=pod

=head1 NAME

EVP_KDF-SS - The Single Step / One Step EVP_KDF implementation

=head1 DESCRIPTION

The EVP_KDF-SS algorithm implements the Single Step key derivation function (SSKDF).
SSKDF derives a key using input such as a shared secret key (that was generated
during the execution of a key establishment scheme) and fixedinfo.
SSKDF is also informally referred to as 'Concat KDF'.

=head2 Auxiliary function

The implementation uses a selectable auxiliary function H, which can be one of:

=over 4

=item B<H(x) = hash(x, digest=md)>

=item B<H(x) = HMAC_hash(x, key=salt, digest=md)>

=item B<H(x) = KMACxxx(x, key=salt, custom="KDF", outlen=mac_size)>

=back

Both the HMAC and KMAC implementations set the key using the 'salt' value.
The hash and HMAC also require the digest to be set.

=head2 Identity

"SSKDF" is the name for this implementation; it
can be used with the EVP_KDF_fetch() function.


=head2 Supported parameters

The supported parameters are:

=over 4

=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>

=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>

This parameter is ignored for KMAC.

=item "mac" (B<OSSL_KDF_PARAM_MAC>) <UTF8 string>

=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>

=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>

These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.

=item "key" (B<OSSL_KDF_PARAM_SECRET>) <octet string>

This parameter sets the shared secret that is used for key derivation.

=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>

This parameter sets an optional value for fixedinfo, also known as otherinfo.


=back

=head1 NOTES

A context for SSKDF can be obtained by calling:

 EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);

The output length of an SSKDF is specified via the I<keylen>
parameter to the L<EVP_KDF_derive(3)> function.

=head1 EXAMPLES

This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret"
and fixedinfo value "label":

 EVP_KDF *kdf;
 EVP_KDF_CTX *kctx;
 unsigned char out[10];
 OSSL_PARAM params[4], *p = params;

 kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
 kctx = EVP_KDF_CTX_new(kdf);
 EVP_KDF_free(kdf);

 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                         SN_sha256, strlen(SN_sha256));
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                          "secret", (size_t)6);
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                          "label", (size_t)5);
 *p = OSSL_PARAM_construct_end();
 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
     error("EVP_KDF_derive");
 }

 EVP_KDF_CTX_free(kctx);

This example derives 10 bytes using H(x) = HMAC(SHA-256), with the secret key "secret",
fixedinfo value "label" and salt "salt":

 EVP_KDF *kdf;
 EVP_KDF_CTX *kctx;
 unsigned char out[10];
 OSSL_PARAM params[6], *p = params;

 kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
 kctx = EVP_KDF_CTX_new(kdf);
 EVP_KDF_free(kdf);

 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
                                         SN_hmac, strlen(SN_hmac));
 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                         SN_sha256, strlen(SN_sha256));
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
                                          "secret", (size_t)6);
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                          "label", (size_t)5);
 /* The salt is used as the HMAC key */
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
                                          "salt", (size_t)4);
 *p = OSSL_PARAM_construct_end();
 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
     error("EVP_KDF_derive");
 }

 EVP_KDF_CTX_free(kctx);

This example derives 10 bytes using H(x) = KMAC128(x,salt,outlen), with the secret key "secret",
fixedinfo value "label", salt of "salt" and KMAC outlen of 20:

 EVP_KDF *kdf;
 EVP_KDF_CTX *kctx;
 unsigned char out[10];
 size_t maclen = 20; /* KMAC outlen; OSSL_PARAM_construct_size_t() takes a pointer */
 OSSL_PARAM params[6], *p = params;

 kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
 kctx = EVP_KDF_CTX_new(kdf);
 EVP_KDF_free(kdf);

 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
                                         SN_kmac128, strlen(SN_kmac128));
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
                                          "secret", (size_t)6);
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
                                          "label", (size_t)5);
 /* The salt is used as the KMAC key */
 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
                                          "salt", (size_t)4);
 *p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, &maclen);
 *p = OSSL_PARAM_construct_end();
 if (EVP_KDF_derive(kctx, out, sizeof(out), params) <= 0) {
     error("EVP_KDF_derive");
 }

 EVP_KDF_CTX_free(kctx);

=head1 CONFORMING TO

NIST SP800-56Cr1.

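
The one-step construction from NIST SP800-56Cr1 that SSKDF implements, modelled in Python as an added example (this is not OpenSSL code): each output block is H(counter || secret || fixedinfo) with a 32-bit big-endian counter starting at 1. The names C<sskdf> and C<properties> are chosen here for illustration; only the hash and HMAC options of H are modelled, and the inputs are the "secret", "label" and "salt" values from the examples above.

```python
import hashlib
import hmac
import struct
from typing import Optional


def sskdf(secret: bytes, info: bytes, keylen: int,
          digest: str = "sha256", salt: Optional[bytes] = None) -> bytes:
    """Model of the one-step KDF: K(1) || K(2) || ... truncated to keylen.

    K(i) = H(counter_i || secret || info), counter_i a 32-bit big-endian
    integer starting at 1. With salt=None, H is the plain hash; otherwise
    H is HMAC keyed with the salt. The KMAC option is not modelled.
    """
    if keylen <= 0:
        raise ValueError("keylen must be positive")
    hlen = hashlib.new(digest).digest_size
    reps = -(-keylen // hlen)  # ceil(keylen / hlen)
    if reps > 0xFFFFFFFF:
        raise ValueError("keylen too large for a 32-bit counter")
    out = bytearray()
    for counter in range(1, reps + 1):
        x = struct.pack(">I", counter) + secret + info
        if salt is None:
            out += hashlib.new(digest, x).digest()
        else:
            out += hmac.new(salt, x, digest).digest()
    return bytes(out[:keylen])


def properties() -> dict:
    """Properties of the construction, checked on the page's example inputs."""
    z, fixedinfo = b"secret", b"label"
    short = sskdf(z, fixedinfo, 10)
    long_ = sskdf(z, fixedinfo, 40)
    return {
        # keylen is not an input to H: a shorter key is a prefix of a longer one
        "short_is_prefix_of_long": long_.startswith(short),
        # fixedinfo separates keys derived from the same shared secret
        "info_separates": sskdf(z, b"label2", 10) != short,
        # switching H to HMAC keyed with a salt gives a different key
        "salt_changes_key": sskdf(z, fixedinfo, 10, salt=b"salt") != short,
    }


if __name__ == "__main__":
    print(sskdf(b"secret", b"label", 10).hex())
    print(properties())
```

Because the requested length is not part of the input to H, keys of different lengths derived from identical inputs share a prefix; when several keys come from one shared secret, distinguish them through fixedinfo.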

=head1 SEE ALSO

L<EVP_KDF(3)>,
L<EVP_KDF_CTX_new(3)>,
L<EVP_KDF_CTX_free(3)>,
L<EVP_KDF_CTX_set_params(3)>,
L<EVP_KDF_CTX_get_kdf_size(3)>,
L<EVP_KDF_derive(3)>,
L<EVP_KDF(3)/PARAMETERS>

=head1 HISTORY

This functionality was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright
(c) 2019, Oracle and/or its affiliates. All rights reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut