database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-22 12:22:45 +03:00
Code Activity

Use MD5 for wire protocol encryption for >= 7.2 client/server.

Browse Source 
Allow pg_shadow to be MD5 encrypted.
Add ENCRYPTED/UNENCRYPTED option to CREATE/ALTER user.
Add password_encryption postgresql.conf option.
Update wire protocol version to 2.1.
This commit is contained in:
Bruce Momjian
2001-08-15 18:42:16 +00:00
parent 397f65d102
commit 38bb1abcda
27 changed files with 353 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/interfaces/libpq/Makefile
View File

@@ -4,7 +4,7 @@
#
# Copyright (c) 1994, Regents of the University of California
#
# $Header: /cvsroot/pgsql/src/interfaces/libpq/Makefile,v 1.53 2001/07/15 13:45:04 petere Exp $
# $Header: /cvsroot/pgsql/src/interfaces/libpq/Makefile,v 1.54 2001/08/15 18:42:15 momjian Exp $
#
#-------------------------------------------------------------------------
@@ -20,7 +20,7 @@ SO_MINOR_VERSION= 2
override CPPFLAGS := -I$(srcdir) $(CPPFLAGS) -DFRONTEND -DSYSCONFDIR='"$(sysconfdir)"'
OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
pqexpbuffer.o dllist.o pqsignal.o \
pqexpbuffer.o dllist.o md5.o pqsignal.o \
$(INET_ATON) $(SNPRINTF) $(STRERROR)
ifdef MULTIBYTE
@@ -33,7 +33,7 @@ endif
SHLIB_LINK += $(filter -L%, $(LDFLAGS)) $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS))
all: all-lib
all: md5.c md5.h all-lib
# Shared library stuff
include $(top_srcdir)/src/Makefile.shlib
@@ -49,6 +49,12 @@ backend_src = $(top_srcdir)/src/backend
dllist.c: $(backend_src)/lib/dllist.c
rm -f $@ && $(LN_S) $< .
md5.c: $(backend_src)/libpq/md5.c
rm -f $@ && $(LN_S) $< .
md5.h: $(backend_src)/../include/libpq/md5.h
rm -f $@ && $(LN_S) $< .
# this only gets done if configure finds system doesn't have inet_aton()
inet_aton.c: $(backend_src)/port/inet_aton.c
rm -f $@ && $(LN_S) $< .
@@ -82,7 +88,7 @@ uninstall: uninstall-lib
rm -f $(addprefix $(DESTDIR)$(includedir)/, libpq-fe.h libpq-int.h pqexpbuffer.h)
clean distclean maintainer-clean: clean-lib
rm -f $(OBJS) dllist.c wchar.c
rm -f $(OBJS) dllist.c md5.c md5.h wchar.c
rm -f $(OBJS) inet_aton.c snprintf.c strerror.c
depend dep:

52
src/interfaces/libpq/fe-auth.c
View File

@@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.48 2001/07/15 13:45:04 petere Exp $
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.49 2001/08/15 18:42:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -33,6 +33,7 @@
#include "libpq-fe.h"
#include "libpq-int.h"
#include "fe-auth.h"
#include "md5.h"
#ifdef WIN32
#include "win32.h"
@@ -434,12 +435,52 @@ pg_krb5_sendauth(char *PQerrormsg, int sock,
static int
pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
{
int ret;
char *crypt_pwd;
/* Encrypt the password if needed. */
if (areq == AUTH_REQ_CRYPT)
password = crypt(password, conn->salt);
switch (areq)
{
case AUTH_REQ_CRYPT:
crypt_pwd = crypt(password, conn->salt);
break;
case AUTH_REQ_MD5:
{
char *crypt_pwd2;
return pqPacketSend(conn, password, strlen(password) + 1);
if (!(crypt_pwd = malloc(MD5_PASSWD_LEN+1)) ||
!(crypt_pwd2 = malloc(MD5_PASSWD_LEN+1)))
{
perror("malloc");
return STATUS_ERROR;
}
if (!EncryptMD5(password, conn->pguser, crypt_pwd2))
{
free(crypt_pwd);
free(crypt_pwd2);
return STATUS_ERROR;
}
if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->salt,
crypt_pwd))
{
free(crypt_pwd);
free(crypt_pwd2);
return STATUS_ERROR;
}
free(crypt_pwd2);
break;
}
default:
/* discard const so we can assign it */
crypt_pwd = (char *)password;
break;
}
ret = pqPacketSend(conn, crypt_pwd, strlen(crypt_pwd) + 1);
if (areq == AUTH_REQ_MD5)
free(crypt_pwd);
return ret;
}
/*
@@ -494,6 +535,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
case AUTH_REQ_PASSWORD:
case AUTH_REQ_CRYPT:
case AUTH_REQ_MD5:
if (password == NULL || *password == '\0')
{
(void) sprintf(PQerrormsg,
@@ -506,9 +548,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
"fe_sendauth: error sending password authentication\n");
return STATUS_ERROR;
}
break;
default:
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("authentication method %u not supported\n"), areq);

