*
* We only check for username = password.
*/
- char *logdetail;
+ const char *logdetail = NULL;
if (plain_crypt_verify(username, shadow_pass, username, &logdetail) == STATUS_OK)
ereport(ERROR,
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_update(ctx, data, dlen) < 0)
- elog(ERROR, "could not update %s context", "SHA2");
+ elog(ERROR, "could not update %s context: %s", "SHA2",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", "SHA2");
+ elog(ERROR, "could not initialize %s context: %s", "SHA2",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_final(ctx, dst, h->result_size(h)) < 0)
- elog(ERROR, "could not finalize %s context", "SHA2");
+ elog(ERROR, "could not finalize %s context: %s", "SHA2",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_update(ctx, data, dlen) < 0)
- elog(ERROR, "could not update %s context", "MD5");
+ elog(ERROR, "could not update %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", "MD5");
+ elog(ERROR, "could not initialize %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_final(ctx, dst, h->result_size(h)) < 0)
- elog(ERROR, "could not finalize %s context", "MD5");
+ elog(ERROR, "could not finalize %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_update(ctx, data, dlen) < 0)
- elog(ERROR, "could not update %s context", "SHA1");
+ elog(ERROR, "could not update %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", "SHA1");
+ elog(ERROR, "could not initialize %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = (pg_cryptohash_ctx *) h->p.ptr;
if (pg_cryptohash_final(ctx, dst, h->result_size(h)) < 0)
- elog(ERROR, "could not finalize %s context", "SHA1");
+ elog(ERROR, "could not finalize %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
}
static void
pg_cryptohash_ctx *ctx = pg_cryptohash_create(PG_MD5);
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", "MD5");
+ elog(ERROR, "could not initialize %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
if (pg_cryptohash_update(ctx, ns, sizeof(uu)) < 0 ||
pg_cryptohash_update(ctx, (unsigned char *) ptr, len) < 0)
- elog(ERROR, "could not update %s context", "MD5");
+ elog(ERROR, "could not update %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
/* we assume sizeof MD5 result is 16, same as UUID size */
if (pg_cryptohash_final(ctx, (unsigned char *) &uu,
sizeof(uu)) < 0)
- elog(ERROR, "could not finalize %s context", "MD5");
+ elog(ERROR, "could not finalize %s context: %s", "MD5",
+ pg_cryptohash_error(ctx));
pg_cryptohash_free(ctx);
}
else
unsigned char sha1result[SHA1_DIGEST_LENGTH];
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", "SHA1");
+ elog(ERROR, "could not initialize %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
if (pg_cryptohash_update(ctx, ns, sizeof(uu)) < 0 ||
pg_cryptohash_update(ctx, (unsigned char *) ptr, len) < 0)
- elog(ERROR, "could not update %s context", "SHA1");
+ elog(ERROR, "could not update %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
if (pg_cryptohash_final(ctx, sha1result, sizeof(sha1result)) < 0)
- elog(ERROR, "could not finalize %s context", "SHA1");
+ elog(ERROR, "could not finalize %s context: %s", "SHA1",
+ pg_cryptohash_error(ctx));
pg_cryptohash_free(ctx);
memcpy(&uu, sha1result, sizeof(uu));
if (password)
{
char *shadow_pass;
- char *logdetail;
+ const char *logdetail = NULL;
/*
* Don't allow an empty password. Libpq treats an empty password the
if (password)
{
char *shadow_pass;
- char *logdetail;
+ const char *logdetail = NULL;
/* Like in CREATE USER, don't allow an empty password. */
if (password[0] == '\0' ||
*/
int
pg_be_scram_exchange(void *opaq, const char *input, int inputlen,
- char **output, int *outputlen, char **logdetail)
+ char **output, int *outputlen, const char **logdetail)
{
scram_state *state = (scram_state *) opaq;
int result;
*/
static void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
int extralen);
-static void auth_failed(Port *port, int status, char *logdetail);
+static void auth_failed(Port *port, int status, const char *logdetail);
static char *recv_password_packet(Port *port);
static void set_authn_id(Port *port, const char *id);
* Password-based authentication methods (password, md5, and scram-sha-256)
*----------------------------------------------------------------
*/
-static int CheckPasswordAuth(Port *port, char **logdetail);
-static int CheckPWChallengeAuth(Port *port, char **logdetail);
+static int CheckPasswordAuth(Port *port, const char **logdetail);
+static int CheckPWChallengeAuth(Port *port, const char **logdetail);
-static int CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail);
-static int CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail);
+static int CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail);
+static int CheckSCRAMAuth(Port *port, char *shadow_pass, const char **logdetail);
/*----------------------------------------------------------------
* particular, if logdetail isn't NULL, we send that string to the log.
*/
static void
-auth_failed(Port *port, int status, char *logdetail)
+auth_failed(Port *port, int status, const char *logdetail)
{
const char *errstr;
char *cdetail;
ClientAuthentication(Port *port)
{
int status = STATUS_ERROR;
- char *logdetail = NULL;
+ const char *logdetail = NULL;
/*
* Get the authentication method to use for this frontend/database
* Plaintext password authentication.
*/
static int
-CheckPasswordAuth(Port *port, char **logdetail)
+CheckPasswordAuth(Port *port, const char **logdetail)
{
char *passwd;
int result;
* MD5 and SCRAM authentication.
*/
static int
-CheckPWChallengeAuth(Port *port, char **logdetail)
+CheckPWChallengeAuth(Port *port, const char **logdetail)
{
int auth_result;
char *shadow_pass;
}
static int
-CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
+CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
{
char md5Salt[4]; /* Password salt */
char *passwd;
}
static int
-CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
+CheckSCRAMAuth(Port *port, char *shadow_pass, const char **logdetail)
{
StringInfoData sasl_mechs;
int mtype;
md5trailer = packet->vector;
for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH)
{
+ const char *errstr = NULL;
+
memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);
/*
*/
md5trailer = encryptedpassword + i;
- if (!pg_md5_binary(cryptvector, strlen(secret) + RADIUS_VECTOR_LENGTH, encryptedpassword + i))
+ if (!pg_md5_binary(cryptvector, strlen(secret) + RADIUS_VECTOR_LENGTH,
+ encryptedpassword + i, &errstr))
{
ereport(LOG,
- (errmsg("could not perform MD5 encryption of password")));
+ (errmsg("could not perform MD5 encryption of password: %s",
+ errstr)));
pfree(cryptvector);
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
return STATUS_ERROR;
struct timeval timeout;
struct timeval now;
int64 timeoutval;
+ const char *errstr = NULL;
gettimeofday(&now, NULL);
timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
if (!pg_md5_binary(cryptvector,
packetlength + strlen(secret),
- encryptedpassword))
+ encryptedpassword, &errstr))
{
ereport(LOG,
- (errmsg("could not perform MD5 encryption of received packet")));
+ (errmsg("could not perform MD5 encryption of received packet: %s",
+ errstr)));
pfree(cryptvector);
continue;
}
* sent to the client, to avoid giving away user information!
*/
char *
-get_role_password(const char *role, char **logdetail)
+get_role_password(const char *role, const char **logdetail)
{
TimestampTz vuntil = 0;
HeapTuple roleTup;
{
PasswordType guessed_type = get_password_type(password);
char *encrypted_password;
+ const char *errstr = NULL;
if (guessed_type != PASSWORD_TYPE_PLAINTEXT)
{
encrypted_password = palloc(MD5_PASSWD_LEN + 1);
if (!pg_md5_encrypt(password, role, strlen(role),
- encrypted_password))
- elog(ERROR, "password encryption failed");
+ encrypted_password, &errstr))
+ elog(ERROR, "password encryption failed: %s", errstr);
return encrypted_password;
case PASSWORD_TYPE_SCRAM_SHA_256:
* 'client_pass' is the response given by the remote user to the MD5 challenge.
* 'md5_salt' is the salt used in the MD5 authentication challenge.
*
- * In the error case, optionally store a palloc'd string at *logdetail
- * that will be sent to the postmaster log (but not the client).
+ * In the error case, save a string at *logdetail that will be sent to the
+ * postmaster log (but not the client).
*/
int
md5_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass,
const char *md5_salt, int md5_salt_len,
- char **logdetail)
+ const char **logdetail)
{
int retval;
char crypt_pwd[MD5_PASSWD_LEN + 1];
+ const char *errstr = NULL;
Assert(md5_salt_len > 0);
/*
* Compute the correct answer for the MD5 challenge.
- *
- * We do not bother setting logdetail for any pg_md5_encrypt failure
- * below: the only possible error is out-of-memory, which is unlikely, and
- * if it did happen adding a psprintf call would only make things worse.
