From 73f97d484101aee030891cd4ecc44732bd1cee88 Mon Sep 17 00:00:00 2001
From: Przemek Stekiel
Date: Fri, 3 Jun 2022 09:05:08 +0200
Subject: [PATCH] PSA_ALG_HKDF: add salt processing warning

Signed-off-by: Przemek Stekiel
---
 include/psa/crypto_values.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 764feb8d5..85878a74b 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1737,6 +1737,12 @@
 * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
 * starting to generate output.
 *
+ * \warning HKDF processes the salt as follows: first hash it with hash_alg
+ * if the salt is longer than the block size of the hash algorithm; then
+ * pad with null bytes up to the block size. As a result, it is possible
+ * for distinct salt inputs to result in the same outputs. To ensure
+ * unique outputs, it is recommended to use a fixed length for salt values.
+ *
 * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
 * #PSA_ALG_IS_HASH(\p hash_alg) is true).
 *
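Review bot: The added \warning says distinct salts can give the same output but never names which ones, so a caller cannot easily tell whether their own salts are affected. From the processing it describes, two cases follow: a salt no longer than the block size is equivalent to the same salt with null bytes appended, and a salt longer than the block size is equivalent to its own hash. I would add one sentence such as `For example, a salt and the same salt followed by null bytes produce identical outputs.` It may also help to state that this comes from HMAC's key handling, since HKDF uses the salt as the HMAC key, so readers do not take it for an implementation quirk. As a style point, the warning writes plain `hash_alg` where the \param text just below uses `\p hash_alg`. The Doxygen comment block starts and ends outside this hunk.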