From c2b02d01d5c0bb684565d5b23b34022b752e9507 Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Fri, 11 Sep 2020 17:10:27 -0400 Subject: [PATCH 01/15] Add crypto.kdf.pbkdf2 --- lib/std/crypto.zig | 6 + lib/std/crypto/pbkdf2.zig | 227 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 233 insertions(+) create mode 100644 lib/std/crypto/pbkdf2.zig diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 5de2f13896..2b42942824 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -35,6 +35,11 @@ pub const onetimeauth = struct { pub const Poly1305 = @import("crypto/poly1305.zig").Poly1305; }; +/// Key derivation functions +pub const kdf = struct { + pub const pbkdf2 = @import("crypto/pbkdf2.zig").pbkdf2; +}; + /// Core functions, that should rarely be used directly by applications. pub const core = struct { pub const aes = @import("crypto/aes.zig"); @@ -77,6 +82,7 @@ test "crypto" { _ = @import("crypto/gimli.zig"); _ = @import("crypto/hmac.zig"); _ = @import("crypto/md5.zig"); + _ = @import("crypto/pbkdf2.zig"); _ = @import("crypto/poly1305.zig"); _ = @import("crypto/sha1.zig"); _ = @import("crypto/sha2.zig"); diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig new file mode 100644 index 0000000000..fe00f7ee08 --- /dev/null +++ b/lib/std/crypto/pbkdf2.zig @@ -0,0 +1,227 @@ +// SPDX-License-Identifier: MIT +// Copyright (c) 2015-2020 Zig Contributors +// This file is part of [zig](https://ziglang.org/), which is MIT licensed. +// The MIT license requires this copyright notice to be included in all copies +// and substantial portions of the software. + +const std = @import("std"); +const crypto = std.crypto; +const debug = std.debug; +const assert = debug.assert; +const mem = std.mem; + +// RFC 2898 Section 5.2 +// +// FromSpec: +// +// PBKDF2 applies a pseudorandom function (see Appendix B.1 for an +// example) to derive keys. The length of the derived key is essentially +// unbounded. (However, the maximum effective search space for the +// derived key may be limited by the structure of the underlying +// pseudorandom function. See Appendix B.1 for further discussion.) +// PBKDF2 is recommended for new applications. +// +// PBKDF2 (P, S, c, dkLen) +// +// Options: PRF underlying pseudorandom function (hLen +// denotes the length in octets of the +// pseudorandom function output) +// +// Input: P password, an octet string +// S salt, an octet string +// c iteration count, a positive integer +// dkLen intended length in octets of the derived +// key, a positive integer, at most +// (2^32 - 1) * hLen +// +// Output: DK derived key, a dkLen-octet string + +// Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini. + +pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Hash: type) void { + assert(rounds >= 1); + + const dkLen = derivedKey.len; + const hLen = Hash.digest_length; + const Prf = crypto.auth.hmac.Hmac(Hash); + + // FromSpec: + // + // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + // stop. + // + assert(dkLen > 0 and dkLen <= (1 << 32 - 1) * hLen); + + // FromSpec: + // + // 2. Let l be the number of hLen-octet blocks in the derived key, + // rounding up, and let r be the number of octets in the last + // block + // + const l = (dkLen + hLen - 1) / hLen; + var r = dkLen % hLen; + r = if (r != 0) r else hLen; + + // FromSpec: + // + // 3. For each block of the derived key apply the function F defined + // below to the password P, the salt S, the iteration count c, and + // the block index to compute the block: + // + // T_1 = F (P, S, c, 1) , + // T_2 = F (P, S, c, 2) , + // ... + // T_l = F (P, S, c, l) , + // + // where the function F is defined as the exclusive-or sum of the + // first c iterates of the underlying pseudorandom function PRF + // applied to the password P and the concatenation of the salt S + // and the block index i: + // + // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + // + // where + // + // U_1 = PRF (P, S || INT (i)) , + // U_2 = PRF (P, U_1) , + // ... + // U_c = PRF (P, U_{c-1}) . + // + // Here, INT (i) is a four-octet encoding of the integer i, most + // significant octet first. + // + // 4. Concatenate the blocks and extract the first dkLen octets to + // produce a derived key DK: + // + // DK = T_1 || T_2 || ... || T_l<0..r-1> + + var prevBlock: [hLen]u8 = undefined; + var newBlock: [hLen]u8 = undefined; + + var block: u32 = 0; // Spec limits to u32 + while (block < l) : (block += 1) { + + // U_1 = PRF (P, S || INT (i)) + const blockIndex = mem.toBytes(mem.nativeToBig(u32, block + 1)); // Block index starts at 0001 + var ctx = Prf.init(password); + ctx.update(salt); + ctx.update(blockIndex[0..]); + ctx.final(prevBlock[0..]); + + // Choose portion of DK to write into (T_n) and initialize + const offset = block * hLen; + const blockLen = if (block != l - 1) hLen else r; + var dkBlock = derivedKey[offset..(offset + blockLen)]; + mem.copy(u8, dkBlock[0..], prevBlock[0..dkBlock.len]); + + var i: u32 = 1; + while (i < rounds) : (i += 1) { + // U_c = PRF (P, U_{c-1}) + Prf.create(newBlock[0..], prevBlock[0..], password); + mem.copy(u8, prevBlock[0..], newBlock[0..]); + + // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c + for (dkBlock) |_, j| { + dkBlock[j] ^= newBlock[j]; + } + } + } +} + +const htest = @import("test.zig"); + +// RFC 6070 PBKDF2 HMAC-SHA1 Test Vectors +test "RFC 6070 one iteration" { + const p = "password"; + const s = "salt"; + const c = 1; + const dkLen = 20; + + var derivedKey: [dkLen]u8 = undefined; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; + + htest.assertEqual(expected, derivedKey[0..]); +} + +test "RFC 6070 two iterations" { + const p = "password"; + const s = "salt"; + const c = 2; + const dkLen = 20; + + var derivedKey: [dkLen]u8 = undefined; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"; + + htest.assertEqual(expected, derivedKey[0..]); +} + +test "RFC 6070 4096 iterations" { + const p = "password"; + const s = "salt"; + const c = 4096; + const dkLen = 20; + + var derivedKey: [dkLen]u8 = undefined; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "4b007901b765489abead49d926f721d065a429c1"; + + htest.assertEqual(expected, derivedKey[0..]); +} + +test "RFC 6070 16,777,216 iterations" { + // These iteration tests are slow so we always skip them. Results have been verified. + if (true) { + return error.SkipZigTest; + } + + const p = "password"; + const s = "salt"; + const c = 16777216; + const dkLen = 20; + + var derivedKey = [_]u8{0} ** dkLen; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984"; + + htest.assertEqual(expected, derivedKey[0..]); +} + +test "RFC 6070 multi-block salt and password" { + const p = "passwordPASSWORDpassword"; + const s = "saltSALTsaltSALTsaltSALTsaltSALTsalt"; + const c = 4096; + const dkLen = 25; + + var derivedKey: [dkLen]u8 = undefined; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"; + + htest.assertEqual(expected, derivedKey[0..]); +} + +test "RFC 6070 embedded NUL" { + const p = "pass\x00word"; + const s = "sa\x00lt"; + const c = 4096; + const dkLen = 16; + + var derivedKey: [dkLen]u8 = undefined; + + pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "56fa6aa75548099dcc37d7f03425e0c3"; + + htest.assertEqual(expected, derivedKey[0..]); +} From 37db93e4260dfcb90ac1553cf096a35ada1825ca Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sat, 12 Sep 2020 15:02:00 -0400 Subject: [PATCH 02/15] Review comments from pbkdf2.zig Move block definitions inside while loop. Use usize for offset. (This still crashes on overflow) Remove unneeded slice syntax. Add slow test for Very large dkLen --- lib/std/crypto/pbkdf2.zig | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index fe00f7ee08..d0eaca1b0a 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -95,11 +95,10 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: // // DK = T_1 || T_2 || ... || T_l<0..r-1> - var prevBlock: [hLen]u8 = undefined; - var newBlock: [hLen]u8 = undefined; - var block: u32 = 0; // Spec limits to u32 while (block < l) : (block += 1) { + var prevBlock: [hLen]u8 = undefined; + var newBlock: [hLen]u8 = undefined; // U_1 = PRF (P, S || INT (i)) const blockIndex = mem.toBytes(mem.nativeToBig(u32, block + 1)); // Block index starts at 0001 @@ -109,15 +108,15 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: ctx.final(prevBlock[0..]); // Choose portion of DK to write into (T_n) and initialize - const offset = block * hLen; + const offset: usize = block * hLen; const blockLen = if (block != l - 1) hLen else r; var dkBlock = derivedKey[offset..(offset + blockLen)]; - mem.copy(u8, dkBlock[0..], prevBlock[0..dkBlock.len]); + mem.copy(u8, dkBlock, prevBlock[0..dkBlock.len]); var i: u32 = 1; while (i < rounds) : (i += 1) { // U_c = PRF (P, U_{c-1}) - Prf.create(newBlock[0..], prevBlock[0..], password); + Prf.create(&newBlock, prevBlock[0..], password); mem.copy(u8, prevBlock[0..], newBlock[0..]); // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c @@ -225,3 +224,26 @@ test "RFC 6070 embedded NUL" { htest.assertEqual(expected, derivedKey[0..]); } + +test "Very large dkLen" { + // These iteration tests are slow so we always skip them. Results have been verified. + if (true) { + return error.SkipZigTest; + } + + const p = "password"; + const s = "salt"; + const c = 1; + const dkLen = 1 << 33; + + var derivedKey = try std.testing.allocator.alloc(u8, dkLen); + defer { + std.testing.allocator.free(derivedKey); + } + + pbkdf2(derivedKey, p, s, c, crypto.hash.Sha1); + + const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; + + htest.assertEqual(expected, derivedKey[0..]); +} From 3f450b7e931b76b20e36d2bab2e2d1fed3ee19ec Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sat, 12 Sep 2020 18:17:04 -0400 Subject: [PATCH 03/15] Replace Hash function with Prf. Correct offset bit-width. --- lib/std/crypto/pbkdf2.zig | 51 +++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index d0eaca1b0a..ceed9beb6d 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -10,6 +10,14 @@ const debug = std.debug; const assert = debug.assert; const mem = std.mem; +//! PBKDF2 (Password-Based Key Derivation Function 2) is a specific Key Derivation Function, +//! intended to turn a weak, human generated password into a strong key, suitable for cryptographic +//! uses. It does this by salting and stretching the password. Salting injects non-secret random +//! data, so that identical passwords will be converted into unique keys. Stretching applies a +//! deliberately slow hashing function to frustrate brute-force guessing. +//! +//! PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. + // RFC 2898 Section 5.2 // // FromSpec: @@ -38,19 +46,33 @@ const mem = std.mem; // Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini. -pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Hash: type) void { +/// Given a password, salt, iteration count (rounds), and a pseudo-random function, generates a +/// derived key in the provided buffer slice. +/// +/// derivedKey: Slice of appropriate size for generated key. Generally 16 or 32 bytes in length. +/// May be uninitialized. All bytes will be written. +/// Maximum size is (2^32 - 1) * Hash.digest_length +/// It is a programming error to pass buffer longer than the maximum size. +/// +/// password: Arbitrary sequence of bytes of any length, including empty. +/// +/// salt: Arbitrary sequence of bytes of any length, including empty. A common length is 8 bytes. +/// +/// rounds: Iteration count. Must be greater than 0. Common values range from 1,000 to 100,000. +/// +/// Prf: Pseudo-random function to use. The most common choice is std.crypto.auth.hmac.HmacSha256. +pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) void { assert(rounds >= 1); - const dkLen = derivedKey.len; - const hLen = Hash.digest_length; - const Prf = crypto.auth.hmac.Hmac(Hash); + const dkLen: u64 = derivedKey.len; + const hLen: u32 = Prf.mac_length; // Force type to ensure multiplications can't overflow // FromSpec: // // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and // stop. // - assert(dkLen > 0 and dkLen <= (1 << 32 - 1) * hLen); + assert(dkLen > 0 and dkLen <= @as(u64, 1 << 32 - 1) * hLen); // FromSpec: // @@ -108,7 +130,7 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: ctx.final(prevBlock[0..]); // Choose portion of DK to write into (T_n) and initialize - const offset: usize = block * hLen; + const offset: u64 = @as(u64, block) * hLen; const blockLen = if (block != l - 1) hLen else r; var dkBlock = derivedKey[offset..(offset + blockLen)]; mem.copy(u8, dkBlock, prevBlock[0..dkBlock.len]); @@ -138,7 +160,7 @@ test "RFC 6070 one iteration" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; @@ -153,7 +175,7 @@ test "RFC 6070 two iterations" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"; @@ -168,7 +190,7 @@ test "RFC 6070 4096 iterations" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "4b007901b765489abead49d926f721d065a429c1"; @@ -188,7 +210,7 @@ test "RFC 6070 16,777,216 iterations" { var derivedKey = [_]u8{0} ** dkLen; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984"; @@ -203,7 +225,7 @@ test "RFC 6070 multi-block salt and password" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"; @@ -218,7 +240,7 @@ test "RFC 6070 embedded NUL" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "56fa6aa75548099dcc37d7f03425e0c3"; @@ -226,11 +248,10 @@ test "RFC 6070 embedded NUL" { } test "Very large dkLen" { - // These iteration tests are slow so we always skip them. Results have been verified. + // This test allocates 8GB of memory and is expected to take several hours to run. if (true) { return error.SkipZigTest; } - const p = "password"; const s = "salt"; const c = 1; @@ -241,7 +262,7 @@ test "Very large dkLen" { std.testing.allocator.free(derivedKey); } - pbkdf2(derivedKey, p, s, c, crypto.hash.Sha1); + pbkdf2(derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; From 17156e1775f60893b4c5040d7a0073659ea9157d Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sat, 12 Sep 2020 18:33:53 -0400 Subject: [PATCH 04/15] pbkdf2 "very large dklen test" should just check for crashes --- lib/std/crypto/pbkdf2.zig | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index ceed9beb6d..6cf1e8a75e 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -59,8 +59,10 @@ const mem = std.mem; /// salt: Arbitrary sequence of bytes of any length, including empty. A common length is 8 bytes. /// /// rounds: Iteration count. Must be greater than 0. Common values range from 1,000 to 100,000. +/// Larger iteration counts improve security by increasing the time required to compute +/// the derivedKey. It is common to tune this parameter to achieve approximately 100ms. /// -/// Prf: Pseudo-random function to use. The most common choice is std.crypto.auth.hmac.HmacSha256. +/// Prf: Pseudo-random function to use. A common choice is std.crypto.auth.hmac.HmacSha256. pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) void { assert(rounds >= 1); @@ -263,8 +265,5 @@ test "Very large dkLen" { } pbkdf2(derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); - - const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; - - htest.assertEqual(expected, derivedKey[0..]); + // Just verify this doesn't crash with an overflow } From 0f85b85acb0bd322ff7408c25dc09a84ff6621dc Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sun, 13 Sep 2020 09:59:36 -0400 Subject: [PATCH 05/15] Improve doc text --- lib/std/crypto/pbkdf2.zig | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 6cf1e8a75e..2f9b720220 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -10,11 +10,11 @@ const debug = std.debug; const assert = debug.assert; const mem = std.mem; -//! PBKDF2 (Password-Based Key Derivation Function 2) is a specific Key Derivation Function, -//! intended to turn a weak, human generated password into a strong key, suitable for cryptographic -//! uses. It does this by salting and stretching the password. Salting injects non-secret random -//! data, so that identical passwords will be converted into unique keys. Stretching applies a -//! deliberately slow hashing function to frustrate brute-force guessing. +//! PBKDF2 (Password-Based Key Derivation Function 2) is intended to turn a weak, human generated +//! password into a strong key, suitable for cryptographic uses. It does this by salting and +//! stretching the password. Salting injects non-secret random data, so that identical passwords +//! will be converted into unique keys. Stretching applies a deliberately slow hashing function to +//! frustrate brute-force guessing. //! //! PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. @@ -46,8 +46,7 @@ const mem = std.mem; // Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini. -/// Given a password, salt, iteration count (rounds), and a pseudo-random function, generates a -/// derived key in the provided buffer slice. +/// Apply PBKDF2 to generate a key from a password. /// /// derivedKey: Slice of appropriate size for generated key. Generally 16 or 32 bytes in length. /// May be uninitialized. All bytes will be written. From 257c5b534839d75092909f604bb2663e883a290f Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sun, 13 Sep 2020 10:50:46 -0400 Subject: [PATCH 06/15] Explicitly reference std.crypto.kdf in test case --- lib/std/crypto.zig | 6 +++++- lib/std/crypto/pbkdf2.zig | 14 +++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 2b42942824..c375c02906 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -35,7 +35,11 @@ pub const onetimeauth = struct { pub const Poly1305 = @import("crypto/poly1305.zig").Poly1305; }; -/// Key derivation functions +/// A Key Derivation Function (KDF) is intended to turn a weak, human generated password into a +/// strong key, suitable for cryptographic uses. It does this by salting and stretching the +/// password. Salting injects non-secret random data, so that identical passwords will be converted +/// into unique keys. Stretching applies a deliberately slow hashing function to frustrate +/// brute-force guessing. pub const kdf = struct { pub const pbkdf2 = @import("crypto/pbkdf2.zig").pbkdf2; }; diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 2f9b720220..dfa6b1c022 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -10,14 +10,6 @@ const debug = std.debug; const assert = debug.assert; const mem = std.mem; -//! PBKDF2 (Password-Based Key Derivation Function 2) is intended to turn a weak, human generated -//! password into a strong key, suitable for cryptographic uses. It does this by salting and -//! stretching the password. Salting injects non-secret random data, so that identical passwords -//! will be converted into unique keys. Stretching applies a deliberately slow hashing function to -//! frustrate brute-force guessing. -//! -//! PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. - // RFC 2898 Section 5.2 // // FromSpec: @@ -48,6 +40,8 @@ const mem = std.mem; /// Apply PBKDF2 to generate a key from a password. /// +/// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. +/// /// derivedKey: Slice of appropriate size for generated key. Generally 16 or 32 bytes in length. /// May be uninitialized. All bytes will be written. /// Maximum size is (2^32 - 1) * Hash.digest_length @@ -62,6 +56,8 @@ const mem = std.mem; /// the derivedKey. It is common to tune this parameter to achieve approximately 100ms. /// /// Prf: Pseudo-random function to use. A common choice is std.crypto.auth.hmac.HmacSha256. +/// +/// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) void { assert(rounds >= 1); @@ -161,7 +157,7 @@ test "RFC 6070 one iteration" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + std.crypto.kdf.pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; From 8a1a40276fb1577f46b89e3aefc17f9e82a933d6 Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sun, 13 Sep 2020 11:08:06 -0400 Subject: [PATCH 07/15] Extract kdf.zig to provide namespace documentation --- lib/std/crypto.zig | 11 ++--------- lib/std/crypto/kdf.zig | 17 +++++++++++++++++ lib/std/crypto/pbkdf2.zig | 2 -- 3 files changed, 19 insertions(+), 11 deletions(-) create mode 100644 lib/std/crypto/kdf.zig diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index c375c02906..64ec22894c 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -35,14 +35,7 @@ pub const onetimeauth = struct { pub const Poly1305 = @import("crypto/poly1305.zig").Poly1305; }; -/// A Key Derivation Function (KDF) is intended to turn a weak, human generated password into a -/// strong key, suitable for cryptographic uses. It does this by salting and stretching the -/// password. Salting injects non-secret random data, so that identical passwords will be converted -/// into unique keys. Stretching applies a deliberately slow hashing function to frustrate -/// brute-force guessing. -pub const kdf = struct { - pub const pbkdf2 = @import("crypto/pbkdf2.zig").pbkdf2; -}; +pub const kdf = @import("crypto/kdf.zig"); /// Core functions, that should rarely be used directly by applications. pub const core = struct { @@ -86,7 +79,7 @@ test "crypto" { _ = @import("crypto/gimli.zig"); _ = @import("crypto/hmac.zig"); _ = @import("crypto/md5.zig"); - _ = @import("crypto/pbkdf2.zig"); + _ = @import("crypto/kdf.zig"); _ = @import("crypto/poly1305.zig"); _ = @import("crypto/sha1.zig"); _ = @import("crypto/sha2.zig"); diff --git a/lib/std/crypto/kdf.zig b/lib/std/crypto/kdf.zig new file mode 100644 index 0000000000..06bf67bbbd --- /dev/null +++ b/lib/std/crypto/kdf.zig @@ -0,0 +1,17 @@ +// SPDX-License-Identifier: MIT +// Copyright (c) 2015-2020 Zig Contributors +// This file is part of [zig](https://ziglang.org/), which is MIT licensed. +// The MIT license requires this copyright notice to be included in all copies +// and substantial portions of the software. + +//! A Key Derivation Function (KDF) is intended to turn a weak, human generated password into a +//! strong key, suitable for cryptographic uses. It does this by salting and stretching the +//! password. Salting injects non-secret random data, so that identical passwords will be converted +//! into unique keys. Stretching applies a deliberately slow hashing function to frustrate +//! brute-force guessing. + +pub const pbkdf2 = @import("pbkdf2.zig").pbkdf2; + +test "kdf" { + _ = @import("pbkdf2.zig"); +} diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index dfa6b1c022..424e2d6f62 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -56,8 +56,6 @@ const mem = std.mem; /// the derivedKey. It is common to tune this parameter to achieve approximately 100ms. /// /// Prf: Pseudo-random function to use. A common choice is std.crypto.auth.hmac.HmacSha256. -/// -/// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) void { assert(rounds >= 1); From 2f9c9662ba0bdc306c1b80534187251491ffdb17 Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sun, 13 Sep 2020 11:15:28 -0400 Subject: [PATCH 08/15] Use comptime to expose public method to doc system --- lib/std/crypto/pbkdf2.zig | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 424e2d6f62..809fff13ad 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -10,6 +10,11 @@ const debug = std.debug; const assert = debug.assert; const mem = std.mem; +// Exports +comptime { + _ = crypto.kdf.pbkdf2; +} + // RFC 2898 Section 5.2 // // FromSpec: @@ -155,7 +160,7 @@ test "RFC 6070 one iteration" { var derivedKey: [dkLen]u8 = undefined; - std.crypto.kdf.pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; From 85366771ea21a0dcd93e58b35738489d773590fc Mon Sep 17 00:00:00 2001 From: Rob Napier Date: Sun, 13 Sep 2020 12:36:32 -0400 Subject: [PATCH 09/15] pbkdf2 offset into dk should be usize, not u64. --- lib/std/crypto/pbkdf2.zig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 809fff13ad..2bbf0f15d8 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -130,7 +130,7 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: ctx.final(prevBlock[0..]); // Choose portion of DK to write into (T_n) and initialize - const offset: u64 = @as(u64, block) * hLen; + const offset: usize = @as(usize, block) * hLen; const blockLen = if (block != l - 1) hLen else r; var dkBlock = derivedKey[offset..(offset + blockLen)]; mem.copy(u8, dkBlock, prevBlock[0..dkBlock.len]); From b6385870d0e65c5d7c6d7c6ef8c8ed33780b71e4 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Sun, 13 Sep 2020 22:39:54 +0300 Subject: [PATCH 10/15] Convert asserts to errors, make sure nothing overflows --- lib/std/crypto/pbkdf2.zig | 69 +++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 2bbf0f15d8..813535f3ff 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -5,15 +5,8 @@ // and substantial portions of the software. const std = @import("std"); -const crypto = std.crypto; -const debug = std.debug; -const assert = debug.assert; const mem = std.mem; - -// Exports -comptime { - _ = crypto.kdf.pbkdf2; -} +const maxInt = std.math.maxInt; // RFC 2898 Section 5.2 // @@ -48,8 +41,8 @@ comptime { /// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. /// /// derivedKey: Slice of appropriate size for generated key. Generally 16 or 32 bytes in length. -/// May be uninitialized. All bytes will be written. -/// Maximum size is (2^32 - 1) * Hash.digest_length +/// May be uninitialized. All bytes will be overwritten. +/// Maximum size is `maxInt(u32) * Hash.digest_length` /// It is a programming error to pass buffer longer than the maximum size. /// /// password: Arbitrary sequence of bytes of any length, including empty. @@ -60,29 +53,41 @@ comptime { /// Larger iteration counts improve security by increasing the time required to compute /// the derivedKey. It is common to tune this parameter to achieve approximately 100ms. /// -/// Prf: Pseudo-random function to use. A common choice is std.crypto.auth.hmac.HmacSha256. -pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) void { - assert(rounds >= 1); +/// Prf: Pseudo-random function to use. A common choice is `std.crypto.auth.hmac.HmacSha256`. +pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) !void { + if (rounds < 1) return error.TooFewRounds; - const dkLen: u64 = derivedKey.len; - const hLen: u32 = Prf.mac_length; // Force type to ensure multiplications can't overflow + const dkLen = derivedKey.len; + const hLen = Prf.mac_length; // FromSpec: // - // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and + // 1. If dkLen > maxInt(u32) * hLen, output "derived key too long" and // stop. // - assert(dkLen > 0 and dkLen <= @as(u64, 1 << 32 - 1) * hLen); + if (comptime (maxInt(usize) < maxInt(u32) * hLen) and (dkLen > @as(usize, maxInt(u32) * hLen))) { + // If maxInt(usize) is less than `maxInt(u32) * hLen` then dkLen is always inbounds + // This also asserts hLen >= 1 + return error.DerivedKeyTooLong; + } // FromSpec: // - // 2. Let l be the number of hLen-octet blocks in the derived key, - // rounding up, and let r be the number of octets in the last + // 2. Let l be the number of hLen-long blocks of bytes in the derived key, + // rounding up, and let r be the number of bytes in the last // block // - const l = (dkLen + hLen - 1) / hLen; - var r = dkLen % hLen; - r = if (r != 0) r else hLen; + + // l will not overflow, proof: + // let `L(dkLen, hLen) = (dkLen + hLen - 1) / hLen` + // then `L^-1(l, hLen) = l*hLen - hLen + 1` + // 1) L^-1(maxInt(u32), hLen) <= maxInt(u32)*hLen + // 2) maxInt(u32)*hLen - hLen + 1 <= maxInt(u32)*hLen // subtract maxInt(u32)*hLen + 1 + // 3) -hLen <= -1 // multiply by -1 + // 4) hLen >= 1 + const r_ = dkLen % hLen; + const l = @intCast(u32, (dkLen / hLen) + if (r_ == 0) 0 else 1); // original: (dkLen + hLen - 1) / hLen + const r = if (r_ == 0) hLen else r_; // FromSpec: // @@ -116,7 +121,6 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: // produce a derived key DK: // // DK = T_1 || T_2 || ... || T_l<0..r-1> - var block: u32 = 0; // Spec limits to u32 while (block < l) : (block += 1) { var prevBlock: [hLen]u8 = undefined; @@ -130,9 +134,9 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: ctx.final(prevBlock[0..]); // Choose portion of DK to write into (T_n) and initialize - const offset: usize = @as(usize, block) * hLen; + const offset = block * hLen; const blockLen = if (block != l - 1) hLen else r; - var dkBlock = derivedKey[offset..(offset + blockLen)]; + const dkBlock: []u8 = derivedKey[offset..][0..blockLen]; mem.copy(u8, dkBlock, prevBlock[0..dkBlock.len]); var i: u32 = 1; @@ -150,6 +154,7 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: } const htest = @import("test.zig"); +const HmacSha1 = std.crypto.auth.hmac.HmacSha1; // RFC 6070 PBKDF2 HMAC-SHA1 Test Vectors test "RFC 6070 one iteration" { @@ -160,7 +165,7 @@ test "RFC 6070 one iteration" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "0c60c80f961f0e71f3a9b524af6012062fe037a6"; @@ -175,7 +180,7 @@ test "RFC 6070 two iterations" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"; @@ -190,7 +195,7 @@ test "RFC 6070 4096 iterations" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "4b007901b765489abead49d926f721d065a429c1"; @@ -210,7 +215,7 @@ test "RFC 6070 16,777,216 iterations" { var derivedKey = [_]u8{0} ** dkLen; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "eefe3d61cd4da4e4e9945b3d6ba2158c2634e984"; @@ -225,7 +230,7 @@ test "RFC 6070 multi-block salt and password" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"; @@ -240,7 +245,7 @@ test "RFC 6070 embedded NUL" { var derivedKey: [dkLen]u8 = undefined; - pbkdf2(&derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(&derivedKey, p, s, c, ); const expected = "56fa6aa75548099dcc37d7f03425e0c3"; @@ -262,6 +267,6 @@ test "Very large dkLen" { std.testing.allocator.free(derivedKey); } - pbkdf2(derivedKey, p, s, c, crypto.auth.hmac.HmacSha1); + try pbkdf2(derivedKey, p, s, c, HmacSha1); // Just verify this doesn't crash with an overflow } From d75cbb01db4f7fb73c4382af4351dc0e393d5d39 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Sun, 13 Sep 2020 23:00:33 +0300 Subject: [PATCH 11/15] Reference all crypto declarations --- lib/std/crypto.zig | 25 +++++++++++++++++++++++-- lib/std/crypto/kdf.zig | 17 ----------------- 2 files changed, 23 insertions(+), 19 deletions(-) delete mode 100644 lib/std/crypto/kdf.zig diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 64ec22894c..9df96dec7d 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -35,7 +35,14 @@ pub const onetimeauth = struct { pub const Poly1305 = @import("crypto/poly1305.zig").Poly1305; }; -pub const kdf = @import("crypto/kdf.zig"); +/// A Key Derivation Function (KDF) is intended to turn a weak, human generated password into a +/// strong key, suitable for cryptographic uses. It does this by salting and stretching the +/// password. Salting injects non-secret random data, so that identical passwords will be converted +/// into unique keys. Stretching applies a deliberately slow hashing function to frustrate +/// brute-force guessing. +pub const kdf = struct { + pub const pbkdf2 = @import("crypto/pbkdf2.zig").pbkdf2; +}; /// Core functions, that should rarely be used directly by applications. pub const core = struct { @@ -72,6 +79,20 @@ const std = @import("std.zig"); pub const randomBytes = std.os.getrandom; test "crypto" { + inline for (std.meta.declarations(std)) |decl| { + switch (decl.data) { + .Type => |t| { + std.meta.refAllDecls(t); + }, + .Var => |v| { + _ = v; + }, + .Fn => |f| { + _ = f; + }, + } + } + _ = @import("crypto/aes.zig"); _ = @import("crypto/blake2.zig"); _ = @import("crypto/blake3.zig"); @@ -79,7 +100,7 @@ test "crypto" { _ = @import("crypto/gimli.zig"); _ = @import("crypto/hmac.zig"); _ = @import("crypto/md5.zig"); - _ = @import("crypto/kdf.zig"); + _ = @import("crypto/pbkdf2.zig"); _ = @import("crypto/poly1305.zig"); _ = @import("crypto/sha1.zig"); _ = @import("crypto/sha2.zig"); diff --git a/lib/std/crypto/kdf.zig b/lib/std/crypto/kdf.zig deleted file mode 100644 index 06bf67bbbd..0000000000 --- a/lib/std/crypto/kdf.zig +++ /dev/null @@ -1,17 +0,0 @@ -// SPDX-License-Identifier: MIT -// Copyright (c) 2015-2020 Zig Contributors -// This file is part of [zig](https://ziglang.org/), which is MIT licensed. -// The MIT license requires this copyright notice to be included in all copies -// and substantial portions of the software. - -//! A Key Derivation Function (KDF) is intended to turn a weak, human generated password into a -//! strong key, suitable for cryptographic uses. It does this by salting and stretching the -//! password. Salting injects non-secret random data, so that identical passwords will be converted -//! into unique keys. Stretching applies a deliberately slow hashing function to frustrate -//! brute-force guessing. - -pub const pbkdf2 = @import("pbkdf2.zig").pbkdf2; - -test "kdf" { - _ = @import("pbkdf2.zig"); -} From f6195be99770e3f9cc4e8a89bcf451a640bb4b95 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Sun, 13 Sep 2020 23:31:59 +0300 Subject: [PATCH 12/15] fix ref --- lib/std/crypto.zig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 9df96dec7d..3a1ae599a0 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -79,7 +79,7 @@ const std = @import("std.zig"); pub const randomBytes = std.os.getrandom; test "crypto" { - inline for (std.meta.declarations(std)) |decl| { + inline for (std.meta.declarations(@This())) |decl| { switch (decl.data) { .Type => |t| { std.meta.refAllDecls(t); From 73863cf72be02020886d9f8daf15754a8d3b2567 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Sun, 13 Sep 2020 23:59:36 +0300 Subject: [PATCH 13/15] fix build --- lib/std/crypto/pbkdf2.zig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 813535f3ff..8ff2b4f640 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -86,7 +86,7 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: // 3) -hLen <= -1 // multiply by -1 // 4) hLen >= 1 const r_ = dkLen % hLen; - const l = @intCast(u32, (dkLen / hLen) + if (r_ == 0) 0 else 1); // original: (dkLen + hLen - 1) / hLen + const l = @intCast(u32, (dkLen / hLen) + @as(u1, if (r_ == 0) 0 else 1)); // original: (dkLen + hLen - 1) / hLen const r = if (r_ == 0) hLen else r_; // FromSpec: @@ -245,7 +245,7 @@ test "RFC 6070 embedded NUL" { var derivedKey: [dkLen]u8 = undefined; - try pbkdf2(&derivedKey, p, s, c, ); + try pbkdf2(&derivedKey, p, s, c, HmacSha1); const expected = "56fa6aa75548099dcc37d7f03425e0c3"; From 988fc6f9d1419a63d7ecd3507966ba0b4c15eac5 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Mon, 14 Sep 2020 02:27:09 +0300 Subject: [PATCH 14/15] flip condition --- lib/std/crypto/pbkdf2.zig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 8ff2b4f640..1ba176ab9b 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -59,15 +59,15 @@ pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: const dkLen = derivedKey.len; const hLen = Prf.mac_length; + comptime std.debug.assert(hLen >= 1); // FromSpec: // // 1. If dkLen > maxInt(u32) * hLen, output "derived key too long" and // stop. // - if (comptime (maxInt(usize) < maxInt(u32) * hLen) and (dkLen > @as(usize, maxInt(u32) * hLen))) { + if (comptime (maxInt(usize) > maxInt(u32) * hLen) and (dkLen > @as(usize, maxInt(u32) * hLen))) { // If maxInt(usize) is less than `maxInt(u32) * hLen` then dkLen is always inbounds - // This also asserts hLen >= 1 return error.DerivedKeyTooLong; } From c35703825f17bb2b1108a371bb0559b89ff2b2a0 Mon Sep 17 00:00:00 2001 From: Rocknest <35231115+Rocknest@users.noreply.github.com> Date: Wed, 16 Sep 2020 01:58:48 +0300 Subject: [PATCH 15/15] Add an error set --- lib/std/crypto/pbkdf2.zig | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig index 1ba176ab9b..85c8e01105 100644 --- a/lib/std/crypto/pbkdf2.zig +++ b/lib/std/crypto/pbkdf2.zig @@ -36,6 +36,14 @@ const maxInt = std.math.maxInt; // Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini. +pub const Pbkdf2Error = error{ + /// At least one round is required + TooFewRounds, + + /// Maximum length of the derived key is `maxInt(u32) * Prf.mac_length` + DerivedKeyTooLong, +}; + /// Apply PBKDF2 to generate a key from a password. /// /// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132. @@ -54,7 +62,7 @@ const maxInt = std.math.maxInt; /// the derivedKey. It is common to tune this parameter to achieve approximately 100ms. /// /// Prf: Pseudo-random function to use. A common choice is `std.crypto.auth.hmac.HmacSha256`. -pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) !void { +pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) Pbkdf2Error!void { if (rounds < 1) return error.TooFewRounds; const dkLen = derivedKey.len;