
I'm trying to implement parts of the QUIC RFC and they note:

   initial_salt = 0xc3eef712c72ebb5a11a7d2432bb46365bef9f502
   initial_secret = HKDF-Extract(initial_salt,
                                 client_dst_connection_id)

I was just wondering, how does one map this to here: https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_CTX_set_hkdf_md.html

I get this:

EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY In this mode calling EVP_PKEY_derive(3) will just perform the extract operation. The value returned will be the intermediate fixed-length pseudorandom key K.

The digest, key and salt values must be set before a key is derived or an error occurs.

But I'm confused here. I can see how to set the mode, the algorithm, and the salt, but I'm lost as to where to set the client_dst_connection_id.

ExBigBoss
  • Welcome to crypto.stackexchange - This appears to be a programming question rather than a question about the internals/mathematics of a cryptographic algorithm. Programming questions belong on StackOverflow, even if they use cryptography. I can migrate this there for you. – Ella Rose Oct 01 '19 at 15:31
  • So sorry about that! Wasn't aware. Thank you for migrating this. – ExBigBoss Oct 01 '19 at 15:39

1 Answer

HKDF is described in RFC5869 which defines the HKDF-Extract operation like this:

   HKDF-Extract(salt, IKM) -> PRK

   Options:
      Hash     a hash function; HashLen denotes the length of the
               hash function output in octets

   Inputs:
      salt     optional salt value (a non-secret random value);
               if not provided, it is set to a string of HashLen zeros.
      IKM      input keying material

   Output:
      PRK      a pseudorandom key (of HashLen octets)

So, the second parameter (client_dst_connection_id in this case) is the "input keying material".

On the OpenSSL man page you linked to you can see that the keying material can be set using EVP_PKEY_CTX_set1_hkdf_key().

Note that the man page also says the following for EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:

The digest, key and salt values must be set before a key is derived or an error occurs.

So, the key and salt values are clear. You will also need to specify the digest in use via EVP_PKEY_CTX_set_hkdf_md().

Matt Caswell
  • Thank you so much! This absolutely works for me and it even passes the test vectors as outlined by the RFC! – ExBigBoss Oct 02 '19 at 01:15
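An independent reference for cross-checking the OpenSSL output, added here as an example and not part of the original question or answer: HKDF-Extract from RFC 5869 written with Python's standard library, with comments mapping each input to its OpenSSL setter. It assumes SHA-256 as the digest (the one QUIC uses for its initial secrets; the page does not name it), and the connection ID in `__main__` is a constructed sample value.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(key=salt, message=IKM)."""
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        # RFC 5869: a salt that is not provided is HashLen zero octets.
        salt = bytes(hash_len)
    # The salt is the HMAC *key*; the input keying material is the *message*.
    return hmac.new(salt, ikm, hash_name).digest()


# Salt exactly as given in the question.
QUIC_INITIAL_SALT = bytes.fromhex("c3eef712c72ebb5a11a7d2432bb46365bef9f502")


def quic_initial_secret(client_dst_connection_id: bytes) -> bytes:
    # OpenSSL equivalents, in EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY mode:
    #   digest (SHA-256, assumed) -> EVP_PKEY_CTX_set_hkdf_md()
    #   QUIC_INITIAL_SALT         -> EVP_PKEY_CTX_set1_hkdf_salt()
    #   client_dst_connection_id  -> EVP_PKEY_CTX_set1_hkdf_key()  (the IKM)
    return hkdf_extract(QUIC_INITIAL_SALT, client_dst_connection_id)


# RFC 5869 Appendix A.1 (SHA-256) inputs and expected PRK.
TC1_IKM = bytes.fromhex("0b" * 22)
TC1_SALT = bytes.fromhex("000102030405060708090a0b0c")
TC1_PRK = bytes.fromhex(
    "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
)


def self_check() -> bool:
    """True if this implementation reproduces the RFC 5869 A.1 PRK."""
    return hmac.compare_digest(hkdf_extract(TC1_SALT, TC1_IKM), TC1_PRK)


if __name__ == "__main__":
    dcid = bytes.fromhex("0001020304050607")  # constructed sample connection ID
    print("RFC 5869 A.1 vector ok:", self_check())
    print("initial_secret:", quic_initial_secret(dcid).hex())
    # Failure mode: swapping salt and key still "works" but yields another PRK.
    print("swapped inputs:", hkdf_extract(dcid, QUIC_INITIAL_SALT).hex())
```

If the value OpenSSL returns for the same connection ID differs from `quic_initial_secret()`, the usual cause is the salt and key setters being swapped or a different digest being selected.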