Re: Possible to store invalid SCRAM-SHA-256 Passwords

Michael Paquier <michael@paquier.xyz>

From: Michael Paquier <michael@paquier.xyz>
To: "Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-bugs@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T02:10:18Z
Lists: pgsql-bugs
On Mon, Apr 22, 2019 at 09:16:49PM -0400, Jonathan S. Katz wrote:
> +1; that's why I left the comparison in.
> 
> (e.g. "md512345678901234567890123456789012zzz" would pass without strlen).

That's a hard morning...  Yes you are right and I can see the failure.
By the way, grouping everything in one patch looks more adapted to me
as this tightens all the checks for the different verifier types.
--
Michael

Commits

  1. Fix detection of passwords hashed with MD5

  2. Fix detection of passwords hashed with MD5 or SCRAM-SHA-256