database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-23 03:21:12 +03:00
Code Activity

Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

Browse Source 
Per discussion, plain "scram" is confusing because we actually implement
SCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hash
algorithm. If we add support for SCRAM-SHA-512 or some other mechanism in
the SCRAM family in the future, that would become even more confusing.

Most of the internal files and functions still use just "scram" as a
shorthand for SCRMA-SHA-256, but I did change PASSWORD_TYPE_SCRAM to
PASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rd
party extensions that hook into the password-check hook.

Michael Paquier did this in an earlier version of the SCRAM patch set
already, but I didn't include that in the version that was committed.

Discussion: https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
This commit is contained in:
Heikki Linnakangas
2017-04-18 14:50:50 +03:00
parent 123aaffb5b
commit c727f120ff
15 changed files with 60 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/backend/libpq/crypt.c
View File

@ -101,7 +101,7 @@ get_password_type(const char *shadow_pass)
if (strncmp(shadow_pass, "md5", 3) == 0 && strlen(shadow_pass) == MD5_PASSWD_LEN)
return PASSWORD_TYPE_MD5;
if (strncmp(shadow_pass, "scram-sha-256:", strlen("scram-sha-256:")) == 0)
return PASSWORD_TYPE_SCRAM;
return PASSWORD_TYPE_SCRAM_SHA_256;
return PASSWORD_TYPE_PLAINTEXT;
}
@ -141,7 +141,7 @@ encrypt_password(PasswordType target_type, const char *role,
elog(ERROR, "password encryption failed");
return encrypted_password;
case PASSWORD_TYPE_SCRAM:
case PASSWORD_TYPE_SCRAM_SHA_256:
/*
* cannot convert a SCRAM verifier to an MD5 hash, so fall
@ -152,7 +152,7 @@ encrypt_password(PasswordType target_type, const char *role,
}
break;
case PASSWORD_TYPE_SCRAM:
case PASSWORD_TYPE_SCRAM_SHA_256:
switch (guessed_type)
{
case PASSWORD_TYPE_PLAINTEXT:
@ -164,7 +164,7 @@ encrypt_password(PasswordType target_type, const char *role,
* cannot convert an MD5 hash to a SCRAM verifier, so fall
* through to save the MD5 hash instead.
*/
case PASSWORD_TYPE_SCRAM:
case PASSWORD_TYPE_SCRAM_SHA_256:
return pstrdup(password);
}
break;
@ -280,7 +280,7 @@ plain_crypt_verify(const char *role, const char *shadow_pass,
*/
switch (get_password_type(shadow_pass))
{
case PASSWORD_TYPE_SCRAM:
case PASSWORD_TYPE_SCRAM_SHA_256:
if (scram_verify_plain_password(role,
client_pass,
shadow_pass))