NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit65a26f3

committed

Apply 0007-Support-for-SCRAM-SHA-256-authentication-RFC-5802-an.patch + cherry-pick8d3b9cc

1 parentae93312 commit65a26f3Copy full SHA for 65a26f3

File tree

29 files changed

+2411

-100

lines changed

contrib/passwordcheck
- passwordcheck.c
doc/src/sgml
src
- backend
  - commands
    - user.c
  - libpq
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- common
  - Makefile
  - scram-common.c
- include
  - commands
    - user.h
  - common
    - scram-common.h
  - libpq
- interfaces/libpq
- tools/msvc
  - Mkvcbuild.pm

29 files changed

+2411

-100

lines changed

`‎contrib/passwordcheck/passwordcheck.c`

Lines changed: 17 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,8 +21,9 @@`
`21`	`21`	`#endif`
`22`	`22`
`23`	`23`	`#include"commands/user.h"`
`24`		`-#include"fmgr.h"`
`25`	`24`	`#include"libpq/md5.h"`
	`25`	`+#include"libpq/scram.h"`
	`26`	`+#include"fmgr.h"`
`26`	`27`
`27`	`28`	`PG_MODULE_MAGIC;`
`28`	`29`
`@@ -57,14 +58,15 @@ check_password(const char *username,`
`57`	`58`	`{`
`58`	`59`	`intnamelen=strlen(username);`
`59`	`60`	`intpwdlen=strlen(password);`
`60`		`-charencrypted[MD5_PASSWD_LEN+1];`
	`61`	`+char*encrypted;`
`61`	`62`	`inti;`
`62`	`63`	`boolpwd_has_letter,`
`63`	`64`	`pwd_has_nonletter;`
`64`	`65`
`65`	`66`	`switch (password_type)`
`66`	`67`	`{`
`67`	`68`	`casePASSWORD_TYPE_MD5:`
	`69`	`+casePASSWORD_TYPE_SCRAM:`
`68`	`70`
`69`	`71`	`/*`
`70`	`72`	`* Unfortunately we cannot perform exhaustive checks on encrypted`
`@@ -74,12 +76,23 @@ check_password(const char *username,`
`74`	`76`	`*`
`75`	`77`	`* We only check for username = password.`
`76`	`78`	`*/`
`77`		`-if (!pg_md5_encrypt(username,username,namelen,encrypted))`
`78`		`-elog(ERROR,"password encryption failed");`
	`79`	`+if (password_type==PASSWORD_TYPE_MD5)`
	`80`	`+{`
	`81`	`+encrypted=palloc(MD5_PASSWD_LEN+1);`
	`82`	`+if (pg_md5_encrypt(username,username,namelen,encrypted))`
	`83`	`+elog(ERROR,"password encryption failed");`
	`84`	`+}`
	`85`	`+elseif (password_type==PASSWORD_TYPE_SCRAM)`
	`86`	`+{`
	`87`	`+encrypted=scram_build_verifier(username,password,0);`
	`88`	`+}`
	`89`	`+else`
	`90`	`+Assert(0);/* should not happen */`
`79`	`91`	`if (strcmp(password,encrypted)==0)`
`80`	`92`	`ereport(ERROR,`
`81`	`93`	`(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`82`	`94`	`errmsg("password must not contain user name")));`
	`95`	`+pfree(encrypted);`
`83`	`96`	`break;`
`84`	`97`
`85`	`98`	`casePASSWORD_TYPE_PLAINTEXT:`

`‎doc/src/sgml/config.sgml`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1176,8 +1176,10 @@ include_dir 'conf.d'`
`1176`	`1176`	`password is to be encrypted. The default value is <literal>md5</>, which`
`1177`	`1177`	`stores the password as an MD5 hash. Setting this to <literal>plain</> stores`
`1178`	`1178`	`it in plaintext. <literal>on</> and <literal>off</> are also accepted, as`
`1179`		`- aliases for <literal>md5</> and <literal>plain</>, respectively.`
`1180`		`- </para>`
	`1179`	`+ aliases for <literal>md5</> and <literal>plain</>, respectively. Setting`
	`1180`	`+ this parameter to <literal>scram</> will encrypt the password with`
	`1181`	`+ SCRAM-SHA-256.`
	`1182`	`+ </para>`
`1181`	`1183`
`1182`	`1184`	`</listitem>`
`1183`	`1185`	`</varlistentry>`
`@@ -1251,7 +1253,7 @@ include_dir 'conf.d'`
`1251`	`1253`	`Authentication checks are always done with the server's user name`
`1252`	`1254`	`so authentication methods must be configured for the`
`1253`	`1255`	`server's user name, not the client's. Because`
`1254`		`- <literal>md5</>uses the user name as salt on both the`
	`1256`	`+ <literal>md5</>uses the user name as salt on both the`
`1255`	`1257`	`client and server, and <literal>scram</> uses the user name as`
`1256`	`1258`	`a portion of the salt used on both the client and server,`
`1257`	`1259`	`<literal>md5</> and <literal>scram</> cannot be used with`

`‎doc/src/sgml/protocol.sgml`

Lines changed: 142 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -228,11 +228,11 @@`
`228`	`228`	`The server then sends an appropriate authentication request message,`
`229`	`229`	`to which the frontend must reply with an appropriate authentication`
`230`	`230`	`response message (such as a password).`
`231`		`- For all authentication methods except GSSAPIandSSPI, there is at most`
`232`		`- one request and one response. In some methods, no response`
	`231`	`+ For all authentication methods except GSSAPI, SSPIandSASL, there is at`
	`232`	`+mostone request and one response. In some methods, no response`
`233`	`233`	`at all is needed from the frontend, and so no authentication request`
`234`		`- occurs. For GSSAPIandSSPI, multiple exchanges of packets may be needed`
`235`		`- to complete the authentication.`
	`234`	`+ occurs. For GSSAPI, SSPIandSASL, multiple exchanges of packets may be`
	`235`	`+neededto complete the authentication.`
`236`	`236`	`</para>`
`237`	`237`
`238`	`238`	`<para>`
`@@ -366,6 +366,35 @@`
`366`	`366`	`</listitem>`
`367`	`367`	`</varlistentry>`
`368`	`368`
	`369`	`+ <varlistentry>`
	`370`	`+ <term>AuthenticationSASL</term>`
	`371`	`+ <listitem>`
	`372`	`+ <para>`
	`373`	`+ The frontend must now initiate a SASL negotiation, using the SASL`
	`374`	`+ mechanism specified in the message. The frontend will send a`
	`375`	`+ PasswordMessage with the first part of the SASL data stream in`
	`376`	`+ response to this. If further messages are needed, the server will`
	`377`	`+ respond with AuthenticationSASLContinue.`
	`378`	`+ </para>`
	`379`	`+ </listitem>`
	`380`	`+`
	`381`	`+ </varlistentry>`
	`382`	`+ <varlistentry>`
	`383`	`+ <term>AuthenticationSASLContinue</term>`
	`384`	`+ <listitem>`
	`385`	`+ <para>`
	`386`	`+ This message contains the response data from the previous step`
	`387`	`+ of SASL negotiation (AuthenticationSASL, or a previous`
	`388`	`+ AuthenticationSASLContinue). If the SASL data in this message`
	`389`	`+ indicates more data is needed to complete the authentication,`
	`390`	`+ the frontend must send that data as another PasswordMessage. If`
	`391`	`+ SASL authentication is completed by this message, the server`
	`392`	`+ will next send AuthenticationOk to indicate successful authentication`
	`393`	`+ or ErrorResponse to indicate failure.`
	`394`	`+ </para>`
	`395`	`+ </listitem>`
	`396`	`+ </varlistentry>`
	`397`	`+`
`369`	`398`	`</variablelist>`
`370`	`399`	`</para>`
`371`	`400`
`@@ -2578,6 +2607,114 @@ AuthenticationGSSContinue (B)`
`2578`	`2607`	`</listitem>`
`2579`	`2608`	`</varlistentry>`
`2580`	`2609`
	`2610`	`+<varlistentry>`
	`2611`	`+<term>`
	`2612`	`+AuthenticationSASL (B)`
	`2613`	`+</term>`
	`2614`	`+<listitem>`
	`2615`	`+<para>`
	`2616`	`+`
	`2617`	`+<variablelist>`
	`2618`	`+<varlistentry>`
	`2619`	`+<term>`
	`2620`	`+ Byte1('R')`
	`2621`	`+</term>`
	`2622`	`+<listitem>`
	`2623`	`+<para>`
	`2624`	`+ Identifies the message as an authentication request.`
	`2625`	`+</para>`
	`2626`	`+</listitem>`
	`2627`	`+</varlistentry>`
	`2628`	`+<varlistentry>`
	`2629`	`+<term>`
	`2630`	`+ Int32`
	`2631`	`+</term>`
	`2632`	`+<listitem>`
	`2633`	`+<para>`
	`2634`	`+ Length of message contents in bytes, including self.`
	`2635`	`+</para>`
	`2636`	`+</listitem>`
	`2637`	`+</varlistentry>`
	`2638`	`+<varlistentry>`
	`2639`	`+<term>`
	`2640`	`+ Int32(10)`
	`2641`	`+</term>`
	`2642`	`+<listitem>`
	`2643`	`+<para>`
	`2644`	`+ Specifies that SASL authentication is started.`
	`2645`	`+</para>`
	`2646`	`+</listitem>`
	`2647`	`+</varlistentry>`
	`2648`	`+<varlistentry>`
	`2649`	`+<term>`
	`2650`	`+ String`
	`2651`	`+</term>`
	`2652`	`+<listitem>`
	`2653`	`+<para>`
	`2654`	`+ Name of a SASL authentication mechanism.`
	`2655`	`+</para>`
	`2656`	`+</listitem>`
	`2657`	`+</varlistentry>`
	`2658`	`+</variablelist>`
	`2659`	`+`
	`2660`	`+</para>`
	`2661`	`+</listitem>`
	`2662`	`+</varlistentry>`
	`2663`	`+`
	`2664`	`+<varlistentry>`
	`2665`	`+<term>`
	`2666`	`+AuthenticationSASLContinue (B)`
	`2667`	`+</term>`
	`2668`	`+<listitem>`
	`2669`	`+<para>`
	`2670`	`+`
	`2671`	`+<variablelist>`
	`2672`	`+<varlistentry>`
	`2673`	`+<term>`
	`2674`	`+ Byte1('R')`
	`2675`	`+</term>`
	`2676`	`+<listitem>`
	`2677`	`+<para>`
	`2678`	`+ Identifies the message as an authentication request.`
	`2679`	`+</para>`
	`2680`	`+</listitem>`
	`2681`	`+</varlistentry>`
	`2682`	`+<varlistentry>`
	`2683`	`+<term>`
	`2684`	`+ Int32`
	`2685`	`+</term>`
	`2686`	`+<listitem>`
	`2687`	`+<para>`
	`2688`	`+ Length of message contents in bytes, including self.`
	`2689`	`+</para>`
	`2690`	`+</listitem>`
	`2691`	`+</varlistentry>`
	`2692`	`+<varlistentry>`
	`2693`	`+<term>`
	`2694`	`+ Int32(11)`
	`2695`	`+</term>`
	`2696`	`+<listitem>`
	`2697`	`+<para>`
	`2698`	`+ Specifies that this message contains SASL-mechanism specific`
	`2699`	`+ data.`
	`2700`	`+</para>`
	`2701`	`+</listitem>`
	`2702`	`+</varlistentry>`
	`2703`	`+<varlistentry>`
	`2704`	`+<term>`
	`2705`	`+ Byte<replaceable>n</replaceable>`
	`2706`	`+</term>`
	`2707`	`+<listitem>`
	`2708`	`+<para>`
	`2709`	`+ SASL data, specific to the SASL mechanism being used.`
	`2710`	`+</para>`
	`2711`	`+</listitem>`
	`2712`	`+</varlistentry>`
	`2713`	`+</variablelist>`
	`2714`	`+`
	`2715`	`+</para>`
	`2716`	`+</listitem>`
	`2717`	`+</varlistentry>`
`2581`	`2718`
`2582`	`2719`	`<varlistentry>`
`2583`	`2720`	`<term>`
`@@ -4340,7 +4477,7 @@ PasswordMessage (F)`
`4340`	`4477`	`<listitem>`
`4341`	`4478`	`<para>`
`4342`	`4479`	`Identifies the message as a password response. Note that`
`4343`		`- this is also used for GSSAPIandSSPI response messages`
	`4480`	`+ this is also used for GSSAPI, SSPIandSASL response messages`
`4344`	`4481`	`(which is really a design error, since the contained data`
`4345`	`4482`	`is not a null-terminated string in that case, but can be`
`4346`	`4483`	`arbitrary binary data).`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 12 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -229,16 +229,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`229`	`229`	`encrypted in the system catalogs. (If neither is specified,`
`230`	`230`	`the default behavior is determined by the configuration`
`231`	`231`	`parameter <xref linkend="guc-password-encryption">.) If the`
`232`		`- presented password string is already in MD5-encryptedformat,`
`233`		`- then it is stored encrypted as-is, regardless of whether`
`234`		`- <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified`
`235`		`- (since the system cannot decrypt the specified encrypted`
`236`		`- password string). This allows reloading of encrypted`
`237`		`-passwordsduring dump/restore.`
	`232`	`+ presented password string is already in MD5-encryptedor`
	`233`	`+SCRAM-encrypted format,then it is stored encrypted as-is,`
	`234`	`+regardless of whether<literal>ENCRYPTED</> or <literal>UNENCRYPTED</>`
	`235`	`+is specified(since the system cannot decrypt the specified encrypted`
	`236`	`+ password string). This allows reloading of encrypted passwords`
	`237`	`+ during dump/restore.`
`238`	`238`	`</para>`
`239`	`239`
`240`	`240`	`<para>`
`241`		`- Note that older clients might lack support for the MD5`
	`241`	`+ Note that older clients might lack support for the MD5 or SCRAM`
`242`	`242`	`authentication mechanism that is needed to work with passwords`
`243`	`243`	`that are stored encrypted.`
`244`	`244`	`</para>`
`@@ -254,10 +254,11 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`254`	`254`	`attribute, but you can nonetheless define one for roles without it.)`
`255`	`255`	`If you do not plan to use password authentication you can omit this`
`256`	`256`	`option. The protocols supported are <literal>md5</> to enforce`
`257`		`- a password to be MD5-encrypted, and <literal>plain</> to use an`
`258`		`- unencrypted password. If the password string is already in`
`259`		`- MD5-encrypted format, then it is stored encrypted even if`
`260`		`- <literal>plain</> is specified.`
	`257`	`+ a password to be MD5-encrypted, <literal>scram</> to enforce a password`
	`258`	`+ to be encrypted with SCRAM-SHA-256, and <literal>plain</> to use`
	`259`	`+ an unencrypted password. If the password string is already in`
	`260`	`+ MD5-encrypted or SCRAM-SHA-256 format, then it is stored encrypted`
	`261`	`+ even if another protocol is specified.`
`261`	`262`	`</para>`
`262`	`263`	`</listitem>`
`263`	`264`	`</varlistentry>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit65a26f3

File tree

29 files changed

29 files changed

`‎contrib/passwordcheck/passwordcheck.c`

`‎doc/src/sgml/config.sgml`

`‎doc/src/sgml/protocol.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

0 commit comments