Increase SCRAM salt length

The original value 12 was set based on RFC 5802 for SCRAM-SHA-1, but RFC 7677 for SCRAM-SHA-256 uses 16, so use that. (This does not affect the validity of already stored verifiers.) Discussion: https://www.postgresql.org/message-id/flat/12cc9297-7e05-932f-d863-765e5626ead4%402ndquadrant.com

Increase SCRAM salt length
The original value 12 was set based on RFC 5802 for SCRAM-SHA-1, but RFC 7677 for SCRAM-SHA-256 uses 16, so use that. (This does not affect the validity of already stored verifiers.) Discussion: https://www.postgresql.org/message-id/flat/12cc9297-7e05-932f-d863-765e5626ead4%402ndquadrant.com
fe777414 · Peter Eisentraut · 1177ab1d · fe777414
Commit fe777414 authored Aug 24, 2017 by Peter Eisentraut
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

src/include/common/scram-common.h src/include/common/scram-common.h +10 -3

No files found.
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -28,10 +28,17 @@
 */
 #define SCRAM_RAW_NONCE_LEN			18

-/* length of salt when generating new verifiers */
-#define SCRAM_DEFAULT_SALT_LEN		12
+/*
+ * Length of salt when generating new verifiers, in bytes.  (It will be stored
+ * and sent over the wire encoded in Base64.)  16 bytes is what the example in
+ * RFC 7677 uses.
+ */
+#define SCRAM_DEFAULT_SALT_LEN		16

-/* default number of iterations when generating verifier */
+/*
+ * Default number of iterations when generating verifier.  Should be at least
+ * 4096 per RFC 7677.
+ */
 #define SCRAM_DEFAULT_ITERATIONS	4096

 /*