File hkdf.h

This file contains the HKDF interface. 

     The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
     specified by RFC 5869.

HKDF Error codes

MBEDTLS_ERR_HKDF_BAD_INPUT_DATA

Bad input parameters to function.

Functions

int mbedtls_hkdf(const mbedtls_md_info_t *md, const unsigned char *salt, size_t salt_len, const unsigned char *ikm, size_t ikm_len, const unsigned char *info, size_t info_len, unsigned char *okm, size_t okm_len)

This is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).

Parameters:

  • md – A hash function; md.size denotes the length of the hash function output in bytes.

  • salt – An optional salt value (a non-secret random value); if the salt is not provided, a string of all zeros of md.size length is used as the salt.

  • salt_len – The length in bytes of the optional salt.

  • ikm – The input keying material.

  • ikm_len – The length in bytes of ikm.

  • info – An optional context and application specific information string. This can be a zero-length string.

  • info_len – The length of info in bytes.

  • okm – The output keying material of okm_len bytes.

  • okm_len – The length of the output keying material in bytes. This must be less than or equal to 255 * md.size bytes.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.

Returns:

An MBEDTLS_ERR_MD_* error for errors returned from the underlying MD layer.

int mbedtls_hkdf_extract(const mbedtls_md_info_t *md, const unsigned char *salt, size_t salt_len, const unsigned char *ikm, size_t ikm_len, unsigned char *prk)

Take the input keying material ikm and extract from it a fixed-length pseudorandom key prk.

Warning

This function should only be used if the security of it has been studied and established in that particular context (eg. TLS 1.3 key schedule). For standard HKDF security guarantees use mbedtls_hkdf instead.

Parameters:

  • md – A hash function; md.size denotes the length of the hash function output in bytes.

  • salt – An optional salt value (a non-secret random value); if the salt is not provided, a string of all zeros of md.size length is used as the salt.

  • salt_len – The length in bytes of the optional salt.

  • ikm – The input keying material.

  • ikm_len – The length in bytes of ikm.

  • prk[out] A pseudorandom key of at least md.size bytes.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.

Returns:

An MBEDTLS_ERR_MD_* error for errors returned from the underlying MD layer.

int mbedtls_hkdf_expand(const mbedtls_md_info_t *md, const unsigned char *prk, size_t prk_len, const unsigned char *info, size_t info_len, unsigned char *okm, size_t okm_len)

Expand the supplied prk into several additional pseudorandom keys, which is the output of the HKDF.

Warning

This function should only be used if the security of it has been studied and established in that particular context (eg. TLS 1.3 key schedule). For standard HKDF security guarantees use mbedtls_hkdf instead.

Parameters:

  • md – A hash function; md.size denotes the length of the hash function output in bytes.

  • prk – A pseudorandom key of at least md.size bytes. prk is usually the output from the HKDF extract step.

  • prk_len – The length in bytes of prk.

  • info – An optional context and application specific information string. This can be a zero-length string.

  • info_len – The length of info in bytes.

  • okm – The output keying material of okm_len bytes.

  • okm_len – The length of the output keying material in bytes. This must be less than or equal to 255 * md.size bytes.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.

Returns:

An MBEDTLS_ERR_MD_* error for errors returned from the underlying MD layer.