pep/xmpp-rs-mirror
1
0
Fork 0
mirror of https://gitlab.com/xmpp-rs/xmpp-rs.git synced 2024-07-12 22:21:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'update-dependency-and-edition' into 'master'

Browse source 
Update dependencies, edition, remove OpenSSL, and release 0.4.3

Closes #4

See merge request lumi/sasl-rs!5
This commit is contained in:
lumi 2019-01-17 23:31:54 +00:00
commit 999e7adaf6
12 changed files with 98 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
sasl/Cargo.toml
View file

@ -1,6 +1,6 @@
[package] [package]
name = "sasl" name = "sasl"
version = "0.4.2" version = "0.4.3"
authors = ["lumi <lumi@pew.im>"] authors = ["lumi <lumi@pew.im>"]
description = "A crate for SASL authentication. Currently only does the client side." description = "A crate for SASL authentication. Currently only does the client side."
homepage = "https://gitlab.com/lumi/sasl-rs" homepage = "https://gitlab.com/lumi/sasl-rs"
@ -9,17 +9,19 @@ documentation = "https://docs.rs/sasl"
readme = "README.md" readme = "README.md"
keywords = ["sasl", "authentication"] keywords = ["sasl", "authentication"]
license = "LGPL-3.0+" license = "LGPL-3.0+"
edition = "2018"
[badges] [badges]
gitlab = { repository = "lumi/sasl-rs" } gitlab = { repository = "lumi/sasl-rs" }
[features] [features]
default = ["scram"] default = ["scram"]
scram = ["openssl"] scram = []
[dependencies] [dependencies]
base64 = "0.9.1" base64 = "0.10"
rand_os = "0.1"
[dependencies.openssl] sha-1 = "0.8"
version = "0.10.7" sha2 = "0.8"
optional = true hmac = "0.7"
pbkdf2 = { version = "0.3", default-features = false }

4
sasl/src/client/mechanisms/anonymous.rs
View file

@ -1,7 +1,7 @@
//! Provides the SASL "ANONYMOUS" mechanism. //! Provides the SASL "ANONYMOUS" mechanism.
use client::Mechanism; use crate::client::Mechanism;
use common::{Secret, Credentials}; use crate::common::{Secret, Credentials};
/// A struct for the SASL ANONYMOUS mechanism. /// A struct for the SASL ANONYMOUS mechanism.
pub struct Anonymous; pub struct Anonymous;

4
sasl/src/client/mechanisms/plain.rs
View file

@ -1,7 +1,7 @@
//! Provides the SASL "PLAIN" mechanism. //! Provides the SASL "PLAIN" mechanism.
use client::Mechanism; use crate::client::Mechanism;
use common::{Secret, Credentials, Password, Identity}; use crate::common::{Secret, Credentials, Password, Identity};
/// A struct for the SASL PLAIN mechanism. /// A struct for the SASL PLAIN mechanism.
pub struct Plain { pub struct Plain {

