Merge pull request #15 from esl/update_fast_pbkdf2

DenysGonchar · web-flow · commit d65fe8f2cddf · 2025-02-21T10:25:41.000+01:00
Allow SHA3 hashes
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ SaltedPassword = fast_scram:hi(Hash, Password, Salt, IterationCount)
 ```
 where `Hash` is the underlying hash function chosen as described by
 ```erlang
--type sha_type() :: crypto:sha1() | crypto:sha2().
+-type sha_type() :: crypto:sha1() | crypto:sha2() | crypto:sha3().
 ```
 
 ### Full algorithm
@@ -219,7 +219,7 @@ It all boils down to the right PBKDF2 implementation, as done in [fast_pbkdf2][f
 But while the erlang implementation consumes memory linearly to the iteration count, the NIF implementation does not allocate any more memory.
 
 ### Running without NIFs
-Note that since OTP24.2, the `crypto` application exposes a native `pbkdf2_hmac` function. However, the NIF implementation from [fast_pbkdf2] is twice as fast, so that one is left as a default.
+Note that since OTP24.2, the `crypto` application exposes a native `pbkdf2_hmac` function. However, the NIF implementation from [fast_pbkdf2] is ~30% faster, and supports SHA3, so that one is left as a default.
 
 If for any particular reason you want to skip compiling and loading custom NIFs, you can override the dependency using `rebar3`'s overrides as below, this way the dependency will not be fetched and code will be compiled to use the `crypto` callback instead.
 
@@ -229,7 +229,6 @@ If for any particular reason you want to skip compiling and loading custom NIFs,
     {override, fast_scram, [{erl_opts, [{d, 'WITHOUT_NIFS'}]}, {deps, []}]},
   ]
 }.
-
 ```
 
 ## Read more:
diff --git a/rebar.config b/rebar.config
@@ -43,7 +43,12 @@
         dirs => ["src/**"],
         filter => "*.erl",
         ruleset => erl_files,
-        rules => [{elvis_style, private_data_types, disable}]
+        rules => [
+            {elvis_style, private_data_types, disable},
+            {elvis_style, atom_naming_convention, #{
+                regex => "^([a-z][a-zA-Z0-9_]*_?)*$"
+            }}
+        ]
     },
     #{
         dirs => ["."],
diff --git a/src/fast_scram.erl b/src/fast_scram.erl
@@ -3,7 +3,11 @@
 
 -include("fast_scram.hrl").
 
+-ifdef(WITHOUT_NIFS).
 -type sha_type() :: crypto:sha1() | crypto:sha2().
+-else.
+-type sha_type() :: crypto:sha1() | crypto:sha2() | sha3_224 | sha3_256 | sha3_384 | sha3_512.
+-endif.
 %%% Supported underlying hashing algorithms.
 -type configuration() :: #{
     entity := client | server,
diff --git a/src/fast_scram.hrl b/src/fast_scram.hrl
@@ -5,7 +5,8 @@
     H =:= sha orelse
         H =:= sha224 orelse H =:= sha256 orelse
         H =:= sha384 orelse H =:= sha512 orelse
-        H =:= sha3_512
+        H =:= sha3_224 orelse H =:= sha3_256 orelse
+        H =:= sha3_384 orelse H =:= sha3_512
 ).
 
 -record(nonce, {
diff --git a/test/scram_SUITE.erl b/test/scram_SUITE.erl
@@ -8,7 +8,9 @@
 %% test cases
 -export([
     regular_scram_authentication_example_from_the_rfc/1,
-    regular_scram_authentication/1,
+    regular_scram_authentication_sha1/1,
+    regular_scram_authentication_sha2/1,
+    regular_scram_authentication_sha3/1,
     wrong_configuration_key/1,
     configuration_client_sends_wrong_username/1,
     configuration_cached_keys_works_easily/0,
@@ -73,7 +75,9 @@ groups() ->
     [
         {verifications, [parallel], [
             regular_scram_authentication_example_from_the_rfc,
-            regular_scram_authentication,
+            regular_scram_authentication_sha1,
+            regular_scram_authentication_sha2,
+            regular_scram_authentication_sha3,
             wrong_configuration_key,
             verification_name_escapes_values_correctly,
             verification_name_does_not_escape_values_correctly,
@@ -152,18 +156,33 @@ regular_scram_authentication_example_from_the_rfc(_Config) ->
     %% Client successfully accepts the server's verifier
     {ok, _Final, _ClientState7} = fast_scram:mech_step(ClientState5, ServerFinal).
 
-regular_scram_authentication(_Config) ->
+regular_scram_authentication_sha1(_Config) ->
+    regular_scram_authentication(_Config, sha).
+
+regular_scram_authentication_sha2(_Config) ->
+    regular_scram_authentication(_Config, sha224),
+    regular_scram_authentication(_Config, sha256),
+    regular_scram_authentication(_Config, sha384),
+    regular_scram_authentication(_Config, sha512).
+
+regular_scram_authentication_sha3(_Config) ->
+    regular_scram_authentication(_Config, sha3_224),
+    regular_scram_authentication(_Config, sha3_256),
+    regular_scram_authentication(_Config, sha3_384),
+    regular_scram_authentication(_Config, sha3_512).
+
+regular_scram_authentication(_Config, Hash) ->
     Password = base64:encode(crypto:strong_rand_bytes(8 + rand:uniform(8))),
     {ok, ClientState1} = fast_scram:mech_new(#{
         entity => client,
-        hash_method => sha256,
+        hash_method => Hash,
         username => <<"user">>,
         auth_data => #{password => Password}
     }),
     {ok, ServerState2} = fast_scram:mech_new(
         #{
             entity => server,
-            hash_method => sha256,
+            hash_method => Hash,
             username => <<"user">>,
             retrieve_mechanism =>
                 fun(U, S) -> retrieve_mechanism(U, #{password => Password}, S) end
