Re: Possible to store invalid SCRAM-SHA-256 Passwords
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: "Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Michael Paquier <michael@paquier.xyz>, pgsql-bugs@lists.postgresql.org,
Stephen Frost <sfrost@snowman.net>
Date: 2019-04-22T22:42:01Z
Lists: pgsql-bugs
"Jonathan S. Katz" <jkatz@postgresql.org> writes:
> OK, so I have something that sort of works, i.e:
> if (strncmp(shadow_pass, "md5", 3) == 0 &&
> strlen(shadow_pass) == MD5_PASSWD_LEN &&
> strspn(shadow_pass, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN
> )
> where MD5_PASSWD_CHARSET = "mabcdef0123456789"
> ...but you may notice something: the CHARSET contains an "m" as we store
> that "md5" prefix on the md5 hashed passwords.
Yeah, that's silly; why not
strspn(shadow_pass + 3, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN - 3
It's not like this code isn't very well aware of the first 3 characters
being not like the others.
regards, tom lane
Commits
-
Fix detection of passwords hashed with MD5
- a82c06f4001d 9.4.22 landed
- 20dbc84bd002 9.5.17 landed
- af298f00a1e8 9.6.13 landed
-
Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
- 15fe91e70ec6 10.8 landed
- 7f56d43663dd 11.3 landed
- ccae190b916f 12.0 landed