LCOV - code coverage report
Current view: top level - src/backend/libpq - crypt.c (source / functions) Hit Total Coverage
Test: PostgreSQL 16beta1 Lines: 58 78 74.4 %
Date: 2023-05-31 00:12:04 Functions: 5 5 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * crypt.c
       4             :  *    Functions for dealing with encrypted passwords stored in
       5             :  *    pg_authid.rolpassword.
       6             :  *
       7             :  * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
       8             :  * Portions Copyright (c) 1994, Regents of the University of California
       9             :  *
      10             :  * src/backend/libpq/crypt.c
      11             :  *
      12             :  *-------------------------------------------------------------------------
      13             :  */
      14             : #include "postgres.h"
      15             : 
      16             : #include <unistd.h>
      17             : 
      18             : #include "catalog/pg_authid.h"
      19             : #include "common/md5.h"
      20             : #include "common/scram-common.h"
      21             : #include "libpq/crypt.h"
      22             : #include "libpq/scram.h"
      23             : #include "miscadmin.h"
      24             : #include "utils/builtins.h"
      25             : #include "utils/syscache.h"
      26             : #include "utils/timestamp.h"
      27             : 
      28             : 
      29             : /*
      30             :  * Fetch stored password for a user, for authentication.
      31             :  *
      32             :  * On error, returns NULL, and stores a palloc'd string describing the reason,
      33             :  * for the postmaster log, in *logdetail.  The error reason should *not* be
      34             :  * sent to the client, to avoid giving away user information!
      35             :  */
      36             : char *
      37         124 : get_role_password(const char *role, const char **logdetail)
      38             : {
      39         124 :     TimestampTz vuntil = 0;
      40             :     HeapTuple   roleTup;
      41             :     Datum       datum;
      42             :     bool        isnull;
      43             :     char       *shadow_pass;
      44             : 
      45             :     /* Get role info from pg_authid */
      46         124 :     roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
      47         124 :     if (!HeapTupleIsValid(roleTup))
      48             :     {
      49           0 :         *logdetail = psprintf(_("Role \"%s\" does not exist."),
      50             :                               role);
      51           0 :         return NULL;            /* no such user */
      52             :     }
      53             : 
      54         124 :     datum = SysCacheGetAttr(AUTHNAME, roleTup,
      55             :                             Anum_pg_authid_rolpassword, &isnull);
      56         124 :     if (isnull)
      57             :     {
      58           0 :         ReleaseSysCache(roleTup);
      59           0 :         *logdetail = psprintf(_("User \"%s\" has no password assigned."),
      60             :                               role);
      61           0 :         return NULL;            /* user has no password */
      62             :     }
      63         124 :     shadow_pass = TextDatumGetCString(datum);
      64             : 
      65         124 :     datum = SysCacheGetAttr(AUTHNAME, roleTup,
      66             :                             Anum_pg_authid_rolvaliduntil, &isnull);
      67         124 :     if (!isnull)
      68           0 :         vuntil = DatumGetTimestampTz(datum);
      69             : 
      70         124 :     ReleaseSysCache(roleTup);
      71             : 
      72             :     /*
      73             :      * Password OK, but check to be sure we are not past rolvaliduntil
      74             :      */
      75         124 :     if (!isnull && vuntil < GetCurrentTimestamp())
      76             :     {
      77           0 :         *logdetail = psprintf(_("User \"%s\" has an expired password."),
      78             :                               role);
      79           0 :         return NULL;
      80             :     }
      81             : 
      82         124 :     return shadow_pass;
      83             : }
      84             : 
      85             : /*
      86             :  * What kind of a password type is 'shadow_pass'?
      87             :  */
      88             : PasswordType
      89         520 : get_password_type(const char *shadow_pass)
      90             : {
      91             :     char       *encoded_salt;
      92             :     int         iterations;
      93         520 :     int         key_length = 0;
      94             :     pg_cryptohash_type hash_type;
      95             :     uint8       stored_key[SCRAM_MAX_KEY_LEN];
      96             :     uint8       server_key[SCRAM_MAX_KEY_LEN];
      97             : 
      98         520 :     if (strncmp(shadow_pass, "md5", 3) == 0 &&
      99         124 :         strlen(shadow_pass) == MD5_PASSWD_LEN &&
     100         112 :         strspn(shadow_pass + 3, MD5_PASSWD_CHARSET) == MD5_PASSWD_LEN - 3)
     101         100 :         return PASSWORD_TYPE_MD5;
     102         420 :     if (parse_scram_secret(shadow_pass, &iterations, &hash_type, &key_length,
     103             :                            &encoded_salt, stored_key, server_key))
     104         184 :         return PASSWORD_TYPE_SCRAM_SHA_256;
     105         236 :     return PASSWORD_TYPE_PLAINTEXT;
     106             : }
     107             : 
     108             : /*
     109             :  * Given a user-supplied password, convert it into a secret of
     110             :  * 'target_type' kind.
     111             :  *
     112             :  * If the password is already in encrypted form, we cannot reverse the
     113             :  * hash, so it is stored as it is regardless of the requested type.
     114             :  */
     115             : char *
     116         142 : encrypt_password(PasswordType target_type, const char *role,
     117             :                  const char *password)
     118             : {
     119         142 :     PasswordType guessed_type = get_password_type(password);
     120             :     char       *encrypted_password;
     121         142 :     const char *errstr = NULL;
     122             : 
     123         142 :     if (guessed_type != PASSWORD_TYPE_PLAINTEXT)
     124             :     {
     125             :         /*
     126             :          * Cannot convert an already-encrypted password from one format to
     127             :          * another, so return it as it is.
     128             :          */
     129          28 :         return pstrdup(password);
     130             :     }
     131             : 
     132         114 :     switch (target_type)
     133             :     {
     134          24 :         case PASSWORD_TYPE_MD5:
     135          24 :             encrypted_password = palloc(MD5_PASSWD_LEN + 1);
     136             : 
     137          24 :             if (!pg_md5_encrypt(password, role, strlen(role),
     138             :                                 encrypted_password, &errstr))
     139           0 :                 elog(ERROR, "password encryption failed: %s", errstr);
     140          24 :             return encrypted_password;
     141             : 
     142          90 :         case PASSWORD_TYPE_SCRAM_SHA_256:
     143          90 :             return pg_be_scram_build_secret(password);
     144             : 
     145           0 :         case PASSWORD_TYPE_PLAINTEXT:
     146           0 :             elog(ERROR, "cannot encrypt password with 'plaintext'");
     147             :     }
     148             : 
     149             :     /*
     150             :      * This shouldn't happen, because the above switch statements should
     151             :      * handle every combination of source and target password types.
     152             :      */
     153           0 :     elog(ERROR, "cannot encrypt password to requested type");
     154             :     return NULL;                /* keep compiler quiet */
     155             : }
     156             : 
     157             : /*
     158             :  * Check MD5 authentication response, and return STATUS_OK or STATUS_ERROR.
     159             :  *
     160             :  * 'shadow_pass' is the user's correct password or password hash, as stored
     161             :  * in pg_authid.rolpassword.
     162             :  * 'client_pass' is the response given by the remote user to the MD5 challenge.
     163             :  * 'md5_salt' is the salt used in the MD5 authentication challenge.
     164             :  *
     165             :  * In the error case, save a string at *logdetail that will be sent to the
     166             :  * postmaster log (but not the client).
     167             :  */
     168             : int
     169          12 : md5_crypt_verify(const char *role, const char *shadow_pass,
     170             :                  const char *client_pass,
     171             :                  const char *md5_salt, int md5_salt_len,
     172             :                  const char **logdetail)
     173             : {
     174             :     int         retval;
     175             :     char        crypt_pwd[MD5_PASSWD_LEN + 1];
     176          12 :     const char *errstr = NULL;
     177             : 
     178             :     Assert(md5_salt_len > 0);
     179             : 
     180          12 :     if (get_password_type(shadow_pass) != PASSWORD_TYPE_MD5)
     181             :     {
     182             :         /* incompatible password hash format. */
     183           0 :         *logdetail = psprintf(_("User \"%s\" has a password that cannot be used with MD5 authentication."),
     184             :                               role);
     185           0 :         return STATUS_ERROR;
     186             :     }
     187             : 
     188             :     /*
     189             :      * Compute the correct answer for the MD5 challenge.
