• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file hkdf.h
3  *
4  * \brief   This file contains the HKDF interface.
5  *
6  *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
7  *          specified by RFC 5869.
8  */
9 /*
10  *  Copyright The Mbed TLS Contributors
11  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
12  */
13 #ifndef MBEDTLS_HKDF_H
14 #define MBEDTLS_HKDF_H
15 
16 #if !defined(MBEDTLS_CONFIG_FILE)
17 #include "mbedtls/config.h"
18 #else
19 #include MBEDTLS_CONFIG_FILE
20 #endif
21 
22 #include "mbedtls/md.h"
23 
24 /**
25  *  \name HKDF Error codes
26  *  \{
27  */
28 /** Bad input parameters to function. */
29 #define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80
30 /** \} name */
31 
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35 
36 /**
37  *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
38  *          (HKDF).
39  *
40  *  \param  md        A hash function; md.size denotes the length of the hash
41  *                    function output in bytes.
42  *  \param  salt      An optional salt value (a non-secret random value);
43  *                    if the salt is not provided, a string of all zeros of
44  *                    md.size length is used as the salt.
45  *  \param  salt_len  The length in bytes of the optional \p salt.
46  *  \param  ikm       The input keying material.
47  *  \param  ikm_len   The length in bytes of \p ikm.
48  *  \param  info      An optional context and application specific information
49  *                    string. This can be a zero-length string.
50  *  \param  info_len  The length of \p info in bytes.
51  *  \param  okm       The output keying material of \p okm_len bytes.
52  *  \param  okm_len   The length of the output keying material in bytes. This
53  *                    must be less than or equal to 255 * md.size bytes.
54  *
55  *  \return 0 on success.
56  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
57  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
58  *          MD layer.
59  */
60 int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
61                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
62                  const unsigned char *info, size_t info_len,
63                  unsigned char *okm, size_t okm_len);
64 
65 /**
66  *  \brief  Take the input keying material \p ikm and extract from it a
67  *          fixed-length pseudorandom key \p prk.
68  *
69  *  \warning    This function should only be used if the security of it has been
70  *              studied and established in that particular context (eg. TLS 1.3
71  *              key schedule). For standard HKDF security guarantees use
72  *              \c mbedtls_hkdf instead.
73  *
74  *  \param       md        A hash function; md.size denotes the length of the
75  *                         hash function output in bytes.
76  *  \param       salt      An optional salt value (a non-secret random value);
77  *                         if the salt is not provided, a string of all zeros
78  *                         of md.size length is used as the salt.
79  *  \param       salt_len  The length in bytes of the optional \p salt.
80  *  \param       ikm       The input keying material.
81  *  \param       ikm_len   The length in bytes of \p ikm.
82  *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
83  *
84  *  \return 0 on success.
85  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
86  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
87  *          MD layer.
88  */
89 int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
90                          const unsigned char *salt, size_t salt_len,
91                          const unsigned char *ikm, size_t ikm_len,
92                          unsigned char *prk);
93 
94 /**
95  *  \brief  Expand the supplied \p prk into several additional pseudorandom
96  *          keys, which is the output of the HKDF.
97  *
98  *  \warning    This function should only be used if the security of it has been
99  *              studied and established in that particular context (eg. TLS 1.3
100  *              key schedule). For standard HKDF security guarantees use
101  *              \c mbedtls_hkdf instead.
102  *
103  *  \param  md        A hash function; md.size denotes the length of the hash
104  *                    function output in bytes.
105  *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
106  *                    usually the output from the HKDF extract step.
107  *  \param  prk_len   The length in bytes of \p prk.
108  *  \param  info      An optional context and application specific information
109  *                    string. This can be a zero-length string.
110  *  \param  info_len  The length of \p info in bytes.
111  *  \param  okm       The output keying material of \p okm_len bytes.
112  *  \param  okm_len   The length of the output keying material in bytes. This
113  *                    must be less than or equal to 255 * md.size bytes.
114  *
115  *  \return 0 on success.
116  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
117  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
118  *          MD layer.
119  */
120 int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
121                         size_t prk_len, const unsigned char *info,
122                         size_t info_len, unsigned char *okm, size_t okm_len);
123 
124 #ifdef __cplusplus
125 }
126 #endif
127 
128 #endif /* hkdf.h */
129