Commit Graph

20 Commits

Author SHA1 Message Date
Tom Lane
932ded2ed5 Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
Overly tight coding caused the password transformation loop to stop
examining input once it had processed a byte equal to 0x80.  Thus, if the
given password string contained such a byte (which is possible though not
highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
subsequent characters would not contribute to the hash, making the password
much weaker than it appears on the surface.

This would only affect cases where applications used DES crypt() to encode
passwords before storing them in the database.  If a weak password has been
created in this fashion, the hash will stop matching after this update has
been applied, so it will be easy to tell if any passwords were unexpectedly
weak.  Changing to a different password would be a good idea in such a case.
(Since DES has been considered inadequately secure for some time, changing
to a different encryption algorithm can also be recommended.)

This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
Since the other projects have already published their fixes, there is no
point in trying to keep this commit private.

This bug has been assigned CVE-2012-2143, and credit for its discovery goes
to Rubin Xu and Joseph Bonneau.
2012-05-30 10:53:30 -04:00
Robert Haas
5d4b60f2f2 Lots of doc corrections.
Josh Kupershmidt
2012-04-23 22:43:09 -04:00
Peter Eisentraut
1b81c2fe6e Remove many -Wcast-qual warnings
This addresses only those cases that are easy to fix by adding or
moving a const qualifier or removing an unnecessary cast.  There are
many more complicated cases remaining.
2011-09-11 21:54:32 +03:00
Bruce Momjian
6416a82a62 Remove unnecessary #include references, per pgrminclude script. 2011-09-01 10:04:27 -04:00
Magnus Hagander
9f2e211386 Remove cvs keywords from all files. 2010-09-20 22:08:53 +02:00
Neil Conway
1abf76e82c "Annual" pgcrypto update from Marko Kreen:
Few cleanups and couple of new things:

 - add SHA2 algorithm to older OpenSSL
 - add BIGNUM math to have public-key cryptography work on non-OpenSSL
   build.
 - gen_random_bytes() function

The status of SHA2 algoritms and public-key encryption can now be
changed to 'always available.'

That makes pgcrypto functionally complete and unless there will be new
editions of AES, SHA2 or OpenPGP standards, there is no major changes
planned.
2006-07-13 04:15:25 +00:00
Bruce Momjian
f3d99d160d Add CVS tag lines to files that were lacking them. 2006-03-11 04:38:42 +00:00
Bruce Momjian
1dc3498251 Standard pgindent run for 8.1. 2005-10-15 02:49:52 +00:00
Tom Lane
8a65b820e2 Suppress signed-vs-unsigned-char warnings in contrib. 2005-09-24 19:14:05 +00:00
Tom Lane
f1283ed6cc Fix a bunch of 'old-style parameter declaration' warnings induced by
writing 'foo()' rather than 'foo(void)'.
2004-10-25 02:15:02 +00:00
Tom Lane
78b08584b4 Fix various recent build and regression-test problems in contrib/.
Includes fixes from Joe Conway.
2003-05-14 03:27:22 +00:00
Bruce Momjian
8f73bb4da9 * include <endian.h> is not enough, include sys/types.h too
everywhere.

At least it was now detected correctly.

marko
2001-11-30 17:39:20 +00:00
Bruce Momjian
8aa538cfd5 * When postgres.h does not define BYTE_ENDIAN pgcrypto
produces garbage.

I learned the hard way that

        #if UNDEFINED_1 == UNDEFINED_2
        #error "gcc is idiot"
        #endif

prints "gcc is idiot" ...

Affected are MD5/SHA1 in internal library, and also HMAC-MD5/HMAC-SHA1/
crypt-md5 which use them.  Blowfish is ok, also Rijndael on at
least x86.

Big thanks to Daniel Holtzman who send me a build log which
contained warning:

        md5.c:246: warning: `X' defined but not used

Yes, gcc is that helpful...

Please apply this.

--
marko
2001-11-29 19:40:37 +00:00
Bruce Momjian
c78975f845 Include sys/types.h in crypt-des.c. FreeBSD netinet/in.h
needs it.

Seems it is getting compileable...

Marko Kreen
2001-11-20 21:10:38 +00:00
Bruce Momjian
ea08e6cd55 New pgindent run with fixes suggested by Tom. Patch manually reviewed,
initdb/regression tests pass.
2001-11-05 17:46:40 +00:00
Bruce Momjian
c41b6b1b9c Fix small problem Tom Lane found with pgindent run. 2001-10-30 05:38:56 +00:00
Bruce Momjian
6783b2372e Another pgindent run. Fixes enum indenting, and improves #endif
spacing.  Also adds space for one-line comments.
2001-10-28 06:26:15 +00:00
Bruce Momjian
b81844b173 pgindent run on all C files. Java run to follow. initdb/regression
tests pass.
2001-10-25 05:50:21 +00:00
Tom Lane
77f27d5ec3 Fix some portability problems (get it to compile, at least, on HP's cc) 2001-10-15 19:15:18 +00:00
Bruce Momjian
df24cb73f6 Add missing pgcrypto file. 2001-08-21 01:32:01 +00:00