     190             :      */
     191             :     /* stored password already encrypted, only do salt */
     192          12 :     if (!pg_md5_encrypt(shadow_pass + strlen("md5"),
     193             :                         md5_salt, md5_salt_len,
     194             :                         crypt_pwd, &errstr))
     195             :     {
     196           0 :         *logdetail = errstr;
     197           0 :         return STATUS_ERROR;
     198             :     }
     199             : 
     200          12 :     if (strcmp(client_pass, crypt_pwd) == 0)
     201          12 :         retval = STATUS_OK;
     202             :     else
     203             :     {
     204           0 :         *logdetail = psprintf(_("Password does not match for user \"%s\"."),
     205             :                               role);
     206           0 :         retval = STATUS_ERROR;
     207             :     }
     208             : 
     209          12 :     return retval;
     210             : }
     211             : 
     212             : /*
     213             :  * Check given password for given user, and return STATUS_OK or STATUS_ERROR.
     214             :  *
     215             :  * 'shadow_pass' is the user's correct password hash, as stored in
     216             :  * pg_authid.rolpassword.
     217             :  * 'client_pass' is the password given by the remote user.
     218             :  *
     219             :  * In the error case, store a string at *logdetail that will be sent to the
     220             :  * postmaster log (but not the client).
     221             :  */
     222             : int
     223         178 : plain_crypt_verify(const char *role, const char *shadow_pass,
     224             :                    const char *client_pass,
     225             :                    const char **logdetail)
     226             : {
     227             :     char        crypt_client_pass[MD5_PASSWD_LEN + 1];
     228         178 :     const char *errstr = NULL;
     229             : 
     230             :     /*
     231             :      * Client sent password in plaintext.  If we have an MD5 hash stored, hash
     232             :      * the password the client sent, and compare the hashes.  Otherwise
     233             :      * compare the plaintext passwords directly.
     234             :      */
     235         178 :     switch (get_password_type(shadow_pass))
     236             :     {
     237          30 :         case PASSWORD_TYPE_SCRAM_SHA_256:
     238          30 :             if (scram_verify_plain_password(role,
     239             :                                             client_pass,
     240             :                                             shadow_pass))
     241             :             {
     242          16 :                 return STATUS_OK;
     243             :             }
     244             :             else
     245             :             {
     246          14 :                 *logdetail = psprintf(_("Password does not match for user \"%s\"."),
     247             :                                       role);
     248          14 :                 return STATUS_ERROR;
     249             :             }
     250             :             break;
     251             : 
     252          34 :         case PASSWORD_TYPE_MD5:
     253          34 :             if (!pg_md5_encrypt(client_pass,
     254             :                                 role,
     255             :                                 strlen(role),
     256             :                                 crypt_client_pass,
     257             :                                 &errstr))
     258             :             {
     259           0 :                 *logdetail = errstr;
     260           0 :                 return STATUS_ERROR;
     261             :             }
     262          34 :             if (strcmp(crypt_client_pass, shadow_pass) == 0)
     263          18 :                 return STATUS_OK;
     264             :             else
     265             :             {
     266          16 :                 *logdetail = psprintf(_("Password does not match for user \"%s\"."),
     267             :                                       role);
     268          16 :                 return STATUS_ERROR;
     269             :             }
     270             :             break;
     271             : 
     272         114 :         case PASSWORD_TYPE_PLAINTEXT:
     273             : 
     274             :             /*
     275             :              * We never store passwords in plaintext, so this shouldn't
     276             :              * happen.
     277             :              */
     278         114 :             break;
     279             :     }
     280             : 
     281             :     /*
     282             :      * This shouldn't happen.  Plain "password" authentication is possible
     283             :      * with any kind of stored password hash.
     284             :      */
     285         114 :     *logdetail = psprintf(_("Password of user \"%s\" is in unrecognized format."),
     286             :                           role);
     287         114 :     return STATUS_ERROR;
     288             : }

Generated by: LCOV version 1.14