|             Line data    Source code 
       1              : //! Functions to encrypt a password in the client.
       2              : //!
       3              : //! This is intended to be used by client applications that wish to
       4              : //! send commands like `ALTER USER joe PASSWORD 'pwd'`. The password
       5              : //! need not be sent in cleartext if it is encrypted on the client
       6              : //! side. This is good because it ensures the cleartext password won't
       7              : //! end up in logs pg_stat displays, etc.
       8              : 
       9              : use base64::Engine as _;
      10              : use base64::prelude::BASE64_STANDARD;
      11              : use hmac::{Hmac, Mac};
      12              : use rand::RngCore;
      13              : use sha2::digest::FixedOutput;
      14              : use sha2::{Digest, Sha256};
      15              : 
      16              : use crate::authentication::sasl;
      17              : 
      18              : #[cfg(test)]
      19              : mod test;
      20              : 
      21              : const SCRAM_DEFAULT_ITERATIONS: u32 = 4096;
      22              : const SCRAM_DEFAULT_SALT_LEN: usize = 16;
      23              : 
      24              : /// Hash password using SCRAM-SHA-256 with a randomly-generated
      25              : /// salt.
      26              : ///
      27              : /// The client may assume the returned string doesn't contain any
      28              : /// special characters that would require escaping in an SQL command.
      29           17 : pub async fn scram_sha_256(password: &[u8]) -> String {
      30           17 :     let mut salt: [u8; SCRAM_DEFAULT_SALT_LEN] = [0; SCRAM_DEFAULT_SALT_LEN];
      31           17 :     let mut rng = rand::rng();
      32           17 :     rng.fill_bytes(&mut salt);
      33           17 :     scram_sha_256_salt(password, salt).await
      34           17 : }
      35              : 
      36              : // Internal implementation of scram_sha_256 with a caller-provided
      37              : // salt. This is useful for testing.
      38           18 : pub(crate) async fn scram_sha_256_salt(
      39           18 :     password: &[u8],
      40           18 :     salt: [u8; SCRAM_DEFAULT_SALT_LEN],
      41           18 : ) -> String {
      42              :     // Prepare the password, per [RFC
      43              :     // 4013](https://tools.ietf.org/html/rfc4013), if possible.
      44              :     //
      45              :     // Postgres treats passwords as byte strings (without embedded NUL
      46              :     // bytes), but SASL expects passwords to be valid UTF-8.
      47              :     //
      48              :     // Follow the behavior of libpq's PQencryptPasswordConn(), and
      49              :     // also the backend. If the password is not valid UTF-8, or if it
      50              :     // contains prohibited characters (such as non-ASCII whitespace),
      51              :     // just skip the SASLprep step and use the original byte
      52              :     // sequence.
      53           18 :     let prepared: Vec<u8> = match std::str::from_utf8(password) {
      54           18 :         Ok(password_str) => {
      55           18 :             match stringprep::saslprep(password_str) {
      56           18 :                 Ok(p) => p.into_owned().into_bytes(),
      57              :                 // contains invalid characters; skip saslprep
      58            0 :                 Err(_) => Vec::from(password),
      59              :             }
      60              :         }
      61              :         // not valid UTF-8; skip saslprep
      62            0 :         Err(_) => Vec::from(password),
      63              :     };
      64              : 
      65              :     // salt password
      66           18 :     let salted_password = sasl::hi(&prepared, &salt, SCRAM_DEFAULT_ITERATIONS).await;
      67              : 
      68              :     // client key
      69           18 :     let mut hmac = Hmac::<Sha256>::new_from_slice(&salted_password)
      70           18 :         .expect("HMAC is able to accept all key sizes");
      71           18 :     hmac.update(b"Client Key");
      72           18 :     let client_key = hmac.finalize().into_bytes();
      73              : 
      74              :     // stored key
      75           18 :     let mut hash = Sha256::default();
      76           18 :     hash.update(client_key.as_slice());
      77           18 :     let stored_key = hash.finalize_fixed();
      78              : 
      79              :     // server key
      80           18 :     let mut hmac = Hmac::<Sha256>::new_from_slice(&salted_password)
      81           18 :         .expect("HMAC is able to accept all key sizes");
      82           18 :     hmac.update(b"Server Key");
      83           18 :     let server_key = hmac.finalize().into_bytes();
      84              : 
      85           18 :     format!(
      86           18 :         "SCRAM-SHA-256${}:{}${}:{}",
      87              :         SCRAM_DEFAULT_ITERATIONS,
      88           18 :         BASE64_STANDARD.encode(salt),
      89           18 :         BASE64_STANDARD.encode(stored_key),
      90           18 :         BASE64_STANDARD.encode(server_key)
      91              :     )
      92           18 : }
         |