| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
| Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-bugs(at)lists(dot)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Date: | 2019-04-22 22:42:01 |
| Message-ID: | 30284.1555972921@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
"Jonathan S. Katz" <jkatz(at)postgresql(dot)org> writes:
> OK, so I have something that sort of works, i.e:
> if (strncmp(shadow_pass, "md5", 3) == 0 &&
> strlen(shadow_pass) == MD5_PASSWD_LEN &&
> strspn(shadow_pass, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN
> )
> where MD5_PASSWD_CHARSET = "mabcdef0123456789"
> ...but you may notice something: the CHARSET contains an "m" as we store
> that "md5" prefix on the md5 hashed passwords.
Yeah, that's silly; why not
strspn(shadow_pass + 3, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN - 3
It's not like this code isn't very well aware of the first 3 characters
being not like the others.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jonathan S. Katz | 2019-04-22 23:36:45 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |
| Previous Message | Jonathan S. Katz | 2019-04-22 22:32:45 | Re: Possible to store invalid SCRAM-SHA-256 Passwords |