third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Refactor] Passwort Hash/Set (#14282)

Browse Source 
* move SaltGeneration into HashPasswort and rename it to what it does

* Migration: Where Password is Valid with Empty String delete it

* prohibit empty password hash

* let SetPassword("") unset pwd stuff
tokarchuk/v1.17
6543 4 years ago committed by GitHub
parent 6b3b6f1833
commit 74a0481586
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 158 additions and 32 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      cmd/admin.go
  2. 6
      models/login_source.go
  3. 2
      models/migrations/migrations.go
  4. 115
      models/migrations/v166.go
  5. 22
      models/user.go
  6. 19
      models/user_test.go
  7. 5
      routers/admin/users.go
  8. 5
      routers/api/v1/admin/user.go
  9. 6
      routers/user/auth.go
  10. 3
      routers/user/setting/account.go

5
cmd/admin.go
Unescape View File

@ -349,12 +349,11 @@ func runChangePassword(c *cli.Context) error {
if err != nil { if err != nil {
return err return err
} }
if user.Salt, err = models.GetUserSalt(); err != nil { if err = user.SetPassword(c.String("password")); err != nil {
return err return err
} }
user.HashPassword(c.String("password"))
if err := models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { if err = models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil {
return err return err
} }

6
models/login_source.go
Unescape View File

@ -771,8 +771,10 @@ func UserSignIn(username, password string) (*User, error) {
// Update password hash if server password hash algorithm have changed // Update password hash if server password hash algorithm have changed
if user.PasswdHashAlgo != setting.PasswordHashAlgo { if user.PasswdHashAlgo != setting.PasswordHashAlgo {
user.HashPassword(password) if err = user.SetPassword(password); err != nil {
if err := UpdateUserCols(user, "passwd", "passwd_hash_algo"); err != nil { return nil, err
}
if err = UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil {
return nil, err return nil, err
} }
} }

2
models/migrations/migrations.go
Unescape View File

@ -277,6 +277,8 @@ var migrations = []Migration{
NewMigration("Add scope and nonce columns to oauth2_grant table", addScopeAndNonceColumnsToOAuth2Grant), NewMigration("Add scope and nonce columns to oauth2_grant table", addScopeAndNonceColumnsToOAuth2Grant),
// v165 -> v166 // v165 -> v166
NewMigration("Convert hook task type from char(16) to varchar(16) and trim the column", convertHookTaskTypeToVarcharAndTrim), NewMigration("Convert hook task type from char(16) to varchar(16) and trim the column", convertHookTaskTypeToVarcharAndTrim),
// v166 -> v167
NewMigration("Where Password is Valid with Empty String delete it", recalculateUserEmptyPWD),
} }
// GetCurrentDBVersion returns the current db version // GetCurrentDBVersion returns the current db version

115
models/migrations/v166.go
Unescape View File

@ -0,0 +1,115 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package migrations
import (
"crypto/sha256"
"fmt"
"golang.org/x/crypto/argon2"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/crypto/scrypt"
"xorm.io/builder"
"xorm.io/xorm"
)
func recalculateUserEmptyPWD(x *xorm.Engine) (err error) {
const (
algoBcrypt = "bcrypt"
algoScrypt = "scrypt"
algoArgon2 = "argon2"
algoPbkdf2 = "pbkdf2"
)
type User struct {
ID int64 `xorm:"pk autoincr"`
Passwd string `xorm:"NOT NULL"`
PasswdHashAlgo string `xorm:"NOT NULL DEFAULT 'argon2'"`
MustChangePassword bool `xorm:"NOT NULL DEFAULT false"`
LoginType int
LoginName string
Type int
Salt string `xorm:"VARCHAR(10)"`
}
// hashPassword hash password based on algo and salt
// state 461406070c
hashPassword := func(passwd, salt, algo string) string {
var tempPasswd []byte
switch algo {
case algoBcrypt:
tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
return string(tempPasswd)
case algoScrypt:
tempPasswd, _ = scrypt.Key([]byte(passwd), []byte(salt), 65536, 16, 2, 50)
case algoArgon2:
tempPasswd = argon2.IDKey([]byte(passwd), []byte(salt), 2, 65536, 8, 50)
case algoPbkdf2:
fallthrough
default:
tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)
}
return fmt.Sprintf("%x", tempPasswd)
}
// ValidatePassword checks if given password matches the one belongs to the user.
// state 461406070c, changed since it's not necessary to be time constant
ValidatePassword := func(u *User, passwd string) bool {
tempHash := hashPassword(passwd, u.Salt, u.PasswdHashAlgo)
if u.PasswdHashAlgo != algoBcrypt && u.Passwd == tempHash {
return true
}
if u.PasswdHashAlgo == algoBcrypt && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil {
return true
}
return false
}
sess := x.NewSession()
defer sess.Close()
const batchSize = 100
for start := 0; ; start += batchSize {
users := make([]*User, 0, batchSize)
if err = sess.Limit(batchSize, start).Where(builder.Neq{"passwd": ""}, 0).Find(&users); err != nil {
return
}
if len(users) == 0 {
break
}
if err = sess.Begin(); err != nil {
return
}
for _, user := range users {
if ValidatePassword(user, "") {
user.Passwd = ""
user.Salt = ""
user.PasswdHashAlgo = ""
if _, err = sess.ID(user.ID).Cols("passwd", "salt", "passwd_hash_algo").Update(user); err != nil {
return err
}
}
}
if err = sess.Commit(); err != nil {
return
}
}
// delete salt and algo where password is empty
if _, err = sess.Where(builder.Eq{"passwd": ""}.And(builder.Neq{"salt": ""}.Or(builder.Neq{"passwd_hash_algo": ""}))).
Cols("salt", "passwd_hash_algo").Update(&User{}); err != nil {
return err
}
return sess.Commit()
}

22
models/user.go
Unescape View File

@ -395,10 +395,23 @@ func hashPassword(passwd, salt, algo string) string {
return fmt.Sprintf("%x", tempPasswd) return fmt.Sprintf("%x", tempPasswd)
} }
// HashPassword hashes a password using the algorithm defined in the config value of PASSWORD_HASH_ALGO. // SetPassword hashes a password using the algorithm defined in the config value of PASSWORD_HASH_ALGO
func (u *User) HashPassword(passwd string) { // change passwd, salt and passwd_hash_algo fields
func (u *User) SetPassword(passwd string) (err error) {
if len(passwd) == 0 {
u.Passwd = ""
u.Salt = ""
u.PasswdHashAlgo = ""
return nil
}
if u.Salt, err = GetUserSalt(); err != nil {
return err
}
u.PasswdHashAlgo = setting.PasswordHashAlgo u.PasswdHashAlgo = setting.PasswordHashAlgo
u.Passwd = hashPassword(passwd, u.Salt, setting.PasswordHashAlgo) u.Passwd = hashPassword(passwd, u.Salt, setting.PasswordHashAlgo)
return nil
} }
// ValidatePassword checks if given password matches the one belongs to the user. // ValidatePassword checks if given password matches the one belongs to the user.
@ -416,7 +429,7 @@ func (u *User) ValidatePassword(passwd string) bool {
// IsPasswordSet checks if the password is set or left empty // IsPasswordSet checks if the password is set or left empty
func (u *User) IsPasswordSet() bool { func (u *User) IsPasswordSet() bool {
return !u.ValidatePassword("") return len(u.Passwd) != 0
} }
// IsOrganization returns true if user is actually a organization. // IsOrganization returns true if user is actually a organization.
@ -826,10 +839,9 @@ func CreateUser(u *User) (err error) {
if u.Rands, err = GetUserSalt(); err != nil { if u.Rands, err = GetUserSalt(); err != nil {
return err return err
} }
if u.Salt, err = GetUserSalt(); err != nil { if err = u.SetPassword(u.Passwd); err != nil {
return err return err
} }
u.HashPassword(u.Passwd)
u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization && !setting.Admin.DisableRegularOrgCreation u.AllowCreateOrganization = setting.Service.DefaultAllowCreateOrganization && !setting.Admin.DisableRegularOrgCreation
u.EmailNotificationsPreference = setting.Admin.DefaultEmailNotification u.EmailNotificationsPreference = setting.Admin.DefaultEmailNotification
u.MaxRepoCreation = -1 u.MaxRepoCreation = -1

