Clean the hash and salt (#2)

Techie-Pi · web-flow · commit f35d0c199dec · 2023-09-08T20:00:44.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -5,7 +5,7 @@ repository = "https://github.com/Techie-Pi/firebase-scrypt-rust"
 homepage = "https://github.com/Techie-Pi/firebase-scrypt-rust"
 documentation = "https://github.com/Techie-Pi/firebase-scrypt-rust"
 readme = "README.md"
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 license = "MIT"
 rust-version = "1.59"
diff --git a/src/errors.rs b/src/errors.rs
@@ -29,7 +29,7 @@ impl From<InvalidOutputLen> for DerivedKeyError {
 
 #[derive(Clone, Debug)]
 pub(crate) enum EncryptError {
-    StreamCipher(StreamCipherError)
+    StreamCipher(StreamCipherError),
 }
 
 impl From<StreamCipherError> for EncryptError {
diff --git a/src/lib.rs b/src/lib.rs
@@ -26,12 +26,14 @@
 //! assert!(firebase_scrypt.verify_password(password, salt, password_hash).unwrap())
 //! ```
 
-use aes::{Aes256};
-use aes::cipher::{KeyIvInit, StreamCipher};
+use crate::errors::{DerivedKeyError, EncryptError, GenerateHashError};
+use aes::{
+    cipher::{KeyIvInit, StreamCipher},
+    Aes256,
+};
 use constant_time_eq::constant_time_eq;
-use ctr::{Ctr128BE};
+use ctr::Ctr128BE;
 use scrypt::Params;
-use crate::errors::{DerivedKeyError, EncryptError, GenerateHashError};
 
 pub mod errors;
 #[cfg(feature = "simple")]
@@ -42,6 +44,10 @@ pub use simple::FirebaseScrypt;
 
 const IV: [u8; 16] = *b"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
 
+fn clean(a: &str) -> String {
+    a.replace("-", "+").replace("_", "/")
+}
+
 fn generate_derived_key<'a>(
     password: &'a str,
     salt: &'a str,
@@ -61,12 +67,7 @@ fn generate_derived_key<'a>(
     let params = Params::new(log2_n as u8, rounds, p)?;
 
     let mut result = [0u8; 64];
-    scrypt::scrypt(
-        password,
-        salt.as_slice(),
-        &params,
-        &mut result
-    )?;
+    scrypt::scrypt(password, salt.as_slice(), &params, &mut result)?;
 
     Ok(result)
 }
@@ -75,8 +76,7 @@ fn encrypt(signer_key: &[u8], key: [u8; 32]) -> Result<Vec<u8>, EncryptError> {
     let mut cipher = Ctr128BE::<Aes256>::new(&key.into(), &IV.into());
 
     let mut buffer = vec![0u8; signer_key.len()];
-    cipher
-        .apply_keystream_b2b(signer_key, &mut buffer)?;
+    cipher.apply_keystream_b2b(signer_key, &mut buffer)?;
 
     Ok(buffer)
 }
@@ -120,9 +120,13 @@ pub fn verify_password(
     rounds: u32,
     mem_cost: u32,
 ) -> Result<bool, GenerateHashError> {
-    let password_hash = generate_raw_hash(password, salt, salt_separator, signer_key, rounds, mem_cost)?;
+    let password_hash =
+        generate_raw_hash(password, salt, salt_separator, signer_key, rounds, mem_cost)?;
 
-    Ok(constant_time_eq(password_hash.as_slice(), base64::decode(known_hash)?.as_slice()))
+    Ok(constant_time_eq(
+        password_hash.as_slice(),
+        base64::decode(clean(known_hash))?.as_slice(),
+    ))
 }
 
 /// Generates a hash in the form of a [`Vec<u8>`]
@@ -164,7 +168,8 @@ pub fn generate_raw_hash(
     rounds: u32,
     mem_cost: u32,
 ) -> Result<Vec<u8>, GenerateHashError> {
-    let derived_key = generate_derived_key(password, salt, salt_separator, rounds, mem_cost)?;
+    let derived_key =
+        generate_derived_key(password, &clean(salt), salt_separator, rounds, mem_cost)?;
     let signer_key = base64::decode(signer_key)?;
 
     let result = encrypt(signer_key.as_slice(), derived_key[..32].try_into().unwrap())?;
@@ -174,13 +179,15 @@ pub fn generate_raw_hash(
 #[cfg(test)]
 mod tests {
     const SALT_SEPARATOR: &str = "Bw==";
-    const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+    const SIGNER_KEY: &str =
+        "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
     const ROUNDS: u32 = 8;
     const MEM_COST: u32 = 14;
 
     const PASSWORD: &str = "user1password";
     const SALT: &str = "42xEC+ixf3L2lw==";
-    const PASSWORD_HASH: &str ="lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
+    const PASSWORD_HASH: &str =
+        "lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
 
     use super::*;
 
@@ -194,27 +201,30 @@ mod tests {
             SIGNER_KEY,
             ROUNDS,
             MEM_COST
-        ).unwrap())
+        )
+        .unwrap())
     }
 
     #[test]
     fn generate_hash_works() {
-        assert_eq!(base64::encode(generate_raw_hash(
-            PASSWORD,
-            SALT,
-            SALT_SEPARATOR,
-            SIGNER_KEY,
-            ROUNDS,
-            MEM_COST,
-        ).unwrap()), PASSWORD_HASH)
+        assert_eq!(
+            base64::encode(
+                generate_raw_hash(PASSWORD, SALT, SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST,)
+                    .unwrap()
+            ),
+            PASSWORD_HASH
+        )
     }
 
     #[test]
     fn encrypt_works() {
         let param_1 = b"randomrandomrandomrandomrandomrandomrandom";
         let param_2 = b"12345678901234567890123456789012";
 
-        assert_eq!(hex::encode(encrypt(param_1, *param_2).unwrap()), "09f509fa3d09cde568f80709416681e4ed5d9677ca8b4807a932869ba3fd057be3606c2940877850ed96");
+        assert_eq!(
+            hex::encode(encrypt(param_1, *param_2).unwrap()),
+            "09f509fa3d09cde568f80709416681e4ed5d9677ca8b4807a932869ba3fd057be3606c2940877850ed96"
+        );
     }
 
     #[test]
diff --git a/src/simple.rs b/src/simple.rs
@@ -1,4 +1,4 @@
-use crate::{verify_password, GenerateHashError, generate_raw_hash};
+use crate::{generate_raw_hash, verify_password, GenerateHashError};
 
 /// Struct to simplify the usage of hash generation and checking.
 ///
@@ -68,7 +68,12 @@ impl FirebaseScrypt {
     ///
     /// assert!(is_valid)
     /// ```
-    pub fn verify_password(&self, password: &str, salt: &str, known_hash: &str) -> Result<bool, GenerateHashError> {
+    pub fn verify_password(
+        &self,
+        password: &str,
+        salt: &str,
+        known_hash: &str,
+    ) -> Result<bool, GenerateHashError> {
         verify_password(
             password,
             known_hash,
@@ -117,7 +122,11 @@ impl FirebaseScrypt {
     ///
     /// firebase_scrypt.generate_base64_hash(password, salt).unwrap();
     /// ```
-    pub fn generate_base64_hash(&self, password: &str, salt: &str) -> Result<String, GenerateHashError> {
+    pub fn generate_base64_hash(
+        &self,
+        password: &str,
+        salt: &str,
+    ) -> Result<String, GenerateHashError> {
         let hash = generate_raw_hash(
             password,
             salt,
@@ -134,34 +143,36 @@ impl FirebaseScrypt {
 #[cfg(test)]
 mod tests {
     const SALT_SEPARATOR: &str = "Bw==";
-    const SIGNER_KEY: &str = "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
+    const SIGNER_KEY: &str =
+        "jxspr8Ki0RYycVU8zykbdLGjFQ3McFUH0uiiTvC8pVMXAn210wjLNmdZJzxUECKbm0QsEmYUSDzZvpjeJ9WmXA==";
     const ROUNDS: u32 = 8;
     const MEM_COST: u32 = 14;
 
     const PASSWORD: &str = "user1password";
     const SALT: &str = "42xEC+ixf3L2lw==";
-    const PASSWORD_HASH: &str ="lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
+    const PASSWORD_HASH: &str =
+        "lSrfV15cpx95/sZS2W9c9Kp6i/LVgQNDNC/qzrCnh1SAyZvqmZqAjTdn3aoItz+VHjoZilo78198JAdRuid5lQ==";
 
     use super::*;
 
     #[test]
     fn verify_password_with_simple_works() {
         let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
 
-        assert!(firebase_scrypt.verify_password(
-            PASSWORD,
-            SALT,
-            PASSWORD_HASH,
-        ).unwrap())
+        assert!(firebase_scrypt
+            .verify_password(PASSWORD, SALT, PASSWORD_HASH,)
+            .unwrap())
     }
 
     #[test]
     fn generate_hash_with_simple_works() {
         let firebase_scrypt = FirebaseScrypt::new(SALT_SEPARATOR, SIGNER_KEY, ROUNDS, MEM_COST);
 
-        assert_eq!(firebase_scrypt.generate_base64_hash(
-            PASSWORD,
-            SALT,
-        ).unwrap(), PASSWORD_HASH)
+        assert_eq!(
+            firebase_scrypt
+                .generate_base64_hash(PASSWORD, SALT,)
+                .unwrap(),
+            PASSWORD_HASH
+        )
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ impl From<InvalidOutputLen> for DerivedKeyError {`
`29`	`29`
`30`	`30`	`#[derive(Clone, Debug)]`
`31`	`31`	`pub(crate) enum EncryptError {`
`32`		`- StreamCipher(StreamCipherError)`
	`32`	`+ StreamCipher(StreamCipherError),`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`impl From<StreamCipherError> for EncryptError {`