Merge cockroachdb#80809

80809: sql: support md5, bf pgcrypto crypt algo r=otan a=ecwall refs cockroachdb#73867 Release note (sql change): Add the pgcrypto crypt builtin with support for the md5, bf algo. Co-authored-by: Evan Wall <[email protected]>
maryliag · May 16, 2022 · 2afa29c · 2afa29c
2 parents a30f5a3 + 38a91a8
commit 2afa29c
Show file tree

Hide file tree

Showing 4 changed files with 327 additions and 15 deletions.
diff --git a/docs/generated/sql/functions.md b/docs/generated/sql/functions.md
@@ -378,6 +378,8 @@
 <table>
 <thead><tr><th>Function &rarr; Returns</th><th>Description</th></tr></thead>
 <tbody>
+<tr><td><a name="crypt"></a><code>crypt(password: <a href="string.html">string</a>, salt: <a href="string.html">string</a>) &rarr; <a href="string.html">string</a></code></td><td><span class="funcdesc"><p>Generates a hash based on a password and salt. The hash algorithm and number of rounds if applicable are encoded in the salt.</p>
+</span></td></tr>
 <tr><td><a name="digest"></a><code>digest(data: <a href="bytes.html">bytes</a>, type: <a href="string.html">string</a>) &rarr; <a href="bytes.html">bytes</a></code></td><td><span class="funcdesc"><p>Computes a binary hash of the given <code>data</code>. <code>type</code> is the algorithm to use (md5, sha1, sha224, sha256, sha384, or sha512).</p>
 </span></td></tr>
 <tr><td><a name="digest"></a><code>digest(data: <a href="string.html">string</a>, type: <a href="string.html">string</a>) &rarr; <a href="bytes.html">bytes</a></code></td><td><span class="funcdesc"><p>Computes a binary hash of the given <code>data</code>. <code>type</code> is the algorithm to use (md5, sha1, sha224, sha256, sha384, or sha512).</p>

diff --git a/pkg/sql/logictest/testdata/logic_test/pgcrypto_builtins b/pkg/sql/logictest/testdata/logic_test/pgcrypto_builtins
@@ -32,6 +32,8 @@ NULL
 statement error pgcode 22023 cannot use "made up alg", no such hash algorithm
 SELECT digest('cat', 'made up alg')
 
+subtest end
+
 subtest hmac
 
 # NB: These results were manually confirmed to match the hashed values
@@ -55,13 +57,16 @@ NULL  NULL  NULL
 statement error pgcode 22023 cannot use "made up alg", no such hash algorithm
 SELECT hmac('dog', 'key', 'made up alg')
 
+subtest end
+
 subtest gen_random_uuid
 
 query IB
 SELECT length(gen_random_uuid()::BYTES), gen_random_uuid() = gen_random_uuid()
 ----
 16 false
 
+subtest end
 
 subtest gen_salt_invalid_algo
 
@@ -71,6 +76,8 @@ SELECT gen_salt('invalid')
 statement error pgcode 22023 unknown salt algorithm
 SELECT gen_salt('invalid', 0)
 
