remove unused dep in go.mod, addresses #4

vendor/gopkg.in/hlandau/passlib.v1/hash/argon2/argon2.go

@@ -0,0 +1,115 @@
+// Package argon2 implements the argon2 password hashing mechanism, wrapped in
+// the argon2 encoded format.
+package argon2
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+	"gopkg.in/hlandau/passlib.v1/hash/argon2/raw"
+)
+
+// An implementation of Scheme performing argon2 hashing.
+//
+// Uses the recommended values for time, memory and threads defined in raw.
+var Crypter abstract.Scheme
+
+const saltLength = 16
+
+func init() {
+	Crypter = New(
+		raw.RecommendedTime,
+		raw.RecommendedMemory,
+		raw.RecommendedThreads,
+	)
+}
+
+// Returns an implementation of Scheme implementing argon2
+// with the specified parameters.
+func New(time, memory uint32, threads uint8) abstract.Scheme {
+	return &scheme{
+		time:    time,
+		memory:  memory,
+		threads: threads,
+	}
+}
+
+type scheme struct {
+	time, memory uint32
+	threads      uint8
+}
+
+func (c *scheme) SetParams(time, memory uint32, threads uint8) error {
+	c.time = time
+	c.memory = memory
+	c.threads = threads
+	return nil
+}
+
+func (c *scheme) SupportsStub(stub string) bool {
+	return strings.HasPrefix(stub, "$argon2i$")
+}
+
+func (c *scheme) Hash(password string) (string, error) {
+
+	stub, err := c.makeStub()
+	if err != nil {
+		return "", err
+	}
+
+	_, newHash, _, _, _, _, _, err := c.hash(password, stub)
+	return newHash, err
+}
+
+func (c *scheme) Verify(password, hash string) (err error) {
+
+	_, newHash, _, _, _, _, _, err := c.hash(password, hash)
+	if err == nil && !abstract.SecureCompare(hash, newHash) {
+		err = abstract.ErrInvalidPassword
+	}
+
+	return
+}
+
+func (c *scheme) NeedsUpdate(stub string) bool {
+	salt, _, version, time, memory, threads, err := raw.Parse(stub)
+	if err != nil {
+		return false // ...
+	}
+
+	return c.needsUpdate(salt, version, time, memory, threads)
+}
+
+func (c *scheme) needsUpdate(salt []byte, version int, time, memory uint32, threads uint8) bool {
+	return len(salt) < saltLength || version < argon2.Version || time < c.time || memory < c.memory || threads < c.threads
+}
+
+func (c *scheme) hash(password, stub string) (oldHashRaw []byte, newHash string, salt []byte, version int, memory, time uint32, threads uint8, err error) {
+
+	salt, oldHashRaw, version, time, memory, threads, err = raw.Parse(stub)
+	if err != nil {
+		return
+	}
+
+	return oldHashRaw, raw.Argon2(password, salt, time, memory, threads), salt, version, memory, time, threads, nil
+}
+
+func (c *scheme) makeStub() (string, error) {
+	buf := make([]byte, saltLength)
+	_, err := rand.Read(buf)
+	if err != nil {
+		return "", err
+	}
+
+	salt := base64.RawStdEncoding.EncodeToString(buf)
+
+	return fmt.Sprintf("$argon2i$v=%d$m=%d,t=%d,p=%d$%s$", argon2.Version, c.memory, c.time, c.threads, salt), nil
+}
+
+func (c *scheme) String() string {
+	return fmt.Sprintf("argon2(%d,%d,%d,%d)", argon2.Version, c.memory, c.time, c.threads)
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/argon2/raw/argon2.go

