{
    "content": [
        {
            "type": "text",
            "text": "# EVP_KDF-KRB5KDF (info)\n\n## NAME\n\nEVPKDF-KRB5KDF - The RFC3961 Krb5 KDF EVPKDF implementation\n\n## DESCRIPTION\n\nSupport for computing the KRB5KDF KDF through the EVPKDF API.\n\n## Sections\n\n- **NAME**\n- **DESCRIPTION**\n- **NOTES**\n- **EXAMPLES**\n- **CONFORMING TO**\n- **SEE ALSO**\n- **HISTORY**\n- **COPYRIGHT**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "EVP_KDF-KRB5KDF",
        "section": "",
        "mode": "info",
        "summary": "EVPKDF-KRB5KDF - The RFC3961 Krb5 KDF EVPKDF implementation",
        "synopsis": null,
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "This example derives a key using the AES-128-CBC cipher:",
            "EVPKDF *kdf;",
            "EVPKDFCTX *kctx;",
            "unsigned char key[16] = \"01234...\";",
            "unsigned char constant[] = \"I'm a constant\";",
            "unsigned char out[16];",
            "sizet outlen = sizeof(out);",
            "OSSLPARAM params[4], *p = params;",
            "kdf = EVPKDFfetch(NULL, \"KRB5KDF\", NULL);",
            "kctx = EVPKDFCTXnew(kdf);",
            "EVPKDFfree(kdf);",
            "*p++ = OSSLPARAMconstructutf8string(OSSLKDFPARAMCIPHER,",
            "SNaes128cbc,",
            "strlen(SNaes128cbc));",
            "*p++ = OSSLPARAMconstructoctetstring(OSSLKDFPARAMKEY,",
            "key, (sizet)16);",
            "*p++ = OSSLPARAMconstructoctetstring(OSSLKDFPARAMCONSTANT,",
            "constant, strlen(constant));",
            "*p = OSSLPARAMconstructend();",
            "if (EVPKDFderive(kctx, out, outlen, params) <= 0)",
            "/* Error */",
            "EVPKDFCTXfree(kctx);"
        ],
        "see_also": [
            {
                "name": "EVPKDF",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDF/3/json"
            },
            {
                "name": "EVPKDFCTXfree",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFCTXfree/3/json"
            },
            {
                "name": "EVPKDFCTXgetkdfsize",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFCTXgetkdfsize/3/json"
            },
            {
                "name": "EVPKDFderive",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFderive/3/json"
            },
            {
                "name": "EVPKDF",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDF/3/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 23,
                "subsections": []
            },
            {
                "name": "NOTES",
                "lines": 16,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 27,
                "subsections": []
            },
            {
                "name": "CONFORMING TO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "HISTORY",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "COPYRIGHT",
                "lines": 8,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "EVPKDF-KRB5KDF - The RFC3961 Krb5 KDF EVPKDF implementation\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "Support for computing the KRB5KDF KDF through the EVPKDF API.\n\nThe EVPKDF-KRB5KDF algorithm implements the key derivation function\ndefined in RFC 3961, section 5.1 and is used by Krb5 to derive session\nkeys.  Three inputs are required to perform key derivation: a cipher,\n(for example AES-128-CBC), the initial key, and a constant.\n\nIdentity\n\"KRB5KDF\" is the name for this implementation; it can be used with the\nEVPKDFfetch() function.\n\nSupported parameters\nThe supported parameters are:\n\n\"properties\" (OSSLKDFPARAMPROPERTIES) <UTF8 string>\n\"cipher\" (OSSLKDFPARAMCIPHER) <UTF8 string>\n\"key\" (OSSLKDFPARAMKEY) <octet string>\nThese parameters work as described in \"PARAMETERS\" in EVPKDF(3).\n\n\"constant\" (OSSLKDFPARAMCONSTANT) <octet string>\nThis parameter sets the constant value for the KDF.  If a value is\nalready set, the contents are replaced.\n",
                "subsections": []
            },
            "NOTES": {
                "content": "A context for KRB5KDF can be obtained by calling:\n\nEVPKDF *kdf = EVPKDFfetch(NULL, \"KRB5KDF\", NULL);\nEVPKDFCTX *kctx = EVPKDFCTXnew(kdf);\n\nThe output length of the KRB5KDF derivation is specified via the keylen\nparameter to the EVPKDFderive(3) function, and MUST match the key\nlength for the chosen cipher or an error is returned. Moreover, the\nconstant's length must not exceed the block size of the cipher.  Since\nthe KRB5KDF output length depends on the chosen cipher, calling\nEVPKDFCTXgetkdfsize(3) to obtain the requisite length returns the\ncorrect length only after the cipher is set. Prior to that\nEVPMAXKEYLENGTH is returned.  The caller must allocate a buffer of\nthe correct length for the chosen cipher, and pass that buffer to the\nEVPKDFderive(3) function along with that length.\n",
                "subsections": []
            },
            "EXAMPLES": {
                "content": "This example derives a key using the AES-128-CBC cipher:\n\nEVPKDF *kdf;\nEVPKDFCTX *kctx;\nunsigned char key[16] = \"01234...\";\nunsigned char constant[] = \"I'm a constant\";\nunsigned char out[16];\nsizet outlen = sizeof(out);\nOSSLPARAM params[4], *p = params;\n\nkdf = EVPKDFfetch(NULL, \"KRB5KDF\", NULL);\nkctx = EVPKDFCTXnew(kdf);\nEVPKDFfree(kdf);\n\n*p++ = OSSLPARAMconstructutf8string(OSSLKDFPARAMCIPHER,\nSNaes128cbc,\nstrlen(SNaes128cbc));\n*p++ = OSSLPARAMconstructoctetstring(OSSLKDFPARAMKEY,\nkey, (sizet)16);\n*p++ = OSSLPARAMconstructoctetstring(OSSLKDFPARAMCONSTANT,\nconstant, strlen(constant));\n*p = OSSLPARAMconstructend();\nif (EVPKDFderive(kctx, out, outlen, params) <= 0)\n/* Error */\n\nEVPKDFCTXfree(kctx);\n",
                "subsections": []
            },
            "CONFORMING TO": {
                "content": "RFC 3961\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "EVPKDF(3), EVPKDFCTXfree(3), EVPKDFCTXgetkdfsize(3),\nEVPKDFderive(3), \"PARAMETERS\" in EVPKDF(3)\n",
                "subsections": []
            },
            "HISTORY": {
                "content": "This functionality was added to OpenSSL 3.0.\n",
                "subsections": []
            },
            "COPYRIGHT": {
                "content": "Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use\nthis file except in compliance with the License.  You can obtain a copy\nin the file LICENSE in the source distribution or at\n<https://www.openssl.org/source/license.html>.\n\n3.0.2                             2026-06-02             EVPKDF-KRB5KDF(7SSL)",
                "subsections": []
            }
        }
    }
}