feat: improve ergonomics and add hash generation functions

Author: Techie-Pi

src/errors.rs

@@ -1,12 +1,10 @@
-use std::num::TryFromIntError;
 use base64::DecodeError;
 use ctr::cipher::StreamCipherError;
 use scrypt::errors::{InvalidOutputLen, InvalidParams};
 
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub(crate) enum DerivedKeyError {
     Base64Decode(DecodeError),
-    IntError(TryFromIntError),
     InvalidScryptParams(InvalidParams),
     InvalidOutputLen(InvalidOutputLen),
 }
@@ -17,12 +15,6 @@ impl From<DecodeError> for DerivedKeyError {
     }
 }
 
-impl From<TryFromIntError> for DerivedKeyError {
-    fn from(e: TryFromIntError) -> Self {
-        Self::IntError(e)
-    }
-}
-
 impl From<InvalidParams> for DerivedKeyError {
     fn from(e: InvalidParams) -> Self {
         Self::InvalidScryptParams(e)
@@ -47,25 +39,25 @@ impl From<StreamCipherError> for EncryptError {
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
-pub enum VerifyPasswordError {
+pub enum GenerateHashError {
     GenerateDerivedKeyFailed,
     DecodingFailed,
     EncryptionFailed,
 }
 
-impl From<DecodeError> for VerifyPasswordError {
+impl From<DecodeError> for GenerateHashError {
     fn from(_: DecodeError) -> Self {
         Self::DecodingFailed
     }
 }
 
-impl From<EncryptError> for VerifyPasswordError {
+impl From<EncryptError> for GenerateHashError {
     fn from(_: EncryptError) -> Self {
         Self::EncryptionFailed
     }
 }
 
-impl From<DerivedKeyError> for VerifyPasswordError {
+impl From<DerivedKeyError> for GenerateHashError {
     fn from(_: DerivedKeyError) -> Self {
         Self::GenerateDerivedKeyFailed
     }

src/lib.rs

@@ -1,6 +1,6 @@
 //! Implementation of [Firebase Scrypt](https://github.com/firebase/scrypt) in pure Rust.
 //!
-//! If you are only using the [`verify_password`] function instead of the higher-level struct [`FirebaseScrypt`],
+//! If you are only using the raw functions instead of the higher-level struct [`FirebaseScrypt`],
 //! it's recommended to disable default features in your ``Cargo.toml``
 //!
 //! ```toml
@@ -31,7 +31,7 @@ use aes::cipher::{KeyIvInit, StreamCipher};
 use constant_time_eq::constant_time_eq;
 use ctr::{Ctr128BE};
 use scrypt::Params;
-use crate::errors::{DerivedKeyError, EncryptError, VerifyPasswordError};
+use crate::errors::{DerivedKeyError, EncryptError, GenerateHashError};
 
 pub mod errors;
 #[cfg(feature = "simple")]
@@ -119,14 +119,56 @@ pub fn verify_password(
     signer_key: &str,
     rounds: u32,
     mem_cost: u32,
-) -> Result<bool, VerifyPasswordError> {
+) -> Result<bool, GenerateHashError> {
+    let password_hash = generate_raw_hash(password, salt, salt_separator, signer_key, rounds, mem_cost)?;
+
+    Ok(constant_time_eq(password_hash.as_slice(), base64::decode(known_hash)?.as_slice()))
+}
+
+/// Generates a hash in the form of a [`Vec<u8>`]
+///
+/// In case you want or are using the same hash representation as Firebase, use the [`FirebaseScrypt`]
+/// struct to get the Base64 hashed directly.
+///
+/// # Example (generate Base64 hash)
+/// ```
+/// // Base64 crate for encoding the hash
+/// use base64::encode;
+/// use firebase_scrypt::generate_raw_hash;
+///
+/// const SALT_SEPARATOR: &str = "Bw==";
+/// const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+/// const ROUNDS: u32 = 8;
+/// const MEM_COST: u32 = 14;
+///
+/// let password = "user1password";
+/// let salt = "42xEC+ixf3L2lw==";
+/// let password_hash ="lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
+///
+/// let hash = encode(generate_raw_hash(
+///     password,
+///     salt,
+///     SALT_SEPARATOR,
+///     SIGNER_KEY,
+///     ROUNDS,
+///     MEM_COST,
+/// ).unwrap());
+///
+/// assert_eq!(hash, password_hash);
+/// ```
+pub fn generate_raw_hash(
+    password: &str,
+    salt: &str,
+    salt_separator: &str,
+    signer_key: &str,
+    rounds: u32,
+    mem_cost: u32,
+) -> Result<Vec<u8>, GenerateHashError> {
     let derived_key = generate_derived_key(password, salt, salt_separator, rounds, mem_cost)?;
     let signer_key = base64::decode(signer_key)?;
 
     let result = encrypt(signer_key.as_slice(), derived_key[..32].try_into().unwrap())?;
-    let password_hash = base64::decode(base64::encode(result))?;
-
-    Ok(constant_time_eq(password_hash.as_slice(), base64::decode(known_hash)?.as_slice()))
+    Ok(base64::decode(base64::encode(result))?)
 }
 
 #[cfg(test)]
@@ -141,6 +183,7 @@ mod tests {
     const PASSWORD_HASH: &str ="lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
 
     use super::*;
+
     #[test]
     fn verify_password_works() {
         assert!(verify_password(
@@ -154,6 +197,18 @@ mod tests {
         ).unwrap())
     }
 
