rename PBKDF2 to PBKDF2HMAC, address many other review comments
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py
index 936520e..53c7518 100644
--- a/cryptography/hazmat/backends/interfaces.py
+++ b/cryptography/hazmat/backends/interfaces.py
@@ -67,16 +67,17 @@
"""
-class PBKDF2Backend(six.with_metaclass(abc.ABCMeta)):
+class PBKDF2HMACBackend(six.with_metaclass(abc.ABCMeta)):
@abc.abstractmethod
- def pbkdf2_hash_supported(self, algorithm):
+ def pbkdf2_hmac_supported(self, algorithm):
"""
Return True if the hash algorithm is supported for PBKDF2 by this
backend.
"""
@abc.abstractmethod
- def derive_pbkdf2(self, algorithm, length, salt, iterations, key_material):
+ def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+ key_material):
"""
Return length bytes derived from provided PBKDF2 parameters.
"""
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index ca7d177..dbdb2e5 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -20,7 +20,7 @@
UnsupportedAlgorithm, InvalidTag, InternalError
)
from cryptography.hazmat.backends.interfaces import (
- CipherBackend, HashBackend, HMACBackend, PBKDF2Backend
+ CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend
)
from cryptography.hazmat.primitives import interfaces, hashes
from cryptography.hazmat.primitives.ciphers.algorithms import (
@@ -35,7 +35,7 @@
@utils.register_interface(CipherBackend)
@utils.register_interface(HashBackend)
@utils.register_interface(HMACBackend)
-@utils.register_interface(PBKDF2Backend)
+@utils.register_interface(PBKDF2HMACBackend)
class Backend(object):
"""
OpenSSL API binding interfaces.
@@ -134,15 +134,19 @@
def create_symmetric_decryption_ctx(self, cipher, mode):
return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
- def pbkdf2_hash_supported(self, algorithm):
+ def pbkdf2_hmac_supported(self, algorithm):
if self._lib.Cryptography_HAS_PBKDF2_HMAC:
digest = self._lib.EVP_get_digestbyname(
algorithm.name.encode("ascii"))
return digest != self._ffi.NULL
else:
+ # OpenSSL < 1.0.0 has an explicit PBKDF2-HMAC-SHA1 function,
+ # so if the PBKDF2_HMAC function is missing we only support
+ # SHA1 via PBKDF2_HMAC_SHA1.
return isinstance(algorithm, hashes.SHA1)
- def derive_pbkdf2(self, algorithm, length, salt, iterations, key_material):
+ def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+ key_material):
buf = self._ffi.new("char[]", length)
if self._lib.Cryptography_HAS_PBKDF2_HMAC:
evp_md = self._lib.EVP_get_digestbyname(
diff --git a/cryptography/hazmat/primitives/kdf/pbkdf2.py b/cryptography/hazmat/primitives/kdf/pbkdf2.py
index 1cc35f6..940d991 100644
--- a/cryptography/hazmat/primitives/kdf/pbkdf2.py
+++ b/cryptography/hazmat/primitives/kdf/pbkdf2.py
@@ -21,11 +21,12 @@
@utils.register_interface(interfaces.KeyDerivationFunction)
-class PBKDF2(object):
+class PBKDF2HMAC(object):
def __init__(self, algorithm, length, salt, iterations, backend):
if not backend.pbkdf2_hash_supported(algorithm):
raise UnsupportedAlgorithm(
- "{0} is not supported by this backend".format(algorithm.name)
+ "{0} is not supported for PBKDF2 by this backend".format(
+ algorithm.name)
)
self._called = False
self.algorithm = algorithm
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 975a7b0..e22c6bb 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -134,32 +134,32 @@
-.. class:: PBKDF2Backend
+.. class:: PBKDF2HMACBackend
.. versionadded:: 0.2
- A backend with methods for using PBKDF2.
+ A backend with methods for using PBKDF2 using HMAC as a PRF.
- .. method:: pbkdf2_hash_supported(algorithm)
+ .. method:: pbkdf2_hmac_supported(algorithm)
Check if the specified ``algorithm`` is supported by this backend.
- :param algorithm: An instance of a
+ :param prf: An instance of a
:class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
provider.
:returns: ``True`` if the specified ``algorithm`` is supported for
- PBKDF2 by this backend, otherwise ``False``.
+ PBKDF2 HMAC by this backend, otherwise ``False``.
- .. method:: derive_pbkdf2(self, algorithm, length, salt, iterations,
- key_material)
+ .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+ key_material)
:param algorithm: An instance of a
:class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
provider.
:param int length: The desired length of the derived key. Maximum is
- 2\ :sup:`31` - 1.
+ (2\ :sup:`32` - 1) * ``algorithm.digest_size``
:param bytes salt: A salt.
diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst
index 51d73bc..bad7a36 100644
--- a/docs/hazmat/primitives/key-derivation-functions.rst
+++ b/docs/hazmat/primitives/key-derivation-functions.rst
@@ -35,7 +35,7 @@
:class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
provider.
:param int length: The desired length of the derived key. Maximum is
- 2\ :sup:`31` - 1.
+ (2\ :sup:`32` - 1) * ``algorithm.digest_size``
:param bytes salt: A salt. `NIST SP 800-132`_ recommends 128-bits or
longer.
:param int iterations: The number of iterations to perform of the hash