Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commitc6305a9

Browse files
committed
Allow plaintext 'password' authentication when user has a SCRAM verifier.
Oversight in the main SCRAM patch.
1 parentff30aec commitc6305a9

File tree

3 files changed

+87
-22
lines changed

3 files changed

+87
-22
lines changed

‎src/backend/libpq/auth-scram.c

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -364,6 +364,52 @@ scram_build_verifier(const char *username, const char *password,
364364
returnpsprintf("scram-sha-256:%s:%d:%s:%s",encoded_salt,iterations,storedkey_hex,serverkey_hex);
365365
}
366366

367+
/*
368+
* Verify a plaintext password against a SCRAM verifier. This is used when
369+
* performing plaintext password authentication for a user that has a SCRAM
370+
* verifier stored in pg_authid.
371+
*/
372+
bool
373+
scram_verify_plain_password(constchar*username,constchar*password,
374+
constchar*verifier)
375+
{
376+
char*encoded_salt;
377+
char*salt;
378+
intsaltlen;
379+
intiterations;
380+
uint8stored_key[SCRAM_KEY_LEN];
381+
uint8server_key[SCRAM_KEY_LEN];
382+
uint8computed_key[SCRAM_KEY_LEN];
383+
384+
if (!parse_scram_verifier(verifier,&encoded_salt,&iterations,
385+
stored_key,server_key))
386+
{
387+
/*
388+
* The password looked like a SCRAM verifier, but could not be
389+
* parsed.
390+
*/
391+
elog(LOG,"invalid SCRAM verifier for user \"%s\"",username);
392+
return false;
393+
}
394+
395+
salt=palloc(pg_b64_dec_len(strlen(encoded_salt)));
396+
saltlen=pg_b64_decode(encoded_salt,strlen(encoded_salt),salt);
397+
if (saltlen==-1)
398+
{
399+
elog(LOG,"invalid SCRAM verifier for user \"%s\"",username);
400+
return false;
401+
}
402+
403+
/* Compute Server key based on the user-supplied plaintext password */
404+
scram_ClientOrServerKey(password,salt,saltlen,iterations,
405+
SCRAM_SERVER_KEY_NAME,computed_key);
406+
407+
/*
408+
* Compare the verifier's Server Key with the one computed from the
409+
* user-supplied password.
410+
*/
411+
returnmemcmp(computed_key,server_key,SCRAM_KEY_LEN)==0;
412+
}
367413

368414
/*
369415
* Check if given verifier can be used for SCRAM authentication.

‎src/backend/libpq/crypt.c

Lines changed: 39 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -283,7 +283,6 @@ plain_crypt_verify(const char *role, const char *shadow_pass,
283283
constchar*client_pass,
284284
char**logdetail)
285285
{
286-
intretval;
287286
charcrypt_client_pass[MD5_PASSWD_LEN+1];
288287

289288
/*
@@ -293,6 +292,21 @@ plain_crypt_verify(const char *role, const char *shadow_pass,
293292
*/
294293
switch (get_password_type(shadow_pass))
295294
{
295+
casePASSWORD_TYPE_SCRAM:
296+
if (scram_verify_plain_password(role,
297+
client_pass,
298+
shadow_pass))
299+
{
300+
returnSTATUS_OK;
301+
}
302+
else
303+
{
304+
*logdetail=psprintf(_("Password does not match for user \"%s\"."),
305+
role);
306+
returnSTATUS_ERROR;
307+
}
308+
break;
309+
296310
casePASSWORD_TYPE_MD5:
297311
if (!pg_md5_encrypt(client_pass,
298312
role,
@@ -307,30 +321,33 @@ plain_crypt_verify(const char *role, const char *shadow_pass,
307321
*/
308322
returnSTATUS_ERROR;
309323
}
310-
client_pass=crypt_client_pass;
324+
if (strcmp(crypt_client_pass,shadow_pass)==0)
325+
returnSTATUS_OK;
326+
else
327+
{
328+
*logdetail=psprintf(_("Password does not match for user \"%s\"."),
329+
role);
330+
returnSTATUS_ERROR;
331+
}
311332
break;
333+
312334
casePASSWORD_TYPE_PLAINTEXT:
335+
if (strcmp(client_pass,shadow_pass)==0)
336+
returnSTATUS_OK;
337+
else
338+
{
339+
*logdetail=psprintf(_("Password does not match for user \"%s\"."),
340+
role);
341+
returnSTATUS_ERROR;
342+
}
313343
break;
314-
315-
default:
316-
317-
/*
318-
* This shouldn't happen. Plain "password" authentication should
319-
* be possible with any kind of stored password hash.
320-
*/
321-
*logdetail=psprintf(_("Password of user \"%s\" is in unrecognized format."),
322-
role);
323-
returnSTATUS_ERROR;
324344
}
325345

326-
if (strcmp(client_pass,shadow_pass)==0)
327-
retval=STATUS_OK;
328-
else
329-
{
330-
*logdetail=psprintf(_("Password does not match for user \"%s\"."),
331-
role);
332-
retval=STATUS_ERROR;
333-
}
334-
335-
returnretval;
346+
/*
347+
* This shouldn't happen. Plain "password" authentication is possible
348+
* with any kind of stored password hash.
349+
*/
350+
*logdetail=psprintf(_("Password of user \"%s\" is in unrecognized format."),
351+
role);
352+
returnSTATUS_ERROR;
336353
}

‎src/include/libpq/scram.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,5 +31,7 @@ extern char *scram_build_verifier(const char *username,
3131
constchar*password,
3232
intiterations);
3333
externboolis_scram_verifier(constchar*verifier);
34+
externboolscram_verify_plain_password(constchar*username,
35+
constchar*password,constchar*verifier);
3436

3537
#endif/* PG_SCRAM_H */

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp