mirror of
https://github.com/jech/galene.git
synced 2024-11-09 18:25:58 +01:00
Add support for hashing password with BCrypt.
This commit is contained in:
parent
2a32ac8f40
commit
8628344a6d
3 changed files with 66 additions and 14 deletions
|
@ -9,22 +9,31 @@ import (
|
|||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/crypto/pbkdf2"
|
||||
|
||||
"github.com/jech/galene/group"
|
||||
)
|
||||
|
||||
func main() {
|
||||
var algorithm string
|
||||
var iterations int
|
||||
var cost int
|
||||
var length int
|
||||
var saltLen int
|
||||
var username string
|
||||
flag.StringVar(&username, "user", "",
|
||||
"generate entry for given `username`")
|
||||
flag.IntVar(&iterations, "iterations", 4096, "`number` of iterations")
|
||||
flag.IntVar(&length, "key", 32, "key `length`")
|
||||
flag.IntVar(&saltLen, "salt", 8, "salt `length`")
|
||||
flag.StringVar(&algorithm, "hash", "pbkdf2",
|
||||
"hashing `algorithm`")
|
||||
flag.IntVar(&iterations, "iterations", 4096,
|
||||
"`number` of iterations (pbkdf2)")
|
||||
flag.IntVar(&cost, "cost", bcrypt.DefaultCost,
|
||||
"`cost` (bcrypt)")
|
||||
flag.IntVar(&length, "key", 32, "key `length` (pbkdf2)")
|
||||
flag.IntVar(&saltLen, "salt", 8, "salt `length` (pbkdf2)")
|
||||
flag.Parse()
|
||||
|
||||
if len(flag.Args()) == 0 {
|
||||
|
@ -43,17 +52,34 @@ func main() {
|
|||
if err != nil {
|
||||
log.Fatalf("Salt: %v", err)
|
||||
}
|
||||
key := pbkdf2.Key(
|
||||
[]byte(pw), salt, iterations, length, sha256.New,
|
||||
)
|
||||
var p group.Password
|
||||
if strings.EqualFold(algorithm, "pbkdf2") {
|
||||
key := pbkdf2.Key(
|
||||
[]byte(pw), salt, iterations, length, sha256.New,
|
||||
)
|
||||
p = group.Password{
|
||||
Type: "pbkdf2",
|
||||
Hash: "sha-256",
|
||||
Key: hex.EncodeToString(key),
|
||||
Salt: hex.EncodeToString(salt),
|
||||
Iterations: iterations,
|
||||
}
|
||||
} else if strings.EqualFold(algorithm, "bcrypt") {
|
||||
key, err := bcrypt.GenerateFromPassword(
|
||||
[]byte(pw), cost,
|
||||
)
|
||||
if err != nil {
|
||||
log.Fatalf("Couldn't hash password: %v", err)
|
||||
}
|
||||
|
||||
p := group.Password{
|
||||
Type: "pbkdf2",
|
||||
Hash: "sha-256",
|
||||
Key: hex.EncodeToString(key),
|
||||
Salt: hex.EncodeToString(salt),
|
||||
Iterations: iterations,
|
||||
p = group.Password{
|
||||
Type: "bcrypt",
|
||||
Key: string(key),
|
||||
}
|
||||
} else {
|
||||
log.Fatalf("Unknown hash type %v", algorithm)
|
||||
}
|
||||
|
||||
e := json.NewEncoder(os.Stdout)
|
||||
if username != "" {
|
||||
creds := group.ClientPattern{
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"errors"
|
||||
"hash"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"golang.org/x/crypto/pbkdf2"
|
||||
|
||||
"github.com/jech/galene/conn"
|
||||
|
@ -47,6 +48,12 @@ func (p Password) Match(pw string) (bool, error) {
|
|||
[]byte(pw), salt, p.Iterations, len(key), h,
|
||||
)
|
||||
return bytes.Equal(key, theirKey), nil
|
||||
case "bcrypt":
|
||||
err := bcrypt.CompareHashAndPassword([]byte(p.Key), []byte(pw))
|
||||
if err == bcrypt.ErrMismatchedHashAndPassword {
|
||||
return false, nil
|
||||
}
|
||||
return err == nil, err
|
||||
default:
|
||||
return false, errors.New("unknown password type")
|
||||
}
|
||||
|
|
|
@ -17,6 +17,10 @@ var pw3 = Password{
|
|||
Iterations: 4096,
|
||||
}
|
||||
var pw4 = Password{
|
||||
Type: "bcrypt",
|
||||
Key: "$2a$10$afOr2f33onT/nDFFyT3mbOq5FMSw1wWXfyTXQTBMbKvZpBkoD3Qwu",
|
||||
}
|
||||
var pw5 = Password{
|
||||
Type: "bad",
|
||||
}
|
||||
|
||||
|
@ -27,6 +31,9 @@ func TestGood(t *testing.T) {
|
|||
if match, err := pw3.Match("pass"); err != nil || !match {
|
||||
t.Errorf("pw3 doesn't match (%v)", err)
|
||||
}
|
||||
if match, err := pw4.Match("pass"); err != nil || !match {
|
||||
t.Errorf("pw4 doesn't match (%v)", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBad(t *testing.T) {
|
||||
|
@ -39,7 +46,10 @@ func TestBad(t *testing.T) {
|
|||
if match, err := pw3.Match("bad"); err != nil || match {
|
||||
t.Errorf("pw3 matches")
|
||||
}
|
||||
if match, err := pw4.Match("bad"); err == nil || match {
|
||||
if match, err := pw4.Match("bad"); err != nil || match {
|
||||
t.Errorf("pw4 matches")
|
||||
}
|
||||
if match, err := pw5.Match("bad"); err == nil || match {
|
||||
t.Errorf("pw4 matches")
|
||||
}
|
||||
}
|
||||
|
@ -50,7 +60,7 @@ func TestJSON(t *testing.T) {
|
|||
t.Errorf("Expected \"pass\", got %v", string(plain))
|
||||
}
|
||||
|
||||
for _, pw := range []Password{pw1, pw2, pw3, pw4} {
|
||||
for _, pw := range []Password{pw1, pw2, pw3, pw4, pw5} {
|
||||
j, err := json.Marshal(pw)
|
||||
if err != nil {
|
||||
t.Fatalf("Marshal: %v", err)
|
||||
|
@ -85,3 +95,12 @@ func BenchmarkPBKDF2(b *testing.B) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkBCrypt(b *testing.B) {
|
||||
for i := 0; i < b.N; i++ {
|
||||
match, err := pw4.Match("bad")
|
||||
if err != nil || match {
|
||||
b.Errorf("pw3 matched")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue