crypt

package module
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 16, 2022 License: MIT Imports: 19 Imported by: 3

README

Go Reference Go Report Card

github.com/go-crypt/crypt

Password Hashing / Digest / Crypt library.

Intent

This library aims to provide a convenient layer over the go password hashing crypto functions.

Tasks

A list of tasks that need to be accomplished are listed in the General Project.

Algorithms

Algorithm Variants
Argon2 Argon2id, Argon2i, Argon2d
SHA2 Crypt SHA256, SHA512
PBKDF2 SHA1, SHA224, SHA256, SHA384, SHA512
bcrypt bcrypt, bcrypt-sha256
scrypt scrypt
Plain Text Format

In addition to the crypt functions above we also support a plain text storage format which has a regular plain text variant and a Base64 format (for storage, not security).

The PHC string format we decided to use is as follows:

$<id>$<data>

Where id is either plaintext or base64, and data is either the password string or the Base64 (Adapted) encoded string.

bcrypt-sha256

This algorithm was thought of by the developers of Passlib. It circumvents the issue in bcrypt where the maximum password length is effectively 72 bytes by passing the password via a HMAC-SHA-256 function which uses the salt bytes as the key.

Note: Only bcrypt-sha256 version 2 which uses the PHC string format and passes the password through a HMAC-SHA-256 function the salt as the key is supported. The bcrypt-sha256 version 1 which uses the Modular Crypt Format and only passes the password via a SHA-256 sum function not supported at all.

Base64 (Adapted)

Many password storage formats use Base64 with an Adapted charset to store the bytes of the salt or hash key. This uses the standard Base64 encoding without padding as per RFC4648 section 4 but replaces the + chars with a ..

Documentation

Index

Constants

View Source 
const (
	AlgorithmPrefixPlainText    = "plaintext"
	AlgorithmPrefixBase64       = "base64"
	AlgorithmPrefixArgon2i      = "argon2i"
	AlgorithmPrefixArgon2d      = "argon2d"
	AlgorithmPrefixArgon2id     = "argon2id"
	AlgorithmPrefixBcrypt       = "2b"
	AlgorithmPrefixBcryptSHA256 = "bcrypt-sha256"
	AlgorithmPrefixSHA256       = "5"
	AlgorithmPrefixSHA512       = "6"
	AlgorithmPrefixScrypt       = "scrypt"
	AlgorithmPrefixPBKDF2       = "pbkdf2"
	AlgorithmPrefixPBKDF2SHA1   = "pbkdf2-sha1"
	AlgorithmPrefixPBKDF2SHA256 = "pbkdf2-sha256"
	AlgorithmPrefixPBKDF2SHA224 = "pbkdf2-sha224"
	AlgorithmPrefixPBKDF2SHA384 = "pbkdf2-sha384"
	AlgorithmPrefixPBKDF2SHA512 = "pbkdf2-sha512"
)

Algorithm Prefixes.

View Source 
const (
	StorageFormatPrefixLDAPCrypt  = "{CRYPT}"
	StorageFormatPrefixLDAPArgon2 = "{ARGON2}"

	StorageDelimiter          = "$"
	StorageFormatSHACrypt     = "$%s$rounds=%d$%s$%s"
	StorageFormatArgon2       = "$%s$v=%d$m=%d,t=%d,p=%d$%s$%s"
	StorageFormatScrypt       = "$%s$ln=%d,r=%d,p=%d$%s$%s"
	StorageFormatBcrypt       = "$%s$%d$%s%s"
	StorageFormatBcryptSHA256 = "$%s$v=2,t=%s,r=%d$%s$%s"
	StorageFormatPBKDF2       = "$%s$%d$%s$%s"
	StorageFormatSimple       = "$%s$%s"
)

Storage Formats.

Variables

View Source 
var (
	// ErrEncodedHashInvalidFormat is an error returned when an encoded hash has an invalid format.
	ErrEncodedHashInvalidFormat = errors.New("provided encoded hash has an invalid format")

	// ErrEncodedHashInvalidIdentifier is an error returned when an encoded hash has an invalid identifier for the
	// given digest.
	ErrEncodedHashInvalidIdentifier = errors.New("provided encoded hash has an invalid identifier")

	// ErrEncodedHashInvalidVersion is an error returned when an encoded hash has an unsupported or otherwise invalid
	// version.
	ErrEncodedHashInvalidVersion = errors.New("provided encoded hash has an invalid version")

	// ErrEncodedHashInvalidOption is an error returned when an encoded hash has an unsupported or otherwise invalid
	// option in the option field.
	ErrEncodedHashInvalidOption = errors.New("provided encoded hash has an invalid option")

	// ErrEncodedHashInvalidOptionKey is an error returned when an encoded hash has an unknown or otherwise invalid
	// option key in the option field.
	ErrEncodedHashInvalidOptionKey = errors.New("provided encoded hash has an invalid option key")

	// ErrEncodedHashInvalidOptionValue is an error returned when an encoded hash has an unknown or otherwise invalid
	// option value in the option field.
	ErrEncodedHashInvalidOptionValue = errors.New("provided encoded hash has an invalid option value")

	// ErrEncodedHashKeyEncoding is an error returned when an encoded hash has a salt with an invalid or unsupported
	// encoding.
	ErrEncodedHashKeyEncoding = errors.New("provided encoded hash has a key value that can't be decoded")

	// ErrEncodedHashSaltEncoding is an error returned when an encoded hash has a salt with an invalid or unsupported
	// encoding.
	ErrEncodedHashSaltEncoding = errors.New("provided encoded hash has a salt value that can't be decoded")

	// ErrKeyDerivation is returned when a Key function returns an error.
	ErrKeyDerivation = errors.New("failed to derive the key with the provided parameters")

	// ErrSaltEncoding is an error returned when a salt has an invalid or unsupported encoding.
	ErrSaltEncoding = errors.New("provided salt has a value that can't be decoded")

	// ErrPasswordInvalid is an error returned when a password has an invalid or unsupported properties. It is NOT
	// returned on password mismatches.
	ErrPasswordInvalid = errors.New("password is invalid")

	// ErrSaltInvalid is an error returned when a salt has an invalid or unsupported properties.
	ErrSaltInvalid = errors.New("salt is invalid")

	// ErrSaltReadRandomBytes is an error returned when generating the random bytes for salt resulted in an error.
	ErrSaltReadRandomBytes = errors.New("could not read random bytes for salt")

	// ErrParameterInvalid is an error returned when a parameter has an invalid value.
	ErrParameterInvalid = errors.New("parameter is invalid")
)

Functions

func CheckPassword 

func CheckPassword(password, encodedDigest string) (valid bool, err error)

CheckPassword takes the string password and an encoded digest. It decodes the Digest, then performs the MatchAdvanced() function on the Digest. If any process returns an error it returns false with the error, otherwise it returns the result of MatchAdvanced(). This is just a helper function and implementers can manually invoke this process themselves in situations where they may want to store the Digest to perform matches at a later date to avoid decoding multiple times for example.

func CheckPasswordWithPlainText 

func CheckPasswordWithPlainText(password, encodedDigest string) (valid bool, err error)

CheckPasswordWithPlainText is the same as CheckPassword however it uses DecodeWithPlainText instead.

func NormalizeEncodedDigest 

func NormalizeEncodedDigest(encodedDigest string) (out string)

NormalizeEncodedDigest helps normalize encoded digest strings from sources which don't use the same format as this library.

Types

type Argon2Digest 

type Argon2Digest struct {
	// contains filtered or unexported fields
}

Argon2Digest is a digest which handles Argon2 hashes like Argon2id, Argon2i, and Argon2d.

func (*Argon2Digest) Decode 

func (d *Argon2Digest) Decode(encodedDigest string) (err error)

Decode takes an encodedDigest string and parses it into this Digest.

func (*Argon2Digest) Encode 

func (d *Argon2Digest) Encode() (encodedHash string)

Encode returns the encoded form of this Digest.

func (*Argon2Digest) Match 

func (d *Argon2Digest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (*Argon2Digest) MatchAdvanced 

func (d *Argon2Digest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (*Argon2Digest) MatchBytes 

func (d *Argon2Digest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (*Argon2Digest) MatchBytesAdvanced 

func (d *Argon2Digest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (*Argon2Digest) String 

func (d *Argon2Digest) String() string

String returns the storable format of the Digest encoded hash.

type Argon2Hash 

type Argon2Hash struct {
	// contains filtered or unexported fields
}

Argon2Hash is a Hash for Argon2 which provides a builder design pattern.

func NewArgon2DHash 

func NewArgon2DHash() *Argon2Hash

NewArgon2DHash returns a *Argon2Hash with just the D variant configured. This defaults to the low memory RFC9106 low memory profile.

func NewArgon2Hash 

func NewArgon2Hash() *Argon2Hash

NewArgon2Hash returns a *Argon2Hash without any settings configured. This defaults to the id variant with the low memory RFC9106 low memory profile.

func NewArgon2IDHash 

func NewArgon2IDHash() *Argon2Hash

NewArgon2IDHash returns a *Argon2Hash with just the ID variant configured. This defaults to the low memory RFC9106 low memory profile.

func NewArgon2IHash 

func NewArgon2IHash() *Argon2Hash

NewArgon2IHash returns a *Argon2Hash with just the I variant configured. This defaults to the low memory RFC9106 low memory profile.

func (*Argon2Hash) CopyParamsTo 

func (h *Argon2Hash) CopyParamsTo(hash *Argon2Hash)

CopyParamsTo copies all parameters from this Argon2Hash to another *Argon2Hash.

func (*Argon2Hash) CopyUnsetParamsTo 

func (h *Argon2Hash) CopyUnsetParamsTo(hash *Argon2Hash)

CopyUnsetParamsTo copies all parameters from this Argon2Hash to another *Argon2Hash where the parameters are unset.

func (*Argon2Hash) Hash 

func (h *Argon2Hash) Hash(password string) (hashed Digest, err error)

Hash performs the hashing operation and returns either a Digest or an error.

func (*Argon2Hash) HashWithSalt 

func (h *Argon2Hash) HashWithSalt(password string, salt []byte) (hashed Digest, err error)

HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the salt size and let this be a random value generated using crypto/rand.

func (*Argon2Hash) MustHash 

func (h *Argon2Hash) MustHash(password string) (hashed Digest)

MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to utilize the Validate method first or handle the panic appropriately.

func (*Argon2Hash) Validate 

func (h *Argon2Hash) Validate() (err error)

Validate checks the settings/parameters for this Hash and returns an error.

func (*Argon2Hash) WithK 

func (h *Argon2Hash) WithK(length int) *Argon2Hash

WithK adjusts the key length of the resulting Argon2Digest hash. Default is 32.

func (*Argon2Hash) WithM 

func (h *Argon2Hash) WithM(bytes int) *Argon2Hash

WithM sets the m parameter in bytes of the resulting Argon2Digest hash. Default is 32768.

func (*Argon2Hash) WithP 

func (h *Argon2Hash) WithP(parallelism int) *Argon2Hash

WithP sets the p parameter of the resulting Argon2Digest hash. Default is 4.

func (*Argon2Hash) WithProfile 

func (h *Argon2Hash) WithProfile(profile Argon2Profile) *Argon2Hash

WithProfile sets a specific Argon2Profile.

func (*Argon2Hash) WithS 

func (h *Argon2Hash) WithS(length int) *Argon2Hash

WithS adjusts the salt length of the resulting Argon2Digest hash. Default is 16.

func (*Argon2Hash) WithT 

func (h *Argon2Hash) WithT(time int) *Argon2Hash

WithT sets the t parameter of the resulting Argon2Digest hash. Default is 4.

func (*Argon2Hash) WithVariant 

func (h *Argon2Hash) WithVariant(variant Argon2Variant) *Argon2Hash

WithVariant adjusts the variant of the Argon2Digest algorithm. Valid values are I, D, ID. Default is argon2id.

type Argon2Profile 

type Argon2Profile int

Argon2Profile represents a hashing profile for Argon2Hash. 

const (
	// Argon2ProfileRFC9106LowMemory is the RFC9106 low memory profile.
	Argon2ProfileRFC9106LowMemory Argon2Profile = iota

	// Argon2ProfileRFC9106Recommended is the RFC9106 recommended profile.
	Argon2ProfileRFC9106Recommended
)

func (Argon2Profile) Params 

func (p Argon2Profile) Params() *Argon2Hash

Params returns the Argon2Profile parameters as a Argon2Hash.

type Argon2Variant 

type Argon2Variant int

Argon2Variant is a variant of the Argon2Digest. 

const (
	// Argon2VariantNone is a variant of the Argon2Digest which is unknown.
	Argon2VariantNone Argon2Variant = iota

	// Argon2VariantD is the argon2d variant of the Argon2Digest.
	Argon2VariantD

	// Argon2VariantI is the argon2i variant of the Argon2Digest.
	Argon2VariantI

	// Argon2VariantID is the argon2id variant of the Argon2Digest.
	Argon2VariantID
)

func NewArgon2Variant 

func NewArgon2Variant(identifier string) (variant Argon2Variant)

NewArgon2Variant converts an identifier string to a Argon2Variant.

func (Argon2Variant) KeyFunc 

func (v Argon2Variant) KeyFunc() argon2.KeyFunc

KeyFunc returns the KeyFunc of this Argon2Variant.

func (Argon2Variant) Prefix 

func (v Argon2Variant) Prefix() (prefix string)

Prefix returns the Argon2Variant prefix identifier.

type BcryptDigest 

type BcryptDigest struct {
	// contains filtered or unexported fields
}

BcryptDigest is a digest which handles bcrypt hashes.

func (*BcryptDigest) Decode 

func (d *BcryptDigest) Decode(encodedDigest string) (err error)

Decode takes an encodedDigest string and parses it into this Digest.

func (*BcryptDigest) Encode 

func (d *BcryptDigest) Encode() string

Encode returns the encoded form of this digest.

func (BcryptDigest) Match 

func (d BcryptDigest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (BcryptDigest) MatchAdvanced 

func (d BcryptDigest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (BcryptDigest) MatchBytes 

func (d BcryptDigest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (BcryptDigest) MatchBytesAdvanced 

func (d BcryptDigest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (BcryptDigest) String 

func (d BcryptDigest) String() string

String returns the storable format of the Digest encoded hash.

type BcryptHash 

type BcryptHash struct {
	// contains filtered or unexported fields
}

BcryptHash is a Hash for bcrypt which provides a builder design pattern.

func NewBcryptHash 

func NewBcryptHash() *BcryptHash

NewBcryptHash returns a *BcryptHash without any settings configured.

func NewBcryptSHA256Hash 

func NewBcryptSHA256Hash() *BcryptHash

NewBcryptSHA256Hash returns a SHA256 variant *BcryptHash without any settings configured.

func (*BcryptHash) Hash 

func (h *BcryptHash) Hash(password string) (digest Digest, err error)

Hash performs the hashing operation and returns either a Digest or an error.

func (*BcryptHash) HashWithSalt 

func (h *BcryptHash) HashWithSalt(password string, salt []byte) (digest Digest, err error)

HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the salt size and let this be a random value generated using crypto/rand.

func (*BcryptHash) MustHash 

func (h *BcryptHash) MustHash(password string) (digest Digest)

MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to utilize the Validate method first or handle the panic appropriately.

func (*BcryptHash) Validate 

func (h *BcryptHash) Validate() (err error)

Validate checks the settings/parameters for this Hash and returns an error.

func (*BcryptHash) WithCost 

func (h *BcryptHash) WithCost(cost int) *BcryptHash

WithCost sets the cost parameter of the resulting Bcrypt hash. Default is 12.

func (*BcryptHash) WithVariant 

func (h *BcryptHash) WithVariant(variant BcryptVariant) *BcryptHash

WithVariant adjusts the variant of the BcryptDigest algorithm.

func (*BcryptHash) WithoutValidation 

func (h *BcryptHash) WithoutValidation() *BcryptHash

WithoutValidation disables the validation and allows potentially unsafe values. Use at your own risk.

type BcryptVariant 

type BcryptVariant int

BcryptVariant is a variant of the Argon2Digest. 

const (
	// BcryptVariantNone is a variant of the BcryptDigest which is unknown.
	BcryptVariantNone BcryptVariant = iota

	// BcryptVariantStandard is the standard variant of BcryptDigest.
	BcryptVariantStandard

	// BcryptVariantSHA256 is the variant of BcryptDigest which hashes the password with SHA-256.
	BcryptVariantSHA256
)

func NewBcryptVariant 

func NewBcryptVariant(identifier string) (variant BcryptVariant)

NewBcryptVariant converts an identifier string to a Argon2Variant.

func (BcryptVariant) Encode 

func (v BcryptVariant) Encode(cost int, version string, salt, key []byte) (f string)

Encode formats the variant encoded Digest.

func (BcryptVariant) EncodeInput 

func (v BcryptVariant) EncodeInput(src, salt []byte) (dst []byte)

EncodeInput returns the appropriate algorithm input.

func (BcryptVariant) PasswordMaxLength 

func (v BcryptVariant) PasswordMaxLength() int

PasswordMaxLength returns -1 if the variant has no max length, otherwise returns the maximum password length.

func (BcryptVariant) Prefix 

func (v BcryptVariant) Prefix() (prefix string)

Prefix returns the Argon2Variant prefix identifier.

type Digest 

type Digest interface {
	fmt.Stringer

	Matcher

	Encode() (hash string)
	Decode(encodedDigest string) (err error)
}

Digest represents a hashed password. It's implemented by all hashed password results so that when we pass a stored hash into its relevant type we can verify the password against the hash.

func Decode 

func Decode(encodedDigest string) (digest Digest, err error)

Decode an encoded digest string into a Digest.

func DecodeWithPlainText 

func DecodeWithPlainText(encodedDigest string) (digest Digest, err error)

DecodeWithPlainText is an extended version of Decode but also explicitly allows decoding plain text storage formats.

func NewDigest 

func NewDigest(encodedDigest string, digest Digest) (d Digest, err error)

NewDigest creates a new Digest given a Digest implementation and an encoded digest string.

type Hash 

type Hash interface {
	// Validate checks the hasher configuration to ensure it's valid. This should be used when the Hash is going to be
	// reused and you should use it in conjunction with MustHash.
	Validate() (err error)

	// Hash performs the hashing operation on a password and resets any relevant parameters such as a manually set salt.
	// It then returns a Digest and error.
	Hash(password string) (hashed Digest, err error)

	// HashWithSalt is an overload of Digest that also accepts a salt.
	HashWithSalt(password string, salt []byte) (hashed Digest, err error)

	// MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this method to
	// utilize the Validate method first or handle the panic appropriately.
	MustHash(password string) (hashed Digest)
}

Hash is an interface which implements password hashing.

type HashFunc 

type HashFunc func() hash.Hash

HashFunc is a function which returns a hash.Hash.

type Matcher 

type Matcher interface {
	Match(password string) (match bool)
	MatchBytes(passwordBytes []byte) (match bool)
	MatchAdvanced(password string) (match bool, err error)
	MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)
}

Matcher is an interface used to match passwords.

type PBKDF2Digest 

type PBKDF2Digest struct {
	// contains filtered or unexported fields
}

PBKDF2Digest is a Digest which handles PBKDF2 hashes.

func (*PBKDF2Digest) Decode 

func (d *PBKDF2Digest) Decode(encodedDigest string) (err error)

Decode takes an encodedDigest string and parses it into this Digest.

func (*PBKDF2Digest) Encode 

func (d *PBKDF2Digest) Encode() string

Encode returns the encoded form of this digest.

func (*PBKDF2Digest) Match 

func (d *PBKDF2Digest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (*PBKDF2Digest) MatchAdvanced 

func (d *PBKDF2Digest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (*PBKDF2Digest) MatchBytes 

func (d *PBKDF2Digest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (*PBKDF2Digest) MatchBytesAdvanced 

func (d *PBKDF2Digest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (*PBKDF2Digest) String 

func (d *PBKDF2Digest) String() string

String returns the storable format of the Digest encoded hash.

type PBKDF2Hash 

type PBKDF2Hash struct {
	// contains filtered or unexported fields
}

PBKDF2Hash is a Hash for PBKDF2 which provides a builder design pattern.

func NewPBKDF2Hash 

func NewPBKDF2Hash() *PBKDF2Hash

NewPBKDF2Hash returns a *PBKDF2Hash without any settings configured.

func NewPBKDF2SHA1Hash 

func NewPBKDF2SHA1Hash() *PBKDF2Hash

NewPBKDF2SHA1Hash returns a SHA1 variant *PBKDF2Hash without any settings configured.

func NewPBKDF2SHA224Hash 

func NewPBKDF2SHA224Hash() *PBKDF2Hash

NewPBKDF2SHA224Hash returns a SHA224 variant *PBKDF2Hash without any settings configured.

func NewPBKDF2SHA256Hash 

func NewPBKDF2SHA256Hash() *PBKDF2Hash

NewPBKDF2SHA256Hash returns a SHA256 variant *PBKDF2Hash without any settings configured.

func NewPBKDF2SHA384Hash 

func NewPBKDF2SHA384Hash() *PBKDF2Hash

NewPBKDF2SHA384Hash returns a SHA384 variant *PBKDF2Hash without any settings configured.

func NewPBKDF2SHA512Hash 

func NewPBKDF2SHA512Hash() *PBKDF2Hash

NewPBKDF2SHA512Hash returns a SHA512 variant *PBKDF2Hash without any settings configured.

func (*PBKDF2Hash) Hash 

func (h *PBKDF2Hash) Hash(password string) (digest Digest, err error)

Hash performs the hashing operation and returns either a Digest or an error.

func (*PBKDF2Hash) HashWithSalt 

func (h *PBKDF2Hash) HashWithSalt(password string, salt []byte) (digest Digest, err error)

HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the salt size and let this be a random value generated using crypto/rand.

func (*PBKDF2Hash) MustHash 

func (h *PBKDF2Hash) MustHash(password string) (digest Digest)

MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to utilize the Validate method first or handle the panic appropriately.

func (*PBKDF2Hash) Validate 

func (h *PBKDF2Hash) Validate() (err error)

Validate checks the settings/parameters for this Hash and returns an error.

func (*PBKDF2Hash) WithIterations 

func (h *PBKDF2Hash) WithIterations(iterations int) *PBKDF2Hash

WithIterations sets the iterations parameter of the resulting PBKDF2Digest. Default is 29000.

func (*PBKDF2Hash) WithKeyLength 

func (h *PBKDF2Hash) WithKeyLength(bytes int) *PBKDF2Hash

WithKeyLength adjusts the key size (in bytes) of the resulting PBKDF2Digest. Default is 32.

func (*PBKDF2Hash) WithSaltLength 

func (h *PBKDF2Hash) WithSaltLength(bytes int) *PBKDF2Hash

WithSaltLength adjusts the salt size (in bytes) of the resulting PBKDF2Digest. Default is 16.

func (*PBKDF2Hash) WithVariant 

func (h *PBKDF2Hash) WithVariant(variant PBKDF2Variant) *PBKDF2Hash

WithVariant configures the PBKDF2Variant.

func (*PBKDF2Hash) WithoutValidation 

func (h *PBKDF2Hash) WithoutValidation() *PBKDF2Hash

WithoutValidation disables the validation and allows potentially unsafe values. Use at your own risk.

type PBKDF2Variant 

type PBKDF2Variant int

PBKDF2Variant is a variant of the PBKDF2Digest. 

const (
	// PBKDF2VariantNone is a variant of the PBKDF2Digest which is unknown.
	PBKDF2VariantNone PBKDF2Variant = iota

	// PBKDF2VariantSHA1 is a variant of the PBKDF2Digest which uses HMAC-SHA-1.
	PBKDF2VariantSHA1

	// PBKDF2VariantSHA224 is a variant of the PBKDF2Digest which uses HMAC-SHA-224.
	PBKDF2VariantSHA224

	// PBKDF2VariantSHA256 is a variant of the PBKDF2Digest which uses HMAC-SHA-256.
	PBKDF2VariantSHA256

	// PBKDF2VariantSHA384 is a variant of the PBKDF2Digest which uses HMAC-SHA-384.
	PBKDF2VariantSHA384

	// PBKDF2VariantSHA512 is a variant of the PBKDF2Digest which uses HMAC-SHA-512.
	PBKDF2VariantSHA512
)

func NewPBKDF2Variant 

func NewPBKDF2Variant(identifier string) (variant PBKDF2Variant)

NewPBKDF2Variant converts an identifier string to a PBKDF2Variant.

func (PBKDF2Variant) HashFunc 

func (v PBKDF2Variant) HashFunc() HashFunc

HashFunc returns the internal HMAC HashFunc.

func (PBKDF2Variant) Prefix 

func (v PBKDF2Variant) Prefix() (prefix string)

Prefix returns the PlainTextVariant prefix identifier.

type PlainTextDigest 

type PlainTextDigest struct {
	// contains filtered or unexported fields
}

PlainTextDigest is a Digest which handles plain text matching.

func NewBase64Digest 

func NewBase64Digest(password string) (digest PlainTextDigest)

NewBase64Digest creates a new PlainTextDigest using the Base64 PlainTextVariant.

func NewPlainTextDigest 

func NewPlainTextDigest(password string) (digest PlainTextDigest)

NewPlainTextDigest creates a new PlainTextDigest using the PlainText PlainTextVariant.

func (*PlainTextDigest) Decode 

func (d *PlainTextDigest) Decode(encodedDigest string) (err error)

Decode takes an encodedDigest string and parses it into this Digest.

func (*PlainTextDigest) Encode 

func (d *PlainTextDigest) Encode() string

Encode returns the encoded form of this digest.

func (*PlainTextDigest) Match 

func (d *PlainTextDigest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (*PlainTextDigest) MatchAdvanced 

func (d *PlainTextDigest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (*PlainTextDigest) MatchBytes 

func (d *PlainTextDigest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (*PlainTextDigest) MatchBytesAdvanced 

func (d *PlainTextDigest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (*PlainTextDigest) String 

func (d *PlainTextDigest) String() string

String returns the storable format of the Digest encoded hash.

type PlainTextVariant 

type PlainTextVariant int

PlainTextVariant is a variant of the PlainTextDigest. 

const (
	// PlainTextVariantNone is a variant of the PlainTextDigest which is unknown.
	PlainTextVariantNone PlainTextVariant = iota

	// PlainTextVariantPlainText is a variant of the PlainTextDigest which stores the key as plain text.
	PlainTextVariantPlainText

	// PlainTextVariantBase64 is a variant of the PlainTextDigest which stores the key as a base64 string.
	PlainTextVariantBase64
)

func NewPlainTextVariant 

func NewPlainTextVariant(identifier string) (variant PlainTextVariant)

NewPlainTextVariant converts an identifier string to a PlainTextVariant.

func (PlainTextVariant) Decode 

func (v PlainTextVariant) Decode(src string) (dst []byte, err error)

Decode performs the decode operation for this PlainTextVariant.

func (PlainTextVariant) Encode 

func (v PlainTextVariant) Encode(src []byte) (dst string)

Encode performs the encode operation for this PlainTextVariant.

func (PlainTextVariant) Prefix 

func (v PlainTextVariant) Prefix() (prefix string)

Prefix returns the PlainTextVariant prefix identifier.

type SHA2CryptDigest 

type SHA2CryptDigest struct {
	// contains filtered or unexported fields
}

SHA2CryptDigest is a digest which handles SHA2 Crypt hashes like SHA256 or SHA512.

func (*SHA2CryptDigest) Decode 

func (d *SHA2CryptDigest) Decode(encodedDigest string) (err error)

Decode a password hash into this SHA2CryptDigest. Returns an error if the supplied encoded hash string cannot be decoded as a SHA2CryptDigest.

func (*SHA2CryptDigest) Encode 

func (d *SHA2CryptDigest) Encode() (hash string)

Encode this SHA2CryptDigest as a string for storage.

func (SHA2CryptDigest) Match 

func (d SHA2CryptDigest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (SHA2CryptDigest) MatchAdvanced 

func (d SHA2CryptDigest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (SHA2CryptDigest) MatchBytes 

func (d SHA2CryptDigest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (SHA2CryptDigest) MatchBytesAdvanced 

func (d SHA2CryptDigest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (SHA2CryptDigest) String 

func (d SHA2CryptDigest) String() string

String returns the storable format of the SHA2CryptDigest hash utilizing fmt.Sprintf and StorageFormatSHACrypt.

type SHA2CryptHash 

type SHA2CryptHash struct {
	// contains filtered or unexported fields
}

SHA2CryptHash is a Hash for SHA2Crypt which provides a builder design pattern.

func NewSHA2CryptHash 

func NewSHA2CryptHash() *SHA2CryptHash

NewSHA2CryptHash returns a *SHA2CryptHash without any settings configured. This defaults to a SHA512 hash.Hash with 1000000 rounds. These settings can be overridden with the methods with the With prefix.

func NewSHA2CryptSHA256Hash 

func NewSHA2CryptSHA256Hash() *SHA2CryptHash

NewSHA2CryptSHA256Hash returns a *SHA2CryptHash with the SHA256 hash.Hash which defaults to 1000000 rounds. These settings can be overridden with the methods with the With prefix.

func NewSHA2CryptSHA512Hash 

func NewSHA2CryptSHA512Hash() *SHA2CryptHash

NewSHA2CryptSHA512Hash returns a *SHA2CryptHash with the SHA512 hash.Hash which defaults to 1000000 rounds. These settings can be overridden with the methods with the With prefix.

func (*SHA2CryptHash) Hash 

func (h *SHA2CryptHash) Hash(password string) (digest Digest, err error)

Hash performs the hashing operation and returns either a Digest or an error.

func (*SHA2CryptHash) HashWithSalt 

func (h *SHA2CryptHash) HashWithSalt(password string, salt []byte) (digest Digest, err error)

HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the salt size and let this be a random value generated using crypto/rand.

func (*SHA2CryptHash) MustHash 

func (h *SHA2CryptHash) MustHash(password string) (digest Digest)

MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to utilize the Validate method first or handle the panic appropriately.

func (*SHA2CryptHash) Validate 

func (h *SHA2CryptHash) Validate() (err error)

Validate checks the settings/parameters for this Hash and returns an error.

func (*SHA2CryptHash) WithRounds 

func (h *SHA2CryptHash) WithRounds(rounds int) *SHA2CryptHash

WithRounds sets the rounds parameter of the resulting SHA2CryptDigest. Default is 1000000.

func (*SHA2CryptHash) WithSHA256 

func (h *SHA2CryptHash) WithSHA256() *SHA2CryptHash

WithSHA256 adjusts this SHA2CryptHash to utilize the SHA256 hash.Hash.

func (*SHA2CryptHash) WithSHA512 

func (h *SHA2CryptHash) WithSHA512() *SHA2CryptHash

WithSHA512 adjusts this SHA2CryptHash to utilize the SHA512 hash.Hash.

func (*SHA2CryptHash) WithSaltLength 

func (h *SHA2CryptHash) WithSaltLength(bytes int) *SHA2CryptHash

WithSaltLength adjusts the salt size (in bytes) of the resulting SHA2CryptDigest. Minimum 1, Maximum 16. Default is 16.

func (*SHA2CryptHash) WithVariant 

func (h *SHA2CryptHash) WithVariant(variant SHA2CryptVariant) *SHA2CryptHash

WithVariant adjusts this SHA2CryptHash to utilize the provided variant.

func (*SHA2CryptHash) WithoutValidation 

func (h *SHA2CryptHash) WithoutValidation() *SHA2CryptHash

WithoutValidation disables the validation and allows potentially unsafe values. Use at your own risk.

type SHA2CryptVariant 

type SHA2CryptVariant int

SHA2CryptVariant is a variant of the SHA2CryptDigest. 

const (
	// SHA2CryptVariantNone is a variant of the SHA2CryptDigest which is unknown.
	SHA2CryptVariantNone SHA2CryptVariant = iota

	// SHA2CryptVariantSHA256 is a variant of the SHA2CryptDigest which uses SHA-256.
	SHA2CryptVariantSHA256

	// SHA2CryptVariantSHA512 is a variant of the SHA2CryptDigest which uses SHA-512.
	SHA2CryptVariantSHA512
)

func NewSHA2CryptVariant 

func NewSHA2CryptVariant(identifier string) SHA2CryptVariant

NewSHA2CryptVariant converts an identifier string to a SHA2CryptVariant.

func (SHA2CryptVariant) HashFunc 

func (v SHA2CryptVariant) HashFunc() HashFunc

HashFunc returns the internal HMAC HashFunc.

func (SHA2CryptVariant) Name 

func (v SHA2CryptVariant) Name() (s string)

Name returns the SHA2CryptVariant name.

func (SHA2CryptVariant) Prefix 

func (v SHA2CryptVariant) Prefix() (prefix string)

Prefix returns the SHA2CryptVariant prefix identifier.

type ScryptDigest 

type ScryptDigest struct {
	// contains filtered or unexported fields
}

ScryptDigest is a Digest which handles scrypt hashes.

func (*ScryptDigest) Decode 

func (d *ScryptDigest) Decode(encodedDigest string) (err error)

Decode takes an encodedDigest string and parses it into this Digest.

func (*ScryptDigest) Encode 

func (d *ScryptDigest) Encode() string

Encode returns the encoded form of this Digest.

func (*ScryptDigest) Match 

func (d *ScryptDigest) Match(password string) (match bool)

Match returns true if the string password matches the current Digest.

func (*ScryptDigest) MatchAdvanced 

func (d *ScryptDigest) MatchAdvanced(password string) (match bool, err error)

MatchAdvanced is the same as Match except if there is an error it returns that as well.

func (*ScryptDigest) MatchBytes 

func (d *ScryptDigest) MatchBytes(passwordBytes []byte) (match bool)

MatchBytes returns true if the []byte passwordBytes matches the current Digest.

func (*ScryptDigest) MatchBytesAdvanced 

func (d *ScryptDigest) MatchBytesAdvanced(passwordBytes []byte) (match bool, err error)

MatchBytesAdvanced is the same as MatchBytes except if there is an error it returns that as well.

func (*ScryptDigest) String 

func (d *ScryptDigest) String() string

String returns the storable format of the Digest encoded hash.

type ScryptHash 

type ScryptHash struct {
	// contains filtered or unexported fields
}

ScryptHash is a Hash for scrypt which provides a builder design pattern.

func NewScryptHash 

func NewScryptHash() *ScryptHash

NewScryptHash returns a *ScryptHash without any settings configured.

func (*ScryptHash) Hash 

func (h *ScryptHash) Hash(password string) (digest Digest, err error)

Hash performs the hashing operation and returns either a Digest or an error.

func (*ScryptHash) HashWithSalt 

func (h *ScryptHash) HashWithSalt(password string, salt []byte) (digest Digest, err error)

HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the salt size and let this be a random value generated using crypto/rand.

func (*ScryptHash) MustHash 

func (h *ScryptHash) MustHash(password string) (digest Digest)

MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to utilize the Validate method first or handle the panic appropriately.

func (*ScryptHash) Validate 

func (h *ScryptHash) Validate() (err error)

Validate checks the settings/parameters for this Hash and returns an error.

func (*ScryptHash) WithKeySize 

func (h *ScryptHash) WithKeySize(size int) *ScryptHash

WithKeySize adjusts the key size of the resulting Scrypt hash. Default is 32.

func (*ScryptHash) WithLN 

func (h *ScryptHash) WithLN(rounds int) *ScryptHash

WithLN sets the ln parameter (logN) of the resulting Scrypt hash. Default is 16.

func (*ScryptHash) WithP 

func (h *ScryptHash) WithP(parallelism int) *ScryptHash

WithP sets the p parameter (parallelism) of the resulting Scrypt hash. Default is 1.

func (*ScryptHash) WithR 

func (h *ScryptHash) WithR(blockSize int) *ScryptHash

WithR sets the r parameter (block size) of the resulting Scrypt hash. Default is 8.

func (*ScryptHash) WithSaltSize 

func (h *ScryptHash) WithSaltSize(size int) *ScryptHash

WithSaltSize adjusts the salt size of the resulting Scrypt hash. Default is 16.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.