remove unused dep in go.mod, addresses #4

vendor/gopkg.in/hlandau/passlib.v1/.travis.yml

@@ -2,9 +2,11 @@ language: go
 os:
   - linux
 go:
-  - 1.4
+  - 1.10
   - tip
 sudo: false
 install:
-  - go get gopkg.in/hlandau/passlib.v1
+  - mkdir -p $HOME/gopath/src/gopkg.in/hlandau/
+  - ln -s $TRAVIS_BUILD_DIR $HOME/gopath/src/gopkg.in/hlandau/passlib.v1
   - cd $HOME/gopath/src/gopkg.in/hlandau/passlib.v1
+  - go get

vendor/gopkg.in/hlandau/passlib.v1/README.md

@@ -10,9 +10,19 @@ put into it, or with more support for obscure password formats.
 This is a skeleton of a port of passlib to Go. It dogmatically adopts the
 modular crypt format, which [passlib has excellent documentation for](https://pythonhosted.org/passlib/modular_crypt_format.html#modular-crypt-format).
 
-Currently, it supports sha256-crypt, sha512-crypt, scrypt-sha256, bcrypt and
-passlib's bcrypt-sha256 variant. By default, it will hash using scrypt-sha256
-and verify existing hashes using any of these schemes.
+Currently, it supports:
+
+  - sha256-crypt
+  - sha512-crypt
+  - scrypt-sha256
+  - bcrypt
+  - passlib's bcrypt-sha256 variant
+  - pbkdf2-sha1 (in passlib format)
+  - pbkdf2-sha256 (in passlib format)
+  - pbkdf2-sha512 (in passlib format)
+
+By default, it will hash using scrypt-sha256 and verify existing hashes using
+any of these schemes.
 
 Example Usage
 -------------
@@ -81,11 +91,6 @@ Since scrypt does not have a pre-existing modular crypt format standard, I made
 
 ...where `N`, `r` and `p` are the respective difficulty parameters to scrypt as positive decimal integers without leading zeroes, and `salt` and `hash` are base64-encoded binary strings. Note that the RFC 4648 base64 encoding is used (not the one used by sha256-crypt and sha512-crypt).
 
-TODO
-----
-
-  - PBKDF2
-
 Licence
 -------
 passlib is partially derived from Python's passlib and so maintains its BSD license.

vendor/gopkg.in/hlandau/passlib.v1/default.go

@@ -0,0 +1,141 @@
+package passlib
+
+import (
+	"fmt"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+	"gopkg.in/hlandau/passlib.v1/hash/argon2"
+	"gopkg.in/hlandau/passlib.v1/hash/bcrypt"
+	"gopkg.in/hlandau/passlib.v1/hash/bcryptsha256"
+	"gopkg.in/hlandau/passlib.v1/hash/pbkdf2"
+	"gopkg.in/hlandau/passlib.v1/hash/scrypt"
+	"gopkg.in/hlandau/passlib.v1/hash/sha2crypt"
+	"time"
+)
+
+// This is the first and default set of defaults used by passlib. It prefers
+// scrypt-sha256. It is now obsolete.
+const Defaults20160922 = "20160922"
+
+// This is the most up-to-date set of defaults preferred by passlib. It prefers
+// Argon2i. You must opt into it by calling UseDefaults at startup.
+const Defaults20180601 = "20180601"
+
+// This value, when passed to UseDefaults, causes passlib to always use the
+// very latest set of defaults. DO NOT use this unless you are sure that
+// opportunistic hash upgrades will not cause breakage for your application
+// when future versions of passlib are released. See func UseDefaults.
+const DefaultsLatest = "latest"
+
+// Default schemes as of 2016-09-22.
+var defaultSchemes20160922 = []abstract.Scheme{
+	scrypt.SHA256Crypter,
+	argon2.Crypter,
+	sha2crypt.Crypter512,
+	sha2crypt.Crypter256,
+	bcryptsha256.Crypter,
+	pbkdf2.SHA512Crypter,
+	pbkdf2.SHA256Crypter,
+	bcrypt.Crypter,
+	pbkdf2.SHA1Crypter,
+}
+
+// Default schemes as of 2018-06-01.
+var defaultSchemes20180601 = []abstract.Scheme{
+	argon2.Crypter,
+	scrypt.SHA256Crypter,
+	sha2crypt.Crypter512,
+	sha2crypt.Crypter256,
+	bcryptsha256.Crypter,
+	pbkdf2.SHA512Crypter,
+	pbkdf2.SHA256Crypter,
+	bcrypt.Crypter,
+	pbkdf2.SHA1Crypter,
+}
+
+// The default schemes, most preferred first. The first scheme will be used to
+// hash passwords, and any of the schemes may be used to verify existing
+// passwords. The contents of this value may change with subsequent releases.
+//
+// If you want to change this, set DefaultSchemes to a slice to an
+// abstract.Scheme array of your own construction, rather than mutating the
+// array the slice points to.
+//
+// To see the default schemes used in the current release of passlib, see
+// default.go. See also the UseDefaults function for more information on how
+// the list of default schemes is determined. The default value of
+// DefaultSchemes (the default defaults) won't change; you need to call
+// UseDefaults to allow your application to upgrade to newer hashing schemes
+// (or set DefaultSchemes manually, or create a custom context with its own
+// schemes set).
+var DefaultSchemes []abstract.Scheme
+
+func init() {
+	DefaultSchemes = defaultSchemes20160922
+}
+
+// It is strongly recommended that you call this function like this before using passlib:
+//
+//   passlib.UseDefaults("YYYYMMDD")
+//
+// where YYYYMMDD is a date. This will be used to select the preferred scheme
+// to use. If you do not call UseDefaults, the preferred scheme (the first item
+// in the default schemes list) current as of 2016-09-22 will always be used,
+// meaning that upgrade will not occur even though better schemes are now
+// available.
+//
+// Note that even if you don't call this function, new schemes will still be
+// added to DefaultSchemes over time as non-initial values (items not at index
+// 0), so servers will always, by default, be able to validate all schemes
+// which passlib supports at any given time.
+//
+// The reason you must call this function is as follows: If passlib is deployed
+// as part of a web application in a multi-server deployment, and passlib is
+// updated, and the new version of that application with the updated passlib is
+// deployed, that upgrade process is unlikely to be instantaneous. Old versions
+// of the web application may continue to run on some servers. If merely
+// upgrading passlib caused password hashes to be upgraded to the newer scheme
+// on login, the older daemons may not be able to validate these passwords and
+// users may have issues logging in. Although this can be ameliorated to some
+// extent by introducing a new scheme to passlib, waiting some months, and only
+// then making this the default, this could still cause issued if passlib is
+// only updated very occasionally.
+//
+// Thus, you should update your call to UseDefaults only when all servers have
+// been upgraded, and it is thus guaranteed that they will all be able to
+// verify the new scheme. Making this value loadable from a configuration file
+// is recommended.
+//
+// If you are using a single-server configuration, you can use the special
+// value "latest" here (or, equivalently, a date far into the future), which
+// will always use the most preferred scheme. This is hazardous in a
+// multi-server environment.
+//
+// The constants beginning 'Defaults' in this package document dates
+// which are meaningful to this function. The constant values they are equal to
+// will never change, so there is no need to use them instead of string
+// literals, although you may if you wish; they are intended mainly as
+// documentation as to the significance of various dates.
+//
+// Example for opting in to the latest set of defaults:
+//
+//   passlib.UseDefaults(passlib.Defaults20180601)
+//
+func UseDefaults(date string) error {
+	if date == "latest" {
+		DefaultSchemes = defaultSchemes20180601
+		return nil
+	}
+
+	t, err := time.ParseInLocation("20060102", date, time.UTC)
+	if err != nil {
+		return fmt.Errorf("invalid time string passed to passlib.UseDefaults: %q", date)
+	}
+
+	if !t.Before(time.Date(2016, 9, 22, 0, 0, 0, 0, time.UTC)) {
+		DefaultSchemes = defaultSchemes20180601
+		return nil
+	}
+
+	DefaultSchemes = defaultSchemes20160922
+	return nil
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/argon2/argon2.go

@@ -0,0 +1,115 @@
+// Package argon2 implements the argon2 password hashing mechanism, wrapped in
+// the argon2 encoded format.
+package argon2
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+	"gopkg.in/hlandau/passlib.v1/hash/argon2/raw"
+)
+
+// An implementation of Scheme performing argon2 hashing.
+//
+// Uses the recommended values for time, memory and threads defined in raw.
+var Crypter abstract.Scheme
+
+const saltLength = 16
+
+func init() {
+	Crypter = New(
+		raw.RecommendedTime,
+		raw.RecommendedMemory,
+		raw.RecommendedThreads,
+	)
+}
+
+// Returns an implementation of Scheme implementing argon2
+// with the specified parameters.
+func New(time, memory uint32, threads uint8) abstract.Scheme {
+	return &scheme{
+		time:    time,
+		memory:  memory,
+		threads: threads,
+	}
+}
+
+type scheme struct {
+	time, memory uint32
+	threads      uint8
+}
+
+func (c *scheme) SetParams(time, memory uint32, threads uint8) error {
+	c.time = time
+	c.memory = memory
+	c.threads = threads
+	return nil
+}
+
+func (c *scheme) SupportsStub(stub string) bool {
+	return strings.HasPrefix(stub, "$argon2i$")
+}
+
+func (c *scheme) Hash(password string) (string, error) {
+
+	stub, err := c.makeStub()
+	if err != nil {
+		return "", err
+	}
+
+	_, newHash, _, _, _, _, _, err := c.hash(password, stub)
+	return newHash, err
+}
+
+func (c *scheme) Verify(password, hash string) (err error) {
+
+	_, newHash, _, _, _, _, _, err := c.hash(password, hash)
+	if err == nil && !abstract.SecureCompare(hash, newHash) {
+		err = abstract.ErrInvalidPassword
+	}
+
+	return
+}
+
+func (c *scheme) NeedsUpdate(stub string) bool {
+	salt, _, version, time, memory, threads, err := raw.Parse(stub)
+	if err != nil {
+		return false // ...
+	}
+
+	return c.needsUpdate(salt, version, time, memory, threads)
+}
+
+func (c *scheme) needsUpdate(salt []byte, version int, time, memory uint32, threads uint8) bool {
+	return len(salt) < saltLength || version < argon2.Version || time < c.time || memory < c.memory || threads < c.threads
+}
+
+func (c *scheme) hash(password, stub string) (oldHashRaw []byte, newHash string, salt []byte, version int, memory, time uint32, threads uint8, err error) {
+
+	salt, oldHashRaw, version, time, memory, threads, err = raw.Parse(stub)
+	if err != nil {
+		return
+	}
+
+	return oldHashRaw, raw.Argon2(password, salt, time, memory, threads), salt, version, memory, time, threads, nil
+}
+
+func (c *scheme) makeStub() (string, error) {
+	buf := make([]byte, saltLength)
+	_, err := rand.Read(buf)
+	if err != nil {
+		return "", err
+	}
+
+	salt := base64.RawStdEncoding.EncodeToString(buf)
+
+	return fmt.Sprintf("$argon2i$v=%d$m=%d,t=%d,p=%d$%s$", argon2.Version, c.memory, c.time, c.threads, salt), nil
+}
+
+func (c *scheme) String() string {
+	return fmt.Sprintf("argon2(%d,%d,%d,%d)", argon2.Version, c.memory, c.time, c.threads)
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/argon2/raw/argon2.go

