| // Copyright 2024 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package gcm |
| |
| import ( |
| "crypto/internal/fips140" |
| "crypto/internal/fips140/aes" |
| ) |
| |
| // CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES, |
| // according to NIST SP 800-108 Revision 1 Update 1, Section 4.1. |
| // |
| // It produces a 256-bit output, and accepts a 8-bit Label and a 96-bit Context. |
| // It uses a counter of 16 bits placed before the fixed data. The fixed data is |
| // the sequence Label || 0x00 || Context. The L field is omitted, since the |
| // output key length is fixed. |
| // |
| // It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM), |
| // rather than for exposing it to applications as a stand-alone KDF. |
| type CounterKDF struct { |
| mac CMAC |
| } |
| |
| // NewCounterKDF creates a new CounterKDF with the given key. |
| func NewCounterKDF(b *aes.Block) *CounterKDF { |
| return &CounterKDF{mac: *NewCMAC(b)} |
| } |
| |
| // DeriveKey derives a key from the given label and context. |
| func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte { |
| fips140.RecordApproved() |
| var output [32]byte |
| |
| var input [aes.BlockSize]byte |
| input[2] = label |
| copy(input[4:], context[:]) |
| |
| input[1] = 0x01 // i = 1 |
| K1 := kdf.mac.MAC(input[:]) |
| |
| input[1] = 0x02 // i = 2 |
| K2 := kdf.mac.MAC(input[:]) |
| |
| copy(output[:], K1[:]) |
| copy(output[aes.BlockSize:], K2[:]) |
| return output |
| } |
