open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor the code for verifying user's password.

Browse Source 
Split md5_crypt_verify() into three functions:
* get_role_password() to fetch user's password from pg_authid, and check
  its expiration.
* md5_crypt_verify() to check an MD5 authentication challenge
* plain_crypt_verify() to check a plaintext password.

get_role_password() will be needed as a separate function by the upcoming
SCRAM authentication patch set. Most of the remaining functionality in
md5_crypt_verify() was different for MD5 and plaintext authentication, so
split that for readability.

While we're at it, simplify the *_crypt_verify functions by using
stack-allocated buffers to hold the temporary MD5 hashes, instead of
pallocing.

Reviewed by Michael Paquier.

Discussion: https://www.postgresql.org/message-id/3029e460-d47c-710e-507e-d8ba759d7cbb@iki.fi
pull/18/head
Heikki Linnakangas 9 years ago
parent 58445c5c8d
commit e7f051b8f9
3 changed files with 153 additions and 91 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 18
      src/backend/libpq/auth.c
  2. 217
      src/backend/libpq/crypt.c
  3. 9
      src/include/libpq/crypt.h

18
src/backend/libpq/auth.c
Unescape View File

@ -704,6 +704,7 @@ CheckMD5Auth(Port *port, char **logdetail)
{ {
char md5Salt[4]; /* Password salt */ char md5Salt[4]; /* Password salt */
char *passwd; char *passwd;
char *shadow_pass;
int result; int result;
if (Db_user_namespace) if (Db_user_namespace)
@ -722,12 +723,16 @@ CheckMD5Auth(Port *port, char **logdetail)
sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4); sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
passwd = recv_password_packet(port); passwd = recv_password_packet(port);
if (passwd == NULL) if (passwd == NULL)
return STATUS_EOF; /* client wouldn't send password */ return STATUS_EOF; /* client wouldn't send password */
result = md5_crypt_verify(port->user_name, passwd, md5Salt, 4, logdetail); result = get_role_password(port->user_name, &shadow_pass, logdetail);
if (result == STATUS_OK)
result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
md5Salt, 4, logdetail);
if (shadow_pass)
pfree(shadow_pass);
pfree(passwd); pfree(passwd);
return result; return result;
@ -743,16 +748,21 @@ CheckPasswordAuth(Port *port, char **logdetail)
{ {
char *passwd; char *passwd;
int result; int result;
char *shadow_pass;
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0); sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
passwd = recv_password_packet(port); passwd = recv_password_packet(port);
if (passwd == NULL) if (passwd == NULL)
return STATUS_EOF; /* client wouldn't send password */ return STATUS_EOF; /* client wouldn't send password */
result = md5_crypt_verify(port->user_name, passwd, NULL, 0, logdetail); result = get_role_password(port->user_name, &shadow_pass, logdetail);
if (result == STATUS_OK)
result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
logdetail);
if (shadow_pass)
pfree(shadow_pass);
pfree(passwd); pfree(passwd);
return result; return result;

