Limit HKDF to SHA-{256,384,512} and remove HKDF-SHA-1 tests.

src/hkdf.rs

@@ -21,7 +21,7 @@
 //! fn derive_opening_key(
 //!     key_algorithm: &'static aead::Algorithm, salt: [u8; 32], ikm: [u8; 32], info: &[u8],
 //! ) -> Result<aead::OpeningKey, error::Unspecified> {
-//!     let salt = hkdf::Salt::new(&digest::SHA512, &salt);
+//!     let salt = hkdf::Salt::new(&hkdf::HKDF_SHA512, &salt);
 //!     let prk = salt.extract(&ikm);
 //!     let mut key_bytes = vec![0; key_algorithm.key_len()];
 //!     let out = prk.expand(info).fill(&mut key_bytes)?;
@@ -33,6 +33,19 @@
 
 use crate::{digest, error, hmac};
 
+/// An HKDF algorithm.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub struct Algorithm(&'static digest::Algorithm);
+
+/// HKDF using HMAC-SHA-256.
+pub static HKDF_SHA256: Algorithm = Algorithm(&digest::SHA256);
+
+/// HKDF using HMAC-SHA-384.
+pub static HKDF_SHA384: Algorithm = Algorithm(&digest::SHA384);
+
+/// HKDF using HMAC-SHA-512.
+pub static HKDF_SHA512: Algorithm = Algorithm(&digest::SHA512);
+
 /// A salt for HKDF operations.
 #[derive(Debug)]
 pub struct Salt(hmac::Key);
@@ -43,8 +56,8 @@ impl Salt {
     ///
     /// Constructing a `Salt` is relatively expensive so it is good to reuse a
     /// `Salt` object instead of re-constructing `Salt`s with the same value.
-    pub fn new(digest_algorithm: &'static digest::Algorithm, value: &[u8]) -> Self {
-        Salt(hmac::Key::new(digest_algorithm, value))
+    pub fn new(algorithm: &'static Algorithm, value: &[u8]) -> Self {
+        Salt(hmac::Key::new(algorithm.0, value))
     }
 
     /// The [HKDF-Extract] operation.

tests/hkdf_tests.rs

@@ -31,7 +31,7 @@
     warnings
 )]
 
-use ring::{error, hkdf, test, test_file};
+use ring::{digest, error, hkdf, test, test_file};
 
 #[cfg(target_arch = "wasm32")]
 use wasm_bindgen_test::wasm_bindgen_test;
@@ -47,16 +47,24 @@ wasm_bindgen_test_configure!(run_in_browser);
 fn hkdf_tests() {
     test::run(test_file!("hkdf_tests.txt"), |section, test_case| {
         assert_eq!(section, "");
-        let digest_alg = test_case
-            .consume_digest_alg("Hash")
-            .ok_or(error::Unspecified)?;
+        let alg = {
+            let digest_alg = test_case
+                .consume_digest_alg("Hash")
+                .ok_or(error::Unspecified)?;
+            if digest_alg == &digest::SHA256 {
+                &hkdf::HKDF_SHA256
+            } else {
+                // TODO: add test vectors for other algorithms
+                panic!("unsupported algorithm: {:?}", digest_alg);
+            }
+        };
         let secret = test_case.consume_bytes("IKM");
         let salt = test_case.consume_bytes("salt");
         let info = test_case.consume_bytes("info");
         let _ = test_case.consume_bytes("PRK");
         let expected_out = test_case.consume_bytes("OKM");
 
-        let salt = hkdf::Salt::new(digest_alg, &salt);
+        let salt = hkdf::Salt::new(alg, &salt);
 
         let mut out = vec![0u8; expected_out.len()];
         salt.extract(&secret).expand(&info).fill(&mut out).unwrap();

tests/hkdf_tests.txt

@@ -25,40 +25,6 @@ info = ""
 PRK = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
 OKM = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
 
-# A.4. Test Case 4 = Basic test case with SHA-1
-Hash = SHA1
-IKM = 0b0b0b0b0b0b0b0b0b0b0b
-salt = 000102030405060708090a0b0c
-info = f0f1f2f3f4f5f6f7f8f9
-PRK = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
-OKM = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
-
-# A.5. Test Case 5 = Test with SHA-1 and longer inputs/outputs
-Hash = SHA1
-IKM = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
-salt = 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
-info = b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-PRK = 8adae09a2a307059478d309b26c4115a224cfaf6
-OKM = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
-
-# A.6. Test Case 6 = Test with SHA-1 and zero-length salt/info
-Hash = SHA1
-IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
-salt = ""
-info = ""
-PRK = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
-OKM = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
-
-# A.7. Test Case 7 = Test with SHA-1, salt not provided (defaults to HashLen
-# zero octets), zero-length info
-Hash = SHA1
-IKM = 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
-salt = ""
-info = ""
-PRK = 2adccada18779e7c2077ad2eb19d3f3e731385dd
-OKM = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
-
-
 # Variants of the above tests.
 
 # Variant of A.1. with zero-length output