Re: How stable are key derivation functions like HKDF?

Thanks for answering!

Just curious: how do you enforce that the output never changes? Is there some programmatic way to do that?

> On May 3, 2023, at 6:54 AM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
> 
> On Wed, May 03, 2023 at 04:05:49PM +1000, pauli@xxxxxxxxxxx wrote:
> 
>> They are never going to change in a way that breaks compatibility.
> 
> The point being that HKDFs are used in key agreement protocols with
> independently implemented peers of unknown vintage.  If the HKDF's
> output is ever to be a different function of its input, it is a new
> HKDF.  In terms of CS type theory, an HKDF is a "pure function".
> 
> The only reason that an HKDF *could* change would be if a bug were
> discovered in its implementation.  In that unlikely scenario, a library
> might consider exposing the legacy (buggy) implementation for legacy
> purposes along with the fixed new version, if such a bug were to be
> discovered.  Ideally, the implementations of basic HKDFs are, and
> indefinitely remain, correct.
> 
> -- 
>    Viktor.
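
One programmatic way to pin a KDF's output is a known-answer test: run the function on published inputs and compare against the published output, so any change in behaviour fails the test run. The sketch below is an added example, not code from this thread or from OpenSSL; `hkdf_sha256`, `run_kats` and `drifted_kdf` are hypothetical names, and the vectors are RFC 5869 Appendix A test cases 1 and 3.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 as specified in RFC 5869 (extract, then expand)."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF")
    # Extract: an empty salt is defined as HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * hash_len, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Published vectors from RFC 5869 Appendix A (test cases 1 and 3), hex-encoded.
RFC5869_VECTORS = [
    {"name": "A.1", "ikm": "0b" * 22, "salt": "000102030405060708090a0b0c",
     "info": "f0f1f2f3f4f5f6f7f8f9", "len": 42,
     "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
            "34007208d5b887185865"},
    {"name": "A.3", "ikm": "0b" * 22, "salt": "", "info": "", "len": 42,
     "okm": "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"
            "9d201395faa4b61a96c8"},
]

def run_kats(kdf) -> list:
    """Return the names of vectors whose output differs from the published OKM."""
    failed = []
    for v in RFC5869_VECTORS:
        out = kdf(bytes.fromhex(v["ikm"]), bytes.fromhex(v["salt"]),
                  bytes.fromhex(v["info"]), v["len"])
        if not hmac.compare_digest(out, bytes.fromhex(v["okm"])):
            failed.append(v["name"])
    return failed

def drifted_kdf(ikm, salt, info, length):
    """Constructed regression: silently ignores the info input."""
    return hkdf_sha256(ikm, salt, b"", length)

if __name__ == "__main__":
    print("reference:", run_kats(hkdf_sha256) or "all vectors match")
    print("drifted:  ", run_kats(drifted_kdf))
```

The constructed regression fails only vector A.1, because A.3 uses an empty `info`; a test suite needs vectors that exercise every input to catch this kind of drift.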



