> The command line is using salt as the HMAC key and "password" as the data to > be HMACed while your program has those reversed.
<facepalm/> Funny thing is, this is all part of trying to build a PBKDF2 implementation, but the way I read the RFC regarding the calculation of U_1, I was certain that the command line example was the right way of doing it. Switching the pass and salt values makes all of my unit tests pass though, so it's hard to argue with the results.