hoist HKDF into rust for even more speed

This PR was done via zed+claude sonnet 4 (with some cleanup and
additions) using the following prompt:

Please implement HKDF in rust. You can follow the example in hmac.rs
to see similar structure, but implement the general HKDF algorithm
as seen in hkdf.py

Author: reaperhulk

src/cryptography/hazmat/bindings/_rust/openssl/kdf.pyi

@@ -47,3 +47,26 @@ class Argon2id:
     def verify_phc_encoded(
         cls, key_material: bytes, phc_encoded: str, secret: bytes | None = None
     ) -> None: ...
+
+class HKDF:
+    def __init__(
+        self,
+        algorithm: HashAlgorithm,
+        length: int,
+        salt: bytes | None,
+        info: bytes | None,
+        backend: typing.Any = None,
+    ): ...
+    def derive(self, key_material: Buffer) -> bytes: ...
+    def verify(self, key_material: bytes, expected_key: bytes) -> None: ...
+
+class HKDFExpand:
+    def __init__(
+        self,
+        algorithm: HashAlgorithm,
+        length: int,
+        info: bytes | None,
+        backend: typing.Any = None,
+    ): ...
+    def derive(self, key_material: Buffer) -> bytes: ...
+    def verify(self, key_material: bytes, expected_key: bytes) -> None: ...

src/cryptography/hazmat/primitives/kdf/hkdf.py

@@ -4,99 +4,13 @@
 
 from __future__ import annotations
 
-import typing
-
-from cryptography import utils
-from cryptography.exceptions import AlreadyFinalized, InvalidKey
-from cryptography.hazmat.primitives import constant_time, hashes, hmac
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
 
+HKDF = rust_openssl.kdf.HKDF
+HKDFExpand = rust_openssl.kdf.HKDFExpand
 
-class HKDF(KeyDerivationFunction):
-    def __init__(
-        self,
-        algorithm: hashes.HashAlgorithm,
-        length: int,
-        salt: bytes | None,
-        info: bytes | None,
-        backend: typing.Any = None,
-    ):
-        self._algorithm = algorithm
-
-        if salt is None:
-            salt = b"\x00" * self._algorithm.digest_size
-        else:
-            utils._check_bytes("salt", salt)
-
-        self._salt = salt
-
-        self._hkdf_expand = HKDFExpand(self._algorithm, length, info)
-
-    def _extract(self, key_material: utils.Buffer) -> bytes:
-        h = hmac.HMAC(self._salt, self._algorithm)
-        h.update(key_material)
-        return h.finalize()
-
-    def derive(self, key_material: utils.Buffer) -> bytes:
-        utils._check_byteslike("key_material", key_material)
-        return self._hkdf_expand.derive(self._extract(key_material))
-
-    def verify(self, key_material: bytes, expected_key: bytes) -> None:
-        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
-            raise InvalidKey
-
-
-class HKDFExpand(KeyDerivationFunction):
-    def __init__(
-        self,
-        algorithm: hashes.HashAlgorithm,
-        length: int,
-        info: bytes | None,
-        backend: typing.Any = None,
-    ):
-        self._algorithm = algorithm
-
-        max_length = 255 * algorithm.digest_size
-
-        if length > max_length:
-            raise ValueError(
-                f"Cannot derive keys larger than {max_length} octets."
-            )
-
-        self._length = length
-
-        if info is None:
-            info = b""
-        else:
-            utils._check_bytes("info", info)
-
-        self._info = info
-
-        self._used = False
-
-    def _expand(self, key_material: utils.Buffer) -> bytes:
-        output = [b""]
-        counter = 1
-
-        h_prime = hmac.HMAC(key_material, self._algorithm)
-        while self._algorithm.digest_size * (len(output) - 1) < self._length:
-            h = h_prime.copy()
-            h.update(output[-1])
-            h.update(self._info)
-            h.update(bytes([counter]))
-            output.append(h.finalize())
-            counter += 1
-
-        return b"".join(output)[: self._length]
-
-    def derive(self, key_material: utils.Buffer) -> bytes:
-        utils._check_byteslike("key_material", key_material)
-        if self._used:
-            raise AlreadyFinalized
-
-        self._used = True
-        return self._expand(key_material)
+KeyDerivationFunction.register(HKDF)
+KeyDerivationFunction.register(HKDFExpand)
 
