[crypto] Add scrypt key derivation to SymmetricKey

Add a method for key derivation using the scrypt algorithm to
crypto::SymmetricKey.

Rename the pre-existing method for key derivation (which uses PBKDF2) to
clearly disambiguate between the two.

TBRing because all the changes to files not under crypto/ are a trivial
library method name change.

TBR=mnissler@chromium.org,droger@chromium.org,alemate@chromium.org,cfroussios@chromium.org,tbarzic@chromium.org

Bug: 875931
Change-Id: Iaa0b2bb0fc3ae2481733072363718cffd8811b97
Reviewed-on: https://chromium-review.googlesource.com/1181881
Commit-Queue: David Davidović <davidovic@google.com>
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: vitaliii <vitaliii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586247}

chrome/browser/chromeos/settings/token_encryptor.cc

@@ -70,7 +70,7 @@ std::string CryptohomeTokenEncryptor::DecryptWithSystemSalt(
 std::unique_ptr<crypto::SymmetricKey> CryptohomeTokenEncryptor::PassphraseToKey(
     const std::string& passphrase,
     const std::string& salt) {
-  return crypto::SymmetricKey::DeriveKeyFromPassword(
+  return crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
       crypto::SymmetricKey::AES, passphrase, salt, 1000, 256);
 }
 

chrome/browser/signin/local_auth.cc

@@ -105,7 +105,7 @@ std::string CreateSecurePasswordHash(const std::string& salt,
 
   // Library call to create secure password hash as SymmetricKey (uses PBKDF2).
   std::unique_ptr<crypto::SymmetricKey> password_key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, password, salt, encoding.iteration_count,
           encoding.hash_bits));
   std::string password_hash = password_key->key();

chromeos/login/auth/authpolicy_login_helper.cc

@@ -88,7 +88,7 @@ std::string DoDecrypt(const std::string& encrypted_data,
   const size_t kHmacKeySize = 32;
   const size_t kKeySize = kAesKeySize + kAesIvSize + kHmacKeySize;
   std::unique_ptr<crypto::SymmetricKey> key =
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::HMAC_SHA1, password, salt, 10000, kKeySize * 8);
   if (!key) {
     LOG(ERROR) << error_msg;

chromeos/login/auth/key.cc

@@ -85,7 +85,7 @@ void Key::Transform(KeyType target_key_type, const std::string& salt) {
     }
     case KEY_TYPE_SALTED_PBKDF2_AES256_1234: {
       std::unique_ptr<crypto::SymmetricKey> key(
-          crypto::SymmetricKey::DeriveKeyFromPassword(
+          crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
               crypto::SymmetricKey::AES, secret_, salt, kNumIterations,
               kKeySizeInBits));
       base::Base64Encode(key->key(), &secret_);

chromeos/network/onc/onc_utils.cc

@@ -721,9 +721,9 @@ std::unique_ptr<base::Value> Decrypt(const std::string& passphrase,
   }
 
   std::unique_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES,
-                                                  passphrase, salt, iterations,
-                                                  kKeySizeInBits));
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
+          crypto::SymmetricKey::AES, passphrase, salt, iterations,
+          kKeySizeInBits));
 
   if (!base::Base64Decode(initial_vector, &initial_vector)) {
     NET_LOG(ERROR) << kUnableToDecode;

components/os_crypt/os_crypt_linux.cc

@@ -121,7 +121,7 @@ std::unique_ptr<crypto::SymmetricKey> GetEncryptionKey(Version version) {
 
   // Create an encryption key from our password and salt.
   std::unique_ptr<crypto::SymmetricKey> encryption_key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, *password, salt, kEncryptionIterations,
           kDerivedKeySizeInBits));
   DCHECK(encryption_key);

components/os_crypt/os_crypt_mac.mm

@@ -87,10 +87,11 @@ crypto::SymmetricKey* GetEncryptionKey() {
 
   // Create an encryption key from our password and salt. The key is
   // intentionally leaked.
-  cached_encryption_key = crypto::SymmetricKey::DeriveKeyFromPassword(
-                              crypto::SymmetricKey::AES, password, salt,
-                              kEncryptionIterations, kDerivedKeySizeInBits)
-                              .release();
+  cached_encryption_key =
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
+          crypto::SymmetricKey::AES, password, salt, kEncryptionIterations,
+          kDerivedKeySizeInBits)
+          .release();
   ANNOTATE_LEAKING_OBJECT_PTR(cached_encryption_key);
   DCHECK(cached_encryption_key);
   return cached_encryption_key;

