oxicrypto_core/traits/kdf.rs
1use crate::CryptoError;
2
3/// Key derivation function (HKDF, PBKDF2, ...).
4pub trait Kdf: Send + Sync {
5 /// Human-readable algorithm identifier (e.g. `"HKDF-SHA-256"`).
6 #[must_use]
7 fn name(&self) -> &'static str;
8 /// Derive key material and write it into `okm_out`.
9 ///
10 /// - `ikm`: input key material
11 /// - `salt`: optional salt (may be empty)
12 /// - `info`: context/application-specific info (may be empty)
13 #[must_use = "result must be checked"]
14 fn derive(
15 &self,
16 ikm: &[u8],
17 salt: &[u8],
18 info: &[u8],
19 okm_out: &mut [u8],
20 ) -> Result<(), CryptoError>;
21}
22
23/// Parameters for a password-hashing KDF.
24pub trait PasswordHashParams: Send + Sync {
25 /// Memory cost in kibibytes (Argon2, scrypt) or `None` if not applicable.
26 #[must_use]
27 fn memory_cost(&self) -> Option<u32>;
28 /// Time cost (iterations for PBKDF2/Argon2) or `None` if not applicable.
29 #[must_use]
30 fn time_cost(&self) -> Option<u32>;
31 /// Degree of parallelism (Argon2/scrypt) or `None` if not applicable.
32 #[must_use]
33 fn parallelism(&self) -> Option<u32>;
34}
35
36/// Password-hashing function (Argon2id, PBKDF2, scrypt, …).
37///
38/// Distinct from [`Kdf`] because password KDFs expose memory/time/parallelism
39/// tuning that is irrelevant for stream KDFs like HKDF.
40pub trait PasswordHash: Send + Sync {
41 /// Human-readable algorithm identifier (e.g. `"Argon2id"`).
42 #[must_use]
43 fn name(&self) -> &'static str;
44 /// Hash `password` with `salt` using the given `params`; write output into `out`.
45 #[must_use = "result must be checked"]
46 fn hash_password(
47 &self,
48 password: &[u8],
49 salt: &[u8],
50 params: &dyn PasswordHashParams,
51 out: &mut [u8],
52 ) -> Result<(), CryptoError>;
53}