Skip to content

Commit 68e61ee

Browse files
hlinnakahlinnaka
committed
Change the on-disk format of SCRAM verifiers to conform to RFC 5803.
It doesn't make any immediate difference to PostgreSQL, but might as well follow the standard, since one exists. (I looked at RFC 5803 earlier, but didn't fully understand it back then.) The new format uses Base64 instead of hex to encode StoredKey and ServerKey, which makes the verifiers slightly smaller. Using the same encoding for the salt and the keys also means that you only need one encoder/decoder instead of two. Although we have code in the backend to do both, we are talking about teaching libpq how to create SCRAM verifiers for PQencodePassword(), and libpq doesn't currently have any code for hex encoding. Bump catversion, because this renders any existing SCRAM verifiers in pg_authid invalid. Discussion: https://www.postgresql.org/message-id/351ba574-85ea-d9b8-9689-8c928dd0955d@iki.fi
1 parent c29a752 commit 68e61ee

File tree

6 files changed

+119
-73
lines changed

6 files changed

+119
-73
lines changed

doc/src/sgml/catalogs.sgml

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1376,14 +1376,22 @@
13761376
32-character hexadecimal MD5 hash. The MD5 hash will be of the user's
13771377
password concatenated to their user name. For example, if user
13781378
<literal>joe</> has password <literal>xyzzy</>, <productname>PostgreSQL</>
1379-
will store the md5 hash of <literal>xyzzyjoe</>. If the password is
1380-
encrypted with SCRAM-SHA-256, it consists of 5 fields separated by colons.
1381-
The first field is the constant <literal>scram-sha-256</literal>, to
1382-
identify the password as a SCRAM-SHA-256 verifier. The second field is a
1383-
salt, Base64-encoded, and the third field is the number of iterations used
1384-
to generate the password. The fourth field and fifth field are the stored
1385-
key and server key, respectively, in hexadecimal format. A password that
1386-
does not follow either of those formats is assumed to be unencrypted.
1379+
will store the md5 hash of <literal>xyzzyjoe</>.
1380+
</para>
1381+
1382+
<para>
1383+
If the password is encrypted with SCRAM-SHA-256, it has the format:
1384+
<synopsis>
1385+
SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</>:<replaceable>&lt;salt&gt;</>$<replaceable>&lt;StoredKey&gt;</>:<replaceable>&lt;ServerKey&gt;</>
1386+
</synopsis>
1387+
where <replaceable>salt</>, <replaceable>StoredKey</> and
1388+
<replaceable>ServerKey</> are in Base64 encoded format. This format is
1389+
the same as that specified by RFC 5803.
1390+
</para>
1391+
1392+
<para>
1393+
A password that does not follow either of those formats is assumed to be
1394+
unencrypted.
13871395
</para>
13881396
</sect1>
13891397

src/backend/libpq/auth-scram.c

Lines changed: 90 additions & 52 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
*
66
* See the following RFCs for more details:
77
* - RFC 5802: https://tools.ietf.org/html/rfc5802
8+
* - RFC 5803: https://tools.ietf.org/html/rfc5803
89
* - RFC 7677: https://tools.ietf.org/html/rfc7677
910
*
1011
* Here are some differences:
@@ -19,7 +20,7 @@
1920
* - Channel binding is not supported yet.
2021
*
2122
*
22-
* The password stored in pg_authid consists of the salt, iteration count,
23+
* The password stored in pg_authid consists of the iteration count, salt,
2324
* StoredKey and ServerKey.
2425
*
2526
* SASLprep usage
@@ -111,8 +112,8 @@ typedef struct
111112

112113
const char *username; /* username from startup packet */
113114

114-
char *salt; /* base64-encoded */
115115
int iterations;
116+
char *salt; /* base64-encoded */
116117
uint8 StoredKey[SCRAM_KEY_LEN];
117118
uint8 ServerKey[SCRAM_KEY_LEN];
118119

@@ -146,10 +147,10 @@ static char *build_server_first_message(scram_state *state);
146147
static char *build_server_final_message(scram_state *state);
147148
static bool verify_client_proof(scram_state *state);
148149
static bool verify_final_nonce(scram_state *state);
149-
static bool parse_scram_verifier(const char *verifier, char **salt,
150-
int *iterations, uint8 *stored_key, uint8 *server_key);
151-
static void mock_scram_verifier(const char *username, char **salt, int *iterations,
152-
uint8 *stored_key, uint8 *server_key);
150+
static bool parse_scram_verifier(const char *verifier, int *iterations,
151+
char **salt, uint8 *stored_key, uint8 *server_key);
152+
static void mock_scram_verifier(const char *username, int *iterations,
153+
char **salt, uint8 *stored_key, uint8 *server_key);
153154
static bool is_scram_printable(char *p);
154155
static char *sanitize_char(char c);
155156
static char *scram_MockSalt(const char *username);
@@ -185,7 +186,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
185186

186187
if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
187188
{
188-
if (parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
189+
if (parse_scram_verifier(shadow_pass, &state->iterations, &state->salt,
189190
state->StoredKey, state->ServerKey))
190191
got_verifier = true;
191192
else
@@ -208,7 +209,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
208209

209210
verifier = scram_build_verifier(username, shadow_pass, 0);
210211

211-
(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
212+
(void) parse_scram_verifier(verifier, &state->iterations, &state->salt,
212213
state->StoredKey, state->ServerKey);
213214
pfree(verifier);
214215

@@ -243,7 +244,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
243244
*/
244245
if (!got_verifier)
245246
{
246-
mock_scram_verifier(username, &state->salt, &state->iterations,
247+
mock_scram_verifier(username, &state->iterations, &state->salt,
247248
state->StoredKey, state->ServerKey);
248249
state->doomed = true;
249250
}
@@ -393,14 +394,15 @@ char *
393394
scram_build_verifier(const char *username, const char *password,
394395
int iterations)
395396
{
396-
uint8 keybuf[SCRAM_KEY_LEN + 1];
397-
char storedkey_hex[SCRAM_KEY_LEN * 2 + 1];
398-
char serverkey_hex[SCRAM_KEY_LEN * 2 + 1];
399-
char salt[SCRAM_SALT_LEN];
400-
char *encoded_salt;
401-
int encoded_len;
402397
char *prep_password = NULL;
403398
pg_saslprep_rc rc;
399+
char saltbuf[SCRAM_SALT_LEN];
400+
uint8 keybuf[SCRAM_KEY_LEN];
401+
char *encoded_salt;
402+
char *encoded_storedkey;
403+
char *encoded_serverkey;
404+
int encoded_len;
405+
char *result;
404406

405407
/*
406408
* Normalize the password with SASLprep. If that doesn't work, because
@@ -414,7 +416,8 @@ scram_build_verifier(const char *username, const char *password,
414416
if (iterations <= 0)
415417
iterations = SCRAM_ITERATIONS_DEFAULT;
416418

417-
if (!pg_backend_random(salt, SCRAM_SALT_LEN))
419+
/* Generate salt, and encode it in base64 */
420+
if (!pg_backend_random(saltbuf, SCRAM_SALT_LEN))
418421
{
419422
ereport(LOG,
420423
(errcode(ERRCODE_INTERNAL_ERROR),
@@ -423,26 +426,38 @@ scram_build_verifier(const char *username, const char *password,
423426
}
424427

425428
encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
426-
encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
429+
encoded_len = pg_b64_encode(saltbuf, SCRAM_SALT_LEN, encoded_salt);
427430
encoded_salt[encoded_len] = '\0';
428431

429-
/* Calculate StoredKey, and encode it in hex */
430-
scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
432+
/* Calculate StoredKey, and encode it in base64 */
433+
scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN,
431434
iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
432435
scram_H(keybuf, SCRAM_KEY_LEN, keybuf); /* StoredKey */
433-
(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, storedkey_hex);
434-
storedkey_hex[SCRAM_KEY_LEN * 2] = '\0';
436+
437+
encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
438+
encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
439+
encoded_storedkey);
440+
encoded_storedkey[encoded_len] = '\0';
435441

436442
/* And same for ServerKey */
437-
scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
443+
scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN, iterations,
438444
SCRAM_SERVER_KEY_NAME, keybuf);
439-
(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, serverkey_hex);
440-
serverkey_hex[SCRAM_KEY_LEN * 2] = '\0';
445+
446+
encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
447+
encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
448+
encoded_serverkey);
449+
encoded_serverkey[encoded_len] = '\0';
450+
451+
result = psprintf("SCRAM-SHA-256$%d:%s$%s:%s", iterations, encoded_salt,
452+
encoded_storedkey, encoded_serverkey);
441453

442454
if (prep_password)
443455
pfree(prep_password);
456+
pfree(encoded_salt);
457+
pfree(encoded_storedkey);
458+
pfree(encoded_serverkey);
444459

445-
return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations, storedkey_hex, serverkey_hex);
460+
return result;
446461
}
447462

448463
/*
@@ -464,7 +479,7 @@ scram_verify_plain_password(const char *username, const char *password,
464479
char *prep_password = NULL;
465480
pg_saslprep_rc rc;
466481

