authorPeter Eisentraut <peter_e@gmx.net>2017-08-24 14:04:28 -0400
committerPeter Eisentraut <peter_e@gmx.net>2017-08-24 14:04:28 -0400
commitfe7774144d5c3f3a2941a2ca51e61352e4005991 (patch)
treef244c24fe34e3fdd61b794b0d07927b0dae17878 /src
parent1177ab1dabf72bafee8f19d904cee3a299f25892 (diff)
Increase SCRAM salt length
The original value 12 was set based on RFC 5802 for SCRAM-SHA-1, but RFC 7677 for SCRAM-SHA-256 uses 16, so use that. (This does not affect the validity of already stored verifiers.) Discussion: https://www.postgresql.org/message-id/flat/12cc9297-7e05-932f-d863-765e5626ead4%402ndquadrant.com
Diffstat (limited to 'src')
-rw-r--r--src/include/common/scram-common.h13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index ebb733df4b3..0c5ee04f263 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -28,10 +28,17 @@
*/
#define SCRAM_RAW_NONCE_LEN 18
-/* length of salt when generating new verifiers */
-#define SCRAM_DEFAULT_SALT_LEN 12
+/*
+ * Length of salt when generating new verifiers, in bytes. (It will be stored
+ * and sent over the wire encoded in Base64.) 16 bytes is what the example in
+ * RFC 7677 uses.
+ */
+#define SCRAM_DEFAULT_SALT_LEN 16
-/* default number of iterations when generating verifier */
+/*
+ * Default number of iterations when generating verifier. Should be at least
+ * 4096 per RFC 7677.
+ */
#define SCRAM_DEFAULT_ITERATIONS 4096
/*
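Review bot: The new comment on SCRAM_DEFAULT_ITERATIONS cites the RFC 7677 floor of 4096 but does not say that the default sits exactly on that floor, so a reader cannot tell that the value is the minimum rather than a tuned choice. The iteration count is what slows offline guessing against a leaked verifier, so I would extend the comment with something like `* 4096 per RFC 7677. This is the minimum; a higher count costs more per login but slows offline guessing.` The salt comment could also say that stored verifiers keep the salt length they were created with, so code that reads them should take the length from the verifier rather than from SCRAM_DEFAULT_SALT_LEN. The users of both macros are outside this hunk, so whether any buffer or parser assumes the old 12-byte length needs confirming in the callers.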