crypto: PBKDF2 function from OpenSSL

[pixelglow]

I've added the PBKDF2 function from OpenSSL i.e. the Password-Based Key Derivation Function using HMAC-SHA1 as the pseudorandom function. See for example: http://en.wikipedia.org/wiki/PBKDF2.

Since the function is meant to take significant time to process, I've written it with an async callback

crypto.pbkdf2('password', 'salt', 1, 20, function (err, result) { 
  assert.equal(result, '\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6', 'pbkdf1 test vector 1');
});

The parameters are:

• password -- string or Buffer
• salt -- string or Buffer
• iter -- number of iterations, should be >= 0
• keylen -- the length of the derived key, should be >= 0

The callback returns either a generic error message or a binary-encoded string result.

I've added some tests based on RFC 6070 to exercise it.

Why this should be in core?

• Issue AES encryption and decryption gives incorrect results #1318 talks about the need for PBKDF2.
• It's a basic cryptographic function found in the same OpenSSL library that provides the other crypto library functions.
• It's just a simple function and would look out of place in a "userland" repo all by itself. :-)

[pixelglow]

There are other PBKDF2 implementations out there in pure Javascript, but they will be even slower because they work off the process ticks, rather than use the EIO thread pool like this implementation.

[bnoordhuis]

LGTM in general. Couple of nits but I'll address those in the patch. Can you sign the CLA?

cc @pquerna

[koichik]

@pixelglow - Can you add docs (crypto.markdown)?

[pixelglow]

Signed the CLA and applied the changes you wanted. The function seems to hold up well even when blasted with 1000 calls on a Snow Leopard system, and the underlying OpenSSL function doesn't appear to hold on to state, so I'm pretty sure it will work asynchronously as advertised.

[bnoordhuis]

Thanks, landed in 04122ad.

TryCatch try_catch; // don't quite see the necessity of this

If the callback throws and there's no TryCatch guard in place, the exception is re-raised the next time you enter V8 - but the stack trace will point to your point of entry, not the callback. Extremely confusing.