From 911575267953e350bfbdb5e125a8873d9414a945 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Thu, 7 Nov 2019 14:06:02 +0000
Subject: [PATCH] proxy: reduce the internal bcrypt strength to fix race tests

Before this change the race tests were taking too long. The bcrypt function went from about 20ms to 1s under the race detector and this is called for every transaction on webdav. This change reduces the bcrypt strength so it takes 1ms non race so the race tests pass and still has adequate security for in memory only storage.
---
 cmd/serve/proxy/proxy.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmd/serve/proxy/proxy.go b/cmd/serve/proxy/proxy.go
index 83a37bca2..1c55588e7 100644
--- a/cmd/serve/proxy/proxy.go
+++ b/cmd/serve/proxy/proxy.go
@@ -208,7 +208,10 @@ func (p *Proxy) call(user, pass string, passwordBytes []byte) (value interface{}
 if err != nil {
 return nil, false, err
 }
- pwHash, err := bcrypt.GenerateFromPassword(passwordBytes, bcrypt.DefaultCost)
+ // The bcrypt cost is a compromise between security and speed. The password is looked up on every
+ // transaction for WebDAV so we store it lightly hashed. An attacker would find it easier to go after
+ // the unencrypted password in memory most likely.
+ pwHash, err := bcrypt.GenerateFromPassword(passwordBytes, bcrypt.MinCost)
 if err != nil {
 return nil, false, err
 }
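Review bot: `bcrypt.MinCost` on the new `GenerateFromPassword` line is only defensible while `pwHash` never leaves process memory, and the added comment explains the speed trade-off without stating that as an invariant. At cost 4 the hash offers little resistance to offline guessing, so if the cached entry were ever persisted, logged or included in a debug dump, the password would be effectively exposed. I would extend the comment with `// pwHash must stay in memory only: never persist or log it, MinCost is not suitable for stored hashes`. Since the value appears to be used only to re-check a cached login, a SHA-256 over a per-process random salt compared with `subtle.ConstantTimeCompare` would be cheaper still and would sidestep bcrypt's 72-byte input limit; worth considering as a follow-up. The body of `call` starts and ends outside the hunk, so how `pwHash` is stored and compared is not visible here.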