WL#14281: Make password hash rounds configurable.
Affects: Server-8.0
—
Status: Complete
The industry standard for how many hash rounds that are needed for a password storage is always changing. Currently our customers require it to be between 5000 and 10000. To meet their security requirements we must introduce a system global variable which sets the default value for the caching_sha2_password password plugin. The existing password format already supports a per user setting, but small adjustments needs to be made in order to handle different values.
FR1 - caching_sha2_digest_rounds system variable.
Introduce a new read-only system variable to specify the number of hash
rounds.
FR2 - Use caching_sha2_digest_rounds system variable instead of the
DEFAULT_STORED_DIGEST_ROUNDS
FR3 - Increase the maximum number of rounds limits.
FR4 - Unit test.
Introduce a new unit test to verify the specified hash rounds are taken into
account.
FR5 - MTR tests.
Make sure the existing MTR tests are passing with and without setting the
new system variable
Introduce a new read-only global system variable to specify the number of hashing
rounds done for the caching_sha2_password password plugin.
FR1 - caching_sha2_digest_rounds system variable.
Introduce a new read-only system variable, caching_sha2_digest_rounds, to
specify the number of hash rounds. The default value is the previous default
value, DEFAULT_STORED_DIGEST_ROUNDS. The minimum value is MIN_FAST_DIGEST_ROUNDS,
and the maximum value is MAX_FAST_DIGEST_ROUNDS,
FR2 - Use caching_sha2_digest_rounds system variable instead of the
DEFAULT_STORED_DIGEST_ROUNDS in the constructor of the g_caching_sha2_password
instance of the sha2_password::Caching_sha2_password object.
FR3 - Increase the maximum number of rounds limits.
Currently the default number of caching rounds is the maximum number of
rounds, 5000. The minimum is set to 1000.
The requirement is to have at least 5000 rounds. Make the maximum number of
rounds as high as possible, 4095000 (0xFFF*1000).
FR4 - Unit test.
Introduce a new unit test to verify the specified hash rounds are taken into
account.
FR5 - MTR tests.
Add a new set of tests to confirm the number of caching rounds is correctly
set, and a new user created with the specified number of caching rounds works
correctly.
Copyright (c) 2000, 2025, Oracle Corporation and/or its affiliates. All rights reserved.