*/
/* stored password already encrypted, only do salt */
if (!pg_md5_encrypt(shadow_pass + strlen("md5"),
md5_salt, md5_salt_len,
- crypt_pwd))
+ crypt_pwd, &errstr))
{
+ *logdetail = errstr;
return STATUS_ERROR;
}
* pg_authid.rolpassword.
* 'client_pass' is the password given by the remote user.
*
- * In the error case, optionally store a palloc'd string at *logdetail
- * that will be sent to the postmaster log (but not the client).
+ * In the error case, store a string at *logdetail that will be sent to the
+ * postmaster log (but not the client).
*/
int
plain_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass,
- char **logdetail)
+ const char **logdetail)
{
char crypt_client_pass[MD5_PASSWD_LEN + 1];
+ const char *errstr = NULL;
/*
* Client sent password in plaintext. If we have an MD5 hash stored, hash
if (!pg_md5_encrypt(client_pass,
role,
strlen(role),
- crypt_client_pass))
+ crypt_client_pass,
+ &errstr))
{
- /*
- * We do not bother setting logdetail for pg_md5_encrypt
- * failure: the only possible error is out-of-memory, which is
- * unlikely, and if it did happen adding a psprintf call would
- * only make things worse.
- */
+ *logdetail = errstr;
return STATUS_ERROR;
}
if (strcmp(crypt_client_pass, shadow_pass) == 0)
manifest->buffile = BufFileCreateTemp(false);
manifest->manifest_ctx = pg_cryptohash_create(PG_SHA256);
if (pg_cryptohash_init(manifest->manifest_ctx) < 0)
- elog(ERROR, "failed to initialize checksum of backup manifest");
+ elog(ERROR, "failed to initialize checksum of backup manifest: %s",
+ pg_cryptohash_error(manifest->manifest_ctx));
}
manifest->manifest_size = UINT64CONST(0);
manifest->still_checksumming = false;
if (pg_cryptohash_final(manifest->manifest_ctx, checksumbuf,
sizeof(checksumbuf)) < 0)
- elog(ERROR, "failed to finalize checksum of backup manifest");
+ elog(ERROR, "failed to finalize checksum of backup manifest: %s",
+ pg_cryptohash_error(manifest->manifest_ctx));
AppendStringToManifest(manifest, "\"Manifest-Checksum\": \"");
hex_encode((char *) checksumbuf, sizeof checksumbuf, checksumstringbuf);
if (manifest->still_checksumming)
{
if (pg_cryptohash_update(manifest->manifest_ctx, (uint8 *) s, len) < 0)
- elog(ERROR, "failed to update checksum of backup manifest");
+ elog(ERROR, "failed to update checksum of backup manifest: %s",
+ pg_cryptohash_error(manifest->manifest_ctx));
}
BufFileWrite(manifest->buffile, s, len);
manifest->manifest_size += len;
text *in_text = PG_GETARG_TEXT_PP(0);
size_t len;
char hexsum[MD5_HASH_LEN + 1];
+ const char *errstr = NULL;
/* Calculate the length of the buffer using varlena metadata */
len = VARSIZE_ANY_EXHDR(in_text);
/* get the hash result */
- if (pg_md5_hash(VARDATA_ANY(in_text), len, hexsum) == false)
+ if (pg_md5_hash(VARDATA_ANY(in_text), len, hexsum, &errstr) == false)
ereport(ERROR,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("out of memory")));
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("could not compute %s hash: %s", "MD5",
+ errstr)));
/* convert to text and return it */
PG_RETURN_TEXT_P(cstring_to_text(hexsum));
bytea *in = PG_GETARG_BYTEA_PP(0);
size_t len;
char hexsum[MD5_HASH_LEN + 1];
+ const char *errstr = NULL;
len = VARSIZE_ANY_EXHDR(in);
- if (pg_md5_hash(VARDATA_ANY(in), len, hexsum) == false)
+ if (pg_md5_hash(VARDATA_ANY(in), len, hexsum, &errstr) == false)
ereport(ERROR,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("out of memory")));
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("could not compute %s hash: %s", "MD5",
+ errstr)));
PG_RETURN_TEXT_P(cstring_to_text(hexsum));
}
ctx = pg_cryptohash_create(type);
