NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit37f51ba

committed

revertbee9be2

1 parentafe281d commit37f51baCopy full SHA for 37f51ba

File tree

28 files changed

+76

-2196

lines changed

contrib/passwordcheck
- passwordcheck.c
doc/src/sgml
src
- backend
  - commands
    - user.c
  - libpq
  - postmaster
    - postmaster.c
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- common
  - Makefile
  - scram-common.c
- include
  - commands
    - user.h
  - common
    - scram-common.h
  - libpq
- interfaces/libpq

28 files changed

+76

-2196

lines changed

`‎contrib/passwordcheck/passwordcheck.c`

Lines changed: 3 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,6 @@`
`21`	`21`	`#endif`
`22`	`22`
`23`	`23`	`#include"commands/user.h"`
`24`		`-#include"libpq/scram.h"`
`25`	`24`	`#include"fmgr.h"`
`26`	`25`	`#include"libpq/md5.h"`
`27`	`26`
`@@ -58,15 +57,14 @@ check_password(const char *username,`
`58`	`57`	`{`
`59`	`58`	`intnamelen=strlen(username);`
`60`	`59`	`intpwdlen=strlen(password);`
`61`		`-char*encrypted;`
	`60`	`+charencrypted[MD5_PASSWD_LEN+1];`
`62`	`61`	`inti;`
`63`	`62`	`boolpwd_has_letter,`
`64`	`63`	`pwd_has_nonletter;`
`65`	`64`
`66`	`65`	`switch (password_type)`
`67`	`66`	`{`
`68`	`67`	`casePASSWORD_TYPE_MD5:`
`69`		`-casePASSWORD_TYPE_SCRAM:`
`70`	`68`
`71`	`69`	`/*`
`72`	`70`	`* Unfortunately we cannot perform exhaustive checks on encrypted`
`@@ -76,23 +74,12 @@ check_password(const char *username,`
`76`	`74`	`*`
`77`	`75`	`* We only check for username = password.`
`78`	`76`	`*/`
`79`		`-if (password_type==PASSWORD_TYPE_MD5)`
`80`		`-{`
`81`		`-encrypted=palloc(MD5_PASSWD_LEN+1);`
`82`		`-if (pg_md5_encrypt(username,username,namelen,encrypted))`
`83`		`-elog(ERROR,"password encryption failed");`
`84`		`-}`
`85`		`-elseif (password_type==PASSWORD_TYPE_SCRAM)`
`86`		`-{`
`87`		`-encrypted=scram_build_verifier(username,password,0);`
`88`		`-}`
`89`		`-else`
`90`		`-Assert(0);/* should not happen */`
	`77`	`+if (!pg_md5_encrypt(username,username,namelen,encrypted))`
	`78`	`+elog(ERROR,"password encryption failed");`
`91`	`79`	`if (strcmp(password,encrypted)==0)`
`92`	`80`	`ereport(ERROR,`
`93`	`81`	`(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`94`	`82`	`errmsg("password must not contain user name")));`
`95`		`-pfree(encrypted);`
`96`	`83`	`break;`
`97`	`84`
`98`	`85`	`casePASSWORD_TYPE_PLAINTEXT:`

`‎doc/src/sgml/config.sgml`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1181,8 +1181,7 @@ include_dir 'conf.d'`
`1181`	`1181`	`<para>`
`1182`	`1182`	`A value set to <literal>on</> or <literal>md5</> corresponds to a`
`1183`	`1183`	`MD5-encrypted password, <literal>off</> or <literal>plain</>`
`1184`		`- corresponds to an unencrypted password. Setting this parameter to`
`1185`		`- <literal>scram</> will encrypt the password with SCRAM-SHA-256.`
	`1184`	`+ corresponds to an unencrypted password.`
`1186`	`1185`	`</para>`
`1187`	`1186`
`1188`	`1187`	`<para>`

