postgrespro
diff --git a/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 4 additions & 17 deletions b/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 4 additions & 17 deletions
diff --git a/‎doc/src/sgml/config.sgml
Lines changed: 3 additions & 5 deletions b/‎doc/src/sgml/config.sgml
Lines changed: 3 additions & 5 deletions
diff --git a/‎doc/src/sgml/protocol.sgml
Lines changed: 5 additions & 142 deletions b/‎doc/src/sgml/protocol.sgml
Lines changed: 5 additions & 142 deletions
diff --git a/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 11 additions & 12 deletions b/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 11 additions & 12 deletions
@@ -21,9 +21,8 @@
 #endif
 
 #include "commands/user.h"
-#include "libpq/md5.h"
-#include "libpq/scram.h"
 #include "fmgr.h"
+#include "libpq/md5.h"
 
 PG_MODULE_MAGIC;
 
@@ -58,15 +57,14 @@ check_password(const char *username,
 {
 	int			namelen = strlen(username);
 	int			pwdlen = strlen(password);
-	char	   *encrypted;
+	char		encrypted[MD5_PASSWD_LEN + 1];
 	int			i;
 	bool		pwd_has_letter,
 				pwd_has_nonletter;
 
 	switch (password_type)
 	{
 		case PASSWORD_TYPE_MD5:
-		case PASSWORD_TYPE_SCRAM:
 
 			/*
 			 * Unfortunately we cannot perform exhaustive checks on encrypted
@@ -76,23 +74,12 @@ check_password(const char *username,
 			 *
 			 * We only check for username = password.
 			 */
-			if (password_type == PASSWORD_TYPE_MD5)
-			{
-				encrypted = palloc(MD5_PASSWD_LEN + 1);
-				if (pg_md5_encrypt(username, username, namelen, encrypted))
-					elog(ERROR, "password encryption failed");
-			}
-			else if (password_type == PASSWORD_TYPE_SCRAM)
-			{
-				encrypted = scram_build_verifier(username, password, 0);
-			}
-			else
-				Assert(0); /* should not happen */
+			if (!pg_md5_encrypt(username, username, namelen, encrypted))
+				elog(ERROR, "password encryption failed");
 			if (strcmp(password, encrypted) == 0)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("password must not contain user name")));
-			pfree(encrypted);
 			break;
 
 		case PASSWORD_TYPE_PLAINTEXT:
 
@@ -1179,10 +1179,8 @@ include_dir 'conf.d'
         password is to be encrypted. The default value is <literal>md5</>, which
         stores the password as an MD5 hash. Setting this to <literal>plain</> stores
         it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
-        aliases for <literal>md5</> and <literal>plain</>, respectively.  Setting
-        this parameter to <literal>scram</> will encrypt the password with
-        SCRAM-SHA-256.
-       </para>       
+        aliases for <literal>md5</> and <literal>plain</>, respectively.
+       </para>
 
       </listitem>
      </varlistentry>
@@ -1256,7 +1254,7 @@ include_dir 'conf.d'
         Authentication checks are always done with the server's user name
         so authentication methods must be configured for the
         server's user name, not the client's.  Because
-        <literal>md5</>uses the user name as salt on both the
+        <literal>md5</> uses the user name as salt on both the
         client and server, and <literal>scram</> uses the user name as
         a portion of the salt used on both the client and server,
         <literal>md5</> and <literal>scram</> cannot be used with
 
@@ -228,11 +228,11 @@
     The server then sends an appropriate authentication request message,
     to which the frontend must reply with an appropriate authentication
     response message (such as a password).
-    For all authentication methods except GSSAPI, SSPI and SASL, there is at
-    most one request and one response. In some methods, no response
+    For all authentication methods except GSSAPI and SSPI, there is at most
+    one request and one response. In some methods, no response
     at all is needed from the frontend, and so no authentication request
-    occurs. For GSSAPI, SSPI and SASL, multiple exchanges of packets may be
-    needed to complete the authentication.
+    occurs. For GSSAPI and SSPI, multiple exchanges of packets may be needed
+    to complete the authentication.
    </para>
 
