
Commit 44ab596

committed
Allow 'password' encryption even when pg_shadow has MD5 passwords, per
report from Terry Yapt and Hiroshi. Backpatch to 7.3.
1 parent 1fd0c59 commit 44ab596


2 files changed

+24
-8
lines changed


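--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -9,7 +9,7 @@
 * Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $Header: /cvsroot/pgsql/src/backend/libpq/crypt.c,v 1.49 2002/09/04 20:31:19 momjian Exp $
+* $Header: /cvsroot/pgsql/src/backend/libpq/crypt.c,v 1.50 2002/12/05 18:39:43 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -29,14 +29,15 @@
 
 
 int
-md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
+md5_crypt_verify(const Port *port, const char *user, char *pgpass)
 {
 char *passwd = NULL,
 *valuntil = NULL,
 *crypt_pwd;
 int retval = STATUS_ERROR;
 List **line;
 List *token;
+char *crypt_pgpass = pgpass;
 
 if ((line = get_user_line(user)) == NULL)
 return STATUS_ERROR;
@@ -54,11 +55,11 @@ md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
 if (passwd == NULL || *passwd == '\0')
 return STATUS_ERROR;
 
-/* If they encrypt their password, force MD5 */
-if (isMD5(passwd) && port->auth_method != uaMD5)
+/* We can't do crypt with pg_shadow MD5 passwords */
+if (isMD5(passwd) && port->auth_method == uaCrypt)
 {
 elog(LOG, "Password is stored MD5 encrypted. "
-"'password' and 'crypt' auth methods cannot be used.");
+"'crypt' auth method cannot be used.");
 return STATUS_ERROR;
 }
 
@@ -72,6 +73,7 @@ md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
 crypt_pwd = palloc(MD5_PASSWD_LEN + 1);
 if (isMD5(passwd))
 {
+/* pg_shadow already encrypted, only do salt */
 if (!EncryptMD5(passwd + strlen("md5"),
 (char *) port->md5Salt,
 sizeof(port->md5Salt), crypt_pwd))
@@ -82,6 +84,7 @@ md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
 }
 else
 {
+/* pg_shadow plain, double-encrypt */
 char *crypt_pwd2 = palloc(MD5_PASSWD_LEN + 1);
 
 if (!EncryptMD5(passwd, port->user, strlen(port->user),
@@ -110,11 +113,22 @@ md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
 break;
 }
 default:
+if (isMD5(passwd))
+{
+/* Encrypt user-supplied password to match MD5 in pg_shadow */
+crypt_pgpass = palloc(MD5_PASSWD_LEN + 1);
+if (!EncryptMD5(pgpass, port->user, strlen(port->user),
+crypt_pgpass))
+{
+pfree(crypt_pgpass);
+return STATUS_ERROR;
+}
+}
 crypt_pwd = passwd;
 break;
 }
 
-if (strcmp(pgpass, crypt_pwd) == 0)
+if (strcmp(crypt_pgpass, crypt_pwd) == 0)
 {
 /*
 * Password OK, now check to be sure we are not past valuntil
@@ -136,6 +150,8 @@ md5_crypt_verify(const Port *port, const char *user, const char *pgpass)
 
 if (port->auth_method == uaMD5)
 pfree(crypt_pwd);
+if (crypt_pgpass != pgpass)
+pfree(crypt_pgpass);
 
 return retval;
 }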
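Review bot: Dropping `const` from `pgpass` in the signature (new line 32, and the matching prototype in src/include/libpq/crypt.h) is not required by anything the visible code does to the client-supplied password; it only lets `char *crypt_pgpass = pgpass;` compile and supports the cleanup test `crypt_pgpass != pgpass`. Keeping `const char *pgpass` and tracking the allocation separately preserves the guarantee that the verifier never writes through the caller's buffer: `const char *crypt_pgpass = pgpass;` with `char *pgpass_md5 = NULL;` for the palloc'd hash, and `if (pgpass_md5) pfree(pgpass_md5);` at the end. The `default:` arm would then fill `pgpass_md5` and point `crypt_pgpass` at it. Parts of md5_crypt_verify lie between the hunks and are not visible here, so any other use of `pgpass` there should be checked before changing the type back.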

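--- a/src/include/libpq/crypt.h
+++ b/src/include/libpq/crypt.h
@@ -6,7 +6,7 @@
 * Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
-* $Id: crypt.h,v 1.22 2002/09/04 20:31:42 momjian Exp $
+* $Id: crypt.h,v 1.23 2002/12/05 18:39:43 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -23,7 +23,7 @@
 
 
 extern int md5_crypt_verify(const Port *port, const char *user,
-const char *pgpass);
+char *pgpass);
 extern bool md5_hash(const void *buff, size_t len, char *hexsum);
 extern bool CheckMD5Pwd(char *passwd, char *storedpwd, char *seed);
 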