`‎doc/src/sgml/protocol.sgml`

Lines changed: 5 additions & 142 deletions

Original file line number	Diff line number	Diff line change
`@@ -228,11 +228,11 @@`
`228`	`228`	`The server then sends an appropriate authentication request message,`
`229`	`229`	`to which the frontend must reply with an appropriate authentication`
`230`	`230`	`response message (such as a password).`
`231`		`- For all authentication methods except GSSAPI, SSPIandSASL, there is at`
`232`		`-mostone request and one response. In some methods, no response`
	`231`	`+ For all authentication methods except GSSAPIandSSPI, there is at most`
	`232`	`+ one request and one response. In some methods, no response`
`233`	`233`	`at all is needed from the frontend, and so no authentication request`
`234`		`- occurs. For GSSAPI, SSPIandSASL, multiple exchanges of packets may be`
`235`		`-neededto complete the authentication.`
	`234`	`+ occurs. For GSSAPIandSSPI, multiple exchanges of packets may be needed`
	`235`	`+ to complete the authentication.`
`236`	`236`	`</para>`
`237`	`237`
`238`	`238`	`<para>`
`@@ -366,35 +366,6 @@`
`366`	`366`	`</listitem>`
`367`	`367`	`</varlistentry>`
`368`	`368`
`369`		`- <varlistentry>`
`370`		`- <term>AuthenticationSASL</term>`
`371`		`- <listitem>`
`372`		`- <para>`
`373`		`- The frontend must now initiate a SASL negotiation, using the SASL`
`374`		`- mechanism specified in the message. The frontend will send a`
`375`		`- PasswordMessage with the first part of the SASL data stream in`
`376`		`- response to this. If further messages are needed, the server will`
`377`		`- respond with AuthenticationSASLContinue.`
`378`		`- </para>`
`379`		`- </listitem>`
`380`		`-`
`381`		`- </varlistentry>`
`382`		`- <varlistentry>`
`383`		`- <term>AuthenticationSASLContinue</term>`
`384`		`- <listitem>`
`385`		`- <para>`
`386`		`- This message contains the response data from the previous step`
`387`		`- of SASL negotiation (AuthenticationSASL, or a previous`
`388`		`- AuthenticationSASLContinue). If the SASL data in this message`
`389`		`- indicates more data is needed to complete the authentication,`
`390`		`- the frontend must send that data as another PasswordMessage. If`
`391`		`- SASL authentication is completed by this message, the server`
`392`		`- will next send AuthenticationOk to indicate successful authentication`
`393`		`- or ErrorResponse to indicate failure.`
`394`		`- </para>`
`395`		`- </listitem>`
`396`		`- </varlistentry>`
`397`		`-`
`398`	`369`	`</variablelist>`
`399`	`370`	`</para>`
`400`	`371`
`@@ -2607,114 +2578,6 @@ AuthenticationGSSContinue (B)`
`2607`	`2578`	`</listitem>`
`2608`	`2579`	`</varlistentry>`
`2609`	`2580`
`2610`		`-<varlistentry>`
`2611`		`-<term>`
`2612`		`-AuthenticationSASL (B)`
`2613`		`-</term>`
`2614`		`-<listitem>`
`2615`		`-<para>`
`2616`		`-`
`2617`		`-<variablelist>`
`2618`		`-<varlistentry>`
`2619`		`-<term>`
`2620`		`- Byte1('R')`
`2621`		`-</term>`
`2622`		`-<listitem>`
`2623`		`-<para>`
`2624`		`- Identifies the message as an authentication request.`
`2625`		`-</para>`
`2626`		`-</listitem>`
`2627`		`-</varlistentry>`
`2628`		`-<varlistentry>`
`2629`		`-<term>`
`2630`		`- Int32`
`2631`		`-</term>`
`2632`		`-<listitem>`
`2633`		`-<para>`
`2634`		`- Length of message contents in bytes, including self.`
`2635`		`-</para>`
`2636`		`-</listitem>`
`2637`		`-</varlistentry>`
`2638`		`-<varlistentry>`
`2639`		`-<term>`
`2640`		`- Int32(10)`
`2641`		`-</term>`
`2642`		`-<listitem>`
`2643`		`-<para>`
`2644`		`- Specifies that SASL authentication is started.`
`2645`		`-</para>`
`2646`		`-</listitem>`
`2647`		`-</varlistentry>`
`2648`		`-<varlistentry>`
`2649`		`-<term>`
`2650`		`- String`
`2651`		`-</term>`
`2652`		`-<listitem>`