components/os_crypt/os_crypt_posix.cc

@@ -46,11 +46,9 @@ crypto::SymmetricKey* GetEncryptionKey() {
 
   // Create an encryption key from our password and salt.
   std::unique_ptr<crypto::SymmetricKey> encryption_key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES,
-                                                  password,
-                                                  salt,
-                                                  kEncryptionIterations,
-                                                  kDerivedKeySizeInBits));
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
+          crypto::SymmetricKey::AES, password, salt, kEncryptionIterations,
+          kDerivedKeySizeInBits));
   DCHECK(encryption_key.get());
 
   return encryption_key.release();

components/sync/base/nigori.cc

@@ -69,25 +69,26 @@ bool Nigori::InitByDerivation(const std::string& hostname,
   salt_password << username << hostname;
 
   // Suser = PBKDF2(Username || Servername, "saltsalt", Nsalt, 8)
-  std::unique_ptr<SymmetricKey> user_salt(SymmetricKey::DeriveKeyFromPassword(
-      SymmetricKey::HMAC_SHA1, salt_password.str(), kSaltSalt, kSaltIterations,
-      kSaltKeySizeInBits));
+  std::unique_ptr<SymmetricKey> user_salt(
+      SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
+          SymmetricKey::HMAC_SHA1, salt_password.str(), kSaltSalt,
+          kSaltIterations, kSaltKeySizeInBits));
   DCHECK(user_salt);
 
   // Kuser = PBKDF2(P, Suser, Nuser, 16)
-  user_key_ = SymmetricKey::DeriveKeyFromPassword(
+  user_key_ = SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
       SymmetricKey::AES, password, user_salt->key(), kUserIterations,
       kDerivedKeySizeInBits);
   DCHECK(user_key_);
 
   // Kenc = PBKDF2(P, Suser, Nenc, 16)
-  encryption_key_ = SymmetricKey::DeriveKeyFromPassword(
+  encryption_key_ = SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
       SymmetricKey::AES, password, user_salt->key(), kEncryptionIterations,
       kDerivedKeySizeInBits);
   DCHECK(encryption_key_);
 
   // Kmac = PBKDF2(P, Suser, Nmac, 16)
-  mac_key_ = SymmetricKey::DeriveKeyFromPassword(
+  mac_key_ = SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
       SymmetricKey::HMAC_SHA1, password, user_salt->key(), kSigningIterations,
       kDerivedKeySizeInBits);
   DCHECK(mac_key_);

crypto/encryptor_unittest.cc

@@ -16,7 +16,7 @@
 
 TEST(EncryptorTest, EncryptDecrypt) {
   std::unique_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, "password", "saltiest", 1000, 256));
   EXPECT_TRUE(key.get());
 
@@ -40,27 +40,27 @@ TEST(EncryptorTest, EncryptDecrypt) {
 
 TEST(EncryptorTest, DecryptWrongKey) {
   std::unique_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, "password", "saltiest", 1000, 256));
   EXPECT_TRUE(key.get());
 
   // A wrong key that can be detected by implementations that validate every
   // byte in the padding.
   std::unique_ptr<crypto::SymmetricKey> wrong_key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, "wrongword", "sweetest", 1000, 256));
   EXPECT_TRUE(wrong_key.get());
 
   // A wrong key that can't be detected by any implementation.  The password
   // "wrongword;" would also work.
   std::unique_ptr<crypto::SymmetricKey> wrong_key2(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, "wrongword+", "sweetest", 1000, 256));
   EXPECT_TRUE(wrong_key2.get());
 
   // A wrong key that can be detected by all implementations.
   std::unique_ptr<crypto::SymmetricKey> wrong_key3(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::AES, "wrongwordx", "sweetest", 1000, 256));
   EXPECT_TRUE(wrong_key3.get());
 

crypto/symmetric_key.cc

@@ -18,6 +18,26 @@
 
 namespace crypto {
 
+namespace {
+
+bool CheckDerivationParameters(SymmetricKey::Algorithm algorithm,
+                               size_t key_size_in_bits) {
+  switch (algorithm) {
+    case SymmetricKey::AES:
+      // Whitelist supported key sizes to avoid accidentally relying on
+      // algorithms available in NSS but not BoringSSL and vice
+      // versa. Note that BoringSSL does not support AES-192.
+      return key_size_in_bits == 128 || key_size_in_bits == 256;
+    case SymmetricKey::HMAC_SHA1:
+      return key_size_in_bits % 8 == 0 && key_size_in_bits != 0;
+  }
+
+  NOTREACHED();
+  return false;
+}
+
+}  // namespace
+
 SymmetricKey::~SymmetricKey() {
   std::fill(key_.begin(), key_.end(), '\0');  // Zero out the confidential key.
 }
@@ -50,32 +70,22 @@ std::unique_ptr<SymmetricKey> SymmetricKey::GenerateRandomKey(
 }
 
