rnewson opened a new pull request, #4814: URL: https://github.com/apache/couchdb/pull/4814
## Overview

Allow arbitrarily strong on-disk password hashes without impacting database request performance.

This PR introduces PBKDF2 with SHA-256 (our existing version only uses SHA-1 which is now deprecated).

This PR also introduces an in-memory cache of password hashes with a separate, and deliberately low, iteration count. The first request for a given user is forced to perform a slow password hash check (as is any attacker that might have access to the on-disk password hashes). Subsequent hashes are faster.

Entries in the password hash cache are time-limited, unused entries are automatically deleted, and there is a capacity bound.

TODO:

1) Need to add tests for the several new pieces of functionality here.
2) Need a process that will upgrade hashes to the stronger version on successful authentication in a way that works nicely under load and concurrency.

## Testing recommendations

Will be covered by automated tests.

## Related Issues or Pull Requests

N/A

## Checklist

- [x] Code is written and works correctly
- [ ] Changes are covered by tests
- [ ] Any new configurable parameters are documented in `rel/overlay/etc/default.ini`
- [ ] Documentation changes were made in the `src/docs` folder
- [ ] Documentation changes were backported (separated PR) to affected branches
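A Python sketch of the two-tier scheme the description above outlines: a slow PBKDF2-SHA-256 check against the stored hash, then a low-iteration, memory-only cache entry for later requests. This is an added illustration, not code from the pull request or from CouchDB (which is Erlang); the class name, iteration counts, TTL, capacity and least-recently-used eviction are all assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict

def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class Authenticator:
    # All default numbers are assumed values for illustration, not CouchDB settings.
    def __init__(self, disk_iters=600_000, cache_iters=5, ttl=300.0,
                 capacity=1000, clock=time.monotonic):
        self.disk_iters, self.cache_iters = disk_iters, cache_iters
        self.ttl, self.capacity, self.clock = ttl, capacity, clock
        self.users = {}             # stand-in for on-disk docs: name -> (salt, iters, key)
        self.cache = OrderedDict()  # memory only: name -> (salt, fast_key, expires_at)
        self.slow_checks = 0        # counts full-cost verifications

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, self.disk_iters, pbkdf2(password, salt, self.disk_iters))

    def authenticate(self, name, password):
        now = self.clock()
        entry = self.cache.get(name)
        if entry and entry[2] <= now:
            del self.cache[name]    # time limit reached: drop the entry
            entry = None
        if entry:
            salt, fast_key, _ = entry
            if hmac.compare_digest(pbkdf2(password, salt, self.cache_iters), fast_key):
                self.cache.move_to_end(name)  # mark as recently used
                return True
            # Mismatch: fall through so a wrong guess still pays the slow cost.
        user = self.users.get(name)
        if user is None:
            return False
        salt, iters, key = user
        self.slow_checks += 1
        if not hmac.compare_digest(pbkdf2(password, salt, iters), key):
            return False
        # Fresh salt: the weak hash shares nothing with the stored one and is never persisted.
        cache_salt = os.urandom(16)
        fast_key = pbkdf2(password, cache_salt, self.cache_iters)
        self.cache[name] = (cache_salt, fast_key, now + self.ttl)
        self.cache.move_to_end(name)
        while len(self.cache) > self.capacity:
            self.cache.popitem(last=False)  # capacity bound: evict least recently used
        return True
```

The sketch does not invalidate a cache entry when the stored password changes, so a real implementation would also need that hook.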
