native_ossl/

kdf.rs

//! Key derivation — `KdfAlg`, `KdfCtx`, and typed builders.
//!
//! Phase 6 delivers a low-level `EVP_KDF` wrapper and three typed builders:
//!
//! | Builder           | Algorithm   | RFC       |
//! |-------------------|-------------|-----------|
//! | [`HkdfBuilder`]   | HKDF        | RFC 5869  |
//! | [`Pbkdf2Builder`] | PBKDF2      | PKCS #5   |
//! | [`ScryptBuilder`] | scrypt      | RFC 7914  |

use crate::error::ErrorStack;
use native_ossl_sys as sys;
use std::ffi::CStr;

// ── KdfAlg — algorithm descriptor ────────────────────────────────────────────

/// An OpenSSL KDF algorithm descriptor (`EVP_KDF*`).
///
/// Fetched once and reused to create [`KdfCtx`] instances.
pub struct KdfAlg {
    ptr: *mut sys::EVP_KDF,
}

impl KdfAlg {
    /// Fetch a KDF algorithm from the global default library context.
    ///
    /// Common names: `c"HKDF"`, `c"PBKDF2"`, `c"SCRYPT"`, `c"TLS13-KDF"`.
    ///
    /// # Errors
    ///
    /// Returns `Err` if the algorithm is not available.
    pub fn fetch(name: &CStr) -> Result<Self, ErrorStack> {
        let ptr =
            unsafe { sys::EVP_KDF_fetch(std::ptr::null_mut(), name.as_ptr(), std::ptr::null()) };
        if ptr.is_null() {
            return Err(ErrorStack::drain());
        }
        Ok(KdfAlg { ptr })
    }

    fn as_ptr(&self) -> *mut sys::EVP_KDF {
        self.ptr
    }
}

impl Drop for KdfAlg {
    fn drop(&mut self) {
        unsafe { sys::EVP_KDF_free(self.ptr) };
    }
}

// SAFETY: `EVP_KDF*` is reference-counted and immutable after fetch.
unsafe impl Send for KdfAlg {}
unsafe impl Sync for KdfAlg {}

// ── KdfCtx — stateful context ─────────────────────────────────────────────────

/// A key-derivation context (`EVP_KDF_CTX*`).
///
/// `!Clone` — create a new context for each derive operation.
pub struct KdfCtx {
    ptr: *mut sys::EVP_KDF_CTX,
}

impl KdfCtx {
    /// Create a new context from an algorithm descriptor.
    ///
    /// # Errors
    pub fn new(alg: &KdfAlg) -> Result<Self, ErrorStack> {
        let ptr = unsafe { sys::EVP_KDF_CTX_new(alg.as_ptr()) };
        if ptr.is_null() {
            return Err(ErrorStack::drain());
        }
        Ok(KdfCtx { ptr })
    }

    /// Derive key material into `out`.
    ///
    /// Parameters are supplied at derive time via the `params` argument.
    ///
    /// # Errors
    pub fn derive(
        &mut self,
        out: &mut [u8],
        params: &crate::params::Params<'_>,
    ) -> Result<(), ErrorStack> {
        crate::ossl_call!(sys::EVP_KDF_derive(
            self.ptr,
            out.as_mut_ptr(),
            out.len(),
            params.as_ptr()
        ))
    }

    /// Update parameters on this KDF context without destroying it.
    ///
    /// Use this to change algorithm-specific settings (e.g. HKDF mode, salt)
    /// on an already-initialised context instead of creating a new one.
    ///
    /// # Errors
    ///
    /// Returns `Err` if `EVP_KDF_CTX_set_params` fails (e.g. unknown key,
    /// type mismatch, or the algorithm does not support the parameter).
    pub fn set_params(&mut self, params: &crate::params::Params<'_>) -> Result<(), ErrorStack> {
        // SAFETY:
        // - self.ptr is non-null (constructor invariant)
        // - params.as_ptr() is valid for the duration of this call
        // - &mut self ensures exclusive access; no concurrent reads or writes
        crate::ossl_call!(sys::EVP_KDF_CTX_set_params(self.ptr, params.as_ptr()))
    }

    /// Retrieve parameter values from this KDF context.
    ///
    /// Build a [`Params`][crate::params::Params] with placeholder values for
    /// the keys you want, call this method, then read back with `params.get_*`.
    ///
    /// # Errors
    ///
    /// Returns `Err` if `EVP_KDF_CTX_get_params` fails.
    pub fn get_params(&self, params: &mut crate::params::Params<'_>) -> Result<(), ErrorStack> {
        // SAFETY:
        // - self.ptr is non-null (constructor invariant)
        // - params.as_mut_ptr() is valid for the duration of this call
        // - &self ensures no concurrent mutable access to self.ptr
        crate::ossl_call!(sys::EVP_KDF_CTX_get_params(self.ptr, params.as_mut_ptr()))
    }

