feat: support MD5SHA256Password auth (#5)

WeihanLi · web-flow · commit b77322a823cc · 2025-04-26T22:45:06.000+08:00
diff --git a/src/Npgsql/BackendMessages/AuthenticationMessages.cs b/src/Npgsql/BackendMessages/AuthenticationMessages.cs
@@ -81,6 +81,19 @@ internal static AuthenticationRequestMessage Load(NpgsqlReadBuffer buf)
     }
 }
 
+sealed class AuthenticationMD5SHA256PasswordMessage : AuthenticationRequestMessage
+{
+    internal override AuthenticationRequestType AuthRequestType => AuthenticationRequestType.MD5SHA256Password;
+
+    internal ReadOnlyMemory<byte> Salt { get; }
+    internal string RandomCode { get; }
+    public AuthenticationMD5SHA256PasswordMessage(NpgsqlReadBuffer buf)
+    {
+        RandomCode = buf.ReadString(64);
+        Salt = buf.ReadMemory(4);
+    }
+}
+
 #endregion SHA256Password
 
 
@@ -126,7 +139,8 @@ enum AuthenticationRequestType
     GSS = 7,
     GSSContinue = 8,
     SSPI = 9,
-    SHA256Password = 10
+    SHA256Password = 10,
+    MD5SHA256Password = 11
 }
 
 enum PasswordStoreType
diff --git a/src/Npgsql/Internal/NpgsqlConnector.Auth.cs b/src/Npgsql/Internal/NpgsqlConnector.Auth.cs
@@ -51,6 +51,12 @@ async Task Authenticate(string username, NpgsqlTimeout timeout, bool async, Canc
                 await AuthenticateSHA256(username, (AuthenticationSHA256PasswordMessage)msg, async, cancellationToken).ConfigureAwait(false);
                 break;
 
+            case AuthenticationRequestType.MD5SHA256Password:
+                ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.ScramSHA256);
+                await AuthenticateMD5SHA256(username, (AuthenticationMD5SHA256PasswordMessage)msg, async, cancellationToken)
+                    .ConfigureAwait(false);
+                break;
+
             case AuthenticationRequestType.GSS:
             case AuthenticationRequestType.SSPI:
                 ThrowIfNotAllowed(requiredAuthModes, msg.AuthRequestType == AuthenticationRequestType.GSS ? RequireAuthMode.GSS : RequireAuthMode.SSPI);
@@ -237,22 +243,62 @@ async Task AuthenticateSHA256(string username, AuthenticationSHA256PasswordMessa
 
         var result = new byte[hValue.Length  * 2 + 1];
         BytesToHex(hValue, result, 0, hValue.Length);
-        await WriteSHA256Response(result, async, cancellationToken).ConfigureAwait(false);
+        await WritePassword(result, async, cancellationToken).ConfigureAwait(false);
         await Flush(async, cancellationToken).ConfigureAwait(false);
+    }
+
+    async Task AuthenticateMD5SHA256(string username, AuthenticationMD5SHA256PasswordMessage message, bool async, CancellationToken cancellationToken = default)
+    {
+        var password = await GetPassword(username, async, cancellationToken).ConfigureAwait(false);
+        if (string.IsNullOrEmpty(password))
+            throw new NpgsqlException("No password has been provided but the backend requires one (in SHA256)");
+
+        var passwordBytes = NpgsqlWriteBuffer.UTF8Encoding.GetBytes(password);
+
+        // https://github.com/HuaweiCloudDeveloper/gaussdb-r2dbc/blob/54783aa7ba09731300b31d9cf366185d0bf50447/src/main/java/io/r2dbc/gaussdb/util/MD5Digest.java#L227
+        var randomCodeBytes = Convert.FromHexString(message.RandomCode);
+
+        var passwordKeyBytes = Rfc2898DeriveBytes.Pbkdf2(passwordBytes, randomCodeBytes,
+            2048, HashAlgorithmName.SHA1, 32
+        );
+
+        var serverKey = HMACSHA256.HashData(passwordKeyBytes, "Sever Key"u8);
+        var clientKey = HMACSHA256.HashData(passwordKeyBytes, "Client Key"u8);
+        var storedKey = SHA256.HashData(clientKey);
+
+        var stringBuilder = new StringBuilder();
+        stringBuilder.Append(message.RandomCode);
+        stringBuilder.Append(Convert.ToHexString(serverKey).ToLowerInvariant());
+        stringBuilder.Append(Convert.ToHexString(storedKey).ToLowerInvariant());
+        var encryptedString = stringBuilder.ToString();
 
