crypto/internal/hpke: replace x/crypto/hkdf with crypto/internal/fips/hkdf

Change-Id: Id69e8e3a7dd61ca33489140eb76771b176a9ea4a Reviewed-on: https://go-review.googlesource.com/c/go/+/629057 Reviewed-by: Russ Cox <rsc@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> TryBot-Bypass: Filippo Valsorda <filippo@golang.org> Commit-Queue: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2024-11-22 19:54:39 -07:00 · 2024-11-18 14:28:19 +01:00 · 2024-11-18 14:28:19 +01:00 · a332689620
commit a332689620
parent ad072b3ae6
4 changed files with 2 additions and 104 deletions
--- a/src/crypto/internal/hpke/hpke.go
+++ b/src/crypto/internal/hpke/hpke.go
@ -9,13 +9,13 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ecdh"
+	"crypto/internal/fips/hkdf"
 	"crypto/rand"
 	"errors"
 	"internal/byteorder"
 	"math/bits"

 	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/crypto/hkdf"
 )

 // testingOnlyGenerateKey is only used during testing, to provide
@ -42,12 +42,7 @@ func (kdf *hkdfKDF) LabeledExpand(suiteID []byte, randomKey []byte, label string
 	labeledInfo = append(labeledInfo, suiteID...)
 	labeledInfo = append(labeledInfo, label...)
 	labeledInfo = append(labeledInfo, info...)
-	out := make([]byte, length)
-	n, err := hkdf.Expand(kdf.hash.New, randomKey, labeledInfo).Read(out)
-	if err != nil || n != int(length) {
-		panic("hpke: LabeledExpand failed unexpectedly")
-	}
-	return out
+	return hkdf.Expand(kdf.hash.New, randomKey, labeledInfo, int(length))
 }

 // dhKEM implements the KEM specified in RFC 9180, Section 4.1.
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@ -551,7 +551,6 @@ var depsRules = `
 	< golang.org/x/crypto/chacha20
 	< golang.org/x/crypto/internal/poly1305
 	< golang.org/x/crypto/chacha20poly1305
-	< golang.org/x/crypto/hkdf
 	< crypto/internal/hpke
 	< crypto/x509/internal/macos
 	< crypto/x509/pkix;
--- a/src/vendor/golang.org/x/crypto/hkdf/hkdf.go
+++ b/src/vendor/golang.org/x/crypto/hkdf/hkdf.go
@ -1,95 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation
-// Function (HKDF) as defined in RFC 5869.
-//
-// HKDF is a cryptographic key derivation function (KDF) with the goal of
-// expanding limited input keying material into one or more cryptographically
-// strong secret keys.
-package hkdf
-
-import (
-	"crypto/hmac"
-	"errors"
-	"hash"
-	"io"
-)
-
-// Extract generates a pseudorandom key for use with Expand from an input secret
-// and an optional independent salt.
-//
-// Only use this function if you need to reuse the extracted key with multiple
-// Expand invocations and different context values. Most common scenarios,
-// including the generation of multiple keys, should use New instead.
-func Extract(hash func() hash.Hash, secret, salt []byte) []byte {
-	if salt == nil {
-		salt = make([]byte, hash().Size())
-	}
-	extractor := hmac.New(hash, salt)
-	extractor.Write(secret)
-	return extractor.Sum(nil)
-}
-
-type hkdf struct {
-	expander hash.Hash
-	size     int
-
-	info    []byte
-	counter byte
-
-	prev []byte
-	buf  []byte
-}
-
-func (f *hkdf) Read(p []byte) (int, error) {
-	// Check whether enough data can be generated
-	need := len(p)
-	remains := len(f.buf) + int(255-f.counter+1)*f.size
-	if remains < need {
-		return 0, errors.New("hkdf: entropy limit reached")
-	}
-	// Read any leftover from the buffer
-	n := copy(p, f.buf)
-	p = p[n:]
-
-	// Fill the rest of the buffer
-	for len(p) > 0 {
-		if f.counter > 1 {
-			f.expander.Reset()
-		}
-		f.expander.Write(f.prev)
-		f.expander.Write(f.info)
-		f.expander.Write([]byte{f.counter})
-		f.prev = f.expander.Sum(f.prev[:0])
-		f.counter++
-
-		// Copy the new batch into p
-		f.buf = f.prev
-		n = copy(p, f.buf)
-		p = p[n:]
-	}
-	// Save leftovers for next run
-	f.buf = f.buf[n:]
-
-	return need, nil
-}
-
-// Expand returns a Reader, from which keys can be read, using the given
-// pseudorandom key and optional context info, skipping the extraction step.
-//
-// The pseudorandomKey should have been generated by Extract, or be a uniformly
-// random or pseudorandom cryptographically strong key. See RFC 5869, Section
-// 3.3. Most common scenarios will want to use New instead.
-func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader {
-	expander := hmac.New(hash, pseudorandomKey)
-	return &hkdf{expander, expander.Size(), info, 1, nil, nil}
-}
-
-// New returns a Reader, from which keys can be read, using the given hash,
-// secret, salt and context info. Salt and info can be nil.
-func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader {
-	prk := Extract(hash, secret, salt)
-	return Expand(hash, prk, info)
-}
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@ -4,7 +4,6 @@ golang.org/x/crypto/chacha20
 golang.org/x/crypto/chacha20poly1305
 golang.org/x/crypto/cryptobyte
 golang.org/x/crypto/cryptobyte/asn1
-golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
 # golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd