commit b398d8693f2bdb1caedfec53d7e51079a03e7a53
author Przemek Stekiel <przemyslaw.stekiel@mobica.com> Wed May 18 15:43:54 2022 +0200
committer Przemek Stekiel <przemyslaw.stekiel@mobica.com> Wed May 18 15:43:54 2022 +0200
tree 6304d5d9aa6e70e79fa6a41679efc462be89c5c2
parent ebf6281ce66351417e2d0772534197d8dd6e6f57

Update descryption of HKDF-Extract/Expand algs and fix comment

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

include/psa/crypto_values.h

diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 4668025..242ba90 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1769,15 +1769,11 @@
  * HKDF-Extract using HMAC-SHA-256.
  *
  * This key derivation algorithm uses the following inputs:
- *  - PSA_KEY_DERIVATION_INPUT_SALT is the salt. Note that if the salt is
- *    shorter than the hash function's block size, it is padded to the block
- *    size with null bytes (and in particular an empty salt is equivalent to
- *    a string of zeros of the length of the hash, or of the  block size which
- *    is larger than the hash).
+ *  - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
  *  - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
  *    "extract" step.
- * You must pass #PSA_KEY_DERIVATION_INPUT_SALT
- * before #PSA_KEY_DERIVATION_INPUT_SECRET.
+ * The inputs are mandatory and must be passed in the order above.
+ * Each input may only be passed once.
  *
  *  \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
  *  should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
@@ -1786,6 +1782,12 @@
  *  in applications that use HKDF with the same salt and key but many
  *  different info strings.
  *
+ *  \warning  HKDF processes the salt as follows: first hash it with hash_alg
+ *  if the salt is longer than the block size of the hash algorithm; then
+ *  pad with null bytes up to the block size. As a result, it is possible
+ *  for distinct salt inputs to result in the same outputs. To ensure
+ *  unique outputs, it is recommended to use a fixed length for salt values.
+ *
  * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that
  *                      #PSA_ALG_IS_HASH(\p hash_alg) is true).
  *
@@ -1793,7 +1795,6 @@
  * \return              Unspecified if \p hash_alg is not a supported
  *                      hash algorithm.
  */
-
 #define PSA_ALG_HKDF_EXTRACT(hash_alg)                                  \
     (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
 /** Whether the specified algorithm is an HKDF-Extract algorithm.

library/psa_crypto.c

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0783697..4462a32 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -5194,7 +5194,6 @@
                 return( PSA_SUCCESS );
             }
         case PSA_KEY_DERIVATION_INPUT_SECRET:
-            /* If no salt was provided, use an empty salt. */
             if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
             {
                 if( hkdf->state != HKDF_STATE_INIT )
@@ -5207,6 +5206,7 @@
             }
             else
             {
+                /* If no salt was provided, use an empty salt. */
                 if( hkdf->state == HKDF_STATE_INIT )
                 {
                     status = psa_key_derivation_start_hmac( &hkdf->hmac,