From ad30d366424aee9736f7a71be87e6941d7dd12df Mon Sep 17 00:00:00 2001 From: Bruce Momjian Date: Thu, 13 Oct 2011 20:48:50 -0400 Subject: [PATCH] Document actual string that has to be returned by the client for MD5 authentication. Report and pseudo code by Cyan Ogilvie --- doc/src/sgml/protocol.sgml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 19c9686fff..4fda518970 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -293,10 +293,15 @@ The frontend must now send a PasswordMessage containing the - password encrypted via MD5, using the 4-character salt - specified in the AuthenticationMD5Password message. If - this is the correct password, the server responds with an - AuthenticationOk, otherwise it responds with an ErrorResponse. + password (with username) encrypted via MD5, then encrypted + again using the 4-byte random salt specified in the + AuthenticationMD5Password message. If this is the correct + password, the server responds with an AuthenticationOk, + otherwise it responds with an ErrorResponse. The actual + PasswordMessage can be computed in SQL as concat('md5', + md5(concat(md5(concat(password, username)), random-salt))). + (Keep in mind the md5() function returns its + result as a hex string.)
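Review bot: the replacement text in this hunk says the password is "encrypted via MD5, then encrypted again"; MD5 is a hash function, not a cipher, so "hashed via MD5, then hashed again" describes what the client actually does and avoids suggesting the value can be decrypted. Also, the expression concat('md5', md5(concat(md5(concat(password, username)), random-salt))) is pseudo-SQL rather than something a reader can paste: random-salt is not an identifier, and the salt is 4 raw bytes, which concat() will only accept as text if they happen to be valid in the client encoding. Consider marking the expression as pseudocode (or writing the salt as a bytea operand) so nobody treats the literal SQL as the reference implementation, and keep the parenthetical about md5() returning a hex string, since the outer hash must run over the 32-character hex text of the inner hash, not its raw bytes.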