Crypt-PostgreSQL
lib/Crypt/PostgreSQL.pm view on Meta::CPAN
use Crypt::Mac::HMAC qw(hmac hmac_b64);
use Crypt::Digest::SHA256 qw(sha256_b64);
use MIME::Base64;
use Digest::MD5 qw(md5_hex);
=head1 SYNOPSIS
use Crypt::PostgreSQL;
print Crypt::PostgreSQL::encrypt_md5('my password', 'myuser');
my $scram_hash = Crypt::PostgreSQL::encrypt_scram('my password');
use DBI;
my $dbh = DBI->connect("dbi:Pg:dbname=...", '', '', {AutoCommit => 0});
# qq{} (not q{}) so that $scram_hash is interpolated into the statement
$dbh->do(qq{
ALTER USER my_user ENCRYPTED PASSWORD '$scram_hash';
});
=head1 DESCRIPTION
This module generates password hashes in the format PostgreSQL stores them,
using one of the two password encryption formats: scram-sha-256 and md5.
=head2 encrypt_md5
The 1st argument is the password to be encrypted.
The 2nd argument is the PostgreSQL user name.
The function returns a hash string suitable for use with the ALTER USER SQL command.
=cut
sub encrypt_md5 {
    # Build a PostgreSQL "md5" password hash: the literal prefix 'md5'
    # followed by the hex MD5 digest of the password concatenated with the
    # user name.
    #
    # Arguments: ($password, $user). Croaks when $user is undef or empty.
    # Returns:   the 35-character string 'md5' . <32 hex digits>.
    #
    # Security note: the user name is the only salt, so the same
    # password/user pair always yields the same hash, and a single MD5 pass
    # is cheap to guess offline. Prefer encrypt_scram wherever the server
    # and clients support SCRAM-SHA-256.
    # NOTE(review): $password is not checked here; an undef password is
    # hashed like an empty one - confirm callers validate it.
    my ($password, $user) = @_;

    croak 'The 2nd parameter with the user is missing!'
        unless length $user;

    my $hex_digest = md5_hex($password . $user);
    return "md5$hex_digest";
}
=head2 encrypt_scram
The 1st argument is the password to be encrypted.
The 2nd argument, optional, defines the salt (use only for tests!).
The function returns a hash string suitable for use with the ALTER USER SQL command.
=cut
sub encrypt_scram {
    # Build a PostgreSQL SCRAM-SHA-256 password verifier of the form
    #   SCRAM-SHA-256$<iterations>:<base64 salt>$<base64 StoredKey>:<base64 ServerKey>
    #
    # Arguments: ($password, $salt). $salt is optional; when omitted, 16
    #            random bytes are drawn from Crypt::URandom. A caller-supplied
    #            salt must have length 16, otherwise the function croaks.
    # Returns:   the verifier string.
    #
    # Security note: pass a fixed salt only in tests; reusing one salt makes
    # equal passwords produce equal verifiers.
    # NOTE(review): $password goes to pbkdf2 as given, with no SASLprep
    # normalization or explicit byte encoding visible here - confirm that
    # non-ASCII passwords verify against the server.
    my ($password, $salt) = @_;

    if (defined $salt) {
        croak 'The salt length must be 16!' if length($salt) != 16;
    }
    else {
        $salt = Crypt::URandom::urandom(16);
    }

    # NOTE(review): the iteration count is fixed; a higher count raises the
    # cost of offline guessing - confirm what the target servers accept.
    my $iterations = 4096;

    # SaltedPassword: 32 bytes of PBKDF2 output with SHA256.
    my $salted_password = pbkdf2($password, $salt, $iterations, 'SHA256', 32);

    # StoredKey is the SHA-256 digest of ClientKey; the raw ClientKey never
    # appears in the returned string.
    my $client_key     = hmac('SHA256', $salted_password, 'Client Key');
    my $b64_stored_key = sha256_b64($client_key);
    my $b64_server_key = hmac_b64('SHA256', $salted_password, 'Server Key');

    # Empty second argument: no line breaks in the base64 output.
    my $b64_salt = encode_base64($salt, '');

    return join '$',
        'SCRAM-SHA-256',
        "$iterations:$b64_salt",
        "$b64_stored_key:$b64_server_key";
}
=head1 SECURITY
Report security vulnerabilities B<privately> to the maintainer at
E<lt>gdo@leader.itE<gt>. See the F<SECURITY.md> file in this distribution's
root directory for the full policy (coordinated disclosure, optional CC to the
L<CPAN Security Group|https://security.metacpan.org/> at
E<lt>cpan-security@security.metacpan.orgE<gt>). Do not file security issues on
public bug trackers before coordination.
=head1 BUGS
Please let the author know if any are caught
=head1 AUTHOR
Guido Brugnara
gdo@leader.it
=head1 COPYRIGHT
This program is free software; you can redistribute
it and/or modify it under the same terms as Perl itself.
The full text of the license can be found in the
LICENSE file included with this module.
=head1 SEE ALSO
=over
=item L<https://www.postgresql.org/docs/current/auth-password.html>
PostgreSQL documentation: 20.5. Password Authentication
=item L<https://www.leader.it/Blog/PostgreSQL_SCRAM-SHA-256_authentication>
Blog article: PostgreSQL SCRAM-SHA-256 authentication with credits ...
=back
=cut
1;  # A module file must end with a true value so that use/require succeeds.