MVP, no mod tools or anything but it works

vendor/github.com/hlandau/passlib/COPYING

@@ -0,0 +1,39 @@
+passlib is a Golang password verification library strongly inspired by and
+derived from Python passlib (<https://pypi.python.org/pypi/passlib>). The BSD
+license is preserved and extended to all new code.
+
+License for Passlib
+===================
+Passlib is (c) `Assurance Technologies <http://www.assurancetechnologies.com>`_,
+and is released under the `BSD license <http://www.opensource.org/licenses/bsd-license.php>`_::
+
+    Passlib
+    Copyright (c) 2008-2012 Assurance Technologies, LLC.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are
+    met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+
+    * Neither the name of Assurance Technologies, nor the names of the
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/hlandau/passlib/README.md

@@ -0,0 +1,95 @@
+passlib for go
+==============
+
+[![GoDoc](https://godoc.org/gopkg.in/hlandau/passlib.v1?status.svg)](https://godoc.org/gopkg.in/hlandau/passlib.v1) [![Build Status](https://travis-ci.org/hlandau/passlib.svg?branch=master)](https://travis-ci.org/hlandau/passlib)
+
+[Python's passlib](https://pythonhosted.org/passlib/) is quite an amazing
+library. I'm not sure there's a password library in existence with more thought
+put into it, or with more support for obscure password formats.
+
+This is a skeleton of a port of passlib to Go. It dogmatically adopts the
+modular crypt format, which [passlib has excellent documentation for](https://pythonhosted.org/passlib/modular_crypt_format.html#modular-crypt-format).
+
+Currently, it supports sha256-crypt, sha512-crypt, scrypt-sha256, bcrypt and
+passlib's bcrypt-sha256 variant. By default, it will hash using scrypt-sha256
+and verify existing hashes using any of these schemes.
+
+Example Usage
+-------------
+There's a default context for ease of use. Most people need only concern
+themselves with the functions `Hash` and `Verify`:
+
+```go
+// Hash a plaintext, UTF-8 password.
+func Hash(password string) (hash string, err error)
+
+// Verifies a plaintext, UTF-8 password using a previously derived hash.
+// Returns non-nil err if verification fails.
+//
+// Also returns an upgraded password hash if the hash provided is
+// deprecated.
+func Verify(password, hash string) (newHash string, err error)
+```
+
+Here's a rough skeleton of typical usage.
+
+```go
+import "gopkg.in/hlandau/passlib.v1"
+
+func RegisterUser() {
+  (...)
+
+  password := get a (UTF-8, plaintext) password from somewhere
+
+  hash, err := passlib.Hash(password)
+  if err != nil {
+    // couldn't hash password for some reason
+    return
+  }
+
+  (store hash in database, etc.)
+}
+
+func CheckPassword() bool {
+  password := get the password the user entered
+  hash := the hash you stored from the call to Hash()
+
+  newHash, err := passlib.Verify(password, hash)
+  if err != nil {
+    // incorrect password, malformed hash, etc.
+    // either way, reject
+    return false
+  }
+
+  // The context has decided, as per its policy, that
+  // the hash which was used to validate the password
+  // should be changed. It has upgraded the hash using
+  // the verified password.
+  if newHash != "" {
+    (store newHash in database, replacing old hash)
+  }
+
+  return true
+}
+```
+
+scrypt Modular Crypt Format
+---------------------------
+Since scrypt does not have a pre-existing modular crypt format standard, I made one. It's as follows:
+
+    $s2$N$r$p$salt$hash
+
+...where `N`, `r` and `p` are the respective difficulty parameters to scrypt as positive decimal integers without leading zeroes, and `salt` and `hash` are base64-encoded binary strings. Note that the RFC 4648 base64 encoding is used (not the one used by sha256-crypt and sha512-crypt).
+
+TODO
+----
+
+  - PBKDF2
+
+Licence
+-------
+passlib is partially derived from Python's passlib and so maintains its BSD license.
+
+    © 2008-2012 Assurance Technologies LLC.  (Python passlib)  BSD License
+    © 2014 Hugo Landau <hlandau@devever.net>  BSD License
+

