postgrespro
diff --git a/‎doc/src/sgml/config.sgml
Lines changed: 20 additions & 0 deletions b/‎doc/src/sgml/config.sgml
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/backend/libpq/auth-scram.c
Lines changed: 7 additions & 2 deletions b/‎src/backend/libpq/auth-scram.c
Lines changed: 7 additions & 2 deletions
diff --git a/‎src/backend/utils/misc/guc_tables.c
Lines changed: 13 additions & 0 deletions b/‎src/backend/utils/misc/guc_tables.c
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/backend/utils/misc/postgresql.conf.sample
Lines changed: 1 addition & 0 deletions b/‎src/backend/utils/misc/postgresql.conf.sample
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/common/scram-common.c
Lines changed: 1 addition & 2 deletions b/‎src/common/scram-common.c
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/include/common/scram-common.h
Lines changed: 1 addition & 1 deletion b/‎src/include/common/scram-common.h
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/include/libpq/scram.h
Lines changed: 3 additions & 0 deletions b/‎src/include/libpq/scram.h
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/interfaces/libpq/fe-auth-scram.c
Lines changed: 2 additions & 2 deletions b/‎src/interfaces/libpq/fe-auth-scram.c
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/interfaces/libpq/fe-auth.c
Lines changed: 3 additions & 1 deletion b/‎src/interfaces/libpq/fe-auth.c
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/interfaces/libpq/fe-auth.h
Lines changed: 1 addition & 0 deletions b/‎src/interfaces/libpq/fe-auth.h
Lines changed: 1 addition & 0 deletions
@@ -1132,6 +1132,26 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term><varname>scram_iterations</varname> (<type>integer</type>)
+      <indexterm>
+       <primary><varname>scram_iterations</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        The number of computational iterations to be performed when encrypting
+        a password using SCRAM-SHA-256. The default is <literal>4096</literal>.
+        A higher number of iterations provides additional protection against
+        brute-force attacks on stored passwords, but makes authentication
+        slower. Changing the value has no effect on existing passwords
+        encrypted with SCRAM-SHA-256 as the iteration count is fixed at the
+        time of encryption. In order to make use of a changed value, a new
+        password must be set.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
       <term><varname>krb_server_keyfile</varname> (<type>string</type>)
       <indexterm>
 
@@ -191,6 +191,11 @@ static char *scram_mock_salt(const char *username,
 							 pg_cryptohash_type hash_type,
 							 int key_length);
 
+/*
+ * The number of iterations to use when generating new secrets.
+ */
+int			scram_sha_256_iterations = SCRAM_SHA_256_DEFAULT_ITERATIONS;
+
 /*
  * Get a list of SASL mechanisms that this module supports.
  *
@@ -496,7 +501,7 @@ pg_be_scram_build_secret(const char *password)
 
 	result = scram_build_secret(PG_SHA256, SCRAM_SHA_256_KEY_LEN,
 								saltbuf, SCRAM_DEFAULT_SALT_LEN,
-								SCRAM_DEFAULT_ITERATIONS, password,
+								scram_sha_256_iterations, password,
 								&errstr);
 
 	if (prep_password)
@@ -717,7 +722,7 @@ mock_scram_secret(const char *username, pg_cryptohash_type *hash_type,
 	encoded_salt[encoded_len] = '\0';
 
 	*salt = encoded_salt;
-	*iterations = SCRAM_DEFAULT_ITERATIONS;
+	*iterations = SCRAM_SHA_256_DEFAULT_ITERATIONS;
 
 	/* StoredKey and ServerKey are not used in a doomed authentication */
 	memset(stored_key, 0, SCRAM_MAX_KEY_LEN);
 
@@ -41,9 +41,11 @@
 #include "commands/trigger.h"
 #include "commands/user.h"
 #include "commands/vacuum.h"
+#include "common/scram-common.h"
 #include "jit/jit.h"
 #include "libpq/auth.h"
 #include "libpq/libpq.h"
+#include "libpq/scram.h"
 #include "nodes/queryjumble.h"
 #include "optimizer/cost.h"
 #include "optimizer/geqo.h"
@@ -3468,6 +3470,17 @@ struct config_int ConfigureNamesInt[] =
 		NULL, NULL, NULL
 	},
 
