postgrespro
diff --git a/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 16 additions & 3 deletions b/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 16 additions & 3 deletions
diff --git a/‎doc/src/sgml/client-auth.sgml
Lines changed: 11 additions & 4 deletions b/‎doc/src/sgml/client-auth.sgml
Lines changed: 11 additions & 4 deletions
diff --git a/‎doc/src/sgml/config.sgml
Lines changed: 4 additions & 3 deletions b/‎doc/src/sgml/config.sgml
Lines changed: 4 additions & 3 deletions
diff --git a/‎doc/src/sgml/protocol.sgml
Lines changed: 142 additions & 5 deletions b/‎doc/src/sgml/protocol.sgml
Lines changed: 142 additions & 5 deletions
diff --git a/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 12 additions & 11 deletions b/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 12 additions & 11 deletions
@@ -21,6 +21,7 @@
 #endif
 
 #include "commands/user.h"
+#include "libpq/scram.h"
 #include "fmgr.h"
 #include "libpq/md5.h"
 
@@ -57,14 +58,15 @@ check_password(const char *username,
 {
 	int			namelen = strlen(username);
 	int			pwdlen = strlen(password);
-	char		encrypted[MD5_PASSWD_LEN + 1];
+	char	   *encrypted;
 	int			i;
 	bool		pwd_has_letter,
 				pwd_has_nonletter;
 
 	switch (password_type)
 	{
 		case PASSWORD_TYPE_MD5:
+		case PASSWORD_TYPE_SCRAM:
 
 			/*
 			 * Unfortunately we cannot perform exhaustive checks on encrypted
@@ -74,12 +76,23 @@ check_password(const char *username,
 			 *
 			 * We only check for username = password.
 			 */
-			if (!pg_md5_encrypt(username, username, namelen, encrypted))
-				elog(ERROR, "password encryption failed");
+			if (password_type == PASSWORD_TYPE_MD5)
+			{
+				encrypted = palloc(MD5_PASSWD_LEN + 1);
+				if (pg_md5_encrypt(username, username, namelen, encrypted))
+					elog(ERROR, "password encryption failed");
+			}
+			else if (password_type == PASSWORD_TYPE_SCRAM)
+			{
+				encrypted = scram_build_verifier(username, password, 0);
+			}
+			else
+				Assert(0); /* should not happen */
 			if (strcmp(password, encrypted) == 0)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("password must not contain user name")));
+			pfree(encrypted);
 			break;
 
 		case PASSWORD_TYPE_PLAINTEXT:
 
@@ -661,17 +661,24 @@ host    all             all             localhost               trust
 host    postgres        all             192.168.93.0/24         ident
 
 # Allow any user from host 192.168.12.10 to connect to database
-# "postgres" if the user's password is correctly supplied.
+# "postgres" if the user's password is correctly supplied and is
+# using the correct password method.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    postgres        all             192.168.12.10/32        md5
+host    postgres        all             192.168.12.10/32        scram
 
 # Allow any user from hosts in the example.com domain to connect to
-# any database if the user's password is correctly supplied.
+# any database if the user's password is correctly supplied and is using
+# a MD5-encrypted password.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    all             all             .example.com            md5
 
+# Same as previous entry, except that the supplied password must be
+# encrypted with SCRAM-SHA-256.
+host    all             all             .example.com            scram
+
 # In the absence of preceding "host" lines, these two lines will
 # reject all connections from 192.168.54.1 (since that entry will be
 # matched first), but allow GSSAPI connections from anywhere else
@@ -899,9 +906,9 @@ omicron         bryanh                  guest1
 
    <para>
     The password-based authentication methods are <literal>md5</>
-    and <literal>password</>. These methods operate
+    <literal>scram</> and <literal>password</>. These methods operate
     similarly except for the way that the password is sent across the
-    connection, namely MD5-hashed and clear-text respectively.
+    connection, namely MD5-hashed, SCRAM-SHA-256 and clear-text respectively.
    </para>
 
    <para>
 
@@ -1179,9 +1179,10 @@ include_dir 'conf.d'
         password is to be encrypted. The default value is <literal>md5</>, which
         stores the password as an MD5 hash. Setting this to <literal>plain</> stores
         it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
-        aliases for <literal>md5</> and <literal>plain</>, respectively.
-       </para>
-       
+        aliases for <literal>md5</> and <literal>plain</>, respectively.  Setting
+        this parameter to <literal>scram</> will encrypt the password with
+        SCRAM-SHA-256.
+       </para>       
       </listitem>
      </varlistentry>
 
 
@@ -228,11 +228,11 @@
     The server then sends an appropriate authentication request message,
     to which the frontend must reply with an appropriate authentication
     response message (such as a password).
-    For all authentication methods except GSSAPI and SSPI, there is at most
-    one request and one response. In some methods, no response
+    For all authentication methods except GSSAPI, SSPI and SASL, there is at
+    most one request and one response. In some methods, no response
     at all is needed from the frontend, and so no authentication request
-    occurs. For GSSAPI and SSPI, multiple exchanges of packets may be needed
-    to complete the authentication.
+    occurs. For GSSAPI, SSPI and SASL, multiple exchanges of packets may be
+    needed to complete the authentication.
    </para>
 
