added argon2 algorithm

Author: phifty

Gopkg.lock

@@ -0,0 +1,68 @@
+package crypt
+
+import (
+	"bytes"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+)
+
+// Argon2iPrefix defines the settings prefix for argon2i hashes.
+const Argon2iPrefix = "$argon2i$"
+
+func init() {
+	RegisterAlgorithm(Argon2iPrefix, argon2iAlgorithm)
+}
+
+const (
+	argon2iDefaultMemory  = 32 * 1024
+	argon2iDefaultTime    = 4
+	argon2iDefaultThreads = 4
+	argon2iKeySize        = 32
+	argon2iMaxSaltSize    = 0xFFFFFFFF
+)
+
+func argon2iAlgorithm(password, settings string) (string, error) {
+	passwordBytes := []byte(password)
+	_, parameter, salt, _, err := DecodeSettings(settings)
+	if err != nil {
+		return "", err
+	}
+	saltBytes, err := Base64Encoding.DecodeString(salt)
+	if err != nil {
+		return "", fmt.Errorf("base64 decode [%s]: %v", salt, err)
+	}
+	if len(saltBytes) > argon2iMaxSaltSize {
+		saltBytes = saltBytes[:argon2iMaxSaltSize]
+	}
+	memory := parameter.GetInt("m", argon2iDefaultMemory)
+	time := parameter.GetInt("t", argon2iDefaultTime)
+	threads := parameter.GetInt("p", argon2iDefaultThreads)
+
+	hash := argon2.Key(passwordBytes, saltBytes, uint32(time), uint32(memory), uint8(threads), argon2iKeySize)
+
+	p := []string{}
+	if memory != argon2iDefaultMemory {
+		p = append(p, "m="+strconv.Itoa(memory))
+	}
+	if time != argon2iDefaultTime {
+		p = append(p, "t="+strconv.Itoa(time))
+	}
+	if threads != argon2iDefaultThreads {
+		p = append(p, "p="+strconv.Itoa(threads))
+	}
+
+	buf := bytes.Buffer{}
+	buf.Write([]byte(Argon2iPrefix))
+	buf.WriteString("v=19$")
+	if len(p) > 0 {
+		buf.WriteString(strings.Join(p, ","))
+		buf.WriteString("$")
+	}
+	buf.WriteString(Base64Encoding.EncodeToString(saltBytes))
+	buf.WriteString("$")
+	buf.WriteString(Base64Encoding.EncodeToString(hash))
+	return buf.String(), nil
+}

argon2i.go

@@ -0,0 +1,30 @@
+package crypt_test
+
+import (
+	"testing"
+
+	"github.com/simia-tech/crypt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestArgon2i(t *testing.T) {
+	tcs := []struct {
+		password       string
+		settings       string
+		expectedResult string
+		expectedErr    error
+	}{
+		{"password", "$argon2i$v=19$m=65536,t=2,p=4$c29tZXNhbHQ", "$argon2i$v=19$m=65536,t=2$c29tZXNhbHQ$IMit9qkFULCMA/ViizL57cnTLOa5DiVM9eMwpAvPwr4", nil},
+		{"another password", "$argon2i$v=19$m=65536,t=2,p=4$YW5vdGhlcnNhbHQ", "$argon2i$v=19$m=65536,t=2$YW5vdGhlcnNhbHQ$BCRltpeTFX0QYrELiOXWGZniID9nOUsBPy8Bu0SE7bM", nil},
+		{"password", "$argon2i$v=19$m=65536,t=2,p=4$bG9uZ3NhbHRsb25nc2FsdGxvbmc", "$argon2i$v=19$m=65536,t=2$bG9uZ3NhbHRsb25nc2FsdGxvbmc$rDmQABiNkSO3bGHbBUkShgb7wIlBP8HHfq6nDH+Sqss", nil},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.settings, func(t *testing.T) {
+			result, err := crypt.Crypt(tc.password, tc.settings)
+			require.Equal(t, tc.expectedErr, err)
+			assert.Equal(t, tc.expectedResult, result)
+		})
+	}
+}

argon2i_test.go

@@ -1,10 +1,17 @@
 package crypt
 
+import "encoding/base64"
+
+// Base64Encoding implements the crypt-specific base63 encoding.
+var Base64Encoding = base64.StdEncoding.WithPadding(base64.NoPadding)
+
 const (
-	alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	encode24Bit = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 )
 
-func base64_24Bit(src []byte) []byte {
+// Encode24BitBase64 implements a special version of base64 that is used
+// with md5, sha256 and sha512.
+func Encode24BitBase64(src []byte) []byte {
 	if len(src) == 0 {
 		return []byte{} // TODO: return nil
 	}
@@ -16,10 +23,10 @@ func base64_24Bit(src []byte) []byte {
 	n := len(src) / 3 * 3
 	for si < n {
 		val := uint(src[si+2])<<16 | uint(src[si+1])<<8 | uint(src[si])
-		dst[di+0] = alphabet[val&0x3f]
-		dst[di+1] = alphabet[val>>6&0x3f]
-		dst[di+2] = alphabet[val>>12&0x3f]
-		dst[di+3] = alphabet[val>>18]
+		dst[di+0] = encode24Bit[val&0x3f]
+		dst[di+1] = encode24Bit[val>>6&0x3f]
+		dst[di+2] = encode24Bit[val>>12&0x3f]
+		dst[di+3] = encode24Bit[val>>18]
 		di += 4
 		si += 3
 	}
@@ -34,10 +41,10 @@ func base64_24Bit(src []byte) []byte {
 		val |= uint(src[si+1]) << 8
 	}
 
-	dst[di+0] = alphabet[val&0x3f]
-	dst[di+1] = alphabet[val>>6&0x3f]
+	dst[di+0] = encode24Bit[val&0x3f]
+	dst[di+1] = encode24Bit[val>>6&0x3f]
 	if rem == 2 {
-		dst[di+2] = alphabet[val>>12]
+		dst[di+2] = encode24Bit[val>>12]
 	}
 	return dst
 }

base64.go

@@ -0,0 +1,49 @@
+package crypt_test
+
+import (
+	"testing"
+
+	"github.com/simia-tech/crypt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBase64(t *testing.T) {
+	tcs := []struct {
+		decoded string
+		encoded string
+	}{
+		{"somesalt", "c29tZXNhbHQ"},
+		{"test", "dGVzdA"},
+		{"test123test123", "dGVzdDEyM3Rlc3QxMjM"},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.decoded, func(t *testing.T) {
+			encodeResult := crypt.Base64Encoding.EncodeToString([]byte(tc.decoded))
+			assert.Equal(t, tc.encoded, encodeResult)
+
+			decodeResult, err := crypt.Base64Encoding.DecodeString(string(encodeResult))
+			require.NoError(t, err)
+			assert.Equal(t, tc.decoded, string(decodeResult))
+		})
+	}
+}
+
+func TestEncode24BitBase64(t *testing.T) {
+	tcs := []struct {
+		decoded       string
+		expectEncoded string
+	}{
+		{"somesalt", "nxKPZBLMgF5"},
+		{"test", "oJqQo/"},
+		{"test123test123", "oJqQo3XAnELNnFLAmA1"},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.decoded, func(t *testing.T) {
+			encodeResult := crypt.Encode24BitBase64([]byte(tc.decoded))
+			assert.Equal(t, tc.expectEncoded, string(encodeResult))
+		})
+	}
+}

base64_test.go

@@ -92,7 +92,7 @@ func md5Algorithm(password, settings string) (string, error) {
 	buf.Write([]byte(MD5Prefix))
 	buf.Write(saltBytes)
 	buf.WriteByte('$')
-	buf.Write(base64_24Bit([]byte{
+	buf.Write(Encode24BitBase64([]byte{
 		sumA[12], sumA[6], sumA[0],
 		sumA[13], sumA[7], sumA[1],
 		sumA[14], sumA[8], sumA[2],

md5.go

@@ -25,28 +25,39 @@ func (p Parameter) GetInt(key string, defaultValue int) int {
 }
 
 // DecodeSettings decodes the provided settings string into it's parts.
-func DecodeSettings(settings string) (string, Parameter, string, string, error) {
-	parts := strings.Split(settings, "$")
-	switch {
-	case len(parts) == 3:
-		return parts[1], nil, parts[2], "", nil
-	case len(parts) >= 4:
-		if strings.Contains(parts[2], "=") {
-			pairs := strings.Split(parts[2], ",")
-			p := Parameter{}
-			for _, pair := range pairs {
-				pairParts := strings.SplitN(pair, "=", 2)
-				if len(pairParts) < 2 {
-					continue
+func DecodeSettings(settings string) (code string, parameter Parameter, salt string, hash string, err error) {
+	step := 0
+	for _, part := range strings.Split(settings, "$") {
+		switch step {
+		case 0, 1:
+			code = part
+			step++
+		case 2:
+			if strings.Contains(part, "=") {
+				if parameter == nil {
+					parameter = Parameter{}
 				}
-				p[pairParts[0]] = pairParts[1]
+				parameter = decodeParameters(parameter, part)
+			} else {
+				salt = part
+				step++
 			}
-			if len(parts) >= 5 {
-				return parts[1], p, parts[3], parts[4], nil
-			}
-			return parts[1], p, parts[3], "", nil
+		case 3:
+			hash = part
+			step++
+		}
+	}
+	return
+}
+
+func decodeParameters(p Parameter, text string) Parameter {
+	pairs := strings.Split(text, ",")
+	for _, pair := range pairs {
+		parts := strings.SplitN(pair, "=", 2)
+		if len(parts) < 2 {
+			continue
 		}
-		return parts[1], nil, parts[2], parts[3], nil
+		p[parts[0]] = parts[1]
 	}
-	return "", nil, "", "", ErrInvalidSettings
+	return p
 }

settings.go

@@ -23,6 +23,8 @@ func TestDecodeSettings(t *testing.T) {
 		{"$1$rounds=100$salt", "1", crypt.Parameter{"rounds": "100"}, "salt", "", nil},
 		{"$1$rounds=200$salt$hash", "1", crypt.Parameter{"rounds": "200"}, "salt", "hash", nil},
 		{"$1$rounds=300$salt$hash$", "1", crypt.Parameter{"rounds": "300"}, "salt", "hash", nil},
+		{"$argon2i$v=19$m=65536,t=2,p=4$c29tZXNhbHQ$IMit9qkFULCMA/ViizL57cnTLOa5DiVM9eMwpAvPwr4",
+			"argon2i", crypt.Parameter{"v": "19", "m": "65536", "t": "2", "p": "4"}, "c29tZXNhbHQ", "IMit9qkFULCMA/ViizL57cnTLOa5DiVM9eMwpAvPwr4", nil},
 	}
 
 	for _, tc := range tcs {

settings_test.go

@@ -110,7 +110,7 @@ func sha256Algorithm(password, settings string) (string, error) {
 	}
 	buf.Write(saltBytes)
 	buf.WriteByte('$')
-	buf.Write(base64_24Bit([]byte{
+	buf.Write(Encode24BitBase64([]byte{
 		sumA[20], sumA[10], sumA[0],
 		sumA[11], sumA[1], sumA[21],
 		sumA[2], sumA[22], sumA[12],

sha256.go

@@ -114,7 +114,7 @@ func sha512Algorithm(password, settings string) (string, error) {
 	}
 	buf.Write(saltBytes)
 	buf.WriteByte('$')
-	buf.Write(base64_24Bit([]byte{
+	buf.Write(Encode24BitBase64([]byte{
 		sumA[42], sumA[21], sumA[0],
 		sumA[1], sumA[43], sumA[22],
 		sumA[23], sumA[2], sumA[44],