authorzeripath <art27@cantab.net>2020-09-03 19:58:31 +0100
committerGitHub <noreply@github.com>2020-09-03 14:58:31 -0400
commit5c0697ad1ecbd25ff245a93ea5af55c07817249e (patch)
tree6b142324939f263e7e0b5eedf240c24d82480bec /models
parent8fa7a4b511e9318a50458488474ff4039a4f826a (diff)
Use argon as default password hash algorithm (#12688)
* Restrict TLS connections to 1.2 minimum * Set Argon2 as the default KDF * Fix user.yml * Remove TLS minversion changes Signed-off-by: Andrew Thornton <art27@cantab.net> * Add migration as per @techknowlogick Signed-off-by: Andrew Thornton <art27@cantab.net> * set the password algo in the fixtures Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove the v148 migration - it needs recreate table to change the defaults Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Nadim Kobeissi <nadim@symbolic.software>
Diffstat (limited to 'models')
-rw-r--r--models/fixtures/user.yml87
-rw-r--r--models/user.go2
-rw-r--r--models/user_test.go2
3 files changed, 60 insertions, 31 deletions
diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml
index 640fd65bff..7ed7d7ffd1 100644
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -7,7 +7,8 @@
full_name: User One
email: user1@example.com
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: true
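Review bot: The replaced `passwd` value carries no record of how it was produced: the hunk shows only the algorithm name, the salt `ZogKvWdyEx` and the `# password` comment, so the Argon2 cost parameters behind the hash are not stated anywhere in the fixture. If those parameters are ever tuned, every entry presumably has to be regenerated, and without a recipe a stale hash would probably surface only as unexplained login failures in tests. A header comment in `user.yml` such as `# passwd is the argon2 hash of "password" with the salt below, using the parameters of the application's password hashing code` would cover it. The same replacement repeats in every later hunk of this file.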
@@ -24,7 +25,8 @@
email: user2@example.com
keep_email_private: true
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -43,7 +45,8 @@
full_name: " <<<< >> >> > >> > >>> >> "
email: user3@example.com
email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -60,7 +63,8 @@
full_name: " "
email: user4@example.com
email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -77,7 +81,8 @@
full_name: User Five
email: user5@example.com
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -95,7 +100,8 @@
full_name: User Six
email: user6@example.com
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -112,7 +118,8 @@
full_name: User Seven
email: user7@example.com
email_notifications_preference: disabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -129,7 +136,8 @@
full_name: User Eight
email: user8@example.com
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -147,7 +155,8 @@
full_name: User Nine
email: user9@example.com
email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -162,7 +171,8 @@
name: user10
full_name: User Ten
email: user10@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -177,7 +187,8 @@
name: user11
full_name: User Eleven
email: user11@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -192,7 +203,8 @@
name: user12
full_name: User 12
email: user12@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -207,7 +219,8 @@
name: user13
full_name: User 13
email: user13@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -222,7 +235,8 @@
name: user14
full_name: User 14
email: user14@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -237,7 +251,8 @@
name: user15
full_name: User 15
email: user15@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -252,7 +267,8 @@
name: user16
full_name: User 16
email: user16@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -267,7 +283,8 @@
name: user17
full_name: User 17
email: user17@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -284,7 +301,8 @@
name: user18
full_name: User 18
email: user18@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -299,7 +317,8 @@
name: user19
full_name: User 19
email: user19@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -316,7 +335,8 @@
name: user20
full_name: User 20
email: user20@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -331,7 +351,8 @@
name: user21
full_name: User 21
email: user21@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -346,7 +367,8 @@
name: limited_org
full_name: Limited Org
email: limited_org@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -364,7 +386,8 @@
name: privated_org
full_name: Privated Org
email: privated_org@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -383,7 +406,8 @@
full_name: "user24"
email: user24@example.com
keep_email_private: true
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -401,7 +425,8 @@
name: org25
full_name: "org25"
email: org25@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -418,7 +443,8 @@
full_name: "Org26"
email: org26@example.com
email_notifications_preference: onmention
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 1 # organization
salt: ZogKvWdyEx
is_admin: false
@@ -436,7 +462,8 @@
full_name: User Twenty-Seven
email: user27@example.com
email_notifications_preference: enabled
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -451,7 +478,8 @@
full_name: "user27"
email: user28@example.com
keep_email_private: true
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
@@ -469,7 +497,8 @@
name: user29
full_name: User 29
email: user29@example.com
- passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+ passwd_hash_algo: argon2
+ passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
type: 0 # individual
salt: ZogKvWdyEx
is_admin: false
diff --git a/models/user.go b/models/user.go
index 1c17453930..2e5d6473bb 100644
--- a/models/user.go
+++ b/models/user.go
@@ -105,7 +105,7 @@ type User struct {
KeepEmailPrivate bool
EmailNotificationsPreference string `xorm:"VARCHAR(20) NOT NULL DEFAULT 'enabled'"`
Passwd string `xorm:"NOT NULL"`
- PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'pbkdf2'"`
+ PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
// MustChangePassword is an attribute that determines if a user
// is to change his/her password after registration.
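Review bot: The `DEFAULT 'argon2'` in the xorm tag on `PasswdHashAlgo` is only a schema default, and the commit description says the v148 migration was removed because changing a default needs a table recreate, so databases created before this commit presumably keep `'pbkdf2'` as the column default. Code that sets or changes a password should therefore assign `PasswdHashAlgo` explicitly rather than rely on the column default, and existing rows stay on their stored algorithm until the password is hashed again. A field comment would make this visible, e.g. `// PasswdHashAlgo names the KDF that produced Passwd; the DEFAULT applies to newly created tables only, existing rows keep their stored value.` The `User` struct starts and ends outside this hunk.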
diff --git a/models/user_test.go b/models/user_test.go
index 02b1893c43..220823ee02 100644
--- a/models/user_test.go
+++ b/models/user_test.go
@@ -239,7 +239,7 @@ func TestHashPasswordDeterministic(t *testing.T) {
b := make([]byte, 16)
rand.Read(b)
u := &User{Salt: string(b)}
- algos := []string{"pbkdf2", "argon2", "scrypt", "bcrypt"}
+ algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
for j := 0; j < len(algos); j++ {
u.PasswdHashAlgo = algos[j]
for i := 0; i < 50; i++ {