dnim/rust-postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update hmac and sha2

Browse Source
This commit is contained in:
Steven Fackler 2020-06-10 16:45:58 -07:00
parent 2b59b7e63c
commit 58a7856646
2 changed files with 20 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
postgres-protocol/Cargo.toml
View File

@ -13,9 +13,9 @@ base64 = "0.12"
byteorder = "1.0" byteorder = "1.0"
bytes = "0.5" bytes = "0.5"
fallible-iterator = "0.2" fallible-iterator = "0.2"
hmac = "0.7" hmac = "0.8"
md5 = "0.7" md5 = "0.7"
memchr = "2.0" memchr = "2.0"
rand = "0.7" rand = "0.7"
sha2 = "0.8" sha2 = "0.9"
stringprep = "0.1" stringprep = "0.1"

35
postgres-protocol/src/authentication/sasl.rs
View File

@ -1,8 +1,9 @@
//! SASL-based authentication support. //! SASL-based authentication support.
use hmac::{Hmac, Mac}; use hmac::{Hmac, Mac, NewMac};
use rand::{self, Rng}; use rand::{self, Rng};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use sha2::digest::FixedOutput;
use std::fmt::Write; use std::fmt::Write;
use std::io; use std::io;
use std::iter; use std::iter;
@ -33,16 +34,16 @@ fn normalize(pass: &[u8]) -> Vec<u8> {
fn hi(str: &[u8], salt: &[u8], i: u32) -> [u8; 32] { fn hi(str: &[u8], salt: &[u8], i: u32) -> [u8; 32] {
let mut hmac = Hmac::<Sha256>::new_varkey(str).expect("HMAC is able to accept all key sizes"); let mut hmac = Hmac::<Sha256>::new_varkey(str).expect("HMAC is able to accept all key sizes");
hmac.input(salt); hmac.update(salt);
hmac.input(&[0, 0, 0, 1]); hmac.update(&[0, 0, 0, 1]);
let mut prev = hmac.result().code(); let mut prev = hmac.finalize().into_bytes();
let mut hi = prev; let mut hi = prev;
for _ in 1..i { for _ in 1..i {
let mut hmac = Hmac::<Sha256>::new_varkey(str).expect("already checked above"); let mut hmac = Hmac::<Sha256>::new_varkey(str).expect("already checked above");
hmac.input(prev.as_slice()); hmac.update(&prev);
prev = hmac.result().code(); prev = hmac.finalize().into_bytes();
for (hi, prev) in hi.iter_mut().zip(prev) { for (hi, prev) in hi.iter_mut().zip(prev) {
*hi ^= prev; *hi ^= prev;
@ -196,12 +197,12 @@ impl ScramSha256 {
let mut hmac = Hmac::<Sha256>::new_varkey(&salted_password) let mut hmac = Hmac::<Sha256>::new_varkey(&salted_password)
.expect("HMAC is able to accept all key sizes"); .expect("HMAC is able to accept all key sizes");
hmac.input(b"Client Key"); hmac.update(b"Client Key");
let client_key = hmac.result().code(); let client_key = hmac.finalize().into_bytes();
let mut hash = Sha256::default(); let mut hash = Sha256::default();
hash.input(client_key.as_slice()); hash.update(client_key.as_slice());
let stored_key = hash.result(); let stored_key = hash.finalize_fixed();
let mut cbind_input = vec![]; let mut cbind_input = vec![];
cbind_input.extend(channel_binding.gs2_header().as_bytes()); cbind_input.extend(channel_binding.gs2_header().as_bytes());
@ -215,11 +216,11 @@ impl ScramSha256 {
let mut hmac = let mut hmac =
Hmac::<Sha256>::new_varkey(&stored_key).expect("HMAC is able to accept all key sizes"); Hmac::<Sha256>::new_varkey(&stored_key).expect("HMAC is able to accept all key sizes");
hmac.input(auth_message.as_bytes()); hmac.update(auth_message.as_bytes());
let client_signature = hmac.result(); let client_signature = hmac.finalize().into_bytes();
let mut client_proof = client_key; let mut client_proof = client_key;
for (proof, signature) in client_proof.iter_mut().zip(client_signature.code()) { for (proof, signature) in client_proof.iter_mut().zip(client_signature) {
*proof ^= signature; *proof ^= signature;
} }
@ -267,12 +268,12 @@ impl ScramSha256 {
let mut hmac = Hmac::<Sha256>::new_varkey(&salted_password) let mut hmac = Hmac::<Sha256>::new_varkey(&salted_password)
.expect("HMAC is able to accept all key sizes"); .expect("HMAC is able to accept all key sizes");
hmac.input(b"Server Key"); hmac.update(b"Server Key");
let server_key = hmac.result(); let server_key = hmac.finalize().into_bytes();
let mut hmac = Hmac::<Sha256>::new_varkey(&server_key.code()) let mut hmac = Hmac::<Sha256>::new_varkey(&server_key)
.expect("HMAC is able to accept all key sizes"); .expect("HMAC is able to accept all key sizes");
hmac.input(auth_message.as_bytes()); hmac.update(auth_message.as_bytes());
hmac.verify(&verifier) hmac.verify(&verifier)
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "SCRAM verification error")) .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "SCRAM verification error"))
} }