Hi all,

I want to update my authentication code to use 
golang.org/x/crypto/argon2 as a replacement for 
github.com/tvdburgt/go-argon2, which uses the legacy C lib under the hood 
through CGO.
The main benefit is of course to drop the usage of CGO.

But I have encountered a serious issue: with the same inputs (password, salt, 
times, threads, memory), the 2 libraries give me 2 different hashes. 
That means it's impossible for me to migrate, or else I have to ask all my 
users to regenerate their passwords, which is not acceptable for me.

I wonder if I did something wrong. To illustrate, I wrote a small test, 
runnable inside github.com/tvdburgt/go-argon2:

package argon2

import (
        "bytes"
        "encoding/base64"
        "testing"

        xargon2 "golang.org/x/crypto/argon2"
)

func TestCompat(t *testing.T) {
        salt := []byte("0123456789abcdef")
        pwd := []byte("some password")

        ctx := &Context{
                Iterations:  3,
                Memory:      1 << 16,
                Parallelism: 4,
                HashLen:     32,
                Mode:        ModeArgon2i,
        }
        hash, err := Hash(ctx, pwd, salt)
        if err != nil {
                t.Fatal(err)
        }

        xhash := xargon2.Key(pwd, salt, 3, 1<<16, 4, 32)

        if !bytes.Equal(hash, xhash) {
                t.Errorf("Compat failed:\n%s\n%s\n",
                        base64.StdEncoding.EncodeToString(hash),
                        base64.StdEncoding.EncodeToString(xhash),
                )
        }
}

And the result is:

$ go test .
--- FAIL: TestCompat (0.08s)
    compat_test.go:30: Compat failed:
        UgjfozCx6kU6vTNKoN8Ic2UTh7Ckphy0Dc79+1xlT/0=
        mf9LVGs+VH62cWpoLZVfCvtBWye6uMD7sWJfhYQk3fo=
FAIL
FAIL    github.com/tvdburgt/go-argon2   0.362s




Thanks in advance
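
An added example, not part of the original post and not code from either library: Argon2's output depends on the variant (d/i/id) and the version number (0x10 or 0x13) as well as the five inputs listed above, so comparing the full parameter set of stored hashes shows which input differs before a migration. It assumes hashes are stored as encoded strings in the reference `$argon2...` format; `ParsePHC`, `Mismatch` and the sample strings are constructed for illustration and say nothing about which input differs in the test above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed samples with placeholder tags; SampleB has no v= field.
const SampleA = "$argon2i$v=19$m=65536,t=3,p=4$MDEyMzQ1Njc4OWFiY2RlZg$QUFBQUFBQUFBQUFBQUFBQQ"
const SampleB = "$argon2i$m=65536,t=3,p=4$MDEyMzQ1Njc4OWFiY2RlZg$QkJCQkJCQkJCQkJCQkJCQg"
// Inputs carried in the string; a difference in any one changes the tag.
var keys = []string{"variant", "version", "m", "t", "p", "salt"}

// ParsePHC splits "$argon2i$v=19$m=65536,t=3,p=4$salt$tag" into named fields.
func ParsePHC(s string) (map[string]string, error) {
	f := strings.Split(s, "$")
	if len(f) < 5 || f[0] != "" || !strings.HasPrefix(f[1], "argon2") {
		return nil, fmt.Errorf("not an Argon2 PHC string: %q", s)
	}
	// With no v= field the version is 16 (0x10), as the reference decoder assumes.
	p, ver := map[string]string{}, "16"
	if strings.HasPrefix(f[2], "v=") {
		ver, f = f[2][2:], append(f[:2], f[3:]...)
	}
	for _, kv := range strings.Split(f[2], ",") {
		k, v, _ := strings.Cut(kv, "=")
		p[k] = v
	}
	if len(f) != 5 || p["m"] == "" || p["t"] == "" || p["p"] == "" {
		return nil, fmt.Errorf("malformed Argon2 PHC string: %q", s)
	}
	p["variant"], p["version"], p["salt"], p["tag"] = f[1], ver, f[3], f[4]
	return p, nil
}

// Mismatch names the fields that differ between two parsed hashes.
func Mismatch(a, b map[string]string) (diff []string) {
	for _, k := range keys {
		if a[k] != b[k] {
			diff = append(diff, k)
		}
	}
	return diff
}

func main() {
	a, _ := ParsePHC(SampleA)
	b, _ := ParsePHC(SampleB)
	fmt.Println(Mismatch(a, b)) // [version]
}
```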
