NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitbf6b9e9

committed

Don't allow logging in with empty password.

Some authentication methods allowed it, others did not. In the client-side,libpq does not even try to authenticate with an empty password, which makesusing empty passwords hazardous: an administrator might think that anaccount with an empty password cannot be used to log in, because psqldoesn't allow it, and not realize that a different client would in factallow it. To clear that confusion and to be be consistent, disallow emptypasswords in all authentication methods.All the authentication methods that used plaintext authentication over thewire, except for BSD authentication, already checked that the passwordreceived from the user was not empty. To avoid forgetting it in the futureagain, move the check to the recv_password_packet function. That onlyforbids using an empty password with plaintext authentication, however.MD5 and SCRAM need a different fix:* In stable branches, check that the MD5 hash stored for the user does notnot correspond to an empty string. This adds some overhead to MD5authentication, because the server needs to compute an extra MD5 hash, butit is not noticeable in practice.* In HEAD, modify CREATE and ALTER ROLE to clear the password if an emptystring, or a password hash that corresponds to an empty string, isspecified. The user-visible behavior is the same as in the stable branches,the user cannot log in, but it seems better to stop the empty password fromentering the system in the first place. Secondly, it is fairly expensive tocheck that a SCRAM hash doesn't correspond to an empty string, becausecomputing a SCRAM hash is much more expensive than an MD5 hash by design,so better avoid doing that on every authentication.We could clear the password on CREATE/ALTER ROLE also in stable branches,but we would still need to check at authentication time, because even if weprevent empty passwords from being stored in pg_authid, there might beexisting ones there already.Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.Security:CVE-2017-7546

1 parent86524f0 commitbf6b9e9Copy full SHA for bf6b9e9

File tree

6 files changed

+117

-38

lines changed

doc/src/sgml/ref
- create_role.sgml
src
- backend
  - commands
    - user.c
  - libpq
    - auth.c
    - crypt.c
- test/regress
  - expected
    - password.out
  - sql
    - password.sql

6 files changed

+117

-38

lines changed

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -219,6 +219,17 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`219`	`219`	`user. A null password can optionally be written explicitly as`
`220`	`220`	`<literal>PASSWORD NULL</literal>.`
`221`	`221`	`</para>`
	`222`	`+ <note>`
	`223`	`+ <para>`
	`224`	`+ Specifying an empty string will also set the password to null,`
	`225`	`+ but that was not the case before <productname>PostgreSQL</>`
	`226`	`+ version 10. In earlier versions, an empty string could be used,`
	`227`	`+ or not, depending on the authentication method and the exact`
	`228`	`+ version, and libpq would refuse to use it in any case.`
	`229`	`+ To avoid the ambiguity, specifying an empty string should be`
	`230`	`+ avoided.`
	`231`	`+ </para>`
	`232`	`+ </note>`
`222`	`233`	`<para>`
`223`	`234`	`The password is always stored encrypted in the system catalogs. The`
`224`	`235`	`<literal>ENCRYPTED</> keyword has no effect, but is accepted for`

`‎src/backend/commands/user.c`

Lines changed: 45 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -384,13 +384,36 @@ CreateRole(ParseState pstate, CreateRoleStmt stmt)`
`384`	`384`
`385`	`385`	`if (password)`
`386`	`386`	`{`
`387`		`-/* Encrypt the password to the requested format. */`
`388`	`387`	`char*shadow_pass;`
	`388`	`+char*logdetail;`
`389`	`389`
`390`		`-shadow_pass=encrypt_password(Password_encryption,stmt->role,`
`391`		`-password);`
`392`		`-new_record[Anum_pg_authid_rolpassword-1]=`
`393`		`-CStringGetTextDatum(shadow_pass);`
	`390`	`+/*`
	`391`	`+ * Don't allow an empty password. Libpq treats an empty password the`
	`392`	`+ * same as no password at all, and won't even try to authenticate. But`
	`393`	`+ * other clients might, so allowing it would be confusing. By clearing`
	`394`	`+ * the password when an empty string is specified, the account is`
	`395`	`+ * consistently locked for all clients.`
	`396`	`+ *`
	`397`	`+ * Note that this only covers passwords stored in the database itself.`
	`398`	`+ * There are also checks in the authentication code, to forbid an`
	`399`	`+ * empty password from being used with authentication methods that`
	`400`	`+ * fetch the password from an external system, like LDAP or PAM.`
	`401`	`+ */`
	`402`	`+if (password[0]=='\0'\|\|`
	`403`	`+plain_crypt_verify(stmt->role,password,"",&logdetail)==STATUS_OK)`
	`404`	`+{`
	`405`	`+ereport(NOTICE,`
	`406`	`+(errmsg("empty string is not a valid password, clearing password")));`
	`407`	`+new_record_nulls[Anum_pg_authid_rolpassword-1]= true;`
	`408`	`+}`
	`409`	`+else`
	`410`	`+{`
	`411`	`+/* Encrypt the password to the requested format. */`
	`412`	`+shadow_pass=encrypt_password(Password_encryption,stmt->role,`
	`413`	`+password);`
	`414`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`415`	`+CStringGetTextDatum(shadow_pass);`
	`416`	`+}`
`394`	`417`	`}`
`395`	`418`	`else`
`396`	`419`	`new_record_nulls[Anum_pg_authid_rolpassword-1]= true;`
`@@ -782,13 +805,25 @@ AlterRole(AlterRoleStmt *stmt)`
`782`	`805`	`/* password */`
`783`	`806`	`if (password)`
`784`	`807`	`{`
`785`		`-/* Encrypt the password to the requested format. */`
`786`	`808`	`char*shadow_pass;`
	`809`	`+char*logdetail;`
`787`	`810`
`788`		`-shadow_pass=encrypt_password(Password_encryption,rolename,`
`789`		`-password);`
`790`		`-new_record[Anum_pg_authid_rolpassword-1]=`
`791`		`-CStringGetTextDatum(shadow_pass);`
	`811`	`+/* Like in CREATE USER, don't allow an empty password. */`
	`812`	`+if (password[0]=='\0'\|\|`
	`813`	`+plain_crypt_verify(rolename,password,"",&logdetail)==STATUS_OK)`
	`814`	`+{`
	`815`	`+ereport(NOTICE,`
	`816`	`+(errmsg("empty string is not a valid password, clearing password")));`
	`817`	`+new_record_nulls[Anum_pg_authid_rolpassword-1]= true;`
	`818`	`+}`
	`819`	`+else`
	`820`	`+{`
	`821`	`+/* Encrypt the password to the requested format. */`
	`822`	`+shadow_pass=encrypt_password(Password_encryption,rolename,`
	`823`	`+password);`
	`824`	`+new_record[Anum_pg_authid_rolpassword-1]=`
	`825`	`+CStringGetTextDatum(shadow_pass);`
	`826`	`+}`
`792`	`827`	`new_record_repl[Anum_pg_authid_rolpassword-1]= true;`
`793`	`828`	`}`
`794`	`829`

