ring-native 0.0.0

data/vendor/ring/src/input.rs

@@ -0,0 +1,312 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! The Input/Reader framework for safe, fast, zero-heap-usage protocol parsing.
+//!
+//! The Input/Reader framework goes beyond Rust's normal safety guarantees by
+//! also guaranteeing that parsing will be panic-free, as long as
+//! `Input::as_slice_less_safe` is not used. It avoids copying data and heap
+//! allocation and strives to prevent common pitfalls such as accidentally
+//! parsing input bytes multiple times. In order to meet these goals, the
+//! Input/Reader framework is limited in functionality such that it works best
+//! for input languages with a small fixed amount of lookahead such as ASN.1,
+//! TLS, TCP/IP, and many other networking, IPC, and related protocols.
+//! Input languages that require more lookahead and/or backtracking require
+//! some significant contortions to parse using this framework. It would not be
+//! realistic to use it for parsing programming language code or natural
+//! language text, for example.
+//!
+//! The overall pattern for using the Input/Reader framework is:
+//!
+//! 1. Write a recursive-descent-style parser for the input language, where the
+//!    input data is given as a `&mut Reader` parameter to each function. Each
+//!    function should have a return type of `Result<V, E>` for some value type
+//!    `V` and some error type `E`, either or both of which may be `()`.
+//!    Functions for parsing the lowest-level language constructs should be
+//!    defined. Those lowest-level functions will parse their inputs using
+//!    `Reader::read_byte`, `Reader::peek`, and similar functions. Higher-level
+//!    language constructs are then parsed by calling the lower-level functions
+//!    in sequence.
+//!
+//! 2. Wrap the top-most functions of your recursive-descent parser in
+//!    functions that take their input data as an `Input`. The wrapper
+//!    functions should pass the `Input` to `read_all` or one of the variants.
+//!    The wrapper functions are the only ones that should be exposed outside
+//!    the parser's module.
+//!
+//! 3. After receiving the input data to parse, wrap it in an `Input` using
+//!    `Input::new` as early as possible. Pass the `Input` to the wrapper
+//!    functions when they need to be parsed.
+//!
+//! In general parsers built using `Reader` do not need to explicitly check
+//! for end-of-input unless they are parsing optional constructs, because
+//! `Reader::read_byte()` will return `Err(())` on end-of-input. Similarly,
+//! parsers using `Reader` generally don't need to check for extra junk at the
+//! end of the input as long as the parser's API uses the pattern described
+//! above, as `read_all` and its variants automatically check for trailing
+//! junk. `Reader::skip_to_end` should be used when the end of the input should
+//! be ignored without triggering an error.
+//!
+//! The Input/Reader framework works best when all processing of the input data
+//! is done through the `Input` and `Reader` types. In particular, avoid trying
+//! to parse input data using functions that take slices. However, when you
+//! need to access a part of the input data as a slice,
+//! `Input::as_slice_less_safe` can be used. *ring* is in the process of
+//! migrating fully to using `Input` for all inputs to the crypto functions,
+//! which means that `Input::as_slice_less_safe` currently needs to be used
+//! frequently to use *ring*'s crypto functionality. This will change soon.
+//!
+//! [libwebpki](https://github.com/briansmith/webpki)'s X.509 certificate
+//! parser is a good example of a real-world use of the Input/Reader framework
+//! to parse complex data.
+
+use std;
+
+/// Calls `read` with the given input as a `Reader`, ensuring that `read`
+/// consumed the entire input. If `read` does not consume the entire input,
+/// `incomplete_read` is returned.
+pub fn read_all<'a, F, R, E>(input: Input<'a>, incomplete_read: E, read: F)
+                             -> Result<R, E>
+                             where F: FnOnce(&mut Reader<'a>) -> Result<R, E> {
+    let mut input = Reader::new(input);
+    let result = try!(read(&mut input));
+    if input.at_end() {
+        Ok(result)
+    } else {
+        Err(incomplete_read)
+    }
+}
+
+/// Like `read_all`, except taking an `FnMut`.
+pub fn read_all_mut<'a, F, R, E>(input: Input<'a>, incomplete_read: E, mut read: F)
+                                 -> Result<R, E>
+                                 where F: FnMut(&mut Reader<'a>)
+                                                -> Result<R, E> {
+    let mut input = Reader::new(input);
+    let result = try!(read(&mut input));
+    if input.at_end() {
+        Ok(result)
+    } else {
+        Err(incomplete_read)
+    }
+}
+
+/// Calls `read` with the given input as a `Reader`, ensuring that `read`
+/// consumed the entire input. When `input` is `None`, `read` will be called
+/// with `None`.
+pub fn read_all_optional<'a, F, R, E>(input: Option<Input<'a>>,
+                                      incomplete_read: E, read: F)
+                                      -> Result<R, E>
+                                      where F: FnOnce(Option<&mut Reader>)
+                                                      -> Result<R, E> {
+    match input {
+        Some(input) => {
+            let mut input = Reader::new(input);
+            let result = try!(read(Option::Some(&mut input)));
+            if input.at_end() {
+                Ok(result)
+            } else {
+                Err(incomplete_read)
+            }
+        },
+        None => read(Option::None)
+    }
+}
+
+/// A wrapper around `&'a [u8]` that helps in writing panic-free code.
+///
+/// No methods of `Input` will ever panic.
+#[derive(Clone, Copy, Debug, PartialEq)]
+pub struct Input<'a> {
+    value: no_panic::NoPanicSlice<'a>
+}
+
+impl<'a> Input<'a> {
+    /// Construct a new `Input` for the given input `bytes`.
+    pub fn new(bytes: &'a [u8]) -> Result<Input<'a>, ()> {
+        // This limit is important for avoiding integer overflow. In particular,
+        // `Reader` assumes that an `i + 1 > i` if `input.value.get(i)` does
+        // not return `None`.
+        if bytes.len() > std::usize::MAX - 1 {
+            return Err(())
+        }
+        Ok(Input { value: no_panic::NoPanicSlice::new(bytes) })
+    }
+
+    /// Returns `true` if the input is empty and false otherwise.
+    #[inline]
+    pub fn is_empty(&self) -> bool { self.value.len() == 0 }
+
+    /// Returns the length of the `Input`.
+    #[inline]
+    pub fn len(&self) -> usize { self.value.len() }
+
+    /// Access the input as a slice so it can be processed by functions that
+    /// are not written using the Input/Reader framework.
+    #[inline]
+    pub fn as_slice_less_safe(&self) -> &'a [u8] {
+        self.value.as_slice_less_safe()
+    }
+}
+
+/// Returns `true` if the contents of `Input` `a` are equal to the contents of
+/// slice `b`, and `false` otherwise.
+#[inline]
+pub fn input_equals(a: Input, b: &[u8]) -> bool {
+    a.value.as_slice_less_safe() == b
+}
+
+/// A read-only, forward-only* cursor into the data in an `Input`.
+///
+/// Using `Reader` to parse input helps to ensure that no byte of the input
+/// will be accidentally processed more than once. Using `Reader` in
+/// conjunction with `read_all`, `read_all_mut`, and `read_all_optional`
+/// helps ensure that no byte of the input is accidentally left unprocessed.
+/// The methods of `Reader` never panic, so `Reader` also assists the writing
+/// of panic-free code.
+///
+/// \* `Reader` is not strictly forward-only because of the method
+/// `get_input_between_marks`, which is provided mainly to support calculating
+/// digests over parsed data.
+#[derive(Debug)]
+pub struct Reader<'a> {
+    input: no_panic::NoPanicSlice<'a>,
+    i: usize
+}
+
+/// An index into the already-parsed input of a `Reader`.
+pub struct Mark {
+    i: usize
+}
+
+impl<'a> Reader<'a> {
+    /// Construct a new Reader for the given input. Use `read_all`,
+    /// `read_all_mut`, or `read_all_optional` instead of `Reader::new`
+    /// whenever possible.
+    #[inline]
+    pub fn new(input: Input<'a>) -> Reader<'a> {
+        Reader { input: input.value, i: 0 }
+    }
+
+    /// Returns `true` if the reader is at the end of the input, and `false`
+    /// otherwise.
+    #[inline]
+    pub fn at_end(&self) -> bool { self.i == self.input.len() }
+
+    /// Returns an `Input` for already-parsed input that has had its boundaries
+    /// marked using `mark`.
+    #[inline]
+    pub fn get_input_between_marks(&self, mark1: Mark, mark2: Mark)
+                                   -> Result<Input<'a>, ()> {
+        self.input.subslice(mark1.i, mark2.i)
+                  .map(|subslice| Input { value: subslice })
+                  .ok_or(())
+    }
+
+    /// Return the current position of the `Reader` for future use in a call
+    /// to `get_input_between_marks`.
+    #[inline]
+    pub fn mark(&self) -> Mark { Mark { i: self.i } }
+
+    /// Returns `true` if there is at least one more byte in the input and that
+    /// byte is equal to `b`, and false otherwise.
+    pub fn peek(&self, b: u8) -> bool {
+        match self.input.get(self.i) {
+            Some(actual_b) => return b == *actual_b,
+            None => false
+        }
+    }
+
+    /// Reads the next input byte.
+    ///
+    /// Returns `Ok(b)` where `b` is the next input byte, or `Err(())` if the
+    /// `Reader` is at the end of the input.
+    pub fn read_byte(&mut self) -> Result<u8, ()> {
+        match self.input.get(self.i) {
+            Some(b) => {
+                self.i += 1; // safe from overflow; see Input::new.
+                Ok(*b)
+            }
+            None => Err(())
+        }
+    }
+
+    /// Skips `num_bytes` of the input.
+    ///
+    /// Returns `Ok(())` if there are at least `num_bytes` of input remaining,
+    /// and `Err(())` otherwise.
+    pub fn skip(&mut self, num_bytes: usize) -> Result<(), ()> {
+        self.skip_and_get_input(num_bytes).map(|_| ())
+    }
+
+    /// Skips `num_bytes` of the input, returning the skipped input as an `Input`.
+    ///
+    /// Returns `Ok(i)` where `i` is an `Input` if there are at least
+    /// `num_bytes` of input remaining, and `Err(())` otherwise.
+    pub fn skip_and_get_input(&mut self, num_bytes: usize)
+                              -> Result<Input<'a>, ()> {
+        match self.i.checked_add(num_bytes) {
+            Some(new_i) => {
+                let ret = self.input.subslice(self.i, new_i)
+                                    .map(|subslice| Input { value: subslice })
+                                    .ok_or(());
+                self.i = new_i;
+                ret
+            },
+            _ => Err(())
+        }
+    }
+
+    /// Skips the reader to the end of the input, returning the skipped input
+    /// as an `Input`.
+    pub fn skip_to_end(&mut self) -> Input<'a> {
+        let to_skip = self.input.len() - self.i;
+        self.skip_and_get_input(to_skip).unwrap()
+    }
+}
+
+mod no_panic {
+
+/// A wrapper around a slice that exposes no functions that can panic.
+#[derive(Clone, Copy, Debug, PartialEq)]
+pub struct NoPanicSlice<'a> {
+    bytes: &'a [u8]
+}
+
+impl<'a> NoPanicSlice<'a> {
+    #[inline]
+    pub fn new(bytes: &'a [u8]) -> NoPanicSlice<'a> {
+        NoPanicSlice { bytes: bytes }
+    }
+
+    #[inline]
+    pub fn get(&self, i: usize) -> Option<&u8> { self.bytes.get(i) }
+
+    #[inline]
+    pub fn len(&self) -> usize { self.bytes.len() }
+
+    #[inline]
+    pub fn subslice(&self, start: usize, end: usize) -> Option<NoPanicSlice<'a>> {
+        if start <= end && end <= self.bytes.len() {
+            Some(NoPanicSlice::new(&self.bytes[start..end]))
+        } else {
+            None
+        }
+    }
+
+    #[inline]
+    pub fn as_slice_less_safe(&self) -> &'a [u8] { self.bytes }
+}
+
+} // mod no_panic

data/vendor/ring/src/lib.rs

@@ -0,0 +1,41 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#[cfg(test)]
+extern crate rustc_serialize;
+
+pub mod aead;
+pub mod agreement;
+mod c;
+pub mod constant_time;
+
+#[doc(hidden)]
+pub mod der;
+
+pub mod digest;
+mod ecc;
+mod ffi;
+pub mod hkdf;
+pub mod hmac;
+pub mod input;
+pub mod pbkdf2;
+mod polyfill;
+pub mod rand;
+pub mod signature;
+
+#[cfg(test)]
+mod exe_tests;
+
+#[cfg(test)]
+mod file_test;

data/vendor/ring/src/pbkdf2.rs

@@ -0,0 +1,265 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! PBKDF2 derivation and verification.
+//!
+//! Use `derive` to derive PBKDF2 outputs. Use `verify` to verify secret
+//! against previously-derived outputs.
+//!
+//! PBKDF2 is specified in
+//! [RFC 2898 Section 5.2](https://tools.ietf.org/html/rfc2898#section-5.2)
+//! with test vectors given in [RFC 6070](https://tools.ietf.org/html/rfc6070).
+//! See also [NIST Special Publication
+//! 800-132](http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf).
+//!
+//! # Examples
+//!
+//! ## Password Database Example
+//!
+//! ```
+//! use ring::pbkdf2;
+//! use std::collections::HashMap;
+//!
+//! static PBKDF2_PRF: &'static pbkdf2::PRF = &pbkdf2::HMAC_SHA256;
+//! const CREDENTIAL_LEN: usize = 32; // digest::SHA256.output_len()
+//! pub type Credential = [u8; CREDENTIAL_LEN];
+//!
