Introduce ability to update HashAlgo

custom/conf/app.example.ini

@@ -379,6 +379,37 @@ INTERNAL_TOKEN=
 ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
 ;PASSWORD_CHECK_PWN = false
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[security.password_hash]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Every parameter for the built in hash algorithms can be changed in this section.
+;; Handle with care! Changing the values can massively change the hash calculation time and/or memory needed for the hashing process.
+;; After changing a value, the user password hash will be recalculated on next successful login.
+;;
+;; In order to use values diverging from the defaults, all parameters (for the hash of choice) need to be set!
+;;
+;; Parameters for BCrypt
+;BCRYPT_COST = 10
+;;
+;; Parameters for scrypt (all 4 parameters need to be set)
+;SCRYPT_N = 65536
+;SCRYPT_R = 16
+;SCRYPT_P = 2
+;SCRYPT_KEY_LENGTH = 50
+;;
+;; Parameters for Argon2id (all 4 parameters need to be set)
+;ARGON2_ITERATIONS = 2
+;ARGON2_MEMORY = 65536
+;ARGON2_PARALLELISM = 8
+;ARGON2_KEY_LENGTH = 50
+;;
+;; Parameters for Pbkdf2 (both parameters need to be set)
+;PBKDF2_ITERATIONS = 10000
+;PBKDF2_KEY_LENGTH = 50
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 [oauth2]

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -441,6 +441,20 @@ relation to port exhaustion.
     - off - do not check password complexity
 - `PASSWORD_CHECK_PWN`: **false**: Check [HaveIBeenPwned](https://haveibeenpwned.com/Passwords) to see if a password has been exposed.
 
+## Password Hash Algo (`password_hash`)
+
+- `BCRYPT_COST`: **10**: The `cost` parameter for Bcrypt hashing. Values from 4 to 31 are allowed. [More info on the bcrypt hashing algorithm.](https://en.wikipedia.org/wiki/Bcrypt#Algorithm)
+- `SCRYPT_N`: **65536**: The `CostFactor N` for Scrypt hashing. Must be a power of two. [More info on the scrypt hashing algorithm.](https://en.wikipedia.org/wiki/Scrypt#Algorithm)
+- `SCRYPT_R`: **16**: The `BlockSizeFactor r` for Scrypt hashing. 
+- `SCRYPT_P`: **2**: The `ParallelizationFactor p` for Scrypt hashing.
+- `SCRYPT_KEY_LENGTH`: **50**: Desired key length for Scrypt hashing.
+- `ARGON2_ITERATIONS`: **2**: Number of iterations for Argon2id hashing. [More info on the Argon2 hashing algorithm.](https://en.wikipedia.org/wiki/Argon2#Algorithm)
+- `ARGON2_MEMORY`: **65536**: Amount of memory to use for Argon2id hashing.
+- `ARGON2_PARALLELISM`: **8**: Number of threads to use for Argon2id hashing.
+- `ARGON2_KEY_LENGTH`: **50**: Desired key length for Argon2id hashing.
+- `PBKDF2_ITERATIONS`: **10000**: Number of iterations for PBKDF2 hashing. [More info on the PBKDF2 hashing algorithm.](https://en.wikipedia.org/wiki/PBKDF2)
+- `PBKDF2_KEY_LENGTH`: **50**: Desired key length for PBKDF2 hashing.
+
 ## OpenID (`openid`)
 
 - `ENABLE_OPENID_SIGNIN`: **false**: Allow authentication in via OpenID.

models/fixtures/user.yml

@@ -529,15 +529,34 @@
   id: 31
   lower_name: user31
   name: user31
-  full_name: "user31"
+  full_name: User ThirtyOne
   email: user31@example.com
-  passwd_hash_algo: argon2
-  passwd: a3d5fcd92bae586c2e3dbe72daea7a0d27833a8d0227aa1704f4bbd775c1f3b03535b76dd93b0d4d8d22a519dca47df1547b # password
+  passwd_hash_algo: argon2$2$65536$12$50
+  passwd: 1d2304e48d92db2fed37bdb4b3e7fca97fc41f2454b32de343007f0acb4623f04b07a477759fa83df487d12310a2c4c1ab25 # password
   type: 0 # individual
   salt: ZogKvWdyEx
   is_admin: false
-  visibility: 2
-  avatar: avatar31
+  login_type: 1
+  is_restricted: true
+  avatar: avatar29
   avatar_email: user31@example.com
   num_repos: 0
   is_active: true
+
+-
+  id: 32
+  lower_name: user32
+  name: user32
+  full_name: User ThirtyTwo
+  email: user32@example.com
+  passwd_hash_algo: argon2$2$65536$12$50
+  passwd: 1d2304e48d92db2fed37bdb4b3e7fca97fc41f2454b32de343007f0acb4623f04b07a477759fa83df487d12310a2c4c1ab25 # password
+  type: 0 # individual
+  salt: ZogKvWdyEx
+  is_admin: false
+  login_type: 1
+  is_restricted: true
+  avatar: avatar29
+  avatar_email: user32@example.com
+  num_repos: 0
+  is_active: true

models/login_source.go

@@ -14,6 +14,7 @@ import (
 	"strconv"
 	"strings"
 
+	"code.gitea.io/gitea/modules/auth/hash"
 	"code.gitea.io/gitea/modules/auth/ldap"
 	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/auth/pam"
@@ -814,7 +815,7 @@ func UserSignIn(username, password string) (*User, error) {
 			if user.IsPasswordSet() && user.ValidatePassword(password) {
 
 				// Update password hash if server password hash algorithm have changed
-				if user.PasswdHashAlgo != setting.PasswordHashAlgo {
+				if hash.DefaultHasher.PasswordNeedUpdate(user.PasswdHashAlgo) {
 					if err = user.SetPassword(password); err != nil {
 						return nil, err
 					}

models/user.go

@@ -8,8 +8,6 @@ package models
 import (
 	"container/list"
 	"context"
-	"crypto/sha256"
-	"crypto/subtle"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -21,6 +19,7 @@ import (
 	"time"
 	"unicode/utf8"
 
+	"code.gitea.io/gitea/modules/auth/hash"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
@@ -30,10 +29,6 @@ import (
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
-	"golang.org/x/crypto/argon2"
-	"golang.org/x/crypto/bcrypt"
-	"golang.org/x/crypto/pbkdf2"
-	"golang.org/x/crypto/scrypt"
 	"golang.org/x/crypto/ssh"
 	"xorm.io/builder"
 )
@@ -375,56 +370,28 @@ func (u *User) NewGitSig() *git.Signature {
 	}
 }
 
-func hashPassword(passwd, salt, algo string) string {
-	var tempPasswd []byte
-
-	switch algo {
-	case algoBcrypt:
-		tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
-		return string(tempPasswd)
-	case algoScrypt:
-		tempPasswd, _ = scrypt.Key([]byte(passwd), []byte(salt), 65536, 16, 2, 50)
-	case algoArgon2:
-		tempPasswd = argon2.IDKey([]byte(passwd), []byte(salt), 2, 65536, 8, 50)
-	case algoPbkdf2:
-		fallthrough
-	default:
-		tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)
-	}
-
-	return fmt.Sprintf("%x", tempPasswd)
-}
-
 // SetPassword hashes a password using the algorithm defined in the config value of PASSWORD_HASH_ALGO
 // change passwd, salt and passwd_hash_algo fields
 func (u *User) SetPassword(passwd string) (err error) {
 	if len(passwd) == 0 {
 		u.Passwd = ""
-		u.Salt = ""
 		u.PasswdHashAlgo = ""
+		u.Salt = ""
 		return nil
 	}
 
 	if u.Salt, err = GetUserSalt(); err != nil {
 		return err
 	}
-	u.PasswdHashAlgo = setting.PasswordHashAlgo
-	u.Passwd = hashPassword(passwd, u.Salt, setting.PasswordHashAlgo)
 