19
models/user_test.go
Unescape View File

@ -220,8 +220,7 @@ func TestEmailNotificationPreferences(t *testing.T) {
func TestHashPasswordDeterministic(t *testing.T) { func TestHashPasswordDeterministic(t *testing.T) {
b := make([]byte, 16) b := make([]byte, 16)
rand.Read(b) u := &User{}
u := &User{Salt: string(b)}
algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"} algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
for j := 0; j < len(algos); j++ { for j := 0; j < len(algos); j++ {
u.PasswdHashAlgo = algos[j] u.PasswdHashAlgo = algos[j]
@ -231,19 +230,15 @@ func TestHashPasswordDeterministic(t *testing.T) {
pass := string(b) pass := string(b)
// save the current password in the user - hash it and store the result // save the current password in the user - hash it and store the result
u.HashPassword(pass) u.SetPassword(pass)
r1 := u.Passwd r1 := u.Passwd
// run again // run again
u.HashPassword(pass) u.SetPassword(pass)
r2 := u.Passwd r2 := u.Passwd
// assert equal (given the same salt+pass, the same result is produced) except bcrypt
if u.PasswdHashAlgo == "bcrypt" {
assert.NotEqual(t, r1, r2) assert.NotEqual(t, r1, r2)
} else { assert.True(t, u.ValidatePassword(pass))
assert.Equal(t, r1, r2)
}
} }
} }
} }
@ -252,12 +247,10 @@ func BenchmarkHashPassword(b *testing.B) {
// BenchmarkHashPassword ensures that it takes a reasonable amount of time // BenchmarkHashPassword ensures that it takes a reasonable amount of time
// to hash a password - in order to protect from brute-force attacks. // to hash a password - in order to protect from brute-force attacks.
pass := "password1337" pass := "password1337"
bs := make([]byte, 16) u := &User{Passwd: pass}
rand.Read(bs)
u := &User{Salt: string(bs), Passwd: pass}
b.ResetTimer() b.ResetTimer()
for i := 0; i < b.N; i++ { for i := 0; i < b.N; i++ {
u.HashPassword(pass) u.SetPassword(pass)
} }
} }

5
routers/admin/users.go
Unescape View File

@ -267,7 +267,10 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
u.HashPassword(form.Password) if err = u.SetPassword(form.Password); err != nil {
ctx.InternalServerError(err)
return
}
} }
if len(form.UserName) != 0 && u.Name != form.UserName { if len(form.UserName) != 0 && u.Name != form.UserName {

5
routers/api/v1/admin/user.go
Unescape View File

@ -174,7 +174,10 @@ func EditUser(ctx *context.APIContext, form api.EditUserOption) {
ctx.Error(http.StatusInternalServerError, "UpdateUser", err) ctx.Error(http.StatusInternalServerError, "UpdateUser", err)
return return
} }
u.HashPassword(form.Password) if err = u.SetPassword(form.Password); err != nil {
ctx.InternalServerError(err)
return
}
} }
if form.MustChangePassword != nil { if form.MustChangePassword != nil {

6
routers/user/auth.go
Unescape View File

@ -1517,11 +1517,10 @@ func ResetPasswdPost(ctx *context.Context) {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
if u.Salt, err = models.GetUserSalt(); err != nil { if err = u.SetPassword(passwd); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
u.HashPassword(passwd)
u.MustChangePassword = false u.MustChangePassword = false
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil { if err := models.UpdateUserCols(u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
@ -1591,12 +1590,11 @@ func MustChangePasswordPost(ctx *context.Context, cpt *captcha.Captcha, form aut
} }
var err error var err error
if u.Salt, err = models.GetUserSalt(); err != nil { if err = u.SetPassword(form.Password); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
u.HashPassword(form.Password)
u.MustChangePassword = false u.MustChangePassword = false
if err := models.UpdateUserCols(u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil { if err := models.UpdateUserCols(u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil {

3
routers/user/setting/account.go
Unescape View File

@ -63,11 +63,10 @@ func AccountPost(ctx *context.Context, form auth.ChangePasswordForm) {
ctx.Flash.Error(errMsg) ctx.Flash.Error(errMsg)
} else { } else {
var err error var err error
if ctx.User.Salt, err = models.GetUserSalt(); err != nil { if err = ctx.User.SetPassword(form.Password); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return
} }
ctx.User.HashPassword(form.Password)
if err := models.UpdateUserCols(ctx.User, "salt", "passwd_hash_algo", "passwd"); err != nil { if err := models.UpdateUserCols(ctx.User, "salt", "passwd_hash_algo", "passwd"); err != nil {
ctx.ServerError("UpdateUser", err) ctx.ServerError("UpdateUser", err)
return return

Write Preview
Loading…
Cancel
Save