1=pod 2 3=head1 NAME 4 5EVP_KDF-TLS13_KDF - The TLS 1.3 EVP_KDF implementation 6 7=head1 DESCRIPTION 8 9Support for computing the TLS 1.3 version of the B<HKDF> KDF through 10the B<EVP_KDF> API. 11 12The EVP_KDF-TLS13_KDF algorithm implements the HKDF key derivation function 13as used by TLS 1.3. 14 15The output is considered to be keying material. 16 17=head2 Identity 18 19"TLS13-KDF" is the name for this implementation; it 20can be used with the EVP_KDF_fetch() function. 21 22=head2 Supported parameters 23 24The supported parameters are: 25 26=over 4 27 28=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string> 29 30=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string> 31 32=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string> 33 34=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string> 35 36These parameters work as described in L<EVP_KDF(3)/PARAMETERS>. 37 38=item "prefix" (B<OSSL_KDF_PARAM_PREFIX>) <octet string> 39 40This parameter sets the label prefix on the specified TLS 1.3 KDF context. 41For TLS 1.3 this should be set to the ASCII string "tls13 " without a 42trailing zero byte. Refer to RFC 8446 section 7.1 "Key Schedule" for details. 43 44=item "label" (B<OSSL_KDF_PARAM_LABEL>) <octet string> 45 46This parameter sets the label on the specified TLS 1.3 KDF context. 47Refer to RFC 8446 section 7.1 "Key Schedule" for details. 48 49=item "data" (B<OSSL_KDF_PARAM_DATA>) <octet string> 50 51This parameter sets the context data on the specified TLS 1.3 KDF context. 52Refer to RFC 8446 section 7.1 "Key Schedule" for details. 53 54=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer> 55 56This parameter sets the mode for the TLS 1.3 KDF operation. 57There are two modes that are currently defined: 58 59=over 4 60 61=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY> 62 63In this mode calling L<EVP_KDF_derive(3)> will just perform the extract 64operation. The value returned will be the intermediate fixed-length pseudorandom 65key K. The I<keylen> parameter must match the size of K, which can be looked 66up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest. 67 68The digest, key and salt values must be set before a key is derived otherwise 69an error will occur. 70 71=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY> 72 73In this mode calling L<EVP_KDF_derive(3)> will just perform the expand 74operation. The input key should be set to the intermediate fixed-length 75pseudorandom key K returned from a previous extract operation. 76 77The digest, key and info values must be set before a key is derived otherwise 78an error will occur. 79 80=back 81 82=back 83 84The OpenSSL FIPS provider also supports the following parameters: 85 86=over 4 87 88=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <integer> 89 90A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. 91This may be used after calling EVP_KDF_derive. It returns 0 if any "***-check" 92related parameter is set to 0 and the check fails. 93 94=item "digest-check" (B<OSSL_KDF_PARAM_FIPS_DIGEST_CHECK>) <integer> 95 96The default value of 1 causes an error during EVP_KDF_CTX_set_params() if 97used digest is not approved. 98Setting this to zero will ignore the error and set the approved 99"fips-indicator" to 0. 100This option breaks FIPS compliance if it causes the approved "fips-indicator" 101to return 0. 102 103According to RFC 8446, the following are approved digest algorithms: SHA2-256, 104SHA2-384. 105 106=item "key-check" (B<OSSL_KDF_PARAM_FIPS_KEY_CHECK>) <integer> 107 108The default value of 1 causes an error during EVP_KDF_CTX_set_params() if the 109length of used key-derivation key (B<OSSL_KDF_PARAM_KEY>) is shorter than 112 110bits. 111Setting this to zero will ignore the error and set the approved 112"fips-indicator" to 0. 113This option breaks FIPS compliance if it causes the approved "fips-indicator" 114to return 0. 115 116=back 117 118=head1 NOTES 119 120This KDF is intended for use by the TLS 1.3 implementation in libssl. 121It does not support all the options and capabilities that HKDF does. 122 123The I<OSSL_PARAM> array passed to L<EVP_KDF_derive(3)> or 124L<EVP_KDF_CTX_set_params(3)> must specify all of the parameters required. 125This KDF does not support a piecemeal approach to providing these. 126 127A context for a TLS 1.3 KDF can be obtained by calling: 128 129 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS13-KDF", NULL); 130 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); 131 132The output length of a TLS 1.3 KDF expand operation is specified via the 133I<keylen> parameter to the L<EVP_KDF_derive(3)> function. When using 134EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of 135the intermediate fixed-length pseudorandom key otherwise an error will occur. 136For that mode, the fixed output size can be looked up by calling 137EVP_KDF_CTX_get_kdf_size() after setting the mode and digest on the 138B<EVP_KDF_CTX>. 139 140=head1 CONFORMING TO 141 142RFC 8446 143 144=head1 SEE ALSO 145 146L<EVP_KDF(3)>, 147L<EVP_KDF_CTX_new(3)>, 148L<EVP_KDF_CTX_free(3)>, 149L<EVP_KDF_CTX_get_kdf_size(3)>, 150L<EVP_KDF_CTX_set_params(3)>, 151L<EVP_KDF_derive(3)>, 152L<EVP_KDF(3)/PARAMETERS>, 153L<EVP_KDF-HKDF(7)> 154 155=head1 HISTORY 156 157This functionality was added in OpenSSL 3.0. 158 159=head1 COPYRIGHT 160 161Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. 162 163Licensed under the Apache License 2.0 (the "License"). You may not use 164this file except in compliance with the License. You can obtain a copy 165in the file LICENSE in the source distribution or at 166L<https://www.openssl.org/source/license.html>. 167 168=cut 169
