postgrespro
diff --git a/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 16 additions & 3 deletions b/‎contrib/passwordcheck/passwordcheck.c
Lines changed: 16 additions & 3 deletions
diff --git a/‎doc/src/sgml/config.sgml
Lines changed: 6 additions & 3 deletions b/‎doc/src/sgml/config.sgml
Lines changed: 6 additions & 3 deletions
diff --git a/‎doc/src/sgml/protocol.sgml
Lines changed: 142 additions & 5 deletions b/‎doc/src/sgml/protocol.sgml
Lines changed: 142 additions & 5 deletions
diff --git a/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 7 additions & 7 deletions b/‎doc/src/sgml/ref/create_role.sgml
Lines changed: 7 additions & 7 deletions
diff --git a/‎src/backend/commands/user.c
Lines changed: 11 additions & 7 deletions b/‎src/backend/commands/user.c
Lines changed: 11 additions & 7 deletions
diff --git a/‎src/backend/libpq/Makefile
Lines changed: 1 addition & 1 deletion b/‎src/backend/libpq/Makefile
Lines changed: 1 addition & 1 deletion
@@ -21,6 +21,7 @@
 #endif
 
 #include "commands/user.h"
+#include "libpq/scram.h"
 #include "fmgr.h"
 #include "libpq/md5.h"
 
@@ -57,14 +58,15 @@ check_password(const char *username,
 {
 	int			namelen = strlen(username);
 	int			pwdlen = strlen(password);
-	char		encrypted[MD5_PASSWD_LEN + 1];
+	char	   *encrypted;
 	int			i;
 	bool		pwd_has_letter,
 				pwd_has_nonletter;
 
 	switch (password_type)
 	{
 		case PASSWORD_TYPE_MD5:
+		case PASSWORD_TYPE_SCRAM:
 
 			/*
 			 * Unfortunately we cannot perform exhaustive checks on encrypted
@@ -74,12 +76,23 @@ check_password(const char *username,
 			 *
 			 * We only check for username = password.
 			 */
-			if (!pg_md5_encrypt(username, username, namelen, encrypted))
-				elog(ERROR, "password encryption failed");
+			if (password_type == PASSWORD_TYPE_MD5)
+			{
+				encrypted = palloc(MD5_PASSWD_LEN + 1);
+				if (pg_md5_encrypt(username, username, namelen, encrypted))
+					elog(ERROR, "password encryption failed");
+			}
+			else if (password_type == PASSWORD_TYPE_SCRAM)
+			{
+				encrypted = scram_build_verifier(username, password, 0);
+			}
+			else
+				Assert(0); /* should not happen */
 			if (strcmp(password, encrypted) == 0)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("password must not contain user name")));
+			pfree(encrypted);
 			break;
 
 		case PASSWORD_TYPE_PLAINTEXT:
 
@@ -1181,7 +1181,8 @@ include_dir 'conf.d'
        <para>
         A value set to <literal>on</> or <literal>md5</> corresponds to a 
         MD5-encrypted password, <literal>off</> or <literal>plain</>
-        corresponds to an unencrypted password.
+        corresponds to an unencrypted password.  Setting this parameter to
+        <literal>scram</> will encrypt the password with SCRAM-SHA-256.
        </para>
 
        <para>
@@ -1259,8 +1260,10 @@ include_dir 'conf.d'
         Authentication checks are always done with the server's user name
         so authentication methods must be configured for the
         server's user name, not the client's.  Because
-        <literal>md5</> uses the user name as salt on both the
-        client and server, <literal>md5</> cannot be used with
+        <literal>md5</>uses the user name as salt on both the
+        client and server, and <literal>scram</> uses the user name as
+        a portion of the salt used on both the client and server,
+        <literal>md5</> and <literal>scram</> cannot be used with
         <varname>db_user_namespace</>.
        </para>
 
 
@@ -228,11 +228,11 @@
     The server then sends an appropriate authentication request message,
     to which the frontend must reply with an appropriate authentication
     response message (such as a password).
-    For all authentication methods except GSSAPI and SSPI, there is at most
-    one request and one response. In some methods, no response
+    For all authentication methods except GSSAPI, SSPI and SASL, there is at
+    most one request and one response. In some methods, no response
     at all is needed from the frontend, and so no authentication request
-    occurs. For GSSAPI and SSPI, multiple exchanges of packets may be needed
-    to complete the authentication.
+    occurs. For GSSAPI, SSPI and SASL, multiple exchanges of packets may be
+    needed to complete the authentication.
    </para>
 
    <para>
@@ -366,6 +366,35 @@
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term>AuthenticationSASL</term>
+      <listitem>
+       <para>
+        The frontend must now initiate a SASL negotiation, using the SASL
+        mechanism specified in the message. The frontend will send a
+        PasswordMessage with the first part of the SASL data stream in
+        response to this. If further messages are needed, the server will
+        respond with AuthenticationSASLContinue.
+       </para>
+      </listitem>
+
+     </varlistentry>
+     <varlistentry>
+      <term>AuthenticationSASLContinue</term>
+      <listitem>
+       <para>
+        This message contains the response data from the previous step
+        of SASL negotiation (AuthenticationSASL, or a previous
+        AuthenticationSASLContinue). If the SASL data in this message
+        indicates more data is needed to complete the authentication,
+        the frontend must send that data as another PasswordMessage. If
+        SASL authentication is completed by this message, the server
+        will next send AuthenticationOk to indicate successful authentication
+        or ErrorResponse to indicate failure.
+       </para>
+      </listitem>
+     </varlistentry>
+
     </variablelist>
    </para>
 
