
Commit 5c0697a

Use argon as default password hash algorithm (#12688)
* Restrict TLS connections to 1.2 minimum * Set Argon2 as the default KDF * Fix user.yml * Remove TLS minversion changes Signed-off-by: Andrew Thornton <[email protected]> * Add migration as per @techknowlogick Signed-off-by: Andrew Thornton <[email protected]> * set the password algo in the fixtures Signed-off-by: Andrew Thornton <[email protected]> * Remove the v148 migration - it needs recreate table to change the defaults Signed-off-by: Andrew Thornton <[email protected]> Co-authored-by: Nadim Kobeissi <[email protected]>
1 parent 8fa7a4b commit 5c0697a


6 files changed

+64
-35
lines changed


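--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -508,8 +508,8 @@ ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;If left empty or no valid values are specified, the default is off (no checking)
 ;Classes include "lower,upper,digit,spec"
 PASSWORD_COMPLEXITY = off
-; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt"
-PASSWORD_HASH_ALGO = pbkdf2
+; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
+PASSWORD_HASH_ALGO = argon2
 ; Set false to allow JavaScript to read CSRF cookie
 CSRF_COOKIE_HTTP_ONLY = true
 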
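Review bot: The rewritten comment above PASSWORD_HASH_ALGO lists the accepted values but says nothing about what switching the option does to accounts that already exist, which is the first thing an operator changing it will ask. Since the user model in this same commit carries a per-user passwd_hash_algo, the setting presumably only governs how newly set passwords are hashed while stored hashes keep verifying under their recorded algorithm; if that holds, add `; Only affects passwords set after the change; existing hashes keep the algorithm recorded with them` beneath the option so the rotation story is explicit.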

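--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -325,7 +325,7 @@ set name for unique queues. Individual queues will default to
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
-- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
+- `PASSWORD_HASH_ALGO`: **argon2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\].
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
 - lower - use one or more lower latin characters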

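--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -7,7 +7,8 @@
 full_name: User One
 
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: true
@@ -24,7 +25,8 @@
 
 keep_email_private: true
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -43,7 +45,8 @@
 full_name: " <<<< >> >> > >> > >>> >> "
 
 email_notifications_preference: onmention
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -60,7 +63,8 @@
 full_name: " "
 
 email_notifications_preference: onmention
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -77,7 +81,8 @@
 full_name: User Five
 
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -95,7 +100,8 @@
 full_name: User Six
 
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -112,7 +118,8 @@
 full_name: User Seven
 
 email_notifications_preference: disabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -129,7 +136,8 @@
 full_name: User Eight
 
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -147,7 +155,8 @@
 full_name: User Nine
 
 email_notifications_preference: onmention
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -162,7 +171,8 @@
 name: user10
 full_name: User Ten
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -177,7 +187,8 @@
 name: user11
 full_name: User Eleven
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -192,7 +203,8 @@
 name: user12
 full_name: User 12
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -207,7 +219,8 @@
 name: user13
 full_name: User 13
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -222,7 +235,8 @@
 name: user14
 full_name: User 14
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -237,7 +251,8 @@
 name: user15
 full_name: User 15
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -252,7 +267,8 @@
 name: user16
 full_name: User 16
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -267,7 +283,8 @@
 name: user17
 full_name: User 17
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -284,7 +301,8 @@
 name: user18
 full_name: User 18
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -299,7 +317,8 @@
 name: user19
 full_name: User 19
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -316,7 +335,8 @@
 name: user20
 full_name: User 20
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -331,7 +351,8 @@
 name: user21
 full_name: User 21
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -346,7 +367,8 @@
 name: limited_org
 full_name: Limited Org
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -364,7 +386,8 @@
 name: privated_org
 full_name: Privated Org
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -383,7 +406,8 @@
 full_name: "user24"
 
 keep_email_private: true
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -401,7 +425,8 @@
 name: org25
 full_name: "org25"
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -418,7 +443,8 @@
 full_name: "Org26"
 
 email_notifications_preference: onmention
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 1 # organization
 salt: ZogKvWdyEx
 is_admin: false
@@ -436,7 +462,8 @@
 full_name: User Twenty-Seven
 
 email_notifications_preference: enabled
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -451,7 +478,8 @@
 full_name: "user27"
 
 keep_email_private: true
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false
@@ -469,7 +497,8 @@
 name: user29
 full_name: User 29
 
-passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+passwd_hash_algo: argon2
+passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
 type: 0 # individual
 salt: ZogKvWdyEx
 is_admin: false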

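--- a/models/user.go
+++ b/models/user.go
@@ -105,7 +105,7 @@ type User struct {
 KeepEmailPrivate bool
 EmailNotificationsPreference string `xorm:"VARCHAR(20) NOT NULL DEFAULT 'enabled'"`
 Passwd string `xorm:"NOT NULL"`
-PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'pbkdf2'"`
+PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
 
 // MustChangePassword is an attribute that determines if a user
 // is to change his/her password after registration.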
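Review bot: Changing the DEFAULT in the xorm tag on PasswdHashAlgo only affects tables created from now on; on existing installs the column default stays 'pbkdf2', and the commit message says the migration that would have changed it was dropped. That leaves two populations of databases where an insert that leaves PasswdHashAlgo empty is recorded as pbkdf2 on old installs but argon2 on new ones, while the new setting default hashes with argon2 — a mismatch that would make such a password unverifiable. Whether any insert path leaves the field empty is not visible here, but the field should carry a comment making the contract explicit, e.g. `// PasswdHashAlgo names the KDF that produced Passwd; always set it together with Passwd, since the column default differs between old and new installs.` The User struct starts before and continues after the hunk.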

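--- a/models/user_test.go
+++ b/models/user_test.go
@@ -239,7 +239,7 @@ func TestHashPasswordDeterministic(t *testing.T) {
 b := make([]byte, 16)
 rand.Read(b)
 u := &User{Salt: string(b)}
-algos := []string{"pbkdf2", "argon2", "scrypt", "bcrypt"}
+algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
 for j := 0; j < len(algos); j++ {
 u.PasswdHashAlgo = algos[j]
 for i := 0; i < 50; i++ {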
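Review bot: Reordering the algos slice changes nothing this test checks; every algorithm is still exercised only with PasswdHashAlgo set explicitly, so the new argon2 default that is the point of the commit remains untested. A short case that hashes a password on a fresh User through the configured default and asserts `if u.PasswdHashAlgo != "argon2" { t.Fatalf("got %q", u.PasswdHashAlgo) }` would pin it, assuming HashPassword records setting.PasswordHashAlgo on the user (not visible in this hunk). TestHashPasswordDeterministic starts before and ends after the hunk.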

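--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -819,7 +819,7 @@ func NewContext() {
 ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
 OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
-PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
+PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
 CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 
 InternalToken = loadInternalToken(sec)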
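Review bot: The PASSWORD_HASH_ALGO value is taken from MustString and stored without checking that it is one of the four names the example config and docs list, so a typo in app.ini is only discovered when a password is first hashed, and what an unknown name does then depends on the hashing switch, which is not visible here. Rejecting the value at startup keeps a misconfiguration from silently producing hashes under whatever fallback that switch picks, in the same way the surrounding keys fail fast on bad input. NewContext starts before and continues after the hunk.
```go
PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
switch PasswordHashAlgo {
case "argon2", "pbkdf2", "scrypt", "bcrypt":
default:
	log.Fatal("Unsupported PASSWORD_HASH_ALGO %q", PasswordHashAlgo)
}
// … unchanged: CSRF_COOKIE_HTTP_ONLY, InternalToken …
```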
