// TestKDF checks three properties of kdf.KDF when called with the default
// salt and repetition count: the same password derives the same key, a
// different password derives a different key, and the derived key is 32
// bytes long.
func TestKDF(t *testing.T) {
	derive := func(password string) []byte {
		return kdf.KDF([]byte(password), kdf.DefaultSalt, kdf.DefaultReps)
	}

	// Determinism: identical inputs must give identical output.
	first, second := derive("aardvark"), derive("aardvark")
	if same := hmac.Equal(first, second); !same {
		t.Error("Expected kdf's to be equal")
	}

	// Sensitivity: a different password must not collide with the first key.
	if other := derive("sailboat"); hmac.Equal(first, other) {
		t.Error("Expected kdf's not to be equal")
	}

	// Output length: the rest of the file uses the result as a cipher key.
	if got := len(first); got != 32 {
		t.Error("Expected key to be 32 bytes")
	}
}
// ChangePassword changes the password of this user. func (u *User) ChangePassword(oldPass, newPass string) error { var key []byte var err error if key, err = u.verifyPassword(oldPass); err != nil { return err } u.Key, err = aes.EncryptB(key, kdf.KDF([]byte(newPass), kdf.DefaultSalt, kdf.DefaultReps)) return err }
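// InitWithKey initializes this user instance with a user name and password
// so that the user uses key as its key.
//
// key.Value is encrypted under a key derived from password and stored in
// u.Key. u.Checksum receives the base64 encoding of kdf.NewHMAC over
// key.Value, which verifyPassword decodes and checks after decrypting u.Key.
// The receiver is modified only once encryption has succeeded; on failure the
// error is returned and no field of u is changed, so a caller never sees a
// user with Owner and Name set but no usable Key.
func (u *User) InitWithKey(name, password string, key *Key) (err error) {
	// NOTE(review): the salt is the package-level kdf.DefaultSalt rather than
	// a per-user value; confirm whether it is a fixed constant and, if so,
	// consider generating and storing a random salt per user.
	derived := kdf.KDF([]byte(password), kdf.DefaultSalt, kdf.DefaultReps)

	wrapped, err := aes.EncryptB(key.Value, derived)
	if err != nil {
		return err
	}
	checksum := base64.StdEncoding.EncodeToString(
		kdf.NewHMAC(key.Value, kdf.DefaultReps))

	// Commit all fields together now that nothing else can fail.
	u.Owner = key.Id
	u.Name = name
	u.Key = wrapped
	u.Checksum = checksum
	return nil
}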
// verifyPassword checks password against this user and, on success, returns
// the user's decrypted key.
//
// u.Key is decrypted with a key derived from password, u.Checksum is
// base64-decoded, and kdf.VerifyHMAC compares the two. A decryption or
// decoding error is returned as is; a checksum mismatch yields
// ErrWrongPassword.
//
// NOTE(review): depending on how aes.DecryptB reports failures, a wrong
// password may surface as its error rather than as ErrWrongPassword. Callers
// should presumably treat any error from this method as a failed
// authentication; confirm against the callers.
func (u *User) verifyPassword(password string) ([]byte, error) {
	var (
		plain []byte
		err   error
	)

	// NOTE(review): the salt is the package-level kdf.DefaultSalt for every
	// user; confirm whether a per-user salt is intended.
	derived := kdf.KDF([]byte(password), kdf.DefaultSalt, kdf.DefaultReps)
	if plain, err = aes.DecryptB(u.Key, derived); err != nil {
		return nil, err
	}

	sum, err := base64.StdEncoding.DecodeString(u.Checksum)
	if err != nil {
		return nil, err
	}

	// The decrypted key is released only when it matches the stored checksum.
	if kdf.VerifyHMAC(plain, sum, kdf.DefaultReps) {
		return plain, nil
	}
	return nil, ErrWrongPassword
}