From 5c0697ad1ecbd25ff245a93ea5af55c07817249e Mon Sep 17 00:00:00 2001
From: zeripath
Date: Thu, 3 Sep 2020 19:58:31 +0100
Subject: [PATCH] Use argon as default password hash algorithm (#12688)
* Restrict TLS connections to 1.2 minimum
* Set Argon2 as the default KDF
* Fix user.yml
* Remove TLS minversion changes
Signed-off-by: Andrew Thornton
* Add migration as per @techknowlogick
Signed-off-by: Andrew Thornton
* set the password algo in the fixtures
Signed-off-by: Andrew Thornton
* Remove the v148 migration - it needs recreate table to change the defaults
Signed-off-by: Andrew Thornton
Co-authored-by: Nadim Kobeissi
---
 custom/conf/app.example.ini | 4 +-
 .../doc/advanced/config-cheat-sheet.en-us.md | 2 +-
 models/fixtures/user.yml | 87 ++++++++++++-------
 models/user.go | 2 +-
 models/user_test.go | 2 +-
 modules/setting/setting.go | 2 +-
 6 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index a5f81f83d3..bb65c4f08d 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -508,8 +508,8 @@ ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;If left empty or no valid values are specified, the default is off (no checking)
 ;Classes include "lower,upper,digit,spec"
 PASSWORD_COMPLEXITY = off
-; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt"
-PASSWORD_HASH_ALGO = pbkdf2
+; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
+PASSWORD_HASH_ALGO = argon2
 ; Set false to allow JavaScript to read CSRF cookie
 CSRF_COOKIE_HTTP_ONLY = true
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 4401c59b44..f86415c288 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
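Review bot: The rewritten comment above `PASSWORD_HASH_ALGO = argon2` still reads as if the setting selects how every stored password is hashed, but the algorithm is recorded per user (this same patch changes the `PasswdHashAlgo` column default in models/user.go), so switching the default presumably leaves existing pbkdf2 hashes in place until each user next sets a password. An operator reading only this file could conclude that the change re-hashes existing accounts, which cannot happen without the plaintext. I would extend the comment: `; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt". Applies to passwords set from now on; existing users keep the algorithm stored with their hash until they next change their password.` The login-time verification path is not in this diff, so confirm it dispatches on the stored per-user value rather than on this setting.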
@@ -325,7 +325,7 @@ set name for unique queues. Individual queues will default to
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: ****: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
-- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
+- `PASSWORD_HASH_ALGO`: **argon2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\].
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
 - lower - use one or more lower latin characters
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 640fd65bff..7ed7d7ffd1 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -7,7 +7,8 @@
 full_name: User One
 email: user1@example.com
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: true
@@ -24,7 +25,8 @@
 email: user2@example.com
 keep_email_private: true
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -43,7 +45,8 @@
 full_name: " <<<< >> >> > >> > >>> >> "
 email: user3@example.com
 email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -60,7 +63,8 @@
 full_name: " "
 email: user4@example.com
 email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -77,7 +81,8 @@
 full_name: User Five
 email: user5@example.com
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -95,7 +100,8 @@
 full_name: User Six
 email: user6@example.com
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -112,7 +118,8 @@
 full_name: User Seven
 email: user7@example.com
 email_notifications_preference: disabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -129,7 +136,8 @@
 full_name: User Eight
 email: user8@example.com
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -147,7 +155,8 @@
 full_name: User Nine
 email: user9@example.com
 email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -162,7 +171,8 @@
 name: user10
 full_name: User Ten
 email: user10@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -177,7 +187,8 @@
 name: user11
 full_name: User Eleven
 email: user11@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -192,7 +203,8 @@
 name: user12
 full_name: User 12
 email: user12@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -207,7 +219,8 @@
 name: user13
 full_name: User 13
 email: user13@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -222,7 +235,8 @@
 name: user14
 full_name: User 14
 email: user14@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -237,7 +251,8 @@
 name: user15
 full_name: User 15
 email: user15@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -252,7 +267,8 @@
 name: user16
 full_name: User 16
 email: user16@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -267,7 +283,8 @@
 name: user17
 full_name: User 17
 email: user17@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -284,7 +301,8 @@
 name: user18
 full_name: User 18
 email: user18@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -299,7 +317,8 @@
 name: user19
 full_name: User 19
 email: user19@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -316,7 +335,8 @@
 name: user20
 full_name: User 20
 email: user20@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -331,7 +351,8 @@
 name: user21
 full_name: User 21
 email: user21@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -346,7 +367,8 @@
 name: limited_org
 full_name: Limited Org
 email: limited_org@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -364,7 +386,8 @@
 name: privated_org
 full_name: Privated Org
 email: privated_org@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -383,7 +406,8 @@
 full_name: "user24"
 email: user24@example.com
 keep_email_private: true
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -401,7 +425,8 @@
 name: org25
 full_name: "org25"
 email: org25@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -418,7 +443,8 @@
 full_name: "Org26"
 email: org26@example.com
 email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -436,7 +462,8 @@
 full_name: User Twenty-Seven
 email: user27@example.com
 email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -451,7 +478,8 @@
 full_name: "user27"
 email: user28@example.com
 keep_email_private: true
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -469,7 +497,8 @@
 name: user29
 full_name: User 29
 email: user29@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
diff --git a/models/user.go b/models/user.go
index 1c17453930..2e5d6473bb 100644
--- a/models/user.go
+++ b/models/user.go
@@ -105,7 +105,7 @@ type User struct {
 KeepEmailPrivate bool
 EmailNotificationsPreference string `xorm:"VARCHAR(20) NOT NULL DEFAULT 'enabled'"`
 Passwd string `xorm:"NOT NULL"`
- PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'pbkdf2'"`
+ PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
 // MustChangePassword is an attribute that determines if a user
 // is to change his/her password after registration.
diff --git a/models/user_test.go b/models/user_test.go
index 02b1893c43..220823ee02 100644
--- a/models/user_test.go
+++ b/models/user_test.go
@@ -239,7 +239,7 @@ func TestHashPasswordDeterministic(t *testing.T) {
 b := make([]byte, 16)
 rand.Read(b)
 u := &User{Salt: string(b)}
- algos := []string{"pbkdf2", "argon2", "scrypt", "bcrypt"}
+ algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
 for j := 0; j < len(algos); j++ {
 u.PasswdHashAlgo = algos[j]
 for i := 0; i < 50; i++ {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index ae15f68faa..5b8aefdaa4 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -819,7 +819,7 @@ func NewContext() {
 ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
 OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
- PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
+ PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
 CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 InternalToken = loadInternalToken(sec)
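Review bot: The `DEFAULT 'argon2'` in the new `PasswdHashAlgo` tag takes effect only when xorm creates the table, and the commit message says the v148 migration was dropped because changing the default on an existing column needs a table recreate, so databases created before this change keep `DEFAULT 'pbkdf2'` at the column level while fresh installs get `'argon2'`. Any write path that leaves the field empty and relies on the column default (the fixtures are now explicit; other callers are not visible here) would therefore record a different algorithm depending on when the instance was installed, and a stored label that does not match how `Passwd` was actually derived makes that password unverifiable. The field should state that contract: `// PasswdHashAlgo names the KDF used to derive Passwd. Set it explicitly whenever Passwd is written; the column DEFAULT differs between databases created before and after this change and must not be relied on.` The `User` struct starts and ends outside the hunk.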
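Review bot: `PasswordHashAlgo` is accepted from the config as an arbitrary string with no validation, so a misspelling such as `argon` or `argon2id` is taken silently and whatever the hashing switch does for an unknown name (presumably falling through to one fixed algorithm; not visible here) decides the KDF for every password set from then on, with nothing logged. Now that the default changes, the point where the value is read is the natural place to refuse anything other than the four documented names, so a misconfiguration cannot quietly select a different KDF than the operator believes is in use. The rejection below uses the package's fatal logger on the assumption that `NewContext` already aborts on other unusable settings the same way (confirm against the rest of the file); `NewContext` starts and ends outside the hunk.
```go
	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
	switch PasswordHashAlgo {
	case "argon2", "pbkdf2", "scrypt", "bcrypt":
	default:
		log.Fatal("Unsupported PASSWORD_HASH_ALGO %q: expected argon2, pbkdf2, scrypt or bcrypt", PasswordHashAlgo)
	}
	// … unchanged: CSRF_COOKIE_HTTP_ONLY, INTERNAL_TOKEN …
```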