* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.81 2001/08/15 21:08:20 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.82 2001/08/17 02:59:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
DirectFunctionCall1(textin, CStringGetDatum(password));
else
{
- if (!EncryptMD5(password, stmt->user, encrypted_password))
+ if (!EncryptMD5(password, stmt->user, strlen(stmt->user),
+ encrypted_password))
elog(ERROR, "CREATE USER: password encryption failed");
new_record[Anum_pg_shadow_passwd - 1] =
DirectFunctionCall1(textin, CStringGetDatum(encrypted_password));
DirectFunctionCall1(textin, CStringGetDatum(password));
else
{
- if (!EncryptMD5(password, stmt->user, encrypted_password))
+ if (!EncryptMD5(password, stmt->user, strlen(stmt->user),
+ encrypted_password))
elog(ERROR, "CREATE USER: password encryption failed");
new_record[Anum_pg_shadow_passwd - 1] =
DirectFunctionCall1(textin, CStringGetDatum(encrypted_password));
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.59 2001/08/16 16:24:15 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.60 2001/08/17 02:59:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
pq_sendint(&buf, (int32) areq, sizeof(int32));
/* Add the salt for encrypted passwords. */
- if (areq == AUTH_REQ_CRYPT || areq == AUTH_REQ_MD5)
+ if (areq == AUTH_REQ_MD5)
{
- pq_sendint(&buf, port->salt[0], 1);
- pq_sendint(&buf, port->salt[1], 1);
+ pq_sendint(&buf, port->md5Salt[0], 1);
+ pq_sendint(&buf, port->md5Salt[1], 1);
+ pq_sendint(&buf, port->md5Salt[2], 1);
+ pq_sendint(&buf, port->md5Salt[3], 1);
+ }
+ if (areq == AUTH_REQ_CRYPT)
+ {
+ pq_sendint(&buf, port->cryptSalt[0], 1);
+ pq_sendint(&buf, port->cryptSalt[1], 1);
}
pq_endmessage(&buf);
* Dec 17, 1997 - Todd A. Brandys
* Orignal Version Completed.
*
- * $Id: crypt.c,v 1.34 2001/08/15 21:08:21 momjian Exp $
+ * $Id: crypt.c,v 1.35 2001/08/17 02:59:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
#include "postgres.h"
#include "libpq/crypt.h"
+#include "libpq/libpq.h"
#include "miscadmin.h"
#include "storage/fd.h"
#include "utils/nabstime.h"
return STATUS_ERROR;
}
+ /* If they encrypt their password, force MD5 */
+ if (isMD5(passwd) && port->auth_method != uaMD5)
+ {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "Password is stored MD5 encrypted. "
+ "Only pg_hba.conf's MD5 protocol can be used for this user.\n");
+ fputs(PQerrormsg, stderr);
+ pqdebug("%s", PQerrormsg);
+ return STATUS_ERROR;
+ }
+
/*
* Compare with the encrypted or plain password depending on the
* authentication method being used for this connection.
*/
- switch (port->auth_method)
- {
+ switch (port->auth_method)
+ {
case uaCrypt:
- crypt_pwd = crypt(passwd, port->salt);
+ crypt_pwd = crypt(passwd, port->cryptSalt);
break;
case uaMD5:
crypt_pwd = palloc(MD5_PASSWD_LEN+1);
-
if (isMD5(passwd))
{
if (!EncryptMD5(passwd + strlen("md5"),
- (char *)port->salt, crypt_pwd))
+ (char *)port->md5Salt,
+ sizeof(port->md5Salt), crypt_pwd))
{
pfree(crypt_pwd);
return STATUS_ERROR;
{
char *crypt_pwd2 = palloc(MD5_PASSWD_LEN+1);
- if (!EncryptMD5(passwd, port->user, crypt_pwd2))
+ if (!EncryptMD5(passwd, port->user, strlen(port->user),
+ crypt_pwd2))
{
pfree(crypt_pwd);
pfree(crypt_pwd2);
return STATUS_ERROR;
}
- if (!EncryptMD5(crypt_pwd2 + strlen("md5"), port->salt,
- crypt_pwd))
+ if (!EncryptMD5(crypt_pwd2 + strlen("md5"), port->md5Salt,
+ sizeof(port->md5Salt), crypt_pwd))
{
pfree(crypt_pwd);
pfree(crypt_pwd2);
if (!strcmp(pgpass, crypt_pwd))
{
-
/*
* check here to be sure we are not past valuntil
*/
* puts md5(username+passwd) in buf provided buflen is at least 36 bytes
* returns 1 on success, 0 on any kind of failure and sets errno accordingly
*/
-bool EncryptMD5(const char *passwd, const char *salt, char *buf)
+bool EncryptMD5(const char *passwd, const char *salt, size_t salt_len,
+ char *buf)
{
char crypt_buf[128];
- if (strlen(salt) + strlen(passwd) > 127)
+ if (salt_len + strlen(passwd) > 127)
return false;
strcpy(buf, "md5");
memset(crypt_buf, 0, 128);
- sprintf(crypt_buf,"%s%s", salt, passwd);
+ memcpy(crypt_buf, salt, salt_len);
+ memcpy(crypt_buf+salt_len, passwd, strlen(passwd));
- return md5_hash(crypt_buf, strlen(crypt_buf), buf + 3);
+ return md5_hash(crypt_buf, salt_len + strlen(passwd), buf + 3);
}
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.235 2001/08/05 02:06:50 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.236 2001/08/17 02:59:19 momjian Exp $
*
* NOTES
*
static int initMasks(fd_set *rmask, fd_set *wmask);
static char *canAcceptConnections(void);
static long PostmasterRandom(void);
-static void RandomSalt(char *salt);