@@ -0,0 +1,186 @@
+// Package raw provides a raw implementation of the modular-crypt-wrapped Argon2i primitive.
+package raw
+
+import (
+	"encoding/base64"
+	"fmt"
+	"golang.org/x/crypto/argon2"
+	"strconv"
+	"strings"
+)
+
+// The current recommended time value for interactive logins.
+const RecommendedTime uint32 = 4
+
+// The current recommended memory for interactive logins.
+const RecommendedMemory uint32 = 32 * 1024
+
+// The current recommended number of threads for interactive logins.
+const RecommendedThreads uint8 = 4
+
+// Wrapper for golang.org/x/crypto/argon2 implementing a sensible
+// hashing interface.
+//
+// password should be a UTF-8 plaintext password.
+// salt should be a random salt value in binary form.
+//
+// Time, memory, and threads are parameters to argon2.
+//
+// Returns an argon2 encoded hash.
+func Argon2(password string, salt []byte, time, memory uint32, threads uint8) string {
+	passwordb := []byte(password)
+
+	hash := argon2.Key(passwordb, salt, time, memory, threads, 32)
+
+	hstr := base64.RawStdEncoding.EncodeToString(hash)
+	sstr := base64.RawStdEncoding.EncodeToString(salt)
+
+	return fmt.Sprintf("$argon2i$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, memory, time, threads, sstr, hstr)
+}
+
+// Indicates that a password hash or stub is invalid.
+var ErrInvalidStub = fmt.Errorf("invalid argon2 password stub")
+
+// Indicates that a key-value pair in the configuration part is malformed.
+var ErrInvalidKeyValuePair = fmt.Errorf("invalid argon2 key-value pair")
+
+// Indicates that the version part had the wrong number of parameters.
+var ErrParseVersion = fmt.Errorf("version section has wrong number of parameters")
+
+// Indicates that the hash config part had the wrong number of parameters.
+var ErrParseConfig = fmt.Errorf("hash config section has wrong number of parameters")
+
+// Indicates that the version parameter ("v") was missing in the version part,
+// even though it is required.
+var ErrMissingVersion = fmt.Errorf("version parameter (v) is missing")
+
+// Indicates that the memory parameter ("m") was mossing in the hash config
+// part, even though it is required.
+var ErrMissingMemory = fmt.Errorf("memory parameter (m) is missing")
+
+// Indicates that the time parameter ("t") was mossing in the hash config part,
+// even though it is required.
+var ErrMissingTime = fmt.Errorf("time parameter (t) is missing")
+
+// Indicates that the parallelism parameter ("p") was mossing in the hash config
+// part, even though it is required.
+var ErrMissingParallelism = fmt.Errorf("parallelism parameter (p) is missing")
+
+// Parses an argon2 encoded hash.
+//
+// The format is as follows:
+//
+//   $argon2i$v=version$m=memory,t=time,p=threads$salt$hash   // hash
+//   $argon2i$v=version$m=memory,t=time,p=threads$salt        // stub
+//
+func Parse(stub string) (salt, hash []byte, version int, time, memory uint32, parallelism uint8, err error) {
+	if len(stub) < 26 || !strings.HasPrefix(stub, "$argon2i$") {
+		err = ErrInvalidStub
+		return
+	}
+
+	// $argon2i$  v=version$m=memory,t=time,p=threads$salt-base64$hash-base64
+	parts := strings.Split(stub[9:], "$")
+
+	// version-params$hash-config-params$salt[$hash]
+	if len(parts) < 3 || len(parts) > 4 {
+		err = ErrInvalidStub
+		return
+	}
+
+	// Parse the first configuration part, the version parameters.
+	versionParams, err := parseKeyValuePair(parts[0])
+	if err != nil {
+		return
+	}
+
+	// Must be exactly one parameter in the version part.
+	if len(versionParams) != 1 {
+		err = ErrParseVersion
+		return
+	}
+
+	// It must be "v".
+	val, ok := versionParams["v"]
+	if !ok {
+		err = ErrMissingVersion
+		return
+	}
+
+	version = int(val)
+
+	// Parse the second configuration part, the hash config parameters.
+	hashParams, err := parseKeyValuePair(parts[1])
+	if err != nil {
+		return
+	}
+
+	// It must have exactly three parameters.
+	if len(hashParams) != 3 {
+		err = ErrParseConfig
+		return
+	}
+
+	// Memory parameter.
+	val, ok = hashParams["m"]
+	if !ok {
+		err = ErrMissingMemory
+		return
+	}
+
+	memory = uint32(val)
+
+	// Time parameter.
+	val, ok = hashParams["t"]
+	if !ok {
+		err = ErrMissingTime
+		return
+	}
+
+	time = uint32(val)
+
+	// Parallelism parameter.
+	val, ok = hashParams["p"]
+	if !ok {
+		err = ErrMissingParallelism
+		return
+	}
+
+	parallelism = uint8(val)
+
+	// Decode salt.
+	salt, err = base64.RawStdEncoding.DecodeString(parts[2])
+	if err != nil {
+		return
+	}
+
+	// Decode hash if present.
+	if len(parts) >= 4 {
+		hash, err = base64.RawStdEncoding.DecodeString(parts[3])
+	}
+
+	return
+}
+
+func parseKeyValuePair(pairs string) (result map[string]uint64, err error) {
+	result = map[string]uint64{}
+
+	parameterParts := strings.Split(pairs, ",")
+
+	for _, parameter := range parameterParts {
+		parts := strings.SplitN(parameter, "=", 2)
+		if len(parts) != 2 {
+			err = ErrInvalidKeyValuePair
+			return
+		}
+
+		parsedi, err := strconv.ParseUint(parts[1], 10, 32)
+		if err != nil {
+			return result, err
+		}
+
+		result[parts[0]] = parsedi
+	}
+
+	return result, nil
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/pbkdf2.go

