From 3e917a51632b50bc87d8aa77d1fffaebfb7790a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?=
Date: Mon, 20 Feb 2023 23:25:12 +0100
Subject: [PATCH] [SECURITY] default to pbkdf2 with 320,000 iterations

(cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67)
(cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb)
(cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027)
(cherry picked from commit 235a91c4ae2ddd1810ca172c3306e091742f6912)
(cherry picked from commit ec12e54182736aa5401468da70cfe3ec4579ae8a)
(cherry picked from commit d456d25d88dbb3909bf6b2850e40b74a19305221)
(cherry picked from commit 4a332f73d15b9b1fd77b12e6c069b2d63dcaf073)
(cherry picked from commit d59b79a72c2675618cc8a47cd663079a4ca8d4f3)
(cherry picked from commit 0ec0e97b3b7ec78601a1becf3f9f51c2d7a17c76)
(cherry picked from commit 9d51094c53d11bb4c94e6550ca54a7e634fa778c)
---
 custom/conf/app.example.ini | 4 ++--
 modules/auth/password/hash/setting.go | 2 +-
 modules/auth/password/hash/setting_test.go | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index d91d9a96ea..b0700da991 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -476,8 +476,8 @@ INTERNAL_TOKEN=
 ;;Classes include "lower,upper,digit,spec"
 ;PASSWORD_COMPLEXITY = off
 ;;
-;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-;PASSWORD_HASH_ALGO = pbkdf2
+;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2_hi
 ;;
 ;; Set false to allow JavaScript to read CSRF cookie
 ;CSRF_COOKIE_HTTP_ONLY = true
diff --git a/modules/auth/password/hash/setting.go b/modules/auth/password/hash/setting.go
index f0715f31e1..05cd36fe3c 100644
--- a/modules/auth/password/hash/setting.go
+++ b/modules/auth/password/hash/setting.go
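Review bot: The new comment lists `pbkdf2_hi` next to the other algorithms but never says what distinguishes it from `pbkdf2`/`pbkdf2_v2`, so an operator reading the example cannot tell that the default now uses a higher PBKDF2 iteration count (the subject names 320,000) or that changing this setting only affects hashes computed from then on. I would extend the comment with `;; pbkdf2_hi (the default) is PBKDF2 with a higher iteration count; changing this value does not rewrite passwords already stored.` Whether stored hashes are upgraded on login is not shown by this patch, so confirm that against the login path before wording the second half that strongly.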
@@ -10,7 +10,7 @@ package hash
 //
 // It will be dealiased as per aliasAlgorithmNames whereas
 // defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
-const DefaultHashAlgorithmName = "pbkdf2"
+const DefaultHashAlgorithmName = "pbkdf2_hi"
 
 var DefaultHashAlgorithm *PasswordHashAlgorithm
 
diff --git a/modules/auth/password/hash/setting_test.go b/modules/auth/password/hash/setting_test.go
index d707207db6..548d87c570 100644
--- a/modules/auth/password/hash/setting_test.go
+++ b/modules/auth/password/hash/setting_test.go
@@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
 		})
 	}
 
-	t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+	t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
 		emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
-		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+		pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
 
-		assert.Equal(t, pbkdf2v2Config, emptyConfig)
-		assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification)
+		assert.Equal(t, pbkdf2hiConfig, emptyConfig)
+		assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification)
 	})
 }
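Review bot: Nothing in this hunk shows that `"pbkdf2_hi"` is present in the aliasAlgorithmNames table the doc comment refers to, and since this is a one-line change that has been cherry-picked ten times, a backport that lands without the commit registering the alias would leave the default pointing at an unknown name. I would record that dependency in the comment above the constant (which starts outside the hunk): `// "pbkdf2_hi" must be registered in aliasAlgorithmNames; it is PBKDF2 at the raised iteration count (320,000 per the commit message) and governs only hashes computed after this change.` Whether hashes stored under the old default are upgraded on login is not visible here and is worth stating one way or the other, since the security benefit of the new default depends on it.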
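Review bot: The test pins only that the empty setting resolves to the same thing as `pbkdf2_hi`; it does not pin what `pbkdf2_hi` is, so a regression that registers the alias with the old iteration count would still pass. Consider asserting the concrete `emptyAlgo.Specification` value (the exact string is not visible in this hunk) so the 320,000-iteration claim in the subject is actually covered. Also, if `SetDefaultPasswordHashAlgorithm` returns a nil algorithm for an unrecognised name, `pbkdf2hiAlgo.Specification` would panic rather than fail cleanly; an `assert.NotNil(t, emptyAlgo)` ahead of the comparisons makes that failure mode explicit. TestCheckSettingPasswordHashAlgorithm begins outside the hunk.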