{
    "content": [
        {
            "type": "text",
            "text": "# EVP_KDF-KRB5KDF (man)\n\n**Summary:** EVP_KDF-KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation\n\n## Examples\n\n- `This example derives a key using the AES-128-CBC cipher:`\n- `EVP_KDF *kdf;`\n- `EVP_KDF_CTX *kctx;`\n- `unsigned char key[16] = \"01234...\";`\n- `unsigned char constant[] = \"I'm a constant\";`\n- `unsigned char out[16];`\n- `size_t outlen = sizeof(out);`\n- `OSSL_PARAM params[4], *p = params;`\n- `kdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);`\n- `kctx = EVP_KDF_CTX_new(kdf);`\n- `EVP_KDF_free(kdf);`\n- `*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,`\n- `SN_aes_128_cbc,`\n- `strlen(SN_aes_128_cbc));`\n- `*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,`\n- `key, (size_t)16);`\n- `*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,`\n- `constant, strlen(constant));`\n- `*p = OSSL_PARAM_construct_end();`\n- `if (EVP_KDF_derive(kctx, out, outlen, params) <= 0)`\n- `/* Error */`\n- `EVP_KDF_CTX_free(kctx);`\n\n## See Also\n\n- EVP_KDF(3)\n- EVP_KDF_CTX_free(3)\n- EVP_KDF_CTX_get_kdf_size(3)\n- EVP_KDF_derive(3)\n- EVP_KDF(3)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **DESCRIPTION** (6 lines) — 2 subsections\n  - Identity (3 lines)\n  - Supported parameters (11 lines)\n- **NOTES** (14 lines)\n- **EXAMPLES** (27 lines)\n- **CONFORMING TO** (2 lines)\n- **SEE ALSO** (3 lines)\n- **HISTORY** (2 lines)\n- **COPYRIGHT** (9 lines)\n\n## Full Content\n\n### NAME\n\nEVP_KDF-KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation\n\n### DESCRIPTION\n\nSupport for computing the KRB5KDF KDF through the EVP_KDF API.\n\nThe EVP_KDF-KRB5KDF algorithm implements the key derivation function defined in RFC 3961,\nsection 5.1 and is used by Krb5 to derive session keys.  
Three inputs are required to perform\nkey derivation: a cipher, (for example AES-128-CBC), the initial key, and a constant.\n\n#### Identity\n\n\"KRB5KDF\" is the name for this implementation; it can be used with the EVP_KDF_fetch()\nfunction.\n\n#### Supported parameters\n\nThe supported parameters are:\n\n\"properties\" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>\n\"cipher\" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>\n\"key\" (OSSL_KDF_PARAM_KEY) <octet string>\nThese parameters work as described in \"PARAMETERS\" in EVP_KDF(3).\n\n\"constant\" (OSSL_KDF_PARAM_CONSTANT) <octet string>\nThis parameter sets the constant value for the KDF.  If a value is already set, the\ncontents are replaced.\n\n### NOTES\n\nA context for KRB5KDF can be obtained by calling:\n\nEVP_KDF *kdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);\nEVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);\n\nThe output length of the KRB5KDF derivation is specified via the keylen parameter to the\nEVP_KDF_derive(3) function, and MUST match the key length for the chosen cipher or an error\nis returned. Moreover, the constant's length must not exceed the block size of the cipher.\nSince the KRB5KDF output length depends on the chosen cipher, calling\nEVP_KDF_CTX_get_kdf_size(3) to obtain the requisite length returns the correct length only\nafter the cipher is set. Prior to that EVP_MAX_KEY_LENGTH is returned.  
The caller must\nallocate a buffer of the correct length for the chosen cipher, and pass that buffer to the\nEVP_KDF_derive(3) function along with that length.\n\n### EXAMPLES\n\nThis example derives a key using the AES-128-CBC cipher:\n\nEVP_KDF *kdf;\nEVP_KDF_CTX *kctx;\nunsigned char key[16] = \"01234...\";\nunsigned char constant[] = \"I'm a constant\";\nunsigned char out[16];\nsize_t outlen = sizeof(out);\nOSSL_PARAM params[4], *p = params;\n\nkdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);\nkctx = EVP_KDF_CTX_new(kdf);\nEVP_KDF_free(kdf);\n\n*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,\nSN_aes_128_cbc,\nstrlen(SN_aes_128_cbc));\n*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,\nkey, (size_t)16);\n*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,\nconstant, strlen(constant));\n*p = OSSL_PARAM_construct_end();\nif (EVP_KDF_derive(kctx, out, outlen, params) <= 0)\n/* Error */\n\nEVP_KDF_CTX_free(kctx);\n\n### CONFORMING TO\n\nRFC 3961\n\n### SEE ALSO\n\nEVP_KDF(3), EVP_KDF_CTX_free(3), EVP_KDF_CTX_get_kdf_size(3), EVP_KDF_derive(3), \"PARAMETERS\"\nin EVP_KDF(3)\n\n### HISTORY\n\nThis functionality was added to OpenSSL 3.0.\n\n### COPYRIGHT\n\nCopyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-04-07                        EVP_KDF-KRB5KDF(7SSL)\n\n"
        }
    ],
    "structuredContent": {
        "command": "EVP_KDF-KRB5KDF",
        "section": "",
        "mode": "man",
        "summary": "EVP_KDF-KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation",
        "synopsis": null,
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "This example derives a key using the AES-128-CBC cipher:",
            "EVP_KDF *kdf;",
            "EVP_KDF_CTX *kctx;",
            "unsigned char key[16] = \"01234...\";",
            "unsigned char constant[] = \"I'm a constant\";",
            "unsigned char out[16];",
            "size_t outlen = sizeof(out);",
            "OSSL_PARAM params[4], *p = params;",
            "kdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);",
            "kctx = EVP_KDF_CTX_new(kdf);",
            "EVP_KDF_free(kdf);",
            "*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,",
            "SN_aes_128_cbc,",
            "strlen(SN_aes_128_cbc));",
            "*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,",
            "key, (size_t)16);",
