
Module auth


Authentication mechanisms for Hyper connections.

The server selects the authentication method during the startup handshake by sending an AuthenticationRequest message. This module provides the client-side implementations for each supported method:

| Method | Server message | Client response |
|---|---|---|
| Trust | AuthenticationOk | (none) |
| Cleartext | AuthenticationCleartextPassword | Password in plain text |
| MD5 | AuthenticationMD5Password(salt) | "md5" + MD5(MD5(password + user) + salt) |
| SCRAM-SHA-256 | AuthenticationSASL | Multi-step: client-first, server-first, client-final, server-final |

§SCRAM-SHA-256 Protocol (RFC 5802, with the SHA-256 parameters of RFC 7677)

The SCRAM exchange is a 4-message handshake managed by AuthState:

  1. Client-first (scram_client_first) — Client sends n,,n=,r=<nonce>
  2. Server-first — Server responds with r=<combined-nonce>,s=<salt>,i=<iterations>
  3. Client-final (scram_client_final) — Client derives SaltedPassword via PBKDF2-SHA-256, then ClientKey/StoredKey/ServerKey, and sends c=<channel-binding>,r=<combined-nonce>,p=<client-proof> (the proof is ClientKey XOR ClientSignature; the nonce echoed here is the full combined nonce from the server-first message)
  4. Server-final (scram_verify_server) — Client recomputes ServerSignature and verifies the server's v=<server-signature>; a mismatch or an e=<error> field must abort the connection, since it means the peer never knew ServerKey
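The four-step exchange above, together with the MD5 response from the table, as an added example written for this page in Python on the standard library (hashlib, hmac, base64). It is not the Hyper crate's code: the function names mirror the module's (scram_client_first, scram_client_final, scram_verify_server, compute_md5_password) but their signatures are this example's own, and ScramServer is a stand-in server written here so the exchange runs offline; like PostgreSQL it keeps only StoredKey and ServerKey, never the password. The optional user and nonce arguments exist so the RFC 7677 test vector can be reproduced; a PostgreSQL client sends n= empty as the list says. Zeroing the bytearray holding SaltedPassword is the nearest stdlib analogue of the crate's Zeroizing wrapper.

```python
"""SCRAM-SHA-256 client steps plus a minimal server simulator (added example)."""
import base64
import hashlib
import hmac
import os
import secrets

CHANNEL_BINDING = base64.b64encode(b"n,,").decode()  # "biws": no channel binding


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def parse_fields(message: str) -> dict:
    """Split 'a=1,b=2' into {'a': '1', 'b': '2'}; a value may itself contain '='."""
    return dict(field.split("=", 1) for field in message.split(","))


def compute_md5_password(user: str, password: str, salt: bytes) -> str:
    """MD5 row of the table: "md5" + MD5(MD5(password + user) + salt).
    The inner digest is fed in as lowercase hex text; the 4-byte salt is raw bytes."""
    inner = hashlib.md5((password + user).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()


def scram_client_first(user: str = "", nonce: str = None):
    """Step 1. Returns (client_nonce, client_first_bare, client_first)."""
    nonce = nonce or b64(secrets.token_bytes(18))
    client_first_bare = f"n={user},r={nonce}"
    return nonce, client_first_bare, "n,," + client_first_bare


def scram_client_final(password: str, client_nonce: str, client_first_bare: str, server_first: str):
    """Step 3. Derive keys with PBKDF2-SHA-256 and build the client proof.
    Returns (client_final, expected_server_signature). Assumes an ASCII password;
    a real client applies SASLprep first."""
    fields = parse_fields(server_first)
    combined_nonce, iterations = fields["r"], int(fields["i"])
    salt = base64.b64decode(fields["s"])
    # Checks a client must enforce: the server nonce must extend ours (replay /
    # message mix-up defence) and a hostile server must not be able to request a
    # trivially low iteration count; 4096 is the floor RFC 7677 recommends.
    if not combined_nonce.startswith(client_nonce) or len(combined_nonce) == len(client_nonce):
        raise ValueError("server nonce does not extend client nonce")
    if iterations < 4096:
        raise ValueError("iteration count below 4096")
    salted_password = bytearray(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations))
    client_key = hmac.new(salted_password, b"Client Key", "sha256").digest()
    server_key = hmac.new(salted_password, b"Server Key", "sha256").digest()
    salted_password[:] = b"\0" * len(salted_password)  # analogue of the crate's zeroize
    stored_key = hashlib.sha256(client_key).digest()
    client_final_without_proof = f"c={CHANNEL_BINDING},r={combined_nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_without_proof}".encode()
    client_signature = hmac.new(stored_key, auth_message, "sha256").digest()
    client_proof = bytes(k ^ s for k, s in zip(client_key, client_signature))
    server_signature = hmac.new(server_key, auth_message, "sha256").digest()
    return f"{client_final_without_proof},p={b64(client_proof)}", server_signature


def scram_verify_server(expected_server_signature: bytes, server_final: str) -> bool:
    """Step 4. Accept the session only if the server proved knowledge of ServerKey."""
    fields = parse_fields(server_final)
    if "e" in fields:  # server reported an error, e.g. e=invalid-proof
        return False
    return hmac.compare_digest(base64.b64decode(fields["v"]), expected_server_signature)


class ScramServer:
    """Stand-in server (example only). Stores only StoredKey and ServerKey."""

    def __init__(self, password: str, iterations: int = 4096, salt: bytes = None):
        self.salt, self.iterations = salt or os.urandom(16), iterations
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, iterations)
        client_key = hmac.new(salted, b"Client Key", "sha256").digest()
        self.stored_key = hashlib.sha256(client_key).digest()
        self.server_key = hmac.new(salted, b"Server Key", "sha256").digest()

    def server_first(self, client_first: str, server_nonce: str = None) -> str:
        self.client_first_bare = client_first[len("n,,"):]
        client_nonce = parse_fields(self.client_first_bare)["r"]
        self.nonce = client_nonce + (server_nonce or b64(secrets.token_bytes(18)))
        self.server_first_msg = f"r={self.nonce},s={b64(self.salt)},i={self.iterations}"
        return self.server_first_msg

    def server_final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        if parse_fields(without_proof)["r"] != self.nonce:
            return "e=other-error"
        auth_message = f"{self.client_first_bare},{self.server_first_msg},{without_proof}".encode()
        client_signature = hmac.new(self.stored_key, auth_message, "sha256").digest()
        client_key = bytes(p ^ s for p, s in zip(base64.b64decode(proof_b64), client_signature))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            return "e=invalid-proof"
        return "v=" + b64(hmac.new(self.server_key, auth_message, "sha256").digest())


def run_exchange(client_password: str, server: ScramServer, user: str = "",
                 client_nonce: str = None, server_nonce: str = None) -> bool:
    """Drive all four messages and return whether the client accepts the session."""
    nonce, client_first_bare, client_first = scram_client_first(user, client_nonce)
    server_first = server.server_first(client_first, server_nonce)
    client_final, expected = scram_client_final(client_password, nonce, client_first_bare, server_first)
    return scram_verify_server(expected, server.server_final(client_final))


if __name__ == "__main__":
    server = ScramServer("pencil")
    print("correct password accepted:", run_exchange("pencil", server))
    print("wrong password accepted:", run_exchange("wrong", server))
```

With the RFC 7677 inputs (user "user", password "pencil", client nonce rOprNGfwEbeRWgbNEkqO, the published salt and server nonce) the block reproduces the RFC's client-final and server-final messages byte for byte, which is the quickest way to check any SCRAM port. The two ValueError checks and the False return on an e= field are the points where a client must drop the connection rather than continue; the server side recovers ClientKey from the proof by XOR and only ever compares its hash against StoredKey, so a database dump of StoredKey/ServerKey does not yield the password.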

§Security

This module uses zeroize to clear sensitive cryptographic material (passwords, derived keys, HMAC outputs) from memory when it goes out of scope. All intermediate key material in the SCRAM exchange is wrapped in Zeroizing<Vec<u8>> so that it is overwritten on drop rather than left in freed heap memory where a later memory disclosure could recover it.

§Attribution

Portions of this module's SCRAM-SHA-256 implementation were adapted from postgres-protocol's authentication/sasl.rs (Copyright (c) 2016 Steven Fackler, MIT or Apache-2.0). Adapted material includes the variable naming (client_first_bare, salted_password, client_key, server_key, stored_key, client_signature, client_proof, auth_message) and the key-derivation sequence. The field-parsing structure was rewritten; Hyper-specific additions include zeroize-based memory hygiene for derived key material. See the NOTICE file at the repo root for the full upstream copyright and reproduced license text.

Structs§

AuthState
State for SCRAM-SHA-256 authentication exchange.

Functions§

compute_md5_password
Computes the MD5 password hash for PostgreSQL authentication.
scram_client_final
Processes the server-first message and generates the client-final message.
scram_client_first
Generates the client-first message for SCRAM-SHA-256.
scram_verify_server
Verifies the server-final message.