i have some additional questions about the two subsequent sections. section
3.6.1.2 says:
Salted S2K is exactly like Simple S2K, except that the input to the
hash function(s) consists of the 8 octets of salt from the S2K
specifier, followed by the passphrase.
i presume this means that if the hash size is less than the key size,
the method of utilizing multiple hash contexts and prepending octets
of zeros described in 3.6.1.1 is employed.
Yes.
i assume that this also applies to iterated and salted s2k (section 3.6.1.3).
Yes.
if that is the case, suppose that the hash size is less than the key size:
1) for the second and subsequent hash context instances, do the octets
of zeros get prepended to the salt:
zero(s) + salt + passphrase
or are the zeros prepended to the passphrase:
salt + zero(s) + passphrase
? i presume it is the former, is that correct?
Yes.
2) for iterated and salted s2k, is the calculated octet count value
taken over all hash context instances or just the first instance?
The count is per-instance. Each instance is given a number of bytes of
salt and passphrase, equal to the calculated octet count. The pre-loaded
zeros are not included in this count.
Hal