Merge pull request '[SECURITY] default to pbkdf2 with 320,000 iterations' (#407) from dachary/forgejo:wip-v1.18-default-hash into v1.18/forgejo-development

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/407
Loïc Dachary 2023-02-22 13:01:15 +00:00
commit 1a5a50c479
8 changed files with 19 additions and 7 deletions


@ -439,8 +439,8 @@ INTERNAL_TOKEN=
;;Classes include "lower,upper,digit,spec" ;;Classes include "lower,upper,digit,spec"
;PASSWORD_COMPLEXITY = off ;PASSWORD_COMPLEXITY = off
;; ;;
;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt" ;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
;PASSWORD_HASH_ALGO = pbkdf2 ;PASSWORD_HASH_ALGO = pbkdf2_hi
;; ;;
;; Set false to allow JavaScript to read CSRF cookie ;; Set false to allow JavaScript to read CSRF cookie
;CSRF_COOKIE_HTTP_ONLY = true ;CSRF_COOKIE_HTTP_ONLY = true
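Review bot: The new comment on the PASSWORD_HASH_ALGO line lists "pbkdf2_hi" next to "pbkdf2"/"pbkdf2_v2" without saying what distinguishes it, so an administrator reading app.ini cannot tell why the default moved; the PR title is the only place on this page stating that it means PBKDF2 with 320,000 iterations. Suggest extending the comment, e.g. `;; "pbkdf2_hi" is PBKDF2 with 320,000 iterations and is the recommended default; "pbkdf2" is kept as an alias of the older "pbkdf2_v2" spec`. The alias relationship is inferred from the slash in the comment and should be confirmed against the code before documenting it. It would also help to state whether changing this value rehashes stored passwords or only applies to passwords set afterwards, since that determines how an upgrade behaves for existing users.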


@ -3,7 +3,14 @@
package hash package hash
const DefaultHashAlgorithmName = "pbkdf2" // DefaultHashAlgorithmName represents the default value of PASSWORD_HASH_ALGO
// configured in app.ini.
//
// It is NOT the same and does NOT map to the defaultEmptyHashAlgorithmSpecification.
//
// It will be dealiased as per aliasAlgorithmNames whereas
// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
const DefaultHashAlgorithmName = "pbkdf2_hi"
var DefaultHashAlgorithm *PasswordHashAlgorithm var DefaultHashAlgorithm *PasswordHashAlgorithm
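Review bot: The new doc comment states that DefaultHashAlgorithmName does NOT map to defaultEmptyHashAlgorithmSpecification, yet the test in the next file asserts that an empty PASSWORD_HASH_ALGO resolves to the same algorithm as "pbkdf2_hi", and none of the eight files in this commit touches defaultEmptyHashAlgorithmSpecification, so the two values appear to be kept in agreement by convention only. Suggest saying so explicitly, e.g. `// Both this constant and defaultEmptyHashAlgorithmSpecification must select the same algorithm; TestCheckSettingPasswordHashAlgorithm enforces this.` The comment also never says what "pbkdf2_hi" is; a sentence such as `// "pbkdf2_hi" is PBKDF2 with 320,000 iterations (see PR #407).` would make the security rationale discoverable from the code rather than only from the merge title. The iteration count is taken from the PR title and should be confirmed against the algorithm registration.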


@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
}) })
} }
t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) { t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("") emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2") pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
assert.Equal(t, pbkdf2v2Config, emptyConfig) assert.Equal(t, pbkdf2hiConfig, emptyConfig)
assert.Equal(t, pbkdf2v2Algo.Name, emptyAlgo.Name) assert.Equal(t, pbkdf2hiAlgo.Name, emptyAlgo.Name)
}) })
} }
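Review bot: The renamed subtest repeats the literal "pbkdf2_hi" in the SetDefaultPasswordHashAlgorithm call, so the next change of the default will require editing this test again, exactly as this commit had to do for "pbkdf2_v2". If the hash package's DefaultHashAlgorithmName is reachable from this test package, `SetDefaultPasswordHashAlgorithm(hash.DefaultHashAlgorithmName)` with a subtest name built from that constant would tie the test to the constant rather than to a copy of its value. Whether that import is available here cannot be seen from the hunk. The enclosing TestCheckSettingPasswordHashAlgorithm starts outside the hunk.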


@ -98,6 +98,7 @@ COLORIZE = true
LEVEL = Debug LEVEL = Debug
[security] [security]
PASSWORD_HASH_ALGO = argon2
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = 9pCviYTWSb SECRET_KEY = 9pCviYTWSb
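Review bot: Pinning `PASSWORD_HASH_ALGO = argon2` in this integration-test config, and identically in the four following test configs, means the new pbkdf2_hi default is never exercised by those test runs, and the hunk gives no reason for the override. If the intent is to keep fixture password hashes valid or to avoid the cost of 320,000 iterations per login during tests, a comment line above it would preserve that knowledge, e.g. `; pinned so the test fixtures do not depend on the configured default (pbkdf2_hi); confirm the reason with the author`. Consider leaving at least one of the configs on the default so the shipped setting is covered by an integration test. The reason for the override is inferred and should be confirmed before documenting it.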


@ -117,6 +117,7 @@ COLORIZE = true
LEVEL = Debug LEVEL = Debug
[security] [security]
PASSWORD_HASH_ALGO = argon2
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = 9pCviYTWSb SECRET_KEY = 9pCviYTWSb


@ -95,6 +95,7 @@ COLORIZE = true
LEVEL = Debug LEVEL = Debug
[security] [security]
PASSWORD_HASH_ALGO = argon2
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = 9pCviYTWSb SECRET_KEY = 9pCviYTWSb


@ -99,6 +99,7 @@ COLORIZE = true
LEVEL = Debug LEVEL = Debug
[security] [security]
PASSWORD_HASH_ALGO = argon2
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = 9pCviYTWSb SECRET_KEY = 9pCviYTWSb


@ -94,6 +94,7 @@ COLORIZE = true
LEVEL = Debug LEVEL = Debug
[security] [security]
PASSWORD_HASH_ALGO = argon2
DISABLE_GIT_HOOKS = false DISABLE_GIT_HOOKS = false
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = 9pCviYTWSb SECRET_KEY = 9pCviYTWSb