On Tue, Sep 24, 2013 at 11:20:55PM +0100, Richard Neill wrote:
> I'm sorry about that: I think I need to correct my proposed
> correction! I think I've been writing too much C recently, and so I
> foolishly mis-read that as returning pswhash, rather than returning
> the truth of the comparison.
>
> What I meant to write, for clarity, was:
>
> SELECT (pswhash = crypt('entered password', pswhash)) AS pswmatch FROM ... ;
>
> which would make it obvious that we're returning the boolean named pswmatch.
>
> >>[Also, should the default example perhaps use gen_salt('bf'), as opposed to
> >>gen_salt('md5') ?]
> >
> >This, however, might be a good idea. People should of course always
> >read the documentation, but having the examples including the "best
> >practice" would probably be a good idea.
>
> Incidentally, there are 2 other things that confused me in this section.
>
> 1. Table F-18. Supported algorithms for crypt() has a column
> labelled "max password length". It would perhaps also be useful to
> know the size of column needed to store the crypted password (my
> original crypt using md5 easily fits in a varchar(70), whereas using
> bf needs the column to be varchar(100).)
>
> 2. Table F-20. Hash algorithm speeds
>
> What's the difference here between "crypt-md5" and "md5" ?
>
> If I've rightly read this, the algorithm named "md5" in the crypt()
> documentation is named "crypt-md5" here, whereas Table F20's "md5"
> algorithm seems to refer to something else - probably the "normal"
> version of md5.
>
> If so, it would be clearer to write that the last 2 lines ("md5" and
> "sha1") are for comparison only, and refer to the speed of doing an
> ordinary md5/sha1 sum, rather than the md5-variant of crypt().
>
> Anyway, thanks again for your help - Postgres is a wonderful system,
> which I've found to be repeatedly useful.

Based on your report, I have developed the attached doc patch which
clarifies when MD5 hash is being referenced, and when MD5 crypt is. I
have also added your other suggestions.

--
  Bruce Momjian <br...@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +

diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml new file mode 100644 index a0eead7..976c7db *** a/doc/src/sgml/pgcrypto.sgml --- b/doc/src/sgml/pgcrypto.sgml *************** hmac(data bytea, key text, type text) re *** 95,102 **** </para> <para> ! The algorithms in <function>crypt()</> differ from usual hashing algorithms ! like MD5 or SHA1 in the following respects: </para> <orderedlist> --- 95,102 ---- </para> <para> ! The algorithms in <function>crypt()</> differ from the usual ! MD5 or SHA1 hashing algorithms in the following respects: </para> <orderedlist> *************** hmac(data bytea, key text, type text) re *** 142,147 **** --- 142,148 ---- <entry>Max Password Length</entry> <entry>Adaptive?</entry> <entry>Salt Bits</entry> + <entry>Output length</entry> <entry>Description</entry> </row> </thead> *************** hmac(data bytea, key text, type text) re *** 151,156 **** --- 152,158 ---- <entry>72</entry> <entry>yes</entry> <entry>128</entry> + <entry>60</entry> <entry>Blowfish-based, variant 2a</entry> </row> <row> *************** hmac(data bytea, key text, type text) re *** 158,163 **** --- 160,166 ---- <entry>unlimited</entry> <entry>no</entry> <entry>48</entry> + <entry>34</entry> <entry>MD5-based crypt</entry> </row> <row> *************** hmac(data bytea, key text, type text) re *** 165,170 **** --- 168,174 ---- <entry>8</entry> <entry>yes</entry> <entry>24</entry> + <entry>20</entry> <entry>Extended DES</entry> </row> <row> *************** hmac(data bytea, key text, type text) re *** 172,177 **** --- 176,182 ---- <entry>8</entry> <entry>no</entry> <entry>12</entry> + <entry>13</entry> <entry>Original UNIX crypt</entry> </row> </tbody> *************** UPDATE ... SET pswhash = crypt('new pass *** 205,211 **** <para> Example of authentication: <programlisting> ! SELECT pswhash = crypt('entered password', pswhash) FROM ... ; </programlisting> This returns <literal>true</> if the entered password is correct. 
</para> --- 210,216 ---- <para> Example of authentication: <programlisting> ! SELECT (pswhash = crypt('entered password', pswhash)) AS pswmatch FROM ... ; </programlisting> This returns <literal>true</> if the entered password is correct. </para> *************** gen_salt(type text [, iter_count integer *** 353,359 **** <entry>12 years</entry> </row> <row> ! <entry><literal>md5</></entry> <entry>2345086</entry> <entry>1 day</entry> <entry>3 years</entry> --- 358,364 ---- <entry>12 years</entry> </row> <row> ! <entry><literal>md5 hash</></entry> <entry>2345086</entry> <entry>1 day</entry> <entry>3 years</entry> *************** gen_salt(type text [, iter_count integer *** 380,386 **** </listitem> <listitem> <para> ! <literal>md5</> numbers are from mdcrack 1.2. </para> </listitem> <listitem> --- 385,391 ---- </listitem> <listitem> <para> ! <literal>md5 hash</> numbers are from mdcrack 1.2. </para> </listitem> <listitem> *************** gen_random_bytes(count integer) returns *** 1343,1349 **** <entry>OpenBSD sys/crypto</entry> </row> <row> ! <entry>MD5 and SHA1</entry> <entry>WIDE Project</entry> <entry>KAME kame/sys/crypto</entry> </row> --- 1348,1354 ---- <entry>OpenBSD sys/crypto</entry> </row> <row> ! <entry>MD5 hash and SHA1</entry> <entry>WIDE Project</entry> <entry>KAME kame/sys/crypto</entry> </row>
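
Review bot: In the Table F-18 hunks, the new header "<entry>Output length</entry>" is capitalised differently from its neighbours ("Max Password Length", "Salt Bits") and gives no unit. Suggest "<entry>Output Length</entry>" and a statement, in the header or in the text around the table, that 60, 34, 20 and 13 are characters of crypt() output, since the report that prompted the column asked what column size is needed to store the crypted password.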
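
Review bot: In the "Example of authentication" hunk, the query now names its result pswmatch, but the sentence that follows it is unchanged ("This returns <literal>true</> if the entered password is correct.") and never mentions the alias; suggest tying the sentence to the column, for example by saying that pswmatch is true when the entered password is correct. Separately, none of the visible hunks changes the gen_salt('md5') call in the password-setting example, although the quoted discussion calls using gen_salt('bf') there a good idea and the cover note says the other suggestions were added.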
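
Review bot: In the Table F-20 and mdcrack hunks, the word "hash" is placed inside the markup as "<literal>md5 hash</>", which presents "md5 hash" as if it were a literal algorithm name; "<literal>md5</> hash" would keep the markup on the identifier only. The rename is also applied to md5 alone: no visible hunk touches the sha1 row, and the credits table now reads "MD5 hash and SHA1", so the two comparison entries end up labelled inconsistently. The report additionally asked for wording that the last two rows are for comparison only and refer to an ordinary md5/sha1 sum, and no hunk adds that sentence.
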
--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs