I am going to have a look into this. Thanks for the instructions on how to reproduce. Might get a while to reply, please bear with me.

 

Thanks,

Antonio

 

 

Hi experts,

Recently we're testing the HKDF-EXPAND interface with TF-M v1.7.0 on stm32l562e_dk platform.

But the HKDF-EXPAND output didn't match the expected OKM.

The test vector is as below:

       ALG  : PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256),
        "info"  : decode_hex("f0f1f2f3f4f5f6f7f8f9"),
        "L"     : 42,
        "PRK"   : "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        "OKM"   : "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"

The corresponding code is as follow：

    int8_t okm[42]={0};
    uint8_t info[] = {0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9};
    uint8_t ikm[]= {
                    0x7,0x77,0x9,0x36,0x2c,0x2e,0x32,0xdf,
                    0xd,0xdc,0x3f,0xd,0xc4,0x7b,0xba,0x63,
                    0x90,0xb6,0xc7,0x3b,0xb5,0xf,0x9c,0x31,
                    0x22,0xec,0x84,0x4a,0xd7,0xc2,0xb3,0xe5
    };

    status = psa_key_derivation_setup(&operation, PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256));

    status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
                                                ikm, sizeof(ikm));
    status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_INFO,
                                                info, sizeof(info));
    status = psa_key_derivation_output_bytes( &operation, okm, sizeof(okm) );

The actual output okm is : 5a 1c ea 2d 24 ee 79 c5 bf ce 27 7b ... be b 3b 2e 19 18 77 ae, which didn't match the OKM of above test vector.

Have we misused the HKDF-EXPAND operation?



Best Regards,
Poppy Wu
吴偏偏

http://www.mxic.com.cn