gotosocial/vendor/golang.org/x/crypto/hkdf/hkdf.go

// Copyright 2014 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation
// Function (HKDF) as defined in RFC 5869.
//
// HKDF is a cryptographic key derivation function (KDF) with the goal of
// expanding limited input keying material into one or more cryptographically
// strong secret keys.
package hkdf

import (
	"crypto/hmac"
	"errors"
	"hash"
	"io"
)

// Extract generates a pseudorandom key for use with Expand from an input secret
// and an optional independent salt.
//
// Only use this function if you need to reuse the extracted key with multiple
// Expand invocations and different context values. Most common scenarios,
// including the generation of multiple keys, should use New instead.
func Extract(hash func() hash.Hash, secret, salt []byte) []byte {
	if salt == nil {
		salt = make([]byte, hash().Size())
	}
	extractor := hmac.New(hash, salt)
	extractor.Write(secret)
	return extractor.Sum(nil)
}

type hkdf struct {
	expander hash.Hash
	size     int

	info    []byte
	counter byte

	prev []byte
	buf  []byte
}

func (f *hkdf) Read(p []byte) (int, error) {
	// Check whether enough data can be generated
	need := len(p)
	remains := len(f.buf) + int(255-f.counter+1)*f.size
	if remains < need {
		return 0, errors.New("hkdf: entropy limit reached")
	}
	// Read any leftover from the buffer
	n := copy(p, f.buf)
	p = p[n:]

	// Fill the rest of the buffer
	for len(p) > 0 {
		if f.counter > 1 {
			f.expander.Reset()
		}
		f.expander.Write(f.prev)
		f.expander.Write(f.info)
		f.expander.Write([]byte{f.counter})
		f.prev = f.expander.Sum(f.prev[:0])
		f.counter++

		// Copy the new batch into p
		f.buf = f.prev
		n = copy(p, f.buf)
		p = p[n:]
	}
	// Save leftovers for next run
	f.buf = f.buf[n:]

	return need, nil
}

// Expand returns a Reader, from which keys can be read, using the given
// pseudorandom key and optional context info, skipping the extraction step.
//
// The pseudorandomKey should have been generated by Extract, or be a uniformly
// random or pseudorandom cryptographically strong key. See RFC 5869, Section
// 3.3. Most common scenarios will want to use New instead.
func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader {
	expander := hmac.New(hash, pseudorandomKey)
	return &hkdf{expander, expander.Size(), info, 1, nil, nil}
}

// New returns a Reader, from which keys can be read, using the given hash,
// secret, salt and context info. Salt and info can be nil.
func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader {
	prk := Extract(hash, secret, salt)
	return Expand(hash, prk, info)
}
[feature] Push notifications (#3587) * Update push subscription API model to be Mastodon 4.0 compatible * Add webpush-go dependency # Conflicts: # go.sum * Single-row table for storing instance's VAPID key pair * Generate VAPID key pair during startup * Add VAPID public key to instance info API * Return VAPID public key when registering an app * Store Web Push subscriptions in DB * Add Web Push sender (similar to email sender) * Add no-op push senders to most processor tests * Test Web Push notifications from workers * Delete Web Push subscriptions when account is deleted * Implement push subscription API * Linter fixes * Update Swagger * Fix enum to int migration * Fix GetVAPIDKeyPair * Create web push subscriptions table with indexes * Log Web Push server error messages * Send instance URL as Web Push JWT subject * Accept any 2xx code as a success * Fix malformed VAPID sub claim * Use packed notification flags * Remove unused date columns * Add notification type for update notifications Not used yet * Make GetVAPIDKeyPair idempotent and remove PutVAPIDKeyPair * Post-rebase fixes * go mod tidy * Special-case 400 errors other than 408/429 Most client errors should remove the subscription. * Improve titles, trim body to reasonable length * Disallow cleartext HTTP for Web Push servers * Fix lint * Remove redundant index on unique column Also removes redundant unique and notnull tags on ID column since these are implied by pk * Make realsender.go more readable * Use Tobi's style for wrapping errors * Restore treating all 5xx codes as temporary problems * Always load target account settings * Stub `policy` and `standard` * webpush.Sender: take type converter as ctor param * Move webpush.MockSender and noopSender into testrig 2025-01-23 16:47:30 -08:00			`// Copyright 2014 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation`
			`// Function (HKDF) as defined in RFC 5869.`
			`//`
			`// HKDF is a cryptographic key derivation function (KDF) with the goal of`
			`// expanding limited input keying material into one or more cryptographically`
			`// strong secret keys.`
			`package hkdf`

			`import (`
			`"crypto/hmac"`
			`"errors"`
			`"hash"`
			`"io"`
			`)`

			`// Extract generates a pseudorandom key for use with Expand from an input secret`
			`// and an optional independent salt.`
			`//`
			`// Only use this function if you need to reuse the extracted key with multiple`
			`// Expand invocations and different context values. Most common scenarios,`
			`// including the generation of multiple keys, should use New instead.`
			`func Extract(hash func() hash.Hash, secret, salt []byte) []byte {`
			`if salt == nil {`
			`salt = make([]byte, hash().Size())`
			`}`
			`extractor := hmac.New(hash, salt)`
			`extractor.Write(secret)`
			`return extractor.Sum(nil)`
			`}`

			`type hkdf struct {`
			`expander hash.Hash`
			`size int`

			`info []byte`
			`counter byte`

			`prev []byte`
			`buf []byte`
			`}`

			`func (f *hkdf) Read(p []byte) (int, error) {`
			`// Check whether enough data can be generated`
			`need := len(p)`
			`remains := len(f.buf) + int(255-f.counter+1)*f.size`
			`if remains < need {`
			`return 0, errors.New("hkdf: entropy limit reached")`
			`}`
			`// Read any leftover from the buffer`
			`n := copy(p, f.buf)`
			`p = p[n:]`

			`// Fill the rest of the buffer`
			`for len(p) > 0 {`
			`if f.counter > 1 {`
			`f.expander.Reset()`
			`}`
			`f.expander.Write(f.prev)`
			`f.expander.Write(f.info)`
			`f.expander.Write([]byte{f.counter})`
			`f.prev = f.expander.Sum(f.prev[:0])`
			`f.counter++`

			`// Copy the new batch into p`
			`f.buf = f.prev`
			`n = copy(p, f.buf)`
			`p = p[n:]`
			`}`
			`// Save leftovers for next run`
			`f.buf = f.buf[n:]`

			`return need, nil`
			`}`

			`// Expand returns a Reader, from which keys can be read, using the given`
			`// pseudorandom key and optional context info, skipping the extraction step.`
			`//`
			`// The pseudorandomKey should have been generated by Extract, or be a uniformly`
			`// random or pseudorandom cryptographically strong key. See RFC 5869, Section`
			`// 3.3. Most common scenarios will want to use New instead.`
			`func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader {`
			`expander := hmac.New(hash, pseudorandomKey)`
			`return &hkdf{expander, expander.Size(), info, 1, nil, nil}`
			`}`

			`// New returns a Reader, from which keys can be read, using the given hash,`
			`// secret, salt and context info. Salt and info can be nil.`
			`func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader {`
			`prk := Extract(hash, secret, salt)`
			`return Expand(hash, prk, info)`
			`}`