A Quick Security Audit

[defuse]

Here are some issues and recommendations:

util.rs

• There was a missing return which made compare_ct return the wrong answer when y is longer than x and x and y are identical up to the length of x. PR to fix it: Fix a security bug in compare_ct #1

hkdf.rs

• The name "data" for the HKDF parameter is confusing (formally, it's called the Initial Key Material, so maybe just calling it key_material or something similar would be more informative).
• HKDF doesn't validate self.hmac before using it (it relies on the HMAC call later on panicing when it's a bad value). I would use an enum or something instead of an integer so that it's not possible to even express an incorrect value here.
• The maximum-length check in HKDF doesn't need to convert to f32, since self.hmac/8 will always be an integer.
• It would be a good idea to add unit tests that test HKDF's maximum-length check.
• The implementation of HKDF looks correct to me (and the test vector tests are nice!).

hmac.rs

• It looks correct to me (and it's awesome that the unit tests compare against test vectors).
• Again, it would be nice if sha2 were an enum or something instead of a usize so that there can't be invalid values.

default.rs

• hmac_validate would be more useful (and less error-prone) if its signature was: hmac_validate(expected_hmac: &[u8], message: &[u8], key: &[u8]). Currently, it just compares two &[u8]s, taking in the key and message would be more useful since it saves the caller from having to re-compute the HMAC for comparison.

other

• The doc comments used 10-byte keys, which might mislead people into thinking 10-byte keys are safe. PR to fix it: Fix doc-comments to use 16-bytes keys instead of 10-byte keys #2
• I'm still in the process of learning rust so I may have missed rust-specific problems.

[brycx]

Fantastic! Everything was covered in #4 so I'm closing this issue.