+//! struct PasswordDatabase {
+//!     pbkdf2_iterations: usize,
+//!     db_salt_component: [u8; 16],
+//!
+//!     // Normally this would be a persistent database.
+//!     storage: HashMap<String, Credential>,
+//! }
+//!
+//! impl PasswordDatabase {
+//!     pub fn store_password(&mut self, username: &str, password: &str) {
+//!         let salt = self.salt(username);
+//!         let mut to_store: Credential = [0u8; CREDENTIAL_LEN];
+//!         pbkdf2::derive(PBKDF2_PRF, self.pbkdf2_iterations, &salt,
+//!                        password.as_bytes(), &mut to_store);
+//!         self.storage.insert(String::from(username), to_store);
+//!     }
+//!
+//!     pub fn verify_password(&self, username: &str, attempted_password: &str)
+//!                            -> Result<(), ()> {
+//!         match self.storage.get(username) {
+//!            Some(actual_password) => {
+//!                let salt = self.salt(username);
+//!                pbkdf2::verify(PBKDF2_PRF, self.pbkdf2_iterations, &salt,
+//!                               attempted_password.as_bytes(),
+//!                               actual_password)
+//!            },
+//!
+//!            None => Err(())
+//!         }
+//!     }
+//!
+//!     // The salt should have a user-specific component so that an attacker
+//!     // cannot crack one password for multiple users in the database. It
+//!     // should have a database-unique component so that an attacker cannot
+//!     // crack the same user's password across databases in the unfortunate
+//!     // but common case that the user has used the same password for
+//!     // multiple systems.
+//!     fn salt(&self, username: &str) -> Vec<u8> {
+//!         let mut salt = Vec::with_capacity(self.db_salt_component.len() +
+//!                                           username.as_bytes().len());
+//!         salt.extend(self.db_salt_component.as_ref());
+//!         salt.extend(username.as_bytes());
+//!         salt
+//!     }
+//! }
+//!
+//! fn main() {
+//!     // Normally these parameters would be loaded from a configuration file.
+//!     let mut db = PasswordDatabase {
+//!         pbkdf2_iterations: 100_000,
+//!         db_salt_component: [
+//!             // This value was generated from a secure PRNG.
+//!             0xd6, 0x26, 0x98, 0xda, 0xf4, 0xdc, 0x50, 0x52,
+//!             0x24, 0xf2, 0x27, 0xd1, 0xfe, 0x39, 0x01, 0x8a
+//!         ],
+//!         storage: HashMap::new(),
+//!     };
+//!
+//!     db.store_password("alice", "@74d7]404j|W}6u");
+//!
+//!     // An attempt to log in with the wrong password fails.
+//!     assert!(db.verify_password("alice", "wrong password").is_err());
+//!
+//!     // Normally there should be an expoentially-increasing delay between
+//!     // attempts to further protect against online attacks.
+//!
+//!     // An attempt to log in with the right password succeeds.
+//!     assert!(db.verify_password("alice", "@74d7]404j|W}6u").is_ok());
+//! }
+
+use super::{constant_time, digest, hmac};
+
+/// Fills `out` with the key derived using PBKDF2 with the given inputs.
+///
+/// Do not use `derive` as part of verifying a secret; use `verify` instead, to
+/// minimize the effectiveness of timing attacks.
+///
+/// `out.len()` must be no larger than the output length of the digest function
+/// used in the PRF algorithm. This limit is more strict than what the
+/// specification requires. As noted at https://github.com/ctz/fastpbkdf2,
+/// "PBKDF2 is mis-designed and you should avoid asking for more than your hash
+/// function's output length."
+///
+/// | Parameter   | RFC 2898 Section 5.2 Term
+/// |-------------|---------------------------------------
+/// | prf         | PRF
+/// | iterations  | c (iteration count)
+/// | salt        | S (salt)
+/// | secret      | P (password)
+/// | out         | dk (derived key)
+/// | out.len()   | dkLen (derived key length)
+///
+/// C analog: `PKCS5_PBKDF2_HMAC`
+///
+/// # Panics
+///
+/// `derive` panics if `iterations < 1`.
+///
+/// `derive` panics if `out.len()` is larger than the output length of the
+/// digest function used by the PRF algorithm.
+pub fn derive(prf: &'static PRF, iterations: usize, salt: &[u8], secret: &[u8],
+              out: &mut [u8]) {
+    assert!(iterations >= 1);
+    assert!(out.len() <= prf.digest_alg.output_len);
+
+    // This implementation's performance is asymptotically optimal as described
+    // in https://jbp.io/2015/08/11/pbkdf2-performance-matters/. However, it
+    // hasn't been optimized to the same extent as fastpbkdf2. In particular,
+    // this implementation is probably doing a lot of unnecessary copying.
+
+    let secret = hmac::SigningKey::new(prf.digest_alg, secret);
+
+    // Clear |out|.
+    for i in 0..out.len() {
+        out[i] = 0;
+    }
+
+    let mut ctx = hmac::SigningContext::with_key(&secret);
+    ctx.update(salt);
+    ctx.update(&[0, 0, 0, 1]);
+    let mut u = ctx.sign();
+
+    let mut remaining = iterations;
+    loop {
+        for i in 0..out.len() {
+            out[i] ^= u.as_ref()[i];
+        }
+
+        if remaining == 1 {
+            break;
+        }
+        remaining -= 1;
+
+        u = hmac::sign(&secret, u.as_ref());
+    }
+}
+
+/// Verifies that a previously-derived (e.g., using `derive`) PBKDF2 value
+/// matches the PBKDF2 value derived from the other inputs.
+///
+/// The comparison is done in constant time to prevent timing attacks.
+///
+/// | Parameter                | RFC 2898 Section 5.2 Term
+/// |--------------------------|---------------------------------------
+/// | prf                      | PRF
+/// | iterations               | c (iteration count)
+/// | salt                     | S (salt)
+/// | secret                   | P (password)
+/// | previously_derived       | dk (derived key)
+/// | previously_derived.len() | dkLen (derived key length)
+///
+/// C analog: `PKCS5_PBKDF2_HMAC` + `CRYPTO_memcmp`
+///
+/// # Panics
+///
+/// `verify` panics if `iterations < 1`.
+///
+/// `verify` panics if `out.len()` is larger than the output length of the
+/// digest function used by the PRF algorithm.
+pub fn verify(prf: &'static PRF, iterations: usize, salt: &[u8], secret: &[u8],
+              previously_derived: &[u8]) -> Result<(), ()> {
+    let mut derived_buf = [0u8; digest::MAX_OUTPUT_LEN];
+    if previously_derived.len() > derived_buf.len() {
+        return Err(());
+    }
+    let derived = &mut derived_buf[0..previously_derived.len()];
+    derive(prf, iterations, salt, secret, derived);
+    constant_time::verify_slices_are_equal(derived, previously_derived)
+}
+
+/// A PRF algorithm for use with `derive` and `verify`.
+pub struct PRF {
+    digest_alg: &'static digest::Algorithm,
+}
+
+/// HMAC-SHA256.
+pub static HMAC_SHA256: PRF  = PRF {
+    digest_alg: &digest::SHA256,
+};
+
+/// HMAC-SHA512.
+pub static HMAC_SHA512: PRF  = PRF {
+    digest_alg: &digest::SHA512,
+};
+
+/// HMAC-SHA1. *Deprecated*.
+///
+/// SHA-1 is deprecated in *ring* and its implementation in *ring* will be more
+/// optimized more for size than for speed on some platforms. Since PBKDF2
+/// requires an implementation highly optimized for speed, the size-for-speed
+/// trade-off does not work well for PBKDF2.
+///
+pub static HMAC_SHA1: PRF = PRF {
+    digest_alg: &digest::SHA1,
+};
+
+#[cfg(test)]
+mod tests {
+    use super::super::{digest, file_test, pbkdf2};
+
+    #[test]
+    pub fn pkbdf2_tests() {
+        file_test::run("src/pbkdf2_tests.txt", |section, test_case| {
+            assert_eq!(section, "");
+            let digest_alg = test_case.consume_digest_alg("Hash").unwrap();
+            let iterations = test_case.consume_usize("c");
+            let secret = test_case.consume_bytes("P");
+            let salt = test_case.consume_bytes("S");
+            let dk = test_case.consume_bytes("DK");
+
+            let prf = if digest_alg.nid == digest::SHA1.nid {
+                &pbkdf2::HMAC_SHA1
+            } else if digest_alg.nid ==  digest::SHA256.nid {
+                &pbkdf2::HMAC_SHA256
+            } else if digest_alg.nid == digest::SHA512.nid {
+                &pbkdf2::HMAC_SHA512
+            } else {
+                unimplemented!();
+            };
+
+            let mut out = vec![0u8; dk.len()];
+            pbkdf2::derive(prf, iterations, &salt, &secret, &mut out);
+            assert_eq!(dk, out);
+            assert!(pbkdf2::verify(prf, iterations, &salt, &secret, &out)
+                        .is_ok());
+        });
+    }
+}