`‎src/backend/libpq/auth.c`

Lines changed: 40 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -688,6 +688,24 @@ recv_password_packet(Port *port)`
`688`	`688`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`689`	`689`	`errmsg("invalid password packet size")));`
`690`	`690`
	`691`	`+/*`
	`692`	`+ * Don't allow an empty password. Libpq treats an empty password the same`
	`693`	`+ * as no password at all, and won't even try to authenticate. But other`
	`694`	`+ * clients might, so allowing it would be confusing.`
	`695`	`+ *`
	`696`	`+ * Note that this only catches an empty password sent by the client in`
	`697`	`+ * plaintext. There's also a check in CREATE/ALTER USER that prevents an`
	`698`	`+ * empty string from being stored as a user's password in the first place.`
	`699`	`+ * We rely on that for MD5 and SCRAM authentication, but we still need`
	`700`	`+ * this check here, to prevent an empty password from being used with`
	`701`	`+ * authentication methods that check the password against an external`
	`702`	`+ * system, like PAM, LDAP and RADIUS.`
	`703`	`+ */`
	`704`	`+if (buf.len==1)`
	`705`	`+ereport(ERROR,`
	`706`	`+(errcode(ERRCODE_INVALID_PASSWORD),`
	`707`	`+errmsg("empty password returned by client")));`
	`708`	`+`
`691`	`709`	`/* Do not echo password to logs, for security. */`
`692`	`710`	`elog(DEBUG5,"received password packet");`
`693`	`711`
`@@ -2081,12 +2099,6 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,`
`2081`	`2099`	`*/`
`2082`	`2100`	`gotofail;`
`2083`	`2101`	`}`
`2084`		`-if (strlen(passwd)==0)`
`2085`		`-{`
`2086`		`-ereport(LOG,`
`2087`		`-(errmsg("empty password returned by client")));`
`2088`		`-gotofail;`
`2089`		`-}`
`2090`	`2102`	`}`
`2091`	`2103`	`if ((reply[i].resp=strdup(passwd))==NULL)`
`2092`	`2104`	`gotofail;`
`@@ -2277,6 +2289,8 @@ CheckBSDAuth(Port port, char user)`
`2277`	`2289`	`*/`
`2278`	`2290`	`retval=auth_userokay(user,NULL,"auth-postgresql",passwd);`
`2279`	`2291`
	`2292`	`+pfree(passwd);`
	`2293`	`+`
`2280`	`2294`	`if (!retval)`
`2281`	`2295`	`returnSTATUS_ERROR;`
`2282`	`2296`
`@@ -2407,16 +2421,12 @@ CheckLDAPAuth(Port *port)`
`2407`	`2421`	`if (passwd==NULL)`
`2408`	`2422`	`returnSTATUS_EOF;/* client wouldn't send password */`
`2409`	`2423`
`2410`		`-if (strlen(passwd)==0)`
`2411`		`-{`
`2412`		`-ereport(LOG,`
`2413`		`-(errmsg("empty password returned by client")));`
`2414`		`-returnSTATUS_ERROR;`
`2415`		`-}`
`2416`		`-`
`2417`	`2424`	`if (InitializeLDAPConnection(port,&ldap)==STATUS_ERROR)`
	`2425`	`+{`
`2418`	`2426`	`/* Error message already sent */`
	`2427`	`+pfree(passwd);`
`2419`	`2428`	`returnSTATUS_ERROR;`
	`2429`	`+}`
`2420`	`2430`
`2421`	`2431`	`if (port->hba->ldapbasedn)`
`2422`	`2432`	`{`
`@@ -2448,6 +2458,7 @@ CheckLDAPAuth(Port *port)`
`2448`	`2458`	`{`
`2449`	`2459`	`ereport(LOG,`
`2450`	`2460`	`(errmsg("invalid character in user name for LDAP authentication")));`
	`2461`	`+pfree(passwd);`
`2451`	`2462`	`returnSTATUS_ERROR;`
`2452`	`2463`	`}`
`2453`	`2464`	`}`
`@@ -2464,6 +2475,7 @@ CheckLDAPAuth(Port *port)`
`2464`	`2475`	`ereport(LOG,`
`2465`	`2476`	`(errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",`
`2466`	`2477`	`port->hba->ldapbinddn,port->hba->ldapserver,ldap_err2string(r))));`
	`2478`	`+pfree(passwd);`
`2467`	`2479`	`returnSTATUS_ERROR;`
`2468`	`2480`	`}`
`2469`	`2481`
`@@ -2488,6 +2500,7 @@ CheckLDAPAuth(Port *port)`
`2488`	`2500`	`ereport(LOG,`
`2489`	`2501`	`(errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",`
`2490`	`2502`	`filter,port->hba->ldapserver,ldap_err2string(r))));`
	`2503`	`+pfree(passwd);`
`2491`	`2504`	`pfree(filter);`
`2492`	`2505`	`returnSTATUS_ERROR;`
`2493`	`2506`	`}`
`@@ -2508,6 +2521,7 @@ CheckLDAPAuth(Port *port)`
`2508`	`2521`	`count,`
`2509`	`2522`	`filter,port->hba->ldapserver,count)));`
`2510`	`2523`
	`2524`	`+pfree(passwd);`
`2511`	`2525`	`pfree(filter);`
`2512`	`2526`	`ldap_msgfree(search_message);`
`2513`	`2527`	`returnSTATUS_ERROR;`
`@@ -2523,6 +2537,7 @@ CheckLDAPAuth(Port *port)`
`2523`	`2537`	`ereport(LOG,`
`2524`	`2538`	`(errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",`
`2525`	`2539`	`filter,port->hba->ldapserver,ldap_err2string(error))));`
	`2540`	`+pfree(passwd);`
`2526`	`2541`	`pfree(filter);`
`2527`	`2542`	`ldap_msgfree(search_message);`
`2528`	`2543`	`returnSTATUS_ERROR;`
`@@ -2543,6 +2558,7 @@ CheckLDAPAuth(Port *port)`
`2543`	`2558`	`ereport(LOG,`
`2544`	`2559`	`(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",`
`2545`	`2560`	`fulluser,port->hba->ldapserver,ldap_err2string(error))));`
	`2561`	`+pfree(passwd);`
`2546`	`2562`	`pfree(fulluser);`
`2547`	`2563`	`returnSTATUS_ERROR;`
`2548`	`2564`	`}`
`@@ -2553,6 +2569,7 @@ CheckLDAPAuth(Port *port)`
`2553`	`2569`	`*/`
`2554`	`2570`	`if (InitializeLDAPConnection(port,&ldap)==STATUS_ERROR)`
`2555`	`2571`	`{`
	`2572`	`+pfree(passwd);`
`2556`	`2573`	`pfree(fulluser);`
`2557`	`2574`
`2558`	`2575`	`/* Error message already sent */`
`@@ -2573,10 +2590,12 @@ CheckLDAPAuth(Port *port)`
`2573`	`2590`	`ereport(LOG,`
`2574`	`2591`	`(errmsg("LDAP login failed for user \"%s\" on server \"%s\": %s",`
`2575`	`2592`	`fulluser,port->hba->ldapserver,ldap_err2string(r))));`
	`2593`	`+pfree(passwd);`
`2576`	`2594`	`pfree(fulluser);`
`2577`	`2595`	`returnSTATUS_ERROR;`
`2578`	`2596`	`}`
`2579`	`2597`
	`2598`	`+pfree(passwd);`
`2580`	`2599`	`pfree(fulluser);`
`2581`	`2600`
`2582`	`2601`	`returnSTATUS_OK;`
`@@ -2720,17 +2739,11 @@ CheckRADIUSAuth(Port *port)`
`2720`	`2739`	`if (passwd==NULL)`
`2721`	`2740`	`returnSTATUS_EOF;/* client wouldn't send password */`
`2722`	`2741`
`2723`		`-if (strlen(passwd)==0)`
`2724`		`-{`
`2725`		`-ereport(LOG,`
`2726`		`-(errmsg("empty password returned by client")));`
`2727`		`-returnSTATUS_ERROR;`
`2728`		`-}`
`2729`		`-`
`2730`	`2742`	`if (strlen(passwd)>RADIUS_MAX_PASSWORD_LENGTH)`
`2731`	`2743`	`{`
`2732`	`2744`	`ereport(LOG,`
`2733`	`2745`	`(errmsg("RADIUS authentication does not support passwords longer than %d characters",RADIUS_MAX_PASSWORD_LENGTH)));`
	`2746`	`+pfree(passwd);`
`2734`	`2747`	`returnSTATUS_ERROR;`
`2735`	`2748`	`}`
`2736`	`2749`
`@@ -2756,9 +2769,15 @@ CheckRADIUSAuth(Port *port)`
`2756`	`2769`	`*------`
`2757`	`2770`	`*/`
`2758`	`2771`	`if (ret==STATUS_OK)`
	`2772`	`+{`
	`2773`	`+pfree(passwd);`
`2759`	`2774`	`returnSTATUS_OK;`
	`2775`	`+}`
`2760`	`2776`	`elseif (ret==STATUS_EOF)`
	`2777`	`+{`
	`2778`	`+pfree(passwd);`
`2761`	`2779`	`returnSTATUS_ERROR;`
	`2780`	`+}`
`2762`	`2781`
`2763`	`2782`	`/*`
`2764`	`2783`	`* secret, port and identifiers either have length 0 (use default),`
`@@ -2775,6 +2794,7 @@ CheckRADIUSAuth(Port *port)`
`2775`	`2794`	`}`
`2776`	`2795`
`2777`	`2796`	`/* No servers left to try, so give up */`
	`2797`	`+pfree(passwd);`
`2778`	`2798`	`returnSTATUS_ERROR;`
`2779`	`2799`	`}`
`2780`	`2800`

`‎src/backend/libpq/crypt.c`

Lines changed: 0 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -71,14 +71,6 @@ get_role_password(const char role, char *logdetail)`
`71`	`71`
`72`	`72`	`ReleaseSysCache(roleTup);`
`73`	`73`
`74`		`-if (*shadow_pass=='\0')`
`75`		`-{`
`76`		`-*logdetail=psprintf(_("User \"%s\" has an empty password."),`
`77`		`-role);`
`78`		`-pfree(shadow_pass);`
`79`		`-returnNULL;/* empty password */`
`80`		`-}`
`81`		`-`
`82`	`74`	`/*`
`83`	`75`	`* Password OK, but check to be sure we are not past rolvaliduntil`
`84`	`76`	`*/`

`‎src/test/regress/expected/password.out`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -75,11 +75,25 @@ SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+`
`75`	`75`	`regress_passwd5 \| md5e73a4b11df52a6068f8b39f90be36023`
`76`	`76`	`(5 rows)`
`77`	`77`
	`78`	`+-- An empty password is not allowed, in any form`
	`79`	`+CREATE ROLE regress_passwd_empty PASSWORD '';`
	`80`	`+NOTICE: empty string is not a valid password, clearing password`
	`81`	`+ALTER ROLE regress_passwd_empty PASSWORD 'md585939a5ce845f1a1b620742e3c659e0a';`
	`82`	`+NOTICE: empty string is not a valid password, clearing password`
	`83`	`+ALTER ROLE regress_passwd_empty PASSWORD 'SCRAM-SHA-256$4096:hpFyHTUsSWcR7O9P$LgZFIt6Oqdo27ZFKbZ2nV+vtnYM995pDh9ca6WSi120=:qVV5NeluNfUPkwm7Vqat25RjSPLkGeoZBQs6wVv+um4=';`
	`84`	`+NOTICE: empty string is not a valid password, clearing password`
	`85`	`+SELECT rolpassword FROM pg_authid WHERE rolname='regress_passwd_empty';`
	`86`	`+ rolpassword`
	`87`	`+-------------`
	`88`	`+`
	`89`	`+(1 row)`
	`90`	`+`
`78`	`91`	`DROP ROLE regress_passwd1;`
`79`	`92`	`DROP ROLE regress_passwd2;`
`80`	`93`	`DROP ROLE regress_passwd3;`
`81`	`94`	`DROP ROLE regress_passwd4;`
`82`	`95`	`DROP ROLE regress_passwd5;`
	`96`	`+DROP ROLE regress_passwd_empty;`
`83`	`97`	`-- all entries should have been removed`
`84`	`98`	`SELECT rolname, rolpassword`
`85`	`99`	`FROM pg_authid`

`‎src/test/regress/sql/password.sql`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,11 +59,18 @@ SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+`
`59`	`59`	`WHERE rolnameLIKE'regress_passwd%'`
`60`	`60`	`ORDER BY rolname, rolpassword;`
`61`	`61`
	`62`	`+-- An empty password is not allowed, in any form`
	`63`	`+CREATE ROLE regress_passwd_empty PASSWORD'';`
	`64`	`+ALTER ROLE regress_passwd_empty PASSWORD'md585939a5ce845f1a1b620742e3c659e0a';`
	`65`	`+ALTER ROLE regress_passwd_empty PASSWORD'SCRAM-SHA-256$4096:hpFyHTUsSWcR7O9P$LgZFIt6Oqdo27ZFKbZ2nV+vtnYM995pDh9ca6WSi120=:qVV5NeluNfUPkwm7Vqat25RjSPLkGeoZBQs6wVv+um4=';`
	`66`	`+SELECT rolpasswordFROM pg_authidWHERE rolname='regress_passwd_empty';`
	`67`	`+`
`62`	`68`	`DROP ROLE regress_passwd1;`
`63`	`69`	`DROP ROLE regress_passwd2;`
`64`	`70`	`DROP ROLE regress_passwd3;`
`65`	`71`	`DROP ROLE regress_passwd4;`
`66`	`72`	`DROP ROLE regress_passwd5;`
	`73`	`+DROP ROLE regress_passwd_empty;`
`67`	`74`
`68`	`75`	`-- all entries should have been removed`
`69`	`76`	`SELECT rolname, rolpassword`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbf6b9e9

File tree

6 files changed

6 files changed

`‎doc/src/sgml/ref/create_role.sgml`

`‎src/backend/commands/user.c`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/crypt.c`

`‎src/test/regress/expected/password.out`

`‎src/test/regress/sql/password.sql`

0 commit comments