cleanups

Author: eau

README.md

@@ -109,8 +109,9 @@ while encrypting new password and changing old ones can use the new "profile".
 
 # Changelog
 
-* v0.1.0: initial release
+* v0.1.2: fix hash parsing.
 * v0.1.1: fix /issues/1
+* v0.1.0: initial release
 
 # Status
 

argon.go

@@ -89,12 +89,12 @@ type Argon2Params struct {
 	Version int
 	Time    uint32
 	Memory  uint32
-	Thread  uint8
 	Saltlen uint32
 	Keylen  uint32
+	Thread  uint8
+	Masked  bool // are parameters private
 	// unexported
-	salt   []byte // on compare only..
-	Masked bool   // are parameters private
+	salt []byte // on compare only..
 }
 
 // [0] password: 'prout' hashed: '$2id$aiOE.rPFUFkkehxc6utWY.$1$65536$8$32$Wv1IMP6xwaqVaQGOX6Oxe.eSEbozeRJLzln8ZlthZfS'
@@ -107,14 +107,16 @@ func newArgon2ParamsFromFields(fields []string) (*Argon2Params, error) {
 	// salt
 	salt, err := base64Decode([]byte(fields[0])) // process the salt
 	if err != nil {
-		return nil, err
+		fmt.Printf("b64 decode error: %v\n", err)
+		return nil, ErrParse
 	}
 	saltlen := uint32(len(salt))
 
 	// ARGON FIELD: ["mezIC/cmChATxAfFFe9ele" "2" "65536" "8" "32" "omYy81uRZcZv6JkbH17wA0s1CSpH4UQttXBB42oKMXK"]
 	timeint, err := strconv.ParseInt(fields[1], 10, 32)
 	if err != nil {
-		return nil, err
+		fmt.Printf("invalid time decode error: %v\n", err)
+		return nil, ErrParse
 	}
 	time := uint32(timeint)
 

base64.go

@@ -14,9 +14,8 @@ import "encoding/base64"
 
 const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
 
-var bcEncoding = base64.NewEncoding(alphabet)
-
 func base64Encode(src []byte) []byte {
+	bcEncoding := base64.NewEncoding(alphabet)
 	n := bcEncoding.EncodedLen(len(src))
 	dst := make([]byte, n)
 	bcEncoding.Encode(dst, src)
@@ -32,6 +31,7 @@ func base64Decode(src []byte) ([]byte, error) {
 		src = append(src, '=')
 	}
 
+	bcEncoding := base64.NewEncoding(alphabet)
 	dst := make([]byte, bcEncoding.DecodedLen(len(src)))
 	n, err := bcEncoding.Decode(dst, src)
 	if err != nil {

cmd/pcrypt/main.go

@@ -44,7 +44,11 @@ func main() {
 		switch {
 		case len(*checkFlag) > 0:
 			for idx, passwordStr := range argv {
-				fmt.Printf("[%d] is '%s' the passwd? %v\n", idx, passwordStr, passwd.Compare([]byte(*checkFlag), []byte(passwordStr)))
+				fmt.Printf("[%d] is '%s' the passwd? %v\n",
+					idx,
+					passwordStr,
+					passwd.Compare([]byte(*checkFlag), []byte(passwordStr)),
+				)
 			}
 		default:
 			for idx, passwordStr := range argv {

error.go

@@ -5,13 +5,18 @@ package passwd
 // also avoid your error checks can be diverted cross packages
 // when in usage in the rest of an package ecosystem
 
+// Error is the type helping defining errors as constants.
 type Error string
 
 func (e Error) Error() string { return string(e) }
 
 const (
-	ErrParse       = Error("parse error")
+	// ErrParse when a parse error happened
+	ErrParse = Error("parse error")
+	// ErrUnsupported when a feature is not supported
 	ErrUnsupported = Error("unsupported")
-	ErrMismatch    = Error("mismatch")
-	ErrUnsafe      = Error("unsafe parameters")
+	// ErrMismatch is returned when Compare() call does not match
+	ErrMismatch = Error("mismatch")
+	// ErrValidate is to validate password hashing parameters strength
+	ErrUnsafe = Error("unsafe parameters")
 )

go.mod

@@ -3,6 +3,7 @@ module git.sr.ht/~eau/passwd
 go 1.12
 
 require (
-	golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a
-	golang.org/x/text v0.3.0
+	golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443
+	golang.org/x/sys v0.0.0-20190621203818-d432491b9138 // indirect
+	golang.org/x/text v0.3.2
 )

go.sum

@@ -1,5 +1,12 @@
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a h1:Igim7XhdOpBnWPuYJ70XcNpq8q3BCACtVgNfoJxOV7g=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443 h1:IcSOAf4PyMp3U3XbIEj1/xJ2BjNN2jWv7JoyOsMxXUU=
+golang.org/x/crypto v0.0.0-20190618222545-ea8f1a30c443/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190621203818-d432491b9138 h1:t8BZD9RDjkm9/h7yYN6kE8oaeov5r9aztkB7zKA5Tkg=
+golang.org/x/sys v0.0.0-20190621203818-d432491b9138/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

parse.go

@@ -41,7 +41,7 @@ func parseFromHashToParams(hashed []byte) (interface{}, error) {
 		sp, err := newScryptParamsFromFields(fields[1:]) // mismatch.
 		if err != nil {
 			// XXX wrapp the error
-			return nil, ErrParse
+			return nil, err
 		}
 		return *sp, nil
 	case idArgon2i:
@@ -51,9 +51,8 @@ func parseFromHashToParams(hashed []byte) (interface{}, error) {
 		ap, err := newArgon2ParamsFromFields(fields[1:]) // mismatch.
 		if err != nil {
 			// XXX wrapp the error
-			return nil, ErrParse
+			return nil, err
 		}
-		//return ap.Compare(hashed, password)
 		return *ap, nil
 	}
 	return nil, ErrParse
@@ -74,7 +73,7 @@ func parseFromHashToSalt(hashed []byte) ([]byte, error) {
 	case idArgon2id:
 		salt, err := base64Decode([]byte(fields[1])) // process the salt
 		if err != nil {
-			return nil, ErrParse
+			return nil, err
 		}
 		return salt, nil
 	}

passwd.go

@@ -52,9 +52,9 @@ const (
 	ScryptParanoid
 	BcryptDefault
 	BcryptParanoid
-	Argon2Custom
-	ScryptCustom
-	BcryptCustom
+	Argon2Custom // value for custom
+	ScryptCustom // value for custom
+	BcryptCustom // value for custom
 )
 
 var (
@@ -78,7 +78,7 @@ type Profile struct {
 	params interface{} // parameters
 }
 
-// New instanciate a new Profile
+// New instantiate a new Profile
 func New(profile HashProfile) (*Profile, error) {
 	var p Profile
 
@@ -95,39 +95,10 @@ func New(profile HashProfile) (*Profile, error) {
 	return nil, ErrUnsupported
 }
 
-// NewCustom instanciates a new Profile using user defined hash parameters
-func NewCustom(params interface{}) (*Profile, error) {
-	var p Profile
-
-	switch v := params.(type) {
-	case BcryptParams:
-		p = Profile{
-			t:      BcryptCustom,
-			params: v,
-		}
-		return &p, nil
-	case ScryptParams:
-		p = Profile{
-			t:      ScryptCustom,
-			params: v,
-		}
-		return &p, nil
-	case Argon2Params:
-		p = Profile{
-			t:      Argon2Custom,
-			params: v,
-		}
-		return &p, nil
-	}
-
-	return nil, ErrUnsupported
-}
-
 // NewMasked instanciates a new masked Profile.
 // "masked" translate to the fact that no hash parameters will be provided in
 // the resulting hash.
 func NewMasked(profile HashProfile) (*Profile, error) {
-
 	switch profile {
 	case Argon2idDefault, Argon2idParanoid, ScryptDefault, ScryptParanoid, BcryptDefault, BcryptParanoid:
 		var p Profile
@@ -161,6 +132,34 @@ func NewMasked(profile HashProfile) (*Profile, error) {
 	return nil, ErrUnsupported
 }
 
+// NewCustom instanciates a new Profile using user defined hash parameters
+func NewCustom(params interface{}) (*Profile, error) {
+	var p Profile
+
+	switch v := params.(type) {
+	case BcryptParams:
+		p = Profile{
+			t:      BcryptCustom,
+			params: v,
+		}
+		return &p, nil
+	case ScryptParams:
+		p = Profile{
+			t:      ScryptCustom,
+			params: v,
+		}
+		return &p, nil
+	case Argon2Params:
+		p = Profile{
+			t:      Argon2Custom,
+			params: v,
+		}
+		return &p, nil
+	}
+
+	return nil, ErrUnsupported
+}
+
 // Hash is the Profile method for computing the hash value
 // respective of the selected profile.
 // it takes the plaintext password to hash and output its hashed value
@@ -187,8 +186,8 @@ func (p *Profile) Hash(password []byte) ([]byte, error) {
 func (p *Profile) Compare(hashed, password []byte) error {
 	salt, err := parseFromHashToSalt(hashed)
 	if err != nil {
-		fmt.Printf("error: %v\n", err)
-		return err
+		fmt.Printf("compare parse error: %v\n", err)
+		return ErrMismatch
 	}
 
 	switch v := p.params.(type) {
@@ -220,7 +219,8 @@ func Compare(hashed, password []byte) error {
 
 	params, err := parseFromHashToParams(hashed)
 	if err != nil {
-		return err
+		fmt.Printf("compare parse error: %v\n", err)
+		return ErrMismatch
 	}
 
 	//fmt.Printf("PARAM TYPE: %T\n", params)

scrypt.go

@@ -80,8 +80,8 @@ type ScryptParams struct {
 	Saltlen uint32 // 128 bits min.
 	Keylen  uint32 // 128 bits min.
 	// unexported
-	salt   []byte // my salt..
 	Masked bool   // are parameters private
+	salt   []byte // my salt..
 }
 
 func newScryptParamsFromFields(fields []string) (*ScryptParams, error) {