fix(sql): enforce minimum PBKDF2 iteration count in SCRAM-SHA-256 auth

Reject SCRAM SASLContinue messages with PBKDF2 iteration counts below
4096 (the RFC 7677 recommended minimum). Without this check, a MITM
attacker could modify the server's iteration count to 1, reducing
PBKDF2 to a single HMAC iteration and making offline password
brute-force ~4096x faster.

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Claude Bot
2026-02-12 04:43:43 +00:00
parent 50e478dcdc
commit 635d5db736
2 changed files with 12 additions and 0 deletions


@@ -20,6 +20,7 @@ pub const AnyPostgresError = error{
OutOfMemory,
Overflow,
PBKDFD2,
SASL_ITERATION_COUNT_TOO_LOW,
SASL_SIGNATURE_MISMATCH,
SASL_SIGNATURE_INVALID_BASE64,
ShortRead,
@@ -97,6 +98,7 @@ pub fn postgresErrorToJS(globalObject: *jsc.JSGlobalObject, message: ?[]const u8
error.NullsInArrayNotSupportedYet => "ERR_POSTGRES_NULLS_IN_ARRAY_NOT_SUPPORTED_YET",
error.Overflow => "ERR_POSTGRES_OVERFLOW",
error.PBKDFD2 => "ERR_POSTGRES_AUTHENTICATION_FAILED_PBKDF2",
error.SASL_ITERATION_COUNT_TOO_LOW => "ERR_POSTGRES_SASL_ITERATION_COUNT_TOO_LOW",
error.SASL_SIGNATURE_MISMATCH => "ERR_POSTGRES_SASL_SIGNATURE_MISMATCH",
error.SASL_SIGNATURE_INVALID_BASE64 => "ERR_POSTGRES_SASL_SIGNATURE_INVALID_BASE64",
error.TLSNotAvailable => "ERR_POSTGRES_TLS_NOT_AVAILABLE",
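Review bot: The new `SASL_ITERATION_COUNT_TOO_LOW` member of `AnyPostgresError` in the first hunk carries no doc comment, so a reader of the error set cannot tell which threshold produces it or why it matters; suggest adding `/// Server-advertised PBKDF2 iteration count is below the 4096 minimum of RFC 7677; the SCRAM exchange is aborted rather than accepting a weakened key derivation.` directly above it, matching how the commit message states the rule. The JS error-code mapping added in the second hunk follows its neighbors, but the comparison that actually raises the error lives in the other changed file and is not visible in this section, so the threshold value itself cannot be confirmed here. The body of `postgresErrorToJS` continues outside the hunk.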