Compare compares the password with the given PHC encoded hash, returns true if they match. The time taken is a function of the length of the slices and is independent of the contents.
(password, phc []byte)
| 86 | // if they match. The time taken is a function of the length of the slices and |
| 87 | // is independent of the contents. |
| 88 | func Compare(password, phc []byte) (bool, error) { |
| 89 | id, version, params, salt, hash, err := phcDecode(string(phc)) |
| 90 | if err != nil { |
| 91 | return false, errors.Wrap(err, "error decoding hash") |
| 92 | } |
| 93 | |
| 94 | var hashedPass []byte |
| 95 | switch id { |
| 96 | case bcryptHash: |
| 97 | return (bcrypt.CompareHashAndPassword(hash, password) == nil), nil |
| 98 | case scryptHash: |
| 99 | p, err := newScryptParams(params) |
| 100 | if err != nil { |
| 101 | return false, err |
| 102 | } |
| 103 | hashedPass, err = scrypt.Key(password, salt, p.N, p.r, p.p, len(hash)) |
| 104 | if err != nil { |
| 105 | return false, errors.Wrap(err, "error deriving input") |
| 106 | } |
| 107 | case argon2iHash: |
| 108 | p, err := newArgon2Params(params) |
| 109 | if err != nil { |
| 110 | return false, err |
| 111 | } |
| 112 | if version != 0 && version != argon2.Version { |
| 113 | return false, errors.Errorf("unsupported argon2 version '%d'", version) |
| 114 | } |
| 115 | hashedPass = argon2.Key(password, salt, p.t, p.m, p.p, cast.Uint32(len(hash))) |
| 116 | case argon2idHash: |
| 117 | p, err := newArgon2Params(params) |
| 118 | if err != nil { |
| 119 | return false, err |
| 120 | } |
| 121 | if version != 0 && version != argon2.Version { |
| 122 | return false, errors.Errorf("unsupported argon2 version '%d'", version) |
| 123 | } |
| 124 | hashedPass = argon2.IDKey(password, salt, p.t, p.m, p.p, cast.Uint32(len(hash))) |
| 125 | default: |
| 126 | return false, errors.Errorf("invalid or unsupported hash method with id '%s'", id) |
| 127 | } |
| 128 | |
| 129 | return (subtle.ConstantTimeCompare(hash, hashedPass) == 1), nil |
| 130 | } |
| 131 | |
| 132 | // CompareString compares the given password with the given PHC encoded hash, |
| 133 | // returns true if they match. The time taken is a function of the length of |
searching dependent graphs…