Software APIs
hkdf.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_HKDF_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_HKDF_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief HKDF operations for the OpenTitan cryptography library.
13  *
14  * Implements the HMAC-based extract-and-expand key derivation function
15  * specified in IETF RFC 5869.
16  */
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif // __cplusplus
21 
22 /**
23  * Performs HKDF (IETF RFC 5869) in one shot, both expand and extract stages.
24  *
25  * The hash mode for the underlying HMAC is determined by the mode of the input
26  * key material, e.g. the key mode `kOtcryptoKeyModeHmacSha256` results in HMAC
27  * with SHA-256.
28  *
29  * The caller should allocate and partially populate the `okm` blinded key
30  * struct, including populating the key configuration and allocating space for
31  * the keyblob. The configuration may not indicate a hardware-backed key and
32  * must indicate a symmetric mode. The allocated keyblob length for the output
33  * key should be twice the unmasked key length indicated in its key
34  * configuration, rounded up to the nearest 32-bit word. This unmasked key
35  * length must not be longer than 255*<length of digest for the chosen hash
36  * mode>, as per the RFC. The value in the `checksum` field of the blinded key
37  * struct will be populated by the key derivation function.
38  *
39  * @param ikm Blinded input key material.
40  * @param salt Salt value (optional, may be empty).
41  * @param info Context-specific string (optional, may be empty).
42  * @param[out] okm Blinded output keying material.
43  * @return Result of the key derivation operation.
44  */
49 
50 /**
51  * Performs the "extract" step of HKDF (IETF RFC 5869).
52  *
53  * The hash mode for the underlying HMAC is determined by the mode of the input
54  * key material, e.g. the key mode `kOtcryptoKeyModeHmacSha256` results in HMAC
55  * with SHA-256.
56  *
57  * The caller should allocate and partially populate the `prk` blinded key
58  * struct, including populating the key configuration and allocating space for
59  * the keyblob. The configuration may not indicate a hardware-backed key, and
60  * the mode should be the same HMAC mode as the input keying material. The
61  * allocated keyblob length should be twice the hash function digest length for
62  * the chosen hash mode (e.g. 512 bits for SHA-256).
63  *
64  * @param ikm Blinded input key material.
65  * @param salt Salt value (optional, may be empty).
66  * @param[out] prk Extracted pseudo-random key.
67  * @return Result of the key derivation operation.
68  */
72 
73 /**
74  * Performs the "expand" step of HKDF (IETF RFC 5869).
75  *
76  * The hash mode for the underlying HMAC is determined by the mode of the
77  * pseudo-random key, e.g. the key mode `kOtcryptoKeyModeHmacSha256` results in
78  * HMAC with SHA-256.
79  *
80  * See `otcrypto_hkdf` for the requirements on `okm`.
81  *
82  * @param prk Pseudo-random key from HKDF-extract.
83  * @param info Context-specific string (optional).
84  * @param[out] okm Blinded output key material.
85  * @return Result of the key derivation operation.
86  */
90 
91 #ifdef __cplusplus
92 } // extern "C"
93 #endif // __cplusplus
94 
95 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_HKDF_H_