From: Roland Shoemaker <roland@golang.org>
Date: Tue, 14 May 2024 18:16:56 +0000 (-0700)
Subject: crypto/internal/hpke: add basic implementation
X-Git-Tag: go1.23rc1~187
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=27c302d5d55212eb3cf3797216b3cd4fe020e11c;p=gostls13.git

crypto/internal/hpke: add basic implementation

Only implements the sender role, since that's all we need for
client-side ECH for now.

Change-Id: Ia7cba1bc3bad8e8dc801d98d5ea859738b1f2790
Reviewed-on: https://go-review.googlesource.com/c/go/+/585436
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---

diff --git a/src/crypto/internal/hpke/hpke.go b/src/crypto/internal/hpke/hpke.go
new file mode 100644
index 0000000000..611c89aac0
--- /dev/null
+++ b/src/crypto/internal/hpke/hpke.go
@@ -0,0 +1,259 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package hpke
+
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ecdh"
+	"crypto/rand"
+	"encoding/binary"
+	"errors"
+	"math/bits"
+
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/hkdf"
+)
+
+// testingOnlyGenerateKey is only used during testing, to provide
+// a fixed test key to use when checking the RFC 9180 vectors.
+var testingOnlyGenerateKey func() (*ecdh.PrivateKey, error)
+
+type hkdfKDF struct {
+	hash crypto.Hash
+}
+
+func (kdf *hkdfKDF) LabeledExtract(suiteID []byte, salt []byte, label string, inputKey []byte) []byte {
+	labeledIKM := make([]byte, 0, 7+len(suiteID)+len(label)+len(inputKey))
+	labeledIKM = append(labeledIKM, []byte("HPKE-v1")...)
+	labeledIKM = append(labeledIKM, suiteID...)
+	labeledIKM = append(labeledIKM, label...)
+	labeledIKM = append(labeledIKM, inputKey...)
+	return hkdf.Extract(kdf.hash.New, labeledIKM, salt)
+}
+
+func (kdf *hkdfKDF) LabeledExpand(suiteID []byte, randomKey []byte, label string, info []byte, length uint16) []byte {
+	labeledInfo := make([]byte, 0, 2+7+len(suiteID)+len(label)+len(info))
+	labeledInfo = binary.BigEndian.AppendUint16(labeledInfo, length)
+	labeledInfo = append(labeledInfo, []byte("HPKE-v1")...)
+	labeledInfo = append(labeledInfo, suiteID...)
+	labeledInfo = append(labeledInfo, label...)
+	labeledInfo = append(labeledInfo, info...)
+	out := make([]byte, length)
+	n, err := hkdf.Expand(kdf.hash.New, randomKey, labeledInfo).Read(out)
+	if err != nil || n != int(length) {
+		panic("hpke: LabeledExpand failed unexpectedly")
+	}
+	return out
+}
+
+// dhKEM implements the KEM specified in RFC 9180, Section 4.1.
+type dhKEM struct {
+	dh  ecdh.Curve
+	kdf hkdfKDF
+
+	suiteID []byte
+	nSecret uint16
+}
+
+var SupportedKEMs = map[uint16]struct {
+	curve   ecdh.Curve
+	hash    crypto.Hash
+	nSecret uint16
+}{
+	// RFC 9180 Section 7.1
+	0x0020: {ecdh.X25519(), crypto.SHA256, 32},
+}
+
+func newDHKem(kemID uint16) (*dhKEM, error) {
+	suite, ok := SupportedKEMs[kemID]
+	if !ok {
+		return nil, errors.New("unsupported suite ID")
+	}
+	return &dhKEM{
+		dh:      suite.curve,
+		kdf:     hkdfKDF{suite.hash},
+		suiteID: binary.BigEndian.AppendUint16([]byte("KEM"), kemID),
+		nSecret: suite.nSecret,
+	}, nil
+}
+
+func (dh *dhKEM) ExtractAndExpand(dhKey, kemContext []byte) []byte {
+	eaePRK := dh.kdf.LabeledExtract(dh.suiteID[:], nil, "eae_prk", dhKey)
+	return dh.kdf.LabeledExpand(dh.suiteID[:], eaePRK, "shared_secret", kemContext, dh.nSecret)
+}
+
+func (dh *dhKEM) Encap(pubRecipient *ecdh.PublicKey) (sharedSecret []byte, encapPub []byte, err error) {
+	var privEph *ecdh.PrivateKey
+	if testingOnlyGenerateKey != nil {
+		privEph, err = testingOnlyGenerateKey()
+	} else {
+		privEph, err = dh.dh.GenerateKey(rand.Reader)
+	}
+	if err != nil {
+		return nil, nil, err
+	}
+	dhVal, err := privEph.ECDH(pubRecipient)
+	if err != nil {
+		return nil, nil, err
+	}
+	encPubEph := privEph.PublicKey().Bytes()
+
+	encPubRecip := pubRecipient.Bytes()
+	kemContext := append(encPubEph, encPubRecip...)
+
+	return dh.ExtractAndExpand(dhVal, kemContext), encPubEph, nil
+}
+
+type Sender struct {
+	aead cipher.AEAD
+	kem  *dhKEM
+
+	sharedSecret []byte
+
+	suiteID []byte
+
+	key            []byte
+	baseNonce      []byte
+	exporterSecret []byte
+
+	seqNum uint128
+}
+
+var aesGCMNew = func(key []byte) (cipher.AEAD, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return cipher.NewGCM(block)
+}
+
+var SupportedAEADs = map[uint16]struct {
+	keySize   int
+	nonceSize int
+	aead      func([]byte) (cipher.AEAD, error)
+}{
+	// RFC 9180, Section 7.3
+	0x0001: {keySize: 16, nonceSize: 12, aead: aesGCMNew},
+	0x0002: {keySize: 32, nonceSize: 12, aead: aesGCMNew},
+	0x0003: {keySize: chacha20poly1305.KeySize, nonceSize: chacha20poly1305.NonceSize, aead: chacha20poly1305.New},
+}
+
+var SupportedKDFs = map[uint16]func() *hkdfKDF{
+	// RFC 9180, Section 7.2
+	0x0001: func() *hkdfKDF { return &hkdfKDF{crypto.SHA256} },
+}
+
+func SetupSender(kemID, kdfID, aeadID uint16, pub crypto.PublicKey, info []byte) ([]byte, *Sender, error) {
+	suiteID := SuiteID(kemID, kdfID, aeadID)
+
+	kem, err := newDHKem(kemID)
+	if err != nil {
+		return nil, nil, err
+	}
+	pubRecipient, ok := pub.(*ecdh.PublicKey)
+	if !ok {
+		return nil, nil, errors.New("incorrect public key type")
+	}
+	sharedSecret, encapsulatedKey, err := kem.Encap(pubRecipient)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	kdfInit, ok := SupportedKDFs[kdfID]
+	if !ok {
+		return nil, nil, errors.New("unsupported KDF id")
+	}
+	kdf := kdfInit()
+
+	aeadInfo, ok := SupportedAEADs[aeadID]
+	if !ok {
+		return nil, nil, errors.New("unsupported AEAD id")
+	}
+
+	pskIDHash := kdf.LabeledExtract(suiteID, nil, "psk_id_hash", nil)
+	infoHash := kdf.LabeledExtract(suiteID, nil, "info_hash", info)
+	ksContext := append([]byte{0}, pskIDHash...)
+	ksContext = append(ksContext, infoHash...)
+
+	secret := kdf.LabeledExtract(suiteID, sharedSecret, "secret", nil)
+
+	key := kdf.LabeledExpand(suiteID, secret, "key", ksContext, uint16(aeadInfo.keySize) /* Nk - key size for AEAD */)
+	baseNonce := kdf.LabeledExpand(suiteID, secret, "base_nonce", ksContext, uint16(aeadInfo.nonceSize) /* Nn - nonce size for AEAD */)
+	exporterSecret := kdf.LabeledExpand(suiteID, secret, "exp", ksContext, uint16(kdf.hash.Size()) /* Nh - hash output size of the kdf*/)
+
+	aead, err := aeadInfo.aead(key)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return encapsulatedKey, &Sender{
+		kem:            kem,
+		aead:           aead,
+		sharedSecret:   sharedSecret,
+		suiteID:        suiteID,
+		key:            key,
+		baseNonce:      baseNonce,
+		exporterSecret: exporterSecret,
+	}, nil
+}
+
+func (s *Sender) nextNonce() []byte {
+	nonce := s.seqNum.bytes()[16-s.aead.NonceSize():]
+	for i := range s.baseNonce {
+		nonce[i] ^= s.baseNonce[i]
+	}
+	// Message limit is, according to the RFC, 2^95+1, which
+	// is somewhat confusing, but we do as we're told.
+	if s.seqNum.bitLen() >= (s.aead.NonceSize()*8)-1 {
+		panic("message limit reached")
+	}
+	s.seqNum = s.seqNum.addOne()
+	return nonce
+}
+
+func (s *Sender) Seal(aad, plaintext []byte) ([]byte, error) {
+
+	ciphertext := s.aead.Seal(nil, s.nextNonce(), plaintext, aad)
+	return ciphertext, nil
+}
+
+func SuiteID(kemID, kdfID, aeadID uint16) []byte {
+	suiteID := make([]byte, 0, 4+2+2+2)
+	suiteID = append(suiteID, []byte("HPKE")...)
