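// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package hash

// DefaultHashAlgorithmName represents the default value of PASSWORD_HASH_ALGO
// configured in app.ini.
//
// It is NOT the same and does NOT map to the defaultEmptyHashAlgorithmSpecification.
//
// It will be dealiased as per aliasAlgorithmNames whereas
// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
const DefaultHashAlgorithmName = "pbkdf2"

// DefaultHashAlgorithm holds the parsed default algorithm. It is nil until it
// is assigned; within this file only SetDefaultPasswordHashAlgorithm assigns it.
var DefaultHashAlgorithm *PasswordHashAlgorithm

// aliasAlgorithmNames provides a mapping between the value of PASSWORD_HASH_ALGO
// configured in the app.ini and the parameters used within the hashers internally.
//
// If it is necessary to change the default parameters for any hasher in future you
// should change these values and not those in argon2.go etc.
//
// The meaning of each "$"-separated field is defined by the per-algorithm
// parsers, which are not part of this file.
//
// NOTE(review): if the first pbkdf2 field is the iteration count (confirm in the
// pbkdf2 hasher), the default alias resolves to 50000 iterations, which is below
// current OWASP guidance for PBKDF2 (hundreds of thousands of iterations, the
// exact figure depending on the PRF). Deployments that can afford the cost are
// better served by pbkdf2_hi or a memory-hard algorithm (argon2, scrypt).
var aliasAlgorithmNames = map[string]string{
	"argon2":    "argon2$2$65536$8$50",
	"bcrypt":    "bcrypt$10",
	"scrypt":    "scrypt$65536$16$2$50",
	"pbkdf2":    "pbkdf2_v2", // pbkdf2 should default to pbkdf2_v2
	"pbkdf2_v1": "pbkdf2$10000$50",
	// The latest PBKDF2 password algorithm is used as the default since it doesn't
	// use a lot of memory and is safer to use on less powerful devices.
	"pbkdf2_v2": "pbkdf2$50000$50",
	// The pbkdf2_hi password algorithm is offered as a stronger alternative to the
	// slightly improved pbkdf2_v2 algorithm
	"pbkdf2_hi": "pbkdf2$320000$50",
}

// RecommendedHashAlgorithms lists the algorithm names that ConfigHashAlgorithm
// maps a specification back to. The order matters: ConfigHashAlgorithm returns
// the first entry whose dealiased specification matches.
var RecommendedHashAlgorithms = []string{
	"pbkdf2",
	"argon2",
	"bcrypt",
	"scrypt",
	"pbkdf2_hi",
}

// hashAlgorithmToSpec converts an algorithm name or a specification to a full algorithm specification
//
// An empty name is replaced by DefaultHashAlgorithmName. Aliases are then
// followed through aliasAlgorithmNames until a value is reached that is not
// itself a key of that table; a value that is not an alias is returned as is.
func hashAlgorithmToSpec(algorithmName string) string {
	if algorithmName == "" {
		algorithmName = DefaultHashAlgorithmName
	}
	// An acyclic alias chain uses each key at most once, so it can never take
	// more hops than the table has entries. Bounding the walk means a table
	// that is edited into a cycle cannot hang the caller; in that case the
	// value returned is still an alias name rather than a specification.
	for hops := 0; hops < len(aliasAlgorithmNames); hops++ {
		alias, has := aliasAlgorithmNames[algorithmName]
		if !has {
			break
		}
		algorithmName = alias
	}
	return algorithmName
}

// SetDefaultPasswordHashAlgorithm will take a provided algorithmName and de-alias it to
// a complete algorithm specification.
//
// It stores the result of Parse in the package-level DefaultHashAlgorithm and
// returns both the specification and that value.
//
// NOTE(review): Parse is defined elsewhere in the package. If it can return nil
// for a specification it does not recognise, DefaultHashAlgorithm is left nil
// here, so callers should check the returned pointer - confirm against Parse.
func SetDefaultPasswordHashAlgorithm(algorithmName string) (string, *PasswordHashAlgorithm) {
	algoSpec := hashAlgorithmToSpec(algorithmName)
	// now we get a full specification, e.g. pbkdf2$50000$50 rather than pbkdf2
	DefaultHashAlgorithm = Parse(algoSpec)
	return algoSpec, DefaultHashAlgorithm
}

// ConfigHashAlgorithm will try to find a "recommended algorithm name" defined by RecommendedHashAlgorithms for config
// This function is not fast and is only used for the installation page
//
// When no recommended name resolves to the same specification, the dealiased
// specification itself is returned.
func ConfigHashAlgorithm(algorithm string) string {
	algorithm = hashAlgorithmToSpec(algorithm)
	for _, recommAlgo := range RecommendedHashAlgorithms {
		if algorithm == hashAlgorithmToSpec(recommAlgo) {
			return recommAlgo
		}
	}
	return algorithm
}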