    <para>
@@ -366,6 +366,35 @@
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term>AuthenticationSASL</term>
+      <listitem>
+       <para>
+        The frontend must now initiate a SASL negotiation, using the SASL
+        mechanism specified in the message. The frontend will send a
+        PasswordMessage with the first part of the SASL data stream in
+        response to this. If further messages are needed, the server will
+        respond with AuthenticationSASLContinue.
+       </para>
+      </listitem>
+
+     </varlistentry>
+     <varlistentry>
+      <term>AuthenticationSASLContinue</term>
+      <listitem>
+       <para>
+        This message contains the response data from the previous step
+        of SASL negotiation (AuthenticationSASL, or a previous
+        AuthenticationSASLContinue). If the SASL data in this message
+        indicates more data is needed to complete the authentication,
+        the frontend must send that data as another PasswordMessage. If
+        SASL authentication is completed by this message, the server
+        will next send AuthenticationOk to indicate successful authentication
+        or ErrorResponse to indicate failure.
+       </para>
+      </listitem>
+     </varlistentry>
+
     </variablelist>
    </para>
 
@@ -2578,6 +2607,114 @@ AuthenticationGSSContinue (B)
 </listitem>
 </varlistentry>
 
+<varlistentry>
+<term>
+AuthenticationSASL (B)
+</term>
+<listitem>
+<para>
+
+<variablelist>
+<varlistentry>
+<term>
+        Byte1('R')
+</term>
+<listitem>
+<para>
+                Identifies the message as an authentication request.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                Length of message contents in bytes, including self.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32(10)
+</term>
+<listitem>
+<para>
+                Specifies that SASL authentication is started.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        String
+</term>
+<listitem>
+<para>
+                Name of a SASL authentication mechanism.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>
+AuthenticationSASLContinue (B)
+</term>
+<listitem>
+<para>
+
+<variablelist>
+<varlistentry>
+<term>
+        Byte1('R')
+</term>
+<listitem>
+<para>
+                Identifies the message as an authentication request.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                Length of message contents in bytes, including self.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32(11)
+</term>
+<listitem>
+<para>
+                Specifies that this message contains SASL-mechanism specific
+                data.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Byte<replaceable>n</replaceable>
+</term>
+<listitem>
+<para>
+                SASL data, specific to the SASL mechanism being used.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+</para>
+</listitem>
+</varlistentry>
 
 <varlistentry>
 <term>
@@ -4340,7 +4477,7 @@ PasswordMessage (F)
 <listitem>
 <para>
                 Identifies the message as a password response. Note that
-                this is also used for GSSAPI and SSPI response messages
+                this is also used for GSSAPI, SSPI and SASL response messages
                 (which is really a design error, since the contained data
                 is not a null-terminated string in that case, but can be
                 arbitrary binary data).
 
@@ -229,16 +229,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         encrypted in the system catalogs.  (If neither is specified,
         the default behavior is determined by the configuration
         parameter <xref linkend="guc-password-encryption">.)  If the
-        presented password string is already in MD5-encrypted format,
-        then it is stored encrypted as-is, regardless of whether
-        <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified
-        (since the system cannot decrypt the specified encrypted
-        password string).  This allows reloading of encrypted
-        passwords during dump/restore.
+        presented password string is already in MD5-encrypted or
+        SCRAM-encrypted format, then it is stored encrypted as-is,
+        regardless of whether <literal>ENCRYPTED</> or <literal>UNENCRYPTED</>
+        is specified (since the system cannot decrypt the specified encrypted
+        password string).  This allows reloading of encrypted passwords
+        during dump/restore.
        </para>
 
        <para>
-        Note that older clients might lack support for the MD5
+        Note that older clients might lack support for the MD5 or SCRAM
         authentication mechanism that is needed to work with passwords
         that are stored encrypted.
        </para>
@@ -254,10 +254,11 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         attribute, but you can nonetheless define one for roles without it.)
         If you do not plan to use password authentication you can omit this
         option. The methods supported are <literal>md5</> to enforce
-        a password to be MD5-encrypted, and <literal>plain</> to use an
-        unencrypted password.  If the password string is already in
-        MD5-encrypted format, then it is stored encrypted even if
-        <literal>plain</> is specified.
+        a password to be MD5-encrypted, <literal>scram</> to enforce a password
+        to be encrypted with SCRAM-SHA-256, and <literal>plain</> to use
+        an unencrypted password.  If the password string is already in
+        MD5-encrypted or SCRAM-SHA-256 format, then it is stored encrypted
+        even if another protocol is specified.
        </para>
       </listitem>
      </varlistentry>