盐值挑战响应身份验证机制 (SCRAM)

此实现根据 RFC5802 和 RFC7677 提供了 SCRAM-SHA-256 机制的客户端和服务器。它不支持通道绑定。

阅读文档。

限制

强制性的 SCRAM-SHA-1 身份验证机制目前尚未实现。这也适用于 *-PLUS 变体，因为此库不支持通道绑定。如果您想贡献或维护它们，我将非常感激。

使用方法

客户端

以下是一个典型使用场景。有关方法的详细说明，请参阅其文档。在生产代码中，您应该用适当的错误处理来替换 unwrapping。

首先，必须使用以下方法之一提供用户和密码：`ClientFirst::new` 或 `ClientFirst::with_rng`。这些方法返回一个 SCRAM 状态，您可以使用它来计算第一个客户端消息。

服务器和客户端使用 SCRAM 机制交换四个消息。每种消息都有一个 Rust 类型。在相应的类型上调用 `client_first`、`handle_server_first`、`client_final` 和 `handle_server_final` 方法可以逐步推进 SCRAM 握手。计算客户端消息永远不会失败，但处理服务器消息可能导致失败。

use scram::ScramClient;

// This function represents your I/O implementation.
fn send_and_receive(message: &str) -> String {
    unimplemented!()
}

// Create a SCRAM state from the credentials.
let scram = ScramClient::new("user", "password", None);

// Get the client message and reassign the SCRAM state.
let (scram, client_first) = scram.client_first();

// Send the client first message and receive the servers reply.
let server_first = send_and_receive(&client_first);

// Process the reply and again reassign the SCRAM state. You can add error handling to
// abort the authentication attempt.
let scram = scram.handle_server_first(&server_first).unwrap();

// Get the client final message and reassign the SCRAM state.
let (scram, client_final) = scram.client_final();

// Send the client final message and receive the servers reply.
let server_final = send_and_receive(&client_final);

// Process the last message. Any error returned means that the authentication attempt
// wasn't successful.
let () = scram.handle_server_final(&server_final).unwrap();

服务器

服务器是为了响应用户端的挑战而创建的。以下是一个使用默认提供者的典型使用模式。在生产中，您将实现一个 AuthenticationProvider，它可以根据用户名查找凭据。

服务器和客户端使用SCRAM机制交换四个消息。每个消息都有一个rust类型。调用handle_client_first()、server_first()、handle_client_final()和server_final()方法，分别对不同类型进行操作，可以逐步推进SCRAM握手。计算服务器消息永远不会失败（除非随机数源的随机性失败），但处理客户端消息可能会失败。

如果认证失败，最后一步将不会返回错误，但会返回一个AuthenticationStatus，你可以用它来判断认证是否成功。

use scram::{ScramServer, AuthenticationStatus, AuthenticationProvider, PasswordInfo};

// Create a dummy authentication provider
struct ExampleProvider;
impl AuthenticationProvider for ExampleProvider {
    // Here you would look up password information for the the given username
    fn get_password_for(&self, username: &str) -> Option<PasswordInfo> {
       unimplemented!()
    }

}
// These functions represent your I/O implementation.
# #[allow(unused_variables)]
fn receive() -> String {
    unimplemented!()
}
# #[allow(unused_variables)]
fn send(message: &str) {
    unimplemented!()
}

// Create a new ScramServer using the example authenication provider
let scram_server = ScramServer::new(ExampleProvider{});

// Receive a message from the client
let client_first = receive();

// Create a SCRAM state from the client's first message
let scram_server = scram_server.handle_client_first(&client_first).unwrap();
// Craft a response to the client's message and advance the SCRAM state
// We could use our own source of randomness here, with `server_first_with_rng()`
let (scram_server, server_first) = scram_server.server_first();
// Send our message to the client and read the response
send(&server_first);
let client_final = receive();

// Process the client's challenge and re-assign the SCRAM state.  This could fail if the
// message was poorly formatted
let scram_server = scram_server.handle_client_final(&client_final).unwrap();

// Prepare the final message and get the authentication status
let(status, server_final) = scram_server.server_final();
// Send our final message to the client
send(&server_final);

// Check if the client successfully authenticated
assert_eq!(status, AuthenticationStatus::Authenticated);