diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go index 2e02c3a..1ad928d 100644 --- a/internal/cryptocore/cryptocore.go +++ b/internal/cryptocore/cryptocore.go @@ -63,8 +63,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec { emeKey := key if useHKDF { - info := "EME filename encryption" - emeKey = hkdfDerive(key, info, KeyLen) + emeKey = hkdfDerive(key, hkdfInfoEMENames, KeyLen) } emeBlockCipher, err := aes.NewCipher(emeKey) if err != nil { @@ -78,8 +77,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec if aeadType == BackendOpenSSL || aeadType == BackendGoGCM { gcmKey := key if useHKDF { - info := "AES-GCM file content encryption" - gcmKey = hkdfDerive(key, info, KeyLen) + gcmKey = hkdfDerive(key, hkdfInfoGCMContent, KeyLen) } switch aeadType { case BackendOpenSSL: @@ -104,8 +102,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec } var key64 []byte if useHKDF { - info := "AES-SIV file content encryption" - key64 = hkdfDerive(key, info, siv_aead.KeyLen) + key64 = hkdfDerive(key, hkdfInfoSIVContent, siv_aead.KeyLen) } else { // AES-SIV uses 1/2 of the key for authentication, 1/2 for // encryption, so we need a 64-bytes key for AES-256. Derive it from diff --git a/internal/cryptocore/hkdf.go b/internal/cryptocore/hkdf.go index 6944825..87ca1b9 100644 --- a/internal/cryptocore/hkdf.go +++ b/internal/cryptocore/hkdf.go @@ -7,8 +7,16 @@ import ( "golang.org/x/crypto/hkdf" ) +const ( + // "info" data that HKDF mixes into the generated key to make it unique. + // For convenience, we use a readable string. + hkdfInfoEMENames = "EME filename encryption" + hkdfInfoGCMContent = "AES-GCM file content encryption" + hkdfInfoSIVContent = "AES-SIV file content encryption" +) + // hkdfDerive derives "outLen" bytes from "masterkey" and "info" using -// HKDF-SHA256. +// HKDF-SHA256 (RFC 5869). // It returns the derived bytes or panics. func hkdfDerive(masterkey []byte, info string, outLen int) (out []byte) { h := hkdf.New(sha256.New, masterkey, nil, []byte(info)) diff --git a/internal/cryptocore/hkdf_test.go b/internal/cryptocore/hkdf_test.go new file mode 100644 index 0000000..96ee01f --- /dev/null +++ b/internal/cryptocore/hkdf_test.go @@ -0,0 +1,46 @@ +package cryptocore + +import ( + "bytes" + "encoding/hex" + "testing" +) + +type hkdfTestCase struct { + masterkey []byte + info string + out []byte +} + +// TestHkdfDerive verifies that we get the expected values from hkdfDerive. They +// must not change because this would change the on-disk format. +func TestHkdfDerive(t *testing.T) { + master0 := bytes.Repeat([]byte{0x00}, 32) + master1 := bytes.Repeat([]byte{0x01}, 32) + out1, _ := hex.DecodeString("9ba3cddd48c6339c6e56ebe85f0281d6e9051be4104176e65cb0f8a6f77ae6b4") + out2, _ := hex.DecodeString("e8a2499f48700b954f31de732efd04abce822f5c948e7fbc0896607be0d36d12") + out3, _ := hex.DecodeString("9137f2e67a842484137f3c458f357f204c30d7458f94f432fa989be96854a649") + out4, _ := hex.DecodeString("0bfa5da7d9724d4753269940d36898e2c0f3717c0fee86ada58b5fd6c08cc26c") + + testCases := []hkdfTestCase{ + {master0, "EME filename encryption", out1}, + {master0, hkdfInfoEMENames, out1}, + {master1, "EME filename encryption", out2}, + {master1, hkdfInfoEMENames, out2}, + {master1, "AES-GCM file content encryption", out3}, + {master1, hkdfInfoGCMContent, out3}, + {master1, "AES-SIV file content encryption", out4}, + {master1, hkdfInfoSIVContent, out4}, + } + + for i, v := range testCases { + out := hkdfDerive(v.masterkey, v.info, 32) + if !bytes.Equal(out, v.out) { + want := hex.EncodeToString(v.out) + have := hex.EncodeToString(out) + t.Errorf("testcase %d error:\n"+ + "want=%s\n"+ + "have=%s", i, want, have) + } + } +}