Add validation when creating a user with bcrypt_hash

2024-11-22 23:52:03 +00:00 · 2024-06-13 19:56:54 +02:00 · 2024-06-13 19:56:54 +02:00 · 3506ed14f4
commit 3506ed14f4
parent afae991bf7
3 changed files with 15 additions and 1 deletions
--- a/src/Access/AuthenticationData.cpp
+++ b/src/Access/AuthenticationData.cpp
@ -31,6 +31,7 @@ namespace DB
 {
 namespace ErrorCodes
 {
+    extern const int AUTHENTICATION_FAILED;
    extern const int SUPPORT_IS_DISABLED;
    extern const int BAD_ARGUMENTS;
    extern const int LOGICAL_ERROR;
@ -90,8 +91,10 @@ bool AuthenticationData::Util::checkPasswordBcrypt(std::string_view password [[m
 {
 #if USE_BCRYPT
    int ret = bcrypt_checkpw(password.data(), reinterpret_cast<const char *>(password_bcrypt.data()));
+    /// Before 24.6 we didn't validate hashes on creation, so it could be that the stored hash is invalid
+    /// and it could not be decoded by the library
    if (ret == -1)
-        throw Exception(ErrorCodes::LOGICAL_ERROR, "BCrypt library failed: bcrypt_checkpw returned {}", ret);
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "Internal failure decoding Bcrypt hash");
    return (ret == 0);
 #else
    throw Exception(
@ -230,6 +233,15 @@ void AuthenticationData::setPasswordHashBinary(const Digest & hash)
                throw Exception(ErrorCodes::BAD_ARGUMENTS,
                                "Password hash for the 'BCRYPT_PASSWORD' authentication type has length {} "
                                "but must be 59 or 60 bytes.", hash.size());
+
+            auto resized = hash;
+            resized.resize(64);
+
+            /// Verify that it is a valid hash
+            int ret = bcrypt_checkpw("", reinterpret_cast<const char *>(resized.data()));
+            if (ret == -1)
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "Could not decode the provided hash with 'bcrypt_hash'");
+
            password_hash = hash;
            password_hash.resize(64);
            return;
--- a/tests/queries/0_stateless/03172_bcrypt_validation.reference
+++ b/tests/queries/0_stateless/03172_bcrypt_validation.reference
--- a/tests/queries/0_stateless/03172_bcrypt_validation.sql
+++ b/tests/queries/0_stateless/03172_bcrypt_validation.sql
@ -0,0 +1,2 @@
+DROP USER IF EXISTS 03172_user_invalid_bcrypt_hash;
+CREATE USER 03172_user_invalid_bcrypt_hash IDENTIFIED WITH bcrypt_hash BY '012345678901234567890123456789012345678901234567890123456789'; -- { serverError BAD_ARGUMENTS }