NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit0557a5d

committed

Make SCRAM salts and nonces longer.

The salt is stored base64-encoded. With the old 10 bytes raw length, it wasalways padded to 16 bytes after encoding. We might as well use 12 raw bytesfor the salt, and it's still encoded into 16 bytes.Similarly for the random nonces, use a raw length that's divisible by 3, sothat there's no padding after base64 encoding. Make the nonces longer whilewe're at it. 10 bytes was probably enough to prevent replay attacks, butthere's no reason to be skimpy here.Per suggestion from Álvaro Hernández Tortosa.Discussion:https://www.postgresql.org/message-id/df8c6e27-4d8e-5281-96e5-131a4e638fc8@8kdata.com

1 parente6e9c4d commit0557a5dCopy full SHA for 0557a5d

File tree

3 files changed

-6

lines changed

src
- include/common
  - scram-common.h
- test/regress
  - expected
    - password.out
  - sql
    - password.sql

3 files changed

-6

lines changed

`‎src/include/common/scram-common.h`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,10 +26,10 @@`
`26`	`26`	`* is in "raw" number of bytes, the actual nonces sent over the wire are`
`27`	`27`	`* encoded using only ASCII-printable characters.`
`28`	`28`	`*/`
`29`		`-#defineSCRAM_RAW_NONCE_LEN10`
	`29`	`+#defineSCRAM_RAW_NONCE_LEN18`
`30`	`30`
`31`	`31`	`/* length of salt when generating new verifiers */`
`32`		`-#defineSCRAM_DEFAULT_SALT_LEN10`
	`32`	`+#defineSCRAM_DEFAULT_SALT_LEN12`
`33`	`33`
`34`	`34`	`/* default number of iterations when generating verifier */`
`35`	`35`	`#defineSCRAM_DEFAULT_ITERATIONS4096`

`‎src/test/regress/expected/password.out`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;`
`27`	`27`	`--`
`28`	`28`	`-- Since the salt is random, the exact value stored will be different on every test`
`29`	`29`	`-- run. Use a regular expression to mask the changing parts.`
`30`		`-SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
	`30`	`+SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
`31`	`31`	`FROM pg_authid`
`32`	`32`	`WHERE rolname LIKE 'regress_passwd%'`
`33`	`33`	`ORDER BY rolname, rolpassword;`
`@@ -63,7 +63,7 @@ ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:VLK4RMaQLCvNtQ`
`63`	`63`	`SET password_encryption = 'scram-sha-256';`
`64`	`64`	`ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier`
`65`	`65`	`CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is`
`66`		`-SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
	`66`	`+SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked`
`67`	`67`	`FROM pg_authid`
`68`	`68`	`WHERE rolname LIKE 'regress_passwd%'`
`69`	`69`	`ORDER BY rolname, rolpassword;`

`‎src/test/regress/sql/password.sql`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;`
`28`	`28`	`--`
`29`	`29`	`-- Since the salt is random, the exact value stored will be different on every test`
`30`	`30`	`-- run. Use a regular expression to mask the changing parts.`
`31`		`-SELECT rolname, regexp_replace(rolpassword,'(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)','\1$\2:<salt>$<storedkey>:<serverkey>')as rolpassword_masked`
	`31`	`+SELECT rolname, regexp_replace(rolpassword,'(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)','\1$\2:<salt>$<storedkey>:<serverkey>')as rolpassword_masked`
`32`	`32`	`FROM pg_authid`
`33`	`33`	`WHERE rolnameLIKE'regress_passwd%'`
`34`	`34`	`ORDER BY rolname, rolpassword;`
`@@ -54,7 +54,7 @@ SET password_encryption = 'scram-sha-256';`
`54`	`54`	`ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD'foo';-- create SCRAM verifier`
`55`	`55`	`CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD'md53725413363ab045e20521bf36b8d8d7f';-- encrypted with MD5, use as it is`
`56`	`56`
`57`		`-SELECT rolname, regexp_replace(rolpassword,'(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)','\1$\2:<salt>$<storedkey>:<serverkey>')as rolpassword_masked`
	`57`	`+SELECT rolname, regexp_replace(rolpassword,'(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/=]+)\$([a-zA-Z0-9+=/]+):([a-zA-Z0-9+/=]+)','\1$\2:<salt>$<storedkey>:<serverkey>')as rolpassword_masked`
`58`	`58`	`FROM pg_authid`
`59`	`59`	`WHERE rolnameLIKE'regress_passwd%'`
`60`	`60`	`ORDER BY rolname, rolpassword;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0557a5d

File tree

3 files changed

3 files changed

`‎src/include/common/scram-common.h`

`‎src/test/regress/expected/password.out`

`‎src/test/regress/sql/password.sql`

0 commit comments