NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitfe7bdf0

committed

Clean up password authentication code a bit.

Commitfe0a0b5, which moved code to do MD5 authentication to a separateCheckMD5Auth() function, left behind a comment that really belongs insidethe function, too. Also move the check for db_user_namespace inside thefunction, seems clearer that way.Now that the md5 salt is passed as argument to md5_crypt_verify, it's a bitsilly that it peeks into the Port struct to see if MD5 authentication wasused. Seems more straightforward to treat it as an MD5 authentication, ifthe md5 salt argument is given. And after that, md5_crypt_verify only usedthe Port argument to look at port->user_name, but that is redundant,because it is also passed as a separate 'role' argument. So remove the Portargument altogether.

1 parentf7d54f4 commitfe7bdf0Copy full SHA for fe7bdf0

File tree

3 files changed

+70

-63

lines changed

src
- backend/libpq
  - auth.c
  - crypt.c
- include/libpq
  - crypt.h

3 files changed

+70

-63

lines changed

`‎src/backend/libpq/auth.c`

Lines changed: 10 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -50,14 +50,14 @@ static char recv_password_packet(Port port);`
`50`	`50`	`* MD5 authentication`
`51`	`51`	`*----------------------------------------------------------------`
`52`	`52`	`*/`
`53`		`-staticintCheckMD5Auth(Portport,char*logdetail);`
	`53`	`+staticintCheckMD5Auth(Portport,char*logdetail);`
`54`	`54`
`55`	`55`	`/*----------------------------------------------------------------`
`56`	`56`	`* Plaintext password authentication`
`57`	`57`	`*----------------------------------------------------------------`
`58`	`58`	`*/`
`59`	`59`
`60`		`-staticintCheckPasswordAuth(Portport,char*logdetail);`
	`60`	`+staticintCheckPasswordAuth(Portport,char*logdetail);`
`61`	`61`
`62`	`62`	`/*----------------------------------------------------------------`
`63`	`63`	`* Ident authentication`
`@@ -544,11 +544,6 @@ ClientAuthentication(Port *port)`
`544`	`544`	`break;`
`545`	`545`
`546`	`546`	`caseuaMD5:`
`547`		`-if (Db_user_namespace)`
`548`		`-ereport(FATAL,`
`549`		`-(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
`550`		`-errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));`
`551`		`-/* include the salt to use for computing the response */`
`552`	`547`	`status=CheckMD5Auth(port,&logdetail);`
`553`	`548`	`break;`
`554`	`549`
`@@ -714,6 +709,12 @@ CheckMD5Auth(Port port, char *logdetail)`
`714`	`709`	`char*passwd;`
`715`	`710`	`intresult;`
`716`	`711`
	`712`	`+if (Db_user_namespace)`
	`713`	`+ereport(FATAL,`
	`714`	`+(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
	`715`	`+errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));`
	`716`	`+`
	`717`	`+/* include the salt to use for computing the response */`
`717`	`718`	`pg_backend_random(md5Salt,4);`
`718`	`719`
`719`	`720`	`sendAuthRequest(port,AUTH_REQ_MD5,md5Salt,4);`
`@@ -723,7 +724,7 @@ CheckMD5Auth(Port port, char *logdetail)`
`723`	`724`	`if (passwd==NULL)`
`724`	`725`	`returnSTATUS_EOF;/* client wouldn't send password */`
`725`	`726`
`726`		`-result=md5_crypt_verify(port,port->user_name,passwd,md5Salt,4,logdetail);`
	`727`	`+result=md5_crypt_verify(port->user_name,passwd,md5Salt,4,logdetail);`
`727`	`728`
`728`	`729`	`pfree(passwd);`
`729`	`730`
`@@ -748,7 +749,7 @@ CheckPasswordAuth(Port port, char *logdetail)`
`748`	`749`	`if (passwd==NULL)`
`749`	`750`	`returnSTATUS_EOF;/* client wouldn't send password */`
`750`	`751`
`751`		`-result=md5_crypt_verify(port,port->user_name,passwd,NULL,0,logdetail);`
	`752`	`+result=md5_crypt_verify(port->user_name,passwd,NULL,0,logdetail);`
`752`	`753`
`753`	`754`	`pfree(passwd);`
`754`	`755`

