c702e7995d
Backport #22942 This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters In addition it takes the opportunity to adjust the settings for `pbkdf2` in order to make the hashing a little stronger. The majority of this work was inspired by PR #14751 and I would like to thank @boppy for their work on this. Thanks to @gusted for the suggestion to adjust the `pbkdf2` hashing parameters. Close #14751 --------- Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
64 lines
1.6 KiB
Go
64 lines
1.6 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package hash
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"golang.org/x/crypto/scrypt"
|
|
)
|
|
|
|
func init() {
|
|
Register("scrypt", NewScryptHasher)
|
|
}
|
|
|
|
// ScryptHasher implements PasswordHasher
|
|
// and uses the scrypt key derivation function.
|
|
type ScryptHasher struct {
|
|
n, r, p, keyLen int
|
|
}
|
|
|
|
// HashWithSaltBytes a provided password and salt
|
|
func (hasher *ScryptHasher) HashWithSaltBytes(password string, salt []byte) string {
|
|
if hasher == nil {
|
|
return ""
|
|
}
|
|
hashedPassword, _ := scrypt.Key([]byte(password), salt, hasher.n, hasher.r, hasher.p, hasher.keyLen)
|
|
return hex.EncodeToString(hashedPassword)
|
|
}
|
|
|
|
// NewScryptHasher is a factory method to create an ScryptHasher
|
|
// The provided config should be either empty or of the form:
|
|
// "<n>$<r>$<p>$<keyLen>", where <x> is the string representation
|
|
// of an integer
|
|
func NewScryptHasher(config string) *ScryptHasher {
|
|
hasher := &ScryptHasher{
|
|
n: 1 << 16,
|
|
r: 16,
|
|
p: 2, // 2 passes through memory - this default config will use 128MiB in total.
|
|
keyLen: 50,
|
|
}
|
|
|
|
if config == "" {
|
|
return hasher
|
|
}
|
|
|
|
vals := strings.SplitN(config, "$", 4)
|
|
if len(vals) != 4 {
|
|
log.Error("invalid scrypt hash spec %s", config)
|
|
return nil
|
|
}
|
|
var err error
|
|
hasher.n, err = parseIntParam(vals[0], "n", "scrypt", config, nil)
|
|
hasher.r, err = parseIntParam(vals[1], "r", "scrypt", config, err)
|
|
hasher.p, err = parseIntParam(vals[2], "p", "scrypt", config, err)
|
|
hasher.keyLen, err = parseIntParam(vals[3], "keyLen", "scrypt", config, err)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
return hasher
|
|
}
|