mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-25 18:39:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update descryption of HKDF-Extract/Expand algs and fix comment

Browse Source 
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemek Stekiel 2022-05-18 15:43:54 +02:00
parent ebf6281ce6
commit b398d8693f
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
include/psa/crypto_values.h
View File

@ -1769,15 +1769,11 @@
* HKDF-Extract using HMAC-SHA-256. * HKDF-Extract using HMAC-SHA-256.
* *
* This key derivation algorithm uses the following inputs: * This key derivation algorithm uses the following inputs:
* - PSA_KEY_DERIVATION_INPUT_SALT is the salt. Note that if the salt is * - PSA_KEY_DERIVATION_INPUT_SALT is the salt.
* shorter than the hash function's block size, it is padded to the block
* size with null bytes (and in particular an empty salt is equivalent to
* a string of zeros of the length of the hash, or of the block size which
* is larger than the hash).
* - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the * - PSA_KEY_DERIVATION_INPUT_SECRET is the input keying material used in the
* "extract" step. * "extract" step.
* You must pass #PSA_KEY_DERIVATION_INPUT_SALT * The inputs are mandatory and must be passed in the order above.
* before #PSA_KEY_DERIVATION_INPUT_SECRET. * Each input may only be passed once.
* *
* \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF * \warning HKDF-Extract is not meant to be used on its own. PSA_ALG_HKDF
* should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided * should be used instead if possible. PSA_ALG_HKDF_EXTRACT is provided
@ -1786,6 +1782,12 @@
* in applications that use HKDF with the same salt and key but many * in applications that use HKDF with the same salt and key but many
* different info strings. * different info strings.
* *
* \warning HKDF processes the salt as follows: first hash it with hash_alg
* if the salt is longer than the block size of the hash algorithm; then
* pad with null bytes up to the block size. As a result, it is possible
* for distinct salt inputs to result in the same outputs. To ensure
* unique outputs, it is recommended to use a fixed length for salt values.
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true). * #PSA_ALG_IS_HASH(\p hash_alg) is true).
* *
@ -1793,7 +1795,6 @@
* \return Unspecified if \p hash_alg is not a supported * \return Unspecified if \p hash_alg is not a supported
* hash algorithm. * hash algorithm.
*/ */
#define PSA_ALG_HKDF_EXTRACT(hash_alg) \ #define PSA_ALG_HKDF_EXTRACT(hash_alg) \
(PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) (PSA_ALG_HKDF_EXTRACT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
/** Whether the specified algorithm is an HKDF-Extract algorithm. /** Whether the specified algorithm is an HKDF-Extract algorithm.

2
library/psa_crypto.c
View File

@ -5194,7 +5194,6 @@ static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
case PSA_KEY_DERIVATION_INPUT_SECRET: case PSA_KEY_DERIVATION_INPUT_SECRET:
/* If no salt was provided, use an empty salt. */
if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) ) if( PSA_ALG_IS_HKDF_EXPAND( kdf_alg ) )
{ {
if( hkdf->state != HKDF_STATE_INIT ) if( hkdf->state != HKDF_STATE_INIT )
@ -5207,6 +5206,7 @@ static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
} }
else else
{ {
/* If no salt was provided, use an empty salt. */
if( hkdf->state == HKDF_STATE_INIT ) if( hkdf->state == HKDF_STATE_INIT )
{ {
status = psa_key_derivation_start_hmac( &hkdf->hmac, status = psa_key_derivation_start_hmac( &hkdf->hmac,