ok, i think i've got it -- below is an outline of my current understanding.
for each hash context instance, the initial input is:
zero(s) + salt + passphrase
output from the hash, o1, is a fixed number of bytes, h.
if the length of salt + passphrase in bytes is less than the
calculated octet count, then o1 is given as input to the hash
function which produces o2 (also length h).
if the length of salt + passphrase + o1 is less than the calculated
octet count, then o2 is given as input to the hash function and the
process continues until the length of:
salt + passphrase + o1 + ... + on
is greater than or equal to the calculated octet count.
also, none of o1, ..., on have octets of zeros prepended.
is this correct?
No, unfortunately this is not correct, although I can see that the
"repeatedly hashed" language could be read this way. Actually what is
input is:
zero(s) + salt + passphrase + salt + passphrase + salt + passphrase + ...
<--------------------- COUNT bytes ------------------------->
and if COUNT (which is the computed octet count) is less than the length
of salt + passphrase, we hash enough bytes so that we include the full
salt + passphrase.
Hal