diff options
author | David Reid <dreid@dreid.org> | 2014-01-28 13:33:23 -0800 |
---|---|---|
committer | David Reid <dreid@dreid.org> | 2014-02-03 10:05:27 -0800 |
commit | 69d16c2c6e0fb6a90ac392cc09cae0baa0c5b692 (patch) | |
tree | 4533ed2e43754737baa7ae04e1102ee072c8c850 | |
parent | c4e7563ded0963097ce836cd701880b770f50ab9 (diff) | |
download | cryptography-69d16c2c6e0fb6a90ac392cc09cae0baa0c5b692.tar.gz cryptography-69d16c2c6e0fb6a90ac392cc09cae0baa0c5b692.tar.bz2 cryptography-69d16c2c6e0fb6a90ac392cc09cae0baa0c5b692.zip |
Expand, extract, verify.
-rw-r--r-- | cryptography/hazmat/primitives/kdf/hkdf.py | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index c7999f10..71c277f4 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -15,6 +15,7 @@ import six from cryptography import exceptions from cryptography.hazmat.primitives import hmac +from cryptography.hazmat.primitives import constant_time class HKDF(object): @@ -44,11 +45,27 @@ class HKDF(object): self._used = False + def extract(self, key_material): + if self._used: + raise exceptions.AlreadyFinalized + + self._used = True + + return self._extract(key_material) + def _extract(self, key_material): h = hmac.HMAC(self._salt, self._algorithm, backend=self._backend) h.update(key_material) return h.finalize() + def expand(self, key_material): + if self._used: + raise exceptions.AlreadyFinalized + + self._used = True + + return self._expand(key_material) + def _expand(self, key_material): output = [b''] counter = 1 @@ -71,7 +88,5 @@ class HKDF(object): return self._expand(self._extract(key_material)) def verify(self, key_material, expected_key): - if self._used: - raise exceptions.AlreadyFinalized - - self._used = True + if not constant_time.bytes_eq(self.derive(key_material), expected_key): + raise exceptions.InvalidKey |