22
sasl/src/client/mechanisms/scram.rs
View file

@ -2,11 +2,11 @@
use base64; use base64;
use client::Mechanism; use crate::client::Mechanism;
use common::{ChannelBinding, parse_frame, xor, Password, Credentials, Secret, Identity}; use crate::common::{ChannelBinding, parse_frame, xor, Password, Credentials, Secret, Identity};
use common::scram::{ScramProvider, generate_nonce}; use crate::common::scram::{ScramProvider, generate_nonce};
use error::Error; use crate::error::Error;
use std::marker::PhantomData; use std::marker::PhantomData;
@ -118,8 +118,8 @@ impl<S: ScramProvider> Mechanism for Scram<S> {
client_final_message_bare.extend(b",r="); client_final_message_bare.extend(b",r=");
client_final_message_bare.extend(server_nonce.bytes()); client_final_message_bare.extend(server_nonce.bytes());
let salted_password = S::derive(&self.password, &salt, iterations)?; let salted_password = S::derive(&self.password, &salt, iterations)?;
let client_key = S::hmac(b"Client Key", &salted_password); let client_key = S::hmac(b"Client Key", &salted_password)?;
let server_key = S::hmac(b"Server Key", &salted_password); let server_key = S::hmac(b"Server Key", &salted_password)?;
let mut auth_message = Vec::new(); let mut auth_message = Vec::new();
auth_message.extend(initial_message); auth_message.extend(initial_message);
auth_message.push(b','); auth_message.push(b',');
@ -127,9 +127,9 @@ impl<S: ScramProvider> Mechanism for Scram<S> {
auth_message.push(b','); auth_message.push(b',');
auth_message.extend(&client_final_message_bare); auth_message.extend(&client_final_message_bare);
let stored_key = S::hash(&client_key); let stored_key = S::hash(&client_key);
let client_signature = S::hmac(&auth_message, &stored_key); let client_signature = S::hmac(&auth_message, &stored_key)?;
let client_proof = xor(&client_key, &client_signature); let client_proof = xor(&client_key, &client_signature);
let server_signature = S::hmac(&auth_message, &server_key); let server_signature = S::hmac(&auth_message, &server_key)?;
let mut client_final_message = Vec::new(); let mut client_final_message = Vec::new();
client_final_message.extend(&client_final_message_bare); client_final_message.extend(&client_final_message_bare);
client_final_message.extend(b",p="); client_final_message.extend(b",p=");
@ -168,9 +168,9 @@ impl<S: ScramProvider> Mechanism for Scram<S> {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use client::Mechanism; use crate::client::Mechanism;
use client::mechanisms::Scram; use crate::client::mechanisms::Scram;
use common::scram::{Sha1, Sha256}; use crate::common::scram::{Sha1, Sha256};
#[test] #[test]
fn scram_sha1_works() { // Source: https://wiki.xmpp.org/web/SASLandSCRAM-SHA-1 fn scram_sha1_works() { // Source: https://wiki.xmpp.org/web/SASLandSCRAM-SHA-1

2
sasl/src/client/mod.rs
View file

@ -1,4 +1,4 @@
use common::Credentials; use crate::common::Credentials;
/// A trait which defines SASL mechanisms. /// A trait which defines SASL mechanisms.
pub trait Mechanism { pub trait Mechanism {

