From 09950345584f6d991a5853f62c67d9c98abc3efc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?=
Date: Mon, 20 Feb 2023 23:25:12 +0100
Subject: [PATCH] [SECURITY] default to pbkdf2 with 320,000 iterations

Conflicts:
	modules/auth/password/hash/setting.go
	modules/auth/password/hash/setting_test.go
---
 custom/conf/app.example.ini                | 4 ++--
 modules/auth/password/hash/setting.go      | 9 ++++++++-
 modules/auth/password/hash/setting_test.go | 8 ++++----
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 3ca49cf730..67013ac19a 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -439,8 +439,8 @@ INTERNAL_TOKEN=
 ;;Classes include "lower,upper,digit,spec"
 ;PASSWORD_COMPLEXITY = off
 ;;
-;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-;PASSWORD_HASH_ALGO = pbkdf2
+;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2_hi
 ;;
 ;; Set false to allow JavaScript to read CSRF cookie
 ;CSRF_COOKIE_HTTP_ONLY = true
diff --git a/modules/auth/password/hash/setting.go b/modules/auth/password/hash/setting.go
index 22f97dffe5..f33c3ba376 100644
--- a/modules/auth/password/hash/setting.go
+++ b/modules/auth/password/hash/setting.go
@@ -3,7 +3,14 @@
 
 package hash
 
-const DefaultHashAlgorithmName = "pbkdf2"
+// DefaultHashAlgorithmName represents the default value of PASSWORD_HASH_ALGO
+// configured in app.ini.
+//
+// It is NOT the same and does NOT map to the defaultEmptyHashAlgorithmSpecification.
+//
+// It will be dealiased as per aliasAlgorithmNames whereas
+// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
+const DefaultHashAlgorithmName = "pbkdf2_hi"
 
 var DefaultHashAlgorithm *PasswordHashAlgorithm
 
diff --git a/modules/auth/password/hash/setting_test.go b/modules/auth/password/hash/setting_test.go
index 4c20ff179b..04965363a1 100644
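Review bot: The new comment line `;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"` names `pbkdf2_hi` without saying how it differs from `pbkdf2`, which is exactly what an operator deciding whether to keep the new default needs to know; the commit subject has the answer (320,000 iterations) but the example file does not. I would add a line such as `;; "pbkdf2_hi" is PBKDF2 with 320,000 iterations and is the built-in default when this key is unset` directly under it. If the slash in `"pbkdf2"/"pbkdf2_v2"` means the two names are aliases of the same parameters, say so explicitly rather than leaving it to the reader to infer. Because `PASSWORD_HASH_ALGO` stays commented out, this line only documents the code default in setting.go and the two must be kept in sync by hand.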
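Review bot: The doc comment on `DefaultHashAlgorithmName` explains how the constant relates to `defaultEmptyHashAlgorithmSpecification` but never says what `"pbkdf2_hi"` selects, and nothing in this patch defines that alias, so the 320,000-iteration property the commit is titled after is stated nowhere in the code. The `Conflicts:` trailer shows this is a cherry-pick, so it should be confirmed that the target branch's `aliasAlgorithmNames` already contains `"pbkdf2_hi"`; if it does not, the new default would be dealiased as an unknown name and the intended hardening would not take effect. I would extend the comment with `// "pbkdf2_hi" selects PBKDF2 with 320,000 iterations and must be a key of aliasAlgorithmNames.` so a later change to that table is checked against this constant. Whether already-stored hashes are re-hashed on the next login is not visible here; if they are not, that is worth one sentence in the comment too.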
--- a/modules/auth/password/hash/setting_test.go
+++ b/modules/auth/password/hash/setting_test.go
@@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
 		})
 	}
 
-	t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+	t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
 		emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
-		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+		pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
 
-		assert.Equal(t, pbkdf2v2Config, emptyConfig)
-		assert.Equal(t, pbkdf2v2Algo.Name, emptyAlgo.Name)
+		assert.Equal(t, pbkdf2hiConfig, emptyConfig)
+		assert.Equal(t, pbkdf2hiAlgo.Name, emptyAlgo.Name)
 	})
 }
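Review bot: The updated subtest only checks that an empty `PASSWORD_HASH_ALGO` resolves to the same config and name as `"pbkdf2_hi"`; it never asserts what `"pbkdf2_hi"` is, so a later edit that points the alias at a weaker iteration count would still pass. Since the security claim of this commit is the 320,000 iterations, one assertion on the resolved parameters would pin it — for example `assert.Contains(t, emptyConfig, "320000")` if `emptyConfig` is the textual spec string (its type is not visible in the hunk; adapt to whatever `SetDefaultPasswordHashAlgorithm` returns). A second subtest checking that `"pbkdf2"` still resolves to the same config as `"pbkdf2_v2"`, which the app.example.ini comment in this patch implies, would catch an accidental change to the legacy alias that existing hashes depend on. `TestCheckSettingPasswordHashAlgorithm` starts before the hunk.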