1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

extern crate hkdf;
extern crate sha2;

use self::hkdf::Hkdf;
use self::sha2::Sha256;
use openssl::hash::MessageDigest;
use openssl::pkcs5::pbkdf2_hmac;
use url::Url;

/// The length of the derived authentication key in bytes.
const KEY_AUTH_SIZE: usize = 64;

/// The number of iterations to do for deriving a passworded authentication
/// key.
const KEY_AUTH_ITERATIONS: usize = 100;

/// Derive a HKDF key.
///
/// No _salt_ bytes are used in this function.
///
/// # Arguments
/// * length - Length of the derived key value that is returned.
/// * ikm - The input keying material.
/// * info - Optional context and application specific information to use.
///
/// # Returns
/// The output keying material, with the length as as specified in the `length`
/// argument.
fn hkdf(length: usize, ikm: &[u8], info: Option<&[u8]>) -> Vec<u8> {
    // Unwrap info or use empty info, define output key material
    let info = info.unwrap_or(&[]);
    let mut okm = vec![0u8; length];

    // Derive a HKDF key with the given length
    Hkdf::<Sha256>::extract(None, &ikm)
        .expand(&info, &mut okm)
        .unwrap();

    okm
}

/// Derive a key to use for file data encryption, based on the given `secret`.
pub fn derive_file_key(secret: &[u8]) -> Vec<u8> {
    hkdf(16, secret, Some(b"encryption"))
}

/// Derive a key to use for metadata encryption, based on the given `secret`.
pub fn derive_meta_key(secret: &[u8]) -> Vec<u8> {
    hkdf(16, secret, Some(b"metadata"))
}

/// Derive a key used for authentication, based on the given `secret`.
///
/// A `password` and `url` may be given for special key deriving.
/// At this time this is not implemented however.
pub fn derive_auth_key(secret: &[u8], password: Option<&str>, url: Option<&Url>) -> Vec<u8> {
    // Nothing, or both a password and URL must be given
    assert_eq!(
        password.is_none(),
        url.is_none(),
        "unable to derive authentication key, missing password or URL",
    );

    // Derive a key without a password
    if password.is_none() {
        return hkdf(KEY_AUTH_SIZE, secret, Some(b"authentication"));
    }

    // Derive a key with a password and URL
    // TODO: do not expect/unwrap here
    let mut key = vec![0u8; KEY_AUTH_SIZE];
    pbkdf2_hmac(
        password.unwrap().as_bytes(),
        url.unwrap().as_str().as_bytes(),
        KEY_AUTH_ITERATIONS,
        MessageDigest::sha256(),
        &mut key,
    )
    .expect("failed to derive passworded authentication key");

    key
}