+	{
+		{"scram_iterations", PGC_USERSET, CONN_AUTH_AUTH,
+			gettext_noop("Sets the iteration count for SCRAM secret generation."),
+			NULL,
+			GUC_REPORT
+		},
+		&scram_sha_256_iterations,
+		SCRAM_SHA_256_DEFAULT_ITERATIONS, 1, INT_MAX,
+		NULL, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, 0, 0, 0, NULL, NULL, NULL
 
@@ -95,6 +95,7 @@
 
 #authentication_timeout = 1min		# 1s-600s
 #password_encryption = scram-sha-256	# scram-sha-256 or md5
+#scram_iterations = 4096
 #db_user_namespace = off
 
 # GSSAPI using Kerberos
 
@@ -214,8 +214,7 @@ scram_build_secret(pg_cryptohash_type hash_type, int key_length,
 	/* Only this hash method is supported currently */
 	Assert(hash_type == PG_SHA256);
 
-	if (iterations <= 0)
-		iterations = SCRAM_DEFAULT_ITERATIONS;
+	Assert(iterations > 0);
 
 	/* Calculate StoredKey and ServerKey */
 	if (scram_SaltedPassword(password, hash_type, key_length,
 
@@ -47,7 +47,7 @@
  * Default number of iterations when generating secret.  Should be at least
  * 4096 per RFC 7677.
  */
-#define SCRAM_DEFAULT_ITERATIONS	4096
+#define SCRAM_SHA_256_DEFAULT_ITERATIONS	4096
 
 extern int	scram_SaltedPassword(const char *password,
 								 pg_cryptohash_type hash_type, int key_length,
 
@@ -18,6 +18,9 @@
 #include "libpq/libpq-be.h"
 #include "libpq/sasl.h"
 
+/* Number of iterations when generating new secrets */
+extern PGDLLIMPORT int scram_sha_256_iterations;
+
 /* SASL implementation callbacks */
 extern PGDLLIMPORT const pg_be_sasl_mech pg_be_scram_mech;
 
 
@@ -895,7 +895,7 @@ verify_server_signature(fe_scram_state *state, bool *match,
  * error details.
  */
 char *
-pg_fe_scram_build_secret(const char *password, const char **errstr)
+pg_fe_scram_build_secret(const char *password, int iterations, const char **errstr)
 {
 	char	   *prep_password;
 	pg_saslprep_rc rc;
@@ -927,7 +927,7 @@ pg_fe_scram_build_secret(const char *password, const char **errstr)
 
 	result = scram_build_secret(PG_SHA256, SCRAM_SHA_256_KEY_LEN, saltbuf,
 								SCRAM_DEFAULT_SALT_LEN,
-								SCRAM_DEFAULT_ITERATIONS, password,
+								iterations, password,
 								errstr);
 
 	free(prep_password);
 
@@ -1341,7 +1341,9 @@ PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
 	{
 		const char *errstr = NULL;
 
-		crypt_pwd = pg_fe_scram_build_secret(passwd, &errstr);
+		crypt_pwd = pg_fe_scram_build_secret(passwd,
+											 conn->scram_sha_256_iterations,
+											 &errstr);
 		if (!crypt_pwd)
 			libpq_append_conn_error(conn, "could not encrypt password: %s", errstr);
 	}
 
@@ -26,6 +26,7 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 /* Mechanisms in fe-auth-scram.c */
 extern const pg_fe_sasl_mech pg_scram_mech;
 extern char *pg_fe_scram_build_secret(const char *password,
+									  int iterations,
 									  const char **errstr);
 
 #endif							/* FE_AUTH_H */
Original file line number	Diff line number	Diff line change
`@@ -1341,7 +1341,9 @@ PQencryptPasswordConn(PGconn conn, const char passwd, const char *user,`
`1341`	`1341`	`{`
`1342`	`1342`	`const char *errstr = NULL;`
`1343`	`1343`
`1344`		`- crypt_pwd = pg_fe_scram_build_secret(passwd, &errstr);`
	`1344`	`+ crypt_pwd = pg_fe_scram_build_secret(passwd,`
	`1345`	`+ conn->scram_sha_256_iterations,`
	`1346`	`+ &errstr);`
`1345`	`1347`	`if (!crypt_pwd)`
`1346`	`1348`	`libpq_append_conn_error(conn, "could not encrypt password: %s", errstr);`
`1347`	`1349`	`}`