+    #[test]
+    fn generate_hash_works() {
+        assert_eq!(base64::encode(generate_raw_hash(
+            PASSWORD,
+            SALT,
+            SALT_SEPARATOR,
+            SIGNER_KEY,
+            ROUNDS,
+            MEM_COST,
+        ).unwrap()), PASSWORD_HASH)
+    }
+
     #[test]
     fn encrypt_works() {
         let param_1 = b"randomrandomrandomrandomrandomrandomrandom";

src/simple.rs

@@ -1,9 +1,9 @@
-use crate::{verify_password, VerifyPasswordError};
+use crate::{verify_password, GenerateHashError, generate_raw_hash};
 
-/// Struct to simplify the usage of the [`verify_password`] function.
+/// Struct to simplify the usage of hash generation and checking.
 ///
-/// Holds the salt separator, signer key, round and memory cost to make the usage of the [`verify_password`]
-/// function easier.
+/// Holds the salt separator, signer key, round and memory cost to make the usage of the hash generation
+/// and checking function easier.
 ///
 /// # Example
 /// ```
@@ -31,6 +31,7 @@ pub struct FirebaseScrypt {
 }
 
 impl FirebaseScrypt {
+    /// Create a new [`FirebaseScrypt`] instance.
     pub fn new(salt_separator: &str, signer_key: &str, rounds: u32, mem_cost: u32) -> Self {
         Self {
             salt_separator: salt_separator.to_string(),
@@ -41,15 +42,126 @@ impl FirebaseScrypt {
     }
 
     /// Calls [`verify_password`] with the data from the [`FirebaseScrypt`]
-    pub fn verify_password(&self, password: &str, salt: &str, known_hash: &str) -> Result<bool, VerifyPasswordError> {
-        Ok(verify_password(
+    ///
+    /// # Example
+    /// ```no_test
+    /// # This test doesn't pass for (some?) reason. But the ``verify_password_with_simple_works`` test
+    /// # passes, so no idea.
+    /// use firebase_scrypt::FirebaseScrypt;
+    ///
+    /// const SALT_SEPARATOR: &str = "Bw==";
+    /// const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+    /// const ROUNDS: u32 = 8;
+    /// const MEM_COST: u32 = 14;
+    ///
+    /// let password: &str = "user1password";
+    /// let salt: &str = "42xEC+ixf3L2lw==";
+    /// let password_hash: &str = "lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
+    ///
+    /// let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
+    ///
+    /// let is_valid = firebase_scrypt.verify_password(
+    ///     password,
+    ///     password_hash,
+    ///     salt,
+    /// ).unwrap();
+    ///
+    /// assert!(is_valid)
+    /// ```
+    pub fn verify_password(&self, password: &str, salt: &str, known_hash: &str) -> Result<bool, GenerateHashError> {
+        verify_password(
             password,
             known_hash,
             salt,
             self.salt_separator.as_str(),
             self.signer_key.as_str(),
             self.rounds,
             self.mem_cost,
-        )?)
+        )
+    }
+
+    /// Calls [`FirebaseScrypt::verify_password`] but returns false also if an error occurs, which
+    /// is _usually_ the best thing to do.
+    pub fn verify_password_bool(&self, password: &str, salt: &str, known_hash: &str) -> bool {
+        if let Ok(result) = self.verify_password(password, salt, known_hash) {
+            result
+        } else {
+            false
+        }
+    }
+
+    /// Generates a hash and returns its Base64 form, the same as the hashes from Firebase
+    ///
+    /// <div class="example-wrap" style="display:inline-block"><pre class="compile_fail" style="white-space:normal;font:inherit;">
+    ///
+    /// **Warning**: Do not use this function to check if a given password is valid, because that
+    /// could result in [side-channel attacks](https://en.wikipedia.org/wiki/Side-channel_attack).
+    ///
+    /// Use the [`FirebaseScrypt::verify_password`] function instead.
+    ///
+    /// </pre></div>
+    ///
+    /// # Example
+    /// ```
+    /// use firebase_scrypt::FirebaseScrypt;
+    ///
+    /// const SALT_SEPARATOR: &str = "Bw==";
+    /// const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+    /// const ROUNDS: u32 = 8;
+    /// const MEM_COST: u32 = 14;
+    ///
+    /// let password = "user1password";
+    /// let salt = "42xEC+ixf3L2lw==";
+    ///
+    /// let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
+    ///
+    /// firebase_scrypt.generate_base64_hash(password, salt).unwrap();
+    /// ```
+    pub fn generate_base64_hash(&self, password: &str, salt: &str) -> Result<String, GenerateHashError> {
+        let hash = generate_raw_hash(
+            password,
+            salt,
+            self.salt_separator.as_str(),
+            self.signer_key.as_str(),
+            self.rounds,
+            self.mem_cost,
+        )?;
+
+        Ok(base64::encode(hash))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    const SALT_SEPARATOR: &str = "Bw==";
+    const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+    const ROUNDS: u32 = 8;
+    const MEM_COST: u32 = 14;
+
+    const PASSWORD: &str = "user1password";
+    const SALT: &str = "42xEC+ixf3L2lw==";
+    const PASSWORD_HASH: &str ="lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
+
+    use super::*;
+
+    #[test]
+    fn verify_password_with_simple_works() {
+        let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
+
+        assert!(firebase_scrypt.verify_password(
+            PASSWORD,
+            SALT,
+            PASSWORD_HASH,
+        ).unwrap())
+    }
+
+    #[test]
+    fn generate_hash_with_simple_works() {
+        let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
+
+        assert_eq!(firebase_scrypt.generate_base64_hash(
+            PASSWORD,
+            SALT,
+        ).unwrap(), PASSWORD_HASH)
     }
 }