LCOV - code coverage report
Current view: top level - proxy/src - scram.rs (source / functions) Coverage Total Hit
Test: a43a77853355b937a79c57b07a8f05607cf29e6c.info Lines: 93.7 % 79 74
Test Date: 2024-09-19 12:04:32 Functions: 100.0 % 13 13

            Line data    Source code
       1              : //! Salted Challenge Response Authentication Mechanism.
       2              : //!
       3              : //! RFC: <https://datatracker.ietf.org/doc/html/rfc5802>.
       4              : //!
       5              : //! Reference implementation:
       6              : //! * <https://github.com/postgres/postgres/blob/94226d4506e66d6e7cbf4b391f1e7393c1962841/src/backend/libpq/auth-scram.c>
       7              : //! * <https://github.com/postgres/postgres/blob/94226d4506e66d6e7cbf4b391f1e7393c1962841/src/interfaces/libpq/fe-auth-scram.c>
       8              : 
       9              : mod countmin;
      10              : mod exchange;
      11              : mod key;
      12              : mod messages;
      13              : mod pbkdf2;
      14              : mod secret;
      15              : mod signature;
      16              : pub mod threadpool;
      17              : 
      18              : pub(crate) use exchange::{exchange, Exchange};
      19              : pub(crate) use key::ScramKey;
      20              : pub(crate) use secret::ServerSecret;
      21              : 
      22              : use hmac::{Hmac, Mac};
      23              : use sha2::{Digest, Sha256};
      24              : 
      25              : const SCRAM_SHA_256: &str = "SCRAM-SHA-256";
      26              : const SCRAM_SHA_256_PLUS: &str = "SCRAM-SHA-256-PLUS";
      27              : 
      28              : /// A list of supported SCRAM methods.
      29              : pub(crate) const METHODS: &[&str] = &[SCRAM_SHA_256_PLUS, SCRAM_SHA_256];
      30              : pub(crate) const METHODS_WITHOUT_PLUS: &[&str] = &[SCRAM_SHA_256];
      31              : 
      32              : /// Decode base64 into array without any heap allocations
      33           49 : fn base64_decode_array<const N: usize>(input: impl AsRef<[u8]>) -> Option<[u8; N]> {
      34           49 :     let mut bytes = [0u8; N];
      35              : 
      36           49 :     let size = base64::decode_config_slice(input, base64::STANDARD, &mut bytes).ok()?;
      37           49 :     if size != N {
      38            0 :         return None;
      39           49 :     }
      40           49 : 
      41           49 :     Some(bytes)
      42           49 : }
      43              : 
      44              : /// This function essentially is `Hmac(sha256, key, input)`.
      45              : /// Further reading: <https://datatracker.ietf.org/doc/html/rfc2104>.
      46           15 : fn hmac_sha256<'a>(key: &[u8], parts: impl IntoIterator<Item = &'a [u8]>) -> [u8; 32] {
      47           15 :     let mut mac = Hmac::<Sha256>::new_from_slice(key).expect("bad key size");
      48           75 :     parts.into_iter().for_each(|s| mac.update(s));
      49           15 : 
      50           15 :     mac.finalize().into_bytes().into()
      51           15 : }
      52              : 
      53           12 : fn sha256<'a>(parts: impl IntoIterator<Item = &'a [u8]>) -> [u8; 32] {
      54           12 :     let mut hasher = Sha256::new();
      55           12 :     parts.into_iter().for_each(|s| hasher.update(s));
      56           12 : 
      57           12 :     hasher.finalize().into()
      58           12 : }
      59              : 
      60              : #[cfg(test)]
      61              : mod tests {
      62              :     use crate::{
      63              :         intern::EndpointIdInt,
      64              :         sasl::{Mechanism, Step},
      65              :         EndpointId,
      66              :     };
      67              : 
      68              :     use super::{threadpool::ThreadPool, Exchange, ServerSecret};
      69              : 
      70              :     #[test]
      71            1 :     fn snapshot() {
      72            1 :         let iterations = 4096;
      73            1 :         let salt = "QSXCR+Q6sek8bf92";
      74            1 :         let stored_key = "FO+9jBb3MUukt6jJnzjPZOWc5ow/Pu6JtPyju0aqaE8=";
      75            1 :         let server_key = "qxJ1SbmSAi5EcS0J5Ck/cKAm/+Ixa+Kwp63f4OHDgzo=";
      76            1 :         let secret = format!("SCRAM-SHA-256${iterations}:{salt}${stored_key}:{server_key}",);
      77            1 :         let secret = ServerSecret::parse(&secret).unwrap();
      78              : 
      79              :         const NONCE: [u8; 18] = [
      80              :             1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
      81              :         ];
      82            1 :         let mut exchange = Exchange::new(
      83            1 :             &secret,
      84            1 :             || NONCE,
      85            1 :             crate::config::TlsServerEndPoint::Undefined,
      86            1 :         );
      87            1 : 
      88            1 :         let client_first = "n,,n=user,r=rOprNGfwEbeRWgbNEkqO";
      89            1 :         let client_final = "c=biws,r=rOprNGfwEbeRWgbNEkqOAQIDBAUGBwgJCgsMDQ4PEBES,p=rw1r5Kph5ThxmaUBC2GAQ6MfXbPnNkFiTIvdb/Rear0=";
      90            1 :         let server_first =
      91            1 :             "r=rOprNGfwEbeRWgbNEkqOAQIDBAUGBwgJCgsMDQ4PEBES,s=QSXCR+Q6sek8bf92,i=4096";
      92            1 :         let server_final = "v=qtUDIofVnIhM7tKn93EQUUt5vgMOldcDVu1HC+OH0o0=";
      93              : 
      94            1 :         exchange = match exchange.exchange(client_first).unwrap() {
      95            1 :             Step::Continue(exchange, message) => {
      96            1 :                 assert_eq!(message, server_first);
      97            1 :                 exchange
      98              :             }
      99            0 :             Step::Success(_, _) => panic!("expected continue, got success"),
     100            0 :             Step::Failure(f) => panic!("{f}"),
     101              :         };
     102              : 
     103            1 :         let key = match exchange.exchange(client_final).unwrap() {
     104            1 :             Step::Success(key, message) => {
     105            1 :                 assert_eq!(message, server_final);
     106            1 :                 key
     107              :             }
     108            0 :             Step::Continue(_, _) => panic!("expected success, got continue"),
     109            0 :             Step::Failure(f) => panic!("{f}"),
     110              :         };
     111              : 
     112            1 :         assert_eq!(
     113            1 :             key.as_bytes(),
     114            1 :             [
     115            1 :                 74, 103, 1, 132, 12, 31, 200, 48, 28, 54, 82, 232, 207, 12, 138, 189, 40, 32, 134,
     116            1 :                 27, 125, 170, 232, 35, 171, 167, 166, 41, 70, 228, 182, 112,
     117            1 :             ]
     118            1 :         );
     119            1 :     }
     120              : 
     121            2 :     async fn run_round_trip_test(server_password: &str, client_password: &str) {
     122            2 :         let pool = ThreadPool::new(1);
     123            2 : 
     124            2 :         let ep = EndpointId::from("foo");
     125            2 :         let ep = EndpointIdInt::from(ep);
     126              : 
     127            6 :         let scram_secret = ServerSecret::build(server_password).await.unwrap();
     128            2 :         let outcome = super::exchange(&pool, ep, &scram_secret, client_password.as_bytes())
     129            2 :             .await
     130            2 :             .unwrap();
     131            2 : 
     132            2 :         match outcome {
     133            1 :             crate::sasl::Outcome::Success(_) => {}
     134            1 :             crate::sasl::Outcome::Failure(r) => panic!("{r}"),
     135              :         }
     136            1 :     }
     137              : 
     138              :     #[tokio::test]
     139            1 :     async fn round_trip() {
     140            4 :         run_round_trip_test("pencil", "pencil").await;
     141            1 :     }
     142              : 
     143              :     #[tokio::test]
     144              :     #[should_panic(expected = "password doesn't match")]
     145            1 :     async fn failure() {
     146            4 :         run_round_trip_test("pencil", "eraser").await;
     147            1 :     }
     148              : }
        

Generated by: LCOV version 2.1-beta