`‎src/backend/libpq/crypt.c`

Lines changed: 57 additions & 51 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,11 +31,16 @@`
`31`	`31`
`32`	`32`	`/*`
`33`	`33`	`* Check given password for given user, and return STATUS_OK or STATUS_ERROR.`
	`34`	`+ *`
	`35`	`+ * 'client_pass' is the password response given by the remote user. If`
	`36`	`+ * 'md5_salt' is not NULL, it is a response to an MD5 authentication`
	`37`	`+ * challenge, with the given salt. Otherwise, it is a plaintext password.`
	`38`	`+ *`
`34`	`39`	`* In the error case, optionally store a palloc'd string at *logdetail`
`35`	`40`	`* that will be sent to the postmaster log (but not the client).`
`36`	`41`	`*/`
`37`	`42`	`int`
`38`		`-md5_crypt_verify(constPortport,constcharrole,char*client_pass,`
	`43`	`+md5_crypt_verify(constcharrole,charclient_pass,`
`39`	`44`	`charmd5_salt,intmd5_salt_len,char*logdetail)`
`40`	`45`	`{`
`41`	`46`	`intretval=STATUS_ERROR;`
`@@ -88,63 +93,64 @@ md5_crypt_verify(const Port port, const char role, char *client_pass,`
`88`	`93`	`* error is out-of-memory, which is unlikely, and if it did happen adding`
`89`	`94`	`* a psprintf call would only make things worse.)`
`90`	`95`	`*/`
`91`		`-switch (port->hba->auth_method)`
	`96`	`+if (md5_salt)`
`92`	`97`	`{`
`93`		`-caseuaMD5:`
`94`		`-Assert(md5_salt!=NULL&&md5_salt_len>0);`
`95`		`-crypt_pwd=palloc(MD5_PASSWD_LEN+1);`
`96`		`-if (isMD5(shadow_pass))`
	`98`	`+/* MD5 authentication */`
	`99`	`+Assert(md5_salt_len>0);`
	`100`	`+crypt_pwd=palloc(MD5_PASSWD_LEN+1);`
	`101`	`+if (isMD5(shadow_pass))`
	`102`	`+{`
	`103`	`+/* stored password already encrypted, only do salt */`
	`104`	`+if (!pg_md5_encrypt(shadow_pass+strlen("md5"),`
	`105`	`+md5_salt,md5_salt_len,`
	`106`	`+crypt_pwd))`
`97`	`107`	`{`
`98`		`-/* stored password already encrypted, only do salt */`
`99`		`-if (!pg_md5_encrypt(shadow_pass+strlen("md5"),`
`100`		`-md5_salt,md5_salt_len,`
`101`		`-crypt_pwd))`
`102`		`-{`
`103`		`-pfree(crypt_pwd);`
`104`		`-returnSTATUS_ERROR;`
`105`		`-}`
	`108`	`+pfree(crypt_pwd);`
	`109`	`+returnSTATUS_ERROR;`
`106`	`110`	`}`
`107`		`-else`
`108`		`-{`
`109`		`-/* stored password is plain, double-encrypt */`
`110`		`-char*crypt_pwd2=palloc(MD5_PASSWD_LEN+1);`
	`111`	`+}`
	`112`	`+else`
	`113`	`+{`
	`114`	`+/* stored password is plain, double-encrypt */`
	`115`	`+char*crypt_pwd2=palloc(MD5_PASSWD_LEN+1);`
`111`	`116`
`112`		`-if (!pg_md5_encrypt(shadow_pass,`
`113`		`-port->user_name,`
`114`		`-strlen(port->user_name),`
`115`		`-crypt_pwd2))`
`116`		`-{`
`117`		`-pfree(crypt_pwd);`
`118`		`-pfree(crypt_pwd2);`
`119`		`-returnSTATUS_ERROR;`
`120`		`-}`
`121`		`-if (!pg_md5_encrypt(crypt_pwd2+strlen("md5"),`
`122`		`-md5_salt,md5_salt_len,`
`123`		`-crypt_pwd))`
`124`		`-{`
`125`		`-pfree(crypt_pwd);`