vendor/github.com/hlandau/passlib/passlib.go

@@ -0,0 +1,177 @@
+// Package passlib provides a simple password hashing and verification
+// interface abstracting multiple password hashing schemes.
+//
+// Most people need concern themselves only with the functions Hash
+// and Verify, which uses the default context and sensible defaults.
+package passlib // import "gopkg.in/hlandau/passlib.v1"
+
+import "gopkg.in/hlandau/passlib.v1/abstract"
+import "gopkg.in/hlandau/passlib.v1/hash/scrypt"
+import "gopkg.in/hlandau/passlib.v1/hash/sha2crypt"
+import "gopkg.in/hlandau/passlib.v1/hash/bcryptsha256"
+import "gopkg.in/hlandau/passlib.v1/hash/bcrypt"
+import "gopkg.in/hlandau/easymetric.v1/cexp"
+
+var cHashCalls = cexp.NewCounter("passlib.ctx.hashCalls")
+var cVerifyCalls = cexp.NewCounter("passlib.ctx.verifyCalls")
+var cSuccessfulVerifyCalls = cexp.NewCounter("passlib.ctx.successfulVerifyCalls")
+var cFailedVerifyCalls = cexp.NewCounter("passlib.ctx.failedVerifyCalls")
+var cSuccessfulVerifyCallsWithUpgrade = cexp.NewCounter("passlib.ctx.successfulVerifyCallsWithUpgrade")
+var cSuccessfulVerifyCallsDeferringUpgrade = cexp.NewCounter("passlib.ctx.successfulVerifyCallsDeferringUpgrade")
+
+// The default schemes, most preferred first. The first scheme will be used to
+// hash passwords, and any of the schemes may be used to verify existing
+// passwords. The contents of this value may change with subsequent releases.
+var DefaultSchemes = []abstract.Scheme{
+	scrypt.SHA256Crypter,
+	sha2crypt.Crypter256,
+	sha2crypt.Crypter512,
+	bcryptsha256.Crypter,
+	bcrypt.Crypter,
+}
+
+// A password hashing context, that uses a given set of schemes to hash and
+// verify passwords.
+type Context struct {
+	// Slice of schemes to use, most preferred first.
+	//
+	// If left uninitialized, a sensible default set of schemes will be used.
+	//
+	// An upgrade hash (see the newHash return value of the Verify method of the
+	// abstract.Scheme interface) will be issued whenever a password is validated
+	// using a scheme which is not the first scheme in this slice.
+	Schemes []abstract.Scheme
+}
+
+func (ctx *Context) schemes() []abstract.Scheme {
+	if ctx.Schemes == nil {
+		return DefaultSchemes
+	}
+
+	return ctx.Schemes
+}
+
+// Hashes a UTF-8 plaintext password using the context and produces a password hash.
+//
+// If stub is "", one is generated automaticaly for the preferred password hashing
+// scheme; you should specify stub as "" in almost all cases.
+//
+// The provided or randomly generated stub is used to deterministically hash
+// the password. The returned hash is in modular crypt format.
+//
+// If the context has not been specifically configured, a sensible default policy
+// is used. See the fields of Context.
+func (ctx *Context) Hash(password string) (hash string, err error) {
+	cHashCalls.Add(1)
+
+	return ctx.schemes()[0].Hash(password)
+}
+
+// Verifies a UTF-8 plaintext password using a previously derived password hash
+// and the default context. Returns nil err only if the password is valid.
+//
+// If the hash is determined to be deprecated based on the context policy, and
+// the password is valid, the password is hashed using the preferred password
+// hashing scheme and returned in newHash. You should use this to upgrade any
+// stored password hash in your database.
+//
+// newHash is empty if the password was not valid or if no upgrade is required.
+//
+// You should treat any non-nil err as a password verification error.
+func (ctx *Context) Verify(password, hash string) (newHash string, err error) {
+	return ctx.verify(password, hash, true)
+}
+
+// Like Verify, but does not hash an upgrade password when upgrade is required.
+func (ctx *Context) VerifyNoUpgrade(password, hash string) error {
+	_, err := ctx.verify(password, hash, false)
+	return err
+}
+
+func (ctx *Context) verify(password, hash string, canUpgrade bool) (newHash string, err error) {
+	cVerifyCalls.Add(1)
+
+	for i, scheme := range ctx.schemes() {
+		if !scheme.SupportsStub(hash) {
+			continue
+		}
+
+		err = scheme.Verify(password, hash)
+		if err != nil {
+			cFailedVerifyCalls.Add(1)
+			return "", err
+		}
+
+		cSuccessfulVerifyCalls.Add(1)
+		if i != 0 || scheme.NeedsUpdate(hash) {
+			if canUpgrade {
+				cSuccessfulVerifyCallsWithUpgrade.Add(1)
+
+				// If the scheme is not the first scheme, try and rehash with the
+				// preferred scheme.
+				if newHash, err2 := ctx.Hash(password); err2 == nil {
+					return newHash, nil
+				}
+			} else {
+				cSuccessfulVerifyCallsDeferringUpgrade.Add(1)
+			}
+		}
+
+		return "", nil
+	}
+
+	return "", abstract.ErrUnsupportedScheme
+}
+
+// Determines whether a stub or hash needs updating according to the policy of
+// the context.
+func (ctx *Context) NeedsUpdate(stub string) bool {
+	for i, scheme := range ctx.schemes() {
+		if scheme.SupportsStub(stub) {
+			return i != 0 || scheme.NeedsUpdate(stub)
+		}
+	}
+
+	return false
+}
+
+// The default context, which uses sensible defaults. Most users should not
+// reconfigure this. The defaults may change over time, so you may wish
+// to reconfigure the context or use a custom context if you want precise
+// control over the hashes used.
+var DefaultContext Context
+
+// Hashes a UTF-8 plaintext password using the default context and produces a
+// password hash. Chooses the preferred password hashing scheme based on the
+// configured policy. The default policy is sensible.
+func Hash(password string) (hash string, err error) {
+	return DefaultContext.Hash(password)
+}
+
+// Verifies a UTF-8 plaintext password using a previously derived password hash
+// and the default context. Returns nil err only if the password is valid.
+//
+// If the hash is determined to be deprecated based on policy, and the password
+// is valid, the password is hashed using the preferred password hashing scheme
+// and returned in newHash. You should use this to upgrade any stored password
+// hash in your database.
+//
+// newHash is empty if the password was invalid or no upgrade is required.
+//
+// You should treat any non-nil err as a password verification error.
+func Verify(password, hash string) (newHash string, err error) {
+	return DefaultContext.Verify(password, hash)
+}
+
+// Like Verify, but never upgrades.
+func VerifyNoUpgrade(password, hash string) error {
+	return DefaultContext.VerifyNoUpgrade(password, hash)
+}
+
+// Uses the default context to determine whether a stub or hash needs updating.
+func NeedsUpdate(stub string) bool {
+	return DefaultContext.NeedsUpdate(stub)
+}
+
+// © 2008-2012 Assurance Technologies LLC.  (Python passlib)  BSD License
+// © 2014 Hugo Landau <hlandau@devever.net>  BSD License