WL#14281: Make password hash rounds configurable.
Affects: Server-8.0
Status: Complete
The industry standard for how many hash rounds are needed for password storage keeps changing. Currently our customers require it to be between 5000 and 10000. To meet their security requirements we must introduce a global system variable that sets the default number of rounds for the caching_sha2_password authentication plugin. The existing stored password format already supports a per-user round count, but small adjustments need to be made to handle values other than the current default.
FR1 - caching_sha2_digest_rounds system variable. Introduce a new read-only system variable to specify the number of hash rounds.
FR2 - Use the caching_sha2_digest_rounds system variable instead of DEFAULT_STORED_DIGEST_ROUNDS.
FR3 - Increase the maximum number of rounds limit.
FR4 - Unit test. Introduce a new unit test to verify that the specified hash rounds are taken into account.
FR5 - MTR tests. Make sure the existing MTR tests pass with and without setting the new system variable.
Introduce a new read-only global system variable to specify the number of hashing rounds done for the caching_sha2_password password plugin.
FR1 - caching_sha2_digest_rounds system variable. Introduce a new read-only system variable, caching_sha2_digest_rounds, to specify the number of hash rounds. The default value is the previous default, DEFAULT_STORED_DIGEST_ROUNDS. The minimum value is MIN_FAST_DIGEST_ROUNDS and the maximum value is MAX_FAST_DIGEST_ROUNDS.
FR2 - Use the caching_sha2_digest_rounds system variable instead of DEFAULT_STORED_DIGEST_ROUNDS in the constructor of the g_caching_sha2_password instance of the sha2_password::Caching_sha2_password object.
FR3 - Increase the maximum number of rounds limit. Currently the default number of hash rounds, 5000, is also the maximum; the minimum is 1000. The requirement is to allow at least 5000 rounds. Make the maximum number of rounds as high as the stored format allows, 4095000 (0xFFF*1000).
FR4 - Unit test. Introduce a new unit test to verify that the specified hash rounds are taken into account.
FR5 - MTR tests. Add a new set of tests to confirm that the number of hash rounds is set correctly and that a user created with the specified number of rounds can authenticate.
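As an added example (not part of this worklog or the MySQL source), the script below checks a proposed caching_sha2_digest_rounds value against the limits above and audits stored hashes for a minimum round count. It assumes the authentication_string layout $A$<3 hex digits = rounds/1000>$<20-char salt><43-char digest>, where the 3-digit field is what the 0xFFF*1000 maximum refers to; the sample rows are constructed, not real hashes.

```python
import re

# Limits quoted in the worklog: default 5000, minimum 1000, maximum 0xFFF*1000.
DEFAULT_STORED_DIGEST_ROUNDS = 5000
MIN_FAST_DIGEST_ROUNDS = 1000
MAX_FAST_DIGEST_ROUNDS = 0xFFF * 1000  # 4095000
ROUNDS_MULTIPLIER = 1000  # assumed: the 3-hex-digit field stores rounds / 1000

# Assumed layout of a caching_sha2_password authentication_string:
#   $A$<3 hex digits = rounds/1000>$<20-char salt><43-char digest>
_AUTH_STRING_RE = re.compile(r"^\$A\$([0-9A-Fa-f]{3})\$(.{20})(.{43})$")


def encode_rounds(rounds: int) -> str:
    """Return the 3-hex-digit rounds field for a caching_sha2_digest_rounds value.

    Rejects values outside the variable's limits and values the format cannot
    represent exactly (anything that is not a multiple of ROUNDS_MULTIPLIER).
    """
    if not MIN_FAST_DIGEST_ROUNDS <= rounds <= MAX_FAST_DIGEST_ROUNDS:
        raise ValueError(f"{rounds} outside {MIN_FAST_DIGEST_ROUNDS}..{MAX_FAST_DIGEST_ROUNDS}")
    if rounds % ROUNDS_MULTIPLIER:
        raise ValueError(f"{rounds} is not a multiple of {ROUNDS_MULTIPLIER}")
    return f"{rounds // ROUNDS_MULTIPLIER:03X}"


def parse_rounds(auth_string: str) -> int:
    """Extract the number of hash rounds encoded in a stored authentication_string."""
    m = _AUTH_STRING_RE.match(auth_string)
    if m is None:
        raise ValueError("not a caching_sha2_password authentication_string")
    return int(m.group(1), 16) * ROUNDS_MULTIPLIER


def audit_users(rows, policy_min=DEFAULT_STORED_DIGEST_ROUNDS):
    """Return (user@host, rounds) for accounts hashed with fewer rounds than policy_min.

    rows: iterable of (User, Host, authentication_string) as read from mysql.user.
    Rows that are not caching_sha2_password hashes are skipped.
    """
    weak = []
    for user, host, auth in rows:
        try:
            rounds = parse_rounds(auth)
        except ValueError:
            continue  # other plugin or empty password; out of scope for this check
        if rounds < policy_min:
            weak.append((f"{user}@{host}", rounds))
    return weak


# Constructed sample rows: salt/digest are placeholder characters, not real hashes.
SAMPLE_ROWS = [
    ("app", "%", "$A$005$" + "S" * 20 + "D" * 43),           # 5000 rounds (default)
    ("legacy", "localhost", "$A$001$" + "S" * 20 + "D" * 43),  # 1000 rounds, below policy
    ("batch", "10.0.0.%", "$A$00A$" + "S" * 20 + "D" * 43),    # 10000 rounds
    ("svc", "localhost", "*PLACEHOLDER-OTHER-PLUGIN"),          # not caching_sha2: skipped
]
```

Running audit_users(SAMPLE_ROWS) reports only legacy@localhost at 1000 rounds; encode_rounds(4095000) yields "FFF", the largest value the 3-digit field can hold.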
Copyright (c) 2000, 2024, Oracle Corporation and/or its affiliates. All rights reserved.