`126`		`-pfree(crypt_pwd2);`
`127`		`-returnSTATUS_ERROR;`
`128`		`-}`
	`117`	`+if (!pg_md5_encrypt(shadow_pass,`
	`118`	`+role,`
	`119`	`+strlen(role),`
	`120`	`+crypt_pwd2))`
	`121`	`+{`
	`122`	`+pfree(crypt_pwd);`
`129`	`123`	`pfree(crypt_pwd2);`
	`124`	`+returnSTATUS_ERROR;`
`130`	`125`	`}`
`131`		`-break;`
`132`		`-default:`
`133`		`-if (isMD5(shadow_pass))`
	`126`	`+if (!pg_md5_encrypt(crypt_pwd2+strlen("md5"),`
	`127`	`+md5_salt,md5_salt_len,`
	`128`	`+crypt_pwd))`
`134`	`129`	`{`
`135`		`-/* Encrypt user-supplied password to match stored MD5 */`
`136`		`-crypt_client_pass=palloc(MD5_PASSWD_LEN+1);`
`137`		`-if (!pg_md5_encrypt(client_pass,`
`138`		`-port->user_name,`
`139`		`-strlen(port->user_name),`
`140`		`-crypt_client_pass))`
`141`		`-{`
`142`		`-pfree(crypt_client_pass);`
`143`		`-returnSTATUS_ERROR;`
`144`		`-}`
	`130`	`+pfree(crypt_pwd);`
	`131`	`+pfree(crypt_pwd2);`
	`132`	`+returnSTATUS_ERROR;`
`145`	`133`	`}`
`146`		`-crypt_pwd=shadow_pass;`
`147`		`-break;`
	`134`	`+pfree(crypt_pwd2);`
	`135`	`+}`
	`136`	`+}`
	`137`	`+else`
	`138`	`+{`
	`139`	`+/* Client sent password in plaintext */`
	`140`	`+if (isMD5(shadow_pass))`
	`141`	`+{`
	`142`	`+/* Encrypt user-supplied password to match stored MD5 */`
	`143`	`+crypt_client_pass=palloc(MD5_PASSWD_LEN+1);`
	`144`	`+if (!pg_md5_encrypt(client_pass,`
	`145`	`+role,`
	`146`	`+strlen(role),`
	`147`	`+crypt_client_pass))`
	`148`	`+{`
	`149`	`+pfree(crypt_client_pass);`
	`150`	`+returnSTATUS_ERROR;`
	`151`	`+}`
	`152`	`+}`
	`153`	`+crypt_pwd=shadow_pass;`
`148`	`154`	`}`
`149`	`155`
`150`	`156`	`if (strcmp(crypt_client_pass,crypt_pwd)==0)`
`@@ -167,7 +173,7 @@ md5_crypt_verify(const Port port, const char role, char *client_pass,`
`167`	`173`	`*logdetail=psprintf(_("Password does not match for user \"%s\"."),`
`168`	`174`	`role);`
`169`	`175`
`170`		`-if (port->hba->auth_method==uaMD5)`
	`176`	`+if (crypt_pwd!=shadow_pass)`
`171`	`177`	`pfree(crypt_pwd);`
`172`	`178`	`if (crypt_client_pass!=client_pass)`
`173`	`179`	`pfree(crypt_client_pass);`

`‎src/include/libpq/crypt.h`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,9 @@`
`13`	`13`	`#ifndefPG_CRYPT_H`
`14`	`14`	`#definePG_CRYPT_H`
`15`	`15`
`16`		`-#include"libpq/libpq-be.h"`
	`16`	`+#include"datatype/timestamp.h"`
`17`	`17`
`18`		`-externintmd5_crypt_verify(constPortport,constcharrole,`
`19`		`-charclient_pass,charmd5_salt,intmd5_salt_len,char**logdetail);`
	`18`	`+externintmd5_crypt_verify(constcharrole,charclient_pass,`
	`19`	`+charmd5_salt,intmd5_salt_len,char*logdetail);`
`20`	`20`
`21`	`21`	`#endif`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfe7bdf0

File tree

3 files changed

3 files changed

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/crypt.c`

`‎src/include/libpq/crypt.h`

0 commit comments