Re: Possible to store invalid SCRAM-SHA-256 Passwords - Mailing list pgsql-bugs

From Tom Lane
Subject Re: Possible to store invalid SCRAM-SHA-256 Passwords
Msg-id 30284.1555972921@sss.pgh.pa.us
In response to Re: Possible to store invalid SCRAM-SHA-256 Passwords  ("Jonathan S. Katz" <jkatz@postgresql.org>)
Responses Re: Possible to store invalid SCRAM-SHA-256 Passwords  ("Jonathan S. Katz" <jkatz@postgresql.org>)
List pgsql-bugs
"Jonathan S. Katz" <jkatz@postgresql.org> writes:
> OK, so I have something that sort of works, i.e:

> if (strncmp(shadow_pass, "md5", 3) == 0 &&
>     strlen(shadow_pass) == MD5_PASSWD_LEN &&
>     strspn(shadow_pass, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN
> )

> where MD5_PASSWD_CHARSET = "mabcdef0123456789"

> ...but you may notice something: the CHARSET contains an "m" as we store
> that "md5" prefix on the md5 hashed passwords.

Yeah, that's silly; why not

     strspn(shadow_pass + 3, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN - 3

It's not like this code isn't very well aware of the first 3 characters
being not like the others.

            regards, tom lane
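
Added example, not part of the original message or of the PostgreSQL source: the draft check and the suggested one run side by side on constructed strings, showing that a charset containing "m" lets a non-hex digest through. The value 35 for MD5_PASSWD_LEN and the names LOOSE_CHARSET, HEX_CHARSET and both function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: "md5" prefix + 32 hex digits; the thread names the constant only. */
#define MD5_PASSWD_LEN 35
/* Charset from the quoted draft: includes 'm' so the prefix passes strspn(). */
#define LOOSE_CHARSET "mabcdef0123456789"
/* Hex digits only, usable once the prefix is skipped (hypothetical name). */
#define HEX_CHARSET "0123456789abcdef"

/* Draft check: the whole string is matched against a charset containing 'm'. */
static bool
looks_like_md5_loose(const char *shadow_pass)
{
    return strncmp(shadow_pass, "md5", 3) == 0 &&
        strlen(shadow_pass) == MD5_PASSWD_LEN &&
        strspn(shadow_pass, LOOSE_CHARSET) == MD5_PASSWD_LEN;
}

/* Suggested check: skip the 3-char prefix, require the other 32 to be hex. */
static bool
looks_like_md5_strict(const char *shadow_pass)
{
    /* shadow_pass + 3 is only evaluated after the prefix and length matched. */
    return strncmp(shadow_pass, "md5", 3) == 0 &&
        strlen(shadow_pass) == MD5_PASSWD_LEN &&
        strspn(shadow_pass + 3, HEX_CHARSET) == MD5_PASSWD_LEN - 3;
}

int
main(void)
{
    /* Constructed sample values, not real password verifiers. */
    const char *samples[] = {
        "md50123456789abcdef0123456789abcdef",  /* well-formed */
        "md5m123456789abcdef0123456789abcdef",  /* 'm' inside the digest */
        "md50123456789ABCDEF0123456789abcdef",  /* uppercase hex */
        "md50123456789abcdef",                  /* too short */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s loose=%d strict=%d\n", samples[i],
               looks_like_md5_loose(samples[i]),
               looks_like_md5_strict(samples[i]));
    return 0;
}
```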


