Implement ExpandHKDFOneShot

[qmuntal]

Go 1.24 will most probably move the golang.org/x/crypto/hkdf package into the standard library: golang/go#61477. The new API will be a little bit simpler, basically hkdf.Expand won't return a io.Reader but a slice of bytes as bis as the keyLength parameter.

Our ExpandHKDF function is not well fitted to implement the new API, as it also returns an io.Reader and internally allocated a buffer that might not have the same size as keyLength, which will end up causing unnecessary allocations.

This PR implements the new ExpandHKDFOneShot function that will be used to implement the new API.

[dagood]

Why panic vs. returning the error?

[qmuntal]

This is common practice in this repo. The supported version switches should be exhaustive so we know what to update when we start supporting a new version.

[dagood]

What difference does return nil, errUnsupportedVersion() vs. panic(errUnsupportedVersion()) make to the switch's exhaustiveness?

FWIW, most uses of errUnsupportedVersion do use panic. Only tls1prf.go and hkdf.go return it, so maybe my confusion is in what situations it makes sense to return it rather than panic. (Maybe a doc comment on errUnsupportedVersion would make sense if it's worth explaining it for the future.)

(examples)

openssl/tls1prf.go

Lines 50 to 57 in 4f0359e

	switch vMajor {
	case 1:
	return tls1PRF1(result, secret, label, seed, md)
	case 3:
	return tls1PRF3(result, secret, label, seed, md)
	default:
	return errUnsupportedVersion()
	}

openssl/tls1prf.go

Lines 15 to 25 in 4f0359e

	func SupportsTLS1PRF() bool {
	switch vMajor {
	case 1:
	return vMinor >= 1
	case 3:
	_, err := fetchTLS1PRF3()
	return err == nil
	default:
	panic(errUnsupportedVersion())
	}
	}

openssl/hkdf.go

Lines 17 to 27 in a47a022

	func SupportsHKDF() bool {
	switch vMajor {
	case 1:
	return versionAtOrAbove(1, 1, 1)
	case 3:
	_, err := fetchHKDF3()
	return err == nil
	default:
	panic(errUnsupportedVersion())
	}
	}

openssl/hkdf.go

Lines 113 to 115 in a47a022

	if !SupportsHKDF() {
	return nil, errUnsupportedVersion()
	}

That said, since this isn't new, going ahead with approval. 😄

[qmuntal]

What difference does return nil, errUnsupportedVersion() vs. panic(errUnsupportedVersion()) make to the switch's exhaustiveness?

Go doesn't have exhaustive, so it is idiomatic to panic in the default case to at least get a runtime panic.

Good catch about the inconsistency, will fix in a follow up PR.

[dagood]

What difference does return nil, errUnsupportedVersion() vs. panic(errUnsupportedVersion()) make to the switch's exhaustiveness?

FWIW, most uses of errUnsupportedVersion do use panic. Only tls1prf.go and hkdf.go return it, so maybe my confusion is in what situations it makes sense to return it rather than panic. (Maybe a doc comment on errUnsupportedVersion would make sense if it's worth explaining it for the future.)

(examples)

openssl/tls1prf.go

Lines 50 to 57 in 4f0359e

	switch vMajor {
	case 1:
	return tls1PRF1(result, secret, label, seed, md)
	case 3:
	return tls1PRF3(result, secret, label, seed, md)
	default:
	return errUnsupportedVersion()
	}

openssl/tls1prf.go

Lines 15 to 25 in 4f0359e

	func SupportsTLS1PRF() bool {
	switch vMajor {
	case 1:
	return vMinor >= 1
	case 3:
	_, err := fetchTLS1PRF3()
	return err == nil
	default:
	panic(errUnsupportedVersion())
	}
	}

openssl/hkdf.go

Lines 17 to 27 in a47a022

	func SupportsHKDF() bool {
	switch vMajor {
	case 1:
	return versionAtOrAbove(1, 1, 1)
	case 3:
	_, err := fetchHKDF3()
	return err == nil
	default:
	panic(errUnsupportedVersion())
	}
	}

openssl/hkdf.go

Lines 113 to 115 in a47a022

	if !SupportsHKDF() {
	return nil, errUnsupportedVersion()
	}

That said, since this isn't new, going ahead with approval. 😄