use {constant_time, digest, error, hmac, polyfill};
/// Fills `out` with the PBKDF2 derived key for `secret`, `salt` and
/// `iterations` under the pseudorandom function `prf` (HMAC over the
/// PRF's digest).
///
/// The derived key length is `out.len()`; it need not be a multiple of
/// the PRF output length, the final block is simply truncated. Every
/// byte of `out` is overwritten. The HMAC key is set up once and shared
/// by all blocks.
///
/// # Panics
///
/// Panics if `iterations` is zero, or if `out` is so long that the
/// 32-bit block index would overflow (more than `u32::MAX` blocks).
pub fn derive(prf: &'static PRF, iterations: u32, salt: &[u8],
              secret: &[u8], out: &mut [u8]) {
    // Zero iterations is not a valid PBKDF2 parameter and would break
    // the counter loop in `derive_block`; reject it before doing work.
    assert!(iterations >= 1);

    let block_len = prf.digest_alg.output_len;
    let key = hmac::SigningKey::new(prf.digest_alg, secret);

    // `derive_block` XORs into its output, so start from all zeros.
    polyfill::slice::fill(out, 0);

    let mut block_index: u32 = 0;
    for block in out.chunks_mut(block_len) {
        // Block indices are 1-based; `checked_add` turns an index
        // overflow into a panic instead of a silently repeated block.
        block_index = block_index.checked_add(1).expect("derived key too long");
        derive_block(&key, iterations, salt, block_index, block);
    }
}
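/// Computes one PBKDF2 block `T_idx = U_1 ^ U_2 ^ ... ^ U_iterations`
/// and XORs it into `out`, where `U_1 = PRF(secret, salt || INT(idx))`
/// and `U_j = PRF(secret, U_{j-1})`.
///
/// `out` must already be zeroed by the caller (this function XORs into
/// it rather than overwriting) and must be no longer than the PRF's
/// output length; a shorter `out` yields a truncated block, which is
/// how the final block of a derived key is produced.
///
/// # Panics
///
/// Panics if `iterations` is zero or if `out` is longer than the PRF
/// output. The zero-iterations check is deliberate: the loop below
/// decrements an unsigned counter, and without the guard a zero input
/// underflows -- an overflow panic in debug builds, but in release
/// builds the counter wraps to `u32::MAX` and the loop performs roughly
/// 2^32 HMAC computations before returning.
fn derive_block(secret: &hmac::SigningKey, iterations: u32, salt: &[u8],
                idx: u32, out: &mut [u8]) {
    assert!(iterations >= 1);

    // U_1 = PRF(P, S || INT(i)), with INT(i) a 4-byte big-endian index.
    let mut ctx = hmac::SigningContext::with_key(secret);
    ctx.update(salt);
    ctx.update(&polyfill::slice::be_u8_from_u32(idx));
    let mut u = ctx.sign();

    let mut remaining = iterations;
    loop {
        {
            // Slicing first keeps the bounds check: an `out` longer than
            // one PRF block is a caller bug and must not be masked by
            // `zip` silently stopping at the shorter side.
            let u_bytes = &u.as_ref()[..out.len()];
            for (o, b) in out.iter_mut().zip(u_bytes) {
                *o ^= *b;
            }
        }
        if remaining == 1 {
            break;
        }
        remaining -= 1;
        // U_j = PRF(P, U_{j-1})
        u = hmac::sign(secret, u.as_ref());
    }
}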
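/// Verifies that `previously_derived` equals the PBKDF2 output for
/// `secret`, `salt`, `iterations` and `prf`.
///
/// The expected key is recomputed block by block into a stack buffer
/// and each block is compared with
/// `constant_time::verify_slices_are_equal`. The per-block results are
/// folded into `matches` with `&=` rather than short-circuiting, so
/// every block is derived and compared regardless of earlier
/// mismatches; this avoids leaking the position of the first differing
/// block through timing.
///
/// Returns `Err(error::Unspecified)` when `previously_derived` is empty
/// (an empty key verifies nothing and would otherwise always match),
/// when `iterations` is zero, or when any block differs.
///
/// Unlike `derive`, a zero iteration count is reported as an error
/// rather than asserted. `verify`'s parameters are typically read back
/// from a stored credential record; a corrupt or hostile record should
/// fail verification, not abort the process. Without this check
/// `derive_block` would decrement its counter below zero -- a panic in
/// debug builds, and in release builds a wrap to `u32::MAX` followed by
/// roughly 2^32 HMAC computations.
pub fn verify(prf: &'static PRF, iterations: u32, salt: &[u8],
              secret: &[u8], previously_derived: &[u8])
              -> Result<(), error::Unspecified> {
    if previously_derived.is_empty() {
        return Err(error::Unspecified);
    }
    if iterations == 0 {
        return Err(error::Unspecified);
    }

    // Large enough for one block of any supported digest; each chunk
    // is recomputed in place and never retained.
    let mut derived_buf = [0u8; digest::MAX_OUTPUT_LEN];

    let output_len = prf.digest_alg.output_len;
    let secret = hmac::SigningKey::new(prf.digest_alg, secret);

    let mut idx: u32 = 0;
    let mut matches = 1;

    for previously_derived_chunk in previously_derived.chunks(output_len) {
        idx = idx.checked_add(1).expect("derived key too long");

        // The final chunk may be shorter than a full block; derive only
        // as many bytes as the caller supplied, as `derive` does.
        let derived_chunk = &mut derived_buf[..previously_derived_chunk.len()];
        polyfill::slice::fill(derived_chunk, 0);

        derive_block(&secret, iterations, salt, idx, derived_chunk);

        let current_block_matches =
            if constant_time::verify_slices_are_equal(
                    derived_chunk, previously_derived_chunk).is_ok() {
                1
            } else {
                0
            };

        // Accumulate without branching on the outcome (see doc above).
        matches &= current_block_matches;
    }

    if matches == 0 {
        return Err(error::Unspecified);
    }

    Ok(())
}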
/// A pseudorandom function for PBKDF2: HMAC over the named digest.
///
/// The field is private, so callers obtain a `PRF` only through the
/// `HMAC_*` statics defined in this module and cannot construct one for
/// an arbitrary digest.
pub struct PRF {
    /// Digest algorithm underlying the HMAC; its `output_len` is the
    /// PBKDF2 block size used by `derive` and `verify`.
    digest_alg: &'static digest::Algorithm,
}
/// PBKDF2 with HMAC-SHA-256 as the PRF (32-byte blocks).
pub static HMAC_SHA256: PRF = PRF { digest_alg: &digest::SHA256 };

/// PBKDF2 with HMAC-SHA-512 as the PRF (64-byte blocks).
pub static HMAC_SHA512: PRF = PRF { digest_alg: &digest::SHA512 };
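#[cfg(test)]
mod tests {
    use {error, pbkdf2, test};

    /// Known-answer tests driven by `src/pbkdf2_tests.txt`. Each case
    /// supplies the PRF digest (`Hash`), iteration count (`c`), password
    /// (`P`), salt (`S`), a derived key (`DK`) and whether `verify` must
    /// accept it (`Verify`: `OK` or `Err`).
    #[test]
    pub fn pkbdf2_tests() {
        test::from_file("src/pbkdf2_tests.txt", |section, test_case| {
            assert_eq!(section, "");
            let prf_digest_alg = &test_case.consume_string("Hash");
            let prf = match prf_digest_alg.as_ref() {
                "SHA256" => &pbkdf2::HMAC_SHA256,
                "SHA512" => &pbkdf2::HMAC_SHA512,
                _ => panic!("Unexpected digest algorithm in PBKDF2 test"),
            };

            let iterations = test_case.consume_usize("c");
            // `c` is parsed as usize; an `as u32` cast would silently
            // truncate an out-of-range value and run a bogus case, so
            // refuse such a test vector explicitly.
            assert!(iterations <= u32::max_value() as usize,
                    "iteration count does not fit in u32");
            let iterations = iterations as u32;

            let secret = test_case.consume_bytes("P");
            let salt = test_case.consume_bytes("S");
            let dk = test_case.consume_bytes("DK");
            let verify_expected_result = test_case.consume_string("Verify");
            let verify_expected_result =
                match verify_expected_result.as_str() {
                    "OK" => Ok(()),
                    "Err" => Err(error::Unspecified),
                    _ => panic!("Unsupported value of \"Verify\""),
                };

            // `derive` must reproduce DK exactly for OK cases. For Err
            // cases the vector's DK is deliberately wrong, so the output
            // must differ -- except when DK is empty, where `derive`
            // trivially produces empty output and only `verify` rejects.
            {
                let mut out = vec![0u8; dk.len()];
                pbkdf2::derive(prf, iterations, &salt, &secret, &mut out);
                assert_eq!(dk == out,
                           verify_expected_result.is_ok() || dk.is_empty());
            }

            assert_eq!(pbkdf2::verify(prf, iterations, &salt, &secret, &dk),
                       verify_expected_result);

            Ok(())
        });
    }

    /// `derive` must refuse a zero iteration count. The panic message
    /// is pinned to `derive`'s own precondition assert so that some
    /// other panic (e.g. an arithmetic overflow deeper in the block
    /// loop) cannot satisfy this test by accident.
    #[test]
    #[should_panic(expected = "iterations >= 1")]
    pub fn pkbdf2_zero_iterations() {
        let prf = &pbkdf2::HMAC_SHA256;
        let secret = "ZeroIterationsTest".as_bytes();
        let iterations: u32 = 0;
        let salt = "salt".as_bytes();
        let mut out = vec![0u8; 2];
        pbkdf2::derive(prf, iterations, salt, secret, &mut out);
    }

    /// Boundary case: a single iteration is the smallest accepted count
    /// and must complete without panicking. This test checks only
    /// acceptance; the output value is covered by the file-driven
    /// known-answer tests.
    #[test]
    pub fn pkbdf2_one_iteration() {
        let prf = &pbkdf2::HMAC_SHA256;
        let secret = "ZeroIterationsTest".as_bytes();
        let iterations: u32 = 1;
        let salt = "salt".as_bytes();
        let mut out = vec![0u8; 2];
        pbkdf2::derive(prf, iterations, salt, secret, &mut out);
    }
}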