Skip to content

crypto: add crypto:kdf/4#11301

Open
jtdowney wants to merge 1 commit into
erlang:masterfrom
jtdowney:add-crypto-kdf
Open

crypto: add crypto:kdf/4#11301
jtdowney wants to merge 1 commit into
erlang:masterfrom
jtdowney:add-crypto-kdf

Conversation

@jtdowney

Copy link
Copy Markdown
Contributor

Add a crypto:kdf/4 NIF backed by OpenSSL's EVP_KDF, supporting argon2, hkdf, scrypt, sskdf, and pbkdf2 with option maps.

This was something I had proposed on Erlang Forums and also discovered is the same as #10179.

Closes #10179

@github-actions

github-actions Bot commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

CT Test Results

  2 files   14 suites   4m 31s ⏱️
206 tests 185 ✅  21 💤 0 ❌
498 runs  348 ✅ 150 💤 0 ❌

Results for commit fd899ca.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@Mikaka27 Mikaka27 self-assigned this Jun 30, 2026
@Mikaka27 Mikaka27 added the team:PS Assigned to OTP team PS label Jun 30, 2026

@Mikaka27 Mikaka27 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible for you to add mentions of this to the documentation files as well?

Comment thread lib/crypto/c_src/kdf.c Outdated
Comment on lines +53 to +58
#ifndef HAVE_ARGON2
if (kdf->kind == ARGON2_kdf && kdf->kdf != NULL) {
EVP_KDF_free(kdf->kdf);
kdf->kdf = NULL;
}
#endif

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that just a precaution, or does it actually happen on some openssl versions?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OpenSSL < 3.2 doesn't support argon2 but does support other KDFs. This showed up in the CT output, for example, because it appears to run against OpenSSL 3.0.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But did you see it when you locally compiled it with openssl 3.0, or in github or somewhere else? When I compiled it with openssl 3.0 EVP_KDF_fetch returned NULL for argon2.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see the pattern that is used in cipher.c and adopted that in a986cfa

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok I see, it was harmless anyway, but I was wondering if I missed something, thanks.

Comment thread lib/crypto/c_src/kdf.c Outdated
Comment thread lib/crypto/c_src/kdf.c
Comment thread lib/crypto/c_src/kdf.c
Comment thread lib/crypto/c_src/kdf.c
Comment thread lib/crypto/c_src/kdf.c Outdated
Comment thread lib/crypto/c_src/kdf.c
@Mikaka27 Mikaka27 added testing currently being tested, tag is used by OTP internal CI waiting waiting for changes/input from author labels Jul 7, 2026
@jtdowney

jtdowney commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Would it be possible for you to add mentions of this to the documentation files as well?

I've added docs to lib/crypto/doc/guides/algorithm_details.md in 83a045f. Let me know if I missed it somewhere else.

Comment thread lib/crypto/c_src/kdf.c
Comment thread lib/crypto/c_src/kdf.c
@Mikaka27 Mikaka27 added testing currently being tested, tag is used by OTP internal CI and removed testing currently being tested, tag is used by OTP internal CI waiting waiting for changes/input from author labels Jul 9, 2026

@Mikaka27 Mikaka27 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry, I haven't caught everything at once, I added comments.
It would be good if you could squash the commits somehow so we don't have commits fixing other commits.
Otherwise this looks good to me.

Comment thread lib/crypto/c_src/kdf.c Outdated
Comment thread lib/crypto/c_src/kdf.c Outdated
Comment thread lib/crypto/src/crypto.erl Outdated
@jtdowney

Copy link
Copy Markdown
Contributor Author

It would be good if you could squash the commits somehow so we don't have commits fixing other commits. Otherwise this looks good to me.

Happy to squash, just was trying to keep it incremental for review.

@jtdowney

Copy link
Copy Markdown
Contributor Author

Squashed to d395559

@Mikaka27

Copy link
Copy Markdown
Contributor

I did a push, didn't want to bother you with it, I moved pbkdf2_hmac and kdf functions (and types they use in specs) to Kdf API, similar to other api groups in docs. I'll run this through the CI, and look at it on monday.

Mikaka27
Mikaka27 previously approved these changes Jul 11, 2026
@Mikaka27 Mikaka27 added testing currently being tested, tag is used by OTP internal CI and removed testing currently being tested, tag is used by OTP internal CI labels Jul 11, 2026
@jtdowney

Copy link
Copy Markdown
Contributor Author

One nit with that change, other initialisms (MAC, RSA, etc) are uppercased in the docs, but this is Kdf. I'd expect it to be KDF.

@Mikaka27

Copy link
Copy Markdown
Contributor

One nit with that change, other initialisms (MAC, RSA, etc) are uppercased in the docs, but this is Kdf. I'd expect it to be KDF.

I can fix that later, don't have my computer with me now, thanks :)

@Mikaka27

Copy link
Copy Markdown
Contributor

@jtdowney I've pushed what you pointed out, can you take a look if you see any other problems in the PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

team:PS Assigned to OTP team PS testing currently being tested, tag is used by OTP internal CI

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Exposé OpenSSL KDF/PHF functions in crypto

2 participants