Source File
	ctrkdf.go

Belonging Package
	crypto/internal/fips140/aes/gcm

// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package gcm

import (
	"crypto/internal/fips140"
	"crypto/internal/fips140/aes"
)

// CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES,
// according to NIST SP 800-108 Revision 1 Update 1, Section 4.1.
//
// It produces a 256-bit output, and accepts a 8-bit Label and a 96-bit Context.
// It uses a counter of 16 bits placed before the fixed data. The fixed data is
// the sequence Label || 0x00 || Context. The L field is omitted, since the
// output key length is fixed.
//
// It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM),
// rather than for exposing it to applications as a stand-alone KDF.
type CounterKDF struct {
	mac CMAC
}

// NewCounterKDF creates a new CounterKDF with the given key.
func NewCounterKDF(b *aes.Block) *CounterKDF {
	return &CounterKDF{mac: *NewCMAC(b)}
}

// DeriveKey derives a key from the given label and context.
func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte {
	fips140.RecordApproved()
	var output [32]byte

	var input [aes.BlockSize]byte
	input[2] = label
	copy(input[4:], context[:])

	input[1] = 0x01 // i = 1
	K1 := kdf.mac.MAC(input[:])

	input[1] = 0x02 // i = 2
	K2 := kdf.mac.MAC(input[:])

	copy(output[:], K1[:])
	copy(output[aes.BlockSize:], K2[:])
	return output
}

The pages are generated with Golds v0.7.9-preview. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @zigo_101 (reachable from the left QR code) to get the latest news of Golds.