database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-07 19:06:32 +03:00
Code Activity

Refactor the code for verifying user's password.

Browse Source 
Split md5_crypt_verify() into three functions:
* get_role_password() to fetch user's password from pg_authid, and check
  its expiration.
* md5_crypt_verify() to check an MD5 authentication challenge
* plain_crypt_verify() to check a plaintext password.

get_role_password() will be needed as a separate function by the upcoming
SCRAM authentication patch set. Most of the remaining functionality in
md5_crypt_verify() was different for MD5 and plaintext authentication, so
split that for readability.

While we're at it, simplify the *_crypt_verify functions by using
stack-allocated buffers to hold the temporary MD5 hashes, instead of
pallocing.

Reviewed by Michael Paquier.

Discussion: https://www.postgresql.org/message-id/3029e460-d47c-710e-507e-d8ba759d7cbb@iki.fi
This commit is contained in:
Heikki Linnakangas
2016-12-12 12:48:13 +02:00
parent 58445c5c8d
commit e7f051b8f9
3 changed files with 168 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/backend/libpq/auth.c
View File

@@ -704,6 +704,7 @@ CheckMD5Auth(Port *port, char **logdetail)
{
char md5Salt[4]; /* Password salt */
char *passwd;
char *shadow_pass;
int result;
if (Db_user_namespace)
@@ -722,12 +723,16 @@ CheckMD5Auth(Port *port, char **logdetail)
sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
passwd = recv_password_packet(port);
if (passwd == NULL)
return STATUS_EOF; /* client wouldn't send password */
result = md5_crypt_verify(port->user_name, passwd, md5Salt, 4, logdetail);
result = get_role_password(port->user_name, &shadow_pass, logdetail);
if (result == STATUS_OK)
result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
md5Salt, 4, logdetail);
if (shadow_pass)
pfree(shadow_pass);
pfree(passwd);
return result;
@@ -743,16 +748,21 @@ CheckPasswordAuth(Port *port, char **logdetail)
{
char *passwd;
int result;
char *shadow_pass;
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
passwd = recv_password_packet(port);
if (passwd == NULL)
return STATUS_EOF; /* client wouldn't send password */
result = md5_crypt_verify(port->user_name, passwd, NULL, 0, logdetail);
result = get_role_password(port->user_name, &shadow_pass, logdetail);
if (result == STATUS_OK)
result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
logdetail);
if (shadow_pass)
pfree(shadow_pass);
pfree(passwd);
return result;