217
src/backend/libpq/crypt.c
Unescape View File

@ -30,28 +30,28 @@
/* /*
* Check given password for given user, and return STATUS_OK or STATUS_ERROR. * Fetch stored password for a user, for authentication.
* *
* 'client_pass' is the password response given by the remote user. If * Returns STATUS_OK on success. On error, returns STATUS_ERROR, and stores
* 'md5_salt' is not NULL, it is a response to an MD5 authentication * a palloc'd string describing the reason, for the postmaster log, in
* challenge, with the given salt. Otherwise, it is a plaintext password. * *logdetail. The error reason should *not* be sent to the client, to avoid
* giving away user information!
* *
* In the error case, optionally store a palloc'd string at *logdetail * If the password is expired, it is still returned in *shadow_pass, but the
* that will be sent to the postmaster log (but not the client). * return code is STATUS_ERROR. On other errors, *shadow_pass is set to
* NULL.
*/ */
int int
md5_crypt_verify(const char *role, char *client_pass, get_role_password(const char *role, char **shadow_pass, char **logdetail)
char *md5_salt, int md5_salt_len, char **logdetail)
{ {
int retval = STATUS_ERROR; int retval = STATUS_ERROR;
char *shadow_pass,
*crypt_pwd;
TimestampTz vuntil = 0; TimestampTz vuntil = 0;
char *crypt_client_pass = client_pass;
HeapTuple roleTup; HeapTuple roleTup;
Datum datum; Datum datum;
bool isnull; bool isnull;
*shadow_pass = NULL;
/* Get role info from pg_authid */ /* Get role info from pg_authid */
roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role)); roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
if (!HeapTupleIsValid(roleTup)) if (!HeapTupleIsValid(roleTup))
@ -70,7 +70,7 @@ md5_crypt_verify(const char *role, char *client_pass,
role); role);
return STATUS_ERROR; /* user has no password */ return STATUS_ERROR; /* user has no password */
} }
shadow_pass = TextDatumGetCString(datum); *shadow_pass = TextDatumGetCString(datum);
datum = SysCacheGetAttr(AUTHNAME, roleTup, datum = SysCacheGetAttr(AUTHNAME, roleTup,
Anum_pg_authid_rolvaliduntil, &isnull); Anum_pg_authid_rolvaliduntil, &isnull);
@ -79,104 +79,151 @@ md5_crypt_verify(const char *role, char *client_pass,
ReleaseSysCache(roleTup); ReleaseSysCache(roleTup);
if (*shadow_pass == '\0') if (**shadow_pass == '\0')
{ {
*logdetail = psprintf(_("User \"%s\" has an empty password."), *logdetail = psprintf(_("User \"%s\" has an empty password."),
role); role);
pfree(*shadow_pass);
*shadow_pass = NULL;
return STATUS_ERROR; /* empty password */ return STATUS_ERROR; /* empty password */
} }
/* /*
* Compare with the encrypted or plain password depending on the * Password OK, now check to be sure we are not past rolvaliduntil
* authentication method being used for this connection. (We do not
* bother setting logdetail for pg_md5_encrypt failure: the only possible
* error is out-of-memory, which is unlikely, and if it did happen adding
* a psprintf call would only make things worse.)
*/ */
if (md5_salt) if (isnull)
retval = STATUS_OK;
else if (vuntil < GetCurrentTimestamp())
{ {
/* MD5 authentication */ *logdetail = psprintf(_("User \"%s\" has an expired password."),
Assert(md5_salt_len > 0); role);
crypt_pwd = palloc(MD5_PASSWD_LEN + 1); retval = STATUS_ERROR;
if (isMD5(shadow_pass)) }
{ else
/* stored password already encrypted, only do salt */ retval = STATUS_OK;
if (!pg_md5_encrypt(shadow_pass + strlen("md5"),
md5_salt, md5_salt_len, return retval;
crypt_pwd)) }
{
pfree(crypt_pwd); /*
return STATUS_ERROR; * Check MD5 authentication response, and return STATUS_OK or STATUS_ERROR.
} *
} * 'shadow_pass' is the user's correct password or password hash, as stored
else * in pg_authid.rolpassword.
* 'client_pass' is the response given by the remote user to the MD5 challenge.
* 'md5_salt' is the salt used in the MD5 authentication challenge.
*
* In the error case, optionally store a palloc'd string at *logdetail
* that will be sent to the postmaster log (but not the client).
*/
int
md5_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass,
const char *md5_salt, int md5_salt_len,
char **logdetail)
{
int retval;
