From: Marko Kreen Date: Fri, 7 Aug 2015 17:16:59 +0000 (+0300) Subject: Remove crypt auth. X-Git-Tag: pgbouncer_1_7_rc1~28 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9d8e3e4046c8040bd44a7d9c4fc3dd1b5d843e70;p=pgbouncer Remove crypt auth. Highly obsolete. --- diff --git a/NEWS.rst b/NEWS.rst index b6beea6..7e2e3ff 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -12,6 +12,10 @@ Unreleased * Unix sockets support "peer" auth. +- Cleanups + + * Remove **crypt** auth. + PgBouncer 1.6.x --------------- diff --git a/configure.ac b/configure.ac index 36add68..86c27ba 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,6 @@ AC_CHECK_TOOL([STRIP], [strip]) dnl Checks for header files. AC_USUAL_HEADER_CHECK -AC_CHECK_HEADERS([crypt.h]) AC_CHECK_HEADERS([sys/resource.h sys/wait.h]) dnl Checks for typedefs, structures, and compiler characteristics. @@ -46,12 +45,11 @@ m4_ifdef([AC_TYPE_UINT8_T], [ dnl Checks for library functions. AC_USUAL_FUNCTION_CHECK -AC_SEARCH_LIBS(crypt, crypt) AC_SEARCH_LIBS(clock_gettime, rt) AC_SEARCH_LIBS(getsockname, socket) AC_SEARCH_LIBS(gethostbyname, nsl) AC_SEARCH_LIBS(hstrerror, resolv) -AC_CHECK_FUNCS(crypt lstat) +AC_CHECK_FUNCS(lstat) dnl Find libevent AC_USUAL_LIBEVENT diff --git a/doc/config.rst b/doc/config.rst index 266a83c..07a13f7 100644 --- a/doc/config.rst +++ b/doc/config.rst @@ -119,10 +119,6 @@ md5 Use MD5-based password check. `auth_file`_ may contain both MD5-encrypted or plain-text passwords. This is the default authentication method. -crypt - Use crypt(3) based password check. `auth_file`_ must contain plain-text - passwords. Deprecated, removed in PostgreSQL 8.4. - plain Clear-text password is sent over wire. Deprecated. diff --git a/include/bouncer.h b/include/bouncer.h index d409227..ca33199 100644 --- a/include/bouncer.h +++ b/include/bouncer.h 
@@ -119,9 +119,9 @@ extern int cf_sbuf_len; #define AUTH_ANY -1 /* same as trust but without username check */ #define AUTH_TRUST 0 #define AUTH_PLAIN 3 -#define AUTH_CRYPT 4 +/* #define AUTH_CRYPT 4 */ #define AUTH_MD5 5 -#define AUTH_CREDS 6 +/* #define AUTH_CREDS 6 */ #define AUTH_CERT 7 #define AUTH_PEER 8 #define AUTH_HBA 9 diff --git a/include/system.h b/include/system.h index ab8e0aa..4fa3f96 100644 --- a/include/system.h +++ b/include/system.h @@ -34,9 +34,6 @@ #include -#ifdef HAVE_CRYPT_H -#include -#endif #ifdef HAVE_LIBGEN_H #include #endif @@ -60,9 +57,6 @@ * libc compat functions. */ -#ifndef HAVE_CRYPT -static inline char *crypt(const char *p, const char *s) { return NULL; } -#endif #ifndef HAVE_LSTAT static inline int lstat(const char *path, struct stat *st) { return stat(path, st); } #endif diff --git a/src/client.c b/src/client.c index 9f0c48f..4378474 100644 --- a/src/client.c +++ b/src/client.c @@ -36,7 +36,6 @@ static const char *hdr2hex(const struct MBuf *data, char *buf, unsigned buflen) static bool check_client_passwd(PgSocket *client, const char *passwd) { char md5[MD5_PASSWD_LEN + 1]; - const char *correct; PgUser *user = client->auth_user; /* disallow empty passwords */ @@ -46,9 +45,6 @@ static bool check_client_passwd(PgSocket *client, const char *passwd) switch (cf_auth_type) { case AUTH_PLAIN: return strcmp(user->passwd, passwd) == 0; - case AUTH_CRYPT: - correct = crypt(user->passwd, (char *)client->tmp_login_salt); - return correct && strcmp(correct, passwd) == 0; case AUTH_MD5: if (strlen(passwd) != MD5_PASSWD_LEN) return false; 
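Review bot: In include/bouncer.h the two retired constants are left as commented-out `#define` lines, which does not tell a reader why the values 4 and 6 are skipped or that they should stay unused. The AUTH_* numbers appear to double as the auth-request codes on the wire (src/proto.c handles `case 4` and `case 5` as crypt and md5), so a later reuse of a retired value could cause a peer's request to be read as a different method. I would replace both lines with one comment such as `/* 4 (crypt) and 6 (creds) are retired; values mirror protocol auth codes, do not reuse */`. AUTH_CREDS is also disabled here although the commit message only mentions crypt, which is worth stating in the description.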
@@ -60,26 +56,13 @@ static bool check_client_passwd(PgSocket *client, const char *passwd)
 return false;
 }
 
-/* mask to get offset into valid_crypt_salt[] */
-#define SALT_MASK 0x3F
-
-static const char valid_crypt_salt[] =
-"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
 static bool send_client_authreq(PgSocket *client)
 {
 uint8_t saltlen = 0;
 int res;
 int auth = cf_auth_type;
- uint8_t randbuf[2];
-
- if (auth == AUTH_CRYPT) {
- saltlen = 2;
- get_random_bytes(randbuf, saltlen);
- client->tmp_login_salt[0] = valid_crypt_salt[randbuf[0] & SALT_MASK];
- client->tmp_login_salt[1] = valid_crypt_salt[randbuf[1] & SALT_MASK];
- client->tmp_login_salt[2] = 0;
- } else if (cf_auth_type == AUTH_MD5) {
+
+ if (cf_auth_type == AUTH_MD5) {
 saltlen = 4;
 get_random_bytes((void*)client->tmp_login_salt, saltlen);
 } else if (cf_auth_type == AUTH_PLAIN) {
@@ -237,7 +220,6 @@ static bool finish_set_pool(PgSocket *client, bool takeover)
 ok = finish_client_login(client);
 break;
 case AUTH_PLAIN:
- case AUTH_CRYPT:
 case AUTH_MD5:
 ok = send_client_authreq(client);
 break;
diff --git a/src/main.c b/src/main.c
index 983faaa..b6c2f28 100644
--- a/src/main.c
+++ b/src/main.c
@@ -167,9 +167,6 @@ static const struct CfLookup auth_type_map[] = {
 { "any", AUTH_ANY },
 { "trust", AUTH_TRUST },
 { "plain", AUTH_PLAIN },
-#ifdef HAVE_CRYPT
- { "crypt", AUTH_CRYPT },
-#endif
 { "md5", AUTH_MD5 },
 { "cert", AUTH_CERT },
 { "hba", AUTH_HBA },
diff --git a/src/proto.c b/src/proto.c
index 8aad019..670b7c7 100644
--- a/src/proto.c
+++ b/src/proto.c
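Review bot: In send_client_authreq (src/client.c) the local `auth` snapshot is kept, but after this change every visible branch tests the global `cf_auth_type` directly, so the function reads the same setting through two names. Use one consistently, e.g. `if (auth == AUTH_MD5) {` and `} else if (auth == AUTH_PLAIN) {`, so the branch taken and the value presumably sent to the client later in the function (outside this hunk) are visibly the same. A short comment on the MD5 branch would also help, such as `/* 4-byte salt is the per-connection challenge; must be unpredictable */`, since how get_random_bytes() sources its bytes is not visible here.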
@@ -275,23 +275,6 @@ static bool login_clear_psw(PgSocket *server)
 return send_password(server, user->passwd);
 }
 
-static bool login_crypt_psw(PgSocket *server, const uint8_t *salt)
-{
- char saltbuf[3];
- const char *enc;
- PgUser *user = get_srv_psw(server);
-
- slog_debug(server, "P: send crypt password");
- memcpy(saltbuf, salt, 2);
- saltbuf[2] = 0;
- enc = crypt(user->passwd, saltbuf);
- if (!enc) {
- slog_warning(server, "crypt failed");
- return false;
- }
- return send_password(server, enc);
-}
-
 static bool login_md5_psw(PgSocket *server, const uint8_t *salt)
 {
 char txt[MD5_PASSWD_LEN + 1], *src;
@@ -331,12 +314,6 @@ bool answer_authreq(PgSocket *server, PktHdr *pkt)
 slog_debug(server, "S: req cleartext password");
 res = login_clear_psw(server);
 break;
- case 4:
- slog_debug(server, "S: req crypt psw");
- if (!mbuf_get_bytes(&pkt->data, 2, &salt))
- return false;
- res = login_crypt_psw(server, salt);
- break;
 case 5:
 slog_debug(server, "S: req md5-crypted psw");
 if (!mbuf_get_bytes(&pkt->data, 4, &salt))