Thread: BUG #16164: Sending shared secret in all low case

BUG #16164: Sending shared secret in all low case

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      16164
Logged by:          Min Wang
Email address:      min.wang@theice.com
PostgreSQL version: 11.5
Operating system:   Red Hat Enterprise Linux Server release 7.6 (Maipo
Description:

Sending shared secret in all low case for RADIUS user authentication


Re: BUG #16164: Sending shared secret in all low case

From
Bruce Momjian
Date:
On Thu, Dec 12, 2019 at 08:15:22PM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16164
> Logged by:          Min Wang
> Email address:      min.wang@theice.com
> PostgreSQL version: 11.5
> Operating system:   Red Hat Enterprise Linux Server release 7.6 (Maipo
> Description:        
> 
> Sending shared secret in all low case for RADIUS user authentication

This was reported and fixed in November:


https://www.postgresql.org/message-id/flat/BC05948D-9509-4F30-A350-7E2C36570CF1%40palantir.com#26361cd70c0804f957f54d716bd3c820

with this commit:

    commit 7618eaf5f3
    Author: Tom Lane <tgl@sss.pgh.pa.us>
    Date:   Wed Nov 13 13:41:04 2019 -0500
    
        Avoid downcasing/truncation of RADIUS authentication parameters.
    
        Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists
        rather than single values.  But its use of SplitIdentifierString
        to parse the list format was not very carefully thought through,
        because that function thinks it's parsing SQL identifiers, which
        means it will (a) downcase the strings and (b) truncate them to
        be shorter than NAMEDATALEN.  While downcasing should be harmless
        for the server names and ports, it's just wrong for the shared
        secrets, and probably for the NAS Identifier strings as well.
        The truncation aspect is at least potentially a problem too,
        though typical values for these parameters would fit in 63 bytes.
    
        Fortunately, we now have a function SplitGUCList that is exactly
        the same except for not doing the two unwanted things, so fixing
        this is a trivial matter of calling that function instead.
    
        While here, improve the documentation to show how to double-quote
        the parameter values.  I failed to resist the temptation to do
        some copy-editing as well.
    
        Report and patch from Marcos David (bug #16106); doc changes by me.
        Back-patch to v10 where the aforesaid commit came in, since this is
        arguably a regression from our previous behavior with RADIUS auth.
    
        Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org

Unfortunately the patch didn't make it into our November releases, so
you will have to wait for the next scheduled release in February for a
fix, or build from source and apply this patch.  Sorry.

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +