Google Git
Sign in
go/crypto.git/master^!/.
commit
b9e53593a6073e6a786c49e9ad27956a9b77e54e
[log]
author
Filippo Valsorda <filippo@golang.org>
Wed Apr 22 12:12:18 2026 +0200
committer
Gopher Robot <gobot@golang.org>
Thu Apr 23 08:20:11 2026 -0700
tree
ba1ebb853725f455eec33fc587bbe00a0ddb85de
parent
cc0e4fc1d49127130b0d00612a2eeed2ab745d40 [diff]
pbkdf2: turn into a wrapper for crypto/pbkdf2

Change-Id: If95f1d771404fe88a8f9bc0a17b5a4d16a6a6964
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/769721
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

diff --git a/pbkdf2/pbkdf2.go b/pbkdf2/pbkdf2.go
index 28cd99c..b332122 100644
--- a/pbkdf2/pbkdf2.go
+++ b/pbkdf2/pbkdf2.go

@@ -2,24 +2,17 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
+// Package pbkdf2 implements the key derivation function PBKDF2 as defined in
+// RFC 8018 (PKCS #5 v2.1).
+//
+// This package is a wrapper for the PBKDF2 implementation in the
+// [crypto/pbkdf2] package. It is [frozen] and is not accepting new features.
+//
+// [frozen]: https://go.dev/wiki/Frozen
 package pbkdf2
 
 import (
-	"crypto/hmac"
+	"crypto/pbkdf2"
 	"hash"
 )
 
@@ -27,51 +20,11 @@
 // []byte of length keylen that can be used as cryptographic key. The key is
 // derived based on the method described as PBKDF2 with the HMAC variant using
 // the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-//	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
 func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		prf.Write(salt)
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		prf.Write(buf[:4])
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			prf.Write(U)
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
+	out, err := pbkdf2.Key(h, string(password), salt, iter, keyLen)
+	if err != nil {
+		// FIPS 140 enforcement, or an invalid key length.
+		panic(err)
 	}
-	return dk[:keyLen]
+	return out
 }