Re: Possible to store invalid SCRAM-SHA-256 Passwords
From | Jonathan S. Katz
---|---
Subject | Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date |
Msg-id | 17ed1a12-14df-a501-8b58-f4d1eba49e3f@postgresql.org
In reply to | Re: Possible to store invalid SCRAM-SHA-256 Passwords (Michael Paquier <michael@paquier.xyz>)
Responses | Re: Possible to store invalid SCRAM-SHA-256 Passwords
List | pgsql-bugs
On 4/21/19 9:50 PM, Michael Paquier wrote:
> On Sat, Apr 20, 2019 at 04:12:56PM -0400, Jonathan S. Katz wrote:
>> I modified the "get_password_type" function to perform a SCRAM
>> verification to see if it is a properly hashed SCRAM password. If it is,
>> we treat the password as a SCRAM hashed one. Otherwise, we proceed to
>> the next step, which is to treat it as a plainly stored one.
>
> Since v10, we don't allow the storage of plain verifiers so if a
> string does not match what we think is a correct SCRAM or MD5
> verifier, then it should be processed according to
> password_encryption when storing the verifier or processed according
> to the auth protocol with the HBA entry matching. Your patch looks
> fine to me, I would have just added a test case in password.sql (no
> need to send a new patch I can take care of it).

Thanks for verifying. I'm happy to add the test case -- I first wanted to
ensure I was on the right track.

> Any objections to back-patch that stuff to v10?

+1; I did not try it out, but am very confident that scenario #2 would
demonstrate the bug exists in 10 as well.

Thanks,

Jonathan
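The message above describes the fix in terms of behaviour only: `get_password_type` should parse the stored string as a SCRAM verifier and fall back to treating it as a plaintext password when that parse fails, rather than trusting the `SCRAM-SHA-256$` prefix alone. The following is an added illustration of that classification logic written for this page; it is not PostgreSQL's code and not the patch under discussion. It assumes PostgreSQL's verifier layout `SCRAM-SHA-256$<iterations>:<base64 salt>$<base64 StoredKey>:<base64 ServerKey>` with 32-byte keys, models the MD5 form as `md5` followed by 32 hex digits, and omits the SASLprep normalisation the server applies to passwords. The names `parse_scram_verifier`, `build_scram_verifier` and the result labels are the example's own.

```python
import base64
import binascii
import hashlib
import hmac
import re

# Assumptions for this example (not taken from the thread):
SCRAM_PREFIX = "SCRAM-SHA-256$"
KEY_LEN = hashlib.sha256().digest_size  # StoredKey/ServerKey are SHA-256 outputs, 32 bytes
MD5_VERIFIER_RE = re.compile(r"md5[0-9a-f]{32}")


def _b64decode_strict(text):
    """Decode base64, returning None instead of raising on bad input."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_scram_verifier(verifier):
    """Return (iterations, salt, stored_key, server_key) if `verifier` is a
    well-formed SCRAM-SHA-256 verifier, otherwise None.

    A bare prefix match is deliberately not enough: every field must decode
    and the two keys must have the digest length."""
    if not verifier.startswith(SCRAM_PREFIX):
        return None
    fields = verifier[len(SCRAM_PREFIX):].split("$")
    if len(fields) != 2:
        return None
    iter_and_salt, keys = fields
    if ":" not in iter_and_salt or ":" not in keys:
        return None
    iter_text, salt_b64 = iter_and_salt.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    if not iter_text.isdigit() or int(iter_text) < 1:
        return None
    salt = _b64decode_strict(salt_b64)
    stored_key = _b64decode_strict(stored_b64)
    server_key = _b64decode_strict(server_b64)
    if not salt or stored_key is None or server_key is None:
        return None
    if len(stored_key) != KEY_LEN or len(server_key) != KEY_LEN:
        return None
    return int(iter_text), salt, stored_key, server_key


def get_password_type(value):
    """Classify a string the way the thread describes: a string is SCRAM
    only if it verifies as one, MD5 if it has the md5 form, else plain."""
    if parse_scram_verifier(value) is not None:
        return "scram-sha-256"
    if MD5_VERIFIER_RE.fullmatch(value):
        return "md5"
    return "plain"


def build_scram_verifier(password, salt, iterations=4096):
    """Derive a verifier from a password (RFC 5802/7677 key derivation,
    SASLprep omitted here) so the parser can be exercised on real input."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"{SCRAM_PREFIX}{iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


if __name__ == "__main__":
    # Constructed sample inputs: a real verifier, a prefix-only impostor, an MD5 form, plaintext.
    good = build_scram_verifier("correct horse", b"0123456789abcdef")
    for candidate in (good, "SCRAM-SHA-256$4096:abc$not-a-verifier", "md5" + "0" * 32, "hunter2"):
        print(get_password_type(candidate), candidate[:40])
```

The second sample is the case the thread is about: a string that begins with the SCRAM prefix but is not a valid verifier is reported as `plain`, so a caller would go on to hash it under `password_encryption` instead of storing it verbatim.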