sha-crypt: simplify Base64 encoding (#728)

Composes the "simple" MCF API in terms of the existing Base64 APIs, and
factors the Base64 encoding functions into those Base64 APIs.

Author: tarcieri

sha-crypt/Cargo.toml

@@ -18,7 +18,7 @@ rust-version = "1.85"
 
 [dependencies]
 sha2 = { version = "0.11.0-rc.2", default-features = false }
-base64ct = { version = "1.7.1", default-features = false }
+base64ct = { version = "1.7.1", default-features = false, features = ["alloc"] }
 
 # optional dependencies
 mcf = { version = "0.2", optional = true, default-features = false, features = ["alloc", "base64"] }
@@ -27,7 +27,7 @@ subtle = { version = "2", optional = true, default-features = false }
 
 [features]
 default = ["simple"]
-simple = ["base64ct/alloc", "dep:mcf", "dep:rand_core", "dep:subtle"]
+simple = ["dep:mcf", "dep:rand_core", "dep:subtle"]
 
 [package.metadata.docs.rs]
 all-features = true

sha-crypt/src/b64.rs

@@ -1,34 +1,13 @@
 //! Base64 encoding support
 
-use crate::consts::{
-    BLOCK_SIZE_SHA256, BLOCK_SIZE_SHA512, MAP_SHA256, MAP_SHA512, PW_SIZE_SHA256, PW_SIZE_SHA512,
+#![cfg(feature = "simple")]
+
+use crate::{
+    consts::{BLOCK_SIZE_SHA256, BLOCK_SIZE_SHA512, MAP_SHA256, MAP_SHA512, PW_SIZE_SHA256},
+    errors::DecodeError,
 };
 use base64ct::{Base64ShaCrypt, Encoding};
 
-#[cfg(feature = "simple")]
-use crate::errors::DecodeError;
-
-pub fn encode_sha512(source: &[u8]) -> [u8; PW_SIZE_SHA512] {
-    let mut transposed = [0u8; BLOCK_SIZE_SHA512];
-    for (i, &ti) in MAP_SHA512.iter().enumerate() {
-        transposed[i] = source[ti as usize];
-    }
-    let mut buf = [0u8; PW_SIZE_SHA512];
-    Base64ShaCrypt::encode(&transposed, &mut buf).unwrap();
-    buf
-}
-
-pub fn encode_sha256(source: &[u8]) -> [u8; PW_SIZE_SHA256] {
-    let mut transposed = [0u8; BLOCK_SIZE_SHA256];
-    for (i, &ti) in MAP_SHA256.iter().enumerate() {
-        transposed[i] = source[ti as usize];
-    }
-    let mut buf = [0u8; PW_SIZE_SHA256];
-    Base64ShaCrypt::encode(&transposed, &mut buf).unwrap();
-    buf
-}
-
-#[cfg(feature = "simple")]
 pub fn decode_sha512(source: &[u8]) -> Result<[u8; BLOCK_SIZE_SHA512], DecodeError> {
     const BUF_SIZE: usize = 86;
     let mut buf = [0u8; BUF_SIZE];
@@ -40,7 +19,6 @@ pub fn decode_sha512(source: &[u8]) -> Result<[u8; BLOCK_SIZE_SHA512], DecodeErr
     Ok(transposed)
 }
 
-#[cfg(feature = "simple")]
 pub fn decode_sha256(source: &[u8]) -> Result<[u8; BLOCK_SIZE_SHA256], DecodeError> {
     let mut buf = [0u8; PW_SIZE_SHA256];
     Base64ShaCrypt::decode(source, &mut buf).unwrap();
@@ -51,41 +29,3 @@ pub fn decode_sha256(source: &[u8]) -> Result<[u8; BLOCK_SIZE_SHA256], DecodeErr
     }
     Ok(transposed)
 }
-
-mod tests {
-    #[cfg(feature = "simple")]
-    #[test]
-    fn test_encode_decode_sha512() {
-        let original: [u8; 64] = [
-            0x0b, 0x5b, 0xdf, 0x7d, 0x92, 0xe2, 0xfc, 0xbd, 0xab, 0x57, 0xcb, 0xf3, 0xe0, 0x03,
-            0x16, 0x62, 0xd3, 0x6e, 0xa0, 0x57, 0x44, 0x8c, 0xca, 0x35, 0xec, 0x80, 0x75, 0x2a,
-            0x37, 0xd4, 0xe6, 0xfa, 0xf7, 0xd7, 0x78, 0xf4, 0x8e, 0x0b, 0x3e, 0xab, 0x23, 0x05,
-            0x15, 0xdd, 0x79, 0x14, 0x45, 0xac, 0x66, 0x60, 0x25, 0x94, 0x97, 0x5e, 0x0f, 0x7f,
-            0x5f, 0xaf, 0x1a, 0xe5, 0x08, 0xe7, 0x7d, 0xd4,
-        ];
-
-        let e = super::encode_sha512(&original);
-        let d = super::decode_sha512(&e).unwrap();
-
-        for i in 0..d.len() {
-            assert_eq!(&original[i], &d[i]);
-        }
-    }
-
-    #[cfg(feature = "simple")]
-    #[test]
-    fn test_encode_decode_sha256() {
-        let original: [u8; 32] = [
-            0x0b, 0x5b, 0xdf, 0x7d, 0x92, 0xe2, 0xfc, 0xbd, 0xab, 0x57, 0xcb, 0xf3, 0xe0, 0x03,
-            0x16, 0x62, 0xd3, 0x6e, 0xa0, 0x57, 0x44, 0x8c, 0xca, 0x35, 0xec, 0x80, 0x75, 0x2a,
-            0x5f, 0xaf, 0x1a, 0xe5,
-        ];
-
-        let e = super::encode_sha256(&original);
-        let d = super::decode_sha256(&e).unwrap();
-
-        for i in 0..d.len() {
-            assert_eq!(&original[i], &d[i]);
-        }
-    }
-}

sha-crypt/src/consts.rs

@@ -5,11 +5,9 @@ pub const BLOCK_SIZE_SHA256: usize = 32;
 pub const BLOCK_SIZE_SHA512: usize = 64;
 
 /// PWD part length of the password string of SHA256
+#[cfg(feature = "simple")]
 pub const PW_SIZE_SHA256: usize = 43;
 
-/// PWD part length of the password string of SHA512
-pub const PW_SIZE_SHA512: usize = 86;
-
 /// Maximum length of a salt
 #[cfg(feature = "simple")]
 pub const SALT_MAX_LEN: usize = 16;

sha-crypt/src/lib.rs

@@ -52,16 +52,18 @@ pub use crate::{
 };
 
 use alloc::{string::String, vec::Vec};
+use base64ct::{Base64ShaCrypt, Encoding};
 use sha2::{Digest, Sha256, Sha512};
 
 #[cfg(feature = "simple")]
 pub use crate::errors::{CheckError, DecodeError};
 
+use crate::consts::{MAP_SHA256, MAP_SHA512};
+
 #[cfg(feature = "simple")]
 use {
     crate::consts::SALT_MAX_LEN,
     alloc::string::ToString,
-    base64ct::{Base64ShaCrypt, Encoding},
     rand_core::{OsRng, RngCore, TryRngCore},
 };
 
@@ -283,7 +285,13 @@ pub fn sha256_crypt(
 /// - `Err(errors::CryptError)` otherwise
 pub fn sha512_crypt_b64(password: &[u8], salt: &[u8], params: &Sha512Params) -> String {
     let output = sha512_crypt(password, salt, params);
-    String::from_utf8(b64::encode_sha512(&output).to_vec()).unwrap()
+
+    let mut transposed = [0u8; BLOCK_SIZE_SHA512];
+    for (i, &ti) in MAP_SHA512.iter().enumerate() {
+        transposed[i] = output[ti as usize];
+    }
+
+    Base64ShaCrypt::encode_string(&transposed)
 }
 
 /// Same as sha256_crypt except base64 representation will be returned.
@@ -299,7 +307,13 @@ pub fn sha512_crypt_b64(password: &[u8], salt: &[u8], params: &Sha512Params) ->
 /// - `Err(errors::CryptError)` otherwise
 pub fn sha256_crypt_b64(password: &[u8], salt: &[u8], params: &Sha256Params) -> String {
     let output = sha256_crypt(password, salt, params);
-    String::from_utf8(b64::encode_sha256(&output).to_vec()).unwrap()
+
+    let mut transposed = [0u8; BLOCK_SIZE_SHA256];
+    for (i, &ti) in MAP_SHA256.iter().enumerate() {
+        transposed[i] = output[ti as usize];
+    }
+
+    Base64ShaCrypt::encode_string(&transposed)
 }
 
 /// Simple interface for generating a SHA512 password hash.
@@ -316,7 +330,7 @@ pub fn sha256_crypt_b64(password: &[u8], salt: &[u8], params: &Sha256Params) ->
 #[cfg(feature = "simple")]
 pub fn sha512_simple(password: &str, params: &Sha512Params) -> String {
     let salt = random_salt();
-    let out = sha512_crypt(password.as_bytes(), salt.as_bytes(), params);
+    let out = sha512_crypt_b64(password.as_bytes(), salt.as_bytes(), params);
 
     let mut mcf_hash = mcf::PasswordHash::from_id(SHA512_MCF_ID).expect("should have valid ID");
 
@@ -327,9 +341,7 @@ pub fn sha512_simple(password: &str, params: &Sha512Params) -> String {
     }
 
     mcf_hash.push_str(&salt).expect("should have valid salt");
-
-    let s = String::from_utf8(b64::encode_sha512(&out).to_vec()).unwrap();
-    mcf_hash.push_str(&s).expect("should have valid hash");
+    mcf_hash.push_str(&out).expect("should have valid hash");
 
     mcf_hash.into()
 }
@@ -348,7 +360,7 @@ pub fn sha512_simple(password: &str, params: &Sha512Params) -> String {
 #[cfg(feature = "simple")]
 pub fn sha256_simple(password: &str, params: &Sha256Params) -> String {
     let salt = random_salt();
-    let out = sha256_crypt(password.as_bytes(), salt.as_bytes(), params);
+    let out = sha256_crypt_b64(password.as_bytes(), salt.as_bytes(), params);
 
     let mut mcf_hash = mcf::PasswordHash::from_id(SHA256_MCF_ID).expect("should have valid ID");
 
@@ -359,9 +371,7 @@ pub fn sha256_simple(password: &str, params: &Sha256Params) -> String {
     }
 
     mcf_hash.push_str(&salt).expect("should have valid salt");
-
-    let s = String::from_utf8(b64::encode_sha256(&out).to_vec()).unwrap();
-    mcf_hash.push_str(&s).expect("should have valid hash");
+    mcf_hash.push_str(&out).expect("should have valid hash");
 
     mcf_hash.into()
 }