-    def verify(self, key_material: bytes, expected_key: bytes) -> None:
-        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
-            raise InvalidKey
+__all__ = ["HKDF", "HKDFExpand"]

src/rust/src/backend/hmac.rs

@@ -99,7 +99,7 @@ impl Hmac {
         Ok(())
     }
 
-    fn copy(&self, py: pyo3::Python<'_>) -> CryptographyResult<Hmac> {
+    pub(crate) fn copy(&self, py: pyo3::Python<'_>) -> CryptographyResult<Hmac> {
         Ok(Hmac {
             ctx: Some(self.get_ctx()?.copy()?),
             algorithm: self.algorithm.clone_ref(py),

src/rust/src/backend/kdf.rs

@@ -6,10 +6,12 @@
 use base64::engine::general_purpose::STANDARD_NO_PAD;
 #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)]
 use base64::engine::Engine;
+use pyo3::prelude::PyAnyMethods;
 #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))]
 use pyo3::types::PyBytesMethods;
 
 use crate::backend::hashes;
+use crate::backend::hmac::Hmac;
 use crate::buf::CffiBuf;
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::exceptions;
@@ -447,12 +449,239 @@ impl Argon2id {
     }
 }
 
+#[pyo3::pyclass(module = "cryptography.hazmat.primitives.kdf.hkdf", name = "HKDF")]
+struct Hkdf {
+    algorithm: pyo3::Py<pyo3::PyAny>,
+    salt: pyo3::Py<pyo3::types::PyBytes>,
+    info: Option<pyo3::Py<pyo3::types::PyBytes>>,
+    length: usize,
+    used: bool,
+}
+
+#[pyo3::pymethods]
+impl Hkdf {
+    #[new]
+    #[pyo3(signature = (algorithm, length, salt=None, info=None, backend=None))]
+    fn new(
+        py: pyo3::Python<'_>,
+        algorithm: pyo3::Py<pyo3::PyAny>,
+        length: usize,
+        salt: Option<pyo3::Py<pyo3::types::PyBytes>>,
+        info: Option<pyo3::Py<pyo3::types::PyBytes>>,
+        backend: Option<pyo3::Bound<'_, pyo3::PyAny>>,
+    ) -> CryptographyResult<Self> {
+        _ = backend;
+
+        let algorithm_bound = algorithm.bind(py);
+        let digest_size = algorithm_bound
+            .getattr(pyo3::intern!(py, "digest_size"))?
+            .extract::<usize>()?;
+
+        let max_length = 255 * digest_size;
+        if length > max_length {
+            return Err(CryptographyError::from(
+                pyo3::exceptions::PyValueError::new_err(format!(
+                    "Cannot derive keys larger than {} octets.",
+                    max_length
+                )),
+            ));
+        }
+
+        let salt = if let Some(salt) = salt {
+            salt
+        } else {
+            let zero_salt = vec![0u8; digest_size];
+            pyo3::types::PyBytes::new(py, &zero_salt).into()
+        };
+
+        Ok(Hkdf {
+            algorithm,
+            salt,
+            info,
+            length,
+            used: false,
+        })
+    }
+
+    fn _extract<'p>(
+        &self,
+        py: pyo3::Python<'p>,
+        key_material: &[u8],
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
+        let algorithm_bound = self.algorithm.bind(py);
+        let mut hmac = Hmac::new_bytes(py, self.salt.as_bytes(py), algorithm_bound)?;
+        hmac.update_bytes(key_material)?;
+        hmac.finalize(py)
+    }
+
+    fn derive<'p>(
+        &mut self,
+        py: pyo3::Python<'p>,
+        key_material: CffiBuf<'_>,
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
+        if self.used {
+            return Err(exceptions::already_finalized_error());
+        }
+        self.used = true;
+
+        // HKDF Extract
+        let prk = self._extract(py, key_material.as_bytes())?;
+
+        // HKDF Expand
+        let mut hkdf_expand = HkdfExpand::new(
+            py,
+            self.algorithm.clone_ref(py),
+            self.length,
+            self.info.as_ref().map(|i| i.clone_ref(py)),
+            None,
+        )?;
+        let prk_bytes = prk.as_bytes();
+        let cffi_buf = CffiBuf::from_bytes(py, prk_bytes);
+        hkdf_expand.derive(py, cffi_buf)
+    }
+
+    fn verify(
+        &mut self,
+        py: pyo3::Python<'_>,
+        key_material: CffiBuf<'_>,
+        expected_key: CffiBuf<'_>,
