=pod

=head1 NAME

EVP_KDF-SSHKDF - The SSHKDF EVP_KDF implementation

=head1 DESCRIPTION

Support for computing the B<SSHKDF> KDF through the B<EVP_KDF> API.

The EVP_KDF-SSHKDF algorithm implements the SSHKDF key derivation function.
It is defined in RFC 4253, section 7.2 and is used by SSH to derive IVs,
encryption keys and integrity keys.
Five inputs are required to perform key derivation: The hashing function
(for example SHA256), the Initial Key, the Exchange Hash, the Session ID,
and the derivation key type.

=head2 Identity

"SSHKDF" is the name for this implementation; it
can be used with the EVP_KDF_fetch() function.

=head2 Supported parameters

The supported parameters are:

=over 4

=item "properties" (B<OSSL_KDF_PARAM_PROPERTIES>) <UTF8 string>

=item "digest" (B<OSSL_KDF_PARAM_DIGEST>) <UTF8 string>

=item "key" (B<OSSL_KDF_PARAM_KEY>) <octet string>

These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.

=item "xcghash" (B<OSSL_KDF_PARAM_SSHKDF_XCGHASH>) <octet string>

=item "session_id" (B<OSSL_KDF_PARAM_SSHKDF_SESSION_ID>) <octet string>

These parameters set the respective values for the KDF.
If a value is already set, the contents are replaced.

=item "type" (B<OSSL_KDF_PARAM_SSHKDF_TYPE>) <UTF8 string>

This parameter sets the type for the SSHKDF operation.
There are six supported types:

=over 4

=item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV

The Initial IV from client to server.
A single char of value 65 (ASCII char 'A').

=item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI

The Initial IV from server to client.
A single char of value 66 (ASCII char 'B').

=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV

The Encryption Key from client to server.
A single char of value 67 (ASCII char 'C').

=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI

The Encryption Key from server to client.
A single char of value 68 (ASCII char 'D').

=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV

The Integrity Key from client to server.
A single char of value 69 (ASCII char 'E').

=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI

The Integrity Key from server to client.
A single char of value 70 (ASCII char 'F').

=back

=back

=head1 NOTES

A context for SSHKDF can be obtained by calling:

    EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
    EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);

The output length of the SSHKDF derivation is specified via the I<keylen>
parameter to the L<EVP_KDF_derive(3)> function.
Since the SSHKDF output length is variable, calling L<EVP_KDF_CTX_get_kdf_size(3)>
to obtain the requisite length is not meaningful. The caller must
allocate a buffer of the desired length, and pass that buffer to the
L<EVP_KDF_derive(3)> function along with the desired length.

=head1 EXAMPLES

This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate
"xcghash" and "session_id" values:

    #include <string.h>
    #include <openssl/evp.h>
    #include <openssl/kdf.h>
    #include <openssl/core_names.h>
    #include <openssl/params.h>

    EVP_KDF *kdf;
    EVP_KDF_CTX *kctx;
    char type = EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV;
    unsigned char key[1024] = "01234...";
    unsigned char xcghash[32] = "012345...";
    unsigned char session_id[32] = "012345...";
    unsigned char out[8];
    size_t outlen = sizeof(out);
    OSSL_PARAM params[6], *p = params;

    kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
    kctx = EVP_KDF_CTX_new(kdf);
    /* The context keeps its own reference to the fetched KDF. */
    EVP_KDF_free(kdf);

    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
                                            SN_sha256, strlen(SN_sha256));
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                             key, (size_t)1024);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
                                             xcghash, (size_t)32);
    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
                                             session_id, (size_t)32);
    /* The type is passed as a one-character string, not NUL-terminated. */
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
                                            &type, sizeof(type));
    *p = OSSL_PARAM_construct_end();
    if (EVP_KDF_derive(kctx, out, outlen, params) <= 0) {
        /* Error */
    }

    EVP_KDF_CTX_free(kctx);

=head1 CONFORMING TO

RFC 4253

=head1 SEE ALSO

L<EVP_KDF(3)>,
L<EVP_KDF_CTX_new(3)>,
L<EVP_KDF_CTX_free(3)>,
L<EVP_KDF_CTX_set_params(3)>,
L<EVP_KDF_CTX_get_kdf_size(3)>,
L<EVP_KDF_derive(3)>,
L<EVP_KDF(3)/PARAMETERS>

=head1 HISTORY

This functionality was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
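
The derivation that the DESCRIPTION and the "type" list above refer to (RFC 4253, section 7.2), written out as an added Python reference that is not part of the OpenSSL documentation or source; it shows how the type letter and the requested output length shape the result. The helper names and the sample K, H and session ID are constructed for illustration, and the function hashes its key argument exactly as given, so K is passed in already mpint-encoded.

```python
import hashlib

# Type letters from the list above: 'A'..'F' (RFC 4253 section 7.2).
SSHKDF_TYPES = (b"A", b"B", b"C", b"D", b"E", b"F")


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n < 0:
        raise ValueError("only non-negative values are handled here")
    # One extra zero byte whenever the top bit would otherwise be set.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return len(body).to_bytes(4, "big") + body


def sshkdf(digest: str, key: bytes, xcghash: bytes, session_id: bytes,
           kdf_type: bytes, keylen: int) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    K(n+1) = HASH(K || H || K1 || ... || Kn), and the output is
    K1 || K2 || ... truncated to keylen bytes."""
    if kdf_type not in SSHKDF_TYPES:
        raise ValueError("type must be one of b'A'..b'F'")
    if keylen <= 0:
        raise ValueError("keylen must be positive")

    def h(*parts: bytes) -> bytes:
        return hashlib.new(digest, b"".join(parts)).digest()

    out = h(key, xcghash, kdf_type, session_id)
    while len(out) < keylen:  # extend when one digest is too short
        out += h(key, xcghash, out)
    return out[:keylen]


# Constructed sample inputs (not real key-exchange values).
K = mpint(int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big"))
H = hashlib.sha256(b"constructed exchange hash").digest()
SESSION_ID = H  # in the first key exchange the session ID is that exchange's H

if __name__ == "__main__":
    iv = sshkdf("sha256", K, H, SESSION_ID, b"A", 8)    # 8-byte IV, as in EXAMPLES
    enc = sshkdf("sha256", K, H, SESSION_ID, b"C", 48)  # longer than one SHA-256 digest
    print(iv.hex(), enc.hex())
```

Because only the type letter separates the six outputs, passing the wrong type yields a well-formed but wrong key rather than an error.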

=cut