bootutil: Improve HKDF code

Provide proper identifiers for size and partitioning of the
HKDF output.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

Author: de-nordic

boot/bootutil/src/encrypted_psa.c

@@ -43,6 +43,16 @@ static const uint8_t ec_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG \
 
 #define PRIV_KEY_LEN   32
 
+/* Partitioning of HKDF derived material, from the exchange derived key */
+/* AES key encryption key */
+#define HKDF_AES_KEY_INDEX  0
+#define HKDF_ASE_KEY_SIZE   (BOOT_ENC_KEY_SIZE)
+/* MAC feed */
+#define HKDF_MAC_FEED_INDEX (HKDF_AES_KEY_INDEX + HKDF_ASE_KEY_SIZE)
+#define HKDF_MAC_FEED_SIZE  (32)    /* This is SHA independent */
+/* Total size */
+#define HKDF_SIZE           (HKDF_ASE_KEY_SIZE + HKDF_MAC_FEED_SIZE)
+
 /* Fixme: This duplicates code from encrypted.c and depends on mbedtls */
 static int
 parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key)
@@ -114,7 +124,7 @@ extern const struct bootutil_key bootutil_enc_key;
 int
 boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
 {
-    uint8_t derived_key[BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE];
+    uint8_t derived_key[HKDF_SIZE];
     uint8_t *cp;
     uint8_t *cpend;
     uint8_t private_key[PRIV_KEY_LEN];
@@ -208,7 +218,7 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
         return -1;
     }
 
-    len = BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE;
+    len = HKDF_SIZE;
     psa_ret = psa_key_derivation_output_bytes(&key_do, derived_key, len);
     psa_cleanup_ret = psa_key_derivation_abort(&key_do);
     if (psa_cleanup_ret != PSA_SUCCESS) {
@@ -227,13 +237,10 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     psa_set_key_usage_flags(&kattr, PSA_KEY_USAGE_VERIFY_MESSAGE);
     psa_set_key_algorithm(&kattr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
 
-    /* Import the MAC tag key part of derived key, that is the part that starts
-     * after BOOT_ENC_KEY_SIZE and has length of
-     * BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE bytes.
-     */
+    /* Import the MAC tag key part of derived key */
     psa_ret = psa_import_key(&kattr,
-                             &derived_key[BOOT_ENC_KEY_SIZE],
-                             BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE, &kid);
+                             &derived_key[HKDF_MAC_FEED_INDEX],
+                             HKDF_MAC_FEED_SIZE, &kid);
     psa_reset_key_attributes(&kattr);
     if (psa_ret != PSA_SUCCESS) {
         memset(derived_key, 0, sizeof(derived_key));
@@ -262,7 +269,8 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey)
     psa_set_key_algorithm(&kattr, PSA_ALG_CTR);
 
     /* Import the AES partition of derived key, the first 16 bytes */
-    psa_ret = psa_import_key(&kattr, &derived_key[0], BOOT_ENC_KEY_SIZE, &kid);
+    psa_ret = psa_import_key(&kattr, &derived_key[HKDF_AES_KEY_INDEX],
+                             HKDF_ASE_KEY_SIZE, &kid);
     memset(derived_key, 0, sizeof(derived_key));
     if (psa_ret != PSA_SUCCESS) {
         BOOT_LOG_ERR("AES key import failed %d", psa_ret);