postgresql/contrib/pgcrypto/expected/crypt-xdes.out
Noah Misch 1d812c8b05 pgcrypto: Detect and report too-short crypt() salts.
Certain short salts crashed the backend or disclosed a few bytes of
backend memory.  For existing salt-induced error conditions, emit a
message saying as much.  Back-patch to 9.0 (all supported versions).

Josh Kupershmidt

Security: CVE-2015-5288
2015-10-05 10:06:29 -04:00

52 lines
1.3 KiB
Plaintext

--
-- crypt() and gen_salt(): extended des
--
SELECT crypt('', '_J9..j2zz');
crypt
----------------------
_J9..j2zzR/nIRDK3pPc
(1 row)
SELECT crypt('foox', '_J9..j2zz');
crypt
----------------------
_J9..j2zzAYKMvO2BYRY
(1 row)
-- check XDES handling of keys longer than 8 chars
SELECT crypt('longlongpassword', '_J9..j2zz');
crypt
----------------------
_J9..j2zz4BeseiQNwUg
(1 row)
-- error, salt too short
SELECT crypt('foox', '_J9..BWH');
ERROR: invalid salt
-- error, count specified in the second argument is 0
SELECT crypt('password', '_........');
ERROR: crypt(3) returned NULL
-- error, count will wind up still being 0 due to invalid encoding
-- of the count: only chars ``./0-9A-Za-z' are valid
SELECT crypt('password', '_..!!!!!!');
ERROR: crypt(3) returned NULL
-- count should be non-zero here, will work
SELECT crypt('password', '_/!!!!!!!');
crypt
----------------------
_/!!!!!!!zqM49hRzxko
(1 row)
CREATE TABLE ctest (data text, res text, salt text);
INSERT INTO ctest VALUES ('password', '', '');
UPDATE ctest SET salt = gen_salt('xdes', 1001);
UPDATE ctest SET res = crypt(data, salt);
SELECT res = crypt(data, res) AS "worked"
FROM ctest;
worked
--------
t
(1 row)
DROP TABLE ctest;