Merge verification policies together

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 18:32:56 +00:00 · 2021-05-03 10:23:12 +02:00 · 2021-05-03 10:23:12 +02:00 · 9023cacf15
commit 9023cacf15
parent d307f63597
2 changed files with 13 additions and 17 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -3724,7 +3724,7 @@ psa_status_t psa_key_derivation_verify_bytes(
 * \param[in,out] operation The key derivation operation object to read from.
 * \param[in] expected      A key of type #PSA_KEY_TYPE_RAW_DATA containing
 *                          the expected output. Its policy must include the
- *                          #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag.
+ *                          #PSA_KEY_USAGE_VERIFY_DERIVATION flag.
 *                          The value of this key was likely computed by a
 *                          previous call to psa_key_derivation_output_key().
 *
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -2199,25 +2199,21 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
 */
 #define PSA_KEY_USAGE_DERIVE                    ((psa_key_usage_t)0x00004000)

-/** Whether the key may be used to produce a password hash and verify it
- * against an expected value.
+/** Whether the key may be used to verify the result of a key derivation,
+ * including password hashing.
 *
- * This flag allows the key to be used as the input of
- * psa_key_derivation_input_key() at the step
- * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD
- * depending on the algorithm, and allows the use of
- * psa_key_derivation_verify_bytes() or
- * psa_key_derivation_verify_key() at the end of the operation.
- */
-#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY  ((psa_key_usage_t)0x00008000)
-
-/** Whether the key may be used to as the expected value to which a password
- * hash will be compared.
+ * This flag allows the key to be used:
 *
- * This flag allows key to be used as the \c key argument of
- * psa_key_derivation_verify_key().
+ * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of
+ *   psa_key_derivation_verify_key();
+ * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as
+ *   the input to psa_key_derivation_input_key() at the step
+ *   #PSA_KEY_DERIVATION_INPUT_PASSWORD (or #PSA_KEY_DERIVATION_INPUT_SECRET);
+ *   then at the end of the operation use of psa_key_derivation_verify_bytes()
+ *   or psa_key_derivation_verify_key() will be permitted (but not
+ *   psa_key_derivation_output_xxx() unless #PSA_KEY_USAGE_DERIVE is set).
 */
-#define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER    ((psa_key_usage_t)0x00010000)
+#define PSA_KEY_USAGE_VERIFY_DERIVATION         ((psa_key_usage_t)0x00008000)

 /**@}*/