From 61b89747ed54e17ab5c7730adbad1c5d4d5ff78a Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 19 Feb 2023 07:35:20 +0000 Subject: Provide the ability to set password hash algorithm parameters (#22942) This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton Co-authored-by: delvh Co-authored-by: John Olheiser Co-authored-by: Lunny Xiao --- modules/setting/setting.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'modules/setting') diff --git a/modules/setting/setting.go b/modules/setting/setting.go index a68a46f7ad..0cd2db356d 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -21,6 +21,7 @@ import ( "text/template" "time" + "code.gitea.io/gitea/modules/auth/password/hash" "code.gitea.io/gitea/modules/container" "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/json" @@ -968,7 +969,14 @@ func loadFromConf(allowEmpty bool, extraConfig string) { DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true) DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false) OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true) - PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") + + // Ensure that the provided default hash algorithm is a valid hash algorithm + var algorithm *hash.PasswordHashAlgorithm + PasswordHashAlgo, algorithm = hash.SetDefaultPasswordHashAlgorithm(sec.Key("PASSWORD_HASH_ALGO").MustString("")) + if algorithm == nil { + log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString("")) + } + CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true) PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false) SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20) -- cgit v1.2.3