include/mbedtls/hkdf.h

0001 /**
0002  * \file hkdf.h
0003  *
0004  * \brief   This file contains the HKDF interface.
0005  *
0006  *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
0007  *          specified by RFC 5869.
0008  */
0009 /*
0010  *  Copyright The Mbed TLS Contributors
0011  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
0012  */
0013 #ifndef MBEDTLS_HKDF_H
0014 #define MBEDTLS_HKDF_H
0015
0016 #include "mbedtls/build_info.h"
0017
0018 #include "mbedtls/md.h"
0019
0020 /**
0021  *  \name HKDF Error codes
0022  *  \{
0023  */
0024 /** Bad input parameters to function. */
0025 #define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80
0026 /** \} name */
0027
0028 #ifdef __cplusplus
0029 extern "C" {
0030 #endif
0031
0032 /**
0033  *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
0034  *          (HKDF).
0035  *
0036  *  \param  md        A hash function; md.size denotes the length of the hash
0037  *                    function output in bytes.
0038  *  \param  salt      An optional salt value (a non-secret random value);
0039  *                    if the salt is not provided, a string of all zeros of
0040  *                    md.size length is used as the salt.
0041  *  \param  salt_len  The length in bytes of the optional \p salt.
0042  *  \param  ikm       The input keying material.
0043  *  \param  ikm_len   The length in bytes of \p ikm.
0044  *  \param  info      An optional context and application specific information
0045  *                    string. This can be a zero-length string.
0046  *  \param  info_len  The length of \p info in bytes.
0047  *  \param  okm       The output keying material of \p okm_len bytes.
0048  *  \param  okm_len   The length of the output keying material in bytes. This
0049  *                    must be less than or equal to 255 * md.size bytes.
0050  *
0051  *  \return 0 on success.
0052  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
0053  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
0054  *          MD layer.
0055  */
0056 int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt,
0057                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
0058                  const unsigned char *info, size_t info_len,
0059                  unsigned char *okm, size_t okm_len);
0060
0061 /**
0062  *  \brief  Take the input keying material \p ikm and extract from it a
0063  *          fixed-length pseudorandom key \p prk.
0064  *
0065  *  \warning    This function should only be used if the security of it has been
0066  *              studied and established in that particular context (eg. TLS 1.3
0067  *              key schedule). For standard HKDF security guarantees use
0068  *              \c mbedtls_hkdf instead.
0069  *
0070  *  \param       md        A hash function; md.size denotes the length of the
0071  *                         hash function output in bytes.
0072  *  \param       salt      An optional salt value (a non-secret random value);
0073  *                         if the salt is not provided, a string of all zeros
0074  *                         of md.size length is used as the salt.
0075  *  \param       salt_len  The length in bytes of the optional \p salt.
0076  *  \param       ikm       The input keying material.
0077  *  \param       ikm_len   The length in bytes of \p ikm.
0078  *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
0079  *
0080  *  \return 0 on success.
0081  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
0082  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
0083  *          MD layer.
0084  */
0085 int mbedtls_hkdf_extract(const mbedtls_md_info_t *md,
0086                          const unsigned char *salt, size_t salt_len,
0087                          const unsigned char *ikm, size_t ikm_len,
0088                          unsigned char *prk);
0089
0090 /**
0091  *  \brief  Expand the supplied \p prk into several additional pseudorandom
0092  *          keys, which is the output of the HKDF.
0093  *
0094  *  \warning    This function should only be used if the security of it has been
0095  *              studied and established in that particular context (eg. TLS 1.3
0096  *              key schedule). For standard HKDF security guarantees use
0097  *              \c mbedtls_hkdf instead.
0098  *
0099  *  \param  md        A hash function; md.size denotes the length of the hash
0100  *                    function output in bytes.
0101  *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
0102  *                    usually the output from the HKDF extract step.
0103  *  \param  prk_len   The length in bytes of \p prk.
0104  *  \param  info      An optional context and application specific information
0105  *                    string. This can be a zero-length string.
0106  *  \param  info_len  The length of \p info in bytes.
0107  *  \param  okm       The output keying material of \p okm_len bytes.
0108  *  \param  okm_len   The length of the output keying material in bytes. This
0109  *                    must be less than or equal to 255 * md.size bytes.
0110  *
0111  *  \return 0 on success.
0112  *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
0113  *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
0114  *          MD layer.
0115  */
0116 int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk,
0117                         size_t prk_len, const unsigned char *info,
0118                         size_t info_len, unsigned char *okm, size_t okm_len);
0119
0120 #ifdef __cplusplus
0121 }
0122 #endif
0123
0124 #endif /* hkdf.h */