+static void RandomSalt(char *cryptSalt, char *md5Salt);
static void SignalChildren(int signal);
static int CountChildren(void);
static bool CreateOptsFile(int argc, char *argv[]);
}
else
{
- RandomSalt(port->salt);
+ RandomSalt(port->cryptSalt, port->md5Salt);
port->pktInfo.state = Idle;
}
* RandomSalt
*/
static void
-RandomSalt(char *salt)
+RandomSalt(char *cryptSalt, char *md5Salt)
{
long rand = PostmasterRandom();
- *salt = CharRemap(rand % 62);
- *(salt + 1) = CharRemap(rand / 62);
+ cryptSalt[0] = CharRemap(rand % 62);
+ cryptSalt[1] = CharRemap(rand / 62);
+ /* Grab top 16-bits of two random runs so as not to send full
+ random value over the network. The high-order bits are more random. */
+ md5Salt[0] = rand & 0xff000000;
+ md5Salt[1] = rand & 0x00ff0000;
+ rand = PostmasterRandom();
+ md5Salt[2] = rand & 0xff000000;
+ md5Salt[3] = rand & 0x00ff0000;
}
/*
extern bool md5_hash(const void *buff, size_t len, char *hexsum);
extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);
-extern bool EncryptMD5(const char *passwd, const char *salt, char *buf);
+extern bool EncryptMD5(const char *passwd, const char *salt,
+ size_t salt_len, char *buf);
#define MD5_PASSWD_LEN 35
* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $Id: libpq-be.h,v 1.21 2001/01/24 19:43:24 momjian Exp $
+ * $Id: libpq-be.h,v 1.22 2001/08/17 02:59:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
typedef struct AuthRequestPacket
{
- char data[1 + sizeof(AuthRequest) + 2]; /* 'R' + the request +
+ char data[1 + sizeof(AuthRequest) + 4]; /* 'R' + the request +
* optional salt. */
} AuthRequestPacket;
Packet pktInfo; /* For the packet handlers */
SockAddr laddr; /* local addr (us) */
SockAddr raddr; /* remote addr (them) */
- char salt[2]; /* Password salt */
+ char md5Salt[4]; /* Password salt */
+ char cryptSalt[2]; /* Password salt */
/*
* Information that needs to be held during the fe/be authentication
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.50 2001/08/15 21:08:21 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.51 2001/08/17 02:59:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
switch (areq)
{
case AUTH_REQ_CRYPT:
- crypt_pwd = crypt(password, conn->salt);
+ crypt_pwd = crypt(password, conn->cryptSalt);
break;
case AUTH_REQ_MD5:
{
perror("malloc");
return STATUS_ERROR;
}
- if (!EncryptMD5(password, conn->pguser, crypt_pwd2))
+ if (!EncryptMD5(password, conn->pguser,
+ strlen(conn->pguser), crypt_pwd2))
{
free(crypt_pwd);
free(crypt_pwd2);
return STATUS_ERROR;
}
- if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->salt,
- crypt_pwd))
+ if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->md5Salt,
+ sizeof(conn->md5Salt), crypt_pwd))
{
free(crypt_pwd);
free(crypt_pwd2);
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.173 2001/08/15 18:42:15 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.174 2001/08/17 02:59:20 momjian Exp $
*
*-------------------------------------------------------------------------
*/
}
/* Get the password salt if there is one. */
- if (areq == AUTH_REQ_CRYPT || areq == AUTH_REQ_MD5)
+ if (areq == AUTH_REQ_MD5)
{
- if (pqGetnchar(conn->salt, sizeof(conn->salt), conn))
+ if (pqGetnchar(conn->md5Salt,
+ sizeof(conn->md5Salt), conn))
+ {
+ /* We'll come back when there are more data */
+ return PGRES_POLLING_READING;
+ }
+ }
+ if (areq == AUTH_REQ_CRYPT)
+ {
+ if (pqGetnchar(conn->cryptSalt,
+ sizeof(conn->cryptSalt), conn))
{
/* We'll come back when there are more data */
return PGRES_POLLING_READING;
* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $Id: libpq-int.h,v 1.38 2001/08/16 04:27:18 momjian Exp $
+ * $Id: libpq-int.h,v 1.39 2001/08/17 02:59:20 momjian Exp $
*
*-------------------------------------------------------------------------
*/
/* Miscellaneous stuff */
int be_pid; /* PID of backend --- needed for cancels */
int be_key; /* key of backend --- needed for cancels */
- char salt[2]; /* password salt received from backend */
+ char md5Salt[4]; /* password salt received from backend */
+ char cryptSalt[2]; /* password salt received from backend */
PGlobjfuncs *lobjfuncs; /* private state for large-object access
* fns */
int areq = -1;
int beresp;
char msgbuffer[ERROR_MSG_LENGTH];
- char salt[2];
+ char salt[5];
static char *func = "CC_connect";
mylog("%s: entering...\n", func);
mylog("auth got 'R'\n");
areq = SOCK_get_int(sock, 4);
- if (areq == AUTH_REQ_CRYPT || areq == AUTH_REQ_MD5)
+ if (areq == AUTH_REQ_MD5)
+ SOCK_get_n_char(sock, salt, 4);
+ if (areq == AUTH_REQ_CRYPT)
SOCK_get_n_char(sock, salt, 2);
mylog("areq = %d\n", areq);
projects / postgresql / commitdiff