Re: Modern SHA2- based password hashes for pgcrypto

Bernd Helmle <mailings@oopsware.de>

From: Bernd Helmle <mailings@oopsware.de>
To: Japin Li <japinli@hotmail.com>
Cc: PostgreSQL Development <pgsql-hackers@postgresql.org>
Date: 2025-01-07T17:48:25Z
Lists: pgsql-hackers

Attachments

Am Samstag, dem 04.01.2025 um 08:19 +0800 schrieb Japin Li:
> (gdb) bt
> #0  __pthread_kill_implementation (no_tid=0, signo=6,
> threadid=<optimized out>) at ./nptl/pthread_kill.c:44
> #1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at
> ./nptl/pthread_kill.c:78
> #2  __GI___pthread_kill (threadid=<optimized out>,
> signo=signo@entry=6) at ./nptl/pthread_kill.c:89
> #3  0x00007ba852a4526e in __GI_raise (sig=sig@entry=6) at
> ../sysdeps/posix/raise.c:26
> #4  0x00007ba852a288ff in __GI_abort () at ./stdlib/abort.c:79
> #5  0x00007ba852a297b6 in __libc_message_impl
> (fmt=fmt@entry=0x7ba852bce765 "*** %s ***: terminated\n") at
> ../sysdeps/posix/libc_fatal.c:132
> #6  0x00007ba852b36c19 in __GI___fortify_fail
> (msg=msg@entry=0x7ba852bce77d "stack smashing detected") at
> ./debug/fortify_fail.c:24
> #7  0x00007ba852b37ea4 in __stack_chk_fail () at
> ./debug/stack_chk_fail.c:24
> #8  0x00007ba853d8cb2e in px_crypt_shacrypt (pw=0x64e191229370
> "hello", salt=0x64e191229388 "$5$$6$rounds=10000$/Zg436s2vmTwsoSz",
> passwd=0x64e1912293d8
> "$6$rounds=10000$/Zg436s2vmTwsoSz$TTCnOO7S5pkJHBVJ.oL74WN1Yt0n1RfQOWd
> 60CRb4xtd9q7ChipyZ00jwYZfhDGRRJOoJNOgYKAVGpdmA8qhT1", dstlen=128) at
> /data/Codes/pg/master/build/../contrib/pgcrypto/crypt-sha.c:546

Thank you very much.

This points to the same area i've investigated and it turned out i
confused length macros for the password salt, leading to the out_buf
buffer in px_crypt_shacrypt() being too small, stupid me.

Attached is a new version of the patch:

- Use correct length for the out_buf result buffer in
px_crypt_shacrypt()

- Silent a compiler warning in the error goto branch in
px_crypt_shacrypt()

- Don't accept rounds values lower or larger than supported (previously
they were silently changed to minimum/maximum).

- Per your suggestions, use CHECK_FOR_INTERRUPTS() during block
calculation to make it possible to interrupt the code when using large
values for the rounds option and just rely on the very first three
bytes when parsing the magic bytes of the salt string.

Please test again.
	
	Bernd

Commits

  1. Follow-up fixes for SHA-2 patch (commit 749a9e20c).

  2. Add modern SHA-2 based password hashes to pgcrypto.