@@ -0,0 +1,94 @@
+// Package pbkdf2 implements a modular crypt format for PBKDF2-SHA1,
+// PBKDF2-SHA256 and PBKDF-SHA512.
+//
+// The format is the same as that used by Python's passlib and is compatible.
+package pbkdf2
+
+import (
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"fmt"
+	"gopkg.in/hlandau/passlib.v1/abstract"
+	"gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw"
+	"hash"
+	"strings"
+)
+
+// An implementation of Scheme implementing a number of PBKDF2 modular crypt
+// formats used by Python's passlib ($pbkdf2$, $pbkdf2-sha256$,
+// $pbkdf2-sha512$).
+//
+// Uses RecommendedRounds.
+//
+// WARNING: SHA1 should not be used for new applications under any
+// circumstances. It should be used for legacy compatibility only.
+var SHA1Crypter abstract.Scheme
+var SHA256Crypter abstract.Scheme
+var SHA512Crypter abstract.Scheme
+
+const (
+	RecommendedRoundsSHA1   = 131000
+	RecommendedRoundsSHA256 = 29000
+	RecommendedRoundsSHA512 = 25000
+)
+
+const SaltLength = 16
+
+func init() {
+	SHA1Crypter = New("$pbkdf2$", sha1.New, RecommendedRoundsSHA1)
+	SHA256Crypter = New("$pbkdf2-sha256$", sha256.New, RecommendedRoundsSHA256)
+	SHA512Crypter = New("$pbkdf2-sha512$", sha512.New, RecommendedRoundsSHA512)
+}
+
+type scheme struct {
+	Ident    string
+	HashFunc func() hash.Hash
+	Rounds   int
+}
+
+func New(ident string, hf func() hash.Hash, rounds int) abstract.Scheme {
+	return &scheme{
+		Ident:    ident,
+		HashFunc: hf,
+		Rounds:   rounds,
+	}
+}
+
+func (s *scheme) Hash(password string) (string, error) {
+	salt := make([]byte, SaltLength)
+	_, err := rand.Read(salt)
+	if err != nil {
+		return "", err
+	}
+
+	hash := raw.Hash([]byte(password), salt, s.Rounds, s.HashFunc)
+
+	newHash := fmt.Sprintf("%s%d$%s$%s", s.Ident, s.Rounds, raw.Base64Encode(salt), hash)
+	return newHash, nil
+}
+
+func (s *scheme) Verify(password, stub string) (err error) {
+	_, rounds, salt, oldHash, err := raw.Parse(stub)
+	if err != nil {
+		return
+	}
+
+	newHash := raw.Hash([]byte(password), salt, rounds, s.HashFunc)
+
+	if len(newHash) == 0 || !abstract.SecureCompare(oldHash, newHash) {
+		err = abstract.ErrInvalidPassword
+	}
+
+	return
+}
+
+func (s *scheme) SupportsStub(stub string) bool {
+	return strings.HasPrefix(stub, s.Ident)
+}
+
+func (s *scheme) NeedsUpdate(stub string) bool {
+	_, rounds, salt, _, err := raw.Parse(stub)
+	return err == raw.ErrInvalidRounds || rounds < s.Rounds || len(salt) < SaltLength
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/base64.go

