From 6096a289848a9558b9852d740c3bde4cf1a7bd7e Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Mon, 26 Feb 2024 09:24:52 -0700 Subject: [PATCH] sas: clarify HKDF calculation uses base64-encoded keys (#1719) --- changelogs/client_server/newsfragments/1719.clarification | 1 + .../client-server-api/modules/end_to_end_encryption.md | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 changelogs/client_server/newsfragments/1719.clarification diff --git a/changelogs/client_server/newsfragments/1719.clarification b/changelogs/client_server/newsfragments/1719.clarification new file mode 100644 index 00000000..031e1e41 --- /dev/null +++ b/changelogs/client_server/newsfragments/1719.clarification @@ -0,0 +1 @@ +Clarify that the HKDF calculation for SAS uses base64-encoded keys rather than the raw key bytes. diff --git a/content/client-server-api/modules/end_to_end_encryption.md b/content/client-server-api/modules/end_to_end_encryption.md index 880082bb..1126c648 100644 --- a/content/client-server-api/modules/end_to_end_encryption.md +++ b/content/client-server-api/modules/end_to_end_encryption.md 
@@ -836,15 +836,15 @@ is the concatenation of: - The Device ID of the device which sent the `m.key.verification.start` message, followed by `|`. - The public key from the `m.key.verification.key` message sent by - the device which sent the `m.key.verification.start` message, - followed by `|`. + the device which sent the `m.key.verification.start` message, encoded as + unpadded base64, followed by `|`. - The Matrix ID of the user who sent the `m.key.verification.accept` message, followed by `|`. - The Device ID of the device which sent the `m.key.verification.accept` message, followed by `|`. - The public key from the `m.key.verification.key` message sent by - the device which sent the `m.key.verification.accept` message, - followed by `|`. + the device which sent the `m.key.verification.accept` message, encoded as + unpadded base64, followed by `|`. - The `transaction_id` being used. When the `key_agreement_protocol` is the deprecated method `curve25519`,
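Review bot: In `changelogs/client_server/newsfragments/1719.clarification`, the added line says "base64-encoded keys" while the spec text changed by the same patch says "unpadded base64". Use "unpadded base64-encoded keys" in the newsfragment so the changelog matches the normative wording.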
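Review bot: In `end_to_end_encryption.md`, both changed bullets say the public key is "encoded as unpadded base64, followed by `|`" but do not say whether that means the string exactly as it was carried in the `m.key.verification.key` message or a fresh encoding of the decoded key bytes. Both devices must build a byte-identical info string for the HKDF, so an implementation that decodes and re-encodes the key can diverge from one that reuses the received string whenever the peer's encoding is not canonical, and the SAS values would then not match. Consider wording along the lines of "the public key, as the unpadded base64 string sent in the `m.key.verification.key` message", and link "unpadded base64" to wherever the spec defines it so the alphabet and padding rules are unambiguous.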