2017-03-27 14:15:02 +02:00
|
|
|
// Copyright (c) 2016 Daniel Oaks <daniel@danieloaks.net>
|
2016-09-05 10:45:42 +02:00
|
|
|
// released under the MIT license
|
|
|
|
|
|
2017-10-05 16:03:53 +02:00
|
|
|
package passwd
|
2016-09-05 10:45:42 +02:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
|
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
|
)
|
|
|
|
|
|
2017-10-05 16:03:53 +02:00
|
|
|
const (
|
|
|
|
|
// newSaltLen is how many bytes long newly-generated salts are.
|
|
|
|
|
newSaltLen = 30
|
|
|
|
|
// defaultPasswordCost is the bcrypt cost we use for passwords.
|
|
|
|
|
defaultPasswordCost = 14
|
|
|
|
|
)
|
2016-09-05 10:45:42 +02:00
|
|
|
|
|
|
|
|
// NewSalt returns a salt for crypto uses.
|
|
|
|
|
func NewSalt() ([]byte, error) {
|
|
|
|
|
salt := make([]byte, newSaltLen)
|
|
|
|
|
_, err := rand.Read(salt)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
var emptySalt []byte
|
|
|
|
|
return emptySalt, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return salt, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-05 16:03:53 +02:00
|
|
|
// SaltedManager supports the hashing and comparing of passwords with the given salt.
|
|
|
|
|
type SaltedManager struct {
|
2016-09-05 10:45:42 +02:00
|
|
|
salt []byte
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-05 16:03:53 +02:00
|
|
|
// NewSaltedManager returns a new SaltedManager with the given salt.
|
|
|
|
|
func NewSaltedManager(salt []byte) SaltedManager {
|
2017-10-07 14:19:37 +02:00
|
|
|
return SaltedManager{
|
|
|
|
|
salt: salt,
|
|
|
|
|
}
|
2016-09-05 10:45:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// assemblePassword returns an assembled slice of bytes for the given password details.
|
2017-10-05 16:03:53 +02:00
|
|
|
func (sm *SaltedManager) assemblePassword(specialSalt []byte, password string) []byte {
|
2016-09-05 10:45:42 +02:00
|
|
|
var assembledPasswordBytes []byte
|
2017-10-05 16:03:53 +02:00
|
|
|
assembledPasswordBytes = append(assembledPasswordBytes, sm.salt...)
|
2016-09-05 10:45:42 +02:00
|
|
|
assembledPasswordBytes = append(assembledPasswordBytes, '-')
|
|
|
|
|
assembledPasswordBytes = append(assembledPasswordBytes, specialSalt...)
|
|
|
|
|
assembledPasswordBytes = append(assembledPasswordBytes, '-')
|
|
|
|
|
assembledPasswordBytes = append(assembledPasswordBytes, []byte(password)...)
|
|
|
|
|
return assembledPasswordBytes
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GenerateFromPassword encrypts the given password.
|
2017-10-05 16:03:53 +02:00
|
|
|
func (sm *SaltedManager) GenerateFromPassword(specialSalt []byte, password string) ([]byte, error) {
|
|
|
|
|
assembledPasswordBytes := sm.assemblePassword(specialSalt, password)
|
2016-09-05 10:45:42 +02:00
|
|
|
return bcrypt.GenerateFromPassword(assembledPasswordBytes, defaultPasswordCost)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CompareHashAndPassword compares a hashed password with its possible plaintext equivalent.
|
|
|
|
|
// Returns nil on success, or an error on failure.
|
2017-10-05 16:03:53 +02:00
|
|
|
func (sm *SaltedManager) CompareHashAndPassword(hashedPassword []byte, specialSalt []byte, password string) error {
|
|
|
|
|
assembledPasswordBytes := sm.assemblePassword(specialSalt, password)
|
2016-09-05 10:45:42 +02:00
|
|
|
return bcrypt.CompareHashAndPassword(hashedPassword, assembledPasswordBytes)
|
|
|
|
|
}
|
