#49135 pbkdf2 should determine rounds based on time at start up
Closed: fixed 2 years ago Opened 2 years ago by firstyear.

Issue Description

Instead of hardcoding a number of rounds, we should determine the number of rounds at startup. We should set a time factor of acceptable delay (ie 0.1 second, 0.2 second), and then have in the plugin start a function that attempts to make a number of rounds that matches or exceeds this number.

This way, we don't need to manually improve the number of rounds each release, or with new hardware, it adapts to the servers it is on.


Metadata Update from @firstyear:
- Issue assigned to firstyear

2 years ago

Metadata Update from @mreynolds:
- Custom field type adjusted to defect
- Issue set to the milestone: 1.3.7 backlog

2 years ago

Metadata Update from @firstyear:
- Issue tagged with: RFE, Security

2 years ago

Please note this comes with cmocka tests of the round determination algorithm, tests of the pbkdf2 algo itself and it's tampering evidence, as well as the addition of the algo to the python suite test. All tests pass, and are leak and crash free.

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review

2 years ago

Looks fine, ack, but I wonder if we should change the logging level in pbkdf2_sha256_start() to SLAPI_LOG_PLUGIN?

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to ack (was: review)

2 years ago

I had it an info, so that anyone doing a security audit of their system could see what was chosen at start up. I can see the argument from both sides, and I think having the audit capability is important. What do you think?

I had it an info, so that anyone doing a security audit of their system could see what was chosen at start up. I can see the argument from both sides, and I think having the audit capability is important. What do you think?

What I don't want is a new error log message that appears on every DS startup. If it's not going to do that then please push as is! I have another ticket I want to fix that is going to based off your fix(the ci test part that is).

Hmmm, it is logged every startup. Okay, I'll change the level and push now.

commit e086b83
To ssh://git@pagure.io/389-ds-base.git
93624c3..e086b83 master -> master

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata