This is an automated email from the ASF dual-hosted git repository. rnewson pushed a commit to branch pbkdf2-600k in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 9e46efaaea02ec9f514d9999374b55f60127a43a
Author: Robert Newson <[email protected]>
AuthorDate: Tue Sep 17 11:16:23 2024 +0100

    default pbkdf2 rounds to 600,000 (OWASP)

    miscommunication between jan and myself when setting to 6 million.
---
 rel/overlay/etc/default.ini | 2 +-
 src/couch/src/couch_password_hasher.erl | 2 +-
 src/couch/src/couch_passwords.erl | 2 +-
 src/couch/src/couch_users_db.erl | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 41cd9de32..d9ac6606e 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -331,7 +331,7 @@ bind_address = 127.0.0.1
 ;timeout = 600 ; number of seconds before automatic logout
 ;auth_cache_size = 50 ; size is number of cache entries
 ;allow_persistent_cookies = true ; set to false to disallow persistent cookies
-;iterations = 6000000 ; iterations for password hashing
+;iterations = 600000 ; iterations for password hashing
 ;min_iterations = 1
 ;max_iterations = 1000000000
 ;password_scheme = pbkdf2
diff --git a/src/couch/src/couch_password_hasher.erl b/src/couch/src/couch_password_hasher.erl
index 1990a326e..90fb15c2b 100644
--- a/src/couch/src/couch_password_hasher.erl
+++ b/src/couch/src/couch_password_hasher.erl
@@ -116,7 +116,7 @@ needs_upgrade(UserProps) ->
     TargetPRF = ?l2b(chttpd_util:get_chttpd_auth_config("pbkdf2_prf", "sha256")),
     CurrentIterations = couch_util:get_value(<<"iterations">>, UserProps),
     TargetIterations = chttpd_util:get_chttpd_auth_config_integer(
-        "iterations", 6000000
+        "iterations", 600000
     ),
     case {TargetScheme, TargetIterations, TargetPRF} of
         {CurrentScheme, CurrentIterations, _} when CurrentScheme == <<"simple">> ->
diff --git a/src/couch/src/couch_passwords.erl b/src/couch/src/couch_passwords.erl
index 14ca69188..aca45ff0a 100644
--- a/src/couch/src/couch_passwords.erl
+++ b/src/couch/src/couch_passwords.erl
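Review bot: The 600000 default is now spelled out independently in four places — this commented-out line, the integer literals in the couch_password_hasher.erl and couch_users_db.erl hunks, and the string "600000" in the couch_passwords.erl hunk — and this commit is itself the evidence of how they drift. The inline comment on the changed line should at least say that the value documents a compiled-in default rather than setting one: `;iterations = 600000 ; PBKDF2 iteration count for password hashing; mirrors the default compiled into couch_password_hasher.erl, couch_passwords.erl and couch_users_db.erl`. Longer term a single shared define that all three modules read would make the next change a one-line edit and leave this file as the only place the number is repeated by hand.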
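Review bot: The `case {TargetScheme, TargetIterations, TargetPRF} of` match directly below the changed default compares iteration counts for exact equality, so a user document stored under the previous 6,000,000-iteration default no longer matches `TargetIterations` and, presumably, is reported as needing an upgrade even though the new count is lower; needs_upgrade continues outside the hunk, so I cannot confirm what the non-matching clauses do with a higher stored count. If a rehash to a weaker work factor on the next successful authentication is intended, a comment above `TargetIterations` saying that stored hashes track the configured count in both directions would stop the next reader from treating it as a bug; if not, the pbkdf2 clause should treat `CurrentIterations >= TargetIterations` as already current. Either way the visible `when CurrentScheme == <<"simple">>` clause is unaffected.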
@@ -44,7 +44,7 @@ hash_admin_password("simple", ClearPassword) ->
     ?l2b("-hashed-" ++ couch_util:to_hex(Hash) ++ "," ++ ?b2l(Salt));
 hash_admin_password("pbkdf2", ClearPassword) ->
     PRF = chttpd_util:get_chttpd_auth_config("pbkdf2_prf", "sha256"),
-    Iterations = chttpd_util:get_chttpd_auth_config("iterations", "6000000"),
+    Iterations = chttpd_util:get_chttpd_auth_config("iterations", "600000"),
     Salt = couch_uuids:random(),
     DerivedKey = couch_passwords:pbkdf2(
         list_to_existing_atom(PRF),
diff --git a/src/couch/src/couch_users_db.erl b/src/couch/src/couch_users_db.erl
index 857a62afa..b8929c412 100644
--- a/src/couch/src/couch_users_db.erl
+++ b/src/couch/src/couch_users_db.erl
@@ -101,7 +101,7 @@ save_doc(#doc{body = {Body}} = Doc) ->
     ok = validate_password(ClearPassword),
     PRF = chttpd_util:get_chttpd_auth_config("pbkdf2_prf", "sha256"),
     Iterations = chttpd_util:get_chttpd_auth_config_integer(
-        "iterations", 6000000
+        "iterations", 600000
     ),
     DerivedKey = couch_passwords:pbkdf2(
         list_to_existing_atom(PRF), ClearPassword, Salt, Iterations
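Review bot: The changed line in hash_admin_password passes the default as the string "600000" through get_chttpd_auth_config, while the same setting is read with get_chttpd_auth_config_integer and the integer 600000 in couch_password_hasher.erl and couch_users_db.erl; this is the one site of the four where the value has a different type, which is exactly the kind of spot a search-and-replace of the number misses. If the remainder of hash_admin_password (which continues past the hunk) converts Iterations with list_to_integer before the pbkdf2 call, this site could read `Iterations = chttpd_util:get_chttpd_auth_config_integer("iterations", 600000),` and drop the conversion, so all three readers agree on accessor and type. Until then a comment such as `%% NOTE: default is a string here; the other readers use the integer accessor` would flag the asymmetry.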
