From f455d607af6123c7576c42ce65463f8e3e08378e Mon Sep 17 00:00:00 2001
From: Sehrope Sarkuni <sehrope@jackdb.com>
Date: Sat, 23 May 2026 10:11:52 -0400
Subject: [PATCH 5/6] Add test for connect_timeout during SCRAM iteration

Exercises the new deadline check inside scram_SaltedPassword().  Creates
a role with a normal SCRAM verifier, then doctors the stored iteration
count up to a value high enough that even fast modern hardware cannot
finish the loop within the 1-second connect_timeout.

The doctored verifier's StoredKey and ServerKey no longer match the
iteration count, but that is irrelevant for this test as the patched
client never reaches the end of the proof step.
---
 src/test/authentication/t/001_password.pl | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 69ed4919b16..3194d1224d0 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -792,4 +792,27 @@ test_conn(
 		qr/connection authenticated: identity="regress_not_member" method=scram-sha-256/
 	]);
 
+# Test that connect_timeout interrupts a slow SCRAM auth
+reset_pg_hba($node, 'all', 'all', 'trust');
+$node->safe_psql(
+	'postgres',
+	"SET password_encryption='scram-sha-256';
+	 CREATE ROLE scram_slow LOGIN PASSWORD 'pass';");
+$node->safe_psql(
+	'postgres',
+	q{UPDATE pg_authid
+	     SET rolpassword = regexp_replace(rolpassword,
+	                                      '^SCRAM-SHA-256\$[0-9]+:',
+	                                      'SCRAM-SHA-256$999999999:')
+	   WHERE rolname = 'scram_slow';});
+reset_pg_hba($node, 'all', 'all', 'scram-sha-256');
+{
+	$node->connect_fails(
+		"user=scram_slow connect_timeout=1",
+		'connect_timeout aborts SCRAM iteration loop',
+		expected_stderr => qr/connection timeout expired/);
+}
+reset_pg_hba($node, 'all', 'all', 'trust');
+$node->safe_psql('postgres', 'DROP ROLE scram_slow;');
+
 done_testing();
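Review bot: The `connect_fails` call near the end of the hunk checks only the stderr text, so it does not show that the iteration loop was interrupted close to the 1-second deadline. A client that ran all 999999999 iterations and only then reported the timeout would presumably match the same regex, and such a regression would appear as a very long stall in the suite rather than a quick failure. Bounding the wall-clock time would pin the intended behaviour, for example `my $start = time();` before the call and `cmp_ok(time() - $start, '<', 30, 'SCRAM loop aborted promptly');` after it. The connection string carries no password, so the test appears to rely on `PGPASSWORD` being set earlier in the file, outside this hunk; a one-line comment such as `# relies on PGPASSWORD set above` would make that explicit. The bare `{ ... }` block around `connect_fails` scopes nothing and can be dropped.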
-- 
2.43.0