@@ -0,0 +1,186 @@
+// Package raw provides a raw implementation of the modular-crypt-wrapped Argon2i primitive.
+package raw
+
+import (
+	"encoding/base64"
+	"fmt"
+	"golang.org/x/crypto/argon2"
+	"strconv"
+	"strings"
+)
+
+// The current recommended time value for interactive logins.
+const RecommendedTime uint32 = 4
+
+// The current recommended memory for interactive logins.
+const RecommendedMemory uint32 = 32 * 1024
+
+// The current recommended number of threads for interactive logins.
+const RecommendedThreads uint8 = 4
+
+// Wrapper for golang.org/x/crypto/argon2 implementing a sensible
+// hashing interface.
+//
+// password should be a UTF-8 plaintext password.
+// salt should be a random salt value in binary form.
+//
+// Time, memory, and threads are parameters to argon2.
+//
+// Returns an argon2 encoded hash.
+func Argon2(password string, salt []byte, time, memory uint32, threads uint8) string {
+	passwordb := []byte(password)
+
+	hash := argon2.Key(passwordb, salt, time, memory, threads, 32)
+
+	hstr := base64.RawStdEncoding.EncodeToString(hash)
+	sstr := base64.RawStdEncoding.EncodeToString(salt)
+
+	return fmt.Sprintf("$argon2i$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, memory, time, threads, sstr, hstr)
+}
+
+// Indicates that a password hash or stub is invalid.
+var ErrInvalidStub = fmt.Errorf("invalid argon2 password stub")
+
+// Indicates that a key-value pair in the configuration part is malformed.
+var ErrInvalidKeyValuePair = fmt.Errorf("invalid argon2 key-value pair")
+
+// Indicates that the version part had the wrong number of parameters.
+var ErrParseVersion = fmt.Errorf("version section has wrong number of parameters")
+
+// Indicates that the hash config part had the wrong number of parameters.
+var ErrParseConfig = fmt.Errorf("hash config section has wrong number of parameters")
+
+// Indicates that the version parameter ("v") was missing in the version part,
+// even though it is required.
+var ErrMissingVersion = fmt.Errorf("version parameter (v) is missing")
+
+// Indicates that the memory parameter ("m") was mossing in the hash config
+// part, even though it is required.
+var ErrMissingMemory = fmt.Errorf("memory parameter (m) is missing")
+
+// Indicates that the time parameter ("t") was mossing in the hash config part,
+// even though it is required.
+var ErrMissingTime = fmt.Errorf("time parameter (t) is missing")
+
+// Indicates that the parallelism parameter ("p") was mossing in the hash config
+// part, even though it is required.
+var ErrMissingParallelism = fmt.Errorf("parallelism parameter (p) is missing")
+
+// Parses an argon2 encoded hash.
+//
+// The format is as follows:
+//
+//   $argon2i$v=version$m=memory,t=time,p=threads$salt$hash   // hash
+//   $argon2i$v=version$m=memory,t=time,p=threads$salt        // stub
+//
+func Parse(stub string) (salt, hash []byte, version int, time, memory uint32, parallelism uint8, err error) {
+	if len(stub) < 26 || !strings.HasPrefix(stub, "$argon2i$") {
+		err = ErrInvalidStub
+		return
+	}
+
+	// $argon2i$  v=version$m=memory,t=time,p=threads$salt-base64$hash-base64
+	parts := strings.Split(stub[9:], "$")
+
+	// version-params$hash-config-params$salt[$hash]
+	if len(parts) < 3 || len(parts) > 4 {
+		err = ErrInvalidStub
+		return
+	}
+
+	// Parse the first configuration part, the version parameters.
+	versionParams, err := parseKeyValuePair(parts[0])
+	if err != nil {
+		return
+	}
+
+	// Must be exactly one parameter in the version part.
+	if len(versionParams) != 1 {
+		err = ErrParseVersion
+		return
+	}
+
+	// It must be "v".
+	val, ok := versionParams["v"]
+	if !ok {
+		err = ErrMissingVersion
+		return
+	}
+
+	version = int(val)
+
+	// Parse the second configuration part, the hash config parameters.
+	hashParams, err := parseKeyValuePair(parts[1])
+	if err != nil {
+		return
+	}
+
+	// It must have exactly three parameters.
+	if len(hashParams) != 3 {
+		err = ErrParseConfig
+		return
+	}
+
+	// Memory parameter.
+	val, ok = hashParams["m"]
+	if !ok {
+		err = ErrMissingMemory
+		return
+	}
+
+	memory = uint32(val)
+
+	// Time parameter.
+	val, ok = hashParams["t"]
+	if !ok {
+		err = ErrMissingTime
+		return
+	}
+
+	time = uint32(val)
+
+	// Parallelism parameter.
+	val, ok = hashParams["p"]
+	if !ok {
+		err = ErrMissingParallelism
+		return
+	}
+
+	parallelism = uint8(val)
+
+	// Decode salt.
+	salt, err = base64.RawStdEncoding.DecodeString(parts[2])
+	if err != nil {
+		return
+	}
+
+	// Decode hash if present.
+	if len(parts) >= 4 {
+		hash, err = base64.RawStdEncoding.DecodeString(parts[3])
+	}
+
+	return
+}
+
+func parseKeyValuePair(pairs string) (result map[string]uint64, err error) {
+	result = map[string]uint64{}
+
+	parameterParts := strings.Split(pairs, ",")
+
+	for _, parameter := range parameterParts {
+		parts := strings.SplitN(parameter, "=", 2)
+		if len(parts) != 2 {
+			err = ErrInvalidKeyValuePair
+			return
+		}
+
+		parsedi, err := strconv.ParseUint(parts[1], 10, 32)
+		if err != nil {
+			return result, err
+		}
+
+		result[parts[0]] = parsedi
+	}
+
+	return result, nil
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/pbkdf2.go

@@ -0,0 +1,94 @@
+// Package pbkdf2 implements a modular crypt format for PBKDF2-SHA1,
+// PBKDF2-SHA256 and PBKDF-SHA512.
+//
+// The format is the same as that used by Python's passlib and is compatible.
+package pbkdf2
+
+import (
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"fmt"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+	"gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw"
+	"hash"
+	"strings"
+)
+
+// An implementation of Scheme implementing a number of PBKDF2 modular crypt
+// formats used by Python's passlib ($pbkdf2$, $pbkdf2-sha256$,
+// $pbkdf2-sha512$).
+//
+// Uses RecommendedRounds.
+//
+// WARNING: SHA1 should not be used for new applications under any
+// circumstances. It should be used for legacy compatibility only.
+var SHA1Crypter abstract.Scheme
+var SHA256Crypter abstract.Scheme
+var SHA512Crypter abstract.Scheme
+
+const (
+	RecommendedRoundsSHA1   = 131000
+	RecommendedRoundsSHA256 = 29000
+	RecommendedRoundsSHA512 = 25000
+)
+
+const SaltLength = 16
+
+func init() {
+	SHA1Crypter = New("$pbkdf2$", sha1.New, RecommendedRoundsSHA1)
+	SHA256Crypter = New("$pbkdf2-sha256$", sha256.New, RecommendedRoundsSHA256)
+	SHA512Crypter = New("$pbkdf2-sha512$", sha512.New, RecommendedRoundsSHA512)
+}
+
+type scheme struct {
+	Ident    string
+	HashFunc func() hash.Hash
+	Rounds   int
+}
+
+func New(ident string, hf func() hash.Hash, rounds int) abstract.Scheme {
+	return &scheme{
+		Ident:    ident,
+		HashFunc: hf,
+		Rounds:   rounds,
+	}
+}
+
+func (s *scheme) Hash(password string) (string, error) {
+	salt := make([]byte, SaltLength)
+	_, err := rand.Read(salt)
+	if err != nil {
+		return "", err
+	}
+
+	hash := raw.Hash([]byte(password), salt, s.Rounds, s.HashFunc)
+
+	newHash := fmt.Sprintf("%s%d$%s$%s", s.Ident, s.Rounds, raw.Base64Encode(salt), hash)
+	return newHash, nil
+}
+
+func (s *scheme) Verify(password, stub string) (err error) {
+	_, rounds, salt, oldHash, err := raw.Parse(stub)
+	if err != nil {
+		return
+	}
+
+	newHash := raw.Hash([]byte(password), salt, rounds, s.HashFunc)
+
+	if len(newHash) == 0 || !abstract.SecureCompare(oldHash, newHash) {
+		err = abstract.ErrInvalidPassword
+	}
+
+	return
+}
+
+func (s *scheme) SupportsStub(stub string) bool {
+	return strings.HasPrefix(stub, s.Ident)
+}
+
+func (s *scheme) NeedsUpdate(stub string) bool {
+	_, rounds, salt, _, err := raw.Parse(stub)
+	return err == raw.ErrInvalidRounds || rounds < s.Rounds || len(salt) < SaltLength
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/base64.go

@@ -0,0 +1,20 @@
+package raw
+
+import (
+	"encoding/base64"
+	"strings"
+)
+
+var b64 = base64.RawStdEncoding
+
+func Base64Encode(src []byte) (dst string) {
+	dst = b64.EncodeToString(src)
+	dst = strings.Replace(dst, "+", ".", -1)
+	return
+}
+
+func Base64Decode(src string) (dst []byte, err error) {
+	src = strings.Replace(src, ".", "+", -1)
+	dst, err = b64.DecodeString(src)
+	return
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/parse.go

@@ -0,0 +1,62 @@
+package raw
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"fmt"
+	"hash"
+	"strconv"
+	"strings"
+)
+
+// Indicates that a password hash or stub is invalid.
+var ErrInvalidStub = fmt.Errorf("invalid stub")
+
+// Indicates that the number of rounds specified is not in the valid range.
+var ErrInvalidRounds = fmt.Errorf("invalid number of rounds")
+
+var hashMap = map[string]func() hash.Hash{
+	"pbkdf2":        sha1.New,
+	"pbkdf2-sha256": sha256.New,
+	"pbkdf2-sha512": sha512.New,
+}
+
+func Parse(stub string) (hashFunc func() hash.Hash, rounds int, salt []byte, hash string, err error) {
+	// does not start with $pbkdf2
+	if !strings.HasPrefix(stub, "$pbkdf2") {
+		err = ErrInvalidStub
+		return
+	}
+
+	parts := strings.Split(stub, "$")
+	if f, ok := hashMap[parts[1]]; ok {
+		hashFunc = f
+	} else {
+		err = ErrInvalidStub
+		return
+	}
+
+	roundsStr := parts[2]
+	var n uint64
+	n, err = strconv.ParseUint(roundsStr, 10, 31)
+	if err != nil {
+		err = ErrInvalidStub
+		return
+	}
+	rounds = int(n)
+
+	if rounds < MinRounds || rounds > MaxRounds {
+		err = ErrInvalidRounds
+		return
+	}
+
+	salt, err = Base64Decode(parts[3])
+	if err != nil {
+		err = fmt.Errorf("could not decode base64 salt")
+		return
+	}
+	hash = parts[4]
+
+	return
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/pbkdf2.go

@@ -0,0 +1,15 @@
+package raw
+
+import (
+	"golang.org/x/crypto/pbkdf2"
+	"hash"
+)
+
+const (
+	MinRounds = 1
+	MaxRounds = 0xffffffff // setting at 32-bit limit for now
+)
+
+func Hash(password, salt []byte, rounds int, hf func() hash.Hash) (hash string) {
+	return Base64Encode(pbkdf2.Key(password, salt, rounds, hf().Size(), hf))
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/test.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+import passlib.hash
+import base64
+def f(p):
+  h = passlib.hash.pbkdf2_sha256.hash(p)
+  print('  {"%s", "%s"},' % (p,h))
+
+f('')
+f('a')
+f('ab')
+f('abc')
+f('abcd')
+f('abcde')
+f('abcdef')
+f('abcdefg')
+f('abcdefgh')
+f('abcdefghi')
+f('abcdefghij')
+f('abcdefghijk')
+f('abcdefghijkl')
+f('abcdefghijklm')
+f('abcdefghijklmn')
+f('abcdefghijklmno')
+f('abcdefghijklmnop')
+f('qrstuvwxyz012345')
+f('67890./')
+f('ABCDEFGHIJKLMNOP')
+f('QRSTUVWXYZ012345')
+for i in range(70):
+    f(('password'*10)[0:i])

vendor/gopkg.in/hlandau/passlib.v1/passlib.go

@@ -1,16 +1,24 @@
 // Package passlib provides a simple password hashing and verification
 // interface abstracting multiple password hashing schemes.
 //
-// Most people need concern themselves only with the functions Hash
-// and Verify, which uses the default context and sensible defaults.
+// After initialisation, most people need concern themselves only with the
+// functions Hash and Verify, which uses the default context and sensible
+// defaults.
+//
+// Library Initialization
+//
+// You should initialise the library before using it with the following line.
+//
+//   // Call this at application startup.
+//   passlib.UseDefaults(passlib.Defaults20180601)
+//
+// See func UseDefaults for details.
 package passlib // import "gopkg.in/hlandau/passlib.v1"
 
-import "gopkg.in/hlandau/passlib.v1/abstract"
-import "gopkg.in/hlandau/passlib.v1/hash/scrypt"
-import "gopkg.in/hlandau/passlib.v1/hash/sha2crypt"
-import "gopkg.in/hlandau/passlib.v1/hash/bcryptsha256"
-import "gopkg.in/hlandau/passlib.v1/hash/bcrypt"
-import "gopkg.in/hlandau/easymetric.v1/cexp"
+import (
+	"gopkg.in/hlandau/easymetric.v1/cexp"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+)
 
 var cHashCalls = cexp.NewCounter("passlib.ctx.hashCalls")
 var cVerifyCalls = cexp.NewCounter("passlib.ctx.verifyCalls")
@@ -19,17 +27,6 @@ var cFailedVerifyCalls = cexp.NewCounter("passlib.ctx.failedVerifyCalls")
 var cSuccessfulVerifyCallsWithUpgrade = cexp.NewCounter("passlib.ctx.successfulVerifyCallsWithUpgrade")
 var cSuccessfulVerifyCallsDeferringUpgrade = cexp.NewCounter("passlib.ctx.successfulVerifyCallsDeferringUpgrade")
 
-// The default schemes, most preferred first. The first scheme will be used to
-// hash passwords, and any of the schemes may be used to verify existing
-// passwords. The contents of this value may change with subsequent releases.
-var DefaultSchemes = []abstract.Scheme{
-	scrypt.SHA256Crypter,
-	sha2crypt.Crypter256,
-	sha2crypt.Crypter512,
-	bcryptsha256.Crypter,
-	bcrypt.Crypter,
-}
-
 // A password hashing context, that uses a given set of schemes to hash and
 // verify passwords.
 type Context struct {