    /// Return the output length of this KDF (if fixed), or `usize::MAX` if variable.
    #[must_use]
    pub fn size(&self) -> usize {
        // SAFETY: self.ptr is non-null; EVP_KDF_CTX_get_kdf_size is a pure read
        unsafe { sys::EVP_KDF_CTX_get_kdf_size(self.ptr) }
    }
}

impl Drop for KdfCtx {
    fn drop(&mut self) {
        unsafe { sys::EVP_KDF_CTX_free(self.ptr) };
    }
}

unsafe impl Send for KdfCtx {}

// ── HKDF mode ─────────────────────────────────────────────────────────────────

/// HKDF extraction/expansion mode.
#[derive(Default, Clone, Copy, PartialEq, Eq)]
pub enum HkdfMode {
    /// Extract a pseudorandom key (PRK) from the IKM, then expand it.
    ///
    /// This is the standard two-step mode from RFC 5869 §2.
    #[default]
    ExtractAndExpand,
    /// Extract phase only — output is the PRK.
    ExtractOnly,
    /// Expand phase only — input key must already be a PRK.
    ExpandOnly,
}

impl HkdfMode {
    fn as_uint(self) -> u32 {
        match self {
            HkdfMode::ExtractAndExpand => 0,
            HkdfMode::ExtractOnly => 1,
            HkdfMode::ExpandOnly => 2,
        }
    }
}

// ── HkdfBuilder ───────────────────────────────────────────────────────────────

/// HKDF key-derivation builder (RFC 5869).
///
/// ```ignore
/// let okm = HkdfBuilder::new(&sha256)
///     .key(ikm)
///     .salt(salt)
///     .info(info)
///     .derive_to_vec(32)?;
/// ```
pub struct HkdfBuilder<'a> {
    digest: &'a crate::digest::DigestAlg,
    key: Option<&'a [u8]>,
    salt: Option<&'a [u8]>,
    info: Option<&'a [u8]>,
    mode: HkdfMode,
}

impl<'a> HkdfBuilder<'a> {
    /// Create an `HKDF` builder bound to `digest`.
    ///
    /// The mode defaults to `ExtractAndExpand`.
    #[must_use]
    pub fn new(digest: &'a crate::digest::DigestAlg) -> Self {
        HkdfBuilder {
            digest,
            key: None,
            salt: None,
            info: None,
            mode: HkdfMode::default(),
        }
    }

    /// Set the input keying material (IKM).
    #[must_use]
    pub fn key(mut self, key: &'a [u8]) -> Self {
        self.key = Some(key);
        self
    }

    /// Set the salt (optional; defaults to zero-length within OpenSSL).
    #[must_use]
    pub fn salt(mut self, salt: &'a [u8]) -> Self {
        self.salt = Some(salt);
        self
    }

    /// Set the context/application-specific information bytes.
    #[must_use]
    pub fn info(mut self, info: &'a [u8]) -> Self {
        self.info = Some(info);
        self
    }

    /// Override the default extract-and-expand mode.
    #[must_use]
    pub fn mode(mut self, mode: HkdfMode) -> Self {
        self.mode = mode;
        self
    }

    /// Derive key material, writing into `out`.
    ///
    /// # Errors
    pub fn derive(self, out: &mut [u8]) -> Result<(), ErrorStack> {
        let name_ptr = unsafe { sys::OBJ_nid2sn(self.digest.nid()) };
        if name_ptr.is_null() {
            return Err(ErrorStack::drain());
        }
        let name = unsafe { CStr::from_ptr(name_ptr) };

        let mut builder = crate::params::ParamBuilder::new()?
            .push_utf8_string(c"digest", name)?
            .push_uint(c"mode", self.mode.as_uint())?;

        if let Some(k) = self.key {
            builder = builder.push_octet_slice(c"key", k)?;
        }
        if let Some(s) = self.salt {
            builder = builder.push_octet_slice(c"salt", s)?;
        }
        if let Some(i) = self.info {
            builder = builder.push_octet_slice(c"info", i)?;
        }

        let params = builder.build()?;
        let alg = KdfAlg::fetch(c"HKDF")?;
        KdfCtx::new(&alg)?.derive(out, &params)
    }

    /// Derive `len` bytes of key material, returning them in a freshly allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── Pbkdf2Builder ─────────────────────────────────────────────────────────────

/// `PBKDF2` key-derivation builder (PKCS #5).
///
/// ```ignore
/// let dk = Pbkdf2Builder::new(&sha256, b"password", b"salt")
///     .iterations(600_000)
///     .derive_to_vec(32)?;
/// ```
pub struct Pbkdf2Builder<'a> {
    digest: &'a crate::digest::DigestAlg,
    password: &'a [u8],
    salt: &'a [u8],
    iterations: u32,
}

impl<'a> Pbkdf2Builder<'a> {
    /// Create a `PBKDF2` builder.
    ///
    /// The iteration count defaults to 600 000 (NIST SP 800-132 minimum for
    /// SHA-256 as of 2023).
    #[must_use]
    pub fn new(digest: &'a crate::digest::DigestAlg, password: &'a [u8], salt: &'a [u8]) -> Self {
        Pbkdf2Builder {
            digest,
            password,
            salt,
            iterations: 600_000,
        }
    }

    /// Override the iteration count.
    #[must_use]
    pub fn iterations(mut self, n: u32) -> Self {
        self.iterations = n;
        self
    }

    /// Derive key material, writing into `out`.
    ///
    /// # Errors
    pub fn derive(self, out: &mut [u8]) -> Result<(), ErrorStack> {
        let name_ptr = unsafe { sys::OBJ_nid2sn(self.digest.nid()) };
        if name_ptr.is_null() {
            return Err(ErrorStack::drain());
        }
        let name = unsafe { CStr::from_ptr(name_ptr) };

        let params = crate::params::ParamBuilder::new()?
            .push_octet_slice(c"pass", self.password)?
            .push_octet_slice(c"salt", self.salt)?
            .push_uint(c"iter", self.iterations)?
            .push_utf8_string(c"digest", name)?
            .build()?;

        let alg = KdfAlg::fetch(c"PBKDF2")?;
        KdfCtx::new(&alg)?.derive(out, &params)
    }

    /// Derive `len` bytes of key material, returning them in a freshly allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── ScryptParams / ScryptBuilder ──────────────────────────────────────────────

/// Scrypt cost parameters.
///
/// Use struct-update syntax for partial overrides:
/// ```ignore
/// ScryptParams { n: 1 << 20, ..ScryptParams::default() }
/// ```
pub struct ScryptParams {
    /// CPU/memory cost factor — must be a power of two and greater than 1.
    pub n: u64,
    /// Block size factor.
    pub r: u32,
    /// Parallelisation factor.
    pub p: u32,
}

impl Default for ScryptParams {
    fn default() -> Self {
        // RFC 7914 §2 interactive-login recommendation.
        ScryptParams {
            n: 16_384,
            r: 8,
            p: 1,
        }
    }
}

/// Scrypt key-derivation builder (RFC 7914).
///
/// ```ignore
/// let dk = ScryptBuilder::new(b"password", b"NaCl")
///     .params(ScryptParams { n: 1 << 20, ..ScryptParams::default() })
///     .derive_to_vec(64)?;
/// ```
pub struct ScryptBuilder<'a> {
    password: &'a [u8],
    salt: &'a [u8],
    params: ScryptParams,
}

impl<'a> ScryptBuilder<'a> {
    /// Create a scrypt builder.
    ///
    /// Cost parameters default to `ScryptParams::default()`.
    #[must_use]
    pub fn new(password: &'a [u8], salt: &'a [u8]) -> Self {
        ScryptBuilder {
            password,
            salt,
            params: ScryptParams::default(),
        }
    }

    /// Override the cost parameters.
    #[must_use]
    pub fn params(mut self, params: ScryptParams) -> Self {
        self.params = params;
        self
    }

    /// Derive key material, writing into `out`.
    ///
    /// # Errors
    pub fn derive(self, out: &mut [u8]) -> Result<(), ErrorStack> {
        let params = crate::params::ParamBuilder::new()?
            .push_octet_slice(c"pass", self.password)?
            .push_octet_slice(c"salt", self.salt)?
            .push_uint64(c"n", self.params.n)?
            .push_uint(c"r", self.params.r)?
            .push_uint(c"p", self.params.p)?
            .build()?;

        let alg = KdfAlg::fetch(c"SCRYPT")?;
        KdfCtx::new(&alg)?.derive(out, &params)
    }

    /// Derive `len` bytes of key material, returning them in a freshly allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── SSH-KDF (OpenSSL 3.5+) ────────────────────────────────────────────────────

/// Purpose codes for SSH key derivation (RFC 4253 §7.2).
#[cfg(ossl350)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SshkdfKeyType {
    /// Initial IV, client to server.
    InitialIvClientToServer,
    /// Initial IV, server to client.
    InitialIvServerToClient,
    /// Encryption key, client to server.
    EncryptionKeyClientToServer,
    /// Encryption key, server to client.
    EncryptionKeyServerToClient,
    /// Integrity key, client to server.
    IntegrityKeyClientToServer,
    /// Integrity key, server to client.
    IntegrityKeyServerToClient,
}

#[cfg(ossl350)]
impl SshkdfKeyType {
    fn as_cstr(self) -> &'static CStr {
        match self {
            Self::InitialIvClientToServer => c"A",
            Self::InitialIvServerToClient => c"B",
            Self::EncryptionKeyClientToServer => c"C",
            Self::EncryptionKeyServerToClient => c"D",
            Self::IntegrityKeyClientToServer => c"E",
            Self::IntegrityKeyServerToClient => c"F",
        }
    }
}

/// SSH key-derivation builder (RFC 4253 §7.2).
///
/// ```ignore
/// let iv = SshkdfBuilder::new(&sha256, &shared_secret, &exchange_hash, &session_id,
///                             SshkdfKeyType::InitialIvClientToServer)
///     .derive_to_vec(16)?;
/// ```
#[cfg(ossl350)]
pub struct SshkdfBuilder<'a> {
    digest: &'a crate::digest::DigestAlg,
    key: &'a [u8],
    xcghash: &'a [u8],
    session_id: &'a [u8],
    key_type: SshkdfKeyType,
}

#[cfg(ossl350)]
impl<'a> SshkdfBuilder<'a> {
    /// Create an SSH-KDF builder.
    ///
    /// - `digest` — hash algorithm (e.g. SHA-256).
    /// - `key` — the shared secret `K` from the Diffie-Hellman exchange.
    /// - `xcghash` — exchange hash `H`.
    /// - `session_id` — the session identifier (= first `H` for the session).
    /// - `key_type` — which key/IV component to derive (A–F).
    #[must_use]
    pub fn new(
        digest: &'a crate::digest::DigestAlg,
        key: &'a [u8],
        xcghash: &'a [u8],
        session_id: &'a [u8],
        key_type: SshkdfKeyType,
    ) -> Self {
        SshkdfBuilder {
            digest,
            key,
            xcghash,
            session_id,
            key_type,
        }
    }

    /// Derive key material, writing into `out`.
    ///
    /// # Errors
    pub fn derive(self, out: &mut [u8]) -> Result<(), ErrorStack> {
        let name_ptr = unsafe { sys::OBJ_nid2sn(self.digest.nid()) };
        if name_ptr.is_null() {
            return Err(ErrorStack::drain());
        }
        let name = unsafe { CStr::from_ptr(name_ptr) };

        let params = crate::params::ParamBuilder::new()?
            .push_utf8_string(c"digest", name)?
            .push_octet_slice(c"key", self.key)?
            .push_octet_slice(c"xcghash", self.xcghash)?
            .push_octet_slice(c"session-id", self.session_id)?
            .push_utf8_string(c"type", self.key_type.as_cstr())?
            .build()?;

        let alg = KdfAlg::fetch(c"SSHKDF")?;
        KdfCtx::new(&alg)?.derive(out, &params)
    }

    /// Derive `len` bytes, returning them in a freshly allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── KBKDF (OpenSSL 3.5+) ─────────────────────────────────────────────────────

/// KBKDF derivation mode (SP 800-108).
#[cfg(ossl350)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum KbkdfMode {
    /// Counter mode — a counter is appended to each PRF input block.
    Counter,
    /// Feedback mode — the previous PRF output is fed into the next block.
    Feedback,
}

#[cfg(ossl350)]
impl KbkdfMode {
    fn as_cstr(self) -> &'static CStr {
        match self {
            KbkdfMode::Counter => c"counter",
            KbkdfMode::Feedback => c"feedback",
        }
    }
}

/// Counter field length (in bits) for KBKDF counter mode.
#[cfg(ossl350)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[cfg_attr(ossl350, derive(Default))]
pub enum KbkdfCounterLen {
    /// 8-bit counter.
    Bits8 = 8,
    /// 16-bit counter.
    Bits16 = 16,
    /// 24-bit counter.
    Bits24 = 24,
    /// 32-bit counter (default).
    #[cfg_attr(ossl350, default)]
    Bits32 = 32,
}

/// KBKDF key-derivation builder (NIST SP 800-108).
///
/// Supports both HMAC-based and CMAC-based PRFs.
///
/// ```ignore
/// let key = KbkdfBuilder::new(KbkdfMode::Counter, &hmac_alg, &master_key)
///     .digest(&sha256)
///     .label(b"my label")
///     .context(b"my context")
///     .derive_to_vec(32)?;
/// ```
#[cfg(ossl350)]
pub struct KbkdfBuilder<'a> {
    mode: KbkdfMode,
    mac: &'a crate::mac::MacAlg,
    digest: Option<&'a crate::digest::DigestAlg>,
    key: &'a [u8],
    label: Option<&'a [u8]>,
    context: Option<&'a [u8]>,
    /// Feedback mode only: IV / salt fed into the first PRF block.
    salt: Option<&'a [u8]>,
    counter_len: KbkdfCounterLen,
    use_l: Option<bool>,
    use_separator: Option<bool>,
}

#[cfg(ossl350)]
impl<'a> KbkdfBuilder<'a> {
    /// Create a KBKDF builder.
    ///
    /// - `mode` — counter or feedback.
    /// - `mac` — MAC algorithm (HMAC or CMAC).
    /// - `key` — the key derivation key (KDK).
    #[must_use]
    pub fn new(mode: KbkdfMode, mac: &'a crate::mac::MacAlg, key: &'a [u8]) -> Self {
        KbkdfBuilder {
            mode,
            mac,
            digest: None,
            key,
            label: None,
            context: None,
            salt: None,
            counter_len: KbkdfCounterLen::default(),
            use_l: None,
            use_separator: None,
        }
    }

    /// Set the hash digest for HMAC-based derivation.
    #[must_use]
    pub fn digest(mut self, digest: &'a crate::digest::DigestAlg) -> Self {
        self.digest = Some(digest);
        self
    }

    /// Set the label (identifies the purpose of the derived key).
    #[must_use]
    pub fn label(mut self, label: &'a [u8]) -> Self {
        self.label = Some(label);
        self
    }

    /// Set the context (caller-specific data bound into the derivation).
    #[must_use]
    pub fn context(mut self, context: &'a [u8]) -> Self {
        self.context = Some(context);
        self
    }

    /// Set the salt / feedback IV (feedback mode only).
    #[must_use]
    pub fn salt(mut self, salt: &'a [u8]) -> Self {
        self.salt = Some(salt);
        self
    }

    /// Override the counter field length (default: 32 bits).
    #[must_use]
    pub fn counter_len(mut self, len: KbkdfCounterLen) -> Self {
        self.counter_len = len;
        self
    }

    /// Control whether the length field `L` is included (default: true).
    #[must_use]
    pub fn use_l(mut self, enabled: bool) -> Self {
        self.use_l = Some(enabled);
        self
    }

    /// Control whether the zero-byte separator is included (default: true).
    #[must_use]
    pub fn use_separator(mut self, enabled: bool) -> Self {
        self.use_separator = Some(enabled);
        self
    }

    /// Derive key material, writing into `out`.
    ///
    /// # Errors
    pub fn derive(self, out: &mut [u8]) -> Result<(), ErrorStack> {
        let mut builder = crate::params::ParamBuilder::new()?
            .push_utf8_string(c"mode", self.mode.as_cstr())?
            .push_utf8_string(c"mac", self.mac.name())?
            .push_octet_slice(c"key", self.key)?
            .push_uint(c"r", self.counter_len as u32)?;

        if let Some(d) = self.digest {
            let name_ptr = unsafe { sys::OBJ_nid2sn(d.nid()) };
            if name_ptr.is_null() {
                return Err(ErrorStack::drain());
            }
            let name = unsafe { CStr::from_ptr(name_ptr) };
            builder = builder.push_utf8_string(c"digest", name)?;
        }
        if let Some(l) = self.label {
            builder = builder.push_octet_slice(c"label", l)?;
        }
        if let Some(c) = self.context {
            builder = builder.push_octet_slice(c"data", c)?;
        }
        if let Some(s) = self.salt {
            builder = builder.push_octet_slice(c"salt", s)?;
        }
        if let Some(v) = self.use_l {
            builder = builder.push_int(c"use-l", i32::from(v))?;
        }
        if let Some(v) = self.use_separator {
            builder = builder.push_int(c"use-separator", i32::from(v))?;
        }

        let params = builder.build()?;
        let alg = KdfAlg::fetch(c"KBKDF")?;
        KdfCtx::new(&alg)?.derive(out, &params)
    }

    /// Derive `len` bytes, returning them in a freshly allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── Pkcs12KdfBuilder (RFC 7292 Appendix B) ───────────────────────────────────

/// Output type selector for the PKCS#12 (RFC 7292 Appendix B) KDF.
///
/// The id byte controls which key component the KDF derives from the passphrase.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Pkcs12KdfId {
    /// Derive cipher key bytes (id = 1).
    Key = 1,
    /// Derive cipher IV bytes (id = 2).
    Iv = 2,
    /// Derive MAC key bytes (id = 3).
    Mac = 3,
}

/// PKCS#12 (RFC 7292 Appendix B) key/IV/MAC derivation builder.
///
/// Legacy — only needed for interoperability with PKCS#12 files encrypted
/// with deprecated algorithms such as `PBEWithSHAAnd3-KeyTripleDES-CBC`.
/// New PKCS#12 files should use PBES2/PBKDF2 instead.
///
/// ```ignore
/// let sha1 = DigestAlg::fetch(c"SHA1", None).unwrap();
/// let key = Pkcs12KdfBuilder::new(&sha1, b"password", &salt, Pkcs12KdfId::Key)
///     .iterations(2048)
///     .derive_to_vec(24)?;
/// ```
pub struct Pkcs12KdfBuilder<'a> {
    md: &'a crate::digest::DigestAlg,
    password: &'a [u8],
    salt: &'a [u8],
    id: Pkcs12KdfId,
    iter: u32,
}

impl<'a> Pkcs12KdfBuilder<'a> {
    /// Create a PKCS#12 KDF builder.
    ///
    /// - `md` — hash algorithm (SHA-1 for legacy 3DES; SHA-256 for PBES2).
    /// - `password` — UTF-8 passphrase bytes.
    /// - `salt` — random salt (typically 8 bytes per RFC 7292).
    /// - `id` — output type: [`Key`](Pkcs12KdfId::Key), [`Iv`](Pkcs12KdfId::Iv),
    ///   or [`Mac`](Pkcs12KdfId::Mac).
    ///
    /// The iteration count defaults to 2048.
    #[must_use]
    pub fn new(
        md: &'a crate::digest::DigestAlg,
        password: &'a [u8],
        salt: &'a [u8],
        id: Pkcs12KdfId,
    ) -> Self {
        Self {
            md,
            password,
            salt,
            id,
            iter: 2048,
        }
    }

    /// Override the iteration count.
    #[must_use]
    pub fn iterations(mut self, n: u32) -> Self {
        self.iter = n;
        self
    }

    /// Derive key material into `out`.
    ///
    /// # Panics
    ///
    /// Panics if the password, salt, or output buffer length exceeds `i32::MAX` bytes,
    /// which is not a practical concern for cryptographic inputs.
    ///
    /// # Errors
    pub fn derive(&self, out: &mut [u8]) -> Result<(), ErrorStack> {
        // SAFETY: PKCS12_key_gen_utf8 reads pass and salt; it does not retain
        // pointers after returning.  The salt parameter is typed `*mut u8` in
        // the C header despite being read-only; we cast from *const u8.
        let rc = unsafe {
            sys::PKCS12_key_gen_utf8(
                self.password.as_ptr().cast(),
                i32::try_from(self.password.len()).expect("password too long"),
                self.salt.as_ptr().cast_mut(),
                i32::try_from(self.salt.len()).expect("salt too long"),
                self.id as std::ffi::c_int,
                self.iter.cast_signed(),
                i32::try_from(out.len()).expect("output too long"),
                out.as_mut_ptr(),
                self.md.as_ptr(),
            )
        };
        if rc != 1 {
            return Err(ErrorStack::drain());
        }
        Ok(())
    }

    /// Derive `len` bytes of key material, returning them in a freshly
    /// allocated `Vec<u8>`.
    ///
    /// # Errors
    pub fn derive_to_vec(&self, len: usize) -> Result<Vec<u8>, ErrorStack> {
        let mut out = vec![0u8; len];
        self.derive(&mut out)?;
        Ok(out)
    }
}

// ── Tests ─────────────────────────────────────────────────────────────────────

#[cfg(test)]
mod tests {
    use super::*;
    use crate::digest::DigestAlg;
    use crate::util::hex_encode;

    /// RFC 5869 Test Case 1 — `HKDF-SHA-256`, known-answer test.
    ///
    /// IKM  = 0x0b0b...0b (22 bytes)
    /// salt = 0x000102...0c (13 bytes)
    /// info = 0xf0f1...f9 (10 bytes)
    /// L    = 42
    #[test]
    fn hkdf_sha256_rfc5869_tc1() {
        let digest = DigestAlg::fetch(c"SHA2-256", None).unwrap();

        let ikm = [0x0b_u8; 22];
        let salt = [
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c_u8,
        ];
        let info = [
            0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9_u8,
        ];

        let okm = HkdfBuilder::new(&digest)
            .key(&ikm)
            .salt(&salt)
            .info(&info)
            .derive_to_vec(42)
            .unwrap();

        assert_eq!(
            hex_encode(&okm),
            "3cb25f25faacd57a90434f64d0362f2a\
             2d2d0a90cf1a5a4c5db02d56ecc4c5bf\
             34007208d5b887185865"
        );
    }

    /// HKDF without salt — RFC 5869 Test Case 3.
    ///
    /// IKM  = 0x0b0b...0b (22 bytes)
    /// salt = (not provided)
    /// info = (not provided)
    /// L    = 42
    #[test]
    fn hkdf_sha256_no_salt_no_info() {
        let digest = DigestAlg::fetch(c"SHA2-256", None).unwrap();
        let ikm = [0x0b_u8; 22];

        let okm = HkdfBuilder::new(&digest)
            .key(&ikm)
            .derive_to_vec(42)
            .unwrap();

        assert_eq!(
            hex_encode(&okm),
            "8da4e775a563c18f715f802a063c5a31\
             b8a11f5c5ee1879ec3454e5f3c738d2d\
             9d201395faa4b61a96c8"
        );
    }

    /// `PBKDF2-SHA256` known-answer test.
    ///
    /// Password   = "password"
    /// Salt       = "salt"
    /// Iterations = 1
    /// dkLen      = 32
    #[test]
    fn pbkdf2_sha256_known_answer() {
        let digest = DigestAlg::fetch(c"SHA2-256", None).unwrap();

        let dk = Pbkdf2Builder::new(&digest, b"password", b"salt")
            .iterations(1)
            .derive_to_vec(32)
            .unwrap();

        assert_eq!(
            hex_encode(&dk),
            "120fb6cffcf8b32c43e7225256c4f837\
             a86548c92ccc35480805987cb70be17b"
        );
    }

    /// Scrypt functional test — verify correct output length and non-zeroness.
    ///
    /// Uses tiny cost parameters (N=32, r=1, p=1) so the test is fast.
    #[test]
    fn scrypt_derives_nonzero_output() {
        let dk = ScryptBuilder::new(b"password", b"salt")
            .params(ScryptParams { n: 32, r: 1, p: 1 })
            .derive_to_vec(32)
            .unwrap();

        assert_eq!(dk.len(), 32);
        assert_ne!(dk, vec![0u8; 32]);
    }

    /// Two different passwords produce different keys.
    #[test]
    fn scrypt_different_passwords_differ() {
        let p = ScryptParams { n: 32, r: 1, p: 1 };

        let dk1 = ScryptBuilder::new(b"pass1", b"salt")
            .params(ScryptParams {
                n: p.n,
                r: p.r,
                p: p.p,
            })
            .derive_to_vec(32)
            .unwrap();
        let dk2 = ScryptBuilder::new(b"pass2", b"salt")
            .params(ScryptParams {
                n: p.n,
                r: p.r,
                p: p.p,
            })
            .derive_to_vec(32)
            .unwrap();

        assert_ne!(dk1, dk2);
    }

    /// PKCS#12 KDF derives non-zero output of the requested length.
    ///
    /// No published test vectors exist for RFC 7292 Appendix B, so we use a
    /// functional check: same inputs → same output, different id → different output.
    #[test]
    fn pkcs12_kdf_basic() {
        let sha1 = DigestAlg::fetch(c"SHA1", None).unwrap();
        let salt = b"saltsalt";

        let key = Pkcs12KdfBuilder::new(&sha1, b"password", salt, Pkcs12KdfId::Key)
            .iterations(2048)
            .derive_to_vec(24)
            .unwrap();
        assert_eq!(key.len(), 24);
        assert_ne!(key, vec![0u8; 24]);

        // Same inputs, same output.
        let key2 = Pkcs12KdfBuilder::new(&sha1, b"password", salt, Pkcs12KdfId::Key)
            .iterations(2048)
            .derive_to_vec(24)
            .unwrap();
        assert_eq!(key, key2);

        // Different id byte → different output.
        let iv = Pkcs12KdfBuilder::new(&sha1, b"password", salt, Pkcs12KdfId::Iv)
            .iterations(2048)
            .derive_to_vec(8)
            .unwrap();
        assert_ne!(key[..8], iv[..]);
    }

    /// Different passwords produce different derived keys.
    #[test]
    fn pkcs12_kdf_different_passwords_differ() {
        let sha1 = DigestAlg::fetch(c"SHA1", None).unwrap();
        let salt = b"saltsalt";

        let k1 = Pkcs12KdfBuilder::new(&sha1, b"pass1", salt, Pkcs12KdfId::Key)
            .derive_to_vec(24)
            .unwrap();
        let k2 = Pkcs12KdfBuilder::new(&sha1, b"pass2", salt, Pkcs12KdfId::Key)
            .derive_to_vec(24)
            .unwrap();
        assert_ne!(k1, k2);
    }

    /// `set_params` allows re-parameterising an HKDF context in place.
    ///
    /// We derive in `ExtractAndExpand` mode, then use `set_params` to switch the
    /// same context to `ExpandOnly` mode (supplying a fresh IKM as the PRK) and
    /// derive again.  The two outputs must differ because the derivation modes are
    /// different.
    #[test]
    fn kdf_set_params_hkdf_mode() {
        use crate::params::ParamBuilder;

        let digest = DigestAlg::fetch(c"SHA2-256", None).unwrap();
        let name_ptr = unsafe { sys::OBJ_nid2sn(digest.nid()) };
        assert!(!name_ptr.is_null());
        let name = unsafe { std::ffi::CStr::from_ptr(name_ptr) };

        let ikm = [0x0b_u8; 32];
        let salt = b"test-salt-value!";
        let info = b"test-info-value!";

        // First derivation: ExtractAndExpand (mode = 0).
        let params1 = ParamBuilder::new()
            .unwrap()
            .push_utf8_string(c"digest", name)
            .unwrap()
            .push_uint(c"mode", HkdfMode::ExtractAndExpand.as_uint())
            .unwrap()
            .push_octet_slice(c"key", &ikm)
            .unwrap()
            .push_octet_slice(c"salt", salt)
            .unwrap()
            .push_octet_slice(c"info", info)
            .unwrap()
            .build()
            .unwrap();

        let alg = KdfAlg::fetch(c"HKDF").unwrap();
        let mut ctx = KdfCtx::new(&alg).unwrap();

        let mut out1 = [0u8; 32];
        ctx.derive(&mut out1, &params1).unwrap();

        // Re-parameterise in place: switch to ExpandOnly (mode = 2).
        // In ExpandOnly mode the "key" is treated as an already-extracted PRK.
        let params2 = ParamBuilder::new()
            .unwrap()
            .push_utf8_string(c"digest", name)
            .unwrap()
            .push_uint(c"mode", HkdfMode::ExpandOnly.as_uint())
            .unwrap()
            .push_octet_slice(c"key", &ikm)
            .unwrap()
            .push_octet_slice(c"info", info)
            .unwrap()
            .build()
            .unwrap();

        ctx.set_params(&params2).unwrap();

        let mut out2 = [0u8; 32];
        ctx.derive(&mut out2, &params2).unwrap();

        // The two outputs must differ: different modes produce different keys.
        assert_ne!(out1, out2, "ExtractAndExpand and ExpandOnly must differ");
    }

    /// `get_params` can query a KDF context for its current parameters.
    ///
    /// We set up an HKDF context with specific parameters, then retrieve the
    /// mode parameter back via `get_params` and confirm the round-trip value.
    #[test]
    fn kdf_get_params_mode() {
        use crate::params::ParamBuilder;

        let digest = DigestAlg::fetch(c"SHA2-256", None).unwrap();
        let name_ptr = unsafe { sys::OBJ_nid2sn(digest.nid()) };
        assert!(!name_ptr.is_null());
        let name = unsafe { std::ffi::CStr::from_ptr(name_ptr) };

        let params = ParamBuilder::new()
            .unwrap()
            .push_utf8_string(c"digest", name)
            .unwrap()
            .push_uint(c"mode", HkdfMode::ExtractOnly.as_uint())
            .unwrap()
            .push_octet_slice(c"key", &[0x0b_u8; 22])
            .unwrap()
            .push_octet_slice(c"salt", b"some-salt")
            .unwrap()
            .build()
            .unwrap();

        let alg = KdfAlg::fetch(c"HKDF").unwrap();
        let mut ctx = KdfCtx::new(&alg).unwrap();
        // Derive in ExtractOnly mode — output is the 32-byte PRK.
        // Note: OpenSSL 3.5's HKDF provider makes "mode" write-only;
        // get_params does not return it, so we verify correctness via the
        // derive result rather than reading back the param.
        let mut out = [0u8; 32];
        ctx.derive(&mut out, &params).unwrap();
        // PRK must be non-zero.
        assert_ne!(out, [0u8; 32], "ExtractOnly must produce non-zero PRK");
    }

    /// `KdfCtx::size` returns `usize::MAX` for HKDF (variable-length output).
    #[test]
    fn kdf_size_hkdf() {
        let alg = KdfAlg::fetch(c"HKDF").unwrap();
        let ctx = KdfCtx::new(&alg).unwrap();
        assert_eq!(
            ctx.size(),
            usize::MAX,
            "HKDF has variable output; size() must return usize::MAX"
        );
    }
}