if (pg_cryptohash_init(ctx) < 0)
- elog(ERROR, "could not initialize %s context", typestr);
+ elog(ERROR, "could not initialize %s context: %s", typestr,
+ pg_cryptohash_error(ctx));
if (pg_cryptohash_update(ctx, data, len) < 0)
- elog(ERROR, "could not update %s context", typestr);
+ elog(ERROR, "could not update %s context: %s", typestr,
+ pg_cryptohash_error(ctx));
if (pg_cryptohash_final(ctx, (unsigned char *) VARDATA(result),
digest_len) < 0)
- elog(ERROR, "could not finalize %s context", typestr);
+ elog(ERROR, "could not finalize %s context: %s", typestr,
+ pg_cryptohash_error(ctx));
pg_cryptohash_free(ctx);
SET_VARSIZE(result, digest_len + VARHDRSZ);
#define FREE(ptr) free(ptr)
#endif
+/* Set of error states */
+typedef enum pg_cryptohash_errno
+{
+ PG_CRYPTOHASH_ERROR_NONE = 0,
+ PG_CRYPTOHASH_ERROR_DEST_LEN
+} pg_cryptohash_errno;
+
/* Internal pg_cryptohash_ctx structure */
struct pg_cryptohash_ctx
{
pg_cryptohash_type type;
+ pg_cryptohash_errno error;
union
{
ctx = ALLOC(sizeof(pg_cryptohash_ctx));
if (ctx == NULL)
return NULL;
+
memset(ctx, 0, sizeof(pg_cryptohash_ctx));
ctx->type = type;
-
+ ctx->error = PG_CRYPTOHASH_ERROR_NONE;
return ctx;
}
{
case PG_MD5:
if (len < MD5_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_md5_final(&ctx->data.md5, dest);
break;
case PG_SHA1:
if (len < SHA1_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_sha1_final(&ctx->data.sha1, dest);
break;
case PG_SHA224:
if (len < PG_SHA224_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_sha224_final(&ctx->data.sha224, dest);
break;
case PG_SHA256:
if (len < PG_SHA256_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_sha256_final(&ctx->data.sha256, dest);
break;
case PG_SHA384:
if (len < PG_SHA384_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_sha384_final(&ctx->data.sha384, dest);
break;
case PG_SHA512:
if (len < PG_SHA512_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
pg_sha512_final(&ctx->data.sha512, dest);
break;
}
explicit_bzero(ctx, sizeof(pg_cryptohash_ctx));
FREE(ctx);
}
+
+/*
+ * pg_cryptohash_error
+ *
+ * Returns a static string providing errors about an error that
+ * happened during a computation.
+ */
+const char *
+pg_cryptohash_error(pg_cryptohash_ctx *ctx)
+{
+ /*
+ * This implementation would never fail because of an out-of-memory error,
+ * except when creating the context.
+ */
+ if (ctx == NULL)
+ return _("out of memory");
+
+ switch (ctx->error)
+ {
+ case PG_CRYPTOHASH_ERROR_NONE:
+ return _("success");
+ case PG_CRYPTOHASH_ERROR_DEST_LEN:
+ return _("destination buffer too small");
+ }
+
+ Assert(false);
+ return _("success");
+}
#include "postgres_fe.h"
#endif
+#include <openssl/err.h>
#include <openssl/evp.h>
#include "common/cryptohash.h"
#define FREE(ptr) free(ptr)
#endif
+/* Set of error states */
+typedef enum pg_cryptohash_errno
+{
+ PG_CRYPTOHASH_ERROR_NONE = 0,
+ PG_CRYPTOHASH_ERROR_DEST_LEN,
+ PG_CRYPTOHASH_ERROR_OPENSSL
+} pg_cryptohash_errno;
+
/*
* Internal pg_cryptohash_ctx structure.
*
struct pg_cryptohash_ctx
{
pg_cryptohash_type type;
+ pg_cryptohash_errno error;
+ const char *errreason;
EVP_MD_CTX *evpctx;
#endif
};
+static const char *
+SSLerrmessage(unsigned long ecode)
+{
+ if (ecode == 0)
+ return NULL;
+
+ /*
+ * This may return NULL, but we would fall back to a default error path if
+ * that were the case.
+ */
+ return ERR_reason_error_string(ecode);
+}
+
/*
* pg_cryptohash_create
*
return NULL;
memset(ctx, 0, sizeof(pg_cryptohash_ctx));
ctx->type = type;
+ ctx->error = PG_CRYPTOHASH_ERROR_NONE;
+ ctx->errreason = NULL;
/*
* Initialization takes care of assigning the correct type for OpenSSL.
