package auth import ( "crypto/rand" "crypto/subtle" "encoding/base64" "fmt" "regexp" "strconv" "strings" "golang.org/x/crypto/argon2" ) const ( argonTime = 1 argonMemory = 64 * 1024 argonThreads = 4 argonKeyLen = 32 argonSaltLen = 16 // Upper bounds guard against a corrupted/attacker-controlled // password_hash forcing an oversized argon2 computation (DoS). argonMaxMemoryKiB = 1 << 21 // 2 GiB in KiB argonMaxTime = 10 argonMaxThreads = 16 ) // paramsRe strictly matches the "m=,t=,p=" parameter segment, // requiring the whole segment to be consumed (no trailing garbage). var paramsRe = regexp.MustCompile(`^m=([0-9]+),t=([0-9]+),p=([0-9]+)$`) func HashPassword(password string) (string, error) { salt := make([]byte, argonSaltLen) if _, err := rand.Read(salt); err != nil { return "", err } key := argon2.IDKey([]byte(password), salt, argonTime, argonMemory, argonThreads, argonKeyLen) b64 := base64.RawStdEncoding.EncodeToString return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s", argonMemory, argonTime, argonThreads, b64(salt), b64(key)), nil } func VerifyPassword(encoded, password string) (bool, error) { parts := strings.Split(encoded, "$") if len(parts) != 6 || parts[1] != "argon2id" { return false, fmt.Errorf("auth: bad hash format") } if parts[2] != "v=19" { return false, fmt.Errorf("auth: unsupported version") } matches := paramsRe.FindStringSubmatch(parts[3]) if matches == nil { return false, fmt.Errorf("auth: bad hash format") } m64, err := strconv.ParseUint(matches[1], 10, 32) if err != nil { return false, fmt.Errorf("auth: bad hash format") } t64, err := strconv.ParseUint(matches[2], 10, 32) if err != nil { return false, fmt.Errorf("auth: bad hash format") } p64, err := strconv.ParseUint(matches[3], 10, 8) if err != nil { return false, fmt.Errorf("auth: bad hash format") } m, t, p := uint32(m64), uint32(t64), uint8(p64) // argon2.IDKey panics if time<1 ("number of rounds too small") or // threads<1 ("parallelism degree too low"). Reject before calling it. // Minimum memory per argon2 spec is 8*parallelism (in KiB). if t < 1 || p < 1 || m < 8*uint32(p) { return false, fmt.Errorf("auth: bad hash params") } // Upper bounds guard against DoS via inflated parameters in a // corrupted or attacker-controlled stored hash. if m > argonMaxMemoryKiB || t > argonMaxTime || p > argonMaxThreads { return false, fmt.Errorf("auth: bad hash params") } salt, err := base64.RawStdEncoding.DecodeString(parts[4]) if err != nil { return false, err } want, err := base64.RawStdEncoding.DecodeString(parts[5]) if err != nil { return false, err } got := argon2.IDKey([]byte(password), salt, t, m, p, uint32(len(want))) return subtle.ConstantTimeCompare(got, want) == 1, nil }