75
sasl/src/common/scram.rs
View file

@ -1,21 +1,20 @@
use openssl::pkcs5::pbkdf2_hmac; use rand_os::{OsRng, rand_core::{RngCore, Error as RngError}};
use openssl::hash::hash; use sha1::{Sha1 as Sha1_hash, Digest};
use openssl::hash::MessageDigest; use sha2::Sha256 as Sha256_hash;
use openssl::sign::Signer; use hmac::{Hmac, Mac};
use openssl::pkey::PKey; use pbkdf2::pbkdf2;
use openssl::rand::rand_bytes;
use openssl::error::ErrorStack;
use common::Password; use crate::common::Password;
use secret; use crate::secret;
use base64; use base64;
/// Generate a nonce for SCRAM authentication. /// Generate a nonce for SCRAM authentication.
pub fn generate_nonce() -> Result<String, ErrorStack> { pub fn generate_nonce() -> Result<String, RngError> {
let mut data = vec![0; 32]; let mut data = [0u8; 32];
rand_bytes(&mut data)?; let mut rng = OsRng::new()?;
rng.fill_bytes(&mut data);
Ok(base64::encode(&data)) Ok(base64::encode(&data))
} }
@ -31,7 +30,7 @@ pub trait ScramProvider {
fn hash(data: &[u8]) -> Vec<u8>; fn hash(data: &[u8]) -> Vec<u8>;
/// A function which performs an HMAC using the hash function. /// A function which performs an HMAC using the hash function.
fn hmac(data: &[u8], key: &[u8]) -> Vec<u8>; fn hmac(data: &[u8], key: &[u8]) -> Result<Vec<u8>, String>;
/// A function which does PBKDF2 key derivation using the hash function. /// A function which does PBKDF2 key derivation using the hash function.
fn derive(data: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String>; fn derive(data: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String>;
@ -40,27 +39,36 @@ pub trait ScramProvider {
/// A `ScramProvider` which provides SCRAM-SHA-1 and SCRAM-SHA-1-PLUS /// A `ScramProvider` which provides SCRAM-SHA-1 and SCRAM-SHA-1-PLUS
pub struct Sha1; pub struct Sha1;
impl ScramProvider for Sha1 { // TODO: look at all these unwraps impl ScramProvider for Sha1 {
type Secret = secret::Pbkdf2Sha1; type Secret = secret::Pbkdf2Sha1;
fn name() -> &'static str { "SHA-1" } fn name() -> &'static str { "SHA-1" }
fn hash(data: &[u8]) -> Vec<u8> { fn hash(data: &[u8]) -> Vec<u8> {
hash(MessageDigest::sha1(), data).unwrap().to_vec() let hash = Sha1_hash::digest(data);
let mut vec = Vec::with_capacity(Sha1_hash::output_size());
vec.extend_from_slice(hash.as_slice());
vec
} }
fn hmac(data: &[u8], key: &[u8]) -> Vec<u8> { fn hmac(data: &[u8], key: &[u8]) -> Result<Vec<u8>, String> {
let pkey = PKey::hmac(key).unwrap(); type HmacSha1 = Hmac<Sha1_hash>;
let mut signer = Signer::new(MessageDigest::sha1(), &pkey).unwrap(); let mut mac = match HmacSha1::new_varkey(key) {
signer.update(data).unwrap(); Ok(mac) => mac,
signer.sign_to_vec().unwrap() Err(err) => return Err(format!("{}", err)),
};
mac.input(data);
let result = mac.result();
let mut vec = Vec::with_capacity(Sha1_hash::output_size());
vec.extend_from_slice(result.code().as_slice());
Ok(vec)
} }
fn derive(password: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String> { fn derive(password: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String> {
match *password { match *password {
Password::Plain(ref plain) => { Password::Plain(ref plain) => {
let mut result = vec![0; 20]; let mut result = vec![0; 20];
pbkdf2_hmac(plain.as_bytes(), salt, iterations, MessageDigest::sha1(), &mut result).unwrap(); pbkdf2::<Hmac<Sha1_hash>>(plain.as_bytes(), salt, iterations, &mut result);
Ok(result) Ok(result)
}, },
Password::Pbkdf2 { ref method, salt: ref my_salt, iterations: my_iterations, ref data } => { Password::Pbkdf2 { ref method, salt: ref my_salt, iterations: my_iterations, ref data } => {
@ -84,27 +92,36 @@ impl ScramProvider for Sha1 { // TODO: look at all these unwraps
/// A `ScramProvider` which provides SCRAM-SHA-256 and SCRAM-SHA-256-PLUS /// A `ScramProvider` which provides SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
pub struct Sha256; pub struct Sha256;
impl ScramProvider for Sha256 { // TODO: look at all these unwraps impl ScramProvider for Sha256 {
type Secret = secret::Pbkdf2Sha256; type Secret = secret::Pbkdf2Sha256;
fn name() -> &'static str { "SHA-256" } fn name() -> &'static str { "SHA-256" }
fn hash(data: &[u8]) -> Vec<u8> { fn hash(data: &[u8]) -> Vec<u8> {
hash(MessageDigest::sha256(), data).unwrap().to_vec() let hash = Sha256_hash::digest(data);
let mut vec = Vec::with_capacity(Sha256_hash::output_size());
vec.extend_from_slice(hash.as_slice());
vec
} }
fn hmac(data: &[u8], key: &[u8]) -> Vec<u8> { fn hmac(data: &[u8], key: &[u8]) -> Result<Vec<u8>, String> {
let pkey = PKey::hmac(key).unwrap(); type HmacSha256 = Hmac<Sha256_hash>;
let mut signer = Signer::new(MessageDigest::sha256(), &pkey).unwrap(); let mut mac = match HmacSha256::new_varkey(key) {
signer.update(data).unwrap(); Ok(mac) => mac,
signer.sign_to_vec().unwrap() Err(err) => return Err(format!("{}", err)),
};
mac.input(data);
let result = mac.result();
let mut vec = Vec::with_capacity(Sha256_hash::output_size());
vec.extend_from_slice(result.code().as_slice());
Ok(vec)
} }
fn derive(password: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String> { fn derive(password: &Password, salt: &[u8], iterations: usize) -> Result<Vec<u8>, String> {
match *password { match *password {
Password::Plain(ref plain) => { Password::Plain(ref plain) => {
let mut result = vec![0; 32]; let mut result = vec![0; 32];
pbkdf2_hmac(plain.as_bytes(), salt, iterations, MessageDigest::sha256(), &mut result).unwrap(); pbkdf2::<Hmac<Sha256_hash>>(plain.as_bytes(), salt, iterations, &mut result);
Ok(result) Ok(result)
}, },
Password::Pbkdf2 { ref method, salt: ref my_salt, iterations: my_iterations, ref data } => { Password::Pbkdf2 { ref method, salt: ref my_salt, iterations: my_iterations, ref data } => {

12
sasl/src/error.rs
View file

@ -1,19 +1,19 @@
#[cfg(feature = "scram")] #[cfg(feature = "scram")]
use openssl::error::ErrorStack; use rand_os::rand_core::Error as RngError;
/// A wrapper enum for things that could go wrong in this crate. /// A wrapper enum for things that could go wrong in this crate.
#[derive(Debug)] #[derive(Debug)]
pub enum Error { pub enum Error {
#[cfg(feature = "scram")] #[cfg(feature = "scram")]
/// An error in OpenSSL. /// An error while initializing the Rng.
OpenSslErrorStack(ErrorStack), RngError(RngError),
/// An error in a SASL mechanism. /// An error in a SASL mechanism.
SaslError(String), SaslError(String),
} }
#[cfg(feature = "scram")] #[cfg(feature = "scram")]
impl From<ErrorStack> for Error { impl From<RngError> for Error {
fn from(err: ErrorStack) -> Error { fn from(err: RngError) -> Error {
Error::OpenSslErrorStack(err) Error::RngError(err)
} }
} }

7
sasl/src/lib.rs
View file

@ -163,11 +163,6 @@
//! sasl = "*" //! sasl = "*"
//! ``` //! ```
extern crate base64;
#[cfg(feature = "scram")]
extern crate openssl;
mod error; mod error;
pub mod client; pub mod client;
@ -175,4 +170,4 @@ pub mod client;
pub mod common; pub mod common;
pub mod secret; pub mod secret;
pub use error::Error; pub use crate::error::Error;

12
sasl/src/secret.rs
View file

@ -19,10 +19,10 @@ pub struct Pbkdf2Sha1 {
} }
impl Pbkdf2Sha1 { impl Pbkdf2Sha1 {
#[cfg(feature = "openssl")] #[cfg(feature = "scram")]
pub fn derive(password: &str, salt: &[u8], iterations: usize) -> Result<Pbkdf2Sha1, String> { pub fn derive(password: &str, salt: &[u8], iterations: usize) -> Result<Pbkdf2Sha1, String> {
use common::scram::{ScramProvider, Sha1}; use crate::common::scram::{ScramProvider, Sha1};
use common::Password; use crate::common::Password;
let digest = Sha1::derive(&Password::Plain(password.to_owned()), salt, iterations)?; let digest = Sha1::derive(&Password::Plain(password.to_owned()), salt, iterations)?;
Ok(Pbkdf2Sha1 { Ok(Pbkdf2Sha1 {
salt: salt.to_vec(), salt: salt.to_vec(),
@ -48,10 +48,10 @@ pub struct Pbkdf2Sha256 {
} }
impl Pbkdf2Sha256 { impl Pbkdf2Sha256 {
#[cfg(feature = "openssl")] #[cfg(feature = "scram")]
pub fn derive(password: &str, salt: &[u8], iterations: usize) -> Result<Pbkdf2Sha256, String> { pub fn derive(password: &str, salt: &[u8], iterations: usize) -> Result<Pbkdf2Sha256, String> {
use common::scram::{ScramProvider, Sha256}; use crate::common::scram::{ScramProvider, Sha256};
use common::Password; use crate::common::Password;
let digest = Sha256::derive(&Password::Plain(password.to_owned()), salt, iterations)?; let digest = Sha256::derive(&Password::Plain(password.to_owned()), salt, iterations)?;
Ok(Pbkdf2Sha256 { Ok(Pbkdf2Sha256 {
salt: salt.to_vec(), salt: salt.to_vec(),