467-
if (!parse_scram_verifier(verifier, &encoded_salt, &iterations,
482+
if (!parse_scram_verifier(verifier, &iterations, &encoded_salt,
468483
stored_key, server_key))
469484
{
470485
/*
@@ -509,13 +524,14 @@ scram_verify_plain_password(const char *username, const char *password,
509524
bool
510525
is_scram_verifier(const char *verifier)
511526
{
512-
char *salt = NULL;
513527
int iterations;
528+
char *salt = NULL;
514529
uint8 stored_key[SCRAM_KEY_LEN];
515530
uint8 server_key[SCRAM_KEY_LEN];
516531
bool result;
517532

518-
result = parse_scram_verifier(verifier, &salt, &iterations, stored_key, server_key);
533+
result = parse_scram_verifier(verifier, &iterations, &salt,
534+
stored_key, server_key);
519535
if (salt)
520536
pfree(salt);
521537

@@ -529,60 +545,82 @@ is_scram_verifier(const char *verifier)
529545
* Returns true if the SCRAM verifier has been parsed, and false otherwise.
530546
*/
531547
static bool
532-
parse_scram_verifier(const char *verifier, char **salt, int *iterations,
548+
parse_scram_verifier(const char *verifier, int *iterations, char **salt,
533549
uint8 *stored_key, uint8 *server_key)
534550
{
535551
char *v;
536552
char *p;
553+
char *scheme_str;
554+
char *salt_str;
555+
char *iterations_str;
556+
char *storedkey_str;
557+
char *serverkey_str;
558+
int decoded_len;
559+
char *decoded_salt_buf;
537560

538561
/*
539562
* The verifier is of form:
540563
*
541-
* scram-sha-256:<salt>:<iterations>:<storedkey>:<serverkey>
564+
* SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
542565
*/
543-
if (strncmp(verifier, "scram-sha-256:", strlen("scram-sha-256:")) != 0)
544-
return false;
545-
546-
v = pstrdup(verifier + strlen("scram-sha-256:"));
547-
548-
/* salt */
549-
if ((p = strtok(v, ":")) == NULL)
566+
v = pstrdup(verifier);
567+
if ((scheme_str = strtok(v, "$")) == NULL)
568+
goto invalid_verifier;
569+
if ((iterations_str = strtok(NULL, ":")) == NULL)
570+
goto invalid_verifier;
571+
if ((salt_str = strtok(NULL, "$")) == NULL)
572+
goto invalid_verifier;
573+
if ((storedkey_str = strtok(NULL, ":")) == NULL)
574+
goto invalid_verifier;
575+
if ((serverkey_str = strtok(NULL, "")) == NULL)
550576
goto invalid_verifier;
551-
*salt = pstrdup(p);
552577

553-
/* iterations */
554-
if ((p = strtok(NULL, ":")) == NULL)
578+
/* Parse the fields */
579+
if (strcmp(scheme_str, "SCRAM-SHA-256") != 0)
555580
goto invalid_verifier;
581+
556582
errno = 0;
557-
*iterations = strtol(p, &p, 10);
583+
*iterations = strtol(iterations_str, &p, 10);
558584
if (*p || errno != 0)
559585
goto invalid_verifier;
560586

561-
/* storedkey */
562-
if ((p = strtok(NULL, ":")) == NULL)
563-
goto invalid_verifier;
564-
if (strlen(p) != SCRAM_KEY_LEN * 2)
587+
/*
588+
* Verify that the salt is in Base64-encoded format, by decoding it,
589+
* although we return the encoded version to the caller.
590+
*/
591+
decoded_salt_buf = palloc(pg_b64_dec_len(strlen(salt_str)));
592+
decoded_len = pg_b64_decode(salt_str, strlen(salt_str), decoded_salt_buf);
593+
if (decoded_len < 0)
565594
goto invalid_verifier;
595+
*salt = pstrdup(salt_str);
566596

567-
hex_decode(p, SCRAM_KEY_LEN * 2, (char *) stored_key);
597+
/*
598+
* Decode StoredKey and ServerKey.
599+
*/
600+
if (pg_b64_dec_len(strlen(storedkey_str) != SCRAM_KEY_LEN))
601+
goto invalid_verifier;
602+
decoded_len = pg_b64_decode(storedkey_str, strlen(storedkey_str),
603+
(char *) stored_key);
604+
if (decoded_len != SCRAM_KEY_LEN)
605+
goto invalid_verifier;
568606

569-
/* serverkey */
570-
if ((p = strtok(NULL, ":")) == NULL)
607+
if (pg_b64_dec_len(strlen(serverkey_str) != SCRAM_KEY_LEN))
571608
goto invalid_verifier;
572-
if (strlen(p) != SCRAM_KEY_LEN * 2)
609+
decoded_len = pg_b64_decode(serverkey_str, strlen(serverkey_str),
610+
(char *) server_key);
611+
if (decoded_len != SCRAM_KEY_LEN)
573612
goto invalid_verifier;
574-
hex_decode(p, SCRAM_KEY_LEN * 2, (char *) server_key);
575613

576-
pfree(v);
577614
return true;
578615

579616
invalid_verifier:
580617
pfree(v);
618+
*salt = NULL;
581619
return false;
582620
}
583621

584622
static void
585-
mock_scram_verifier(const char *username, char **salt, int *iterations,
623+
mock_scram_verifier(const char *username, int *iterations, char **salt,
586624
uint8 *stored_key, uint8 *server_key)
587625
{
588626
char *raw_salt;

src/backend/libpq/crypt.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,7 @@ get_password_type(const char *shadow_pass)
100100
{
101101
if (strncmp(shadow_pass, "md5", 3) == 0 && strlen(shadow_pass) == MD5_PASSWD_LEN)
102102
return PASSWORD_TYPE_MD5;
103-
if (strncmp(shadow_pass, "scram-sha-256:", strlen("scram-sha-256:")) == 0)
103+
if (strncmp(shadow_pass, "SCRAM-SHA-256$", strlen("SCRAM-SHA-256$")) == 0)
104104
return PASSWORD_TYPE_SCRAM_SHA_256;
105105
return PASSWORD_TYPE_PLAINTEXT;
106106
}

src/include/catalog/catversion.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,6 +53,6 @@
5353
*/
5454

5555
/* yyyymmddN */
56-
#define CATALOG_VERSION_NO 201704171
56+
#define CATALOG_VERSION_NO 201704211
5757

5858
#endif

src/test/regress/expected/password.out

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -23,11 +23,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
2323
-- check list of created entries
2424
--
2525
-- The scram verifier will look something like:
26-
-- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
26+
-- SCRAM-SHA-256$4096:E4HxLGtnRzsYwg==$6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
2727
--
2828
-- Since the salt is random, the exact value stored will be different on every test
2929
-- run. Use a regular expression to mask the changing parts.
30-
SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
30+
SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked
3131
FROM pg_authid
3232
WHERE rolname LIKE 'regress_passwd%'
3333
ORDER BY rolname, rolpassword;
@@ -36,7 +36,7 @@ SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):
3636
regress_passwd1 | role_pwd1
3737
regress_passwd2 | md54044304ba511dd062133eb5b4b84a2a3
3838
regress_passwd3 | md50e5699b6911d87f17a08b8d76a21e8b8
39-
regress_passwd4 | scram-sha-256:<salt>:4096:<storedkey>:<serverkey>
39+
regress_passwd4 | SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>
4040
regress_passwd5 |
4141
(5 rows)
4242

@@ -59,11 +59,11 @@ ALTER ROLE regress_passwd1 UNENCRYPTED PASSWORD 'foo'; -- unencrypted
5959
ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab9cdb'; -- encrypted with MD5
6060
SET password_encryption = 'md5';
6161
ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
62-
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
62+
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'SCRAM-SHA-256$4096:VLK4RMaQLCvNtQ==$6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
6363
SET password_encryption = 'scram-sha-256';
6464
ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
6565
CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
66-
SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
66+
SELECT rolname, regexp_replace(rolpassword, '(SCRAM-SHA-256)\$(\d+):([a-zA-Z0-9+/]+==)\$([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1$\2:<salt>$<storedkey>:<serverkey>') as rolpassword_masked
6767
FROM pg_authid
6868
WHERE rolname LIKE 'regress_passwd%'
6969
ORDER BY rolname, rolpassword;
@@ -72,8 +72,8 @@ SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):
7272
regress_passwd1 | foo
7373
regress_passwd2 | md5dfa155cadd5f4ad57860162f3fab9cdb
7474
regress_passwd3 | md5530de4c298af94b3b9f7d20305d2a1bf
75-
regress_passwd4 | scram-sha-256:<salt>:4096:<storedkey>:<serverkey>
76-
regress_passwd5 | scram-sha-256:<salt>:4096:<storedkey>:<serverkey>
75+
regress_passwd4 | SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>
76+
regress_passwd5 | SCRAM-SHA-256$4096:<salt>$<storedkey>:<serverkey>
7777
regress_passwd6 | md53725413363ab045e20521bf36b8d8d7f
7878
(6 rows)
7979

0 commit comments

Comments
 (0)