From ed87d31d7d07fec5ddedc8afb19975e50d29a911 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 29 May 2019 17:32:39 +0200 Subject: [PATCH] Specify the order of inputs for TLS-1.2 KDFs From the implementation point of view does not make much difference to constrain the input order. We constrain it because, this way the code is easier to review, the data flow easier to understand and the implementations in general are easier to validate. --- include/psa/crypto_values.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index e9fb9ad01..19dc28bf4 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -1244,10 +1244,11 @@ * specified in Section 5 of RFC 5246. It is based on HMAC and can be * used with either SHA-256 or SHA-384. * - * This key derivation algorithm uses the following inputs: + * This key derivation algorithm uses the following inputs, which must be + * passed in the order given here: + * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. - * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * * For the application to TLS-1.2 key expansion, the seed is the * concatenation of ServerHello.Random + ClientHello.Random, @@ -1288,10 +1289,11 @@ * The latter is based on HMAC and can be used with either SHA-256 * or SHA-384. * - * This key derivation algorithm uses the following inputs: + * This key derivation algorithm uses the following inputs, which must be + * passed in the order given here: + * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. - * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. * * For the application to TLS-1.2, the seed (which is * forwarded to the TLS-1.2 PRF) is the concatenation of the