Thread: 17 messages, 3 authors, 2021-01-12

Re: [PATCH 3/5] crypto: add RFC5869 HKDF

From: Eric Biggers <ebiggers@kernel.org>
Date: 2021-01-07 18:54:29
Also in: keyrings, linux-fscrypt, lkml

On Thu, Jan 07, 2021 at 08:53:15AM +0100, Stephan Mueller wrote:
> > > RFC5869
> > > allows two optional parameters to be provided to the extract operation:
> > > the salt and additional information. Both are to be provided with the
> > > seed parameter where the salt is the first entry of the seed parameter
> > > and all subsequent entries are handled as additional information. If
> > > the caller intends to invoke the HKDF without salt, it has to provide a
> > > NULL/0 entry as first entry in seed.
> >
> > Where does "additional information" for extract come from?  RFC 5869 has:
> >
> >         HKDF-Extract(salt, IKM) -> PRK
> >
> >         Inputs:
> >               salt     optional salt value (a non-secret random value);
> >                        if not provided, it is set to a string of HashLen zeros.
> >               IKM      input keying material
> >
> > There's no "additional information".
>
> I used the terminology from SP800-108. I will update the description
> accordingly.

For HKDF, it would be better to stick to the terminology used in RFC 5869
(https://tools.ietf.org/html/rfc5869), as generally that's what people are most
familiar with for HKDF.  It also matches the HKDF paper
(https://eprint.iacr.org/2010/264.pdf) more closely.

- Eric
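
The RFC 5869 interface discussed in this message, as an added example that is not part of the thread, the patch, or the kernel crypto API: extract takes only a salt and IKM, and the context string ("info") enters only at expand. The function names, the choice of HMAC-SHA256, and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256            # assumption: HMAC-SHA256 as the underlying PRF
HASH_LEN = HASH().digest_size    # HashLen in RFC 5869 terms (32 for SHA-256)


def hkdf_extract(salt, ikm):
    """HKDF-Extract(salt, IKM) -> PRK. Two inputs only; there is no 'info' here."""
    if not salt:
        # RFC 5869: a salt that is not provided is a string of HashLen zeros.
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand(PRK, info, L) -> OKM. The optional context is bound here."""
    if length > 255 * HASH_LEN:
        raise ValueError("L must be <= 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i), with T(0) the empty string
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length):
    """Extract-then-expand, keeping the two stages and their inputs separate."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


if __name__ == "__main__":
    ikm = bytes.fromhex("0b" * 22)            # constructed sample keying material
    prk_none = hkdf_extract(None, ikm)        # caller passes no salt
    prk_zero = hkdf_extract(bytes(HASH_LEN), ikm)
    print("no salt == HashLen zeros:", prk_none == prk_zero)
    # Same PRK, different info: independent output keys per context.
    print(hkdf_expand(prk_none, b"ctx-a", 16).hex())
    print(hkdf_expand(prk_none, b"ctx-b", 16).hex())
```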