e086b83 Ticket 49135 - PBKDF2 should determine rounds at startup

Authored and Committed by William Brown 6 years ago
    Ticket 49135 - PBKDF2 should determine rounds at startup
    
    Bug Description:  We used a hardcoded number of rounds for PBKDF2
    
    Fix Description:  Rather than hardcoding rounds at startup, we define
    an attacker "work" factor. We have chosen 40 milliseconds for now.
    
    Based on this factor, we then run a test to determine the CPU performance
    of the system. If the CPU performance is below a threshold, we use
    10,000 rounds. If it is above, we scale the rounds up to our work
    factor. This way, each attempt by an attacker on a password should
    take 40 milliseconds - enough to cause them headaches, but still
    have a fast ldap server (given a bind takes about 500 milliseconds
    on my laptop today).
    
    https://pagure.io/389-ds-base/issue/49135
    
    Author: wibrown
    
    Review by: mreynolds (Thanks!!)
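
An added example, not code from this commit or from 389-ds-base: the startup calibration the message describes, written in Python with `hashlib`. The 40 ms work factor and the 10,000-round floor come from the message; SHA-256, the probe size, the fastest-of-three timing and the `rounds$salt$hash` storage string are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

WORK_FACTOR_MS = 40      # target cost per password guess (from the commit message)
MIN_ROUNDS = 10_000      # floor used when the CPU is slow (from the commit message)
BENCH_ROUNDS = 25_000    # assumption: rounds used for the timing probe
BENCH_RUNS = 3           # assumption: keep the fastest of a few probes


def rounds_for(elapsed_ns, bench_rounds=BENCH_ROUNDS,
               work_ms=WORK_FACTOR_MS, min_rounds=MIN_ROUNDS):
    """Scale rounds so one derivation costs about work_ms, never below the floor."""
    if elapsed_ns <= 0:
        return min_rounds  # clock too coarse to measure: fall back to the floor
    scaled = work_ms * 1_000_000 * bench_rounds // elapsed_ns
    return max(min_rounds, scaled)


def probe_ns(bench_rounds=BENCH_ROUNDS, runs=BENCH_RUNS, clock=time.perf_counter_ns):
    """Time PBKDF2 on throwaway input; the fastest run is least affected by scheduling."""
    password, salt = b"calibration-only", os.urandom(16)
    best = None
    for _ in range(runs):
        start = clock()
        hashlib.pbkdf2_hmac("sha256", password, salt, bench_rounds)
        elapsed = clock() - start
        best = elapsed if best is None else min(best, elapsed)
    return best


def hash_password(password, rounds):
    """Keep the round count beside the hash so recalibration never breaks old entries."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rounds = rounds_for(probe_ns())  # run once at startup
    stored = hash_password(b"constructed-sample", rounds)
    print(rounds, verify_password(b"constructed-sample", stored))
```

Because the count is measured per host, two servers can pick different values, so verification has to read the rounds from the stored entry rather than from the current calibration.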
    
        