From: Bruce Momjian Date: Thu, 27 Sep 2001 23:16:23 +0000 (+0000) Subject: Put MD5 salt at the end for security. X-Git-Tag: REL7_2_BETA1~308 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=44f18333b754dafa75d48a691b5af13b72256c7d;p=postgresql Put MD5 salt at the end for security. --- diff --git a/src/backend/libpq/md5.c b/src/backend/libpq/md5.c index ad5b4c91ec..d4a6730319 100644 --- a/src/backend/libpq/md5.c +++ b/src/backend/libpq/md5.c @@ -10,7 +10,7 @@ * * Sverre H. Huseby * - * $Header: /cvsroot/pgsql/src/backend/libpq/md5.c,v 1.6 2001/09/21 20:31:47 tgl Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/md5.c,v 1.7 2001/09/27 23:16:23 momjian Exp $ */ #include "postgres.h" @@ -19,6 +19,14 @@ #include "libpq/crypt.h" +#ifdef FRONTEND +#undef palloc +#define palloc malloc +#undef pfree +#define pfree free +#endif + + /* * PRIVATE FUNCTIONS */ @@ -289,15 +297,19 @@ md5_hash(const void *buff, size_t len, char *hexsum) bool EncryptMD5(const char *passwd, const char *salt, size_t salt_len, char *buf) { - char crypt_buf[128]; - - if (salt_len + strlen(passwd) > 127) - return false; - + char *crypt_buf = palloc(strlen(passwd) + salt_len); + bool ret; + strcpy(buf, "md5"); - memset(crypt_buf, 0, 128); - memcpy(crypt_buf, salt, salt_len); - memcpy(crypt_buf+salt_len, passwd, strlen(passwd)); + /* + * Place salt at the end because it may be known by users + * trying to crack the MD5 output. + */ + strcpy(crypt_buf, passwd); + memcpy(crypt_buf+strlen(passwd), salt, salt_len); + + ret = md5_hash(crypt_buf, strlen(passwd) + salt_len, buf + 3); + pfree(crypt_buf); - return md5_hash(crypt_buf, salt_len + strlen(passwd), buf + 3); + return ret; }