@@ -0,0 +1,20 @@
+package raw
+
+import (
+	"encoding/base64"
+	"strings"
+)
+
+var b64 = base64.RawStdEncoding
+
+func Base64Encode(src []byte) (dst string) {
+	dst = b64.EncodeToString(src)
+	dst = strings.Replace(dst, "+", ".", -1)
+	return
+}
+
+func Base64Decode(src string) (dst []byte, err error) {
+	src = strings.Replace(src, ".", "+", -1)
+	dst, err = b64.DecodeString(src)
+	return
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/parse.go

@@ -0,0 +1,62 @@
+package raw
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"fmt"
+	"hash"
+	"strconv"
+	"strings"
+)
+
+// Indicates that a password hash or stub is invalid.
+var ErrInvalidStub = fmt.Errorf("invalid stub")
+
+// Indicates that the number of rounds specified is not in the valid range.
+var ErrInvalidRounds = fmt.Errorf("invalid number of rounds")
+
+var hashMap = map[string]func() hash.Hash{
+	"pbkdf2":        sha1.New,
+	"pbkdf2-sha256": sha256.New,
+	"pbkdf2-sha512": sha512.New,
+}
+
+func Parse(stub string) (hashFunc func() hash.Hash, rounds int, salt []byte, hash string, err error) {
+	// does not start with $pbkdf2
+	if !strings.HasPrefix(stub, "$pbkdf2") {
+		err = ErrInvalidStub
+		return
+	}
+
+	parts := strings.Split(stub, "$")
+	if f, ok := hashMap[parts[1]]; ok {
+		hashFunc = f
+	} else {
+		err = ErrInvalidStub
+		return
+	}
+
+	roundsStr := parts[2]
+	var n uint64
+	n, err = strconv.ParseUint(roundsStr, 10, 31)
+	if err != nil {
+		err = ErrInvalidStub
+		return
+	}
+	rounds = int(n)
+
+	if rounds < MinRounds || rounds > MaxRounds {
+		err = ErrInvalidRounds
+		return
+	}
+
+	salt, err = Base64Decode(parts[3])
+	if err != nil {
+		err = fmt.Errorf("could not decode base64 salt")
+		return
+	}
+	hash = parts[4]
+
+	return
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/raw/pbkdf2.go

@@ -0,0 +1,15 @@
+package raw
+
+import (
+	"golang.org/x/crypto/pbkdf2"
+	"hash"
+)
+
+const (
+	MinRounds = 1
+	MaxRounds = 0xffffffff // setting at 32-bit limit for now
+)
+
+func Hash(password, salt []byte, rounds int, hf func() hash.Hash) (hash string) {
+	return Base64Encode(pbkdf2.Key(password, salt, rounds, hf().Size(), hf))
+}

vendor/gopkg.in/hlandau/passlib.v1/hash/pbkdf2/test.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+import passlib.hash
+import base64
+def f(p):
+  h = passlib.hash.pbkdf2_sha256.hash(p)
+  print('  {"%s", "%s"},' % (p,h))
+
+f('')
+f('a')
+f('ab')
+f('abc')
+f('abcd')
+f('abcde')
+f('abcdef')
+f('abcdefg')
+f('abcdefgh')
+f('abcdefghi')
+f('abcdefghij')
+f('abcdefghijk')
+f('abcdefghijkl')
+f('abcdefghijklm')
+f('abcdefghijklmn')
+f('abcdefghijklmno')
+f('abcdefghijklmnop')
+f('qrstuvwxyz012345')
+f('67890./')
+f('ABCDEFGHIJKLMNOP')
+f('QRSTUVWXYZ012345')
+for i in range(70):
+    f(('password'*10)[0:i])