From 4b58e3b6d41f9e42fd34469184a3c7d4c5205c86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Mon, 20 Feb 2023 23:25:12 +0100 Subject: [PATCH] [SECURITY] default to pbkdf2 with 320,000 iterations (cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67) (cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb) (cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027) (cherry picked from commit 2436acb3d986bad08aa134e450420fc4a08f5d62) (cherry picked from commit 62f50e1c521c30729781e5cd58882e743bb8b851) (cherry picked from commit dba18925217254d22f76306c0fe1c046c419268e) --- custom/conf/app.example.ini | 4 ++-- modules/auth/password/hash/setting.go | 2 +- modules/auth/password/hash/setting_test.go | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 0543c85d50..7f1e20afe4 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -476,8 +476,8 @@ INTERNAL_TOKEN= ;;Classes include "lower,upper,digit,spec" ;PASSWORD_COMPLEXITY = off ;; -;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt" -;PASSWORD_HASH_ALGO = pbkdf2 +;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt" +;PASSWORD_HASH_ALGO = pbkdf2_hi ;; ;; Set false to allow JavaScript to read CSRF cookie ;CSRF_COOKIE_HTTP_ONLY = true diff --git a/modules/auth/password/hash/setting.go b/modules/auth/password/hash/setting.go index f0715f31e1..05cd36fe3c 100644 --- a/modules/auth/password/hash/setting.go +++ b/modules/auth/password/hash/setting.go @@ -10,7 +10,7 @@ package hash // // It will be dealiased as per aliasAlgorithmNames whereas // defaultEmptyHashAlgorithmSpecification does not undergo dealiasing. -const DefaultHashAlgorithmName = "pbkdf2" +const DefaultHashAlgorithmName = "pbkdf2_hi" var DefaultHashAlgorithm *PasswordHashAlgorithm diff --git a/modules/auth/password/hash/setting_test.go b/modules/auth/password/hash/setting_test.go index d707207db6..548d87c570 100644 --- a/modules/auth/password/hash/setting_test.go +++ b/modules/auth/password/hash/setting_test.go @@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) { }) } - t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) { + t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) { emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("") - pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2") + pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi") - assert.Equal(t, pbkdf2v2Config, emptyConfig) - assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification) + assert.Equal(t, pbkdf2hiConfig, emptyConfig) + assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification) }) }