postgres_protocol/password/
mod.rs1use crate::authentication::sasl;
10use base64::display::Base64Display;
11use base64::engine::general_purpose::STANDARD;
12use hmac::{Hmac, Mac};
13use md5::Md5;
14use rand::RngCore;
15use sha2::digest::FixedOutput;
16use sha2::{Digest, Sha256};
17
18#[cfg(test)]
19mod test;
20
21const SCRAM_DEFAULT_ITERATIONS: u32 = 4096;
22const SCRAM_DEFAULT_SALT_LEN: usize = 16;
23
24pub fn scram_sha_256(password: &[u8]) -> String {
30 let mut salt: [u8; SCRAM_DEFAULT_SALT_LEN] = [0; SCRAM_DEFAULT_SALT_LEN];
31 let mut rng = rand::rng();
32 rng.fill_bytes(&mut salt);
33 scram_sha_256_salt(password, salt)
34}
35
36pub(crate) fn scram_sha_256_salt(password: &[u8], salt: [u8; SCRAM_DEFAULT_SALT_LEN]) -> String {
39 let prepared: Vec<u8> = match std::str::from_utf8(password) {
51 Ok(password_str) => {
52 match stringprep::saslprep(password_str) {
53 Ok(p) => p.into_owned().into_bytes(),
54 Err(_) => Vec::from(password),
56 }
57 }
58 Err(_) => Vec::from(password),
60 };
61
62 let salted_password = sasl::hi(&prepared, &salt, SCRAM_DEFAULT_ITERATIONS);
64
65 let mut hmac = Hmac::<Sha256>::new_from_slice(&salted_password)
67 .expect("HMAC is able to accept all key sizes");
68 hmac.update(b"Client Key");
69 let client_key = hmac.finalize().into_bytes();
70
71 let mut hash = Sha256::default();
73 hash.update(client_key.as_slice());
74 let stored_key = hash.finalize_fixed();
75
76 let mut hmac = Hmac::<Sha256>::new_from_slice(&salted_password)
78 .expect("HMAC is able to accept all key sizes");
79 hmac.update(b"Server Key");
80 let server_key = hmac.finalize().into_bytes();
81
82 format!(
83 "SCRAM-SHA-256${}:{}${}:{}",
84 SCRAM_DEFAULT_ITERATIONS,
85 Base64Display::new(&salt, &STANDARD),
86 Base64Display::new(&stored_key, &STANDARD),
87 Base64Display::new(&server_key, &STANDARD)
88 )
89}
90
91pub fn md5(password: &[u8], username: &str) -> String {
98 let mut salted_password = Vec::from(password);
100 salted_password.extend_from_slice(username.as_bytes());
101
102 let mut hash = Md5::new();
103 hash.update(&salted_password);
104 let digest = hash.finalize();
105 format!("md5{:x}", digest)
106}