Diffstat (limited to 'internal')
| -rw-r--r-- | internal/cryptocore/cryptocore.go | 9 | ||||
| -rw-r--r-- | internal/cryptocore/hkdf.go | 10 | ||||
| -rw-r--r-- | internal/cryptocore/hkdf_test.go | 46 | 
3 files changed, 58 insertions, 7 deletions
diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go
index 2e02c3a..1ad928d 100644
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@@ -63,8 +63,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 	{
 		emeKey := key
 		if useHKDF {
-			info := "EME filename encryption"
-			emeKey = hkdfDerive(key, info, KeyLen)
+			emeKey = hkdfDerive(key, hkdfInfoEMENames, KeyLen)
 		}
 		emeBlockCipher, err := aes.NewCipher(emeKey)
 		if err != nil {
@@ -78,8 +77,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 	if aeadType == BackendOpenSSL || aeadType == BackendGoGCM {
 		gcmKey := key
 		if useHKDF {
-			info := "AES-GCM file content encryption"
-			gcmKey = hkdfDerive(key, info, KeyLen)
+			gcmKey = hkdfDerive(key, hkdfInfoGCMContent, KeyLen)
 		}
 		switch aeadType {
 		case BackendOpenSSL:
@@ -104,8 +102,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		}
 		var key64 []byte
 		if useHKDF {
-			info := "AES-SIV file content encryption"
-			key64 = hkdfDerive(key, info, siv_aead.KeyLen)
+			key64 = hkdfDerive(key, hkdfInfoSIVContent, siv_aead.KeyLen)
 		} else {
 			// AES-SIV uses 1/2 of the key for authentication, 1/2 for
 			// encryption, so we need a 64-bytes key for AES-256. Derive it from
diff --git a/internal/cryptocore/hkdf.go b/internal/cryptocore/hkdf.go
index 6944825..87ca1b9 100644
--- a/internal/cryptocore/hkdf.go
+++ b/internal/cryptocore/hkdf.go
@@ -7,8 +7,16 @@ import (
 	"golang.org/x/crypto/hkdf"
 )
 
+const (
+	// "info" data that HKDF mixes into the generated key to make it unique.
+	// For convenience, we use a readable string.
+	hkdfInfoEMENames   = "EME filename encryption"
+	hkdfInfoGCMContent = "AES-GCM file content encryption"
+	hkdfInfoSIVContent = "AES-SIV file content encryption"
+)
+
 // hkdfDerive derives "outLen" bytes from "masterkey" and "info" using
-// HKDF-SHA256.
+// HKDF-SHA256 (RFC 5869).
 // It returns the derived bytes or panics.
 func hkdfDerive(masterkey []byte, info string, outLen int) (out []byte) {
 	h := hkdf.New(sha256.New, masterkey, nil, []byte(info))
diff --git a/internal/cryptocore/hkdf_test.go b/internal/cryptocore/hkdf_test.go
new file mode 100644
index 0000000..96ee01f
--- /dev/null
+++ b/internal/cryptocore/hkdf_test.go
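Review bot: The comment on the new const block says the info strings are readable "for convenience" but not that they are load-bearing: hkdfDerive feeds them into HKDF as the info parameter, so editing any of these literals silently changes every key derived from the master key and makes existing filesystems undecryptable — the new hkdf_test.go states this, the declaration site does not. I would put above the constants `// These strings are part of the on-disk format: changing one changes every key derived from the master key and breaks existing filesystems. TestHkdfDerive pins their output.` The hkdfDerive doc comment could also record the parameters the call fixes, since `hkdf.New(sha256.New, masterkey, nil, []byte(info))` shows an unsalted extract step with the master key as input keying material: `// The extract step is unsalted (salt = nil); masterkey is the IKM and info is the domain-separation label.` The body of hkdfDerive continues past the end of this hunk.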
@@ -0,0 +1,46 @@
+package cryptocore
+
+import (
+	"bytes"
+	"encoding/hex"
+	"testing"
+)
+
+type hkdfTestCase struct {
+	masterkey []byte
+	info      string
+	out       []byte
+}
+
+// TestHkdfDerive verifies that we get the expected values from hkdfDerive. They
+// must not change because this would change the on-disk format.
+func TestHkdfDerive(t *testing.T) {
+	master0 := bytes.Repeat([]byte{0x00}, 32)
+	master1 := bytes.Repeat([]byte{0x01}, 32)
+	out1, _ := hex.DecodeString("9ba3cddd48c6339c6e56ebe85f0281d6e9051be4104176e65cb0f8a6f77ae6b4")
+	out2, _ := hex.DecodeString("e8a2499f48700b954f31de732efd04abce822f5c948e7fbc0896607be0d36d12")
+	out3, _ := hex.DecodeString("9137f2e67a842484137f3c458f357f204c30d7458f94f432fa989be96854a649")
+	out4, _ := hex.DecodeString("0bfa5da7d9724d4753269940d36898e2c0f3717c0fee86ada58b5fd6c08cc26c")
+
+	testCases := []hkdfTestCase{
+		{master0, "EME filename encryption", out1},
+		{master0, hkdfInfoEMENames, out1},
+		{master1, "EME filename encryption", out2},
+		{master1, hkdfInfoEMENames, out2},
+		{master1, "AES-GCM file content encryption", out3},
+		{master1, hkdfInfoGCMContent, out3},
+		{master1, "AES-SIV file content encryption", out4},
+		{master1, hkdfInfoSIVContent, out4},
+	}
+
+	for i, v := range testCases {
+		out := hkdfDerive(v.masterkey, v.info, 32)
+		if !bytes.Equal(out, v.out) {
+			want := hex.EncodeToString(v.out)
+			have := hex.EncodeToString(out)
+			t.Errorf("testcase %d error:\n"+
+				"want=%s\n"+
+				"have=%s", i, want, have)
+		}
+	}
+}
