Re: Re: Proposal for encrypting pg_shadow passwords
| От | Tom Lane |
|---|---|
| Тема | Re: Re: Proposal for encrypting pg_shadow passwords |
| Дата | |
| Msg-id | 10264.997981287@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: Re: Proposal for encrypting pg_shadow passwords (Bruce Momjian <pgman@candle.pha.pa.us>) |
| Список | pgsql-patches |
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Can someone look at our use of port->salt in the code. The call to
> crypt() assumes port->salt is null-terminated, doesn't it.
I have not looked at the new patch, but the EncryptMD5 routine at the
bottom of the original patch's md5.c definitely does think that the
salt is null-terminated. It'd be a trivial change to pass the salt
as buffer pointer and length, however, avoiding any assumptions about
nullness.
BTW, it occurs to me that the day may come when a 4-byte salt space
looks too small too. Perhaps we should define the MD5 protocol as using
an 8-binary-byte salt. For the moment, you'd fill it with two calls to
random(), which'd not add any more security than using only one call;
but if we ever need a bigger salt space, we don't have to change the
protocol and clients to do it.
regards, tom lane
В списке pgsql-patches по дате отправления: