Convert TLS1.2 KDF descriptions to multistep key derivation

Convert the description of PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS to the key derivation API that takes one input at a time rather than the old {secret,salt,label} interface. Define a new input category "seed".
2025-11-04 04:32:24 -05:00 · 2019-05-21 15:58:13 +02:00 · 2019-05-21 15:58:13 +02:00 · 2cb9e39b50
commit 2cb9e39b50
parent 6c6195d7ba
1 changed files with 22 additions and 8 deletions
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -1232,11 +1232,14 @@
 * specified in Section 5 of RFC 5246. It is based on HMAC and can be
 * used with either SHA-256 or SHA-384.
 *
- * For the application to TLS-1.2, the salt and label arguments passed
- * to psa_key_derivation() are what's called 'seed' and 'label' in RFC 5246,
- * respectively. For example, for TLS key expansion, the salt is the
+ * This key derivation algorithm uses the following inputs:
+ * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
+ * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
+ *
+ * For the application to TLS-1.2 key expansion, the seed is the
 * concatenation of ServerHello.Random + ClientHello.Random,
- * while the label is "key expansion".
+ * and the label is "key expansion".
 *
 * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the
 * TLS 1.2 PRF using HMAC-SHA-256.
@ -1273,10 +1276,15 @@
 * The latter is based on HMAC and can be used with either SHA-256
 * or SHA-384.
 *
- * For the application to TLS-1.2, the salt passed to psa_key_derivation()
- * (and forwarded to the TLS-1.2 PRF) is the concatenation of the
- * ClientHello.Random + ServerHello.Random, while the label is "master secret"
- * or "extended master secret".
+ * This key derivation algorithm uses the following inputs:
+ * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
+ * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
+ *
+ * For the application to TLS-1.2, the seed (which is
+ * forwarded to the TLS-1.2 PRF) is the concatenation of the
+ * ClientHello.Random + ServerHello.Random,
+ * and the label is "master secret" or "extended master secret".
 *
 * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the
 * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
@ -1586,6 +1594,12 @@
 */
 #define PSA_KEY_DERIVATION_INPUT_INFO       ((psa_key_derivation_step_t)0x0203)

+/** A seed for key derivation.
+ *
+ * This must be a direct input.
+ */
+#define PSA_KEY_DERIVATION_INPUT_SEED       ((psa_key_derivation_step_t)0x0204)
+
 /**@}*/

 #endif /* PSA_CRYPTO_VALUES_H */