Documentation
Index
- Constants
- Variables
- func APIKeyAAD(keyPrefix string) []byte
- func DatabaseAAD(databaseUID string) []byte
- func Decrypt(ciphertext []byte, key []byte, aad []byte) ([]byte, error)
- func DeriveO5LogonVerifierKey(password string, salt []byte) []byte
- func Encrypt(plaintext []byte, key []byte, aad []byte) ([]byte, error)
- func GenerateO5LogonVerifier(password string) ([]byte, []byte, error)
- func HashPassword(password string) (string, error)
- func HashPasswordWithParams(password string, params HashParams) (string, error)
- func VerifyPassword(encodedHash, password string) (bool, error)
- type HashParams
Constants
const (
	// O5LogonSaltLength is the length of the O5LOGON salt.
	O5LogonSaltLength = 10
	// O5LogonVerifierKeyLength is the length of the O5LOGON verifier key (SHA-1 zero-padded to 24).
	O5LogonVerifierKeyLength = 24
)
const DefaultArgon2Memory uint32 = 8 * 1024
DefaultArgon2Memory is the default memory cost in KB (8 MB). Together with DefaultArgon2Time = 1 this is a low work factor by current guidance (the OWASP Password Storage Cheat Sheet recommends at least 19 MiB with t=2, p=1 for Argon2id); deployments that can afford the hashing latency should raise it through HashPasswordWithParams.
const DefaultArgon2Threads uint8 = 4
DefaultArgon2Threads is the default parallelism factor.
const DefaultArgon2Time uint32 = 1
DefaultArgon2Time is the default number of iterations.
Variables
var (
	ErrInvalidKeySize     = errors.New("key must be 32 bytes")
	ErrCiphertextTooShort = errors.New("ciphertext too short")
)
Encryption errors.
var (
	ErrInvalidHashFormat   = errors.New("invalid hash format")
	ErrUnsupportedHashAlgo = errors.New("unsupported hash algorithm")
)
Hash errors.
Functions
func APIKeyAAD added in v0.5.0
APIKeyAAD returns the AAD for encrypting API key O5LOGON verifiers. This binds the ciphertext to a specific API key prefix, preventing verifier transplant attacks.
func DatabaseAAD
DatabaseAAD returns the AAD for encrypting database credentials. This binds the ciphertext to a specific database UID, preventing credential transplant attacks where encrypted passwords are swapped between database rows.
func Decrypt
Decrypt decrypts ciphertext using AES-256-GCM with the provided key. The ciphertext must carry the nonce as its prefix; anything shorter than nonce plus GCM tag is rejected with ErrCiphertextTooShort. The aad must be byte-for-byte identical to the value used during encryption, since it is authenticated by the GCM tag but not stored in the ciphertext; pass nil only for legacy data that was encrypted without AAD. A mismatched or missing aad fails authentication, so callers must know which rows are legacy before migrating.
func DeriveO5LogonVerifierKey added in v0.5.0
DeriveO5LogonVerifierKey computes the O5LOGON verifier key from password and salt.
func Encrypt
Encrypt encrypts plaintext using AES-256-GCM with the provided key. The ciphertext includes the nonce prefix. Optional aad (Additional Authenticated Data) binds the ciphertext to a context, preventing the ciphertext from being used in a different context.
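The following is an added, stand-alone illustration of the Encrypt/Decrypt contract described above and of what DatabaseAAD buys you; it is not the package's own code. The AAD byte layout ("database:" + UID) is an assumption, since the package documents only that the AAD is derived from the database UID. The example encrypts a credential for one row, then shows that copying the ciphertext into another row (a different AAD) fails the GCM tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Illustrative re-implementation of the documented contract; not the package's code.
var (
	ErrInvalidKeySize     = errors.New("key must be 32 bytes")
	ErrCiphertextTooShort = errors.New("ciphertext too short")
)

// DatabaseAAD binds a ciphertext to one database row. The byte layout here is
// an assumption; the package only documents that the AAD derives from the UID.
func DatabaseAAD(databaseUID string) []byte {
	return []byte("database:" + databaseUID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 only
		return nil, ErrInvalidKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. The aad is authenticated but not
// stored, so the caller must reconstruct it from context at decryption time.
func Encrypt(plaintext, key, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the fresh nonce becomes the prefix.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt splits off the nonce prefix and verifies the GCM tag over
// ciphertext and aad together; a mismatch in either yields an error.
func Decrypt(ciphertext, key, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrCiphertextTooShort
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, aad)
}

// TransplantRejected models the attack the AAD exists to stop: a password
// encrypted for row db-A is copied into row db-B. It returns true when the
// copy decrypts under db-A's AAD but is rejected under db-B's.
func TransplantRejected(key []byte) (bool, error) {
	ct, err := Encrypt([]byte("hunter2"), key, DatabaseAAD("db-A"))
	if err != nil {
		return false, err
	}
	if _, err := Decrypt(ct, key, DatabaseAAD("db-A")); err != nil {
		return false, err
	}
	_, err = Decrypt(ct, key, DatabaseAAD("db-B"))
	return err != nil, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rejected, err := TransplantRejected(key)
	fmt.Println("transplant rejected:", rejected, err)
}
```

The same mechanism is why the nil-AAD legacy path has to be handled deliberately: a row encrypted with DatabaseAAD does not decrypt with aad = nil either, so a migration must know which rows predate AAD rather than trying nil as a fallback on every failure.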
func GenerateO5LogonVerifier added in v0.5.0
GenerateO5LogonVerifier creates a random salt plus verifier key from a plaintext password. This is used at API key creation time to store O5LOGON verifier data for Oracle proxy auth.
verifier_key = SHA1(password || salt), zero-padded to 24 bytes (the 20-byte digest followed by 4 zero bytes).
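An added worked example of the derivation above, written against the documented formula and constants rather than taken from the package: a 10-byte random salt, SHA-1 over password || salt, and zero-padding to 24 bytes. The constant-time VerifyO5LogonPassword helper is an assumption added for illustration; the package exposes only the generate and derive functions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Illustrative re-implementation of the documented formula; not the package's code.
const (
	O5LogonSaltLength        = 10 // bytes of random salt
	O5LogonVerifierKeyLength = 24 // 20-byte SHA-1 digest + 4 zero bytes
)

// DeriveO5LogonVerifierKey returns SHA1(password || salt) zero-padded to 24 bytes.
func DeriveO5LogonVerifierKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	key := make([]byte, O5LogonVerifierKeyLength) // trailing 4 bytes stay zero
	copy(key, h.Sum(nil))
	return key
}

// GenerateO5LogonVerifier draws a fresh salt and derives the matching key.
func GenerateO5LogonVerifier(password string) (salt, key []byte, err error) {
	salt = make([]byte, O5LogonSaltLength)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	return salt, DeriveO5LogonVerifierKey(password, salt), nil
}

// VerifyO5LogonPassword is an assumed helper: re-derive and compare in
// constant time so the comparison leaks nothing about the stored key.
func VerifyO5LogonPassword(password string, salt, storedKey []byte) bool {
	return subtle.ConstantTimeCompare(DeriveO5LogonVerifierKey(password, salt), storedKey) == 1
}

func main() {
	salt, key, err := GenerateO5LogonVerifier("tiger")
	if err != nil {
		panic(err)
	}
	fmt.Println("salt:", hex.EncodeToString(salt))
	fmt.Println("key: ", hex.EncodeToString(key))
	fmt.Println("verify:", VerifyO5LogonPassword("tiger", salt, key))
}
```

Because this verifier is a single SHA-1 with a short salt, it is cheap to brute-force offline if it leaks in the clear; that is why the package stores it encrypted under AES-256-GCM with APIKeyAAD rather than treating it as a password hash.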
func HashPassword
HashPassword generates an Argon2id hash of the password using default parameters.
func HashPasswordWithParams added in v0.0.1
func HashPasswordWithParams(password string, params HashParams) (string, error)
HashPasswordWithParams generates an Argon2id hash of the password using provided parameters.
func VerifyPassword
VerifyPassword verifies a password against an Argon2id hash.
Types
type HashParams added in v0.0.1
type HashParams struct {
MemoryKB uint32 // Memory in KB
Time uint32 // Number of iterations
Threads uint8 // Parallelism factor
}
HashParams holds configurable parameters for password hashing.
func DefaultHashParams added in v0.0.1
func DefaultHashParams() HashParams
DefaultHashParams returns the default hash parameters.