Change EncodePasswd to HashPassword (#3329)
* Change EncodePasswd to HashPassword * Create test+benchmark for HashPassword
This commit is contained in:
parent
f2b841d0ec
commit
674cfb7cac
7 changed files with 48 additions and 9 deletions
|
@ -111,7 +111,7 @@ func runChangePassword(c *cli.Context) error {
|
||||||
if user.Salt, err = models.GetUserSalt(); err != nil {
|
if user.Salt, err = models.GetUserSalt(); err != nil {
|
||||||
return fmt.Errorf("%v", err)
|
return fmt.Errorf("%v", err)
|
||||||
}
|
}
|
||||||
user.EncodePasswd()
|
user.HashPassword()
|
||||||
if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil {
|
if err := models.UpdateUserCols(user, "passwd", "salt"); err != nil {
|
||||||
return fmt.Errorf("%v", err)
|
return fmt.Errorf("%v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -388,8 +388,8 @@ func (u *User) NewGitSig() *git.Signature {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// EncodePasswd encodes password to safe format.
|
// HashPassword hashes a password using PBKDF.
|
||||||
func (u *User) EncodePasswd() {
|
func (u *User) HashPassword() {
|
||||||
newPasswd := pbkdf2.Key([]byte(u.Passwd), []byte(u.Salt), 10000, 50, sha256.New)
|
newPasswd := pbkdf2.Key([]byte(u.Passwd), []byte(u.Salt), 10000, 50, sha256.New)
|
||||||
u.Passwd = fmt.Sprintf("%x", newPasswd)
|
u.Passwd = fmt.Sprintf("%x", newPasswd)
|
||||||
}
|
}
|
||||||
|
@ -397,7 +397,7 @@ func (u *User) EncodePasswd() {
|
||||||
// ValidatePassword checks if given password matches the one belongs to the user.
|
// ValidatePassword checks if given password matches the one belongs to the user.
|
||||||
func (u *User) ValidatePassword(passwd string) bool {
|
func (u *User) ValidatePassword(passwd string) bool {
|
||||||
newUser := &User{Passwd: passwd, Salt: u.Salt}
|
newUser := &User{Passwd: passwd, Salt: u.Salt}
|
||||||
newUser.EncodePasswd()
|
newUser.HashPassword()
|
||||||
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
|
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -711,7 +711,7 @@ func CreateUser(u *User) (err error) {
|
||||||
if u.Salt, err = GetUserSalt(); err != nil {
|
if u.Salt, err = GetUserSalt(); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
u.EncodePasswd()
|
u.HashPassword()
|
||||||
u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization
|
u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization
|
||||||
u.MaxRepoCreation = -1
|
u.MaxRepoCreation = -1
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"math/rand"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
@ -123,3 +124,41 @@ func TestDeleteUser(t *testing.T) {
|
||||||
test(8)
|
test(8)
|
||||||
test(11)
|
test(11)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestHashPasswordDeterministic(t *testing.T) {
|
||||||
|
b := make([]byte, 16)
|
||||||
|
rand.Read(b)
|
||||||
|
u := &User{Salt: string(b)}
|
||||||
|
for i := 0; i < 50; i++ {
|
||||||
|
// generate a random password
|
||||||
|
rand.Read(b)
|
||||||
|
pass := string(b)
|
||||||
|
|
||||||
|
// save the current password in the user - hash it and store the result
|
||||||
|
u.Passwd = pass
|
||||||
|
u.HashPassword()
|
||||||
|
r1 := u.Passwd
|
||||||
|
|
||||||
|
// run again
|
||||||
|
u.Passwd = pass
|
||||||
|
u.HashPassword()
|
||||||
|
r2 := u.Passwd
|
||||||
|
|
||||||
|
// assert equal (given the same salt+pass, the same result is produced)
|
||||||
|
assert.Equal(t, r1, r2)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func BenchmarkHashPassword(b *testing.B) {
|
||||||
|
// BenchmarkHashPassword ensures that it takes a reasonable amount of time
|
||||||
|
// to hash a password - in order to protect from brute-force attacks.
|
||||||
|
pass := "password1337"
|
||||||
|
bs := make([]byte, 16)
|
||||||
|
rand.Read(bs)
|
||||||
|
u := &User{Salt: string(bs), Passwd: pass}
|
||||||
|
b.ResetTimer()
|
||||||
|
for i := 0; i < b.N; i++ {
|
||||||
|
u.HashPassword()
|
||||||
|
u.Passwd = pass
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -200,7 +200,7 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
|
||||||
ctx.Handle(500, "UpdateUser", err)
|
ctx.Handle(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
u.EncodePasswd()
|
u.HashPassword()
|
||||||
}
|
}
|
||||||
|
|
||||||
u.LoginName = form.LoginName
|
u.LoginName = form.LoginName
|
||||||
|
|
|
@ -132,7 +132,7 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
|
||||||
ctx.Error(500, "UpdateUser", err)
|
ctx.Error(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
u.EncodePasswd()
|
u.HashPassword()
|
||||||
}
|
}
|
||||||
|
|
||||||
u.LoginName = form.LoginName
|
u.LoginName = form.LoginName
|
||||||
|
|
|
@ -994,7 +994,7 @@ func ResetPasswdPost(ctx *context.Context) {
|
||||||
ctx.Handle(500, "UpdateUser", err)
|
ctx.Handle(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
u.EncodePasswd()
|
u.HashPassword()
|
||||||
if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil {
|
if err := models.UpdateUserCols(u, "passwd", "rands", "salt"); err != nil {
|
||||||
ctx.Handle(500, "UpdateUser", err)
|
ctx.Handle(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -235,7 +235,7 @@ func SettingsSecurityPost(ctx *context.Context, form auth.ChangePasswordForm) {
|
||||||
ctx.Handle(500, "UpdateUser", err)
|
ctx.Handle(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
ctx.User.EncodePasswd()
|
ctx.User.HashPassword()
|
||||||
if err := models.UpdateUserCols(ctx.User, "salt", "passwd"); err != nil {
|
if err := models.UpdateUserCols(ctx.User, "salt", "passwd"); err != nil {
|
||||||
ctx.Handle(500, "UpdateUser", err)
|
ctx.Handle(500, "UpdateUser", err)
|
||||||
return
|
return
|
||||||
|
|
Reference in a new issue