From 3b049d1829b326f817b1bdde74965fe96bc4139c Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 25 Dec 2023 15:12:29 -0800 Subject: [PATCH] Update hash iterations in heimdal-history Rebenchmark (admittedly not really on that newer of hardware) and bump the hash iterations by about 10%. --- NEWS | 8 +++++++- tools/heimdal-history | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 71924d0..4c7408e 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,13 @@ krb5-strength 3.3 (unreleased) heimdal-history now requires the Perl modules Const::Fast and JSON::MaybeXS instead of Readonly and JSON. - Explicitly erase the copy of the password made in the Heimdal plugin. + Increase hash iterations for heimdal-history by about 10% to maintain + the time required for a password hash at about 0.1 seconds on not + horribly modern hardware. This will affect newly-stored history + entries but will not invalidate existing password history entries. + + Explicitly erase the copy of the password made in the Heimdal plugin + before freeing memory. Add a spec file for building RPMs, contributed by Daria Phoebe Brashear. diff --git a/tools/heimdal-history b/tools/heimdal-history index 63cc345..dbf8fc5 100755 --- a/tools/heimdal-history +++ b/tools/heimdal-history @@ -33,7 +33,7 @@ use Sys::Syslog qw(openlog syslog LOG_AUTH LOG_INFO LOG_WARNING); # The number of PBKDF2 iterations to use when hashing passwords. This number # should be chosen so as to force the hash operation to take approximately 0.1 # seconds on current hardware. -const my $HASH_ITERATIONS => 40128; +const my $HASH_ITERATIONS => 45144; # Path to the history database. Currently, this must be a Berkeley DB file in # the old DB_HASH format. Keys will be principal names, and values will be a -- 2.39.2
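Review bot: In the NEWS hunk, the reworded entry "Explicitly erase the copy of the password made in the Heimdal plugin before freeing memory." is unrelated to the iteration bump. The commit message does not mention it either, so it should go in its own commit or be noted in this one. In the new entry, "about 10%" understates the change: 40128 to 45144 is an increase of 12.5%. Stating the old and new counts in NEWS would let administrators see exactly what changed.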
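Review bot: In the tools/heimdal-history hunk, the comment above `const my $HASH_ITERATIONS => 45144;` still says only "approximately 0.1 seconds on current hardware". It does not record when or how the value was last measured, so the next rebenchmark has nothing to compare against. Consider adding the benchmark date and a short description of the hardware or method to that comment. Separately, NEWS claims existing history entries are not invalidated. That holds only if each stored entry records the iteration count it was hashed with. The verification code is outside this hunk, so please confirm it reads the count from the entry rather than from this constant, ideally with a test that checks a password against an entry written with 40128 iterations.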