diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 51d3716cd0..cc233f26e4 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -3206,6 +3206,9 @@ psa_status_t psa_key_derivation(psa_crypto_generator_t *generator,
 * The result of this function is a byte generator which can
 * be used to produce keys and other cryptographic material.
 *
+ * The resulting generator always has the maximum capacity permitted by
+ * the algorithm.
+ *
 * \param[in,out] generator The generator object to set up. It must
 * have been initialized to all-bits-zero,
 * a logical zero (`{0}`),
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index c18c8f022c..bc306cbd1c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3371,6 +3371,15 @@ psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
 if( generator->alg == PSA_ALG_SELECT_RAW )
 {
+ /* Initially, the capacity of a selection generator is always
+ * the size of the buffer, i.e. `generator->ctx.buffer.size`,
+ * abbreviated in this comment as `size`. When the remaining
+ * capacity is `c`, the next bytes to serve start `c` bytes
+ * from the end of the buffer, i.e. `size - c` from the
+ * beginning of the buffer. Since `generator->capacity` was just
+ * decremented above, we need to serve the bytes from
+ * `size - generator->capacity - output_length` to
+ * `size - generator->capacity`. */
 size_t offset = generator->ctx.buffer.size - generator->capacity - output_length;
 memcpy( output, generator->ctx.buffer.data + offset, output_length );
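Review bot: The new comment in the `PSA_ALG_SELECT_RAW` branch of `psa_generator_read` explains the offset arithmetic but leaves implicit the invariant that makes it memory-safe: `generator->capacity + output_length` must never exceed `generator->ctx.buffer.size`. The subtraction is done in `size_t`, so if that bound ever failed to hold, `offset` would wrap and the `memcpy` that follows would read outside the buffer. I would end the comment with a sentence such as `This relies on the capacity never exceeding size, so the subtraction cannot wrap.` and name where that bound is enforced. The decrement the comment refers to, and whatever keeps the capacity within the buffer size, lie outside this hunk, so this should be confirmed against the full function.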