/* OpenSSL internals return 1 on success, 0 on failure */
if (status <= 0)
+ {
+ ctx->errreason = SSLerrmessage(ERR_get_error());
+ ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
return -1;
+ }
return 0;
}
/* OpenSSL internals return 1 on success, 0 on failure */
if (status <= 0)
+ {
+ ctx->errreason = SSLerrmessage(ERR_get_error());
+ ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
return -1;
+ }
return 0;
}
{
case PG_MD5:
if (len < MD5_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
case PG_SHA1:
if (len < SHA1_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
case PG_SHA224:
if (len < PG_SHA224_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
case PG_SHA256:
if (len < PG_SHA256_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
case PG_SHA384:
if (len < PG_SHA384_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
case PG_SHA512:
if (len < PG_SHA512_DIGEST_LENGTH)
+ {
+ ctx->error = PG_CRYPTOHASH_ERROR_DEST_LEN;
return -1;
+ }
break;
}
/* OpenSSL internals return 1 on success, 0 on failure */
if (status <= 0)
+ {
+ ctx->errreason = SSLerrmessage(ERR_get_error());
+ ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
return -1;
+ }
return 0;
}
explicit_bzero(ctx, sizeof(pg_cryptohash_ctx));
FREE(ctx);
}
+
+/*
+ * pg_cryptohash_error
+ *
+ * Returns a static string providing errors about an error that
+ * happened during a computation.
+ */
+const char *
+pg_cryptohash_error(pg_cryptohash_ctx *ctx)
+{
+ /*
+ * This implementation would never fail because of an out-of-memory error,
+ * except when creating the context.
+ */
+ if (ctx == NULL)
+ return _("out of memory");
+
+ /*
+ * If a reason is provided, rely on it, else fallback to any error code
+ * set.
+ */
+ if (ctx->errreason)
+ return ctx->errreason;
+
+ switch (ctx->error)
+ {
+ case PG_CRYPTOHASH_ERROR_NONE:
+ return _("success");
+ case PG_CRYPTOHASH_ERROR_DEST_LEN:
+ return _("destination buffer too small");
+ case PG_CRYPTOHASH_ERROR_OPENSSL:
+ return _("OpenSSL failure");
+ }
+
+ Assert(false); /* cannot be reached */
+ return _("success");
+}
*/
bool
-pg_md5_hash(const void *buff, size_t len, char *hexsum)
+pg_md5_hash(const void *buff, size_t len, char *hexsum, const char **errstr)
{
uint8 sum[MD5_DIGEST_LENGTH];
pg_cryptohash_ctx *ctx;
pg_cryptohash_update(ctx, buff, len) < 0 ||
pg_cryptohash_final(ctx, sum, sizeof(sum)) < 0)
{
+ *errstr = pg_cryptohash_error(ctx);
pg_cryptohash_free(ctx);
return false;
}
}
bool
-pg_md5_binary(const void *buff, size_t len, void *outbuf)
+pg_md5_binary(const void *buff, size_t len, void *outbuf, const char **errstr)
{
pg_cryptohash_ctx *ctx;
+ *errstr = NULL;
ctx = pg_cryptohash_create(PG_MD5);
if (ctx == NULL)
+ {
+ *errstr = pg_cryptohash_error(NULL); /* returns OOM */
return false;
+ }
if (pg_cryptohash_init(ctx) < 0 ||
pg_cryptohash_update(ctx, buff, len) < 0 ||
pg_cryptohash_final(ctx, outbuf, MD5_DIGEST_LENGTH) < 0)
{
+ *errstr = pg_cryptohash_error(ctx);
pg_cryptohash_free(ctx);
return false;
}
* Output format is "md5" followed by a 32-hex-digit MD5 checksum.
* Hence, the output buffer "buf" must be at least 36 bytes long.
*
- * Returns true if okay, false on error (out of memory).
+ * Returns true if okay, false on error with *errstr providing some
+ * error context.
