diff options
| -rw-r--r-- | src/backend/libpq/auth.c | 36 | ||||
| -rw-r--r-- | src/backend/libpq/crypt.c | 25 |
2 files changed, 41 insertions, 20 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index f585ae0aed..ba64bcf913 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -697,6 +697,20 @@ recv_password_packet(Port *port) (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("invalid password packet size"))); + /* + * Don't allow an empty password. Libpq treats an empty password the same + * as no password at all, and won't even try to authenticate. But other + * clients might, so allowing it would be confusing. + * + * Note that this only catches an empty password sent by the client in + * plaintext. There's another check in md5_crypt_verify to prevent an + * empty password from being used with MD5 authentication. + */ + if (buf.data[0] == '\0') + ereport(ERROR, + (errcode(ERRCODE_INVALID_PASSWORD), + errmsg("empty password returned by client"))); + /* Do not echo password to logs, for security. */ elog(DEBUG5, "received password packet"); @@ -1820,12 +1834,6 @@ pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg, */ goto fail; } - if (strlen(passwd) == 0) - { - ereport(LOG, - (errmsg("empty password returned by client"))); - goto fail; - } } if ((reply[i].resp = strdup(passwd)) == NULL) goto fail; @@ -2146,16 +2154,11 @@ CheckLDAPAuth(Port *port) if (passwd == NULL) return STATUS_EOF; /* client wouldn't send password */ - if (strlen(passwd) == 0) - { - ereport(LOG, - (errmsg("empty password returned by client"))); - return STATUS_ERROR; - } - if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR) + { /* Error message already sent */ return STATUS_ERROR; + } if (port->hba->ldapbasedn) { @@ -2509,13 +2512,6 @@ CheckRADIUSAuth(Port *port) if (passwd == NULL) return STATUS_EOF; /* client wouldn't send password */ - if (strlen(passwd) == 0) - { - ereport(LOG, - (errmsg("empty password returned by client"))); - return STATUS_ERROR; - } - if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH) { ereport(LOG, diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index d79f5a2496..9cd7f787cc 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c @@ -74,12 +74,37 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass, ReleaseSysCache(roleTup); + /* + * Don't allow an empty password. Libpq treats an empty password the same + * as no password at all, and won't even try to authenticate. But other + * clients might, so allowing it would be confusing. + * + * For a plaintext password, we can simply check that it's not an empty + * string. For an encrypted password, check that it does not match the MD5 + * hash of an empty string. + */ if (*shadow_pass == '\0') { *logdetail = psprintf(_("User \"%s\" has an empty password."), role); return STATUS_ERROR; /* empty password */ } + if (isMD5(shadow_pass)) + { + char crypt_empty[MD5_PASSWD_LEN + 1]; + + if (!pg_md5_encrypt("", + port->user_name, + strlen(port->user_name), + crypt_empty)) + return STATUS_ERROR; + if (strcmp(shadow_pass, crypt_empty) == 0) + { + *logdetail = psprintf(_("User \"%s\" has an empty password."), + role); + return STATUS_ERROR; /* empty password */ + } + } /* * Compare with the encrypted or plain password depending on the |