HKDF follows the "extract-then-expand" paradigm, where the KDF logically 13consists of two modules. The first stage takes the input keying material 14and "extracts" from it a fixed-length pseudorandom key K. The second stage 15"expands" the key K into several additional pseudorandom keys (the output 16of the KDF). 17 18The output is considered to be keying material. 19 20=head2 Identity 21 22"HKDF" is the name for this implementation; it 23can be used with the EVP_KDF_fetch() function. 24 25=head2 Supported parameters 26 27The supported parameters are: 28 29=over 4 30 31=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string> 32 33=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string> 34 35=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string> 36 37=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string> 38 39These parameters work as described in L<EVP_KDF(3)/PARAMETERS>. 40 41=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string> 42 43This parameter sets the info value. 44The length of the context info buffer cannot exceed 1024 bytes; 45this should be more than enough for any normal use of HKDF. 46 47=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer> 48 49This parameter sets the mode for the HKDF operation. 50There are three modes that are currently defined: 51 52=over 4 53 54=item "EXTRACT_AND_EXPAND" or B<EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND> 55 56This is the default mode. Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set 57up for HKDF will perform an extract followed by an expand operation in one go. 58The derived key returned will be the result after the expand operation. The 59intermediate fixed-length pseudorandom key K is not returned. 60 61In this mode the digest, key, salt and info values must be set before a key is 62derived otherwise an error will occur. 63 64=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY> 65 66In this mode calling L<EVP_KDF_derive(3)> will just perform the extract 67operation. The value returned will be the intermediate fixed-length pseudorandom 68key K. The I<keylen> parameter must match the size of K, which can be looked 69up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest. 70 71The digest, key and salt values must be set before a key is derived otherwise 72an error will occur. 73 74=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY> 75 76In this mode calling L<EVP_KDF_derive(3)> will just perform the expand 77operation. The input key should be set to the intermediate fixed-length 78pseudorandom key K returned from a previous extract operation. 79 80The digest, key and info values must be set before a key is derived otherwise 81an error will occur. 82 83=back 84 85=back 86 87The OpenSSL FIPS provider also supports the following parameters: 88 89=over 4 90 91=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <integer> 92 93A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. 94This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" 95is set to 0 and the check fails. 96 97=item "key-check" (B<OSSL_KDF_PARAM_FIPS_KEY_CHECK>) <integer> 98 99The default value of 1 causes an error during EVP_KDF_CTX_set_params() if the 100length of used key-derivation key (B<OSSL_KDF_PARAM_KEY>) is shorter than 112 101bits. 102Setting this to zero will ignore the error and set the approved 103"fips-indicator" to 0. 104This option breaks FIPS compliance if it causes the approved "fips-indicator" 105to return 0. 106 107=back 108 109=head1 NOTES 110 111A context for HKDF can be obtained by calling: 112 113 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HKDF", NULL); 114 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); 115 116The output length of an HKDF expand operation is specified via the I<keylen> 117parameter to the L<EVP_KDF_derive(3)> function. When using 118EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of 119the intermediate fixed-length pseudorandom key otherwise an error will occur. 120For that mode, the fixed output size can be looked up by calling EVP_KDF_CTX_get_kdf_size() 121after setting the mode and digest on the B<EVP_KDF_CTX>. 122 123=head1 EXAMPLES 124 125This example derives 10 bytes using SHA-256 with the secret key "secret", 126salt value "salt" and info value "label": 127 128 EVP_KDF *kdf; 129 EVP_KDF_CTX *kctx; 130 unsigned char out[10]; 131 OSSL_PARAM params[5], *p = params; 132 133 kdf = EVP_KDF_fetch(NULL, "HKDF", NULL); 134 kctx = EVP_KDF_CTX_new(kdf); 135 EVP_KDF_free(kdf); 136 137 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 138 SN_sha256, strlen(SN_sha256)); 139 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 140 "secret", (size_t)6); 141 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, 142 "label", (size_t)5); 143 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, 144 "salt", (size_t)4); 145 *p = OSSL_PARAM_construct_end(); 146 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { 147 error("EVP_KDF_derive"); 148 } 149 150 EVP_KDF_CTX_free(kctx); 151 152=head1 CONFORMING TO 153 154RFC 5869 155 156=head1 SEE ALSO 157 158L<EVP_KDF(3)>, 159L<EVP_KDF_CTX_new(3)>, 160L<EVP_KDF_CTX_free(3)>, 161L<EVP_KDF_CTX_get_kdf_size(3)>, 162L<EVP_KDF_CTX_set_params(3)>, 163L<EVP_KDF_derive(3)>, 164L<EVP_KDF(3)/PARAMETERS>, 165L<EVP_KDF-TLS13_KDF(7)> 166 167=head1 HISTORY 168 169This functionality was added in OpenSSL 3.0. 170 171=head1 COPYRIGHT 172 173Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 174 175Licensed under the Apache License 2.0 (the "License"). You may not use 176this file except in compliance with the License. You can obtain a copy 177in the file LICENSE in the source distribution or at 178L<https://www.openssl.org/source/license.html>. 179 180=cut 181
