Merge verification policies together
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index fdab2b1..b92d194 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -3724,7 +3724,7 @@
* \param[in,out] operation The key derivation operation object to read from.
* \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing
* the expected output. Its policy must include the
- * #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag.
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION flag.
* The value of this key was likely computed by a
* previous call to psa_key_derivation_output_key().
*
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 7c3ca2c..faccaf6 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2199,25 +2199,21 @@
*/
#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
-/** Whether the key may be used to produce a password hash and verify it
- * against an expected value.
+/** Whether the key may be used to verify the result of a key derivation,
+ * including password hashing.
*
- * This flag allows the key to be used as the input of
- * psa_key_derivation_input_key() at the step
- * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD
- * depending on the algorithm, and allows the use of
- * psa_key_derivation_verify_bytes() or
- * psa_key_derivation_verify_key() at the end of the operation.
- */
-#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY ((psa_key_usage_t)0x00008000)
-
-/** Whether the key may be used to as the expected value to which a password
- * hash will be compared.
+ * This flag allows the key to be used:
*
- * This flag allows key to be used as the \c key argument of
- * psa_key_derivation_verify_key().
+ * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of
+ * psa_key_derivation_verify_key();
+ * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as
+ * the input to psa_key_derivation_input_key() at the step
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD (or #PSA_KEY_DERIVATION_INPUT_SECRET);
+ * then at the end of the operation use of psa_key_derivation_verify_bytes()
+ * or psa_key_derivation_verify_key() will be permitted (but not
+ * psa_key_derivation_output_xxx() unless #PSA_KEY_USAGE_DERIVE is set).
*/
-#define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER ((psa_key_usage_t)0x00010000)
+#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)
/**@}*/
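Review bot: The first bullet of the new PSA_KEY_USAGE_VERIFY_DERIVATION comment names the `\c key` argument of psa_key_derivation_verify_key(), but the parameter documented in the crypto.h hunk of this same commit is `expected`; the bullet should read `as the \c expected argument of psa_key_derivation_verify_key();`. Because one usage bit now covers two roles that are told apart only by key type, the comment should also say that the flag grants nothing to keys of any other type, so an implementer checks the key type together with the usage bit rather than the bit alone. `psa_key_derivation_output_xxx()` is not a real function name and Doxygen will not link it; naming `psa_key_derivation_output_bytes()` and `psa_key_derivation_output_key()` is clearer. The change also leaves 0x00010000 unassigned and reuses 0x00008000 with a wider meaning. Whether any key carrying the old bits could already be persisted cannot be told from this hunk, but if so that needs a migration note.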