1 /** 2 * \file hkdf.h 3 * 4 * \brief This file contains the HKDF interface. 5 * 6 * The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is 7 * specified by RFC 5869. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 #ifndef MBEDTLS_HKDF_H 26 #define MBEDTLS_HKDF_H 27 28 #include "mbedtls/build_info.h" 29 30 #include "mbedtls/md.h" 31 32 /** 33 * \name HKDF Error codes 34 * \{ 35 */ 36 /** Bad input parameters to function. */ 37 #define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA -0x5F80 38 /** \} name */ 39 40 #ifdef __cplusplus 41 extern "C" { 42 #endif 43 44 /** 45 * \brief This is the HMAC-based Extract-and-Expand Key Derivation Function 46 * (HKDF). 47 * 48 * \param md A hash function; md.size denotes the length of the hash 49 * function output in bytes. 50 * \param salt An optional salt value (a non-secret random value); 51 * if the salt is not provided, a string of all zeros of 52 * md.size length is used as the salt. 53 * \param salt_len The length in bytes of the optional \p salt. 54 * \param ikm The input keying material. 55 * \param ikm_len The length in bytes of \p ikm. 56 * \param info An optional context and application specific information 57 * string. This can be a zero-length string. 58 * \param info_len The length of \p info in bytes. 59 * \param okm The output keying material of \p okm_len bytes. 60 * \param okm_len The length of the output keying material in bytes. This 61 * must be less than or equal to 255 * md.size bytes. 62 * 63 * \return 0 on success. 64 * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 65 * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 66 * MD layer. 67 */ 68 int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt, 69 size_t salt_len, const unsigned char *ikm, size_t ikm_len, 70 const unsigned char *info, size_t info_len, 71 unsigned char *okm, size_t okm_len); 72 73 /** 74 * \brief Take the input keying material \p ikm and extract from it a 75 * fixed-length pseudorandom key \p prk. 76 * 77 * \warning This function should only be used if the security of it has been 78 * studied and established in that particular context (eg. TLS 1.3 79 * key schedule). For standard HKDF security guarantees use 80 * \c mbedtls_hkdf instead. 81 * 82 * \param md A hash function; md.size denotes the length of the 83 * hash function output in bytes. 84 * \param salt An optional salt value (a non-secret random value); 85 * if the salt is not provided, a string of all zeros 86 * of md.size length is used as the salt. 87 * \param salt_len The length in bytes of the optional \p salt. 88 * \param ikm The input keying material. 89 * \param ikm_len The length in bytes of \p ikm. 90 * \param[out] prk A pseudorandom key of at least md.size bytes. 91 * 92 * \return 0 on success. 93 * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 94 * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 95 * MD layer. 96 */ 97 int mbedtls_hkdf_extract(const mbedtls_md_info_t *md, 98 const unsigned char *salt, size_t salt_len, 99 const unsigned char *ikm, size_t ikm_len, 100 unsigned char *prk); 101 102 /** 103 * \brief Expand the supplied \p prk into several additional pseudorandom 104 * keys, which is the output of the HKDF. 105 * 106 * \warning This function should only be used if the security of it has been 107 * studied and established in that particular context (eg. TLS 1.3 108 * key schedule). For standard HKDF security guarantees use 109 * \c mbedtls_hkdf instead. 110 * 111 * \param md A hash function; md.size denotes the length of the hash 112 * function output in bytes. 113 * \param prk A pseudorandom key of at least md.size bytes. \p prk is 114 * usually the output from the HKDF extract step. 115 * \param prk_len The length in bytes of \p prk. 116 * \param info An optional context and application specific information 117 * string. This can be a zero-length string. 118 * \param info_len The length of \p info in bytes. 119 * \param okm The output keying material of \p okm_len bytes. 120 * \param okm_len The length of the output keying material in bytes. This 121 * must be less than or equal to 255 * md.size bytes. 122 * 123 * \return 0 on success. 124 * \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid. 125 * \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying 126 * MD layer. 127 */ 128 int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk, 129 size_t prk_len, const unsigned char *info, 130 size_t info_len, unsigned char *okm, size_t okm_len); 131 132 #ifdef __cplusplus 133 } 134 #endif 135 136 #endif /* hkdf.h */ 137