From a332689620b9582248b9450c32574ba7cfdd97ce Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Mon, 18 Nov 2024 14:28:19 +0100 Subject: [PATCH] crypto/internal/hpke: replace x/crypto/hkdf with crypto/internal/fips/hkdf Change-Id: Id69e8e3a7dd61ca33489140eb76771b176a9ea4a Reviewed-on: https://go-review.googlesource.com/c/go/+/629057 Reviewed-by: Russ Cox Auto-Submit: Filippo Valsorda TryBot-Bypass: Filippo Valsorda Commit-Queue: Filippo Valsorda Reviewed-by: Dmitri Shuralyov --- src/crypto/internal/hpke/hpke.go | 9 +- src/go/build/deps_test.go | 1 - src/vendor/golang.org/x/crypto/hkdf/hkdf.go | 95 --------------------- src/vendor/modules.txt | 1 - 4 files changed, 2 insertions(+), 104 deletions(-) delete mode 100644 src/vendor/golang.org/x/crypto/hkdf/hkdf.go diff --git a/src/crypto/internal/hpke/hpke.go b/src/crypto/internal/hpke/hpke.go index 978f79cbcf3..69c1f8b2baa 100644 --- a/src/crypto/internal/hpke/hpke.go +++ b/src/crypto/internal/hpke/hpke.go @@ -9,13 +9,13 @@ import ( "crypto/aes" "crypto/cipher" "crypto/ecdh" + "crypto/internal/fips/hkdf" "crypto/rand" "errors" "internal/byteorder" "math/bits" "golang.org/x/crypto/chacha20poly1305" - "golang.org/x/crypto/hkdf" ) // testingOnlyGenerateKey is only used during testing, to provide @@ -42,12 +42,7 @@ func (kdf *hkdfKDF) LabeledExpand(suiteID []byte, randomKey []byte, label string labeledInfo = append(labeledInfo, suiteID...) labeledInfo = append(labeledInfo, label...) labeledInfo = append(labeledInfo, info...) - out := make([]byte, length) - n, err := hkdf.Expand(kdf.hash.New, randomKey, labeledInfo).Read(out) - if err != nil || n != int(length) { - panic("hpke: LabeledExpand failed unexpectedly") - } - return out + return hkdf.Expand(kdf.hash.New, randomKey, labeledInfo, int(length)) } // dhKEM implements the KEM specified in RFC 9180, Section 4.1. diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go index 3481461ef9d..365efa7e256 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -551,7 +551,6 @@ var depsRules = ` < golang.org/x/crypto/chacha20 < golang.org/x/crypto/internal/poly1305 < golang.org/x/crypto/chacha20poly1305 - < golang.org/x/crypto/hkdf < crypto/internal/hpke < crypto/x509/internal/macos < crypto/x509/pkix; diff --git a/src/vendor/golang.org/x/crypto/hkdf/hkdf.go b/src/vendor/golang.org/x/crypto/hkdf/hkdf.go deleted file mode 100644 index 3bee66294ec..00000000000 --- a/src/vendor/golang.org/x/crypto/hkdf/hkdf.go +++ /dev/null @@ -1,95 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation -// Function (HKDF) as defined in RFC 5869. -// -// HKDF is a cryptographic key derivation function (KDF) with the goal of -// expanding limited input keying material into one or more cryptographically -// strong secret keys. -package hkdf - -import ( - "crypto/hmac" - "errors" - "hash" - "io" -) - -// Extract generates a pseudorandom key for use with Expand from an input secret -// and an optional independent salt. -// -// Only use this function if you need to reuse the extracted key with multiple -// Expand invocations and different context values. Most common scenarios, -// including the generation of multiple keys, should use New instead. -func Extract(hash func() hash.Hash, secret, salt []byte) []byte { - if salt == nil { - salt = make([]byte, hash().Size()) - } - extractor := hmac.New(hash, salt) - extractor.Write(secret) - return extractor.Sum(nil) -} - -type hkdf struct { - expander hash.Hash - size int - - info []byte - counter byte - - prev []byte - buf []byte -} - -func (f *hkdf) Read(p []byte) (int, error) { - // Check whether enough data can be generated - need := len(p) - remains := len(f.buf) + int(255-f.counter+1)*f.size - if remains < need { - return 0, errors.New("hkdf: entropy limit reached") - } - // Read any leftover from the buffer - n := copy(p, f.buf) - p = p[n:] - - // Fill the rest of the buffer - for len(p) > 0 { - if f.counter > 1 { - f.expander.Reset() - } - f.expander.Write(f.prev) - f.expander.Write(f.info) - f.expander.Write([]byte{f.counter}) - f.prev = f.expander.Sum(f.prev[:0]) - f.counter++ - - // Copy the new batch into p - f.buf = f.prev - n = copy(p, f.buf) - p = p[n:] - } - // Save leftovers for next run - f.buf = f.buf[n:] - - return need, nil -} - -// Expand returns a Reader, from which keys can be read, using the given -// pseudorandom key and optional context info, skipping the extraction step. -// -// The pseudorandomKey should have been generated by Extract, or be a uniformly -// random or pseudorandom cryptographically strong key. See RFC 5869, Section -// 3.3. Most common scenarios will want to use New instead. -func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader { - expander := hmac.New(hash, pseudorandomKey) - return &hkdf{expander, expander.Size(), info, 1, nil, nil} -} - -// New returns a Reader, from which keys can be read, using the given hash, -// secret, salt and context info. Salt and info can be nil. -func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader { - prk := Extract(hash, secret, salt) - return Expand(hash, prk, info) -} diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt index 2ce5d0cf0d1..2ef127ad5a4 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -4,7 +4,6 @@ golang.org/x/crypto/chacha20 golang.org/x/crypto/chacha20poly1305 golang.org/x/crypto/cryptobyte golang.org/x/crypto/cryptobyte/asn1 -golang.org/x/crypto/hkdf golang.org/x/crypto/internal/alias golang.org/x/crypto/internal/poly1305 # golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd