| // Copyright 2014 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation |
| // Function (HKDF) as defined in RFC 5869. |
| // |
| // HKDF is a cryptographic key derivation function (KDF) with the goal of |
| // expanding limited input keying material into one or more cryptographically |
| // strong secret keys. |
| package hkdf |
| |
| import ( |
| "crypto/hmac" |
| "errors" |
| "hash" |
| "io" |
| ) |
| |
| // Extract generates a pseudorandom key for use with Expand from an input secret |
| // and an optional independent salt. |
| // |
| // Only use this function if you need to reuse the extracted key with multiple |
| // Expand invocations and different context values. Most common scenarios, |
| // including the generation of multiple keys, should use New instead. |
| func Extract(hash func() hash.Hash, secret, salt []byte) []byte { |
| if salt == nil { |
| salt = make([]byte, hash().Size()) |
| } |
| extractor := hmac.New(hash, salt) |
| extractor.Write(secret) |
| return extractor.Sum(nil) |
| } |
| |
| type hkdf struct { |
| expander hash.Hash |
| size int |
| |
| info []byte |
| counter byte |
| |
| prev []byte |
| buf []byte |
| } |
| |
| func (f *hkdf) Read(p []byte) (int, error) { |
| // Check whether enough data can be generated |
| need := len(p) |
| remains := len(f.buf) + int(255-f.counter+1)*f.size |
| if remains < need { |
| return 0, errors.New("hkdf: entropy limit reached") |
| } |
| // Read any leftover from the buffer |
| n := copy(p, f.buf) |
| p = p[n:] |
| |
| // Fill the rest of the buffer |
| for len(p) > 0 { |
| if f.counter > 1 { |
| f.expander.Reset() |
| } |
| f.expander.Write(f.prev) |
| f.expander.Write(f.info) |
| f.expander.Write([]byte{f.counter}) |
| f.prev = f.expander.Sum(f.prev[:0]) |
| f.counter++ |
| |
| // Copy the new batch into p |
| f.buf = f.prev |
| n = copy(p, f.buf) |
| p = p[n:] |
| } |
| // Save leftovers for next run |
| f.buf = f.buf[n:] |
| |
| return need, nil |
| } |
| |
| // Expand returns a Reader, from which keys can be read, using the given |
| // pseudorandom key and optional context info, skipping the extraction step. |
| // |
| // The pseudorandomKey should have been generated by Extract, or be a uniformly |
| // random or pseudorandom cryptographically strong key. See RFC 5869, Section |
| // 3.3. Most common scenarios will want to use New instead. |
| func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader { |
| expander := hmac.New(hash, pseudorandomKey) |
| return &hkdf{expander, expander.Size(), info, 1, nil, nil} |
| } |
| |
| // New returns a Reader, from which keys can be read, using the given hash, |
| // secret, salt and context info. Salt and info can be nil. |
| func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader { |
| prk := Extract(hash, secret, salt) |
| return Expand(hash, prk, info) |
| } |