EVP_KDF, EVP_KDF_fetch, EVP_KDF_free, EVP_KDF_up_ref, EVP_KDF_CTX, EVP_KDF_CTX_new, EVP_KDF_CTX_free, EVP_KDF_CTX_dup, EVP_KDF_reset, EVP_KDF_derive, EVP_KDF_size, EVP_KDF_provider, EVP_KDF_CTX_kdf, EVP_KDF_is_a, EVP_KDF_number, EVP_KDF_names_do_all, EVP_KDF_CTX_get_params, EVP_KDF_CTX_set_params, EVP_KDF_do_all_provided, EVP_KDF_get_params, EVP_KDF_gettable_ctx_params, EVP_KDF_settable_ctx_params, EVP_KDF_gettable_params - EVP KDF routines
#include <openssl/kdf.h>
typedef struct evp_kdf_st EVP_KDF; typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
EVP_KDF_CTX *EVP_KDF_CTX_new(const EVP_KDF *kdf); const EVP_KDF *EVP_KDF_CTX_kdf(EVP_KDF_CTX *ctx); void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); EVP_KDF_CTX *EVP_KDF_CTX_dup(const EVP_KDF_CTX *src); void EVP_KDF_reset(EVP_KDF_CTX *ctx); size_t EVP_KDF_size(EVP_KDF_CTX *ctx); int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); int EVP_KDF_up_ref(EVP_KDF *kdf); void EVP_KDF_free(EVP_KDF *kdf); EVP_KDF *EVP_KDF_fetch(OPENSSL_CTX *libctx, const char *algorithm, const char *properties); int EVP_KDF_number(const EVP_KDF *kdf); int EVP_KDF_is_a(const EVP_KDF *kdf, const char *name); const OSSL_PROVIDER *EVP_KDF_provider(const EVP_KDF *kdf); void EVP_KDF_do_all_provided(OPENSSL_CTX *libctx, void (*fn)(EVP_KDF *kdf, void *arg), void *arg); void EVP_KDF_names_do_all(const EVP_KDF *kdf, void (*fn)(const char *name, void *data), void *data); int EVP_KDF_get_params(EVP_KDF *kdf, OSSL_PARAM params[]); int EVP_KDF_CTX_get_params(EVP_KDF_CTX *ctx, OSSL_PARAM params[]); int EVP_KDF_CTX_set_params(EVP_KDF_CTX *ctx, const OSSL_PARAM params[]); const OSSL_PARAM *EVP_KDF_gettable_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_gettable_ctx_params(const EVP_KDF *kdf); const OSSL_PARAM *EVP_KDF_settable_ctx_params(const EVP_KDF *kdf); const OSSL_PROVIDER *EVP_KDF_provider(const EVP_KDF *kdf);
The EVP KDF routines are a high level interface to Key Derivation Function algorithms and should be used instead of algorithm-specific functions.
After creating a EVP_KDF_CTX for the required algorithm using
EVP_KDF_CTX_new()
, inputs to the algorithm are supplied
using calls to EVP_KDF_CTX_set_params()
before
calling EVP_KDF_derive()
to derive the key.
EVP_KDF is a type that holds the implementation of a KDF.
EVP_KDF_CTX is a context type that holds the algorithm inputs.
EVP_KDF_fetch()
fetches an implementation of a KDF algorithm, given
a library context libctx and a set of properties.
See provider(7)/Fetching algorithms for further information.
The returned value must eventually be freed with EVP_KDF_free(3).
EVP_KDF_up_ref()
increments the reference count of an already fetched
KDF.
EVP_KDF_free()
frees a fetched algorithm.
NULL is a valid parameter, for which this function is a no-op.
EVP_KDF_CTX_new()
creates a new context for the KDF implementation kdf.
EVP_KDF_CTX_free()
frees up the context ctx. If ctx is NULL, nothing
is done.
EVP_KDF_CTX_kdf()
returns the EVP_KDF associated with the context
ctx.
EVP_KDF_reset()
resets the context to the default state as if the context
had just been created.
EVP_KDF_derive()
derives keylen bytes of key material and places it in the
key buffer. If the algorithm produces a fixed amount of output then an
error will occur unless the keylen parameter is equal to that output size,
as returned by EVP_KDF_size()
.
EVP_KDF_get_params()
retrieves details about the implementation
kdf.
The set of parameters given with params determine exactly what
parameters should be retrieved.
Note that a parameter that is unknown in the underlying context is
simply ignored.
EVP_KDF_CTX_get_params()
retrieves chosen parameters, given the
context ctx and its underlying context.
The set of parameters given with params determine exactly what
parameters should be retrieved.
Note that a parameter that is unknown in the underlying context is
simply ignored.
EVP_KDF_CTX_set_params()
passes chosen parameters to the underlying
context, given a context ctx.
The set of parameters given with params determine exactly what
parameters are passed down.
Note that a parameter that is unknown in the underlying context is
simply ignored.
Also, what happens when a needed parameter isn't passed down is
defined by the implementation.
EVP_KDF_gettable_params()
, EVP_KDF_gettable_ctx_params()
and
EVP_KDF_settable_ctx_params()
get a constant OSSL_PARAM array that
describes the retrievable and settable parameters, i.e. parameters that
can be used with EVP_KDF_get_params()
, EVP_KDF_CTX_get_params()
and EVP_KDF_CTX_set_params()
, respectively.
See OSSL_PARAM(3) for the use of OSSL_PARAM as parameter descriptor.
EVP_KDF_size()
returns the output size if the algorithm produces a fixed amount
of output and SIZE_MAX otherwise. If an error occurs then 0 is returned.
For some algorithms an error may result if input parameters necessary to
calculate a fixed output size have not yet been supplied.
EVP_KDF_is_a()
returns 1 if kdf is an implementation of an
algorithm that's identifiable with name, otherwise 0.
EVP_KDF_provider()
returns the provider that holds the implementation
of the given kdf.
EVP_KDF_do_all_provided()
traverses all KDF implemented by all activated
providers in the given library context libctx, and for each of the
implementations, calls the given function fn with the implementation method
and the given arg as argument.
EVP_KDF_number()
returns the internal dynamic number assigned to
kdf.
EVP_KDF_names_do_all()
traverses all names for kdf, and calls
fn with each name and data.
The standard parameter names are:
Some KDF implementations require a password. For those KDF implementations that support it, this parameter sets the password.
Some KDF implementations can take a salt. For those KDF implementations that support it, this parameter sets the salt.
The default value, if any, is implementation dependent.
Some KDF implementations require an iteration count. For those KDF implementations that support it, this parameter sets the iteration count.
The default value, if any, is implementation dependent.
For KDF implementations that use an underlying computation MAC, digest or cipher, these parameters set what the algorithm should be.
The value is always the name of the intended algorithm, or the properties.
Note that not all algorithms may support all possible underlying implementations.
Some KDF implementations require a key. For those KDF implementations that support it, this octet string parameter sets the key.
Used by implementations that use a MAC with a variable output size (KMAC). For those KDF implementations that support it, this parameter sets the MAC output size.
The default value, if any, is implementation dependent. The length must never exceed what can be given with a size_t.
Memory-hard password-based KDF algorithms, such as scrypt, use an amount of memory that depends on the load factors provided as input. For those KDF implementations that support it, this uint64_t parameter sets an upper limit on the amount of memory that may be consumed while performing a key derivation. If this memory usage limit is exceeded because the load factors are chosen too high, the key derivation will fail.
The default value is implementation dependent. The memory size must never exceed what can be given with a size_t.
EVP_KDF_fetch()
returns a pointer to a newly fetched EVP_KDF, or
NULL if allocation failed.
EVP_KDF_provider()
returns a pointer to the provider for the KDF, or
NULL on error.
EVP_KDF_up_ref()
returns 1 on success, 0 on error.
EVP_KDF_CTX_new()
returns either the newly allocated
EVP_KDF_CTX structure or NULL if an error occurred.
EVP_KDF_CTX_free()
and EVP_KDF_reset()
do not return a value.
EVP_KDF_size()
returns the output size. SIZE_MAX is returned to indicate
that the algorithm produces a variable amount of output; 0 to indicate failure.
The remaining functions return 1 for success and 0 or a negative value for failure. In particular, a return value of -2 indicates the operation is not supported by the KDF algorithm.
EVP_KDF-SCRYPT(7) EVP_KDF-TLS1_PRF(7) EVP_KDF-PBKDF2(7) EVP_KDF-HKDF(7) EVP_KDF-SS(7) EVP_KDF-SSHKDF(7) EVP_KDF-X963(7) EVP_KDF-X942(7)
This functionality was added to OpenSSL 3.0.
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.