@@ -207,7 +207,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
207
207
*/
208
208
char * verifier ;
209
209
210
- verifier = scram_build_verifier ( username , shadow_pass , 0 );
210
+ verifier = pg_be_scram_build_verifier ( shadow_pass );
211
211
212
212
(void ) parse_scram_verifier (verifier , & state -> iterations , & state -> salt ,
213
213
state -> StoredKey , state -> ServerKey );
@@ -387,22 +387,14 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
387
387
/*
388
388
* Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
389
389
*
390
- * If iterations is 0, default number of iterations is used. The result is
391
- * palloc'd, so caller is responsible for freeing it.
390
+ * The result is palloc'd, so caller is responsible for freeing it.
392
391
*/
393
392
char *
394
- scram_build_verifier (const char * username , const char * password ,
395
- int iterations )
393
+ pg_be_scram_build_verifier (const char * password )
396
394
{
397
395
char * prep_password = NULL ;
398
396
pg_saslprep_rc rc ;
399
397
char saltbuf [SCRAM_DEFAULT_SALT_LEN ];
400
- uint8 salted_password [SCRAM_KEY_LEN ];
401
- uint8 keybuf [SCRAM_KEY_LEN ];
402
- char * encoded_salt ;
403
- char * encoded_storedkey ;
404
- char * encoded_serverkey ;
405
- int encoded_len ;
406
398
char * result ;
407
399
408
400
/*
@@ -414,10 +406,7 @@ scram_build_verifier(const char *username, const char *password,
414
406
if (rc == SASLPREP_SUCCESS )
415
407
password = (const char * ) prep_password ;
416
408
417
- if (iterations <= 0 )
418
- iterations = SCRAM_DEFAULT_ITERATIONS ;
419
-
420
- /* Generate salt, and encode it in base64 */
409
+ /* Generate random salt */
421
410
if (!pg_backend_random (saltbuf , SCRAM_DEFAULT_SALT_LEN ))
422
411
{
423
412
ereport (LOG ,
@@ -426,37 +415,11 @@ scram_build_verifier(const char *username, const char *password,
426
415
return NULL ;
427
416
}
428
417
429
- encoded_salt = palloc (pg_b64_enc_len (SCRAM_DEFAULT_SALT_LEN ) + 1 );
430
- encoded_len = pg_b64_encode (saltbuf , SCRAM_DEFAULT_SALT_LEN , encoded_salt );
431
- encoded_salt [encoded_len ] = '\0' ;
432
-
433
- /* Calculate StoredKey, and encode it in base64 */
434
- scram_SaltedPassword (password , saltbuf , SCRAM_DEFAULT_SALT_LEN ,
435
- iterations , salted_password );
436
- scram_ClientKey (salted_password , keybuf );
437
- scram_H (keybuf , SCRAM_KEY_LEN , keybuf ); /* StoredKey */
438
-
439
- encoded_storedkey = palloc (pg_b64_enc_len (SCRAM_KEY_LEN ) + 1 );
440
- encoded_len = pg_b64_encode ((const char * ) keybuf , SCRAM_KEY_LEN ,
441
- encoded_storedkey );
442
- encoded_storedkey [encoded_len ] = '\0' ;
443
-
444
- /* And same for ServerKey */
445
- scram_ServerKey (salted_password , keybuf );
446
-
447
- encoded_serverkey = palloc (pg_b64_enc_len (SCRAM_KEY_LEN ) + 1 );
448
- encoded_len = pg_b64_encode ((const char * ) keybuf , SCRAM_KEY_LEN ,
449
- encoded_serverkey );
450
- encoded_serverkey [encoded_len ] = '\0' ;
451
-
452
- result = psprintf ("SCRAM-SHA-256$%d:%s$%s:%s" , iterations , encoded_salt ,
453
- encoded_storedkey , encoded_serverkey );
418
+ result = scram_build_verifier (saltbuf , SCRAM_DEFAULT_SALT_LEN ,
419
+ SCRAM_DEFAULT_ITERATIONS , password );
454
420
455
421
if (prep_password )
456
422
pfree (prep_password );
457
- pfree (encoded_salt );
458
- pfree (encoded_storedkey );
459
- pfree (encoded_serverkey );
460
423
461
424
return result ;
462
425
}
@@ -1194,7 +1157,7 @@ scram_MockSalt(const char *username)
1194
1157
* Generate salt using a SHA256 hash of the username and the cluster's
1195
1158
* mock authentication nonce. (This works as long as the salt length is
1196
1159
* not larger the SHA256 digest length. If the salt is smaller, the caller
1197
- * will just ignore the extra data) )
1160
+ * will just ignore the extra data. )
1198
1161
*/
1199
1162
StaticAssertStmt (PG_SHA256_DIGEST_LENGTH >= SCRAM_DEFAULT_SALT_LEN ,
1200
1163
"salt length greater than SHA256 digest length" );
0 commit comments