File: hasher.go

package info (click to toggle)
golang-github-go-crypt-crypt 0.4.7-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 516 kB
  • sloc: makefile: 4
file content (197 lines) | stat: -rw-r--r-- 4,718 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
 
package argon2

import (
	"fmt"

	"github.com/go-crypt/crypt/algorithm"
	"github.com/go-crypt/crypt/internal/random"
)

// New returns a new argon2.Hasher with the provided functional options applied.
func New(opts ...Opt) (hasher *Hasher, err error) {
	hasher = &Hasher{}

	if err = hasher.WithOptions(opts...); err != nil {
		return nil, err
	}

	if err = hasher.Validate(); err != nil {
		return nil, err
	}

	return hasher, nil
}

// Hasher is a crypt.Hash for Argon2 which can be initialized via argon2.New using a functional options pattern.
type Hasher struct {
	variant Variant

	s, k, t, p int

	m uint32

	d bool
}

// WithOptions applies the provided functional options provided as an argon2.Opt to the argon2.Hasher.
func (h *Hasher) WithOptions(opts ...Opt) (err error) {
	for _, opt := range opts {
		if err = opt(h); err != nil {
			return err
		}
	}

	return nil
}

// Copy copies all parameters from this argon2.Hasher to another *argon2.Hasher.
func (h *Hasher) Copy(hasher *Hasher) {
	hasher.variant, hasher.t, hasher.p, hasher.m, hasher.k, hasher.s = h.variant, h.t, h.p, h.m, h.k, h.s
}

// Clone returns a clone from this argon2.Hasher to another *argon2.Hasher.
func (h *Hasher) Clone() *Hasher {
	return &Hasher{
		variant: h.variant,
		t:       h.t,
		p:       h.p,
		m:       h.m,
		k:       h.k,
		s:       h.s,
	}
}

// Merge copies all parameters from this argon2.Hasher to another *argon2.Hasher where the parameters are unset.
func (h *Hasher) Merge(hash *Hasher) {
	if hash.variant == VariantNone {
		hash.variant = h.variant
	}

	if hash.t == 0 {
		hash.t = h.t
	}

	if hash.p == 0 {
		hash.p = h.p
	}

	if hash.m == 0 {
		hash.m = h.m
	}

	if hash.k == 0 {
		hash.k = h.k
	}

	if hash.s == 0 {
		hash.s = h.s
	}
}

// Hash performs the hashing operation and returns either a argon2.Digest or an error.
func (h *Hasher) Hash(password string) (digest algorithm.Digest, err error) {
	h.defaults()

	if digest, err = h.hash(password); err != nil {
		return nil, fmt.Errorf(algorithm.ErrFmtHasherHash, AlgName, err)
	}

	return digest, nil
}

func (h *Hasher) hash(password string) (hashed algorithm.Digest, err error) {
	var salt []byte

	if salt, err = random.Bytes(h.s); err != nil {
		return nil, fmt.Errorf("%w: %v", algorithm.ErrSaltReadRandomBytes, err)
	}

	return h.hashWithSalt(password, salt)
}

// HashWithSalt overloads the Hash method allowing the user to provide a salt. It's recommended instead to configure the
// salt size and let this be a random value generated using crypto/rand.
func (h *Hasher) HashWithSalt(password string, salt []byte) (digest algorithm.Digest, err error) {
	h.defaults()

	if digest, err = h.hashWithSalt(password, salt); err != nil {
		return nil, fmt.Errorf(algorithm.ErrFmtHasherHash, AlgName, err)
	}

	return digest, nil
}

func (h *Hasher) hashWithSalt(passwordRaw string, salt []byte) (digest algorithm.Digest, err error) {
	if s := len(salt); s > SaltLengthMax || s < SaltLengthMin {
		return nil, fmt.Errorf("%w: salt bytes must have a length of between %d and %d but has a length of %d", algorithm.ErrSaltInvalid, SaltLengthMin, SaltLengthMax, len(salt))
	}

	password := []byte(passwordRaw)

	if len(password) > PasswordInputSizeMax {
		return nil, fmt.Errorf("%w: passwordRaw has a length of '%d' but must be less than or equal to %d", algorithm.ErrParameterInvalid, len(password), PasswordInputSizeMax)
	}

	d := &Digest{
		variant: h.variant,
		t:       uint32(h.t),
		p:       uint32(h.p),
		m:       h.m,
		salt:    salt,
	}

	d.defaults()

	d.key = d.variant.KeyFunc()(password, d.salt, d.t, d.m, d.p, uint32(h.k))

	return d, nil
}

// MustHash overloads the Hash method and panics if the error is not nil. It's recommended if you use this option to
// utilize the Validate method first or handle the panic appropriately.
func (h *Hasher) MustHash(password string) (hashed algorithm.Digest) {
	var err error

	if hashed, err = h.Hash(password); err != nil {
		panic(err)
	}

	return hashed
}

// Validate checks the settings/parameters for this argon2.Hasher and returns an error.
func (h *Hasher) Validate() (err error) {
	if err = h.validate(); err != nil {
		return fmt.Errorf(algorithm.ErrFmtHasherValidation, AlgName, err)
	}

	return nil
}

func (h *Hasher) validate() (err error) {
	h.defaults()

	mMin := uint32(h.p) * MemoryMinParallelismMultiplier

	if h.m < mMin || h.m > MemoryMax {
		return fmt.Errorf(algorithm.ErrFmtInvalidIntParameter, algorithm.ErrParameterInvalid, "m", mMin, " (p * 8)", MemoryMax, h.m)
	}

	return nil
}

func (h *Hasher) defaults() {
	if h.d {
		return
	}

	h.d = true

	if h.k < KeyLengthMin {
		h.s = KeyLengthDefault
	}

	if h.s < SaltLengthMin {
		h.s = algorithm.SaltLengthDefault
	}
}