Add faster SHA512 token hashing for Doorkeeper

What does this MR do and why?

Replace PBKDF2 token hashing with SHA512 for improved performance while maintaining fallback support for existing tokens and FIPS compliance.

FIPS-compliant OpenSSL on Ubuntu 22.04 rejects PBKDF2-SHA512 with an empty salt, so OAuth token authentication fails on those instances. A single SHA512 digest is adequate for OAuth tokens because they are generated by a CSPRNG and have far too much entropy to brute-force; the work factor of PBKDF2 only buys protection for low-entropy secrets such as passwords. SHA512 is also ~10,000x faster (one digest instead of thousands of PBKDF2 iterations) and FIPS compliant.

Fallback order: SHA512 → PBKDF2-SHA512 → Plain text (for self-managed instances migrating from very old GitLab versions).
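As an added illustration of that lookup order (this is not GitLab's or Doorkeeper's code; the iteration count, token size, storage format and the rescue of `OpenSSL::KDF::KDFError` are assumptions, only the strategy order comes from the MR):

```ruby
require 'openssl'
require 'base64'

# Hypothetical illustration of the three-step lookup described in the MR.
# Not GitLab's or Doorkeeper's code: constants and storage format are assumed;
# only the fallback order (SHA512 -> PBKDF2-SHA512 -> plaintext) is from the MR.
module TokenLookup
  PBKDF2_ITERATIONS = 20_000 # assumed iteration count for the legacy strategy
  TOKEN_BYTES = 32           # assumed token size: 256 bits from a CSPRNG

  # Fast path. A single SHA-512 is enough because the token is itself a CSPRNG
  # output with far more entropy than any password; the slow KDF in the legacy
  # path only ever protected against guessing, which is infeasible here anyway.
  def self.sha512(token)
    OpenSSL::Digest::SHA512.hexdigest(token)
  end

  # Legacy path: PBKDF2-HMAC-SHA512 with an empty salt. This is the construction
  # the MR says a FIPS-mode OpenSSL rejects, so it is kept only to match tokens
  # hashed before the switch and may legitimately fail at runtime.
  def self.pbkdf2_sha512(token, iterations: PBKDF2_ITERATIONS)
    raw = OpenSSL::KDF.pbkdf2_hmac(token, salt: '', iterations: iterations,
                                   hash: 'sha512', length: 64)
    "$pbkdf2-sha512$#{iterations}$$#{Base64.strict_encode64(raw).delete('=')}"
  end

  # Mint a fresh token: the plaintext goes to the client once, only the
  # SHA-512 form is stored. Returns [plaintext, stored_value].
  def self.generate
    plain = OpenSSL::Random.random_bytes(TOKEN_BYTES).unpack1('H*')
    [plain, sha512(plain)]
  end

  # Resolve a presented token against a store keyed by stored secret (standing
  # in for an indexed DB column), trying strategies in the MR's order.
  # Returns [record, strategy] on a hit, nil otherwise.
  def self.find(store, presented)
    candidates = [[:sha512,        -> { sha512(presented) }],
                  [:pbkdf2_sha512, -> { pbkdf2_sha512(presented) }],
                  [:plain,         -> { presented }]]
    candidates.each do |strategy, digest|
      begin
        key = digest.call
      rescue OpenSSL::KDF::KDFError
        # Assumed: under FIPS the empty-salt PBKDF2 raises here; skip to the
        # next strategy instead of failing the whole authentication.
        next
      end
      record = store[key]
      return [record, strategy] if record
    end
    nil
  end
end
```

The order matters for cost as much as for compatibility: every current token is resolved with one SHA-512 and a single indexed lookup, and only tokens minted under the old strategy pay for the PBKDF2 iterations. The lookup is an equality match on the stored digest, which is how a database index is consulted, so no constant-time comparison is needed at this layer.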

We had to revert the original MR due to an incident.

References

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Aboobacker MK
