Categorygithub.com/pilinux/argon2
modulepackage
0.15.0
Repository: https://github.com/pilinux/argon2.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
12
Dependents
4
Files
624 SLOC

# README

argon2 unofficial

CodeQL Build Linter Codecov Go Reference Go Report Card CodeFactor CodeBeat

Package argon2 is an improved version of the official Go argon2 hashing package.

Features missing from the official Go argon2 package:

  • NIST 800-63B recommends using a secret value of at least 112 bits. But as of now (golang.org/x/crypto v0.19.0), Key and IDkey functions pass nil value when calling deriveKey function.
  • Does not provide any straightforward way for password hashing and verification.

This package contains two additional functions KeyWithSecret and IDKeyWithSecret to provide an extra layer of security on top of the existing Key and IDKey functions by including an additional secret.

One of the standout features of this package is the seamless integration of a user-friendly wrapper (an improved version of github.com/alexedwards/argon2id). The wrapper encapsulates the complexities of the underlying argon2 package, offering a simplified and intuitive interface for developers across different projects.

Usage

package main

import (
	"fmt"

	"github.com/pilinux/argon2"
)

func main() {
	// Argon2i
	// create hash using argon2i and without any secret
	// $argon2i$v=19$m=65536,t=1,p=2$frbISZVHQ/ZgUpNA0SgdNQ$GuGB9vz9rTcJmDIebUFmVk0kyAX9xninyCp696PRdCA
	hash, err := argon2.CreateHash("pa$$word", "", argon2.DefaultParams)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(hash)

	// ComparePasswordAndHash performs a constant-time comparison between a
	// plain-text password and argon2id hash, using the parameters and salt
	// contained in the hash. It returns true if they match, otherwise it returns
	// false.
	match, err := argon2.ComparePasswordAndHash("pa$$word", "", hash)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Match: %v\n", match)

	// create hash using argon2i and with secret
	// $argon2i$v=19$m=65536,t=1,p=2$TfGuJ6SGvluWcQjsDdQWPQ$Seozoi/ZKJngavqpyZ5rs5lX5EKzJ2HSnMWJwVwJmVU
	hash, err = argon2.CreateHash("pa$$word", "12€45", argon2.DefaultParams)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(hash)

	match, err = argon2.ComparePasswordAndHash("pa$$word", "12€45", hash)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Match: %v\n", match)
	// --------------------------------------------------------------

	// Argon2id
	// create hash using argon2id and without any secret
	// $argon2id$v=19$m=65536,t=1,p=2$+Ni27r9ZIaEBs8mZn60Dlg$cxuw8quTcT5fIDqNIU27SinXyKiKQWFo/mfF4sogeKo
	idHash, err := argon2.IDCreateHash("pa$$word", "", argon2.DefaultParams)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(idHash)

	match, err = argon2.ComparePasswordAndHash("pa$$word", "", idHash)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Match: %v\n", match)

	// create hash using argon2id and with secret
	// $argon2id$v=19$m=65536,t=1,p=2$+haa0lKvImdlxrXCs0aJ/A$1h2lpPic8KQ7XckSdg+cE7LJX5kQ83BAZGNCBL6zmZI
	idHash, err = argon2.IDCreateHash("pa$$word", "12€45", argon2.DefaultParams)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(idHash)

	match, err = argon2.ComparePasswordAndHash("pa$$word", "12€45", idHash)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("Match: %v\n", match)
}

Parameters

  • Memory — The amount of memory used by the Argon2 algorithm (in kibibytes).
  • Iterations — The number of iterations (or passes) over the memory.
  • Parallelism — The number of threads (or lanes) used by the algorithm.
  • Salt length — Length of the random salt. 16 bytes or more is recommended for password hashing.
  • Key length — Length of the generated key (or password hash). 16 bytes or more is recommended.
params := &argon2.Params{
		Memory:      128 * 1024,
		Iterations:  4,
		Parallelism: 4,
		SaltLength:  16,
		KeyLength:   32,
	}

hash, err := argon2.CreateHash("pa$$word", "", params)

For guidance, visit: rfc9106

# Functions

CheckHash is like ComparePasswordAndHash, except it also returns the params that the hash was created with.
ComparePasswordAndHash performs a constant-time comparison between a plain-text password and Argon2 hash, using the parameters, secret and salt contained in the hash.
CreateHash generates an Argon2i password hash using the provided password, secret, and parameters.
DecodeHash expects a hash created from this package, and parses it to return the params used to create it, as well as the variant of argon2, salt and key (password hash).
IDCreateHash generates an Argon2id password hash using the provided password, secret, and parameters.
IDKey derives a key from the password, salt, and cost parameters using Argon2id returning a byte slice of length keyLen that can be used as cryptographic key.
IDKeyWithSecret adds an extra layer of security on top of the existing IDKey function by including an additional secret.
Key derives a key from the password, salt, and cost parameters using Argon2i returning a byte slice of length keyLen that can be used as cryptographic key.
KeyWithSecret adds an extra layer of security on top of the existing Key function by including an additional secret.

# Constants

The Argon2 version implemented by this package.

# Variables

DefaultParams provides some sane default parameters for hashing passwords.
ErrIncompatibleVariant is returned by ComparePasswordAndHash if the provided hash was created using a unsupported variant of Argon2.
ErrIncompatibleVersion is returned by ComparePasswordAndHash if the provided hash was created using a different version of Argon2.
ErrInvalidHash is returned by ComparePasswordAndHash if the provided hash isn't in the expected format.

# Structs

Params describes the input parameters used by the Argon2id algorithm.