11/*-------------------------------------------------------------------------
22 *
33 * crypt.c
4- *Look into the password file and check the encrypted password with
5- * the one passed in from the frontend.
4+ *Set of routines to look into the password file and check the
5+ *encrypted password with the one passed in from the frontend.
66 *
77 * Original coding by Todd A. Brandys
88 *
3030
3131
3232/*
33- * Check given password for given user, and return STATUS_OK or STATUS_ERROR.
34- * In the error case, optionally store a palloc'd string at *logdetail
35- * that will be sent to the postmaster log (but not the client).
33+ * Fetch information of a given role necessary to check password data,
34+ * and return STATUS_OK or STATUS_ERROR. In the case of an error,
35+ * optionally store a palloc'd string at *logdetail that will be sent
36+ * to the postmaster log (but not the client).
3637 */
3738int
38- md5_crypt_verify (const Port * port ,const char * role ,char * client_pass ,
39+ get_role_details (const char * role ,
40+ char * * password ,
41+ TimestampTz * vuntil ,
42+ bool * vuntil_null ,
3943char * * logdetail )
4044{
41- int retval = STATUS_ERROR ;
42- char * shadow_pass ,
43- * crypt_pwd ;
44- TimestampTz vuntil = 0 ;
45- char * crypt_client_pass = client_pass ;
4645HeapTuple roleTup ;
4746Datum datum ;
4847bool isnull ;
4948
49+ * vuntil = 0 ;
50+ * vuntil_null = true;
51+
5052/* Get role info from pg_authid */
5153roleTup = SearchSysCache1 (AUTHNAME ,PointerGetDatum (role ));
5254if (!HeapTupleIsValid (roleTup ))
@@ -65,22 +67,49 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
6567role );
6668return STATUS_ERROR ;/* user has no password */
6769}
68- shadow_pass = TextDatumGetCString (datum );
70+ * password = TextDatumGetCString (datum );
6971
7072datum = SysCacheGetAttr (AUTHNAME ,roleTup ,
7173Anum_pg_authid_rolvaliduntil ,& isnull );
7274if (!isnull )
73- vuntil = DatumGetTimestampTz (datum );
75+ {
76+ * vuntil = DatumGetTimestampTz (datum );
77+ * vuntil_null = false;
78+ }
7479
7580ReleaseSysCache (roleTup );
7681
77- if (* shadow_pass == '\0' )
82+ if (* * password == '\0' )
7883{
7984* logdetail = psprintf (_ ("User \"%s\" has an empty password." ),
8085role );
8186return STATUS_ERROR ;/* empty password */
8287}
8388
89+ return STATUS_OK ;
90+ }
91+
92+ /*
93+ * Check given password for given user, and return STATUS_OK or STATUS_ERROR.
94+ * In the error case, optionally store a palloc'd string at *logdetail
95+ * that will be sent to the postmaster log (but not the client).
96+ */
97+ int
98+ md5_crypt_verify (const Port * port ,const char * role ,char * client_pass ,
99+ char * * logdetail )
100+ {
101+ int retval = STATUS_ERROR ;
102+ char * shadow_pass ,
103+ * crypt_pwd ;
104+ TimestampTz vuntil ;
105+ char * crypt_client_pass = client_pass ;
106+ bool vuntil_null ;
107+
108+ /* fetch details about role needed for password checks */
109+ if (get_role_details (role ,& shadow_pass ,& vuntil ,& vuntil_null ,
110+ logdetail )!= STATUS_OK )
111+ return STATUS_ERROR ;
112+
84113/*
85114 * Compare with the encrypted or plain password depending on the
86115 * authentication method being used for this connection. (We do not
@@ -152,7 +181,7 @@ md5_crypt_verify(const Port *port, const char *role, char *client_pass,
152181/*
153182 * Password OK, now check to be sure we are not past rolvaliduntil
154183 */
155- if (isnull )
184+ if (vuntil_null )
156185retval = STATUS_OK ;
157186else if (vuntil < GetCurrentTimestamp ())
158187{