forked from hlandau/passlib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
default.go
141 lines (129 loc) · 5.41 KB
/
default.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
package passlib
import (
"fmt"
"gopkg.in/hlandau/passlib.v1/abstract"
"gopkg.in/hlandau/passlib.v1/hash/argon2"
"gopkg.in/hlandau/passlib.v1/hash/bcrypt"
"gopkg.in/hlandau/passlib.v1/hash/bcryptsha256"
"gopkg.in/hlandau/passlib.v1/hash/pbkdf2"
"gopkg.in/hlandau/passlib.v1/hash/scrypt"
"gopkg.in/hlandau/passlib.v1/hash/sha2crypt"
"time"
)
// This is the first and default set of defaults used by passlib. It prefers
// scrypt-sha256. It is now obsolete.
const Defaults20160922 = "20160922"
// This is the most up-to-date set of defaults preferred by passlib. It prefers
// Argon2i. You must opt into it by calling UseDefaults at startup.
const Defaults20180601 = "20180601"
// This value, when passed to UseDefaults, causes passlib to always use the
// very latest set of defaults. DO NOT use this unless you are sure that
// opportunistic hash upgrades will not cause breakage for your application
// when future versions of passlib are released. See func UseDefaults.
const DefaultsLatest = "latest"
// Default schemes as of 2016-09-22.
var defaultSchemes20160922 = []abstract.Scheme{
scrypt.SHA256Crypter,
argon2.Crypter,
sha2crypt.Crypter512,
sha2crypt.Crypter256,
bcryptsha256.Crypter,
pbkdf2.SHA512Crypter,
pbkdf2.SHA256Crypter,
bcrypt.Crypter,
pbkdf2.SHA1Crypter,
}
// Default schemes as of 2018-06-01.
var defaultSchemes20180601 = []abstract.Scheme{
argon2.Crypter,
scrypt.SHA256Crypter,
sha2crypt.Crypter512,
sha2crypt.Crypter256,
bcryptsha256.Crypter,
pbkdf2.SHA512Crypter,
pbkdf2.SHA256Crypter,
bcrypt.Crypter,
pbkdf2.SHA1Crypter,
}
// The default schemes, most preferred first. The first scheme will be used to
// hash passwords, and any of the schemes may be used to verify existing
// passwords. The contents of this value may change with subsequent releases.
//
// If you want to change this, set DefaultSchemes to a slice to an
// abstract.Scheme array of your own construction, rather than mutating the
// array the slice points to.
//
// To see the default schemes used in the current release of passlib, see
// default.go. See also the UseDefaults function for more information on how
// the list of default schemes is determined. The default value of
// DefaultSchemes (the default defaults) won't change; you need to call
// UseDefaults to allow your application to upgrade to newer hashing schemes
// (or set DefaultSchemes manually, or create a custom context with its own
// schemes set).
var DefaultSchemes []abstract.Scheme
func init() {
DefaultSchemes = defaultSchemes20160922
}
// It is strongly recommended that you call this function like this before using passlib:
//
// passlib.UseDefaults("YYYYMMDD")
//
// where YYYYMMDD is a date. This will be used to select the preferred scheme
// to use. If you do not call UseDefaults, the preferred scheme (the first item
// in the default schemes list) current as of 2016-09-22 will always be used,
// meaning that upgrade will not occur even though better schemes are now
// available.
//
// Note that even if you don't call this function, new schemes will still be
// added to DefaultSchemes over time as non-initial values (items not at index
// 0), so servers will always, by default, be able to validate all schemes
// which passlib supports at any given time.
//
// The reason you must call this function is as follows: If passlib is deployed
// as part of a web application in a multi-server deployment, and passlib is
// updated, and the new version of that application with the updated passlib is
// deployed, that upgrade process is unlikely to be instantaneous. Old versions
// of the web application may continue to run on some servers. If merely
// upgrading passlib caused password hashes to be upgraded to the newer scheme
// on login, the older daemons may not be able to validate these passwords and
// users may have issues logging in. Although this can be ameliorated to some
// extent by introducing a new scheme to passlib, waiting some months, and only
// then making this the default, this could still cause issued if passlib is
// only updated very occasionally.
//
// Thus, you should update your call to UseDefaults only when all servers have
// been upgraded, and it is thus guaranteed that they will all be able to
// verify the new scheme. Making this value loadable from a configuration file
// is recommended.
//
// If you are using a single-server configuration, you can use the special
// value "latest" here (or, equivalently, a date far into the future), which
// will always use the most preferred scheme. This is hazardous in a
// multi-server environment.
//
// The constants beginning 'Defaults' in this package document dates
// which are meaningful to this function. The constant values they are equal to
// will never change, so there is no need to use them instead of string
// literals, although you may if you wish; they are intended mainly as
// documentation as to the significance of various dates.
//
// Example for opting in to the latest set of defaults:
//
// passlib.UseDefaults(passlib.Defaults20180601)
//
func UseDefaults(date string) error {
if date == "latest" {
DefaultSchemes = defaultSchemes20180601
return nil
}
t, err := time.ParseInLocation("20060102", date, time.UTC)
if err != nil {
return fmt.Errorf("invalid time string passed to passlib.UseDefaults: %q", date)
}
if !t.Before(time.Date(2016, 9, 22, 0, 0, 0, 0, time.UTC)) {
DefaultSchemes = defaultSchemes20180601
return nil
}
DefaultSchemes = defaultSchemes20160922
return nil
}