-	return nil
+	u.Passwd, u.PasswdHashAlgo, err = hash.DefaultHasher.HashPassword(passwd, u.Salt, "")
+
+	return err
 }
 
-// ValidatePassword checks if given password matches the one belongs to the user.
+// ValidatePassword checks if given password matches the one belonging to the user.
 func (u *User) ValidatePassword(passwd string) bool {
-	tempHash := hashPassword(passwd, u.Salt, u.PasswdHashAlgo)
-
-	if u.PasswdHashAlgo != algoBcrypt && subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(tempHash)) == 1 {
-		return true
-	}
-	if u.PasswdHashAlgo == algoBcrypt && bcrypt.CompareHashAndPassword([]byte(u.Passwd), []byte(passwd)) == nil {
-		return true
-	}
-	return false
+	return hash.DefaultHasher.Validate(passwd, u.Passwd, u.Salt, u.PasswdHashAlgo)
 }
 
 // IsPasswordSet checks if the password is set or left empty

models/user_test.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/modules/auth/hash"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
@@ -137,13 +138,13 @@ func TestSearchUsers(t *testing.T) {
 	}
 
 	testUserSuccess(&SearchUserOptions{OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}},
-		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30})
+		[]int64{1, 2, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 27, 28, 29, 30, 32})
 
 	testUserSuccess(&SearchUserOptions{ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolFalse},
 		[]int64{9})
 
 	testUserSuccess(&SearchUserOptions{OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolTrue},
-		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 28, 29, 30})
+		[]int64{1, 2, 4, 5, 8, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21, 24, 28, 29, 30, 32})
 
 	testUserSuccess(&SearchUserOptions{Keyword: "user1", OrderBy: "id ASC", ListOptions: ListOptions{Page: 1}, IsActive: util.OptionalBoolTrue},
 		[]int64{1, 10, 11, 12, 13, 14, 15, 16, 18})
@@ -225,7 +226,7 @@ func TestHashPasswordDeterministic(t *testing.T) {
 	u := &User{}
 	algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}
 	for j := 0; j < len(algos); j++ {
-		u.PasswdHashAlgo = algos[j]
+		hash.DefaultHasher.DefaultAlgorithm = algos[j]
 		for i := 0; i < 50; i++ {
 			// generate a random password
 			rand.Read(b)
@@ -234,17 +235,59 @@ func TestHashPasswordDeterministic(t *testing.T) {
 			// save the current password in the user - hash it and store the result
 			u.SetPassword(pass)
 			r1 := u.Passwd
+			a1 := u.PasswdHashAlgo
 
 			// run again
 			u.SetPassword(pass)
 			r2 := u.Passwd
+			a2 := u.PasswdHashAlgo
 
 			assert.NotEqual(t, r1, r2)
+			assert.NotEqual(t, a2, algos[j])
+			assert.Equal(t, a1, a2)
 			assert.True(t, u.ValidatePassword(pass))
 		}
 	}
 }
 
+func TestOldPasswordMatchAndUpdate(t *testing.T) {
+	assert.NoError(t, PrepareTestDatabase())
+	u := AssertExistsAndLoadBean(t, &User{ID: 32}).(*User)
+
+	hash.DefaultHasher.DefaultAlgorithm = "argon2"
+
+	matchingPass := "password"
+	oldPass := u.Passwd
+	oldAlgo := u.PasswdHashAlgo
+
+	validates := u.ValidatePassword(matchingPass)
+	newPass := u.Passwd
+	// Should match even with not matching current config
+	assert.True(t, validates)
+	// Should not be altered
+	assert.Equal(t, oldPass, newPass)
+
+	// With update function
+	argonHasher := hash.DefaultHasher.Hashers["argon2"].(*hash.Argon2Hasher)
+	argonHasher.Iterations = 2
+	argonHasher.Memory = 65536
+	argonHasher.Parallelism = 8
+	argonHasher.KeyLength = 50
+
+	user, _ := UserSignIn("user32", matchingPass)
+
+	validates = user.ValidatePassword(matchingPass)
+	newPass = user.Passwd
+	newAlgo := user.PasswdHashAlgo
+
+	// Should still match after config update
+	assert.True(t, validates)
+	// Should be updated to new config
+	assert.NotEqual(t, oldPass, newPass)
+	// Should not be equal - test users Parallelism is not matching
+	assert.NotEqual(t, oldAlgo, newAlgo)
+}
+
 func BenchmarkHashPassword(b *testing.B) {
 	// BenchmarkHashPassword ensures that it takes a reasonable amount of time
 	// to hash a password - in order to protect from brute-force attacks.

