crypto/internal/fips/hkdf: new package

Tests imported from x/crypto, but the actual implementation was simpler
to implement ex-novo with a #61477-like API.

Updates #61477
For #69536

Change-Id: I5a9e8a71d8abd5b2aa6b74e73bf7f631ed0115cd
Reviewed-on: https://go-review.googlesource.com/c/go/+/621275
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Daniel McCarney <[email protected]>
Reviewed-by: Russ Cox <[email protected]>

Author: FiloSottile

src/crypto/internal/fips/cast_external_test.go

@@ -13,6 +13,7 @@ import (
 
 	// Import packages that define CASTs to test them.
 	_ "crypto/internal/fips/drbg"
+	_ "crypto/internal/fips/hkdf"
 	_ "crypto/internal/fips/hmac"
 	_ "crypto/internal/fips/sha256"
 	_ "crypto/internal/fips/sha3"

src/crypto/internal/fips/hkdf/cast.go

@@ -0,0 +1,32 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package hkdf
+
+import (
+	"bytes"
+	"crypto/internal/fips"
+	"crypto/internal/fips/sha256"
+	"errors"
+)
+
+func init() {
+	fips.CAST("HKDF-SHA2-256", func() error {
+		input := []byte{
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+		}
+		want := []byte{
+			0xb6, 0x53, 0x00, 0x5b, 0x51, 0x6d, 0x2b, 0xc9,
+			0x4a, 0xe4, 0xf9, 0x51, 0x73, 0x1f, 0x71, 0x21,
+			0xa6, 0xc1, 0xde, 0x42, 0x4f, 0x2c, 0x99, 0x60,
+			0x64, 0xdb, 0x66, 0x3e, 0xec, 0xa6, 0x37, 0xff,
+		}
+		got := Key(sha256.New, input, input, input, len(want))
+		if !bytes.Equal(got, want) {
+			return errors.New("unexpected result")
+		}
+		return nil
+	})
+}

src/crypto/internal/fips/hkdf/hkdf.go

@@ -0,0 +1,53 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package hkdf
+
+import (
+	"crypto/internal/fips"
+	"crypto/internal/fips/hmac"
+)
+
+func Extract[H fips.Hash](h func() H, secret, salt []byte) []byte {
+	if len(secret) < 112/8 {
+		fips.RecordNonApproved()
+	}
+	if salt == nil {
+		salt = make([]byte, h().Size())
+	}
+	extractor := hmac.New(h, salt)
+	extractor.Write(secret)
+	return extractor.Sum(nil)
+}
+
+func Expand[H fips.Hash](h func() H, pseudorandomKey, info []byte, keyLen int) []byte {
+	out := make([]byte, 0, keyLen)
+	expander := hmac.New(h, pseudorandomKey)
+	var counter uint8
+	var buf []byte
+
+	for len(out) < keyLen {
+		counter++
+		if counter == 0 {
+			panic("hkdf: counter overflow")
+		}
+		if counter > 1 {
+			expander.Reset()
+		}
+		expander.Write(buf)
+		expander.Write(info)
+		expander.Write([]byte{counter})
+		buf = expander.Sum(buf[:0])
+		remain := keyLen - len(out)
+		remain = min(remain, len(buf))
+		out = append(out, buf[:remain]...)
+	}
+
+	return out
+}
+
+func Key[H fips.Hash](h func() H, secret, salt, info []byte, keyLen int) []byte {
+	prk := Extract(h, secret, salt)
+	return Expand(h, prk, info, keyLen)
+}