From 39f93910075e1cf492fcf4a9f99a53c7d0b96b87 Mon Sep 17 00:00:00 2001
From: VastBlast <vastblastgaming@gmail.com>
Date: Tue, 2 Jun 2026 06:03:54 +0000
Subject: [PATCH] Merge commit from fork

* Fix wolfCrypt PBKDF2 key derivation

* Document wolfSSL PBKDF2 build option

* Handle wolfCrypt PBKDF2 failures
---
 src/Crypto/wolfCrypt.c  | 31 ++++++++++++++++++++++++-------
 src/Crypto/wolfCrypt.md |  2 +-
 2 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/src/Crypto/wolfCrypt.c b/src/Crypto/wolfCrypt.c
index da0fbe2f..cbfa9018 100644
--- a/src/Crypto/wolfCrypt.c
+++ b/src/Crypto/wolfCrypt.c
@@ -3,7 +3,8 @@
 #include "Aes.h"
 #include "Sha2.h"
 #include "../Common/Crypto.h"
-#include <wolfssl/wolfcrypt/hmac.h>
+#include "../Common/Pkcs5.h"
+#include <wolfssl/wolfcrypt/pwdbased.h>
 
 
 AES_RETURN aes_init()
@@ -232,12 +233,28 @@ void sha512(unsigned char * result, const unsigned char* source, uint_64t source
     wc_Sha512Free(&sha512);
 }
 
-void derive_key_sha512 (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) {
-    (void) iterations;
-    wc_HKDF(WC_SHA512, (uint8*)pwd, (word32)pwd_len, (uint8*)salt, (word32)salt_len, NULL, 0, (uint8*)dk, (word32)dklen);
+void derive_key_sha512 (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen
+#ifndef TC_WINDOWS_BOOT
+    , long volatile *pAbortKeyDerivation
+#endif
+)
+{
+#ifndef TC_WINDOWS_BOOT
+    (void) pAbortKeyDerivation;
+#endif
+    if (wc_PBKDF2 ((byte*) dk, (const byte*) pwd, pwd_len, (const byte*) salt, salt_len, (int) iterations, dklen, WC_SHA512) != 0)
+        burn (dk, dklen);
 }
 
-void derive_key_sha256 (unsigned char *pwd, int pwd_len, unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen) {
-    (void) iterations;
-    wc_HKDF(WC_SHA256, (uint8*)pwd, (word32)pwd_len, (uint8*)salt, (word32)salt_len, NULL, 0, (uint8*)dk, (word32)dklen);
+void derive_key_sha256 (const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, unsigned char *dk, int dklen
+#ifndef TC_WINDOWS_BOOT
+    , long volatile *pAbortKeyDerivation
+#endif
+)
+{
+#ifndef TC_WINDOWS_BOOT
+    (void) pAbortKeyDerivation;
+#endif
+    if (wc_PBKDF2 ((byte*) dk, (const byte*) pwd, pwd_len, (const byte*) salt, salt_len, (int) iterations, dklen, WC_SHA256) != 0)
+        burn (dk, dklen);
 }
diff --git a/src/Crypto/wolfCrypt.md b/src/Crypto/wolfCrypt.md
index 32ccf242..ea98ad54 100644
--- a/src/Crypto/wolfCrypt.md
+++ b/src/Crypto/wolfCrypt.md
@@ -10,7 +10,7 @@ Clone wolfSSL and build it as shown below.
 ```
 git clone https://github.com/wolfssl/wolfssl && cd wolfssl
 ./autogen.sh
-./configure --enable-xts CFLAGS="-DNO_OLD_WC_NAMES"
+./configure --enable-xts --enable-pwdbased CFLAGS="-DNO_OLD_WC_NAMES"
 make
 sudo make install
 ```