postgrespro
diff --git a/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 3 additions & 16 deletions b/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 3 additions & 16 deletions
diff --git a/‎doc/src/sgml/config.sgml
Lines changed: 1 addition & 2 deletions b/‎doc/src/sgml/config.sgml
Lines changed: 1 addition & 2 deletions
diff --git a/‎doc/src/sgml/protocol.sgml
Lines changed: 5 additions & 142 deletions b/‎doc/src/sgml/protocol.sgml
Lines changed: 5 additions & 142 deletions
diff --git a/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 7 additions & 7 deletions b/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 7 additions & 7 deletions
diff --git a/‎src/backend/commands/user.c
Lines changed: 7 additions & 11 deletions b/‎src/backend/commands/user.c
Lines changed: 7 additions & 11 deletions
diff --git a/‎src/backend/libpq/Makefile
Lines changed: 1 addition & 1 deletion b/‎src/backend/libpq/Makefile
Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,6 @@
 #endif
 
 #include "commands/user.h"
-#include "libpq/scram.h"
 #include "fmgr.h"
 #include "libpq/md5.h"
 
@@ -58,15 +57,14 @@ check_password(const char *username,
 {
 	int			namelen = strlen(username);
 	int			pwdlen = strlen(password);
-	char	   *encrypted;
+	char		encrypted[MD5_PASSWD_LEN + 1];
 	int			i;
 	bool		pwd_has_letter,
 				pwd_has_nonletter;
 
 	switch (password_type)
 	{
 		case PASSWORD_TYPE_MD5:
-		case PASSWORD_TYPE_SCRAM:
 
 			/*
 			 * Unfortunately we cannot perform exhaustive checks on encrypted
@@ -76,23 +74,12 @@ check_password(const char *username,
 			 *
 			 * We only check for username = password.
 			 */
-			if (password_type == PASSWORD_TYPE_MD5)
-			{
-				encrypted = palloc(MD5_PASSWD_LEN + 1);
-				if (pg_md5_encrypt(username, username, namelen, encrypted))
-					elog(ERROR, "password encryption failed");
-			}
-			else if (password_type == PASSWORD_TYPE_SCRAM)
-			{
-				encrypted = scram_build_verifier(username, password, 0);
-			}
-			else
-				Assert(0); /* should not happen */
+			if (!pg_md5_encrypt(username, username, namelen, encrypted))
+				elog(ERROR, "password encryption failed");
 			if (strcmp(password, encrypted) == 0)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("password must not contain user name")));
-			pfree(encrypted);
 			break;
 
 		case PASSWORD_TYPE_PLAINTEXT:
 
@@ -1181,8 +1181,7 @@ include_dir 'conf.d'
        <para>
         A value set to <literal>on</> or <literal>md5</> corresponds to a 
         MD5-encrypted password, <literal>off</> or <literal>plain</>
-        corresponds to an unencrypted password.  Setting this parameter to
-        <literal>scram</> will encrypt the password with SCRAM-SHA-256.
+        corresponds to an unencrypted password.
        </para>
 
        <para>
 
@@ -228,11 +228,11 @@
     The server then sends an appropriate authentication request message,
     to which the frontend must reply with an appropriate authentication
     response message (such as a password).
-    For all authentication methods except GSSAPI, SSPI and SASL, there is at
-    most one request and one response. In some methods, no response
+    For all authentication methods except GSSAPI and SSPI, there is at most
+    one request and one response. In some methods, no response
     at all is needed from the frontend, and so no authentication request
-    occurs. For GSSAPI, SSPI and SASL, multiple exchanges of packets may be
-    needed to complete the authentication.
+    occurs. For GSSAPI and SSPI, multiple exchanges of packets may be needed
+    to complete the authentication.
    </para>
 
    <para>
@@ -366,35 +366,6 @@
       </listitem>
      </varlistentry>
 
-     <varlistentry>
-      <term>AuthenticationSASL</term>
-      <listitem>
-       <para>
-        The frontend must now initiate a SASL negotiation, using the SASL
-        mechanism specified in the message. The frontend will send a
-        PasswordMessage with the first part of the SASL data stream in
-        response to this. If further messages are needed, the server will
-        respond with AuthenticationSASLContinue.
-       </para>
-      </listitem>
-
-     </varlistentry>
-     <varlistentry>
-      <term>AuthenticationSASLContinue</term>
-      <listitem>
-       <para>
-        This message contains the response data from the previous step
-        of SASL negotiation (AuthenticationSASL, or a previous
-        AuthenticationSASLContinue). If the SASL data in this message
-        indicates more data is needed to complete the authentication,
-        the frontend must send that data as another PasswordMessage. If
-        SASL authentication is completed by this message, the server
-        will next send AuthenticationOk to indicate successful authentication
-        or ErrorResponse to indicate failure.
-       </para>
-      </listitem>
-     </varlistentry>
-
     </variablelist>
    </para>
 
@@ -2607,114 +2578,6 @@ AuthenticationGSSContinue (B)
 </listitem>
 </varlistentry>
 
-<varlistentry>
-<term>
-AuthenticationSASL (B)
-</term>
-<listitem>
-<para>
-
-<variablelist>
-<varlistentry>
-<term>
-        Byte1('R')
-</term>
-<listitem>
-<para>
-                Identifies the message as an authentication request.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32
-</term>
-<listitem>
-<para>
-                Length of message contents in bytes, including self.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32(10)
-</term>
-<listitem>
-<para>
-                Specifies that SASL authentication is started.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        String
-</term>
-<listitem>
-<para>
-                Name of a SASL authentication mechanism.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term>
-AuthenticationSASLContinue (B)
-</term>
-<listitem>
-<para>
-
-<variablelist>
-<varlistentry>
-<term>
-        Byte1('R')
-</term>
-<listitem>
-<para>
-                Identifies the message as an authentication request.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32
-</term>
-<listitem>
-<para>
-                Length of message contents in bytes, including self.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32(11)
-</term>
-<listitem>
-<para>
-                Specifies that this message contains SASL-mechanism specific
-                data.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Byte<replaceable>n</replaceable>
-</term>
-<listitem>
-<para>
-                SASL data, specific to the SASL mechanism being used.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-
-</para>
-</listitem>
-</varlistentry>
 
 <varlistentry>
 <term>
@@ -4477,7 +4340,7 @@ PasswordMessage (F)
 <listitem>
 <para>
                 Identifies the message as a password response. Note that
-                this is also used for GSSAPI, SSPI and SASL response messages
+                this is also used for GSSAPI and SSPI response messages
                 (which is really a design error, since the contained data
                 is not a null-terminated string in that case, but can be
                 arbitrary binary data).
 
@@ -228,16 +228,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         encrypted in the system catalogs.  (If neither is specified,
         the default behavior is determined by the configuration
         parameter <xref linkend="guc-password-encryption">.)  If the
-        presented password string is already in MD5-encrypted or
-        SCRAM-encrypted format, then it is stored encrypted as-is,
-        regardless of whether <literal>ENCRYPTED</> or <literal>UNENCRYPTED</>
-        is specified (since the system cannot decrypt the specified encrypted
-        password string).  This allows reloading of encrypted passwords
-        during dump/restore.
+        presented password string is already in MD5-encrypted format,
+        then it is stored encrypted as-is, regardless of whether
+        <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified
+        (since the system cannot decrypt the specified encrypted
+        password string).  This allows reloading of encrypted
+        passwords during dump/restore.
        </para>
 
        <para>
-        Note that older clients might lack support for the MD5 or SCRAM
+        Note that older clients might lack support for the MD5
         authentication mechanism that is needed to work with passwords
         that are stored encrypted.
        </para>
 
@@ -30,7 +30,6 @@
 #include "commands/seclabel.h"
 #include "commands/user.h"
 #include "libpq/md5.h"
-#include "libpq/scram.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -70,9 +69,9 @@ have_createrole_privilege(void)
 /*
  * Encrypt a password if necessary for insertion in pg_authid.
  *
- * If a password is found as already MD5-encrypted or SCRAM-encrypted, no
- * error is raised to ease the dump and reload of such data. Returns a
- * palloc'ed string holding the encrypted password.
+ * If a password is found as already MD5-encrypted, no error is raised
+ * to ease the dump and reload of such data. Returns a palloc'ed string
+ * holding the encrypted password.
  */
 static char *
 encrypt_password(char *password, char *rolname, int passwd_type)
@@ -82,11 +81,11 @@ encrypt_password(char *password, char *rolname, int passwd_type)
 	Assert(password != NULL);
 
 	/*
-	 * A password already identified as a SCRAM-encrypted or MD5-encrypted
-	 * those are used as such.  If the password given is not encrypted,
-	 * adapt it depending on the type wanted by the caller of this routine.
+	 * If a password is already identified as MD5-encrypted, it is used
+	 * as such.  If the password given is not encrypted, adapt it depending
+	 * on the type wanted by the caller of this routine.
 	 */
-	if (isMD5(password) || is_scram_verifier(password))
+	if (isMD5(password))
 		res = pstrdup(password);
 	else
 	{
@@ -102,9 +101,6 @@ encrypt_password(char *password, char *rolname, int passwd_type)
 									res))
 					elog(ERROR, "password encryption failed");
 				break;
-			case PASSWORD_TYPE_SCRAM:
-				res = scram_build_verifier(rolname, password, 0);
-				break;
 			default:
 				Assert(0);	/* should not come here */
 		}
 
@@ -15,7 +15,7 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = be-fsstubs.o be-secure.o auth.o crypt.o hba.o ip.o md5.o pqcomm.o \
-       pqformat.o pqmq.o pqsignal.o auth-scram.o
+       pqformat.o pqmq.o pqsignal.o
 
 ifeq ($(with_openssl),yes)
 OBJS += be-secure-openssl.o