    <para>
@@ -366,35 +366,6 @@
       </listitem>
      </varlistentry>
 
-     <varlistentry>
-      <term>AuthenticationSASL</term>
-      <listitem>
-       <para>
-        The frontend must now initiate a SASL negotiation, using the SASL
-        mechanism specified in the message. The frontend will send a
-        PasswordMessage with the first part of the SASL data stream in
-        response to this. If further messages are needed, the server will
-        respond with AuthenticationSASLContinue.
-       </para>
-      </listitem>
-
-     </varlistentry>
-     <varlistentry>
-      <term>AuthenticationSASLContinue</term>
-      <listitem>
-       <para>
-        This message contains the response data from the previous step
-        of SASL negotiation (AuthenticationSASL, or a previous
-        AuthenticationSASLContinue). If the SASL data in this message
-        indicates more data is needed to complete the authentication,
-        the frontend must send that data as another PasswordMessage. If
-        SASL authentication is completed by this message, the server
-        will next send AuthenticationOk to indicate successful authentication
-        or ErrorResponse to indicate failure.
-       </para>
-      </listitem>
-     </varlistentry>
-
     </variablelist>
    </para>
 
@@ -2607,114 +2578,6 @@ AuthenticationGSSContinue (B)
 </listitem>
 </varlistentry>
 
-<varlistentry>
-<term>
-AuthenticationSASL (B)
-</term>
-<listitem>
-<para>
-
-<variablelist>
-<varlistentry>
-<term>
-        Byte1('R')
-</term>
-<listitem>
-<para>
-                Identifies the message as an authentication request.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32
-</term>
-<listitem>
-<para>
-                Length of message contents in bytes, including self.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32(10)
-</term>
-<listitem>
-<para>
-                Specifies that SASL authentication is started.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        String
-</term>
-<listitem>
-<para>
-                Name of a SASL authentication mechanism.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term>
-AuthenticationSASLContinue (B)
-</term>
-<listitem>
-<para>
-
-<variablelist>
-<varlistentry>
-<term>
-        Byte1('R')
-</term>
-<listitem>
-<para>
-                Identifies the message as an authentication request.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32
-</term>
-<listitem>
-<para>
-                Length of message contents in bytes, including self.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Int32(11)
-</term>
-<listitem>
-<para>
-                Specifies that this message contains SASL-mechanism specific
-                data.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
-        Byte<replaceable>n</replaceable>
-</term>
-<listitem>
-<para>
-                SASL data, specific to the SASL mechanism being used.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-
-</para>
-</listitem>
-</varlistentry>
 
 <varlistentry>
 <term>
@@ -4477,7 +4340,7 @@ PasswordMessage (F)
 <listitem>
 <para>
                 Identifies the message as a password response. Note that
-                this is also used for GSSAPI, SSPI and SASL response messages
+                this is also used for GSSAPI and SSPI response messages
                 (which is really a design error, since the contained data
                 is not a null-terminated string in that case, but can be
                 arbitrary binary data).
 
@@ -229,16 +229,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         encrypted in the system catalogs.  (If neither is specified,
         the default behavior is determined by the configuration
         parameter <xref linkend="guc-password-encryption">.)  If the
-        presented password string is already in MD5-encrypted or
-        SCRAM-encrypted format, then it is stored encrypted as-is,
-        regardless of whether <literal>ENCRYPTED</> or <literal>UNENCRYPTED</>
-        is specified (since the system cannot decrypt the specified encrypted
-        password string).  This allows reloading of encrypted passwords
-        during dump/restore.
+        presented password string is already in MD5-encrypted format,
+        then it is stored encrypted as-is, regardless of whether
+        <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified
+        (since the system cannot decrypt the specified encrypted
+        password string).  This allows reloading of encrypted
+        passwords during dump/restore.
        </para>
 
        <para>
-        Note that older clients might lack support for the MD5 or SCRAM
+        Note that older clients might lack support for the MD5
         authentication mechanism that is needed to work with passwords
         that are stored encrypted.
        </para>
@@ -254,11 +254,10 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         attribute, but you can nonetheless define one for roles without it.)
         If you do not plan to use password authentication you can omit this
         option. The protocols supported are <literal>md5</> to enforce
-        a password to be MD5-encrypted, <literal>scram</> to enforce a password
-        to be encrypted with SCRAM-SHA-256, and <literal>plain</> to use
-        an unencrypted password.  If the password string is already in
-        MD5-encrypted or SCRAM-SHA-256 format, then it is stored encrypted
-        even if another protocol is specified.
+        a password to be MD5-encrypted, and <literal>plain</> to use an
+        unencrypted password.  If the password string is already in
+        MD5-encrypted format, then it is stored encrypted even if
+        <literal>plain</> is specified.
        </para>
       </listitem>
      </varlistentry>