+	suiteID = binary.BigEndian.AppendUint16(suiteID, kemID)
+	suiteID = binary.BigEndian.AppendUint16(suiteID, kdfID)
+	suiteID = binary.BigEndian.AppendUint16(suiteID, aeadID)
+	return suiteID
+}
+
+func ParseHPKEPublicKey(kemID uint16, bytes []byte) (*ecdh.PublicKey, error) {
+	kemInfo, ok := SupportedKEMs[kemID]
+	if !ok {
+		return nil, errors.New("unsupported KEM id")
+	}
+	return kemInfo.curve.NewPublicKey(bytes)
+}
+
+type uint128 struct {
+	hi, lo uint64
+}
+
+func (u uint128) addOne() uint128 {
+	lo, carry := bits.Add64(u.lo, 1, 0)
+	return uint128{u.hi + carry, lo}
+}
+
+func (u uint128) bitLen() int {
+	return bits.Len64(u.hi) + bits.Len64(u.lo)
+}
+
+func (u uint128) bytes() []byte {
+	b := make([]byte, 16)
+	binary.BigEndian.PutUint64(b[0:], u.hi)
+	binary.BigEndian.PutUint64(b[8:], u.lo)
+	return b
+}
diff --git a/src/crypto/internal/hpke/hpke_test.go b/src/crypto/internal/hpke/hpke_test.go
new file mode 100644
index 0000000000..69db53bc92
--- /dev/null
+++ b/src/crypto/internal/hpke/hpke_test.go
@@ -0,0 +1,168 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package hpke
+
+import (
+	"bytes"
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	"crypto/ecdh"
+	_ "crypto/sha256"
+	_ "crypto/sha512"
+)
+
+func mustDecodeHex(t *testing.T, in string) []byte {
+	b, err := hex.DecodeString(in)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return b
+}
+
+func parseVectorSetup(vector string) map[string]string {
+	vals := map[string]string{}
+	for _, l := range strings.Split(vector, "\n") {
+		fields := strings.Split(l, ": ")
+		vals[fields[0]] = fields[1]
+	}
+	return vals
+}
+
+func parseVectorEncryptions(vector string) []map[string]string {
+	vals := []map[string]string{}
+	for _, section := range strings.Split(vector, "\n\n") {
+		e := map[string]string{}
+		for _, l := range strings.Split(section, "\n") {
+			fields := strings.Split(l, ": ")
+			e[fields[0]] = fields[1]
+		}
+		vals = append(vals, e)
+	}
+	return vals
+}
+
+func TestRFC9180Vectors(t *testing.T) {
+	vectorsJSON, err := os.ReadFile("testdata/rfc9180-vectors.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var vectors []struct {
+		Name        string
+		Setup       string
+		Encryptions string
+	}
+	if err := json.Unmarshal(vectorsJSON, &vectors); err != nil {
+		t.Fatal(err)
+	}
+
+	for _, vector := range vectors {
+		t.Run(vector.Name, func(t *testing.T) {
+			setup := parseVectorSetup(vector.Setup)
+
+			kemID, err := strconv.Atoi(setup["kem_id"])
+			if err != nil {
+				t.Fatal(err)
+			}
+			if _, ok := SupportedKEMs[uint16(kemID)]; !ok {
+				t.Skip("unsupported KEM")
+			}
+			kdfID, err := strconv.Atoi(setup["kdf_id"])
+			if err != nil {
+				t.Fatal(err)
+			}
+			if _, ok := SupportedKDFs[uint16(kdfID)]; !ok {
+				t.Skip("unsupported KDF")
+			}
+			aeadID, err := strconv.Atoi(setup["aead_id"])
+			if err != nil {
+				t.Fatal(err)
+			}
+			if _, ok := SupportedAEADs[uint16(aeadID)]; !ok {
+				t.Skip("unsupported AEAD")
+			}
+
+			info := mustDecodeHex(t, setup["info"])
+			pubKeyBytes := mustDecodeHex(t, setup["pkRm"])
+			pub, err := ParseHPKEPublicKey(uint16(kemID), pubKeyBytes)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ephemeralPrivKey := mustDecodeHex(t, setup["skEm"])
+
+			testingOnlyGenerateKey = func() (*ecdh.PrivateKey, error) {
+				return SupportedKEMs[uint16(kemID)].curve.NewPrivateKey(ephemeralPrivKey)
+			}
+			t.Cleanup(func() { testingOnlyGenerateKey = nil })
+
+			encap, context, err := SetupSender(
+				uint16(kemID),
+				uint16(kdfID),
+				uint16(aeadID),
+				pub,
+				info,
+			)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			expectedEncap := mustDecodeHex(t, setup["enc"])
+			if !bytes.Equal(encap, expectedEncap) {
+				t.Errorf("unexpected encapsulated key, got: %x, want %x", encap, expectedEncap)
+			}
+			expectedSharedSecret := mustDecodeHex(t, setup["shared_secret"])
+			if !bytes.Equal(context.sharedSecret, expectedSharedSecret) {
+				t.Errorf("unexpected shared secret, got: %x, want %x", context.sharedSecret, expectedSharedSecret)
+			}
+			expectedKey := mustDecodeHex(t, setup["key"])
+			if !bytes.Equal(context.key, expectedKey) {
+				t.Errorf("unexpected key, got: %x, want %x", context.key, expectedKey)
+			}
+			expectedBaseNonce := mustDecodeHex(t, setup["base_nonce"])
+			if !bytes.Equal(context.baseNonce, expectedBaseNonce) {
+				t.Errorf("unexpected base nonce, got: %x, want %x", context.baseNonce, expectedBaseNonce)
+			}
+			expectedExporterSecret := mustDecodeHex(t, setup["exporter_secret"])
+			if !bytes.Equal(context.exporterSecret, expectedExporterSecret) {
+				t.Errorf("unexpected exporter secret, got: %x, want %x", context.exporterSecret, expectedExporterSecret)
+			}
+
+			for _, enc := range parseVectorEncryptions(vector.Encryptions) {
+				t.Run("seq num "+enc["sequence number"], func(t *testing.T) {
+					seqNum, err := strconv.Atoi(enc["sequence number"])
+					if err != nil {
+						t.Fatal(err)
+					}
+					context.seqNum = uint128{lo: uint64(seqNum)}
+					expectedNonce := mustDecodeHex(t, enc["nonce"])
+					// We can't call nextNonce, because it increments the sequence number,
+					// so just compute it directly.
+					computedNonce := context.seqNum.bytes()[16-context.aead.NonceSize():]
+					for i := range context.baseNonce {
+						computedNonce[i] ^= context.baseNonce[i]
+					}
+					if !bytes.Equal(computedNonce, expectedNonce) {
+						t.Errorf("unexpected nonce: got %x, want %x", computedNonce, expectedNonce)
+					}
+
+					expectedCiphertext := mustDecodeHex(t, enc["ct"])
+					ciphertext, err := context.Seal(mustDecodeHex(t, enc["aad"]), mustDecodeHex(t, enc["pt"]))
+					if err != nil {
+						t.Fatal(err)
+					}
+					if !bytes.Equal(ciphertext, expectedCiphertext) {
+						t.Errorf("unexpected ciphertext: got %x want %x", ciphertext, expectedCiphertext)
+					}
+				})
+			}
+		})
+	}
+}
diff --git a/src/crypto/internal/hpke/testdata/rfc9180-vectors.json b/src/crypto/internal/hpke/testdata/rfc9180-vectors.json
new file mode 100644
index 0000000000..3badbc641e
--- /dev/null
+++ b/src/crypto/internal/hpke/testdata/rfc9180-vectors.json
@@ -0,0 +1 @@
+[{"Name":"DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM","Setup":"mode: 0\nkem_id: 32\nkdf_id: 1\naead_id: 1\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: 7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234\npkEm: 37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431\nskEm: 52c4a758a802cd8b936eceea314432798d5baf2d7e9235dc084ab1b9cfa2f736\nikmR: 6db9df30aa07dd42ee5e8181afdb977e538f5e1fec8a06223f33f7013e525037\npkRm: 3948cfe0ad1ddb695d780e59077195da6c56506b027329794ab02bca80815c4d\nskRm: 4612c550263fc8ad58375df3f557aac531d26850903e55a9f23f21d8534e8ac8\nenc: 37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431\nshared_secret: fe0e18c9f024ce43799ae393c7e8fe8fce9d218875e8227b0187c04e7d2ea1fc\nkey_schedule_context: 00725611c9d98c07c03f60095cd32d400d8347d45ed67097bbad50fc56da742d07cb6cffde367bb0565ba28bb02c90744a20f5ef37f30523526106f637abb05449\nsecret: 12fff91991e93b48de37e7daddb52981084bd8aa64289c3788471d9a9712f397\nkey: 4531685d41d65f03dc48f6b8302c05b0\nbase_nonce: 56d890e5accaaf011cff4b7d\nexporter_secret: 45ff1c2e220db587171952c0592d5f5ebe103f1561a2614e38f2ffd47e99e3f8","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 56d890e5accaaf011cff4b7d\nct: f938558b5d72f1a23810b4be2ab4f84331acc02fc97babc53a52ae8218a355a96d8770ac83d07bea87e13c512a\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 56d890e5accaaf011cff4b7c\nct: af2d7e9ac9ae7e270f46ba1f975be53c09f8d875bdc8535458c2494e8a6eab251c03d0c22a56b8ca42c2063b84\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 56d890e5accaaf011cff4b7f\nct: 498dfcabd92e8acedc281e85af1cb4e3e31c7dc394a1ca20e173cb72516491588d96a19ad4a683518973dcc180\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 56d890e5accaaf011cff4b79\nct: 583bd32bc67a5994bb8ceaca813d369bca7b2a42408cddef5e22f880b631215a09fc0012bc69fccaa251c0246d\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 56d890e5accaaf011cff4b82\nct: 7175db9717964058640a3a11fb9007941a5d1757fda1a6935c805c21af32505bf106deefec4a49ac38d71c9e0a\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 56d890e5accaaf011cff4a7d\nct: 957f9800542b0b8891badb026d79cc54597cb2d225b54c00c5238c25d05c30e3fbeda97d2e0e1aba483a2df9f2"},{"Name":"DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305","Setup":"mode: 0\nkem_id: 32\nkdf_id: 1\naead_id: 3\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: 909a9b35d3dc4713a5e72a4da274b55d3d3821a37e5d099e74a647db583a904b\npkEm: 1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a\nskEm: f4ec9b33b792c372c1d2c2063507b684ef925b8c75a42dbcbf57d63ccd381600\nikmR: 1ac01f181fdf9f352797655161c58b75c656a6cc2716dcb66372da835542e1df\npkRm: 4310ee97d88cc1f088a5576c77ab0cf5c3ac797f3d95139c6c84b5429c59662a\nskRm: 8057991eef8f1f1af18f4a9491d16a1ce333f695d4db8e38da75975c4478e0fb\nenc: 1afa08d3dec047a643885163f1180476fa7ddb54c6a8029ea33f95796bf2ac4a\nshared_secret: 0bbe78490412b4bbea4812666f7916932b828bba79942424abb65244930d69a7\nkey_schedule_context: 00431df6cd95e11ff49d7013563baf7f11588c75a6611e e2a4404a49306ae4cfc5b69c5718a60cc5876c358d3f7fc31ddb598503f67be58ea1e798c0bb19eb9796\nsecret: 5b9cd775e64b437a2335cf499361b2e0d5e444d5cb41a8a53336d8fe402282c6\nkey: ad2744de8e17f4ebba575b3f5f5a8fa1f69c2a07f6e7500bc60ca6e3e3ec1c91\nbase_nonce: 5c4d98150661b848853b547f\nexporter_secret: a3b010d4994890e2c6968a36f64470d3c824c8f5029942feb11e7a74b2921922","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 5c4d98150661b848853b547f\nct: 1c5250d8034ec2b784ba2cfd69dbdb8af406cfe3ff938e131f0def8c8b60b4db21993c62ce81883d2dd1b51a28\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 5c4d98150661b848853b547e\nct: 6b53c051e4199c518de79594e1c4ab18b96f081549d45ce015be002090bb119e85285337cc95ba5f59992dc98c\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 5c4d98150661b848853b547d\nct: 71146bd6795ccc9c49ce25dda112a48f202ad220559502cef1f34271e0cb4b02b4f10ecac6f48c32f878fae86b\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 5c4d98150661b848853b547b\nct: 63357a2aa291f5a4e5f27db6baa2af8cf77427c7c1a909e0b37214dd47db122bb153495ff0b02e9e54a50dbe16\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 5c4d98150661b848853b5480\nct: 18ab939d63ddec9f6ac2b60d61d36a7375d2070c9b683861110757062c52b8880a5f6b3936da9cd6c23ef2a95c\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 5c4d98150661b848853b557f\nct: 7a4a13e9ef23978e2c520fd4d2e757514ae160cd0cd05e556ef692370ca53076214c0c40d4c728d6ed9e727a5b"},{"Name":"DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-128-GCM","Setup":"mode: 0\nkem_id: 16\nkdf_id: 1\naead_id: 1\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: 4270e54ffd08d79d5928020af4686d8f6b7d35dbe470265f1f5aa22816ce860e\npkEm: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4\nskEm: 4995788ef4b9d6132b249ce59a77281493eb39af373d236a1fe415cb0c2d7beb\nikmR: 668b37171f1072f3cf12ea8a236a45df23fc13b82af3609ad1e354f6ef817550\npkRm: 04fe8c19ce0905191ebc298a9245792531f26f0cece2460639e8bc39cb7f706a826a779b4cf969b8a0e539c7f62fb3d30ad6aa8f80e30f1d128aafd68a2ce72ea0\nskRm: f3ce7fdae57e1a310d87f1ebbde6f328be0a99cdbcadf4d6589cf29de4b8ffd2\nenc: 04a92719c6195d5085104f469a8b9814d5838ff72b60501e2c4466e5e67b325ac98536d7b61a1af4b78e5b7f951c0900be863c403ce65c9bfcb9382657222d18c4\nshared_secret: c0d26aeab536609a572b07695d933b589dcf363ff9d93c93adea537aeabb8cb8\nkey_schedule_context: 00b88d4e6d91759e65e87c470e8b9141113e9ad5f0c8ceefc1e088c82e6980500798e486f9c9c09c9b5c753ac72d6005de254c607d1b534ed11d493ae1c1d9ac85\nsecret: 2eb7b6bf138f6b5aff857414a058a3f1750054a9ba1f72c2cf0684a6f20b10e1\nkey: 868c066ef58aae6dc589b6cfdd18f97e\nbase_nonce: 4e0bc5018beba4bf004cca59\nexporter_secret: 14ad94af484a7ad3ef40e9f3be99ecc6fa9036df9d4920548424df127ee0d99f","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 4e0bc5018beba4bf004cca59\nct: 5ad590bb8baa577f8619db35a36311226a896e7342a6d836d8b7bcd2f20b6c7f9076ac232e3ab2523f39513434\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 4e0bc5018beba4bf004cca58\nct: fa6f037b47fc21826b610172ca9637e82d6e5801eb31cbd3748271affd4ecb06646e0329cbdf3c3cd655b28e82\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 4e0bc5018beba4bf004cca5b\nct: 895cabfac50ce6c6eb02ffe6c048bf53b7f7be9a91fc559402cbc5b8dcaeb52b2ccc93e466c28fb55fed7a7fec\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 4e0bc5018beba4bf004cca5d\nct: 8787491ee8df99bc99a246c4b3216d3d57ab5076e18fa27133f520703bc70ec999dd36ce042e44f0c3169a6a8f\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 4e0bc5018beba4bf004ccaa6\nct: 2ad71c85bf3f45c6eca301426289854b31448bcf8a8ccb1deef3ebd87f60848aa53c538c30a4dac71d619ee2cd\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 4e0bc5018beba4bf004ccb59\nct: 10f179686aa2caec1758c8e554513f16472bd0a11e2a907dde0b212cbe87d74f367f8ffe5e41cd3e9962a6afb2"},{"Name":"DHKEM(P-256, HKDF-SHA256), HKDF-SHA512, AES-128-GCM","Setup":"mode: 0\nkem_id: 16\nkdf_id: 3\naead_id: 1\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: 4ab11a9dd78c39668f7038f921ffc0993b368171d3ddde8031501ee1e08c4c9a\npkEm: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580\nskEm: 2292bf14bb6e15b8c81a0f45b7a6e93e32d830e48cca702e0affcfb4d07e1b5c\nikmR: ea9ff7cc5b2705b188841c7ace169290ff312a9cb31467784ca92d7a2e6e1be8\npkRm: 04085aa5b665dc3826f9650ccbcc471be268c8ada866422f739e2d531d4a8818a9466bc6b449357096232919ec4fe9070ccbac4aac30f4a1a53efcf7af90610edd\nskRm: 3ac8530ad1b01885960fab38cf3cdc4f7aef121eaa239f222623614b4079fb38\nenc: 0493ed86735bdfb978cc055c98b45695ad7ce61ce748f4dd63c525a3b8d53a15565c6897888070070c1579db1f86aaa56deb8297e64db7e8924e72866f9a472580\nshared_secret: 02f584736390fc93f5b4ad039826a3fa08e9911bd1215a3db8e8791ba533cafd\nkey_schedule_context: 005b8a3617af7789ee716e7911c7e77f84cdc4cc46e60fb7e19e4059f9aeadc00585e26874d1ddde76e551a7679cd47168c466f6e1f705cc9374c192778a34fcd5ca221d77e229a9d11b654de7942d685069c633b2362ce3b3d8ea4891c9a2a87a4eb7cdb289ba5e2ecbf8cd2c8498bb4a383dc021454d70d46fcbbad1252ef4f9\nsecret: 0c7acdab61693f936c4c1256c78e7be30eebfe466812f9cc49f0b58dc970328dfc03ea359be0250a471b1635a193d2dfa8cb23c90aa2e25025b892a725353eeb\nkey: 090ca96e5f8aa02b69fac360da50ddf9\nbase_nonce: 9c995e621bf9a20c5ca45546\nexporter_secret: 4a7abb2ac43e6553f129b2c5750a7e82d149a76ed56dc342d7bca61e26d494f4855dff0d0165f27ce57756f7f16baca006539bb8e4518987ba610480ac03efa8","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 9c995e621bf9a20c5ca45546\nct: d3cf4984931484a080f74c1bb2a6782700dc1fef9abe8442e44a6f09044c88907200b332003543754eb51917ba\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 9c995e621bf9a20c5ca45547\nct: d14414555a47269dfead9fbf26abb303365e40709a4ed16eaefe1f2070f1ddeb1bdd94d9e41186f124e0acc62d\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 9c995e621bf9a20c5ca45544\nct: 9bba136cade5c4069707ba91a61932e2cbedda2d9c7bdc33515aa01dd0e0f7e9d3579bf4016dec37da4aafa800\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 9c995e621bf9a20c5ca45542\nct: a531c0655342be013bf32112951f8df1da643602f1866749519f5dcb09cc68432579de305a77e6864e862a7600\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 9c995e621bf9a20c5ca455b9\nct: be5da649469efbad0fb950366a82a73fefeda5f652ec7d3731fac6c4ffa21a7004d2ab8a04e13621bd3629547d\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 9c995e621bf9a20c5ca45446\nct: 62092672f5328a0dde095e57435edf7457ace60b26ee44c9291110ec135cb0e14b85594e4fea11247d937deb62"},{"Name":"DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305","Setup":"mode: 0\nkem_id: 16\nkdf_id: 1\naead_id: 3\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: f1f1a3bc95416871539ecb51c3a8f0cf608afb40fbbe305c0a72819d35c33f1f\npkEm: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c095827824fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291\nskEm: 7550253e1147aae48839c1f8af80d2770fb7a4c763afe7d0afa7e0f42a5b3689\nikmR: 61092f3f56994dd424405899154a9918353e3e008171517ad576b900ddb275e7\npkRm: 04a697bffde9405c992883c5c439d6cc358170b51af72812333b015621dc0f40bad9bb726f68a5c013806a790ec716ab8669f84f6b694596c2987cf35baba2a006\nskRm: a4d1c55836aa30f9b3fbb6ac98d338c877c2867dd3a77396d13f68d3ab150d3b\nenc: 04c07836a0206e04e31d8ae99bfd549380b072a1b1b82e563c935c095827824fc1559eac6fb9e3c70cd3193968994e7fe9781aa103f5b50e934b5b2f387e381291\nshared_secret: 806520f82ef0b03c823b7fc524b6b55a088f566b9751b89551c170f4113bd850\nkey_schedule_context: 00b738cd703db7b4106e93b4621e9a19c89c838e55964240e5d3f331aaf8b0d58b2e986ea1c671b61cf45eec134dac0bae58ec6f63e790b1400b47c33038b0269c\nsecret: fe891101629aa355aad68eff3cc5170d057eca0c7573f6575e91f9783e1d4506\nkey: a8f45490a92a3b04d1dbf6cf2c3939ad8bfc9bfcb97c04bffe116730c9dfe3fc\nbase_nonce: 726b4390ed2209809f58c693\nexporter_secret: 4f9bd9b3a8db7d7c3a5b9d44fdc1f6e37d5d77689ade5ec44a7242016e6aa205","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 726b4390ed2209809f58c693\nct: 6469c41c5c81d3aa85432531ecf6460ec945bde1eb428cb2fedf7a29f5a685b4ccb0d057f03ea2952a27bb458b\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 726b4390ed2209809f58c692\nct: f1564199f7e0e110ec9c1bcdde332177fc35c1adf6e57f8d1df24022227ffa8716862dbda2b1dc546c9d114374\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 726b4390ed2209809f58c691\nct: 39de89728bcb774269f882af8dc5369e4f3d6322d986e872b3a8d074c7c18e8549ff3f85b6d6592ff87c3f310c\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 726b4390ed2209809f58c697\nct: bc104a14fbede0cc79eeb826ea0476ce87b9c928c36e5e34dc9b6905d91473ec369a08b1a25d305dd45c6c5f80\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 726b4390ed2209809f58c66c\nct: 8f2814a2c548b3be50259713c6724009e092d37789f6856553d61df23ebc079235f710e6af3c3ca6eaba7c7c6c\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 726b4390ed2209809f58c793\nct: b45b69d419a9be7219d8c94365b89ad6951caf4576ea4774ea40e9b7047a09d6537d1aa2f7c12d6ae4b729b4d0"},{"Name":"DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-256-GCM","Setup":"mode: 0\nkem_id: 18\nkdf_id: 3\naead_id: 2\ninfo: 4f6465206f6e2061204772656369616e2055726e\nikmE: 7f06ab8215105fc46aceeb2e3dc5028b44364f960426eb0d8e4026c2f8b5d7e7a986688f1591abf5ab753c357a5d6f0440414b4ed4ede71317772ac98d9239f70904\npkEm: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0\nskEm: 014784c692da35df6ecde98ee43ac425dbdd0969c0c72b42f2e708ab9d535415a8569bdacfcc0a114c85b8e3f26acf4d68115f8c91a66178cdbd03b7bcc5291e374b\nikmR: 2ad954bbe39b7122529f7dde780bff626cd97f850d0784a432784e69d86eccaade43b6c10a8ffdb94bf943c6da479db137914ec835a7e715e36e45e29b587bab3bf1\npkRm: 0401b45498c1714e2dce167d3caf162e45e0642afc7ed435df7902ccae0e84ba0f7d373f646b7738bbbdca11ed91bdeae3cdcba3301f2457be452f271fa6837580e661012af49583a62e48d44bed350c7118c0d8dc861c238c72a2bda17f64704f464b57338e7f40b60959480c0e58e6559b190d81663ed816e523b6b6a418f66d2451ec64\nskRm: 01462680369ae375e4b3791070a7458ed527842f6a98a79ff5e0d4cbde83c27196a3916956655523a6a2556a7af62c5cadabe2ef9da3760bb21e005202f7b2462847\nenc: 040138b385ca16bb0d5fa0c0665fbbd7e69e3ee29f63991d3e9b5fa740aab8900aaeed46ed73a49055758425a0ce36507c54b29cc5b85a5cee6bae0cf1c21f2731ece2013dc3fb7c8d21654bb161b463962ca19e8c654ff24c94dd2898de12051f1ed0692237fb02b2f8d1dc1c73e9b366b529eb436e98a996ee522aef863dd5739d2f29b0\nshared_secret: 776ab421302f6eff7d7cb5cb1adaea0cd50872c71c2d63c30c4f1d5e43653336fef33b103c67e7a98add2d3b66e2fda95b5b2a667aa9dac7e59cc1d46d30e818\nkey_schedule_context: 0083a27c5b2358ab4dae1b2f5d8f57f10ccccc822a473326f543f239a70aee46347324e84e02d7651a10d08fb3dda739d22d50c53fbfa8122baacd0f9ae5913072ef45baa1f3a4b169e141feb957e48d03f28c837d8904c3d6775308c3d3faa75dd64adfa44e1a1141edf9349959b8f8e5291cbdc56f62b0ed6527d692e85b09a4\nsecret: 49fd9f53b0f93732555b2054edfdc0e3101000d75df714b98ce5aa295a37f1b18dfa86a1c37286d805d3ea09a20b72f93c21e83955a1f01eb7c5eead563d21e7\nkey: 751e346ce8f0ddb2305c8a2a85c70d5cf559c53093656be636b9406d4d7d1b70\nbase_nonce: 55ff7a7d739c69f44b25447b\nexporter_secret: e4ff9dfbc732a2b9c75823763c5ccc954a2c0648fc6de80a58581252d0ee3215388a4455e69086b50b87eb28c169a52f42e71de4ca61c920e7bd24c95cc3f992","Encryptions":"sequence number: 0\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d30\nnonce: 55ff7a7d739c69f44b25447b\nct: 170f8beddfe949b75ef9c387e201baf4132fa7374593dfafa90768788b7b2b200aafcc6d80ea4c795a7c5b841a\n\nsequence number: 1\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d31\nnonce: 55ff7a7d739c69f44b25447a\nct: d9ee248e220ca24ac00bbbe7e221a832e4f7fa64c4fbab3945b6f3af0c5ecd5e16815b328be4954a05fd352256\n\nsequence number: 2\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d32\nnonce: 55ff7a7d739c69f44b254479\nct: 142cf1e02d1f58d9285f2af7dcfa44f7c3f2d15c73d460c48c6e0e506a3144bae35284e7e221105b61d24e1c7a\n\nsequence number: 4\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d34\nnonce: 55ff7a7d739c69f44b25447f\nct: 3bb3a5a07100e5a12805327bf3b152df728b1c1be75a9fd2cb2bf5eac0cca1fb80addb37eb2a32938c7268e3e5\n\nsequence number: 255\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323535\nnonce: 55ff7a7d739c69f44b254484\nct: 4f268d0930f8d50b8fd9d0f26657ba25b5cb08b308c92e33382f369c768b558e113ac95a4c70dd60909ad1adc7\n\nsequence number: 256\npt: 4265617574792069732074727574682c20747275746820626561757479\naad: 436f756e742d323536\nnonce: 55ff7a7d739c69f44b25457b\nct: dbbfc44ae037864e75f136e8b4b4123351d480e6619ae0e0ae437f036f2f8f1ef677686323977a1ccbb4b4f16a"}]
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index f7015ff33b..5db7b25330 100644
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -511,6 +511,7 @@ var depsRules = `
 	< golang.org/x/crypto/internal/poly1305
 	< golang.org/x/crypto/chacha20poly1305
 	< golang.org/x/crypto/hkdf
+	< crypto/internal/hpke
 	< crypto/x509/internal/macos
 	< crypto/x509/pkix;