From 60e9b44d8da6a9b50badef7fe2098fc233fd6b6c0cd23331896ce2c37a373310 Mon Sep 17 00:00:00 2001 From: Sergey Matveev Date: Thu, 18 Sep 2025 10:46:34 +0300 Subject: [PATCH] HKDF-Extract's input should not be HKDF-Extract's output --- go/cm/enc/chapoly/dem.go | 5 +++++ spec/cm/dem/kuznechik-ctr-hmac-kr | 10 +++++++--- spec/cm/dem/xchacha-krmr | 8 ++++++-- spec/cm/dem/xchapoly-krkc | 4 +++- spec/cm/kem/gost3410-hkdf | 1 + spec/cm/kem/mceliece6960119-x25519-hkdf-shake256 | 2 ++ spec/cm/kem/sntrup761-x25519-hkdf-blake2b | 2 ++ 7 files changed, 26 insertions(+), 6 deletions(-) diff --git a/go/cm/enc/chapoly/dem.go b/go/cm/enc/chapoly/dem.go index 364762b..568895e 100644 --- a/go/cm/enc/chapoly/dem.go +++ b/go/cm/enc/chapoly/dem.go @@ -92,6 +92,11 @@ func do( if errHKDF != nil { panic(errHKDF) } + ck, errHKDF = hkdf.Expand( + blake2bHash, ck, "cm/encrypted/xchapoly-krkc/kr", CEKLen) + if errHKDF != nil { + panic(errHKDF) + } } }() blobChunkLen := ChunkLen + chacha20poly1305.Overhead + CommitmentLen diff --git a/spec/cm/dem/kuznechik-ctr-hmac-kr b/spec/cm/dem/kuznechik-ctr-hmac-kr index 756b0af..97e57e2 100644 --- a/spec/cm/dem/kuznechik-ctr-hmac-kr +++ b/spec/cm/dem/kuznechik-ctr-hmac-kr @@ -5,9 +5,13 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: H = Streebog-512 CK0 = CEK - CKi = HKDF-Extract(H, salt="", ikm=CK{i-1}) - Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc") - IV = HKDF-Expand(H, prk=CKi, len=8, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv") + CKi = HKDF-Expand(H, + prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), + info="cm/encrypted/kuznechik-ctr-hmac-kr/kr") + Kenc = HKDF-Expand(H, prk=CKi, + info="cm/encrypted/kuznechik-ctr-hmac-kr/enc") + IV = HKDF-Expand(H, len=8, prk=CKi, + info="cm/encrypted/kuznechik-ctr-hmac-kr/iv") Kauth || KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/auth") CIPHERTEXT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk) 
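Review bot: The new ratchet step carries no comment saying why an HKDF-Expand now follows the Extract, and a bare `ck = Extract(ck)` is exactly what a later "simplification" would restore; I would put above the new `hkdf.Expand` call `// Ratchet: CK_i = Expand(Extract(CK_{i-1}), ".../kr"). Keep the Expand: an Extract` `// output must not be fed straight back into Extract (see spec/cm/dem/xchapoly-krkc).` The length is fixed here to CEKLen, while the xchapoly-krkc spec hunk in this same patch gives the corresponding HKDF-Expand no len, so the two agree only if the spec's implied default is CEKLen, which the spec side should state. Every chunk key changes with this patch while the info strings stay the same and nothing in this hunk bumps a format or algorithm identifier, so data encrypted before it will presumably fail authentication instead of being recognised as an older version — confirm a version field exists elsewhere. The enclosing `do(` begins before and ends after this hunk.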
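Review bot: The new `CKi = HKDF-Expand(...)` line gives no `len=`, and unlike Kenc (sized by Kuznechik) or IV (`len=8`) nothing downstream fixes CKi's size, because CKi is only ever reused as the prk of the following Expand calls; an implementer has to guess. The old HKDF-Extract form had a length fixed by H's output, so this ambiguity is new with the patch. I would write it explicitly, e.g. `CKi = HKDF-Expand(H, len=64,` if the intent is to keep the Streebog-512 output size, or whatever the reference implementation actually uses. The reordering to `len=8, prk=CKi` on the IV line is cosmetic and fine.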
diff --git a/spec/cm/dem/xchacha-krmr b/spec/cm/dem/xchacha-krmr index 09d602f..24ac072 100644 --- a/spec/cm/dem/xchacha-krmr +++ b/spec/cm/dem/xchacha-krmr @@ -6,8 +6,12 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: H = BLAKE2b CK0, prMACx0 = CEK || prMACx - CKi = HKDF-Extract(H, salt="", ikm=CK{i-1}) - prMACxi = HKDF-Extract(H, salt="", ikm=prMACx{i-1}) + CKi = HKDF-Expand(H, + prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), + info="cm/encrypted/xchacha-krmr/kr") + prMACxi = HKDF-Expand(H, + prk=HKDF-Extract(H, salt="", ikm=prMACx{i-1}), + info="cm/encrypted/xchacha-krmr/mr") KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/key") IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchacha-krmr/iv", len=24) if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE } diff --git a/spec/cm/dem/xchapoly-krkc b/spec/cm/dem/xchapoly-krkc index bb2b14e..8224737 100644 --- a/spec/cm/dem/xchapoly-krkc +++ b/spec/cm/dem/xchapoly-krkc @@ -5,7 +5,9 @@ Data is split on 128 KiB chunks, each of which is encrypted the following way: H = BLAKE2b CK0 = CEK - CKi = HKDF-Extract(H, salt="", ikm=CK{i-1}) + CKi = HKDF-Expand(H, + prk=HKDF-Extract(H, salt="", ikm=CK{i-1}), + info="cm/encrypted/xchapoly-krkc/kr") KEY = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/key") IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/xchapoly-krkc/iv", len=24) if {last chunk} then { IV[23] |= 0x01 } else { IV[23] &= 0xFE } diff --git a/spec/cm/kem/gost3410-hkdf b/spec/cm/kem/gost3410-hkdf index f376790..74f2aea 100644 --- a/spec/cm/kem/gost3410-hkdf +++ b/spec/cm/kem/gost3410-hkdf 
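Review bot: The new CKi derivation omits `len=`, and nothing in this file fixes it: KEY's size follows from XChaCha20-Poly1305 and IV has `len=24`, but CKi is only used as a prk, so its length is underdetermined by the spec, whereas the old HKDF-Extract form had a length fixed by H's output. The Go change in this same patch (go/cm/enc/chapoly/dem.go) passes CEKLen to the matching Expand, so the spec should say the same, e.g. `CKi = HKDF-Expand(H, len=<CEK length>,` with the concrete number this project uses. The same omission is in the xchacha-krmr and kuznechik-ctr-hmac-kr hunks of this patch.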
@@ -16,6 +16,7 @@ output is 512- or 1024-bit "BE(X)||BE(Y)" point, used in HKDF below: DH(sk, pk) = GOSTR3410-VKO(prv=sk, pub=pk, ukm=UKM) PRK = HKDF-Extract(H, salt="", ikm=DH(e, s)) if {specified sender} + PRK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf/auth") PRK = HKDF-Extract(H, salt=PRK, ikm=DH(s, s)) KEK = HKDF-Expand(H, prk=PRK, info="cm/encrypted/gost3410-hkdf" || /id) diff --git a/spec/cm/kem/mceliece6960119-x25519-hkdf-shake256 b/spec/cm/kem/mceliece6960119-x25519-hkdf-shake256 index 01342bd..9436d2f 100644 --- a/spec/cm/kem/mceliece6960119-x25519-hkdf-shake256 +++ b/spec/cm/kem/mceliece6960119-x25519-hkdf-shake256 @@ -44,6 +44,8 @@ X25519 public key, computes shared secrets, combines them and derives KEK. if {specified sender} ss-x25519-shared-key = X25519(s-x25519-sender-private-key, s-x25519-recipient-public-key) + PRK = HKDF-Expand(H, prk=PRK, + info="cm/encrypted/mceliece6960119-x25519-hkdf-shake256/auth") PRK = HKDF-Extract(H, salt=PRK, ikm= ss-x25519-shared-key || s-x25519-sender-public-key) KEK = HKDF-Expand(H, prk=PRK, diff --git a/spec/cm/kem/sntrup761-x25519-hkdf-blake2b b/spec/cm/kem/sntrup761-x25519-hkdf-blake2b index 608122a..f9fc4c9 100644 --- a/spec/cm/kem/sntrup761-x25519-hkdf-blake2b +++ b/spec/cm/kem/sntrup761-x25519-hkdf-blake2b @@ -30,6 +30,8 @@ key of the CEK. H(sntrup761-sender-ciphertext || e-x25519-sender-public-key) || H(sntrup761-recipient-public-key || s-x25519-recipient-public-key)) if {specified sender} + PRK = HKDF-Expand(H, prk=PRK, + info="cm/encrypted/sntrup761-x25519-hkdf-blake2b/auth") PRK = HKDF-Extract(H, salt=PRK, ikm= ss-x25519-shared-key || s-x25519-sender-public-key || -- 2.51.0
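Review bot: The diffstat lists only go/cm/enc/chapoly/dem.go on the implementation side, yet this hunk changes the sender-authenticated KEK derivation of gost3410-hkdf; if the repository carries a Go implementation of this KEM (the path layout suggests it may), it now disagrees with the spec and derives a different KEK, so either include that change here or say in the commit message that it follows separately. The inserted Expand also has no `len=`; its output becomes the salt, i.e. the HMAC key, of the next Extract, so I would pin it, e.g. `PRK = HKDF-Expand(H, len=<H output size>, prk=PRK, info="cm/encrypted/gost3410-hkdf/auth")`, and likewise in the mceliece and sntrup761 hunks. Only the `if {specified sender}` branch changes, so anonymous-sender messages stay wire-compatible while authenticated ones silently stop interoperating with older code; confirm a version or algorithm identifier distinguishes the two. The pseudo-code block this hunk edits begins before the hunk.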