*/
bool
pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
- char *buf)
+ char *buf, const char **errstr)
{
size_t passwd_len = strlen(passwd);
bool ret;
if (!crypt_buf)
+ {
+ *errstr = _("out of memory");
return false;
+ }
/*
* Place salt at the end because it may be known by users trying to crack
memcpy(crypt_buf + passwd_len, salt, salt_len);
strcpy(buf, "md5");
- ret = pg_md5_hash(crypt_buf, passwd_len + salt_len, buf + 3);
+ ret = pg_md5_hash(crypt_buf, passwd_len + salt_len, buf + 3, errstr);
free(crypt_buf);
extern int pg_cryptohash_update(pg_cryptohash_ctx *ctx, const uint8 *data, size_t len);
extern int pg_cryptohash_final(pg_cryptohash_ctx *ctx, uint8 *dest, size_t len);
extern void pg_cryptohash_free(pg_cryptohash_ctx *ctx);
+extern const char *pg_cryptohash_error(pg_cryptohash_ctx *ctx);
#endif /* PG_CRYPTOHASH_H */
#define MD5_PASSWD_LEN 35
/* Utilities common to all the MD5 implementations, as of md5_common.c */
-extern bool pg_md5_hash(const void *buff, size_t len, char *hexsum);
-extern bool pg_md5_binary(const void *buff, size_t len, void *outbuf);
+extern bool pg_md5_hash(const void *buff, size_t len, char *hexsum,
+ const char **errstr);
+extern bool pg_md5_binary(const void *buff, size_t len, void *outbuf,
+ const char **errstr);
extern bool pg_md5_encrypt(const char *passwd, const char *salt,
- size_t salt_len, char *buf);
+ size_t salt_len, char *buf,
+ const char **errstr);
#endif /* PG_MD5_H */
extern char *encrypt_password(PasswordType target_type, const char *role,
const char *password);
-extern char *get_role_password(const char *role, char **logdetail);
+extern char *get_role_password(const char *role, const char **logdetail);
extern int md5_crypt_verify(const char *role, const char *shadow_pass,
const char *client_pass, const char *md5_salt,
- int md5_salt_len, char **logdetail);
+ int md5_salt_len, const char **logdetail);
extern int plain_crypt_verify(const char *role, const char *shadow_pass,
- const char *client_pass, char **logdetail);
+ const char *client_pass,
+ const char **logdetail);
#endif
extern void pg_be_scram_get_mechanisms(Port *port, StringInfo buf);
extern void *pg_be_scram_init(Port *port, const char *selected_mech, const char *shadow_pass);
extern int pg_be_scram_exchange(void *opaq, const char *input, int inputlen,
- char **output, int *outputlen, char **logdetail);
+ char **output, int *outputlen,
+ const char **logdetail);
/* Routines to handle and check SCRAM-SHA-256 secret */
extern char *pg_be_scram_build_secret(const char *password);
case AUTH_REQ_MD5:
{
char *crypt_pwd2;
+ const char *errstr = NULL;
/* Allocate enough space for two MD5 hashes */
crypt_pwd = malloc(2 * (MD5_PASSWD_LEN + 1));
crypt_pwd2 = crypt_pwd + MD5_PASSWD_LEN + 1;
if (!pg_md5_encrypt(password, conn->pguser,
- strlen(conn->pguser), crypt_pwd2))
+ strlen(conn->pguser), crypt_pwd2,
+ &errstr))
{
+ appendPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("could not encrypt password: %s\n"),
+ errstr);
free(crypt_pwd);
return STATUS_ERROR;
}
if (!pg_md5_encrypt(crypt_pwd2 + strlen("md5"), md5Salt,
- 4, crypt_pwd))
+ 4, crypt_pwd, &errstr))
{
+ appendPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("could not encrypt password: %s\n"),
+ errstr);
free(crypt_pwd);
return STATUS_ERROR;
}
PQencryptPassword(const char *passwd, const char *user)
{
char *crypt_pwd;
+ const char *errstr = NULL;
crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
if (!crypt_pwd)
return NULL;
- if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+ if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd, &errstr))
{
free(crypt_pwd);
return NULL;
crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
if (crypt_pwd)
{
- if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+ const char *errstr = NULL;
+
+ if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd, &errstr))
{
+ appendPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("could not encrypt password: %s\n"),
+ errstr);
free(crypt_pwd);
crypt_pwd = NULL;
}
pg_crc32
pg_crc32c
pg_cryptohash_ctx
+pg_cryptohash_errno
pg_cryptohash_type
pg_ctype_cache
pg_enc
projects / postgresql.git / commitdiff