 // static
-std::unique_ptr<SymmetricKey> SymmetricKey::DeriveKeyFromPassword(
+std::unique_ptr<SymmetricKey> SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
     Algorithm algorithm,
     const std::string& password,
     const std::string& salt,
     size_t iterations,
     size_t key_size_in_bits) {
-  DCHECK(algorithm == AES || algorithm == HMAC_SHA1);
-
-  if (algorithm == AES) {
-    // Whitelist supported key sizes to avoid accidentaly relying on
-    // algorithms available in NSS but not BoringSSL and vice
-    // versa. Note that BoringSSL does not support AES-192.
-    if (key_size_in_bits != 128 && key_size_in_bits != 256)
-      return nullptr;
-  }
+  if (!CheckDerivationParameters(algorithm, key_size_in_bits))
+    return nullptr;
 
   size_t key_size_in_bytes = key_size_in_bits / 8;
-  DCHECK_EQ(key_size_in_bits, key_size_in_bytes * 8);
-
-  if (key_size_in_bytes == 0)
-    return nullptr;
 
   OpenSSLErrStackTracer err_tracer(FROM_HERE);
   std::unique_ptr<SymmetricKey> key(new SymmetricKey);
   uint8_t* key_data = reinterpret_cast<uint8_t*>(
       base::WriteInto(&key->key_, key_size_in_bytes + 1));
+
   int rv = PKCS5_PBKDF2_HMAC_SHA1(
       password.data(), password.length(),
       reinterpret_cast<const uint8_t*>(salt.data()), salt.length(),
@@ -84,6 +94,34 @@ std::unique_ptr<SymmetricKey> SymmetricKey::DeriveKeyFromPassword(
   return rv == 1 ? std::move(key) : nullptr;
 }
 
+// static
+std::unique_ptr<SymmetricKey> SymmetricKey::DeriveKeyFromPasswordUsingScrypt(
+    Algorithm algorithm,
+    const std::string& password,
+    const std::string& salt,
+    size_t cost_parameter,
+    size_t block_size,
+    size_t parallelization_parameter,
+    size_t max_memory_bytes,
+    size_t key_size_in_bits) {
+  if (!CheckDerivationParameters(algorithm, key_size_in_bits))
+    return nullptr;
+
+  size_t key_size_in_bytes = key_size_in_bits / 8;
+
+  OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  std::unique_ptr<SymmetricKey> key(new SymmetricKey);
+  uint8_t* key_data = reinterpret_cast<uint8_t*>(
+      base::WriteInto(&key->key_, key_size_in_bytes + 1));
+
+  int rv = EVP_PBE_scrypt(password.data(), password.length(),
+                          reinterpret_cast<const uint8_t*>(salt.data()),
+                          salt.length(), cost_parameter, block_size,
+                          parallelization_parameter, max_memory_bytes, key_data,
+                          key_size_in_bytes);
+  return rv == 1 ? std::move(key) : nullptr;
+}
+
 // static
 std::unique_ptr<SymmetricKey> SymmetricKey::Import(Algorithm algorithm,
                                                    const std::string& raw_key) {

crypto/symmetric_key.h

@@ -41,17 +41,34 @@ class CRYPTO_EXPORT SymmetricKey {
   // used to derive the key from the password. |key_size_in_bits| must be a
   // multiple of 8. The caller is responsible for deleting the returned
   // SymmetricKey.
-  static std::unique_ptr<SymmetricKey> DeriveKeyFromPassword(
+  static std::unique_ptr<SymmetricKey> DeriveKeyFromPasswordUsingPbkdf2(
       Algorithm algorithm,
       const std::string& password,
       const std::string& salt,
       size_t iterations,
       size_t key_size_in_bits);
 
+  // Derives a key from the supplied password and salt using scrypt, suitable
+  // for use with specified |algorithm|. Note |algorithm| is not the algorithm
+  // used to derive the key from the password. |cost_parameter|, |block_size|,
+  // and |parallelization_parameter| correspond to the parameters |N|, |r|, and
+  // |p| from the scrypt specification (see RFC 7914). |key_size_in_bits| must
+  // be a multiple of 8. The caller is responsible for deleting the returned
+  // SymmetricKey.
+  static std::unique_ptr<SymmetricKey> DeriveKeyFromPasswordUsingScrypt(
+      Algorithm algorithm,
+      const std::string& password,
+      const std::string& salt,
+      size_t cost_parameter,
+      size_t block_size,
+      size_t parallelization_parameter,
+      size_t max_memory_bytes,
+      size_t key_size_in_bits);
+
   // Imports an array of key bytes in |raw_key|. This key may have been
-  // generated by GenerateRandomKey or DeriveKeyFromPassword and exported with
-  // key(). The key must be of suitable size for use with |algorithm|.
-  // The caller owns the returned SymmetricKey.
+  // generated by GenerateRandomKey or DeriveKeyFromPassword{Pbkdf2,Scrypt} and
+  // exported with key(). The key must be of suitable size for use with
+  // |algorithm|. The caller owns the returned SymmetricKey.
   static std::unique_ptr<SymmetricKey> Import(Algorithm algorithm,
                                               const std::string& raw_key);
 

crypto/symmetric_key_unittest.cc

@@ -40,7 +40,7 @@ TEST(SymmetricKeyTest, ImportGeneratedKey) {
 
 TEST(SymmetricKeyTest, ImportDerivedKey) {
   std::unique_ptr<crypto::SymmetricKey> key1(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           crypto::SymmetricKey::HMAC_SHA1, "password", "somesalt", 1024, 160));
   ASSERT_TRUE(key1);
 
@@ -57,17 +57,31 @@ struct PBKDF2TestVector {
   const char* salt;
   unsigned int rounds;
   unsigned int key_size_in_bits;
-  const char* expected;  // ASCII encoded hex bytes
+  const char* expected;  // ASCII encoded hex bytes.
 };
 
-class SymmetricKeyDeriveKeyFromPasswordTest
-    : public testing::TestWithParam<PBKDF2TestVector> {
+struct ScryptTestVector {
+  crypto::SymmetricKey::Algorithm algorithm;
+  const char* password;
+  const char* salt;
+  unsigned int cost_parameter;
+  unsigned int block_size;
+  unsigned int parallelization_parameter;
+  unsigned int key_size_in_bits;
+  const char* expected;  // ASCII encoded hex bytes.
 };
 
-TEST_P(SymmetricKeyDeriveKeyFromPasswordTest, DeriveKeyFromPassword) {
+class SymmetricKeyDeriveKeyFromPasswordUsingPbkdf2Test
+    : public testing::TestWithParam<PBKDF2TestVector> {};
+
+class SymmetricKeyDeriveKeyFromPasswordUsingScryptTest
+    : public testing::TestWithParam<ScryptTestVector> {};
+
+TEST_P(SymmetricKeyDeriveKeyFromPasswordUsingPbkdf2Test,
+       DeriveKeyFromPasswordUsingPbkdf2) {
   PBKDF2TestVector test_data(GetParam());
   std::unique_ptr<crypto::SymmetricKey> key(
-      crypto::SymmetricKey::DeriveKeyFromPassword(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
           test_data.algorithm, test_data.password, test_data.salt,
           test_data.rounds, test_data.key_size_in_bits));
   ASSERT_TRUE(key);
@@ -79,34 +93,41 @@ TEST_P(SymmetricKeyDeriveKeyFromPasswordTest, DeriveKeyFromPassword) {
                                                raw_key.size())));
 }
 
