authorLoïc Dachary2023-02-20 23:25:12 +0100
committerLoïc Dachary2023-03-12 15:17:10 +0100
commit2436acb3d986bad08aa134e450420fc4a08f5d62 (patch)
treecfc9d196f596d529280ace1729abb361b913f162
parentec5217b9d1b94bb04e34ce8c27eecbdc6f3a247a (diff)
[SECURITY] default to pbkdf2 with 320,000 iterations
(cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67) (cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb) (cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027)
-rw-r--r--custom/conf/app.example.ini4
-rw-r--r--modules/auth/password/hash/setting.go2
-rw-r--r--modules/auth/password/hash/setting_test.go8
3 files changed, 7 insertions, 7 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index c3c20a216..6854ddd22 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -476,8 +476,8 @@ INTERNAL_TOKEN=
;;Classes include "lower,upper,digit,spec"
;PASSWORD_COMPLEXITY = off
;;
-;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-;PASSWORD_HASH_ALGO = pbkdf2
+;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2_hi
;;
;; Set false to allow JavaScript to read CSRF cookie
;CSRF_COOKIE_HTTP_ONLY = true
diff --git a/modules/auth/password/hash/setting.go b/modules/auth/password/hash/setting.go
index f0715f31e..05cd36fe3 100644
--- a/modules/auth/password/hash/setting.go
+++ b/modules/auth/password/hash/setting.go
@@ -10,7 +10,7 @@ package hash
//
// It will be dealiased as per aliasAlgorithmNames whereas
// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
-const DefaultHashAlgorithmName = "pbkdf2"
+const DefaultHashAlgorithmName = "pbkdf2_hi"
var DefaultHashAlgorithm *PasswordHashAlgorithm
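Review bot: The doc comment kept at L37–L39 above the changed constant still describes only the dealiasing behaviour and says nothing about what `pbkdf2_hi` is, so the 320,000-iteration parameter is stated nowhere except the commit title; record it beside the value, e.g. `// "pbkdf2_hi" selects PBKDF2 with 320,000 iterations (the hardened default introduced for security).` Whether `pbkdf2_hi` is itself an entry in aliasAlgorithmNames or a concrete specification is not visible in this hunk, and the comment should say which once confirmed. The same gap exists in the app.example.ini hunk, where `"pbkdf2"/"pbkdf2_v2"` and `"pbkdf2_hi"` are listed side by side without saying what distinguishes them, leaving an operator no basis for choosing. Existing stored hashes presumably carry their own specification and are not rehashed by this change — worth confirming and noting, since the test below compares `.Specification`.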
diff --git a/modules/auth/password/hash/setting_test.go b/modules/auth/password/hash/setting_test.go
index d707207db..548d87c57 100644
--- a/modules/auth/password/hash/setting_test.go
+++ b/modules/auth/password/hash/setting_test.go
@@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
})
}
- t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+ t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
- pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+ pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
- assert.Equal(t, pbkdf2v2Config, emptyConfig)
- assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification)
+ assert.Equal(t, pbkdf2hiConfig, emptyConfig)
+ assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification)
})
}
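Review bot: The rewritten subtest at L51–L58 only proves that an empty setting resolves to whatever `pbkdf2_hi` currently resolves to; it does not pin the 320,000-iteration parameter the commit title promises, so a later edit to `pbkdf2_hi`'s definition would pass this test unnoticed. Consider one additional assertion comparing `emptyAlgo.Specification` against the literal specification string of the 320,000-iteration variant (its exact format is defined outside this hunk). The subtest name could also state the guarantee, e.g. `"pbkdf2_hi (320,000 iterations) is the default when default password hash algorithm is empty"`. The enclosing TestCheckSettingPasswordHashAlgorithm starts before this hunk.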