password-hash: extract CustomizedPasswordHasher trait (#2105)

tarcieri · web-flow · commit 85ce438cffe1 · 2025-12-04T17:31:33.000-07:00
Splits out `PasswordHasher::hash_password_customized` into its own
separate `CustomizedPasswordHasher` trait.

This trait retains the associated `Params` type since that's used as a
method argument.

This also adds a type alias `Version` for `u32` to use in place of
`Decimal` (also a `u32` alias) for the `Version` parameter to
`hash_password_customized`, and changes the `salt` parameter to be `&amp;'a
str`, which removes any PHC-related types as input arguments to the
method.

However, there is still a dependency on `ParamsString` and
`PasswordHash`, which still needs to be addressed to fully decouple the
trait from PHC types.
diff --git a/password-hash/src/lib.rs b/password-hash/src/lib.rs
@@ -40,11 +40,23 @@ pub use phc::PasswordHash;
 #[cfg(feature = "alloc")]
 pub use phc::PasswordHashString;
 
-use crate::phc::{Decimal, Ident, ParamsString, Salt};
+use crate::phc::ParamsString;
 use core::fmt::Debug;
 
+/// Numeric version identifier for password hashing algorithms.
+pub type Version = u32;
+
 /// Trait for password hashing functions.
 pub trait PasswordHasher {
+    /// Simple API for computing a [`PasswordHash`] from a password and
+    /// salt value.
+    ///
+    /// Uses the default recommended parameters for a given algorithm.
+    fn hash_password<'a>(&self, password: &[u8], salt: &'a str) -> Result<PasswordHash<'a>>;
+}
+
+/// Trait for password hashing functions which support customization.
+pub trait CustomizedPasswordHasher {
     /// Algorithm-specific parameters.
     type Params: Clone
         + Debug
@@ -60,23 +72,11 @@ pub trait PasswordHasher {
     fn hash_password_customized<'a>(
         &self,
         password: &[u8],
-        algorithm: Option<Ident<'a>>,
-        version: Option<Decimal>,
+        algorithm: Option<&'a str>,
+        version: Option<Version>,
         params: Self::Params,
-        salt: impl Into<Salt<'a>>,
+        salt: &'a str,
     ) -> Result<PasswordHash<'a>>;
-
-    /// Simple API for computing a [`PasswordHash`] from a password and
-    /// salt value.
-    ///
-    /// Uses the default recommended parameters for a given algorithm.
-    fn hash_password<'a>(
-        &self,
-        password: &[u8],
-        salt: impl Into<Salt<'a>>,
-    ) -> Result<PasswordHash<'a>> {
-        self.hash_password_customized(password, None, None, Self::Params::default(), salt)
-    }
 }
 
 /// Trait for password verification.
@@ -93,15 +93,15 @@ pub trait PasswordVerifier {
     fn verify_password(&self, password: &[u8], hash: &PasswordHash<'_>) -> Result<()>;
 }
 
-impl<T: PasswordHasher> PasswordVerifier for T {
+impl<T: CustomizedPasswordHasher> PasswordVerifier for T {
     fn verify_password(&self, password: &[u8], hash: &PasswordHash<'_>) -> Result<()> {
         if let (Some(salt), Some(expected_output)) = (&hash.salt, &hash.hash) {
             let computed_hash = self.hash_password_customized(
                 password,
-                Some(hash.algorithm),
+                Some(hash.algorithm.as_str()),
                 hash.version,
                 T::Params::try_from(hash)?,
-                *salt,
+                salt.as_str(),
             )?;
 
             if let Some(computed_output) = &computed_hash.hash {
diff --git a/password-hash/src/phc.rs b/password-hash/src/phc.rs
@@ -161,7 +161,7 @@ impl<'a> PasswordHash<'a> {
     pub fn generate(
         phf: impl PasswordHasher,
         password: impl AsRef<[u8]>,
-        salt: impl Into<Salt<'a>>,
+        salt: &'a str,
     ) -> crate::Result<Self> {
         phf.hash_password(password.as_ref(), salt)
     }
diff --git a/password-hash/tests/hashing.rs b/password-hash/tests/hashing.rs
@@ -1,7 +1,8 @@
 //! Password hashing tests
 
+use password_hash::PasswordHasher;
 pub use password_hash::{
-    PasswordHasher,
+    CustomizedPasswordHasher,
     errors::{Error, Result},
     phc::{Decimal, Ident, Output, ParamsString, PasswordHash, Salt},
 };
@@ -12,21 +13,27 @@ const ALG: Ident = Ident::new_unwrap("example");
 pub struct StubPasswordHasher;
 
 impl PasswordHasher for StubPasswordHasher {
+    fn hash_password<'a>(&self, password: &[u8], salt: &'a str) -> Result<PasswordHash<'a>> {
+        self.hash_password_customized(password, None, None, StubParams, salt)
+    }
+}
+
+impl CustomizedPasswordHasher for StubPasswordHasher {
     type Params = StubParams;
 
     fn hash_password_customized<'a>(
         &self,
         password: &[u8],
-        algorithm: Option<Ident<'a>>,
+        algorithm: Option<&'a str>,
         version: Option<Decimal>,
         params: StubParams,
-        salt: impl Into<Salt<'a>>,
+        salt: &'a str,
     ) -> Result<PasswordHash<'a>> {
-        let salt = salt.into();
+        let salt = Salt::from_b64(salt)?;
         let mut output = Vec::new();
 
         if let Some(alg) = algorithm {
-            if alg != ALG {
+            if Ident::new(alg)? != ALG {
                 return Err(Error::Algorithm);
             }
         }
@@ -70,12 +77,12 @@ impl TryFrom<StubParams> for ParamsString {
 #[test]
 fn verify_password_hash() {
     let valid_password = "test password";
-    let salt = Salt::from_b64("test-salt").unwrap();
+    let salt = "test-salt";
     let hash = PasswordHash::generate(StubPasswordHasher, valid_password, salt).unwrap();
 
     // Sanity tests for StubFunction impl above
     assert_eq!(hash.algorithm, ALG);
-    assert_eq!(hash.salt.unwrap(), salt);
+    assert_eq!(hash.salt.unwrap().as_str(), salt);
 
     // Tests for generic password verification logic
     assert_eq!(

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ impl<'a> PasswordHash<'a> {`
`161`	`161`	`pub fn generate(`
`162`	`162`	`phf: impl PasswordHasher,`
`163`	`163`	`password: impl AsRef<[u8]>,`
`164`		`- salt: impl Into<Salt<'a>>,`
	`164`	`+ salt: &'a str,`
`165`	`165`	`) -> crate::Result<Self> {`
`166`	`166`	`phf.hash_password(password.as_ref(), salt)`
`167`	`167`	`}`