-static const PBKDF2TestVector kTestVectors[] = {
-  // These tests come from
-  // http://www.ietf.org/id/draft-josefsson-pbkdf2-test-vectors-00.txt
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "salt",
-    1,
-    160,
-    "0c60c80f961f0e71f3a9b524af6012062fe037a6",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "salt",
-    2,
-    160,
-    "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "salt",
-    4096,
-    160,
-    "4b007901b765489abead49d926f721d065a429c1",
-  },
-  // This test takes over 30s to run on the trybots.
+TEST_P(SymmetricKeyDeriveKeyFromPasswordUsingScryptTest,
+       DeriveKeyFromPasswordUsingScrypt) {
+  const int kScryptMaxMemoryBytes = 128 * 1024 * 1024;  // 128 MiB.
+
+  ScryptTestVector test_data(GetParam());
+  std::unique_ptr<crypto::SymmetricKey> key(
+      crypto::SymmetricKey::DeriveKeyFromPasswordUsingScrypt(
+          test_data.algorithm, test_data.password, test_data.salt,
+          test_data.cost_parameter, test_data.block_size,
+          test_data.parallelization_parameter, kScryptMaxMemoryBytes,
+          test_data.key_size_in_bits));
+  ASSERT_TRUE(key);
+
+  const std::string& raw_key = key->key();
+  EXPECT_EQ(test_data.key_size_in_bits / 8, raw_key.size());
+  EXPECT_EQ(test_data.expected, base::ToLowerASCII(base::HexEncode(
+                                    raw_key.data(), raw_key.size())));
+}
+
+static const PBKDF2TestVector kTestVectorsPbkdf2[] = {
+    // These tests come from
+    // http://www.ietf.org/id/draft-josefsson-pbkdf2-test-vectors-00.txt.
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "salt", 1, 160,
+        "0c60c80f961f0e71f3a9b524af6012062fe037a6",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "salt", 2, 160,
+        "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "salt", 4096, 160,
+        "4b007901b765489abead49d926f721d065a429c1",
+    },
+// This test takes over 30s to run on the trybots.
 #if 0
   {
     crypto::SymmetricKey::HMAC_SHA1,
@@ -118,83 +139,78 @@ static const PBKDF2TestVector kTestVectors[] = {
   },
 #endif
 
-  // These tests come from RFC 3962, via BSD source code at
-  // http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/bioctl/pbkdf2.c?rev=HEAD&content-type=text/plain
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "ATHENA.MIT.EDUraeburn",
-    1,
-    160,
-    "cdedb5281bb2f801565a1122b25635150ad1f7a0",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "ATHENA.MIT.EDUraeburn",
-    2,
-    160,
-    "01dbee7f4a9e243e988b62c73cda935da05378b9",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "ATHENA.MIT.EDUraeburn",
-    1200,
-    160,
-    "5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddb",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "password",
-    "\022" "4VxxV4\022", /* 0x1234567878563412 */
-    5,
-    160,
-    "d1daa78615f287e6a1c8b120d7062a493f98d203",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
-    "pass phrase equals block size",
-    1200,
-    160,
-    "139c30c0966bc32ba55fdbf212530ac9c5ec59f1",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
-    "pass phrase exceeds block size",
-    1200,
-    160,
-    "9ccad6d468770cd51b10e6a68721be611a8b4d28",
-  },
-  {
-    crypto::SymmetricKey::HMAC_SHA1,
-    "\360\235\204\236", /* g-clef (0xf09d849e) */
-    "EXAMPLE.COMpianist",
-    50,
-    160,
-    "6b9cf26d45455a43a5b8bb276a403b39e7fe37a0",
-  },
-
-  // Regression tests for AES keys, derived from the Linux NSS implementation.
-  {
-    crypto::SymmetricKey::AES,
-    "A test password",
-    "saltsalt",
-    1,
-    256,
-    "44899a7777f0e6e8b752f875f02044b8ac593de146de896f2e8a816e315a36de",
-  },
-  {
-    crypto::SymmetricKey::AES,
-    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
-    "pass phrase exceeds block size",
-    20,
-    256,
-    "e0739745dc28b8721ba402e05214d2ac1eab54cf72bee1fba388297a09eb493c",
-  },
+    // These tests come from RFC 3962, via BSD source code at
+    // http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/bioctl/pbkdf2.c?rev=HEAD&content-type=text/plain.
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "ATHENA.MIT.EDUraeburn", 1,
+        160, "cdedb5281bb2f801565a1122b25635150ad1f7a0",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "ATHENA.MIT.EDUraeburn", 2,
+        160, "01dbee7f4a9e243e988b62c73cda935da05378b9",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password", "ATHENA.MIT.EDUraeburn",
+        1200, 160, "5c08eb61fdf71e4e4ec3cf6ba1f5512ba7e52ddb",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1, "password",
+        "\022"
+        "4VxxV4\022", /* 0x1234567878563412 */
+        5, 160, "d1daa78615f287e6a1c8b120d7062a493f98d203",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1,
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+        "pass phrase equals block size", 1200, 160,
+        "139c30c0966bc32ba55fdbf212530ac9c5ec59f1",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1,
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+        "pass phrase exceeds block size", 1200, 160,
+        "9ccad6d468770cd51b10e6a68721be611a8b4d28",
+    },
+    {
+        crypto::SymmetricKey::HMAC_SHA1,
+        "\360\235\204\236", /* g-clef (0xf09d849e) */
+        "EXAMPLE.COMpianist", 50, 160,
+        "6b9cf26d45455a43a5b8bb276a403b39e7fe37a0",
+    },
+
+    // Regression tests for AES keys, derived from the Linux NSS implementation.
+    {
+        crypto::SymmetricKey::AES, "A test password", "saltsalt", 1, 256,
+        "44899a7777f0e6e8b752f875f02044b8ac593de146de896f2e8a816e315a36de",
+    },
+    {
+        crypto::SymmetricKey::AES,
+        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+        "pass phrase exceeds block size", 20, 256,
+        "e0739745dc28b8721ba402e05214d2ac1eab54cf72bee1fba388297a09eb493c",
+    },
 };
 
