lib/pow/ecto/schema/password/pbkdf2.ex

defmodule Pow.Ecto.Schema.Password.Pbkdf2 do
  @moduledoc """
  The Pbkdf2 hash generation code is pulled from
  [Plug.Crypto.KeyGenerator](https://github.com/elixir-plug/plug_crypto/blob/v1.2.1/lib/plug/crypto/key_generator.ex)
  and is under Apache 2 license.
  """
  use Bitwise

  @doc """
  Compares the two binaries in constant-time to avoid timing attacks.
  """
  @spec compare(binary(), binary()) :: boolean()
  def compare(left, right) when is_binary(left) and is_binary(right) do
    byte_size(left) == byte_size(right) and compare(left, right, 0)
  end

  defp compare(<<x, left::binary>>, <<y, right::binary>>, acc) do
    xorred = bxor(x, y)
    compare(left, right, acc ||| xorred)
  end

  defp compare(<<>>, <<>>, acc) do
    acc === 0
  end

  @max_length bsl(1, 32) - 1

  @doc """
  Returns a derived key suitable for use.
  """
  @spec generate(binary(), binary(), integer(), integer(), atom()) :: binary()
  def generate(secret, salt, iterations, length, digest) do
    cond do
      not is_integer(iterations) or iterations < 1 ->
        raise ArgumentError, "iterations must be an integer >= 1"

      length > @max_length ->
        raise ArgumentError, "length must be less than or equal to #{@max_length}"

      true ->
        generate(mac_fun(digest, secret), salt, iterations, length, 1, [], 0)
    end
  rescue
    e ->
      stacktrace =
        case __STACKTRACE__ do
          [{mod, fun, [_ | _] = args, info} | rest] ->
            [{mod, fun, length(args), info} | rest]

          stacktrace ->
            stacktrace
        end

      reraise e, stacktrace
  end

  defp generate(_fun, _salt, _iterations, max_length, _block_index, acc, length)
       when length >= max_length do
    acc
    |> IO.iodata_to_binary()
    |> binary_part(0, max_length)
  end

  defp generate(fun, salt, iterations, max_length, block_index, acc, length) do
    initial = fun.(<<salt::binary, block_index::integer-size(32)>>)
    block = iterate(fun, iterations - 1, initial, initial)
    length = byte_size(block) + length

    generate(
      fun,
      salt,
      iterations,
      max_length,
      block_index + 1,
      [acc | block],
      length
    )
  end

  defp iterate(_fun, 0, _prev, acc), do: acc

  defp iterate(fun, iteration, prev, acc) do
    next = fun.(prev)
    iterate(fun, iteration - 1, next, :crypto.exor(next, acc))
  end

  # TODO: Remove when OTP 22.1 is required
  if Code.ensure_loaded?(:crypto) and function_exported?(:crypto, :mac, 4) do
    defp mac_fun(digest, secret), do: &:crypto.mac(:hmac, digest, secret, &1)
  else
    defp mac_fun(digest, secret), do: &:crypto.hmac(digest, secret, &1)
  end
end