`2653`		`-<para>`
`2654`		`- Name of a SASL authentication mechanism.`
`2655`		`-</para>`
`2656`		`-</listitem>`
`2657`		`-</varlistentry>`
`2658`		`-</variablelist>`
`2659`		`-`
`2660`		`-</para>`
`2661`		`-</listitem>`
`2662`		`-</varlistentry>`
`2663`		`-`
`2664`		`-<varlistentry>`
`2665`		`-<term>`
`2666`		`-AuthenticationSASLContinue (B)`
`2667`		`-</term>`
`2668`		`-<listitem>`
`2669`		`-<para>`
`2670`		`-`
`2671`		`-<variablelist>`
`2672`		`-<varlistentry>`
`2673`		`-<term>`
`2674`		`- Byte1('R')`
`2675`		`-</term>`
`2676`		`-<listitem>`
`2677`		`-<para>`
`2678`		`- Identifies the message as an authentication request.`
`2679`		`-</para>`
`2680`		`-</listitem>`
`2681`		`-</varlistentry>`
`2682`		`-<varlistentry>`
`2683`		`-<term>`
`2684`		`- Int32`
`2685`		`-</term>`
`2686`		`-<listitem>`
`2687`		`-<para>`
`2688`		`- Length of message contents in bytes, including self.`
`2689`		`-</para>`
`2690`		`-</listitem>`
`2691`		`-</varlistentry>`
`2692`		`-<varlistentry>`
`2693`		`-<term>`
`2694`		`- Int32(11)`
`2695`		`-</term>`
`2696`		`-<listitem>`
`2697`		`-<para>`
`2698`		`- Specifies that this message contains SASL-mechanism specific`
`2699`		`- data.`
`2700`		`-</para>`
`2701`		`-</listitem>`
`2702`		`-</varlistentry>`
`2703`		`-<varlistentry>`
`2704`		`-<term>`
`2705`		`- Byte<replaceable>n</replaceable>`
`2706`		`-</term>`
`2707`		`-<listitem>`
`2708`		`-<para>`
`2709`		`- SASL data, specific to the SASL mechanism being used.`
`2710`		`-</para>`
`2711`		`-</listitem>`
`2712`		`-</varlistentry>`
`2713`		`-</variablelist>`
`2714`		`-`
`2715`		`-</para>`
`2716`		`-</listitem>`
`2717`		`-</varlistentry>`
`2718`	`2581`
`2719`	`2582`	`<varlistentry>`
`2720`	`2583`	`<term>`
`@@ -4477,7 +4340,7 @@ PasswordMessage (F)`
`4477`	`4340`	`<listitem>`
`4478`	`4341`	`<para>`
`4479`	`4342`	`Identifies the message as a password response. Note that`
`4480`		`- this is also used for GSSAPI, SSPIandSASL response messages`
	`4343`	`+ this is also used for GSSAPIandSSPI response messages`
`4481`	`4344`	`(which is really a design error, since the contained data`
`4482`	`4345`	`is not a null-terminated string in that case, but can be`
`4483`	`4346`	`arbitrary binary data).`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 7 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -228,16 +228,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`228`	`228`	`encrypted in the system catalogs. (If neither is specified,`
`229`	`229`	`the default behavior is determined by the configuration`
`230`	`230`	`parameter <xref linkend="guc-password-encryption">.) If the`
`231`		`- presented password string is already in MD5-encryptedor`
`232`		`-SCRAM-encrypted format,then it is stored encrypted as-is,`
`233`		`-regardless of whether<literal>ENCRYPTED</> or <literal>UNENCRYPTED</>`
`234`		`-is specified(since the system cannot decrypt the specified encrypted`
`235`		`- password string). This allows reloading of encrypted passwords`
`236`		`- during dump/restore.`
	`231`	`+ presented password string is already in MD5-encryptedformat,`
	`232`	`+ then it is stored encrypted as-is, regardless of whether`
	`233`	`+ <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified`
	`234`	`+ (since the system cannot decrypt the specified encrypted`
	`235`	`+ password string). This allows reloading of encrypted`
	`236`	`+passwordsduring dump/restore.`
`237`	`237`	`</para>`
`238`	`238`
`239`	`239`	`<para>`
`240`		`- Note that older clients might lack support for the MD5 or SCRAM`
	`240`	`+ Note that older clients might lack support for the MD5`
`241`	`241`	`authentication mechanism that is needed to work with passwords`
`242`	`242`	`that are stored encrypted.`
`243`	`243`	`</para>`

`‎src/backend/commands/user.c`

Lines changed: 7 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,6 @@`
`30`	`30`	`#include"commands/seclabel.h"`
`31`	`31`	`#include"commands/user.h"`
`32`	`32`	`#include"libpq/md5.h"`
`33`		`-#include"libpq/scram.h"`
`34`	`33`	`#include"miscadmin.h"`
`35`	`34`	`#include"storage/lmgr.h"`
`36`	`35`	`#include"utils/acl.h"`
`@@ -70,9 +69,9 @@ have_createrole_privilege(void)`
`70`	`69`	`/*`
`71`	`70`	`* Encrypt a password if necessary for insertion in pg_authid.`
`72`	`71`	`*`
`73`		`- * If a password is found as already MD5-encrypted or SCRAM-encrypted, no`
`74`		`- *error is raisedto ease the dump and reload of such data. Returns a`
`75`		`- *palloc'ed stringholding the encrypted password.`
	`72`	`+ * If a password is found as already MD5-encrypted, no error is raised`
	`73`	`+ * to ease the dump and reload of such data. Returns a palloc'ed string`
	`74`	`+ * holding the encrypted password.`
`76`	`75`	`*/`
`77`	`76`	`staticchar*`
`78`	`77`	`encrypt_password(charpassword,charrolname,intpasswd_type)`
`@@ -82,11 +81,11 @@ encrypt_password(char password, char rolname, int passwd_type)`
`82`	`81`	`Assert(password!=NULL);`
`83`	`82`
`84`	`83`	`/*`
`85`		`- *Apassword already identified asa SCRAM-encrypted or MD5-encrypted`
`86`		`- *those are usedas such. If the password given is not encrypted,`
`87`		`- *adapt it dependingon the type wanted by the caller of this routine.`
	`84`	`+ *If apasswordisalready identified asMD5-encrypted, it is used`
	`85`	`+ * as such. If the password given is not encrypted, adapt it depending`
	`86`	`+ * on the type wanted by the caller of this routine.`
`88`	`87`	`*/`
`89`		`-if (isMD5(password)\|\|is_scram_verifier(password))`
	`88`	`+if (isMD5(password))`
`90`	`89`	`res=pstrdup(password);`
`91`	`90`	`else`
`92`	`91`	`{`
`@@ -102,9 +101,6 @@ encrypt_password(char password, char rolname, int passwd_type)`
`102`	`101`	`res))`
`103`	`102`	`elog(ERROR,"password encryption failed");`
`104`	`103`	`break;`
`105`		`-casePASSWORD_TYPE_SCRAM:`
`106`		`-res=scram_build_verifier(rolname,password,0);`
`107`		`-break;`
`108`	`104`	`default:`
`109`	`105`	`Assert(0);/* should not come here */`
`110`	`106`	`}`

`‎src/backend/libpq/Makefile`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ include $(top_builddir)/src/Makefile.global`
`15`	`15`	`# be-fsstubs is here for historical reasons, probably belongs elsewhere`
`16`	`16`
`17`	`17`	`OBJS = be-fsstubs.o be-secure.o auth.o crypt.o hba.o ip.o md5.o pqcomm.o\`
`18`		`- pqformat.o pqmq.o pqsignal.o auth-scram.o`
	`18`	`+ pqformat.o pqmq.o pqsignal.o`
`19`	`19`
`20`	`20`	`ifeq ($(with_openssl),yes)`
`21`	`21`	`OBJS += be-secure-openssl.o`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit37f51ba

File tree

28 files changed

28 files changed

`‎contrib/passwordcheck/passwordcheck.c`

`‎doc/src/sgml/config.sgml`

`‎doc/src/sgml/protocol.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

`‎src/backend/commands/user.c`

`‎src/backend/libpq/Makefile`

0 commit comments