Abstract password hashing into util.

Signed-off-by: Jason Volk <jason@zemos.net>

src/core/Cargo.toml

@@ -60,6 +60,7 @@ perf_measurements = []
 sentry_telemetry = []
 
 [dependencies]
+argon2.workspace = true
 axum-server.workspace = true
 axum.workspace = true
 bytes.workspace = true

src/core/utils/hash.rs

@@ -0,0 +1,72 @@
+use std::sync::Mutex;
+
+use argon2::{
+	password_hash, password_hash::SaltString, Algorithm, Argon2, Params, PasswordHash, PasswordHasher,
+	PasswordVerifier, Version,
+};
+
+const M_COST: u32 = Params::DEFAULT_M_COST; // memory size in 1 KiB blocks
+const T_COST: u32 = Params::DEFAULT_T_COST; // nr of iterations
+const P_COST: u32 = Params::DEFAULT_P_COST; // parallelism
+
+static STATE: Mutex<Option<Argon2<'static>>> = Mutex::new(None);
+
+#[allow(clippy::let_underscore_must_use)]
+pub fn init() {
+	// 19456 Kib blocks, iterations = 2, parallelism = 1
+	// * <https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id>
+	debug_assert!(M_COST == 19_456, "M_COST default changed");
+	debug_assert!(T_COST == 2, "T_COST default changed");
+	debug_assert!(P_COST == 1, "P_COST default changed");
+
+	let algorithm = Algorithm::Argon2id;
+	let version = Version::default();
+	let out_len: Option<usize> = None;
+	let params = Params::new(M_COST, T_COST, P_COST, out_len).expect("valid parameters");
+	let state = Argon2::new(algorithm, version, params);
+	_ = STATE.lock().expect("hashing state locked").insert(state);
+}
+
+pub fn password(password: &str) -> Result<String, password_hash::Error> {
+	let salt = SaltString::generate(rand::thread_rng());
+	STATE
+		.lock()
+		.expect("hashing state locked")
+		.as_ref()
+		.expect("hashing state initialized")
+		.hash_password(password.as_bytes(), &salt)
+		.map(|it| it.to_string())
+}
+
+pub fn verify_password(password: &str, password_hash: &str) -> Result<(), password_hash::Error> {
+	let password_hash = PasswordHash::new(password_hash)?;
+	STATE
+		.lock()
+		.expect("hashing state locked")
+		.as_ref()
+		.expect("hashing state initialized")
+		.verify_password(password.as_bytes(), &password_hash)
+}
+
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn password_hash_and_verify() {
+		use crate::utils::hash;
+		hash::init();
+		let preimage = "temp123";
+		let digest = hash::password(preimage).expect("digest");
+		hash::verify_password(preimage, &digest).expect("verified");
+	}
+
+	#[test]
+	#[should_panic(expected = "unverified")]
+	fn password_hash_and_verify_fail() {
+		use crate::utils::hash;
+		hash::init();
+		let preimage = "temp123";
+		let fakeimage = "temp321";
+		let digest = hash::password(preimage).expect("digest");
+		hash::verify_password(fakeimage, &digest).expect("unverified");
+	}
+}

src/core/utils/mod.rs

@@ -1,6 +1,7 @@
 pub mod content_disposition;
 pub mod debug;
 pub mod defer;
+pub mod hash;
 pub mod html;
 pub mod json;
 pub mod sys;