-rw-r--r--internal/cryptocore/cryptocore.go9
-rw-r--r--internal/cryptocore/hkdf.go10
-rw-r--r--internal/cryptocore/hkdf_test.go46
3 files changed, 58 insertions, 7 deletions
diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go
index 2e02c3a..1ad928d 100644
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@@ -63,8 +63,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
{
emeKey := key
if useHKDF {
- info := "EME filename encryption"
- emeKey = hkdfDerive(key, info, KeyLen)
+ emeKey = hkdfDerive(key, hkdfInfoEMENames, KeyLen)
}
emeBlockCipher, err := aes.NewCipher(emeKey)
if err != nil {
@@ -78,8 +77,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
if aeadType == BackendOpenSSL || aeadType == BackendGoGCM {
gcmKey := key
if useHKDF {
- info := "AES-GCM file content encryption"
- gcmKey = hkdfDerive(key, info, KeyLen)
+ gcmKey = hkdfDerive(key, hkdfInfoGCMContent, KeyLen)
}
switch aeadType {
case BackendOpenSSL:
@@ -104,8 +102,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
}
var key64 []byte
if useHKDF {
- info := "AES-SIV file content encryption"
- key64 = hkdfDerive(key, info, siv_aead.KeyLen)
+ key64 = hkdfDerive(key, hkdfInfoSIVContent, siv_aead.KeyLen)
} else {
// AES-SIV uses 1/2 of the key for authentication, 1/2 for
// encryption, so we need a 64-bytes key for AES-256. Derive it from
diff --git a/internal/cryptocore/hkdf.go b/internal/cryptocore/hkdf.go
index 6944825..87ca1b9 100644
--- a/internal/cryptocore/hkdf.go
+++ b/internal/cryptocore/hkdf.go
@@ -7,8 +7,16 @@ import (
"golang.org/x/crypto/hkdf"
)
+const (
+ // "info" data that HKDF mixes into the generated key to make it unique.
+ // For convenience, we use a readable string.
+ hkdfInfoEMENames = "EME filename encryption"
+ hkdfInfoGCMContent = "AES-GCM file content encryption"
+ hkdfInfoSIVContent = "AES-SIV file content encryption"
+)
+
// hkdfDerive derives "outLen" bytes from "masterkey" and "info" using
-// HKDF-SHA256.
+// HKDF-SHA256 (RFC 5869).
// It returns the derived bytes or panics.
func hkdfDerive(masterkey []byte, info string, outLen int) (out []byte) {
h := hkdf.New(sha256.New, masterkey, nil, []byte(info))
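Review bot: The doc comment on the new const block undersells what these strings are: once hkdfDerive feeds them as the HKDF info input, every derived key depends on them byte for byte, so they are part of the on-disk format, yet the comment only says a readable string was chosen for convenience and the "must not change" warning lives solely in hkdf_test.go. Replace the second comment line with `// These values are part of the on-disk format: changing one changes every key derived from it, so they must never be modified.`. It is also worth stating on hkdfDerive that the salt handed to hkdf.New is nil, which per RFC 5869 means a zero-filled salt of HashLen bytes, so the separation between the three derived keys comes entirely from the info string; e.g. `// Salt is nil (zero-filled per RFC 5869); the info string alone separates the derived keys.`. hkdfDerive's body continues past the end of the hunk.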
diff --git a/internal/cryptocore/hkdf_test.go b/internal/cryptocore/hkdf_test.go
new file mode 100644
index 0000000..96ee01f
--- /dev/null
+++ b/internal/cryptocore/hkdf_test.go
@@ -0,0 +1,46 @@
+package cryptocore
+
+import (
+ "bytes"
+ "encoding/hex"
+ "testing"
+)
+
+type hkdfTestCase struct {
+ masterkey []byte
+ info string
+ out []byte
+}
+
+// TestHkdfDerive verifies that we get the expected values from hkdfDerive. They
+// must not change because this would change the on-disk format.
+func TestHkdfDerive(t *testing.T) {
+ master0 := bytes.Repeat([]byte{0x00}, 32)
+ master1 := bytes.Repeat([]byte{0x01}, 32)
+ out1, _ := hex.DecodeString("9ba3cddd48c6339c6e56ebe85f0281d6e9051be4104176e65cb0f8a6f77ae6b4")
+ out2, _ := hex.DecodeString("e8a2499f48700b954f31de732efd04abce822f5c948e7fbc0896607be0d36d12")
+ out3, _ := hex.DecodeString("9137f2e67a842484137f3c458f357f204c30d7458f94f432fa989be96854a649")
+ out4, _ := hex.DecodeString("0bfa5da7d9724d4753269940d36898e2c0f3717c0fee86ada58b5fd6c08cc26c")
+
+ testCases := []hkdfTestCase{
+ {master0, "EME filename encryption", out1},
+ {master0, hkdfInfoEMENames, out1},
+ {master1, "EME filename encryption", out2},
+ {master1, hkdfInfoEMENames, out2},
+ {master1, "AES-GCM file content encryption", out3},
+ {master1, hkdfInfoGCMContent, out3},
+ {master1, "AES-SIV file content encryption", out4},
+ {master1, hkdfInfoSIVContent, out4},
+ }
+
+ for i, v := range testCases {
+ out := hkdfDerive(v.masterkey, v.info, 32)
+ if !bytes.Equal(out, v.out) {
+ want := hex.EncodeToString(v.out)
+ have := hex.EncodeToString(out)
+ t.Errorf("testcase %d error:\n"+
+ "want=%s\n"+
+ "have=%s", i, want, have)
+ }
+ }
+}
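Review bot: The table pins hkdfDerive only at outLen 32, while the AES-SIV path in cryptocore.go derives siv_aead.KeyLen bytes (the neighbouring comment there speaks of a 64-byte key), so the length that actually reaches disk for SIV is never checked; in addition the hex.DecodeString errors are discarded with `_`, so a typo in a vector would surface as a puzzling mismatch against an empty slice rather than a clear failure. Add an outLen field to hkdfTestCase, a mustHex helper that fails the test on a decode error, and one SIV case at siv_aead.KeyLen whose expected value is recorded once from the current implementation before merging (shown as a labelled placeholder below); the test file would then also need the siv_aead import that cryptocore.go already uses.
```go
type hkdfTestCase struct {
	masterkey []byte
	info      string
	outLen    int
	out       []byte
}

// mustHex decodes a test vector and fails the test on a malformed string
// instead of silently comparing against an empty slice.
func mustHex(t *testing.T, s string) []byte {
	t.Helper()
	b, err := hex.DecodeString(s)
	if err != nil {
		t.Fatalf("bad test vector %q: %v", s, err)
	}
	return b
}

func TestHkdfDerive(t *testing.T) {
	// … unchanged: master0/master1 setup …
	out1 := mustHex(t, "9ba3cddd48c6339c6e56ebe85f0281d6e9051be4104176e65cb0f8a6f77ae6b4")
	// … unchanged: out2..out4 decoded the same way …
	testCases := []hkdfTestCase{
		{master0, hkdfInfoEMENames, 32, out1},
		// … unchanged: remaining 32-byte cases …
		{master1, hkdfInfoSIVContent, siv_aead.KeyLen, mustHex(t, "<PLACEHOLDER: hex of the siv_aead.KeyLen-byte output recorded from the current hkdfDerive>")},
	}
	for i, v := range testCases {
		out := hkdfDerive(v.masterkey, v.info, v.outLen)
		// … unchanged: comparison and error report …
	}
}
```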