From 7b15fc1cac33d9b8cd3817da5ad26dd0d88f4c3e Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Wed, 13 Mar 2024 22:45:35 +0100
Subject: [PATCH] hpke: relax seed size check in DeriveKeyPair

RFC 9180 section 7.1.3 says:

> For a given KEM, the ikm parameter given to DeriveKeyPair()
> SHOULD have length at least Nsk, and SHOULD have at least Nsk
> bytes of entropy.

Thus, it is not a requirement for HPKE to pass a seed with a fixed size. Protocols such as MLS rely on this.

Closes: https://github.com/cloudflare/circl/issues/486
---
hpke/hybridkem.go | 3 ---
hpke/shortkem.go | 3 ---
hpke/xkem.go | 3 ---
3 files changed, 9 deletions(-)

diff --git a/hpke/hybridkem.go b/hpke/hybridkem.go
index 74e1ea6f1..52ed70787 100644
--- a/hpke/hybridkem.go
+++ b/hpke/hybridkem.go
@@ -160,9 +160,6 @@ func (k *hybridKEMPubKey) Equal(pk kem.PublicKey) bool {
 func (h hybridKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
 // Implementation based on
 // https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-07.html#name-derivekeypair
- if len(seed) != h.SeedSize() {
- panic(kem.ErrSeedSize)
- }
 outputSeedSize := h.kemA.SeedSize() + h.kemB.SeedSize()
 dkpPrk := h.labeledExtract([]byte(""), []byte("dkp_prk"), seed)
diff --git a/hpke/shortkem.go b/hpke/shortkem.go
index e5c55e991..db7e25bd4 100644
--- a/hpke/shortkem.go
+++ b/hpke/shortkem.go
@@ -44,9 +44,6 @@ func (s shortKEM) calcDH(dh []byte, sk kem.PrivateKey, pk kem.PublicKey) error {
 func (s shortKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
 // Implementation based on
 // https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-07.html#name-derivekeypair
- if len(seed) != s.SeedSize() {
- panic(kem.ErrSeedSize)
- }
 bitmask := byte(0xFF)
 if s.Params().BitSize == 521 {
diff --git a/hpke/xkem.go b/hpke/xkem.go
index f11ab6b37..a1dadaab4 100644
--- a/hpke/xkem.go
+++ b/hpke/xkem.go
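Review bot: Dropping the length check entirely lets a seed shorter than SeedSize() — including an empty one — flow straight into `labeledExtract` on the next context line, so DeriveKeyPair now silently derives a key pair from under-strength input, while RFC 9180 §7.1.3 as quoted in the message still says the ikm SHOULD be at least Nsk bytes; the same removal is made in the shortkem.go and xkem.go hunks. A lower bound keeps the variable-size use case and rejects the clearly unsafe one: `if len(seed) < h.SeedSize() {` / `panic(kem.ErrSeedSize)` / `}` (receiver `s` and `x` in the other two files). A doc comment on DeriveKeyPair stating that callers must supply at least SeedSize() bytes carrying that much entropy would make the relaxed contract explicit. The diffstat shows no test change; one case with a seed longer than SeedSize() and one with a shorter seed would pin the intended behaviour. DeriveKeyPair's body continues past the end of the hunk.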
@@ -55,9 +55,6 @@ func (x xKEM) calcDH(dh []byte, sk kem.PrivateKey, pk kem.PublicKey) error {
 func (x xKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
 // Implementation based on
 // https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-07.html#name-derivekeypair
- if len(seed) != x.SeedSize() {
- panic(kem.ErrSeedSize)
- }
 sk := &xKEMPrivKey{scheme: x, priv: make([]byte, x.size)}
 dkpPrk := x.labeledExtract([]byte(""), []byte("dkp_prk"), seed)
 bytes := x.labeledExpand(