+subtest end
+
 subtest gen_salt_des
 
 query I
@@ -86,9 +93,11 @@ FROM (VALUES (0), (25)) AS t (rounds)
 2
 
 # invalid rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of rounds
 SELECT gen_salt('des', 1)
 
+subtest end
+
 subtest gen_salt_xdes
 
 query TI
@@ -106,17 +115,19 @@ _/...  9
 _zzzz  9
 
 # invalid even rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of rounds
 SELECT gen_salt('xdes', 2)
 
 # invalid min rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of rounds
 SELECT gen_salt('xdes', -1)
 
 # invalid max rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of rounds
 SELECT gen_salt('xdes', 16777216)
 
+subtest end
+
 subtest gen_salt_md5
 
 query TI
@@ -133,9 +144,11 @@ $1$ 11
 $1$ 11
 
 # invalid rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of rounds
 SELECT gen_salt('md5', 1)
 
+subtest end
+
 subtest gen_salt_bf
 
 query TI
@@ -147,9 +160,131 @@ $2a$04$ 29
 $2a$31$ 29
 
 # invalid min rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of salt rounds
 SELECT gen_salt('bf', 3)
 
 # invalid max rounds
-statement error pgcode 22023 incorrect number of rounds
+statement error pgcode 22023 invalid number of salt rounds
 SELECT gen_salt('bf', 32)
+
+subtest crypt_invalid_algo
+
+# invalid header
+statement error pgcode 22023 invalid salt algorithm
+SELECT crypt('password', '')
+
+# invalid header
+statement error pgcode 22023 invalid salt algorithm
+SELECT crypt('password', '$')
+
+subtest end
+
+subtest crypt_md5
+
+query T
+SELECT crypt(password, '$1$aRnqRmeP')
+FROM (VALUES
+  (''),
+  ('0'),
+  ('password'),
+  (repeat('a', 50))
+) AS t (password)
+----
+$1$aRnqRmeP$.GKS2A8uOS7cKSGtb33BL0
+$1$aRnqRmeP$zSsYGTxby0DLjRezdRBT50
+$1$aRnqRmeP$79.GOqWdD1jolSFx6PGg5.
+$1$aRnqRmeP$Qtrye90cHoHamBO08sQKC1
+
+# salt is truncated to 11 chars
+query TB
+SELECT hash1, hash1 = hash2
+FROM (SELECT
+  crypt('password', '$1$aRnqRmeP') as hash1,
+  crypt('password', '$1$aRnqRmePextra') as hash2
+) as t
+----
+$1$aRnqRmeP$79.GOqWdD1jolSFx6PGg5.  true
+
+# random salt can be less than 8 characters
+query T
+SELECT crypt('password', '$1$')
+----
+$1$$I2o9Z7NcvQAKp7wyCTlia0
+
+subtest end
+
+subtest crypt_bf
+
+query T
+SELECT crypt(password, '$2a$06$Ukv6DxN3PpZo4YboQRrIVO')
+FROM (VALUES
+  (''),
+  ('0'),
+  ('password'),
+  (repeat('a', 50))
+) AS t (password)
+----
+$2a$06$Ukv6DxN3PpZo4YboQRrIVOXwHbf79QsnJ4GoQyYv5vZozGSILtNUu
+$2a$06$Ukv6DxN3PpZo4YboQRrIVOBxB6sdGuSnn.PViRLXxUFUiihB30ukm
+$2a$06$Ukv6DxN3PpZo4YboQRrIVO6UrBIvyPUuhsGQvYZyAvmsIjt02Ze3O
+$2a$06$Ukv6DxN3PpZo4YboQRrIVO9DZGS27nWDW5eSzsL/ckOByIGwpxf0a
+
+# password is truncated to 72 chars
+query TBB
+SELECT hash72, hash71 != hash72, hash72 = hash73
+FROM (SELECT
+  crypt(repeat('a', 71), salt) as hash71,
+  crypt(repeat('a', 72), salt) as hash72,
+  crypt(repeat('a', 73), salt) as hash73
+  FROM (SELECT '$2a$06$Ukv6DxN3PpZo4YboQRrIVO' as salt) as s
+) as t
+----
+$2a$06$Ukv6DxN3PpZo4YboQRrIVOIQPDI39RHxEgW32.ICmqRFFBxkR8ddC  true  true
+
+# salt is truncated to 29 chars
+query TB
+SELECT hash1, hash1 = hash2
+FROM (SELECT
+  crypt('password', '$2a$06$Ukv6DxN3PpZo4YboQRrIVO') as hash1,
+  crypt('password', '$2a$06$Ukv6DxN3PpZo4YboQRrIVOextra') as hash2
+) as t
+----
+$2a$06$Ukv6DxN3PpZo4YboQRrIVO6UrBIvyPUuhsGQvYZyAvmsIjt02Ze3O  true
+
+# test min and average num rounds (large num rounds take too long to run for a test)
+query T
+SELECT crypt('password', concat('$2a$', rounds, '$Ukv6DxN3PpZo4YboQRrIVO'))
+FROM (VALUES ('04'), ('10')) AS t (rounds)
+----
+$2a$04$Ukv6DxN3PpZo4YboQRrIVOSgyjUD9vDt2W.RjRVhm7XC2QTQrtLSK
+$2a$10$Ukv6DxN3PpZo4YboQRrIVOwLm63.TplP3REdrq258BBo3lUBnEbrm
+
+# invalid salt length
+statement error pgcode 22023 invalid salt length
+SELECT crypt('password', '$2a$06$')
+
+# invalid salt length
+statement error pgcode 22023 invalid salt length
+SELECT crypt('password', '$2a$06$Ukv6DxN3PpZo4YboQRrIV')
+
+# invalid round syntax
+statement error pgcode 22023 invalid salt rounds
+SELECT crypt('password', '$2a$AA$Ukv6DxN3PpZo4YboQRrIVO')
+
+# invalid min rounds
+statement error pgcode 22023 invalid number of salt rounds
+SELECT crypt('password', '$2a$03$Ukv6DxN3PpZo4YboQRrIVO')
+
+# invalid max rounds
+statement error pgcode 22023 invalid number of salt rounds
+SELECT crypt('password', '$2a$32$Ukv6DxN3PpZo4YboQRrIVO')
+
+# invalid salt formatting
+statement error pgcode 22023 invalid salt format
+SELECT crypt('password', '$2a$06AUkv6DxN3PpZo4YboQRrIVO')
+
+# invalid salt encoding
+statement error pgcode 22023 invalid salt encoding
+SELECT crypt('password', '$2a$06$#kv6DxN3PpZo4YboQRrIVO')
+
+subtest end
diff --git a/pkg/sql/sem/builtins/BUILD.bazel b/pkg/sql/sem/builtins/BUILD.bazel
@@ -114,6 +114,7 @@ go_library(
         "@com_github_lib_pq//oid",
         "@com_github_twpayne_go_geom//:go-geom",
         "@com_github_twpayne_go_geom//encoding/ewkb",
+        "@org_golang_x_crypto//bcrypt",
     ],
 )