NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit8275325

committed

Restrict password hash length.

Commit6aa4406 removed pg_authid's TOAST table because the onlyvarlena column is rolpassword, which cannot be de-TOASTed duringauthentication because we haven't selected a database yet andcannot read pg_class. Since that change, attempts to set passwordhashes that require out-of-line storage will fail with a "row istoo big" error. This error message might be confusing to users.This commit places a limit on the length of password hashes so thatattempts to set long password hashes will fail with a moreuser-friendly error. The chosen limit of 512 bytes should besufficient to avoid "row is too big" errors independent of BLCKSZ,but it should also be lenient enough for all reasonable use-cases(or at least all the use-cases we could imagine).Reviewed-by: Tom Lane, Jonathan Katz, Michael Paquier, Jacob ChampionDiscussion:https://postgr.es/m/89e8649c-eb74-db25-7945-6d6b23992394%40gmail.com

1 parent022564f commit8275325Copy full SHA for 8275325

File tree

4 files changed

+63

-18

lines changed

src
- backend/libpq
  - crypt.c
- include/libpq
  - crypt.h
- test/regress
  - expected
    - password.out
  - sql
    - password.sql

4 files changed

+63

-18

lines changed

`‎src/backend/libpq/crypt.c`

Lines changed: 42 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ encrypt_password(PasswordType target_type, const char *role,`
`116`	`116`	`constchar*password)`
`117`	`117`	`{`
`118`	`118`	`PasswordTypeguessed_type=get_password_type(password);`
`119`		`-char*encrypted_password;`
	`119`	`+char*encrypted_password=NULL;`
`120`	`120`	`constchar*errstr=NULL;`
`121`	`121`
`122`	`122`	`if (guessed_type!=PASSWORD_TYPE_PLAINTEXT)`
`@@ -125,32 +125,56 @@ encrypt_password(PasswordType target_type, const char *role,`
`125`	`125`	`* Cannot convert an already-encrypted password from one format to`
`126`	`126`	`* another, so return it as it is.`
`127`	`127`	`*/`
`128`		`-returnpstrdup(password);`
	`128`	`+encrypted_password=pstrdup(password);`
`129`	`129`	`}`
`130`		`-`
`131`		`-switch (target_type)`
	`130`	`+else`
`132`	`131`	`{`
`133`		`-casePASSWORD_TYPE_MD5:`
`134`		`-encrypted_password=palloc(MD5_PASSWD_LEN+1);`
	`132`	`+switch (target_type)`
	`133`	`+{`
	`134`	`+casePASSWORD_TYPE_MD5:`
	`135`	`+encrypted_password=palloc(MD5_PASSWD_LEN+1);`
`135`	`136`
`136`		`-if (!pg_md5_encrypt(password,role,strlen(role),`
`137`		`-encrypted_password,&errstr))`
`138`		`-elog(ERROR,"password encryption failed: %s",errstr);`
`139`		`-returnencrypted_password;`
	`137`	`+if (!pg_md5_encrypt(password,role,strlen(role),`
	`138`	`+encrypted_password,&errstr))`
	`139`	`+elog(ERROR,"password encryption failed: %s",errstr);`
	`140`	`+break;`
`140`	`141`
`141`		`-casePASSWORD_TYPE_SCRAM_SHA_256:`
`142`		`-returnpg_be_scram_build_secret(password);`
	`142`	`+casePASSWORD_TYPE_SCRAM_SHA_256:`
	`143`	`+encrypted_password=pg_be_scram_build_secret(password);`
	`144`	`+break;`
`143`	`145`
`144`		`-casePASSWORD_TYPE_PLAINTEXT:`
`145`		`-elog(ERROR,"cannot encrypt password with 'plaintext'");`
	`146`	`+casePASSWORD_TYPE_PLAINTEXT:`
	`147`	`+elog(ERROR,"cannot encrypt password with 'plaintext'");`
	`148`	`+break;`
	`149`	`+}`
`146`	`150`	`}`
`147`	`151`
	`152`	`+Assert(encrypted_password);`
	`153`	`+`
`148`	`154`	`/*`
`149`		`- * This shouldn't happen, because the above switch statements should`
`150`		`- * handle every combination of source and target password types.`
	`155`	`+ * Valid password hashes may be very long, but we don't want to store`
	`156`	`+ * anything that might need out-of-line storage, since de-TOASTing won't`
	`157`	`+ * work during authentication because we haven't selected a database yet`
	`158`	`+ * and cannot read pg_class. 512 bytes should be more than enough for all`
	`159`	`+ * practical use, so fail for anything longer.`
`151`	`160`	`*/`
`152`		`-elog(ERROR,"cannot encrypt password to requested type");`
`153`		`-returnNULL;/* keep compiler quiet */`
	`161`	`+if (encrypted_password&&/* keep compiler quiet */`
	`162`	`+strlen(encrypted_password)>MAX_ENCRYPTED_PASSWORD_LEN)`
	`163`	`+{`
	`164`	`+/*`
	`165`	`+ * We don't expect any of our own hashing routines to produce hashes`
	`166`	`+ * that are too long.`
	`167`	`+ */`
	`168`	`+Assert(guessed_type!=PASSWORD_TYPE_PLAINTEXT);`
	`169`	`+`
	`170`	`+ereport(ERROR,`
	`171`	`+(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),`
	`172`	`+errmsg("encrypted password is too long"),`
	`173`	`+errdetail("Encrypted passwords must be no longer than %d bytes.",`
	`174`	`+MAX_ENCRYPTED_PASSWORD_LEN)));`
	`175`	`+}`
	`176`	`+`
	`177`	`+returnencrypted_password;`
`154`	`178`	`}`
`155`	`179`
`156`	`180`	`/*`

`‎src/include/libpq/crypt.h`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,16 @@`
`15`	`15`
`16`	`16`	`#include"datatype/timestamp.h"`
`17`	`17`
	`18`	`+/*`
	`19`	`+ * Valid password hashes may be very long, but we don't want to store anything`
	`20`	`+ * that might need out-of-line storage, since de-TOASTing won't work during`
	`21`	`+ * authentication because we haven't selected a database yet and cannot read`
	`22`	`+ * pg_class. 512 bytes should be more than enough for all practical use, and`
	`23`	`+ * our own password encryption routines should never produce hashes longer than`
	`24`	`+ * this.`
	`25`	`+ */`
	`26`	`+#defineMAX_ENCRYPTED_PASSWORD_LEN (512)`
	`27`	`+`
`18`	`28`	`/*`
`19`	`29`	`* Types of password hashes or secrets.`
`20`	`30`	`*`

`‎src/test/regress/expected/password.out`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,13 @@ SELECT rolname, rolpassword not like '%A6xHKoH/494E941doaPOYg==%' as is_rolpassw`
`127`	`127`	`regress_passwd_sha_len2 \| t`
`128`	`128`	`(3 rows)`
`129`	`129`
	`130`	`+-- Test that valid hashes that are too long are rejected`
	`131`	+CREATE ROLE regress_passwd10 PASSWORD 'SCRAM-SHA-256$000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004096:wNFxNSk1hAXBkgub8py3bg==$65zC6E+R0U7tiYTC9+Wtq4Thw6gUDj3eDCINij8TflU=:rC1I7tcVugrHEY2DT0iPjGyjM4aJxkMM9n8WBxtUtHU=';
	`132`	`+ERROR: encrypted password is too long`
	`133`	`+DETAIL: Encrypted passwords must be no longer than 512 bytes.`
	`134`	+ALTER ROLE regress_passwd9 PASSWORD 'SCRAM-SHA-256$000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004096:wNFxNSk1hAXBkgub8py3bg==$65zC6E+R0U7tiYTC9+Wtq4Thw6gUDj3eDCINij8TflU=:rC1I7tcVugrHEY2DT0iPjGyjM4aJxkMM9n8WBxtUtHU=';
	`135`	`+ERROR: encrypted password is too long`
	`136`	`+DETAIL: Encrypted passwords must be no longer than 512 bytes.`
`130`	`137`	`DROP ROLE regress_passwd1;`
`131`	`138`	`DROP ROLE regress_passwd2;`
`132`	`139`	`DROP ROLE regress_passwd3;`

`‎src/test/regress/sql/password.sql`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,10 @@ SELECT rolname, rolpassword not like '%A6xHKoH/494E941doaPOYg==%' as is_rolpassw`
`95`	`95`	`WHERE rolnameLIKE'regress_passwd_sha_len%'`
`96`	`96`	`ORDER BY rolname;`
`97`	`97`
	`98`	`+-- Test that valid hashes that are too long are rejected`
	`99`	+CREATE ROLE regress_passwd10 PASSWORD'SCRAM-SHA-256$000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004096:wNFxNSk1hAXBkgub8py3bg==$65zC6E+R0U7tiYTC9+Wtq4Thw6gUDj3eDCINij8TflU=:rC1I7tcVugrHEY2DT0iPjGyjM4aJxkMM9n8WBxtUtHU=';
	`100`	+ALTER ROLE regress_passwd9 PASSWORD'SCRAM-SHA-256$000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004096:wNFxNSk1hAXBkgub8py3bg==$65zC6E+R0U7tiYTC9+Wtq4Thw6gUDj3eDCINij8TflU=:rC1I7tcVugrHEY2DT0iPjGyjM4aJxkMM9n8WBxtUtHU=';
	`101`	`+`
`98`	`102`	`DROP ROLE regress_passwd1;`
`99`	`103`	`DROP ROLE regress_passwd2;`
`100`	`104`	`DROP ROLE regress_passwd3;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8275325

File tree

4 files changed

4 files changed

`‎src/backend/libpq/crypt.c`

`‎src/include/libpq/crypt.h`

`‎src/test/regress/expected/password.out`

`‎src/test/regress/sql/password.sql`

0 commit comments