char crypt_pwd[MD5_PASSWD_LEN + 1];
char crypt_pwd2[MD5_PASSWD_LEN + 1];
Assert(md5_salt_len > 0);
/*
* Compute the correct answer for the MD5 challenge.
*
* We do not bother setting logdetail for any pg_md5_encrypt failure
* below: the only possible error is out-of-memory, which is unlikely, and
* if it did happen adding a psprintf call would only make things worse.
*/
if (isMD5(shadow_pass))
{
/* stored password already encrypted, only do salt */
if (!pg_md5_encrypt(shadow_pass + strlen("md5"),
md5_salt, md5_salt_len,
crypt_pwd))
{ {
/* stored password is plain, double-encrypt */ return STATUS_ERROR;
char *crypt_pwd2 = palloc(MD5_PASSWD_LEN + 1);
if (!pg_md5_encrypt(shadow_pass,
role,
strlen(role),
crypt_pwd2))
{
pfree(crypt_pwd);
pfree(crypt_pwd2);
return STATUS_ERROR;
}
if (!pg_md5_encrypt(crypt_pwd2 + strlen("md5"),
md5_salt, md5_salt_len,
crypt_pwd))
{
pfree(crypt_pwd);
pfree(crypt_pwd2);
return STATUS_ERROR;
}
pfree(crypt_pwd2);
} }
} }
else else
{ {
/* Client sent password in plaintext */ /* stored password is plain, double-encrypt */
if (isMD5(shadow_pass)) if (!pg_md5_encrypt(shadow_pass,
role,
strlen(role),
crypt_pwd2))
{ {
/* Encrypt user-supplied password to match stored MD5 */ return STATUS_ERROR;
crypt_client_pass = palloc(MD5_PASSWD_LEN + 1); }
if (!pg_md5_encrypt(client_pass, if (!pg_md5_encrypt(crypt_pwd2 + strlen("md5"),
role, md5_salt, md5_salt_len,
strlen(role), crypt_pwd))
crypt_client_pass)) {
{ return STATUS_ERROR;
pfree(crypt_client_pass);
return STATUS_ERROR;
}
} }
crypt_pwd = shadow_pass;
} }
if (strcmp(crypt_client_pass, crypt_pwd) == 0) if (strcmp(client_pass, crypt_pwd) == 0)
retval = STATUS_OK;
else
{ {
/* *logdetail = psprintf(_("Password does not match for user \"%s\"."),
* Password OK, now check to be sure we are not past rolvaliduntil role);
*/ retval = STATUS_ERROR;
if (isnull) }
retval = STATUS_OK;
else if (vuntil < GetCurrentTimestamp()) return retval;
}
/*
* Check given password for given user, and return STATUS_OK or STATUS_ERROR.
*
* 'shadow_pass' is the user's correct password or password hash, as stored
* in pg_authid.rolpassword.
* 'client_pass' is the password given by the remote user.
*
* In the error case, optionally store a palloc'd string at *logdetail
* that will be sent to the postmaster log (but not the client).
*/
int
plain_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass,
char **logdetail)
{
int retval;
char crypt_client_pass[MD5_PASSWD_LEN + 1];
/*
* Client sent password in plaintext. If we have an MD5 hash stored, hash
* the password the client sent, and compare the hashes. Otherwise
* compare the plaintext passwords directly.
*/
if (isMD5(shadow_pass))
{
if (!pg_md5_encrypt(client_pass,
role,
strlen(role),
crypt_client_pass))
{ {
*logdetail = psprintf(_("User \"%s\" has an expired password."), /*
role); * We do not bother setting logdetail for pg_md5_encrypt failure:
retval = STATUS_ERROR; * the only possible error is out-of-memory, which is unlikely,
* and if it did happen adding a psprintf call would only make
* things worse.
*/
return STATUS_ERROR;
} }
else client_pass = crypt_client_pass;
retval = STATUS_OK;
} }
if (strcmp(client_pass, shadow_pass) == 0)
retval = STATUS_OK;
else else
{
*logdetail = psprintf(_("Password does not match for user \"%s\"."), *logdetail = psprintf(_("Password does not match for user \"%s\"."),
role); role);
retval = STATUS_ERROR;
if (crypt_pwd != shadow_pass) }
pfree(crypt_pwd);
if (crypt_client_pass != client_pass)
pfree(crypt_client_pass);
return retval; return retval;
} }

9
src/include/libpq/crypt.h
Unescape View File

@ -15,7 +15,12 @@
#include "datatype/timestamp.h" #include "datatype/timestamp.h"
extern int md5_crypt_verify(const char *role, char *client_pass, extern int get_role_password(const char *role, char **shadow_pass, char **logdetail);
char *md5_salt, int md5_salt_len, char **logdetail);
extern int md5_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass, const char *md5_salt,
int md5_salt_len, char **logdetail);
extern int plain_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass, char **logdetail);
#endif #endif

Write Preview
Loading…
Cancel
Save