Home > mailing lists

[COMMITTERS] pgsql: Make SCRAM salts and nonces longer. - Mailing list pgsql-committers

From	Heikki Linnakangas
Subject	[COMMITTERS] pgsql: Make SCRAM salts and nonces longer.
Date	May 5, 2017 13:14:53
Msg-id	E1d6XS1-0005PL-0C@gemulon.postgresql.org Whole thread Raw
List	pgsql-committers

Tree view

Make SCRAM salts and nonces longer.

The salt is stored base64-encoded. With the old 10 bytes raw length, it was
always padded to 16 bytes after encoding. We might as well use 12 raw bytes
for the salt, and it's still encoded into 16 bytes.

Similarly for the random nonces, use a raw length that's divisible by 3, so
that there's no padding after base64 encoding. Make the nonces longer while
we're at it. 10 bytes was probably enough to prevent replay attacks, but
there's no reason to be skimpy here.

Per suggestion from Álvaro Hernández Tortosa.

Discussion: https://www.postgresql.org/message-id/df8c6e27-4d8e-5281-96e5-131a4e638fc8@8kdata.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/0557a5dc2cf845639d384801b6861ebbd35dc7ee

Modified Files
--------------
src/include/common/scram-common.h      | 4 ++--
src/test/regress/expected/password.out | 4 ++--
src/test/regress/sql/password.sql      | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)

pgsql-committers by date:

From: Heikki Linnakangas
Date: 05 May 2017, 13:14:52
Subject: [COMMITTERS] pgsql: Don't use SCRAM-specific "e=invalid-proof" on invalid password.

From: Heikki Linnakangas
Date: 05 May 2017, 14:35:41
Subject: [COMMITTERS] pgsql: Give nicer error message when connecting to a v10 serverrequiri

[COMMITTERS] pgsql: Make SCRAM salts and nonces longer. - Mailing list pgsql-committers

Previous

Next