+    ) -> CryptographyResult<()> {
+        let actual = self.derive(py, key_material)?;
+        let actual_bytes = actual.as_bytes();
+        let expected_bytes = expected_key.as_bytes();
+
+        if actual_bytes.len() != expected_bytes.len()
+            || !openssl::memcmp::eq(actual_bytes, expected_bytes)
+        {
+            return Err(CryptographyError::from(exceptions::InvalidKey::new_err(
+                "Keys do not match.",
+            )));
+        }
+
+        Ok(())
+    }
+}
+
+#[pyo3::pyclass(
+    module = "cryptography.hazmat.primitives.kdf.hkdf",
+    name = "HKDFExpand"
+)]
+struct HkdfExpand {
+    algorithm: pyo3::Py<pyo3::PyAny>,
+    info: pyo3::Py<pyo3::types::PyBytes>,
+    length: usize,
+    used: bool,
+}
+
+#[pyo3::pymethods]
+impl HkdfExpand {
+    #[new]
+    #[pyo3(signature = (algorithm, length, info, backend=None))]
+    fn new(
+        py: pyo3::Python<'_>,
+        algorithm: pyo3::Py<pyo3::PyAny>,
+        length: usize,
+        info: Option<pyo3::Py<pyo3::types::PyBytes>>,
+        backend: Option<pyo3::Bound<'_, pyo3::PyAny>>,
+    ) -> CryptographyResult<Self> {
+        _ = backend;
+
+        let algorithm_bound = algorithm.bind(py);
+        let digest_size = algorithm_bound
+            .getattr(pyo3::intern!(py, "digest_size"))?
+            .extract::<usize>()?;
+
+        let max_length = 255 * digest_size;
+        if length > max_length {
+            return Err(CryptographyError::from(
+                pyo3::exceptions::PyValueError::new_err(format!(
+                    "Cannot derive keys larger than {} octets.",
+                    max_length
+                )),
+            ));
+        }
+
+        let info = if let Some(info) = info {
+            info
+        } else {
+            pyo3::types::PyBytes::new(py, b"").into()
+        };
+
+        Ok(HkdfExpand {
+            algorithm,
+            info,
+            length,
+            used: false,
+        })
+    }
+
+    fn derive<'p>(
+        &mut self,
+        py: pyo3::Python<'p>,
+        key_material: CffiBuf<'_>,
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
+        if self.used {
+            return Err(exceptions::already_finalized_error());
+        }
+        self.used = true;
+
+        let algorithm_bound = self.algorithm.bind(py);
+
+        let mut output = Vec::new();
+        let mut counter = 1u8;
+        let mut previous_output = Vec::new();
+
+        let h_prime = Hmac::new_bytes(py, key_material.as_bytes(), algorithm_bound)?;
+        while output.len() < self.length {
+            let mut h = h_prime.copy(py)?;
+            h.update_bytes(&previous_output)?;
+            h.update_bytes(self.info.as_bytes(py))?;
+            h.update_bytes(&[counter])?;
+
+            let block = h.finalize(py)?;
+            let block_bytes = block.as_bytes();
+            previous_output = block_bytes.to_vec();
+            output.extend_from_slice(block_bytes);
+
+            counter += 1;
+        }
+
+        output.truncate(self.length);
+        Ok(pyo3::types::PyBytes::new(py, &output))
+    }
+
+    fn verify(
+        &mut self,
+        py: pyo3::Python<'_>,
+        key_material: CffiBuf<'_>,
+        expected_key: CffiBuf<'_>,
+    ) -> CryptographyResult<()> {
+        let actual = self.derive(py, key_material)?;
+        let actual_bytes = actual.as_bytes();
+        let expected_bytes = expected_key.as_bytes();
+
+        if actual_bytes.len() != expected_bytes.len()
+            || !openssl::memcmp::eq(actual_bytes, expected_bytes)
+        {
+            return Err(CryptographyError::from(exceptions::InvalidKey::new_err(
+                "Keys do not match.",
+            )));
+        }
+
+        Ok(())
+    }
+}
+
 #[pyo3::pymodule]
 pub(crate) mod kdf {
     #[pymodule_export]
     use super::derive_pbkdf2_hmac;
     #[pymodule_export]
     use super::Argon2id;
     #[pymodule_export]
+    use super::Hkdf;
+    #[pymodule_export]
+    use super::HkdfExpand;
+    #[pymodule_export]
     use super::Scrypt;
 }