postgresql/contrib/pgcrypto/expected/crypt-blowfish.out
Noah Misch cc1210f0aa pgcrypto: Detect and report too-short crypt() salts.
Certain short salts crashed the backend or disclosed a few bytes of
backend memory.  For existing salt-induced error conditions, emit a
message saying as much.  Back-patch to 9.0 (all supported versions).

Josh Kupershmidt

Security: CVE-2015-5288
2015-10-05 10:06:34 -04:00


--
-- crypt() and gen_salt(): bcrypt
--
-- Expected regression output for the bcrypt cases: each statement is followed
-- by the exact result or error it must produce.
--
-- Known-answer checks with a fixed, well-formed setting string: "$2a$" prefix,
-- two-digit cost "06", "$", then 22 salt characters. The result repeats that
-- setting string and appends the hash, so a stored value carries its own salt
-- and cost. The hard-coded salt is a test vector only; the table test later in
-- this file obtains its salt from gen_salt().
--
-- Case 1: empty password.
SELECT crypt('', '$2a$06$RQiOJ.3ELirrXwxIZY8q0O');
crypt
--------------------------------------------------------------
$2a$06$RQiOJ.3ELirrXwxIZY8q0OlGbBEpDmx7IRZlNYvGJ1SHXwNi2cEKK
(1 row)
-- Case 2: same salt, non-empty password; only the hash portion after the
-- 22-character salt differs from case 1.
SELECT crypt('foox', '$2a$06$RQiOJ.3ELirrXwxIZY8q0O');
crypt
--------------------------------------------------------------
$2a$06$RQiOJ.3ELirrXwxIZY8q0OR3CVJrAfda1z26CCHPnB6mmVZD8p0/C
(1 row)
-- Malformed-salt cases. All three must end in the same "invalid salt" error.
-- The commit description for this file says certain short salts previously
-- crashed the backend or disclosed a few bytes of backend memory
-- (CVE-2015-5288), so these expectations pin a clean rejection instead.
--
-- error, salt too short:
-- (only the "$2a$" prefix is supplied; the cost and salt characters are missing)
SELECT crypt('foox', '$2a$');
ERROR: invalid salt
-- error, first digit of count in salt invalid
-- ("40" lies above the 4..31 cost range pgcrypto documents for bcrypt)
SELECT crypt('foox', '$2a$40$RQiOJ.3ELirrXwxIZY8q0O');
ERROR: invalid salt
-- error, count in salt too small
-- ("00" lies below that range; the salt characters themselves are well-formed)
SELECT crypt('foox', '$2a$00$RQiOJ.3ELirrXwxIZY8q0O');
ERROR: invalid salt
-- Round trip through a table using a freshly generated salt. gen_salt()
-- output is random, so no fixed hash can be expected here; the test asserts
-- only that verification succeeds.
-- The plaintext "data" column is test scaffolding; a real credential table
-- would keep only the crypt() result.
CREATE TABLE ctest (data text, res text, salt text);
INSERT INTO ctest VALUES ('password', '', '');
-- 'bf' selects bcrypt and 8 is the requested cost. No WHERE clause: the
-- table holds exactly one row, so both updates intentionally touch it.
UPDATE ctest SET salt = gen_salt('bf', 8);
UPDATE ctest SET res = crypt(data, salt);
-- Verification idiom: the stored hash is passed as the salt argument, so
-- crypt() reuses the salt and cost embedded in it and a matching password
-- reproduces the stored value.
SELECT res = crypt(data, res) AS "worked"
FROM ctest;
worked
--------
t
(1 row)
DROP TABLE ctest;