-INSTANTIATE_TEST_CASE_P(, SymmetricKeyDeriveKeyFromPasswordTest,
-                        testing::ValuesIn(kTestVectors));
+static const ScryptTestVector kTestVectorsScrypt[] = {
+    // From RFC 7914, "The scrypt Password-Based Key Derivation Function",
+    // https://tools.ietf.org/html/rfc7914.html. The fourth test vector is
+    // intentionally not used, as it would make the test significantly slower,
+    // due to the very high cost parameter.
+    {crypto::SymmetricKey::HMAC_SHA1, "", "", 16, 1, 1, 512,
+     "77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069de"
+     "d0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906"},
+    {crypto::SymmetricKey::HMAC_SHA1, "password", "NaCl", 1024, 8, 16, 512,
+     "fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92"
+     "e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640"},
+    {crypto::SymmetricKey::HMAC_SHA1, "pleaseletmein", "SodiumChloride", 16384,
+     8, 1, 512,
+     "7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d54329556"
+     "13f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887"}};
+
+INSTANTIATE_TEST_CASE_P(,
+                        SymmetricKeyDeriveKeyFromPasswordUsingPbkdf2Test,
+                        testing::ValuesIn(kTestVectorsPbkdf2));
+
+INSTANTIATE_TEST_CASE_P(,
+                        SymmetricKeyDeriveKeyFromPasswordUsingScryptTest,
+                        testing::ValuesIn(kTestVectorsScrypt));

extensions/browser/api/lock_screen_data/data_item_unittest.cc

@@ -114,7 +114,7 @@ class DataItemTest : public testing::Test {
 
   std::string GenerateKey(const std::string& password) {
     std::unique_ptr<crypto::SymmetricKey> key =
-        crypto::SymmetricKey::DeriveKeyFromPassword(
+        crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
             crypto::SymmetricKey::AES, password, "salt", 1000, 256);
     if (!key) {
       ADD_FAILURE() << "Failed to create symmetric key";

extensions/browser/api/lock_screen_data/lock_screen_value_store_migrator_impl_unittest.cc

@@ -138,7 +138,7 @@ class LockScreenValueStoreMigratorImplTest : public testing::Test {
 
   std::string GenerateKey(const std::string& password) {
     std::unique_ptr<crypto::SymmetricKey> key =
-        crypto::SymmetricKey::DeriveKeyFromPassword(
+        crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
             crypto::SymmetricKey::AES, password, "salt", 1000, 256);
     if (!key) {
       ADD_FAILURE() << "Failed to create symmetric key";

net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc

@@ -65,12 +65,12 @@ class CookieCryptor : public CookieCryptoDelegate {
 
 CookieCryptor::CookieCryptor()
     : should_encrypt_(true),
-      key_(
-          crypto::SymmetricKey::DeriveKeyFromPassword(crypto::SymmetricKey::AES,
-                                                      "password",
-                                                      "saltiest",
-                                                      1000,
-                                                      256)) {
+      key_(crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2(
+          crypto::SymmetricKey::AES,
+          "password",
+          "saltiest",
+          1000,
+          256)) {
   std::string iv("the iv: 16 bytes");
   encryptor_.Init(key_.get(), crypto::Encryptor::CBC, iv);
 }