Re: BUG #16164: Sending shared secret in all low case

On Thu, Dec 12, 2019 at 08:15:22PM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 16164
> Logged by: Min Wang
> Email address: min(dot)wang(at)theice(dot)com
> PostgreSQL version: 11.5
> Operating system: Red Hat Enterprise Linux Server release 7.6 (Maipo
> Description:
>
> Sending shared secret in all low case for RADIUS user authentication

This was reported and fixed in November:

https://www.postgresql.org/message-id/flat/BC05948D-9509-4F30-A350-7E2C36570CF1%40palantir.com#26361cd70c0804f957f54d716bd3c820

with this commit:

commit 7618eaf5f3
Author: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Date: Wed Nov 13 13:41:04 2019 -0500

Avoid downcasing/truncation of RADIUS authentication parameters.

Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists
rather than single values. But its use of SplitIdentifierString
to parse the list format was not very carefully thought through,
because that function thinks it's parsing SQL identifiers, which
means it will (a) downcase the strings and (b) truncate them to
be shorter than NAMEDATALEN. While downcasing should be harmless
for the server names and ports, it's just wrong for the shared
secrets, and probably for the NAS Identifier strings as well.
The truncation aspect is at least potentially a problem too,
though typical values for these parameters would fit in 63 bytes.

Fortunately, we now have a function SplitGUCList that is exactly
the same except for not doing the two unwanted things, so fixing
this is a trivial matter of calling that function instead.

While here, improve the documentation to show how to double-quote
the parameter values. I failed to resist the temptation to do
some copy-editing as well.

Report and patch from Marcos David (bug #16106); doc changes by me.
Back-patch to v10 where the aforesaid commit came in, since this is
arguably a regression from our previous behavior with RADIUS auth.

Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org

Unfortunately the patch didn't make it into our November releases, so
you will have to wait for the next scheduled release in February for a
fix, or build from source and apply this patch. Sorry.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +