From 644413c4a5be30afc39cad0bcad4e7f254a61c5d Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Wed, 20 Mar 2024 15:42:13 +0000
Subject: [PATCH] adjust cost
---
proxy/src/auth/backend.rs | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/proxy/src/auth/backend.rs b/proxy/src/auth/backend.rs
index 9026dcb449cb..d54b4ed264ca 100644
--- a/proxy/src/auth/backend.rs
+++ b/proxy/src/auth/backend.rs
@@ -217,25 +217,25 @@ async fn auth_quirks(
 };
 let (cached_entry, secret) = cached_secret.take_value();
- let hash_iter_count = match &secret {
- #[cfg(any(test, feature = "testing"))]
- Some(AuthSecret::Md5(_)) => 1,
- Some(AuthSecret::Scram(s)) => s.iterations,
- None => 0,
- };
- // only count the full hash count if password hack or websocket flow.
- // in other words, if proxy needs to run the hashing
- let password_weight = if unauthenticated_password.is_some() || allow_cleartext {
- hash_iter_count
- } else {
- 1
- };
-
 let secret = match secret {
 Some(secret) => {
 // we have validated the endpoint exists, so let's intern it.
 let endpoint = EndpointIdInt::from(&info.endpoint);
+ // only count the full hash count if password hack or websocket flow.
+ // in other words, if proxy needs to run the hashing
+ let password_weight = if unauthenticated_password.is_some() || allow_cleartext {
+ match &secret {
+ #[cfg(any(test, feature = "testing"))]
+ AuthSecret::Md5(_) => 1,
+ // performing the full scram flow with a password takes hash_iter_count + 3 + 1 hmac_sha_256 operations.
+ AuthSecret::Scram(s) => s.iterations + 4,
+ }
+ } else {
+ // validating scram takes just 1 hmac_sha_256 operation.
+ 1
+ };
+
 if config
 .rate_limiter
 .check((endpoint, ctx.peer_addr), password_weight)
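Review bot: `s.iterations + 4` in the `AuthSecret::Scram` arm is unchecked arithmetic on a value read from the stored secret, and the sum becomes the weight passed to `config.rate_limiter.check(...)`. The type of `iterations` is not visible in this hunk; if it is a fixed-width unsigned integer, a value near its maximum would panic where overflow checks are on and otherwise wrap to a very small weight, under-charging exactly the most expensive hashing case. `AuthSecret::Scram(s) => s.iterations.saturating_add(4),` keeps the weight monotonic. The new comment also still says `hash_iter_count`, a binding this commit removes, so `s.iterations + 3 + 1` would match the code. `auth_quirks` starts and ends outside the hunk.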