6
src/interfaces/libpq/fe-connect.c
View File

@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.172 2001/08/03 22:11:39 tgl Exp $
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v 1.173 2001/08/15 18:42:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -1341,7 +1341,7 @@ keep_going: /* We will come back to here until there
}
/* Get the password salt if there is one. */
if (areq == AUTH_REQ_CRYPT)
if (areq == AUTH_REQ_CRYPT || areq == AUTH_REQ_MD5)
{
if (pqGetnchar(conn->salt, sizeof(conn->salt), conn))
{
@@ -1960,7 +1960,7 @@ static void
closePGconn(PGconn *conn)
{
/* Note that the protocol doesn't allow us to send Terminate
messages during the startup phase. */
messages during the startup phase. */
if (conn->sock >= 0 && conn->status == CONNECTION_OK)
{

3
src/interfaces/libpq/fe-exec.c
View File

@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-exec.c,v 1.105 2001/08/03 22:11:39 tgl Exp $
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-exec.c,v 1.106 2001/08/15 18:42:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -1269,7 +1269,6 @@ errout:
static int
getNotice(PGconn *conn)
{
/*
* Since the Notice might be pretty long, we create a temporary
* PQExpBuffer rather than using conn->workBuffer. workBuffer is

4
src/interfaces/libpq/libpq-int.h
View File

@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $Id: libpq-int.h,v 1.36 2001/07/15 13:45:04 petere Exp $
* $Id: libpq-int.h,v 1.37 2001/08/15 18:42:16 momjian Exp $
*
*-------------------------------------------------------------------------
*/
@@ -45,7 +45,7 @@
* pqcomm.h describe what the backend knows, not what libpq knows.
*/
#define PG_PROTOCOL_LIBPQ PG_PROTOCOL(2,0)
#define PG_PROTOCOL_LIBPQ PG_PROTOCOL(2,1)
/*
* POSTGRES backend dependent Constants.

25
src/interfaces/odbc/connection.c
View File

@@ -677,7 +677,7 @@ CC_connect(ConnectionClass *self, char do_password)
mylog("auth got 'R'\n");
areq = SOCK_get_int(sock, 4);
if (areq == AUTH_REQ_CRYPT)
if (areq == AUTH_REQ_CRYPT || areq == AUTH_REQ_MD5)
SOCK_get_n_char(sock, salt, 2);
mylog("areq = %d\n", areq);
@@ -717,6 +717,7 @@ CC_connect(ConnectionClass *self, char do_password)
break;
case AUTH_REQ_CRYPT:
case AUTH_REQ_MD5:
self->errormsg = "Password crypt authentication not supported";
self->errornumber = CONN_AUTH_TYPE_UNSUPPORTED;
return 0;
@@ -1672,15 +1673,15 @@ CC_log_error(char *func, char *desc, ConnectionClass *self)
int CC_get_max_query_len(const ConnectionClass *conn)
{
int value;
/* Long Queries in 7.0+ */
if (PG_VERSION_GE(conn, 7.0))
value = 0 /* MAX_STATEMENT_LEN */;
/* Prior to 7.0 we used 2*BLCKSZ */
else if (PG_VERSION_GE(conn, 6.5))
value = (2 * BLCKSZ);
else
/* Prior to 6.5 we used BLCKSZ */
value = BLCKSZ;
return value;
int value;
/* Long Queries in 7.0+ */
if (PG_VERSION_GE(conn, 7.0))
value = 0 /* MAX_STATEMENT_LEN */;
/* Prior to 7.0 we used 2*BLCKSZ */
else if (PG_VERSION_GE(conn, 6.5))
value = (2 * BLCKSZ);
else
/* Prior to 6.5 we used BLCKSZ */
value = BLCKSZ;
return value;
}

1
src/interfaces/odbc/connection.h
View File

@@ -93,6 +93,7 @@ typedef enum
#define AUTH_REQ_KRB5 2
#define AUTH_REQ_PASSWORD 3
#define AUTH_REQ_CRYPT 4
#define AUTH_REQ_MD5 5
/* Startup Packet sizes */
#define SM_DATABASE 64