crypto

package
v0.2.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 15, 2026 | License: AGPL-3.0 | Imports: 10 | Imported by: 0

Documentation

Constants

const DefaultArgon2Memory uint32 = 64 * 1024

DefaultArgon2Memory is the default memory in KB (64 MB).

const DefaultArgon2Threads uint8 = 4

DefaultArgon2Threads is the default parallelism factor.

const DefaultArgon2Time uint32 = 1

DefaultArgon2Time is the default number of iterations.

Variables

var (
	ErrInvalidKeySize     = errors.New("key must be 32 bytes")
	ErrCiphertextTooShort = errors.New("ciphertext too short")
)

Encryption errors.

var (
	ErrInvalidHashFormat   = errors.New("invalid hash format")
	ErrUnsupportedHashAlgo = errors.New("unsupported hash algorithm")
)

Hash errors.

Functions

func DatabaseAAD

func DatabaseAAD(databaseUID string) []byte

DatabaseAAD returns the AAD for encrypting database credentials. This binds the ciphertext to a specific database UID, preventing credential transplant attacks where encrypted passwords are swapped between database rows.

func Decrypt

func Decrypt(ciphertext []byte, key []byte, aad []byte) ([]byte, error)

Decrypt decrypts ciphertext using AES-256-GCM with the provided key. The ciphertext must include the nonce prefix. The aad must match the value used during encryption, or be nil for legacy data.

func Encrypt

func Encrypt(plaintext []byte, key []byte, aad []byte) ([]byte, error)

Encrypt encrypts plaintext using AES-256-GCM with the provided key. The ciphertext includes the nonce prefix. Optional aad (Additional Authenticated Data) binds the ciphertext to a context, preventing the ciphertext from being used in a different context.
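
The context binding that DatabaseAAD, Decrypt and Encrypt describe, shown as an added sketch built only on the Go standard library (it is not this package's source). The names `rowAAD`, `seal` and `open` are hypothetical, and the `database:` AAD prefix and the all-zero key are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// rowAAD is a hypothetical stand-in for DatabaseAAD; its real byte layout is not shown here.
func rowAAD(databaseUID string) []byte { return []byte("database:" + databaseUID) }

// newGCM builds the AEAD; only 32-byte (AES-256) keys are accepted.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes")
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not stored.
func seal(plaintext, key, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits off the nonce prefix; it fails if key, ciphertext or aad differ.
func open(ct, key, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, for illustration only
	ct, _ := seal([]byte("s3cret"), key, rowAAD("db-A"))
	_, moved := open(ct, key, rowAAD("db-B")) // same ciphertext read from another row
	fmt.Println("transplant rejected:", moved != nil)
}
```

A ciphertext sealed with a row-specific AAD also fails to open with a nil AAD, so the nil path only ever accepts data that was encrypted without a context.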

func HashPassword

func HashPassword(password string) (string, error)

HashPassword generates an Argon2id hash of the password using default parameters.

func HashPasswordWithParams added in v0.0.1

func HashPasswordWithParams(password string, params HashParams) (string, error)

HashPasswordWithParams generates an Argon2id hash of the password using provided parameters.

func VerifyPassword

func VerifyPassword(encodedHash, password string) (bool, error)

VerifyPassword verifies a password against an Argon2id hash.

Types

type HashParams added in v0.0.1

type HashParams struct {
	MemoryKB uint32 // Memory in KB
	Time     uint32 // Number of iterations
	Threads  uint8  // Parallelism factor
}

HashParams holds configurable parameters for password hashing.

func DefaultHashParams added in v0.0.1

func DefaultHashParams() HashParams

DefaultHashParams returns the default hash parameters.
