"crypto/aes"
"crypto/cipher"
"crypto/ecdh"
+ "crypto/internal/fips/hkdf"
"crypto/rand"
"errors"
"internal/byteorder"
"math/bits"
"golang.org/x/crypto/chacha20poly1305"
- "golang.org/x/crypto/hkdf"
)
// testingOnlyGenerateKey is only used during testing, to provide
labeledInfo = append(labeledInfo, suiteID...)
labeledInfo = append(labeledInfo, label...)
labeledInfo = append(labeledInfo, info...)
- out := make([]byte, length)
- n, err := hkdf.Expand(kdf.hash.New, randomKey, labeledInfo).Read(out)
- if err != nil || n != int(length) {
- panic("hpke: LabeledExpand failed unexpectedly")
- }
- return out
+ return hkdf.Expand(kdf.hash.New, randomKey, labeledInfo, int(length))
}
// dhKEM implements the KEM specified in RFC 9180, Section 4.1.
+++ /dev/null
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation
-// Function (HKDF) as defined in RFC 5869.
-//
-// HKDF is a cryptographic key derivation function (KDF) with the goal of
-// expanding limited input keying material into one or more cryptographically
-// strong secret keys.
-package hkdf
-
-import (
- "crypto/hmac"
- "errors"
- "hash"
- "io"
-)
-
-// Extract generates a pseudorandom key for use with Expand from an input secret
-// and an optional independent salt.
-//
-// Only use this function if you need to reuse the extracted key with multiple
-// Expand invocations and different context values. Most common scenarios,
-// including the generation of multiple keys, should use New instead.
-func Extract(hash func() hash.Hash, secret, salt []byte) []byte {
- if salt == nil {
- salt = make([]byte, hash().Size())
- }
- extractor := hmac.New(hash, salt)
- extractor.Write(secret)
- return extractor.Sum(nil)
-}
-
-type hkdf struct {
- expander hash.Hash
- size int
-
- info []byte
- counter byte
-
- prev []byte
- buf []byte
-}
-
-func (f *hkdf) Read(p []byte) (int, error) {
- // Check whether enough data can be generated
- need := len(p)
- remains := len(f.buf) + int(255-f.counter+1)*f.size
- if remains < need {
- return 0, errors.New("hkdf: entropy limit reached")
- }
- // Read any leftover from the buffer
- n := copy(p, f.buf)
- p = p[n:]
-
- // Fill the rest of the buffer
- for len(p) > 0 {
- if f.counter > 1 {
- f.expander.Reset()
- }
- f.expander.Write(f.prev)
- f.expander.Write(f.info)
- f.expander.Write([]byte{f.counter})
- f.prev = f.expander.Sum(f.prev[:0])
- f.counter++
-
- // Copy the new batch into p
- f.buf = f.prev
- n = copy(p, f.buf)
- p = p[n:]
- }
- // Save leftovers for next run
- f.buf = f.buf[n:]
-
- return need, nil
-}
-
-// Expand returns a Reader, from which keys can be read, using the given
-// pseudorandom key and optional context info, skipping the extraction step.
-//
-// The pseudorandomKey should have been generated by Extract, or be a uniformly
-// random or pseudorandom cryptographically strong key. See RFC 5869, Section
-// 3.3. Most common scenarios will want to use New instead.
-func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader {
- expander := hmac.New(hash, pseudorandomKey)
- return &hkdf{expander, expander.Size(), info, 1, nil, nil}
-}
-
-// New returns a Reader, from which keys can be read, using the given hash,
-// secret, salt and context info. Salt and info can be nil.
-func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader {
- prk := Extract(hash, secret, salt)
- return Expand(hash, prk, info)
-}