diff options
| author | qmuntal <quimmuntal@gmail.com> | 2025-03-17 16:16:53 +0100 |
|---|---|---|
| committer | Quim Muntal <quimmuntal@gmail.com> | 2025-03-17 13:28:25 -0700 |
| commit | eb7ab11aafc6bcffcb49cd4fc51307dfee7a321b (patch) | |
| tree | af25508683d47278f80110b605ca9c0561896715 /src/crypto | |
| parent | 44d1d2e5adaf95190a817980eb8439d080df6b12 (diff) | |
| download | go-eb7ab11aafc6bcffcb49cd4fc51307dfee7a321b.tar.xz | |
crypto/internal/hpke: propagate hkdf error value
The hkdf operations done in hpke are not expected to fail given that
we control the inputs. However, propagating the error instead of
doesn't hurt and makes the code more robust to future changes.
Change-Id: I168854593a40f67e2cc275e0dedc3b24b8f1480e
Reviewed-on: https://go-review.googlesource.com/c/go/+/658475
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/internal/hpke/hpke.go | 64 |
1 files changed, 39 insertions, 25 deletions
diff --git a/src/crypto/internal/hpke/hpke.go b/src/crypto/internal/hpke/hpke.go index d451bff250..de601c4bfe 100644 --- a/src/crypto/internal/hpke/hpke.go +++ b/src/crypto/internal/hpke/hpke.go @@ -26,31 +26,23 @@ type hkdfKDF struct { hash crypto.Hash } -func (kdf *hkdfKDF) LabeledExtract(sid []byte, salt []byte, label string, inputKey []byte) []byte { +func (kdf *hkdfKDF) LabeledExtract(sid []byte, salt []byte, label string, inputKey []byte) ([]byte, error) { labeledIKM := make([]byte, 0, 7+len(sid)+len(label)+len(inputKey)) labeledIKM = append(labeledIKM, []byte("HPKE-v1")...) labeledIKM = append(labeledIKM, sid...) labeledIKM = append(labeledIKM, label...) labeledIKM = append(labeledIKM, inputKey...) - prk, err := hkdf.Extract(kdf.hash.New, labeledIKM, salt) - if err != nil { - panic(err) - } - return prk + return hkdf.Extract(kdf.hash.New, labeledIKM, salt) } -func (kdf *hkdfKDF) LabeledExpand(suiteID []byte, randomKey []byte, label string, info []byte, length uint16) []byte { +func (kdf *hkdfKDF) LabeledExpand(suiteID []byte, randomKey []byte, label string, info []byte, length uint16) ([]byte, error) { labeledInfo := make([]byte, 0, 2+7+len(suiteID)+len(label)+len(info)) labeledInfo = byteorder.BEAppendUint16(labeledInfo, length) labeledInfo = append(labeledInfo, []byte("HPKE-v1")...) labeledInfo = append(labeledInfo, suiteID...) labeledInfo = append(labeledInfo, label...) labeledInfo = append(labeledInfo, info...) - key, err := hkdf.Expand(kdf.hash.New, randomKey, string(labeledInfo), int(length)) - if err != nil { - panic(err) - } - return key + return hkdf.Expand(kdf.hash.New, randomKey, string(labeledInfo), int(length)) } // dhKEM implements the KEM specified in RFC 9180, Section 4.1. @@ -88,8 +80,11 @@ func newDHKem(kemID uint16) (*dhKEM, error) { }, nil } -func (dh *dhKEM) ExtractAndExpand(dhKey, kemContext []byte) []byte { - eaePRK := dh.kdf.LabeledExtract(dh.suiteID[:], nil, "eae_prk", dhKey) +func (dh *dhKEM) ExtractAndExpand(dhKey, kemContext []byte) ([]byte, error) { + eaePRK, err := dh.kdf.LabeledExtract(dh.suiteID[:], nil, "eae_prk", dhKey) + if err != nil { + return nil, err + } return dh.kdf.LabeledExpand(dh.suiteID[:], eaePRK, "shared_secret", kemContext, dh.nSecret) } @@ -111,8 +106,11 @@ func (dh *dhKEM) Encap(pubRecipient *ecdh.PublicKey) (sharedSecret []byte, encap encPubRecip := pubRecipient.Bytes() kemContext := append(encPubEph, encPubRecip...) - - return dh.ExtractAndExpand(dhVal, kemContext), encPubEph, nil + sharedSecret, err = dh.ExtractAndExpand(dhVal, kemContext) + if err != nil { + return nil, nil, err + } + return sharedSecret, encPubEph, nil } func (dh *dhKEM) Decap(encPubEph []byte, secRecipient *ecdh.PrivateKey) ([]byte, error) { @@ -125,8 +123,7 @@ func (dh *dhKEM) Decap(encPubEph []byte, secRecipient *ecdh.PrivateKey) ([]byte, return nil, err } kemContext := append(encPubEph, secRecipient.PublicKey().Bytes()...) - - return dh.ExtractAndExpand(dhVal, kemContext), nil + return dh.ExtractAndExpand(dhVal, kemContext) } type context struct { @@ -201,16 +198,33 @@ func newContext(sharedSecret []byte, kemID, kdfID, aeadID uint16, info []byte) ( return nil, errors.New("unsupported AEAD id") } - pskIDHash := kdf.LabeledExtract(sid, nil, "psk_id_hash", nil) - infoHash := kdf.LabeledExtract(sid, nil, "info_hash", info) + pskIDHash, err := kdf.LabeledExtract(sid, nil, "psk_id_hash", nil) + if err != nil { + return nil, err + } + infoHash, err := kdf.LabeledExtract(sid, nil, "info_hash", info) + if err != nil { + return nil, err + } ksContext := append([]byte{0}, pskIDHash...) ksContext = append(ksContext, infoHash...) - secret := kdf.LabeledExtract(sid, sharedSecret, "secret", nil) - - key := kdf.LabeledExpand(sid, secret, "key", ksContext, uint16(aeadInfo.keySize) /* Nk - key size for AEAD */) - baseNonce := kdf.LabeledExpand(sid, secret, "base_nonce", ksContext, uint16(aeadInfo.nonceSize) /* Nn - nonce size for AEAD */) - exporterSecret := kdf.LabeledExpand(sid, secret, "exp", ksContext, uint16(kdf.hash.Size()) /* Nh - hash output size of the kdf*/) + secret, err := kdf.LabeledExtract(sid, sharedSecret, "secret", nil) + if err != nil { + return nil, err + } + key, err := kdf.LabeledExpand(sid, secret, "key", ksContext, uint16(aeadInfo.keySize) /* Nk - key size for AEAD */) + if err != nil { + return nil, err + } + baseNonce, err := kdf.LabeledExpand(sid, secret, "base_nonce", ksContext, uint16(aeadInfo.nonceSize) /* Nn - nonce size for AEAD */) + if err != nil { + return nil, err + } + exporterSecret, err := kdf.LabeledExpand(sid, secret, "exp", ksContext, uint16(kdf.hash.Size()) /* Nh - hash output size of the kdf*/) + if err != nil { + return nil, err + } aead, err := aeadInfo.aead(key) if err != nil { |