modules/auth/hash/argon2.go

@@ -0,0 +1,92 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package hash
+
+import (
+	"crypto/subtle"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+)
+
+// Argon2Hasher is a Hash implementation for Argon2
+type Argon2Hasher struct {
+	Iterations  uint32 `ini:"ARGON2_ITERATIONS"`
+	Memory      uint32 `ini:"ARGON2_MEMORY"`
+	Parallelism uint8  `ini:"ARGON2_PARALLELISM"`
+	KeyLength   uint32 `ini:"ARGON2_KEY_LENGTH"`
+	fallback    string
+}
+
+// HashPassword returns a PasswordHash, PassWordAlgo (and optionally an error)
+func (h *Argon2Hasher) HashPassword(password, salt, config string) (string, string, error) {
+	var tempPasswd []byte
+	if config == "fallback" {
+		// Fixed default config to match with original configuration
+		config = h.fallback
+	}
+
+	split := strings.Split(config, "$")
+	if len(split) != 4 {
+		fmt.Printf("Take from Config: %v", h.getConfigFromSetting())
+		split = strings.Split(h.getConfigFromSetting(), "$")
+	}
+
+	var iterations, memory, keyLength uint32
+	var parallelism uint8
+	var tmp int
+
+	var err error
+
+	if tmp, err = strconv.Atoi(split[0]); err != nil {
+		return "", "", err
+	}
+	iterations = uint32(tmp)
+
+	if tmp, err = strconv.Atoi(split[1]); err != nil {
+		return "", "", err
+	}
+	memory = uint32(tmp)
+	if tmp, err = strconv.Atoi(split[2]); err != nil {
+		return "", "", err
+	}
+	parallelism = uint8(tmp)
+	if tmp, err = strconv.Atoi(split[3]); err != nil {
+		return "", "", err
+	}
+	keyLength = uint32(tmp)
+
+	tempPasswd = argon2.IDKey([]byte(password), []byte(salt), iterations, memory, parallelism, keyLength)
+	return fmt.Sprintf("%x", tempPasswd),
+		fmt.Sprintf("argon2$%d$%d$%d$%d", iterations, memory, parallelism, keyLength),
+		nil
+}
+
+// Validate validates a plain-text password
+func (h *Argon2Hasher) Validate(password, hash, salt, config string) bool {
+	tempHash, _, _ := h.HashPassword(password, salt, config)
+	return subtle.ConstantTimeCompare([]byte(hash), []byte(tempHash)) == 1
+}
+
+func (h *Argon2Hasher) getConfigFromAlgo(algo string) string {
+	split := strings.SplitN(algo, "$", 2)
+	if len(split) == 1 {
+		split[1] = "fallback"
+	}
+	return split[1]
+}
+
+func (h *Argon2Hasher) getConfigFromSetting() string {
+	if h.Iterations == 0 || h.Memory == 0 || h.Parallelism == 0 || h.KeyLength == 0 {
+		return h.fallback
+	}
+	return fmt.Sprintf("%d$%d$%d$%d", h.Iterations, h.Memory, h.Parallelism, h.KeyLength)
+}
+
+func init() {
+	DefaultHasher.Hashers["argon2"] = &Argon2Hasher{2, 65536, 8, 50, "2$65536$8$50"}
+}