1=pod 2 3=head1 NAME 4 5EVP_KDF-HKDF - The HKDF EVP_KDF implementation 6 7=head1 DESCRIPTION 8 9Support for computing the B<HKDF> KDF through the B<EVP_KDF> API. 10 11The EVP_KDF-HKDF algorithm implements the HKDF key derivation function. 12HKDF follows the "extract-then-expand" paradigm, where the KDF logically 13consists of two modules. The first stage takes the input keying material 14and "extracts" from it a fixed-length pseudorandom key K. The second stage 15"expands" the key K into several additional pseudorandom keys (the output 16of the KDF). 17 18=head2 Identity 19 20"HKDF" is the name for this implementation; it 21can be used with the EVP_KDF_fetch() function. 22 23=head2 Supported parameters 24 25The supported parameters are: 26 27=over 4 28 29=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string> 30 31=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string> 32 33=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string> 34 35=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string> 36 37These parameters work as described in L<EVP_KDF(3)/PARAMETERS>. 38 39=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string> 40 41This parameter sets the info value. 42The length of the context info buffer cannot exceed 1024 bytes; 43this should be more than enough for any normal use of HKDF. 44 45=item "mode" (B<OSSL_KDF_PARAM_MODE>) <UTF8 string> or <integer> 46 47This parameter sets the mode for the HKDF operation. 48There are three modes that are currently defined: 49 50=over 4 51 52=item "EXTRACT_AND_EXPAND" or B<EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND> 53 54This is the default mode. Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set 55up for HKDF will perform an extract followed by an expand operation in one go. 56The derived key returned will be the result after the expand operation. The 57intermediate fixed-length pseudorandom key K is not returned. 58 59In this mode the digest, key, salt and info values must be set before a key is 60derived otherwise an error will occur. 61 62=item "EXTRACT_ONLY" or B<EVP_KDF_HKDF_MODE_EXTRACT_ONLY> 63 64In this mode calling L<EVP_KDF_derive(3)> will just perform the extract 65operation. The value returned will be the intermediate fixed-length pseudorandom 66key K. The I<keylen> parameter must match the size of K, which can be looked 67up by calling EVP_KDF_CTX_get_kdf_size() after setting the mode and digest. 68 69The digest, key and salt values must be set before a key is derived otherwise 70an error will occur. 71 72=item "EXPAND_ONLY" or B<EVP_KDF_HKDF_MODE_EXPAND_ONLY> 73 74In this mode calling L<EVP_KDF_derive(3)> will just perform the expand 75operation. The input key should be set to the intermediate fixed-length 76pseudorandom key K returned from a previous extract operation. 77 78The digest, key and info values must be set before a key is derived otherwise 79an error will occur. 80 81=back 82 83=back 84 85The OpenSSL FIPS provider also supports the following parameters: 86 87=over 4 88 89=item "fips-indicator" (B<OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR>) <integer> 90 91A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. 92This may be used after calling EVP_KDF_derive. It returns 0 if "key-check" 93is set to 0 and the check fails. 94 95=item "key-check" (B<OSSL_KDF_PARAM_FIPS_KEY_CHECK>) <integer> 96 97The default value of 1 causes an error during EVP_KDF_CTX_set_params() if the 98length of used key-derivation key (B<OSSL_KDF_PARAM_KEY>) is shorter than 112 99bits. 100Setting this to zero will ignore the error and set the approved 101"fips-indicator" to 0. 102This option breaks FIPS compliance if it causes the approved "fips-indicator" 103to return 0. 104 105=back 106 107=head1 NOTES 108 109A context for HKDF can be obtained by calling: 110 111 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HKDF", NULL); 112 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf); 113 114The output length of an HKDF expand operation is specified via the I<keylen> 115parameter to the L<EVP_KDF_derive(3)> function. When using 116EVP_KDF_HKDF_MODE_EXTRACT_ONLY the I<keylen> parameter must equal the size of 117the intermediate fixed-length pseudorandom key otherwise an error will occur. 118For that mode, the fixed output size can be looked up by calling EVP_KDF_CTX_get_kdf_size() 119after setting the mode and digest on the B<EVP_KDF_CTX>. 120 121=head1 EXAMPLES 122 123This example derives 10 bytes using SHA-256 with the secret key "secret", 124salt value "salt" and info value "label": 125 126 EVP_KDF *kdf; 127 EVP_KDF_CTX *kctx; 128 unsigned char out[10]; 129 OSSL_PARAM params[5], *p = params; 130 131 kdf = EVP_KDF_fetch(NULL, "HKDF", NULL); 132 kctx = EVP_KDF_CTX_new(kdf); 133 EVP_KDF_free(kdf); 134 135 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 136 SN_sha256, strlen(SN_sha256)); 137 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 138 "secret", (size_t)6); 139 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, 140 "label", (size_t)5); 141 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, 142 "salt", (size_t)4); 143 *p = OSSL_PARAM_construct_end(); 144 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) { 145 error("EVP_KDF_derive"); 146 } 147 148 EVP_KDF_CTX_free(kctx); 149 150=head1 CONFORMING TO 151 152RFC 5869 153 154=head1 SEE ALSO 155 156L<EVP_KDF(3)>, 157L<EVP_KDF_CTX_new(3)>, 158L<EVP_KDF_CTX_free(3)>, 159L<EVP_KDF_CTX_get_kdf_size(3)>, 160L<EVP_KDF_CTX_set_params(3)>, 161L<EVP_KDF_derive(3)>, 162L<EVP_KDF(3)/PARAMETERS>, 163L<EVP_KDF-TLS13_KDF(7)> 164 165=head1 HISTORY 166 167This functionality was added in OpenSSL 3.0. 168 169=head1 COPYRIGHT 170 171Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 172 173Licensed under the Apache License 2.0 (the "License"). You may not use 174this file except in compliance with the License. You can obtain a copy 175in the file LICENSE in the source distribution or at 176L<https://www.openssl.org/source/license.html>. 177 178=cut 179