@@ -2578,6 +2607,114 @@ AuthenticationGSSContinue (B)
 </listitem>
 </varlistentry>
 
+<varlistentry>
+<term>
+AuthenticationSASL (B)
+</term>
+<listitem>
+<para>
+
+<variablelist>
+<varlistentry>
+<term>
+        Byte1('R')
+</term>
+<listitem>
+<para>
+                Identifies the message as an authentication request.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                Length of message contents in bytes, including self.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32(10)
+</term>
+<listitem>
+<para>
+                Specifies that SASL authentication is started.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        String
+</term>
+<listitem>
+<para>
+                Name of a SASL authentication mechanism.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>
+AuthenticationSASLContinue (B)
+</term>
+<listitem>
+<para>
+
+<variablelist>
+<varlistentry>
+<term>
+        Byte1('R')
+</term>
+<listitem>
+<para>
+                Identifies the message as an authentication request.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32
+</term>
+<listitem>
+<para>
+                Length of message contents in bytes, including self.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Int32(11)
+</term>
+<listitem>
+<para>
+                Specifies that this message contains SASL-mechanism specific
+                data.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>
+        Byte<replaceable>n</replaceable>
+</term>
+<listitem>
+<para>
+                SASL data, specific to the SASL mechanism being used.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
+</para>
+</listitem>
+</varlistentry>
 
 <varlistentry>
 <term>
@@ -4340,7 +4477,7 @@ PasswordMessage (F)
 <listitem>
 <para>
                 Identifies the message as a password response. Note that
-                this is also used for GSSAPI and SSPI response messages
+                this is also used for GSSAPI, SSPI and SASL response messages
                 (which is really a design error, since the contained data
                 is not a null-terminated string in that case, but can be
                 arbitrary binary data).
 
@@ -228,16 +228,16 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
         encrypted in the system catalogs.  (If neither is specified,
         the default behavior is determined by the configuration
         parameter <xref linkend="guc-password-encryption">.)  If the
-        presented password string is already in MD5-encrypted format,
-        then it is stored encrypted as-is, regardless of whether
-        <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified
-        (since the system cannot decrypt the specified encrypted
-        password string).  This allows reloading of encrypted
-        passwords during dump/restore.
+        presented password string is already in MD5-encrypted or
+        SCRAM-encrypted format, then it is stored encrypted as-is,
+        regardless of whether <literal>ENCRYPTED</> or <literal>UNENCRYPTED</>
+        is specified (since the system cannot decrypt the specified encrypted
+        password string).  This allows reloading of encrypted passwords
+        during dump/restore.
        </para>
 
        <para>
-        Note that older clients might lack support for the MD5
+        Note that older clients might lack support for the MD5 or SCRAM
         authentication mechanism that is needed to work with passwords
         that are stored encrypted.
        </para>
 
@@ -30,6 +30,7 @@
 #include "commands/seclabel.h"
 #include "commands/user.h"
 #include "libpq/md5.h"
+#include "libpq/scram.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -69,9 +70,9 @@ have_createrole_privilege(void)
 /*
  * Encrypt a password if necessary for insertion in pg_authid.
  *
- * If a password is found as already MD5-encrypted, no error is raised
- * to ease the dump and reload of such data. Returns a palloc'ed string
- * holding the encrypted password.
+ * If a password is found as already MD5-encrypted or SCRAM-encrypted, no
+ * error is raised to ease the dump and reload of such data. Returns a
+ * palloc'ed string holding the encrypted password.
  */
 static char *
 encrypt_password(char *password, char *rolname, int passwd_type)
@@ -81,11 +82,11 @@ encrypt_password(char *password, char *rolname, int passwd_type)
 	Assert(password != NULL);
 
 	/*
-	 * If a password is already identified as MD5-encrypted, it is used
-	 * as such.  If the password given is not encrypted, adapt it depending
-	 * on the type wanted by the caller of this routine.
+	 * A password already identified as a SCRAM-encrypted or MD5-encrypted
+	 * those are used as such.  If the password given is not encrypted,
+	 * adapt it depending on the type wanted by the caller of this routine.
 	 */
-	if (isMD5(password))
+	if (isMD5(password) || is_scram_verifier(password))
 		res = pstrdup(password);
 	else
 	{
@@ -101,6 +102,9 @@ encrypt_password(char *password, char *rolname, int passwd_type)
 									res))
 					elog(ERROR, "password encryption failed");
 				break;
+			case PASSWORD_TYPE_SCRAM:
+				res = scram_build_verifier(rolname, password, 0);
+				break;
 			default:
 				Assert(0);	/* should not come here */
 		}
 
@@ -15,7 +15,7 @@ include $(top_builddir)/src/Makefile.global
 # be-fsstubs is here for historical reasons, probably belongs elsewhere
 
 OBJS = be-fsstubs.o be-secure.o auth.o crypt.o hba.o ip.o md5.o pqcomm.o \
-       pqformat.o pqmq.o pqsignal.o
+       pqformat.o pqmq.o pqsignal.o auth-scram.o
 
 ifeq ($(with_openssl),yes)
 OBJS += be-secure-openssl.o