6
sasl/src/server/mechanisms/plain.rs
View file

@ -1,6 +1,6 @@
use server::{Validator, Response, Mechanism}; use crate::server::{Validator, Response, Mechanism};
use common::Identity; use crate::common::Identity;
use secret; use crate::secret;
pub struct Plain<V: Validator<secret::Plain>> { pub struct Plain<V: Validator<secret::Plain>> {
validator: V, validator: V,

18
sasl/src/server/mechanisms/scram.rs
View file

@ -2,11 +2,11 @@ use std::marker::PhantomData;
use base64; use base64;
use server::{Provider, Response, Mechanism}; use crate::server::{Provider, Response, Mechanism};
use common::{Identity, ChannelBinding, parse_frame, xor}; use crate::common::{Identity, ChannelBinding, parse_frame, xor};
use common::scram::{ScramProvider, generate_nonce}; use crate::common::scram::{ScramProvider, generate_nonce};
use secret; use crate::secret;
use secret::Pbkdf2Secret; use crate::secret::Pbkdf2Secret;
enum ScramState { enum ScramState {
Init, Init,
@ -134,8 +134,8 @@ impl<S, P> Mechanism for Scram<S, P>
client_final_message_bare.extend(base64::encode(&cb_data).bytes()); client_final_message_bare.extend(base64::encode(&cb_data).bytes());
client_final_message_bare.extend(b",r="); client_final_message_bare.extend(b",r=");
client_final_message_bare.extend(server_nonce.bytes()); client_final_message_bare.extend(server_nonce.bytes());
let client_key = S::hmac(b"Client Key", &salted_password); let client_key = S::hmac(b"Client Key", &salted_password)?;
let server_key = S::hmac(b"Server Key", &salted_password); let server_key = S::hmac(b"Server Key", &salted_password)?;
let mut auth_message = Vec::new(); let mut auth_message = Vec::new();
auth_message.extend(initial_client_message); auth_message.extend(initial_client_message);
auth_message.extend(b","); auth_message.extend(b",");
@ -143,14 +143,14 @@ impl<S, P> Mechanism for Scram<S, P>
auth_message.extend(b","); auth_message.extend(b",");
auth_message.extend(client_final_message_bare.clone()); auth_message.extend(client_final_message_bare.clone());
let stored_key = S::hash(&client_key); let stored_key = S::hash(&client_key);
let client_signature = S::hmac(&auth_message, &stored_key); let client_signature = S::hmac(&auth_message, &stored_key)?;
let client_proof = xor(&client_key, &client_signature); let client_proof = xor(&client_key, &client_signature);
let sent_proof = frame.get("p").ok_or_else(|| "no proof".to_owned())?; let sent_proof = frame.get("p").ok_or_else(|| "no proof".to_owned())?;
let sent_proof = base64::decode(sent_proof).map_err(|_| "can't decode proof".to_owned())?; let sent_proof = base64::decode(sent_proof).map_err(|_| "can't decode proof".to_owned())?;
if client_proof != sent_proof { if client_proof != sent_proof {
return Err("authentication failed".to_owned()); return Err("authentication failed".to_owned());
} }
let server_signature = S::hmac(&auth_message, &server_key); let server_signature = S::hmac(&auth_message, &server_key)?;
let mut buf = Vec::new(); let mut buf = Vec::new();
buf.extend(b"v="); buf.extend(b"v=");
buf.extend(base64::encode(&server_signature).bytes()); buf.extend(base64::encode(&server_signature).bytes());

4
sasl/src/server/mod.rs
View file

@ -1,5 +1,5 @@
use common::Identity; use crate::common::Identity;
use secret::Secret; use crate::secret::Secret;
#[macro_export] #[macro_export]
macro_rules! impl_validator_using_provider { macro_rules! impl_validator_using_provider {