-        static void BytesToHex(byte[] bytes, byte[] hex, int offset, int length)
+        byte[] passDigest;
+        using (var md5 = MD5.Create())
         {
-            var lookup = new[] { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
-            var pos = offset;
-            for (var i = 0; i < length; ++i)
-            {
-                var c = bytes[i] & 255;
-                var j = c >> 4;
-                hex[pos++] = (byte)lookup[j];
-                j = c & 15;
-                hex[pos++] = (byte)lookup[j];
-            }
+            // Convert the string to bytes using UTF-8 encoding
+            var stringBytes = NpgsqlWriteBuffer.UTF8Encoding.GetBytes(encryptedString);
+
+            // Update the hash state with the string bytes
+            // The 'null, 0' arguments are for the output buffer, which isn't needed here
+            md5.TransformBlock(stringBytes, 0, stringBytes.Length, null, 0);
+
+            // Update the hash state with the salt bytes and finalize the hash calculation
+            // This is the final block of data being added.
+            var saltBytes = message.Salt.ToArray();
+            md5.TransformFinalBlock(saltBytes, 0, saltBytes.Length);
+
+            // Retrieve the computed hash digest
+            ArgumentNullException.ThrowIfNull(md5.Hash);
+            passDigest = md5.Hash;
         }
+
+        var result = new byte[MD5.HashSizeInBytes * 2 + 3];
+        result[0] = (byte)'m';
+        result[1] = (byte)'d';
+        result[2] = (byte)'5';
+        BytesToHex(passDigest, result, 3, MD5.HashSizeInBytes);
+        await WritePassword(result, async, cancellationToken).ConfigureAwait(false);
+        await Flush(async, cancellationToken).ConfigureAwait(false);
     }
 
     internal async Task AuthenticateGSS(bool async)
@@ -325,4 +371,18 @@ internal async Task AuthenticateGSS(bool async)
 
         return password;
     }
+
+    static void BytesToHex(byte[] bytes, byte[] hex, int offset, int length)
+    {
+        var lookup = new[] { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+        var pos = offset;
+        for (var i = 0; i < length; ++i)
+        {
+            var c = bytes[i] & 255;
+            var j = c >> 4;
+            hex[pos++] = (byte)lookup[j];
+            j = c & 15;
+            hex[pos++] = (byte)lookup[j];
+        }
+    }
 }
diff --git a/src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs b/src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs
@@ -451,8 +451,6 @@ internal async Task WritePassword(byte[] payload, int offset, int count, bool as
         await WriteBuffer.DirectWrite(new ReadOnlyMemory<byte>(payload, offset, count), async, cancellationToken).ConfigureAwait(false);
     }
 
-    internal Task WriteSHA256Response(byte[] payload, bool async, CancellationToken cancellationToken = default) => WritePassword(payload, async, cancellationToken);
-
     #endregion Authentication
 
     internal Task WritePregenerated(byte[] data, bool async = false, CancellationToken cancellationToken = default)

Original file line number	Diff line number	Diff line change
`@@ -451,8 +451,6 @@ internal async Task WritePassword(byte[] payload, int offset, int count, bool as`
`451`	`451`	`await WriteBuffer.DirectWrite(new ReadOnlyMemory<byte>(payload, offset, count), async, cancellationToken).ConfigureAwait(false);`
`452`	`452`	`}`
`453`	`453`
`454`		`- internal Task WriteSHA256Response(byte[] payload, bool async, CancellationToken cancellationToken = default) => WritePassword(payload, async, cancellationToken);`
`455`		`-`
`456`	`454`	`#endregion Authentication`
`457`	`455`
`458`	`456`	`internal Task WritePregenerated(byte[] data, bool async = false, CancellationToken cancellationToken = default)`