加盐挑战响应认证机制 (SCRAM)

此实现根据RFC5802和RFC7677提供了SCRAM-SHA-256机制的客户端和服务器。它不支持通道绑定。

阅读文档。

限制

强制性的SCRAM-SHA-1认证机制目前尚未实现。这同样适用于*-PLUS变体，因为此库不支持通道绑定。如果您想贡献或维护它们，我会很感激。

用法

客户端

以下是一个典型使用场景。有关方法的详细说明，请考虑它们的文档。在生产代码中，您应使用适当的错误处理来替换解包。

首先，必须使用以下方法之一提供用户和密码：ClientFirst::new 或 ClientFirst::with_rng。这些方法返回一个SCRAM状态，您可以使用它来计算第一个客户端消息。

服务器和客户端使用SCRAM机制交换四个消息。对于每个消息都有一个Rust类型。在不同的类型上调用方法 client_first、handle_server_first、client_final 和 handle_server_final 可以逐步推进SCRAM握手。计算客户端消息永远不会失败，但处理服务器消息可能会导致失败。

use scram::ScramClient;

// This function represents your I/O implementation.
fn send_and_receive(message: &str) -> String {
    unimplemented!()
}

// Create a SCRAM state from the credentials.
let scram = ScramClient::new("user", "password", None).unwrap();

// Get the client message and reassign the SCRAM state.
let (scram, client_first) = scram.client_first();

// Send the client first message and receive the servers reply.
let server_first = send_and_receive(&client_first);

// Process the reply and again reassign the SCRAM state. You can add error handling to
// abort the authentication attempt.
let scram = scram.handle_server_first(&server_first).unwrap();

// Get the client final message and reassign the SCRAM state.
let (scram, client_final) = scram.client_final();

// Send the client final message and receive the servers reply.
let server_final = send_and_receive(&client_final);

// Process the last message. Any error returned means that the authentication attempt
// wasn't successful.
let () = scram.handle_server_final(&server_final).unwrap();

服务器

服务器是为了响应来自客户端的挑战而创建的。以下是一个使用默认提供程序的典型使用模式。在生产中，您将实现一个AuthenticationProvider，它可以基于用户名查找用户凭据

服务器和客户端使用SCRAM机制交换四个消息。对于每个消息都有一个Rust类型。在不同的类型上调用方法 handle_client_first()、server_first()、handle_client_final() 和 server_final() 可以逐步推进SCRAM握手。计算服务器消息永远不会失败（除非随机的随机数源失败），但处理客户端消息可能会导致失败。

use scram::{ScramServer, AuthenticationStatus, AuthenticationProvider, PasswordInfo};

// Create a dummy authentication provider
struct ExampleProvider;
impl AuthenticationProvider for ExampleProvider {
    // Here you would look up password information for the the given username
    fn get_password_for(&self, username: &str) -> Option<PasswordInfo> {
       unimplemented!()
    }

}
// These functions represent your I/O implementation.
# #[allow(unused_variables)]
fn receive() -> String {
    unimplemented!()
}
# #[allow(unused_variables)]
fn send(message: &str) {
    unimplemented!()
}

// Create a new ScramServer using the example authenication provider
let scram_server = ScramServer::new(ExampleProvider{});

// Receive a message from the client
let client_first = receive();

// Create a SCRAM state from the client's first message
let scram_server = scram_server.handle_client_first(&client_first).unwrap();
// Craft a response to the client's message and advance the SCRAM state
// We could use our own source of randomness here, with `server_first_with_rng()`
let (scram_server, server_first) = scram_server.server_first().unwrap();
// Send our message to the client and read the response
send(&server_first);
let client_final = receive();

// Process the client's challenge and re-assign the SCRAM state.  This could fail if the
// message was poorly formatted
let scram_server = scram_server.handle_client_final(&client_final).unwrap();

// Prepare the final message and get the authentication status
let(status, server_final) = scram_server.server_final();
// Send our final message to the client
send(&server_final);

// Check if the client successfully authenticated
assert_eq!(status, AuthenticationStatus::Authenticated);