            "*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,",
            "constant, strlen(constant));",
            "*p = OSSL_PARAM_construct_end();",
            "if (EVP_KDF_derive(kctx, out, outlen, params) <= 0)",
            "/* Error */",
            "EVP_KDF_CTX_free(kctx);"
        ],
        "see_also": [
            {
                "name": "EVP_KDF",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDF/3/json"
            },
            {
                "name": "EVP_KDF_CTX_free",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFCTXfree/3/json"
            },
            {
                "name": "EVP_KDF_CTX_get_kdf_size",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFCTXgetkdfsize/3/json"
            },
            {
                "name": "EVP_KDF_derive",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDFderive/3/json"
            },
            {
                "name": "EVP_KDF",
                "section": "3",
                "url": "https://www.chedong.com/phpMan.php/man/EVPKDF/3/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 6,
                "subsections": [
                    {
                        "name": "Identity",
                        "lines": 3
                    },
                    {
                        "name": "Supported parameters",
                        "lines": 11
                    }
                ]
            },
            {
                "name": "NOTES",
                "lines": 14,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 27,
                "subsections": []
            },
            {
                "name": "CONFORMING TO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "HISTORY",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "COPYRIGHT",
                "lines": 9,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "EVP_KDF-KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "Support for computing the KRB5KDF KDF through the EVP_KDF API.\n\nThe EVP_KDF-KRB5KDF algorithm implements the key derivation function defined in RFC 3961,\nsection 5.1 and is used by Krb5 to derive session keys.  Three inputs are required to perform\nkey derivation: a cipher, (for example AES-128-CBC), the initial key, and a constant.\n",
                "subsections": [
                    {
                        "name": "Identity",
                        "content": "\"KRB5KDF\" is the name for this implementation; it can be used with the EVP_KDF_fetch()\nfunction.\n"
                    },
                    {
                        "name": "Supported parameters",
                        "content": "The supported parameters are:\n\n\"properties\" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>\n\"cipher\" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>\n\"key\" (OSSL_KDF_PARAM_KEY) <octet string>\nThese parameters work as described in \"PARAMETERS\" in EVP_KDF(3).\n\n\"constant\" (OSSL_KDF_PARAM_CONSTANT) <octet string>\nThis parameter sets the constant value for the KDF.  If a value is already set, the\ncontents are replaced.\n"
                    }
                ]
            },
            "NOTES": {
                "content": "A context for KRB5KDF can be obtained by calling:\n\nEVP_KDF *kdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);\nEVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);\n\nThe output length of the KRB5KDF derivation is specified via the keylen parameter to the\nEVP_KDF_derive(3) function, and MUST match the key length for the chosen cipher or an error\nis returned. Moreover, the constant's length must not exceed the block size of the cipher.\nSince the KRB5KDF output length depends on the chosen cipher, calling\nEVP_KDF_CTX_get_kdf_size(3) to obtain the requisite length returns the correct length only\nafter the cipher is set. Prior to that EVP_MAX_KEY_LENGTH is returned.  The caller must\nallocate a buffer of the correct length for the chosen cipher, and pass that buffer to the\nEVP_KDF_derive(3) function along with that length.\n",
                "subsections": []
            },
            "EXAMPLES": {
                "content": "This example derives a key using the AES-128-CBC cipher:\n\nEVP_KDF *kdf;\nEVP_KDF_CTX *kctx;\nunsigned char key[16] = \"01234...\";\nunsigned char constant[] = \"I'm a constant\";\nunsigned char out[16];\nsize_t outlen = sizeof(out);\nOSSL_PARAM params[4], *p = params;\n\nkdf = EVP_KDF_fetch(NULL, \"KRB5KDF\", NULL);\nkctx = EVP_KDF_CTX_new(kdf);\nEVP_KDF_free(kdf);\n\n*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_CIPHER,\nSN_aes_128_cbc,\nstrlen(SN_aes_128_cbc));\n*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,\nkey, (size_t)16);\n*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_CONSTANT,\nconstant, strlen(constant));\n*p = OSSL_PARAM_construct_end();\nif (EVP_KDF_derive(kctx, out, outlen, params) <= 0)\n/* Error */\n\nEVP_KDF_CTX_free(kctx);\n",
                "subsections": []
            },
            "CONFORMING TO": {
                "content": "RFC 3961\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "EVP_KDF(3), EVP_KDF_CTX_free(3), EVP_KDF_CTX_get_kdf_size(3), EVP_KDF_derive(3), \"PARAMETERS\"\nin EVP_KDF(3)\n",
                "subsections": []
            },
            "HISTORY": {
                "content": "This functionality was added to OpenSSL 3.0.\n",
                "subsections": []
            },
            "COPYRIGHT": {
                "content": "Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-04-07                        EVP_KDF-KRB5KDF(7SSL)",
                "subsections": []
            }
        }
    }
}