Participants
Cyan Ogilvie
Cyan Ogilvie
Robert Haas
Robert Haas
Heikki Linnakangas
Heikki Linnakangas
Bruce Momjian
Bruce Momjian
Attachments
Thread Outline
#1Cyan OgilvieCyan Ogilvie
Jun 05, 2011
#2Robert HaasRobert Haasto Cyan Ogilvie (#1)
Jun 06, 2011
#3Heikki LinnakangasHeikki Linnakangasto Robert Haas (#2)
Jun 06, 2011
#4Bruce MomjianBruce Momjianto Heikki Linnakangas (#3)
Oct 14, 2011

WIP: AuthenticationMD5 protocol documentation clarification

Started by Cyan Ogilvieover 14 years ago4 messages
#1Cyan Ogilvie
Cyan Ogilvie
cyan.ogilvie@gmail.com
1 attachment(s)

This is my first patch, so I hope I've got the process right for submitting
patches.

I'm building a driver to talk version 3.0 of the protocol, and generally
I've found the documentation to be excellent. One are I had trouble with
was responding to the AuthenticationMD5Password challenge. After receiving
help on IRC, I've attached a patch to the protocol documentation attempting
to clarify what is expected by the backend, basically:

concat(
'md5',
hex_encode(
md5(
concat(
hex_encode(
md5(
concat(password, username)
)
),
salt
)
)
)
)

My technical writing skills were not up to wording that in plain english,
and it seems like the rest of the documentation for the protocol steers
clear of anything that looks like code. Is this policy in this area or is
the code-esque description ok?

No code is changed, only documentation, so I've left out the code-relevant
patch info fields

Patch info:

Project name: postgresql
Branch: master

Cyan

Attachments:

protocol_md5_clarification_v1.difftext/x-patch; charset=US-ASCII; name=protocol_md5_clarification_v1.diffDownload
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
new file mode 100644
index d3de330..ba95241
*** a/doc/src/sgml/protocol.sgml
--- b/doc/src/sgml/protocol.sgml
***************
*** 294,303 ****
        <listitem>
         <para>
          The frontend must now send a PasswordMessage containing the
!         password encrypted via MD5, using the 4-character salt
!         specified in the AuthenticationMD5Password message.  If
!         this is the correct password, the server responds with an
!         AuthenticationOk, otherwise it responds with an ErrorResponse.
         </para>
        </listitem>
       </varlistentry>
--- 294,306 ----
        <listitem>
         <para>
          The frontend must now send a PasswordMessage containing the
!         result of concat('md5',
!         hex_encode(md5(concat(hex_encode(md5(concat(password, username))),
!         salt)))), where salt is the 4-character salt specified in
!         the AuthenticationMD5Password message.  Username and password do not
!         include the trailing null byte.  If this is the correct password, the
!         server responds with an AuthenticationOk, otherwise it responds with
!         an ErrorResponse.
         </para>
        </listitem>
       </varlistentry>
#2Robert Haas
Robert Haas
robertmhaas@gmail.com
In reply to: Cyan Ogilvie (#1)
Re: WIP: AuthenticationMD5 protocol documentation clarification

On Sun, Jun 5, 2011 at 11:26 AM, Cyan Ogilvie <cyan.ogilvie@gmail.com> wrote:

This is my first patch, so I hope I've got the process right for submitting
patches.

You're doing great. I suspect we do want to either (1) reword what
you've done in English, rather than writing it as code, or at least
(2) add some SGML markup to the code. Our next CommitFest starts in
just over a week, so you should receive some more specific feedback
pretty soon.

Also, if you'd like to help review someone else's patch, that would be great.

http://archives.postgresql.org/pgsql-rrreviewers/2011-06/msg00000.php

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

#3Heikki Linnakangas
Heikki Linnakangas
heikki.linnakangas@enterprisedb.com
In reply to: Robert Haas (#2)
Re: WIP: AuthenticationMD5 protocol documentation clarification

On 06.06.2011 16:58, Robert Haas wrote:

On Sun, Jun 5, 2011 at 11:26 AM, Cyan Ogilvie<cyan.ogilvie@gmail.com> wrote:

This is my first patch, so I hope I've got the process right for submitting
patches.

You're doing great. I suspect we do want to either (1) reword what
you've done in English, rather than writing it as code, or at least
(2) add some SGML markup to the code. Our next CommitFest starts in
just over a week, so you should receive some more specific feedback
pretty soon.

That is quite complicated to explain in plain English, so some sort of
pseudo-code is probably a good idea. I would recommend not to formulate
it as a SQL expression, though. It makes you think you could execute it
from psql or something. Even if you know that's not how to do it, it
feels confusing. Maybe something like:

<literal>md5</literal> hex_encode(md5(hex_encode(md5(password username)
salt)

with some extra markup to make it look pretty.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

#4Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Heikki Linnakangas (#3)
1 attachment(s)
Re: WIP: AuthenticationMD5 protocol documentation clarification

Heikki Linnakangas wrote:

On 06.06.2011 16:58, Robert Haas wrote:

On Sun, Jun 5, 2011 at 11:26 AM, Cyan Ogilvie<cyan.ogilvie@gmail.com> wrote:

This is my first patch, so I hope I've got the process right for submitting
patches.

You're doing great. I suspect we do want to either (1) reword what
you've done in English, rather than writing it as code, or at least
(2) add some SGML markup to the code. Our next CommitFest starts in
just over a week, so you should receive some more specific feedback
pretty soon.

That is quite complicated to explain in plain English, so some sort of
pseudo-code is probably a good idea. I would recommend not to formulate
it as a SQL expression, though. It makes you think you could execute it
from psql or something. Even if you know that's not how to do it, it
feels confusing. Maybe something like:

<literal>md5</literal> hex_encode(md5(hex_encode(md5(password username)
salt)

with some extra markup to make it look pretty.

I have applied the attached doc patch to document this. Thanks for the
report --- it was something we certainly needed to document.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +

Attachments:

/rtmp/md5text/x-diffDownload
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
new file mode 100644
index 19c9686..4fda518
*** a/doc/src/sgml/protocol.sgml
--- b/doc/src/sgml/protocol.sgml
***************
*** 293,302 ****
        <listitem>
         <para>
          The frontend must now send a PasswordMessage containing the
!         password encrypted via MD5, using the 4-character salt
!         specified in the AuthenticationMD5Password message.  If
!         this is the correct password, the server responds with an
!         AuthenticationOk, otherwise it responds with an ErrorResponse.
         </para>
        </listitem>
       </varlistentry>
--- 293,307 ----
        <listitem>
         <para>
          The frontend must now send a PasswordMessage containing the
!         password (with username) encrypted via MD5, then encrypted
!         again using the 4-byte random salt specified in the
!         AuthenticationMD5Password message.  If this is the correct
!         password, the server responds with an AuthenticationOk,
!         otherwise it responds with an ErrorResponse.  The actual
!         PasswordMessage can be computed in SQL as <literal>concat('md5',
!         md5(concat(md5(concat(password, username)), random-salt)))</>.
!         (Keep in mind the <function>md5()</> function returns its
!         result as a hex string.)
         </para>
        </listitem>
       </varlistentry>
← Back to Topics