scram and \password

From 8849fb8d0ef824377f6af36f33757060162b7fa7 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Thu, 16 Mar 2017 00:25:51 +0900
Subject: [PATCH 4/4] Extend PQencryptPassword with a hashing method

This extra argument can use the following values when hashing the
password:
- scram, for SCRAM-SHA-256 hashing.
- md5, for MD5 hashing.
- plain, for cleartext.
---
 doc/src/sgml/libpq.sgml         |  6 ++++-
 src/bin/psql/command.c          |  2 +-
 src/bin/scripts/createuser.c    |  3 ++-
 src/interfaces/libpq/fe-auth.c  | 49 +++++++++++++++++++++++++++++++----------
 src/interfaces/libpq/libpq-fe.h |  3 ++-
 5 files changed, 47 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..fc1aa4b5e5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5887,7 +5887,8 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char * PQencryptPassword(const char *passwd, const char *user,
+                         const char *method);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
@@ -5901,6 +5902,9 @@ char * PQencryptPassword(const char *passwd, const char *user);
       memory.  The caller can assume the string doesn't contain any
       special characters that would require escaping.  Use
       <function>PQfreemem</> to free the result when done with it.
+      The encryption method of the password can be specified as
+      <literal>md5</> for hashing with MD5, <literal>scram</> for
+      hashing with SCRAM-SHA-256 and <literal>plain</> for cleartext.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 4f4a0aa9bd..c100256dea 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1135,7 +1135,7 @@ exec_command(const char *cmd,
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPassword(pw1, user, "scram");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..42e1dc8650 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -275,7 +275,8 @@ main(int argc, char *argv[])
 			char	   *encrypted_password;
 
 			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+												   newuser,
+												   "scram");
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 5fe7e565a0..c94fb6127f 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
 #include "libpq/scram.h"
 #include "fe-auth.h"
@@ -919,27 +920,51 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are the cleartext password, the SQL name of the user it
+ * is for, and the name of password hashing method:
+ * - "scram", to hash password using SCRAM-SHA-256.
+ * - "md5", to hash password using MD5.
+ * - "plain", to get a cleartext value of password.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string, or NULL if out-of-memory or in
+ * the event of an error.  The client may assume the string doesn't
+ * contain any special characters that would require escaping.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPassword(const char *passwd, const char *user, const char *method)
 {
 	char	   *crypt_pwd;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
-		return NULL;
+	if (strcmp(method, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
+	}
+	else if (strcmp(method, "scram") == 0)
 	{
-		free(crypt_pwd);
-		return NULL;
+		crypt_pwd = malloc(SCRAM_VERIFIER_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
+
+		if (!scram_build_verifier(user, passwd, 0, crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
 	}
+	else if (strcmp(method, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+		return NULL;
 
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c312dd0152 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -596,7 +596,8 @@ extern int	PQenv2encoding(void);
 
 /* === in fe-auth.c === */
 
-extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPassword(const char *passwd, const char *user,
+							   const char *method);
 
 /* === in encnames.c === */
 
-- 
2.12.0

From 6bc12ddad069e8320f5533435695b35030399c86 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Thu, 16 Mar 2017 00:35:40 +0900
Subject: [PATCH 1/4] Use base64-based encoding for stored and server keys in
 SCRAM verifiers

In order to be able to generate a SCRAM verifier even for frontends, let's
simplify the tools used to generate it and switch all the elements of the
verifiers to be base64-encoded using the routines already in place in
src/common/.
---
 doc/src/sgml/catalogs.sgml             |  2 +-
 src/backend/libpq/auth-scram.c         | 30 +++++++++++++++++-------------
 src/test/regress/expected/password.out |  8 ++++----
 src/test/regress/sql/password.sql      |  8 ++++----
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 2c2da2ad8a..737c6f1a48 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1361,7 +1361,7 @@
    identify the password as a SCRAM-SHA-256 verifier. The second field is a
    salt, Base64-encoded, and the third field is the number of iterations used
    to generate the password.  The fourth field and fifth field are the stored
-   key and server key, respectively, in hexadecimal format. A password that
+   key and server key, respectively, in Base64 format. A password that
    does not follow either of those formats is assumed to be unencrypted.
   </para>
  </sect1>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 9f78e57aae..29e2965883 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -327,8 +327,8 @@ scram_build_verifier(const char *username, const char *password,
 					 int iterations)
 {
 	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char		storedkey_hex[SCRAM_KEY_LEN * 2 + 1];
-	char		serverkey_hex[SCRAM_KEY_LEN * 2 + 1];
+	char	   *encoded_storedkey;
+	char	   *encoded_serverkey;
 	char		salt[SCRAM_SALT_LEN];
 	char	   *encoded_salt;
 	int			encoded_len;
@@ -348,20 +348,25 @@ scram_build_verifier(const char *username, const char *password,
 	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
 	encoded_salt[encoded_len] = '\0';
 
-	/* Calculate StoredKey, and encode it in hex */
+	/* Calculate StoredKey, and encode it in base64 */
+	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
 							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
 	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, storedkey_hex);
-	storedkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_storedkey);
+	encoded_storedkey[encoded_len] = '\0';
 
 	/* And same for ServerKey */
+	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
 							SCRAM_SERVER_KEY_NAME, keybuf);
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, serverkey_hex);
-	serverkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_serverkey);
+	encoded_serverkey[encoded_len] = '\0';
 
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations, storedkey_hex, serverkey_hex);
+	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
+					encoded_storedkey, encoded_serverkey);
 }
 
 
@@ -425,17 +430,16 @@ parse_scram_verifier(const char *verifier, char **salt, int *iterations,
 	/* storedkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) stored_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) stored_key);
 
 	/* serverkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) server_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) server_key);
 
 	pfree(v);
 	return true;
diff --git a/src/test/regress/expected/password.out b/src/test/regress/expected/password.out
index c503e43abe..0cdb6141e2 100644
--- a/src/test/regress/expected/password.out
+++ b/src/test/regress/expected/password.out
@@ -23,11 +23,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -59,11 +59,11 @@ ALTER ROLE regress_passwd1 UNENCRYPTED PASSWORD 'foo'; -- unencrypted
 ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab9cdb'; -- encrypted with MD5
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
diff --git a/src/test/regress/sql/password.sql b/src/test/regress/sql/password.sql
index f4b3a9ac3a..df1ff989cc 100644
--- a/src/test/regress/sql/password.sql
+++ b/src/test/regress/sql/password.sql
@@ -24,11 +24,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -48,13 +48,13 @@ ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
 
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
 
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
-- 
2.12.0

From 539f4ea99bd7040045b83d58fe279a5db7dd213d Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Wed, 15 Mar 2017 22:06:12 +0900
Subject: [PATCH 2/4] Refactor frontend-side random number generation

pg_frontend_random() is moved into its own file in src/common/ to
give other portions of the code the ability to generate random numbers.
This will be used for the SCRAM verifier generation from clients.
---
 src/common/Makefile                  |  3 +-
 src/common/frontend_random.c         | 86 ++++++++++++++++++++++++++++++++++++
 src/include/common/frontend_random.h | 17 +++++++
 src/interfaces/libpq/.gitignore      |  1 +
 src/interfaces/libpq/Makefile        |  4 +-
 src/interfaces/libpq/fe-auth-scram.c | 59 +------------------------
 src/tools/msvc/Mkvcbuild.pm          |  2 +-
 7 files changed, 110 insertions(+), 62 deletions(-)
 create mode 100644 src/common/frontend_random.c
 create mode 100644 src/include/common/frontend_random.h

diff --git a/src/common/Makefile b/src/common/Makefile
index 971ddd5ea7..b516ec43f1 100644
--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -50,7 +50,8 @@ else
 OBJS_COMMON += sha2.o
 endif
 
-OBJS_FRONTEND = $(OBJS_COMMON) fe_memutils.o file_utils.o restricted_token.o
+OBJS_FRONTEND = $(OBJS_COMMON) fe_memutils.o file_utils.o frontend_random.c \
+	restricted_token.o
 
 OBJS_SRV = $(OBJS_COMMON:%.o=%_srv.o)
 
diff --git a/src/common/frontend_random.c b/src/common/frontend_random.c
new file mode 100644
index 0000000000..7ecc7d5fdf
--- /dev/null
+++ b/src/common/frontend_random.c
@@ -0,0 +1,86 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.c
+ *	  Frontend random number generation routine.
+ *
+ * pg_frontend_random() function fills a buffer with random bytes. Normally,
+ * it is just a thin wrapper around pg_strong_random(), but when compiled
+ * with --disable-strong-random, there is a built-in implementation.
+ *
+ * The built-in implementation uses the standard erand48 algorithm, with
+ * a seed calculated using the process ID and a timestamp.
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/common/frontend_random.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#ifndef FRONTEND
+#error "This file is not expected to be compiled for backend code"
+#endif
+
+#include "postgres_fe.h"
+#include "common/frontend_random.h"
+
+/* These are needed for getpid(), in the fallback implementation */
+#ifndef HAVE_STRONG_RANDOM
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+/*
+ * Random number generator.
+ */
+bool
+pg_frontend_random(char *dst, int len)
+{
+#ifdef HAVE_STRONG_RANDOM
+	return pg_strong_random(dst, len);
+#else
+	int			i;
+	char	   *end = dst + len;
+
+	static unsigned short seed[3];
+	static int	mypid = 0;
+
+	pglock_thread();
+
+	if (mypid != getpid())
+	{
+		struct timeval now;
+
+		gettimeofday(&now, NULL);
+
+		seed[0] = now.tv_sec ^ getpid();
+		seed[1] = (unsigned short) (now.tv_usec);
+		seed[2] = (unsigned short) (now.tv_usec >> 16);
+	}
+
+	for (i = 0; dst < end; i++)
+	{
+		uint32		r;
+		int			j;
+
+		/*
+		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
+		 * it.
+		 */
+		r = (uint32) pg_jrand48(seed);
+
+		for (j = 0; j < 4 && dst < end; j++)
+		{
+			*(dst++) = (char) (r & 0xFF);
+			r >>= 8;
+		}
+	}
+
+	pgunlock_thread();
+
+	return true;
+#endif
+}
diff --git a/src/include/common/frontend_random.h b/src/include/common/frontend_random.h
new file mode 100644
index 0000000000..600c55ace9
--- /dev/null
+++ b/src/include/common/frontend_random.h
@@ -0,0 +1,17 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.h
+ *		Declarations for frontend random number generation
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ *
+ *	  src/include/common/frontend_random.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef FRONTEND_RANDOM_H
+#define FRONTEND_RANDOM_H
+
+extern bool pg_frontend_random(char *dst, int len);
+
+#endif   /* FRONTEND_RANDOM_H */
diff --git a/src/interfaces/libpq/.gitignore b/src/interfaces/libpq/.gitignore
index 2224ada731..f84bc35706 100644
--- a/src/interfaces/libpq/.gitignore
+++ b/src/interfaces/libpq/.gitignore
@@ -2,6 +2,7 @@
 /base64.c
 /chklocale.c
 /crypt.c
+/frontend_random.c
 /getaddrinfo.c
 /getpeereid.c
 /inet_aton.c
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 792232db49..757a702a37 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -49,7 +49,7 @@ endif
 # src/backend/utils/mb
 OBJS += encnames.o wchar.o
 # src/common
-OBJS += base64.o ip.o md5.o scram-common.o
+OBJS += base64.o frontend_random.o ip.o md5.o scram-common.o
 
 ifeq ($(with_openssl),yes)
 OBJS += fe-secure-openssl.o sha2_openssl.o
@@ -111,7 +111,7 @@ ip.c md5.c: % : $(top_srcdir)/src/common/%
 encnames.c wchar.c: % : $(backend_src)/utils/mb/%
 	rm -f $@ && $(LN_S) $< .
 
-base64.c scram-common.c sha2.c sha2_openssl.c: % : $(top_srcdir)/src/common/%
+base64.c frontend_random.c scram-common.c sha2.c sha2_openssl.c: % : $(top_srcdir)/src/common/%
 	rm -f $@ && $(LN_S) $< .
 
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index a7bb30a141..6390ccf30d 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -15,14 +15,10 @@
 #include "postgres_fe.h"
 
 #include "common/base64.h"
+#include "common/frontend_random.h"
 #include "common/scram-common.h"
 #include "fe-auth.h"
 
-/* These are needed for getpid(), in the fallback implementation */
-#ifndef HAVE_STRONG_RANDOM
-#include <sys/types.h>
-#include <unistd.h>
-#endif
 
 /*
  * Status of exchange messages used for SCRAM authentication via the
@@ -73,7 +69,6 @@ static bool verify_server_proof(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
 					   uint8 *result);
-static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
@@ -586,55 +581,3 @@ verify_server_proof(fe_scram_state *state)
 
 	return true;
 }
-
-/*
- * Random number generator.
- */
-static bool
-pg_frontend_random(char *dst, int len)
-{
-#ifdef HAVE_STRONG_RANDOM
-	return pg_strong_random(dst, len);
-#else
-	int			i;
-	char	   *end = dst + len;
-
-	static unsigned short seed[3];
-	static int	mypid = 0;
-
-	pglock_thread();
-
-	if (mypid != getpid())
-	{
-		struct timeval now;
-
-		gettimeofday(&now, NULL);
-
-		seed[0] = now.tv_sec ^ getpid();
-		seed[1] = (unsigned short) (now.tv_usec);
-		seed[2] = (unsigned short) (now.tv_usec >> 16);
-	}
-
-	for (i = 0; dst < end; i++)
-	{
-		uint32		r;
-		int			j;
-
-		/*
-		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
-		 * it.
-		 */
-		r = (uint32) pg_jrand48(seed);
-
-		for (j = 0; j < 4 && dst < end; j++)
-		{
-			*(dst++) = (char) (r & 0xFF);
-			r >>= 8;
-		}
-	}
-
-	pgunlock_thread();
-
-	return true;
-#endif
-}
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 12f73f344c..615c769483 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -125,7 +125,7 @@ sub mkvcbuild
 
 	our @pgcommonfrontendfiles = (
 		@pgcommonallfiles, qw(fe_memutils.c file_utils.c
-		  restricted_token.c));
+		  frontend_random.c restricted_token.c));
 
 	our @pgcommonbkndfiles = @pgcommonallfiles;
 
-- 
2.12.0

From 8e1a53287a75e0000a4823b6aac569f08dcf1599 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Wed, 15 Mar 2017 23:45:50 +0900
Subject: [PATCH 3/4] Move routine to build SCRAM verifier into src/common/

This is aimed at being used by libpq to allow frontend-side creation
of SCRAM verifiers.
---
 src/backend/libpq/auth-scram.c    | 57 ++----------------------------
 src/backend/libpq/crypt.c         |  7 +++-
 src/common/scram-common.c         | 74 +++++++++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h | 20 +++++++++++
 src/include/libpq/scram.h         |  5 +--
 5 files changed, 103 insertions(+), 60 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 29e2965883..4ed0e968d7 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -171,14 +171,14 @@ pg_be_scram_init(const char *username, const char *shadow_pass, bool doomed)
 	}
 	else if (password_type == PASSWORD_TYPE_PLAINTEXT)
 	{
-		char	   *verifier;
+		char	   *verifier = palloc(SCRAM_VERIFIER_LEN + 1);
 
 		/*
 		 * The password provided is in plain format, in which case a fresh
 		 * SCRAM verifier can be generated and used for the rest of the
 		 * processing.
 		 */
-		verifier = scram_build_verifier(username, shadow_pass, 0);
+		(void) scram_build_verifier(username, shadow_pass, 0, verifier);
 
 		(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
 									state->StoredKey, state->ServerKey);
@@ -316,59 +316,6 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 	return result;
 }
 
-/*
- * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
- *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
- */
-char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
-{
-	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	char		salt[SCRAM_SALT_LEN];
-	char	   *encoded_salt;
-	int			encoded_len;
-
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
-	{
-		ereport(LOG,
-				(errcode(ERRCODE_INTERNAL_ERROR),
-				 errmsg("could not generate random salt")));
-		return NULL;
-	}
-
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
-					encoded_storedkey, encoded_serverkey);
-}
-
 
 /*
  * Check if given verifier can be used for SCRAM authentication.
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 9f0ae15b00..9a448fad11 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -20,6 +20,7 @@
 
 #include "catalog/pg_authid.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/crypt.h"
 #include "libpq/scram.h"
 #include "miscadmin.h"
@@ -168,7 +169,11 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
+					encrypted_password = palloc(SCRAM_VERIFIER_LEN + 1);
+					if (!scram_build_verifier(role, password, 0,
+											  encrypted_password))
+						elog(ERROR, "password encryption failed");
+					return encrypted_password;
 
 				case PASSWORD_TYPE_MD5:
 
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index e44f38f652..00e45a800a 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -24,6 +24,11 @@
 #include <arpa/inet.h>
 
 #include "common/scram-common.h"
+#ifndef FRONTEND
+#include "utils/backend_random.h"
+#else
+#include "common/frontend_random.h"
+#endif
 
 #define HMAC_IPAD 0x36
 #define HMAC_OPAD 0x5C
@@ -184,3 +189,72 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * stored in "verifier" that caller is responsible to allocate a buffer of
+ * size SCRAM_VERIFIER_LEN.  Returns true if the verifier has been generated,
+ * false otherwise.  It is important for this routine to do no memory
+ * allocations.
+ */
+bool
+scram_build_verifier(const char *username, const char *password,
+					 int iterations, char *verifier)
+{
+	uint8		keybuf[SCRAM_KEY_LEN + 1];
+	char		salt[SCRAM_SALT_LEN];
+	char		intbuf[SCRAM_ITERATION_LEN];
+	char	   *p;
+
+	if (iterations <= 0)
+		iterations = SCRAM_ITERATIONS_DEFAULT;
+
+#ifdef FRONTEND
+	if (!pg_frontend_random(salt, SCRAM_SALT_LEN))
+		return false;
+#else
+	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+	{
+		ereport(LOG,
+				(errcode(ERRCODE_INTERNAL_ERROR),
+				 errmsg("could not generate random salt")));
+		return false;
+	}
+#endif
+
+	/* Fill in the data of the verifier */
+	p = verifier;
+	memcpy(p, SCRAM_VERIFIER_PREFIX, strlen(SCRAM_VERIFIER_PREFIX));
+	p += strlen(SCRAM_VERIFIER_PREFIX);
+	*p++ = ':';
+
+	/* salt */
+	(void) pg_b64_encode(salt, SCRAM_SALT_LEN, p);
+	p += pg_b64_enc_len(SCRAM_SALT_LEN);
+	*p++ = ':';
+
+	/* iterations */
+	sprintf(intbuf, "%d", iterations);
+	memcpy(p, intbuf, strlen(intbuf));
+	p += strlen(intbuf);
+	*p++ = ':';
+
+	/* Calculate StoredKey, and encode it in base64 */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
+							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
+	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = ':';
+
+	/* And same for ServerKey */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
+							SCRAM_SERVER_KEY_NAME, keybuf);
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = '\0';
+
+	return true;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 7c98cc74d6..3fdfca44d6 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -13,6 +13,7 @@
 #ifndef SCRAM_COMMON_H
 #define SCRAM_COMMON_H
 
+#include "common/base64.h"
 #include "common/sha2.h"
 
 /* Length of SCRAM keys (client and server) */
@@ -41,6 +42,23 @@
 #define SCRAM_SERVER_KEY_NAME "Server Key"
 #define SCRAM_CLIENT_KEY_NAME "Client Key"
 
+#define SCRAM_VERIFIER_PREFIX "scram-sha-256"
+
+/*
+ * Length of a SCRAM verifier, which is made of the following five fields
+ * separated by a colon:
+ * - prefix "scram-sha-256", made of 13 characters.
+ * - 4 colon separators.
+ * - 32-bit number of interations, up to 10 characters.
+ * - base64-encoded salt of length SCRAM_SALT_LEN
+ * - base64-encoded stored key of length SCRAM_KEY_LEN
+ * - base64-encoded server key of length SCRAM_KEY_LEN
+ */
+#define SCRAM_VERIFIER_LEN (strlen("scram-sha-256") + 4 + \
+							SCRAM_ITERATION_LEN + \
+							pg_b64_enc_len(SCRAM_SALT_LEN) + \
+							pg_b64_enc_len(SCRAM_KEY_LEN) * 2)
+
 /*
  * Context data for HMAC used in SCRAM authentication.
  */
@@ -58,5 +76,7 @@ extern void scram_H(const uint8 *str, int len, uint8 *result);
 extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
+extern bool scram_build_verifier(const char *username, const char *password,
+								 int iterations, char *verifier);
 
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 78a52db684..3aaa9ef18a 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -26,10 +26,7 @@ extern void *pg_be_scram_init(const char *username, const char *shadow_pass, boo
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-/* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+/* Routines to check SCRAM-SHA-256 verifier */
 extern bool is_scram_verifier(const char *verifier);
 
 #endif   /* PG_SCRAM_H */
-- 
2.12.0

From 4a6856c1becca8905a5255661b6b64b1aed64ec8 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Thu, 16 Mar 2017 15:45:16 +0200
Subject: [PATCH 1/1] Allow SCRAM authentication, when pg_hba.conf says 'md5'.

If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. In the
worst case, the client doesn't support SCRAM, and the authentication will
fail. But previously, it would fail for sure, because we would not even
try. SCRAM is strictly more secure than MD5, so there's no harm in trying
it. This allows for a more graceful transition from MD5 passwords to SCRAM,
as user passwords can be switched to SCRAM incrementally, without changing
pg_hba.conf.

Refactor the code in auth.c to support that better. Notably, we now have
to look up the user's pg_authid entry before sending the password
challenge, also when performing MD5 authentication. Also simplify the
concept of a "doomed" authentication. Previously, if a user had a password,
but it had expired, we still performed SCRAM authentication (but always
returned error at the end) using the salt and iteration count from the
expired password. Now we construct a fake salt, like we do when the user
doesn't have a password or doesn't exist at all. That simplifies
get_role_password(), and we can don't need to distinguish the  "user has
 expired password", and "user does not exist" cases in auth.c.

On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
---
 doc/src/sgml/client-auth.sgml  |  38 ++++-----
 src/backend/libpq/auth-scram.c | 104 ++++++++++++++-----------
 src/backend/libpq/auth.c       | 173 ++++++++++++++++++++++++++---------------
 src/backend/libpq/crypt.c      |  44 ++++-------
 src/backend/libpq/hba.c        |   2 +-
 src/include/libpq/crypt.h      |   3 +-
 src/include/libpq/hba.h        |   2 +-
 src/include/libpq/scram.h      |   2 +-
 8 files changed, 207 insertions(+), 161 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index bbd52a5418..db200d4b76 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -412,23 +412,22 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </varlistentry>
 
        <varlistentry>
-        <term><literal>md5</></term>
+        <term><literal>scram</></term>
         <listitem>
          <para>
-          Require the client to supply a double-MD5-hashed password for
-          authentication.
-          See <xref linkend="auth-password"> for details.
+          Perform SCRAM-SHA-256 authentication to verify the user's
+          password. See <xref linkend="auth-password"> for details.
          </para>
         </listitem>
        </varlistentry>
 
        <varlistentry>
-        <term><literal>scram</></term>
+        <term><literal>md5</></term>
         <listitem>
          <para>
-          Perform SCRAM-SHA-256 authentication to verify the user's
-          password.
-          See <xref linkend="auth-password"> for details.
+          Perform SCRAM-SHA-256 or MD5 authentication to verify the
+          user's password. See <xref linkend="auth-password">
+          for details.
          </para>
         </listitem>
        </varlistentry>
@@ -689,13 +688,12 @@ host    postgres        all             192.168.12.10/32        scram
 # Allow any user from hosts in the example.com domain to connect to
 # any database if the user's password is correctly supplied.
 #
-# Most users use SCRAM authentication, but some users use older clients
-# that don't support SCRAM authentication, and need to be able to log
-# in using MD5 authentication. Such users are put in the @md5users
-# group, everyone else must use SCRAM.
+# Require SCRAM authentication for most users, but make an exception
+# for user 'mike', who uses an older client that doesn't support SCRAM
+# authentication.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
-host    all             @md5users       .example.com            md5
+host    all             mike            .example.com            md5
 host    all             all             .example.com            scram
 
 # In the absence of preceding "host" lines, these two lines will
@@ -949,12 +947,14 @@ omicron         bryanh                  guest1
    </para>
 
    <para>
-    In <literal>md5</>, the client sends a hash of a random challenge,
-    generated by the server, and the password. It prevents password sniffing,
-    but is less secure than <literal>scram</>, and provides no protection
-    if an attacker manages to steal the password hash from the server.
-    <literal>md5</> cannot be used with the <xref
-    linkend="guc-db-user-namespace"> feature.  
+    <literal>md5</> allows falling back to a less secure challenge-response
+    mechanism for those users that have an MD5 hash set in the system catalog.
+    The fallback mechanism also prevents password sniffing, but provides no
+    protection if an attacker manages to steal the password hash from the
+    server, and it cannot be used with the <xref
+    linkend="guc-db-user-namespace"> feature. For users that have set their
+    password as a SCRAM verifier, <literal>md5</> works the same as
+    <literal>scram</>.
    </para>
 
    <para>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 9f78e57aae..c1a229c804 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -130,79 +130,91 @@ static char *scram_MockSalt(const char *username);
  * after the beginning of the exchange with verifier data.
  *
  * 'username' is the provided by the client.  'shadow_pass' is the role's
- * password verifier, from pg_authid.rolpassword.  If 'doomed' is true, the
- * authentication must fail, as if an incorrect password was given.
- * 'shadow_pass' may be NULL, when 'doomed' is set.
+ * password verifier, from pg_authid.rolpassword.  If 'shadow_pass' is NULL, we
+ * still perform an authentication exchange, but it will fail, as if an
+ * incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass, bool doomed)
+pg_be_scram_init(const char *username, const char *shadow_pass)
 {
 	scram_state *state;
-	int			password_type;
+	bool		got_verifier;
 
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
 
 	/*
-	 * Perform sanity checks on the provided password after catalog lookup.
-	 * The authentication is bound to fail if the lookup itself failed or if
-	 * the password stored is MD5-encrypted.  Authentication is possible for
-	 * users with a valid plain password though.
+	 * Parse the stored password verifier.
 	 */
+	if (shadow_pass)
+	{
+		int			password_type = get_password_type(shadow_pass);
 
-	if (shadow_pass == NULL || doomed)
-		password_type = -1;
-	else
-		password_type = get_password_type(shadow_pass);
+		if (password_type == PASSWORD_TYPE_SCRAM)
+		{
+			if (parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
+									 state->StoredKey, state->ServerKey))
+				got_verifier = true;
+			else
+			{
+				/*
+				 * The password looked like a SCRAM verifier, but could not be
+				 * parsed.
+				 */
+				elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
+				got_verifier = false;
+			}
+		}
+		else if (password_type == PASSWORD_TYPE_PLAINTEXT)
+		{
+			/*
+			 * The stored password is in plain format.  Generate a fresh SCRAM
+			 * verifier from it, and proceed with that.
+			 */
+			char	   *verifier;
 
-	if (password_type == PASSWORD_TYPE_SCRAM)
-	{
-		if (!parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
-								  state->StoredKey, state->ServerKey))
+			verifier = scram_build_verifier(username, shadow_pass, 0);
+
+			(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
+										state->StoredKey, state->ServerKey);
+			pfree(verifier);
+
+			got_verifier = true;
+		}
+		else
 		{
 			/*
-			 * The password looked like a SCRAM verifier, but could not be
-			 * parsed.
+			 * The user doesn't have SCRAM verifier, nor could we generate
+			 * one. (You cannot do SCRAM authentication with an MD5 hash.)
 			 */
-			elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
-			doomed = true;
+			state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
+										state->username);
+			got_verifier = false;
 		}
 	}
-	else if (password_type == PASSWORD_TYPE_PLAINTEXT)
+	else
 	{
-		char	   *verifier;
-
 		/*
-		 * The password provided is in plain format, in which case a fresh
-		 * SCRAM verifier can be generated and used for the rest of the
-		 * processing.
+		 * The caller requested us to perform a dummy authentication.  This is
+		 * considered normal, since the caller requested it, so don't set log
+		 * detail.
 		 */
-		verifier = scram_build_verifier(username, shadow_pass, 0);
-
-		(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
-									state->StoredKey, state->ServerKey);
-		pfree(verifier);
+		got_verifier = false;
 	}
-	else
-		doomed = true;
 
-	if (doomed)
+	/*
+	 * If the user did not have a valid SCRAM verifier, we still go through
+	 * the motions with a mock one, and fail as if the client supplied an
+	 * incorrect password.  This is to avoid revealing information to an
+	 * attacker.
+	 */
+	if (!got_verifier)
 	{
-		/*
-		 * We don't have a valid SCRAM verifier, nor could we generate one, or
-		 * the caller requested us to perform a dummy authentication.
-		 *
-		 * The authentication is bound to fail, but to avoid revealing
-		 * information to the attacker, go through the motions with a fake
-		 * SCRAM verifier, and fail as if the password was incorrect.
-		 */
-		state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
-									state->username);
 		mock_scram_verifier(username, &state->salt, &state->iterations,
 							state->StoredKey, state->ServerKey);
+		state->doomed = true;
 	}
-	state->doomed = doomed;
 
 	return state;
 }
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ebf10bbbae..27ed11a554 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -24,6 +24,7 @@
 #include <sys/select.h>
 #endif
 
+#include "commands/user.h"
 #include "common/ip.h"
 #include "common/md5.h"
 #include "libpq/auth.h"
@@ -49,17 +50,15 @@ static char *recv_password_packet(Port *port);
 
 
 /*----------------------------------------------------------------
- * MD5 authentication
+ * Password-based authentication methods (password, md5, and scram)
  *----------------------------------------------------------------
  */
-static int	CheckMD5Auth(Port *port, char **logdetail);
+static int	CheckPasswordAuth(Port *port, char **logdetail);
+static int	CheckPWChallengeAuth(Port *port, char **logdetail);
 
-/*----------------------------------------------------------------
- * Plaintext password authentication
- *----------------------------------------------------------------
- */
+static int	CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail);
+static int	CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail);
 
-static int	CheckPasswordAuth(Port *port, char **logdetail);
 
 /*----------------------------------------------------------------
  * Ident authentication
@@ -199,12 +198,6 @@ static int pg_SSPI_make_upn(char *accountname,
 static int	CheckRADIUSAuth(Port *port);
 
 
-/*----------------------------------------------------------------
- * SASL authentication
- *----------------------------------------------------------------
- */
-static int	CheckSASLAuth(Port *port, char **logdetail);
-
 /*
  * Maximum accepted size of GSS and SSPI authentication tokens.
  *
@@ -290,7 +283,7 @@ auth_failed(Port *port, int status, char *logdetail)
 			break;
 		case uaPassword:
 		case uaMD5:
-		case uaSASL:
+		case uaSCRAM:
 			errstr = gettext_noop("password authentication failed for user \"%s\"");
 			/* We use it to indicate if a .pgpass password failed. */
 			errcode_return = ERRCODE_INVALID_PASSWORD;
@@ -551,17 +544,14 @@ ClientAuthentication(Port *port)
 			break;
 
 		case uaMD5:
-			status = CheckMD5Auth(port, &logdetail);
+		case uaSCRAM:
+			status = CheckPWChallengeAuth(port, &logdetail);
 			break;
 
 		case uaPassword:
 			status = CheckPasswordAuth(port, &logdetail);
 			break;
 
-		case uaSASL:
-			status = CheckSASLAuth(port, &logdetail);
-			break;
-
 		case uaPAM:
 #ifdef USE_PAM
 			status = CheckPAMAuth(port, port->user_name, "");
@@ -709,41 +699,30 @@ recv_password_packet(Port *port)
 
 
 /*----------------------------------------------------------------
- * MD5 authentication
+ * Password-based authentication mechanisms
  *----------------------------------------------------------------
  */
 
+/*
+ * Plaintext password authentication.
+ */
 static int
-CheckMD5Auth(Port *port, char **logdetail)
+CheckPasswordAuth(Port *port, char **logdetail)
 {
-	char		md5Salt[4];		/* Password salt */
 	char	   *passwd;
-	char	   *shadow_pass;
 	int			result;
+	char	   *shadow_pass;
 
-	if (Db_user_namespace)
-		ereport(FATAL,
-				(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-				 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
-	/* include the salt to use for computing the response */
-	if (!pg_backend_random(md5Salt, 4))
-	{
-		ereport(LOG,
-				(errmsg("could not generate random MD5 salt")));
-		return STATUS_ERROR;
-	}
-
-	sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
+	sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
 
 	passwd = recv_password_packet(port);
 	if (passwd == NULL)
 		return STATUS_EOF;		/* client wouldn't send password */
 
-	result = get_role_password(port->user_name, &shadow_pass, logdetail);
+	shadow_pass = get_role_password(port->user_name, logdetail);
 	if (result == STATUS_OK)
-		result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
-								  md5Salt, 4, logdetail);
+		result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
+									logdetail);
 
 	if (shadow_pass)
 		pfree(shadow_pass);
@@ -752,42 +731,114 @@ CheckMD5Auth(Port *port, char **logdetail)
 	return result;
 }
 
-/*----------------------------------------------------------------
- * Plaintext password authentication
- *----------------------------------------------------------------
+/*
+ * MD5 and SCRAM authentication.
  */
+static int
+CheckPWChallengeAuth(Port *port, char **logdetail)
+{
+	int			auth_result;
+	char	   *shadow_pass;
+	PasswordType pwtype;
+
+	Assert(port->hba->auth_method == uaSCRAM ||
+		   port->hba->auth_method == uaMD5);
+
+	/* First look up the user's password. */
+	shadow_pass = get_role_password(port->user_name, logdetail);
+
+	/*
+	 * If the user does not exist, or has no password, we still go through the
+	 * motions of authentication, to avoid revealing to the client that the
+	 * user didn't exist.  If 'md5' is allowed, we choose whether to use 'md5'
+	 * or 'scram' authentication based on current password_encryption setting.
+	 * The idea is that most genuine users probably have a password of that
+	 * type, if we pretend that this user had a password of that type, too, it
+	 * "blends in" best.
+	 *
+	 * If the user had a password, but it was expired, we'll use the details
+	 * of the expired password for the authentication, but report it as
+	 * failure to the client even if correct password was given.
+	 */
+	if (!shadow_pass)
+		pwtype = Password_encryption;
+	else
+		pwtype = get_password_type(shadow_pass);
+
+	/*
+	 * If 'md5' authentication is allowed, decide whether to perform 'md5' or
+	 * 'scram' authentication based on the type of password the user has.  If
+	 * it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
+	 * verifier, we must do SCRAM authentication.  If it's stored in
+	 * plaintext, we could do either one, so we opt for the more secure
+	 * mechanism, SCRAM.
+	 *
+	 * If MD5 authentication is not allowed, always use SCRAM.  If the user
+	 * had an MD5 password, CheckSCRAMAuth() will fail.
+	 */
+	if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
+	{
+		auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
+	}
+	else
+	{
+		auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);
+	}
+
+	if (shadow_pass)
+		pfree(shadow_pass);
+
+	/*
+	 * If get_role_password() returned error, return error, even if the
+	 * authentication succeeded.
+	 */
+	if (!shadow_pass)
+	{
+		Assert(auth_result != STATUS_OK);
+		return STATUS_ERROR;
+	}
+	return auth_result;
+}
 
 static int
-CheckPasswordAuth(Port *port, char **logdetail)
+CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
 {
+	char		md5Salt[4];		/* Password salt */
 	char	   *passwd;
 	int			result;
-	char	   *shadow_pass;
 
-	sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
+	if (Db_user_namespace)
+		ereport(FATAL,
+				(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+				 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+
+	/* include the salt to use for computing the response */
+	if (!pg_backend_random(md5Salt, 4))
+	{
+		ereport(LOG,
+				(errmsg("could not generate random MD5 salt")));
+		return STATUS_ERROR;
+	}
+
+	sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
 
 	passwd = recv_password_packet(port);
 	if (passwd == NULL)
 		return STATUS_EOF;		/* client wouldn't send password */
 
-	result = get_role_password(port->user_name, &shadow_pass, logdetail);
-	if (result == STATUS_OK)
-		result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
-									logdetail);
-
 	if (shadow_pass)
-		pfree(shadow_pass);
+		result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
+								  md5Salt, 4, logdetail);
+	else
+		result = STATUS_ERROR;
+
 	pfree(passwd);
 
 	return result;
 }
 
-/*----------------------------------------------------------------
- * SASL authentication system
- *----------------------------------------------------------------
- */
 static int
-CheckSASLAuth(Port *port, char **logdetail)
+CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 {
 	int			mtype;
 	StringInfoData buf;
@@ -795,8 +846,6 @@ CheckSASLAuth(Port *port, char **logdetail)
 	char	   *output = NULL;
 	int			outputlen = 0;
 	int			result;
-	char	   *shadow_pass;
-	bool		doomed = false;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -826,11 +875,9 @@ CheckSASLAuth(Port *port, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	if (get_role_password(port->user_name, &shadow_pass, logdetail) != STATUS_OK)
-		doomed = true;
 
 	/* Initialize the status tracker for message exchanges */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass, doomed);
+	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -874,7 +921,7 @@ CheckSASLAuth(Port *port, char **logdetail)
 		 */
 		result = pg_be_scram_exchange(scram_opaq, buf.data, buf.len,
 									  &output, &outputlen,
-									  doomed ? NULL : logdetail);
+									  logdetail);
 
 		/* input buffer no longer used */
 		pfree(buf.data);
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 9f0ae15b00..1c5a3fa5f3 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -31,25 +31,18 @@
 /*
  * Fetch stored password for a user, for authentication.
  *
- * Returns STATUS_OK on success.  On error, returns STATUS_ERROR, and stores
- * a palloc'd string describing the reason, for the postmaster log, in
- * *logdetail.  The error reason should *not* be sent to the client, to avoid
- * giving away user information!
- *
- * If the password is expired, it is still returned in *shadow_pass, but the
- * return code is STATUS_ERROR.  On other errors, *shadow_pass is set to
- * NULL.
+ * On error, returns NULL, and stores a palloc'd string describing the reason,
+ * for the postmaster log, in *logdetail.  The error reason should *not* be
+ * sent to the client, to avoid giving away user information!
  */
-int
-get_role_password(const char *role, char **shadow_pass, char **logdetail)
+char *
+get_role_password(const char *role, char **logdetail)
 {
-	int			retval = STATUS_ERROR;
 	TimestampTz vuntil = 0;
 	HeapTuple	roleTup;
 	Datum		datum;
 	bool		isnull;
-
-	*shadow_pass = NULL;
+	char	   *shadow_pass;
 
 	/* Get role info from pg_authid */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
@@ -57,7 +50,7 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 	{
 		*logdetail = psprintf(_("Role \"%s\" does not exist."),
 							  role);
-		return STATUS_ERROR;	/* no such user */
+		return NULL;	/* no such user */
 	}
 
 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
@@ -67,9 +60,9 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 		ReleaseSysCache(roleTup);
 		*logdetail = psprintf(_("User \"%s\" has no password assigned."),
 							  role);
-		return STATUS_ERROR;	/* user has no password */
+		return NULL;	/* user has no password */
 	}
-	*shadow_pass = TextDatumGetCString(datum);
+	shadow_pass = TextDatumGetCString(datum);
 
 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
 							Anum_pg_authid_rolvaliduntil, &isnull);
@@ -78,30 +71,25 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 
 	ReleaseSysCache(roleTup);
 
-	if (**shadow_pass == '\0')
+	if (*shadow_pass == '\0')
 	{
 		*logdetail = psprintf(_("User \"%s\" has an empty password."),
 							  role);
-		pfree(*shadow_pass);
-		*shadow_pass = NULL;
-		return STATUS_ERROR;	/* empty password */
+		pfree(shadow_pass);
+		return NULL;	/* empty password */
 	}
 
 	/*
-	 * Password OK, now check to be sure we are not past rolvaliduntil
+	 * Password OK, but check to be sure we are not past rolvaliduntil
 	 */
-	if (isnull)
-		retval = STATUS_OK;
-	else if (vuntil < GetCurrentTimestamp())
+	if (!isnull && vuntil < GetCurrentTimestamp())
 	{
 		*logdetail = psprintf(_("User \"%s\" has an expired password."),
 							  role);
-		retval = STATUS_ERROR;
+		return NULL;
 	}
-	else
-		retval = STATUS_OK;
 
-	return retval;
+	return shadow_pass;
 }
 
 /*
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3817d249c4..e2c1a86901 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1325,7 +1325,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 		parsedline->auth_method = uaMD5;
 	}
 	else if (strcmp(token->string, "scram") == 0)
-		parsedline->auth_method = uaSASL;
+		parsedline->auth_method = uaSCRAM;
 	else if (strcmp(token->string, "pam") == 0)
 #ifdef USE_PAM
 		parsedline->auth_method = uaPAM;
diff --git a/src/include/libpq/crypt.h b/src/include/libpq/crypt.h
index 0502d6a0e5..3b5da69b08 100644
--- a/src/include/libpq/crypt.h
+++ b/src/include/libpq/crypt.h
@@ -32,8 +32,7 @@ extern PasswordType get_password_type(const char *shadow_pass);
 extern char *encrypt_password(PasswordType target_type, const char *role,
 				 const char *password);
 
-extern int get_role_password(const char *role, char **shadow_pass,
-				  char **logdetail);
+extern char *get_role_password(const char *role, char **logdetail);
 
 extern int md5_crypt_verify(const char *role, const char *shadow_pass,
 				 const char *client_pass, const char *md5_salt,
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8f55edb16a..4925e9d609 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -30,7 +30,7 @@ typedef enum UserAuth
 	uaIdent,
 	uaPassword,
 	uaMD5,
-	uaSASL,
+	uaSCRAM,
 	uaGSS,
 	uaSSPI,
 	uaPAM,
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 78a52db684..7cc47a757e 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -22,7 +22,7 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass, bool doomed);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-- 
2.11.0

From 06383d8f2a1538ffb62ec5796dfe1e09b798587d Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Wed, 22 Mar 2017 13:49:10 +0200
Subject: [PATCH 1/1] Allow SCRAM authentication, when pg_hba.conf says 'md5'.

If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. In the
worst case, the client doesn't support SCRAM, and the authentication will
fail. But previously, it would fail for sure, because we would not even
try. SCRAM is strictly more secure than MD5, so there's no harm in trying
it. This allows for a more graceful transition from MD5 passwords to SCRAM,
as user passwords can be switched to SCRAM incrementally, without changing
pg_hba.conf.

Refactor the code in auth.c to support that better. Notably, we now have
to look up the user's pg_authid entry before sending the password
challenge, also when performing MD5 authentication. Also simplify the
concept of a "doomed" authentication. Previously, if a user had a password,
but it had expired, we still performed SCRAM authentication (but always
returned error at the end) using the salt and iteration count from the
expired password. Now we construct a fake salt, like we do when the user
doesn't have a password or doesn't exist at all. That simplifies
get_role_password(), and we can don't need to distinguish the  "user has
 expired password", and "user does not exist" cases in auth.c.

On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
---
 doc/src/sgml/client-auth.sgml             |  37 ++++---
 src/backend/libpq/auth-scram.c            | 104 ++++++++++--------
 src/backend/libpq/auth.c                  | 173 +++++++++++++++++++-----------
 src/backend/libpq/crypt.c                 |  44 +++-----
 src/backend/libpq/hba.c                   |   2 +-
 src/include/libpq/crypt.h                 |   3 +-
 src/include/libpq/hba.h                   |   2 +-
 src/include/libpq/scram.h                 |   2 +-
 src/test/authentication/t/001_password.pl |   6 +-
 9 files changed, 209 insertions(+), 164 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index bbd52a5418..9050be44d3 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -412,23 +412,22 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </varlistentry>
 
        <varlistentry>
-        <term><literal>md5</></term>
+        <term><literal>scram</></term>
         <listitem>
          <para>
-          Require the client to supply a double-MD5-hashed password for
-          authentication.
-          See <xref linkend="auth-password"> for details.
+          Perform SCRAM-SHA-256 authentication to verify the user's
+          password. See <xref linkend="auth-password"> for details.
          </para>
         </listitem>
        </varlistentry>
 
        <varlistentry>
-        <term><literal>scram</></term>
+        <term><literal>md5</></term>
         <listitem>
          <para>
-          Perform SCRAM-SHA-256 authentication to verify the user's
-          password.
-          See <xref linkend="auth-password"> for details.
+          Perform SCRAM-SHA-256 or MD5 authentication to verify the
+          user's password. See <xref linkend="auth-password">
+          for details.
          </para>
         </listitem>
        </varlistentry>
@@ -689,13 +688,12 @@ host    postgres        all             192.168.12.10/32        scram
 # Allow any user from hosts in the example.com domain to connect to
 # any database if the user's password is correctly supplied.
 #
-# Most users use SCRAM authentication, but some users use older clients
-# that don't support SCRAM authentication, and need to be able to log
-# in using MD5 authentication. Such users are put in the @md5users
-# group, everyone else must use SCRAM.
+# Require SCRAM authentication for most users, but make an exception
+# for user 'mike', who uses an older client that doesn't support SCRAM
+# authentication.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
-host    all             @md5users       .example.com            md5
+host    all             mike            .example.com            md5
 host    all             all             .example.com            scram
 
 # In the absence of preceding "host" lines, these two lines will
@@ -949,12 +947,13 @@ omicron         bryanh                  guest1
    </para>
 
    <para>
-    In <literal>md5</>, the client sends a hash of a random challenge,
-    generated by the server, and the password. It prevents password sniffing,
-    but is less secure than <literal>scram</>, and provides no protection
-    if an attacker manages to steal the password hash from the server.
-    <literal>md5</> cannot be used with the <xref
-    linkend="guc-db-user-namespace"> feature.  
+    <literal>md5</> allows falling back to a less secure challenge-response
+    mechanism for those users with an MD5 hashed password.
+    The fallback mechanism also prevents password sniffing, but provides no
+    protection if an attacker manages to steal the password hash from the
+    server, and it cannot be used with the <xref
+    linkend="guc-db-user-namespace"> feature. For all other users,
+    <literal>md5</> works the same as <literal>scram</>.
    </para>
 
    <para>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index db15a2fac6..bcc8d03ef5 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -130,79 +130,91 @@ static char *scram_MockSalt(const char *username);
  * after the beginning of the exchange with verifier data.
  *
  * 'username' is the provided by the client.  'shadow_pass' is the role's
- * password verifier, from pg_authid.rolpassword.  If 'doomed' is true, the
- * authentication must fail, as if an incorrect password was given.
- * 'shadow_pass' may be NULL, when 'doomed' is set.
+ * password verifier, from pg_authid.rolpassword.  If 'shadow_pass' is NULL, we
+ * still perform an authentication exchange, but it will fail, as if an
+ * incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass, bool doomed)
+pg_be_scram_init(const char *username, const char *shadow_pass)
 {
 	scram_state *state;
-	int			password_type;
+	bool		got_verifier;
 
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
 
 	/*
-	 * Perform sanity checks on the provided password after catalog lookup.
-	 * The authentication is bound to fail if the lookup itself failed or if
-	 * the password stored is MD5-encrypted.  Authentication is possible for
-	 * users with a valid plain password though.
+	 * Parse the stored password verifier.
 	 */
+	if (shadow_pass)
+	{
+		int			password_type = get_password_type(shadow_pass);
 
-	if (shadow_pass == NULL || doomed)
-		password_type = -1;
-	else
-		password_type = get_password_type(shadow_pass);
+		if (password_type == PASSWORD_TYPE_SCRAM)
+		{
+			if (parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
+									 state->StoredKey, state->ServerKey))
+				got_verifier = true;
+			else
+			{
+				/*
+				 * The password looked like a SCRAM verifier, but could not be
+				 * parsed.
+				 */
+				elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
+				got_verifier = false;
+			}
+		}
+		else if (password_type == PASSWORD_TYPE_PLAINTEXT)
+		{
+			/*
+			 * The stored password is in plain format.  Generate a fresh SCRAM
+			 * verifier from it, and proceed with that.
+			 */
+			char	   *verifier;
 
-	if (password_type == PASSWORD_TYPE_SCRAM)
-	{
-		if (!parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
-								  state->StoredKey, state->ServerKey))
+			verifier = scram_build_verifier(username, shadow_pass, 0);
+
+			(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
+										state->StoredKey, state->ServerKey);
+			pfree(verifier);
+
+			got_verifier = true;
+		}
+		else
 		{
 			/*
-			 * The password looked like a SCRAM verifier, but could not be
-			 * parsed.
+			 * The user doesn't have SCRAM verifier, nor could we generate
+			 * one. (You cannot do SCRAM authentication with an MD5 hash.)
 			 */
-			elog(LOG, "invalid SCRAM verifier for user \"%s\"", username);
-			doomed = true;
+			state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
+										state->username);
+			got_verifier = false;
 		}
 	}
-	else if (password_type == PASSWORD_TYPE_PLAINTEXT)
+	else
 	{
-		char	   *verifier;
-
 		/*
-		 * The password provided is in plain format, in which case a fresh
-		 * SCRAM verifier can be generated and used for the rest of the
-		 * processing.
+		 * The caller requested us to perform a dummy authentication.  This is
+		 * considered normal, since the caller requested it, so don't set log
+		 * detail.
 		 */
-		verifier = scram_build_verifier(username, shadow_pass, 0);
-
-		(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
-									state->StoredKey, state->ServerKey);
-		pfree(verifier);
+		got_verifier = false;
 	}
-	else
-		doomed = true;
 
-	if (doomed)
+	/*
+	 * If the user did not have a valid SCRAM verifier, we still go through
+	 * the motions with a mock one, and fail as if the client supplied an
+	 * incorrect password.  This is to avoid revealing information to an
+	 * attacker.
+	 */
+	if (!got_verifier)
 	{
-		/*
-		 * We don't have a valid SCRAM verifier, nor could we generate one, or
-		 * the caller requested us to perform a dummy authentication.
-		 *
-		 * The authentication is bound to fail, but to avoid revealing
-		 * information to the attacker, go through the motions with a fake
-		 * SCRAM verifier, and fail as if the password was incorrect.
-		 */
-		state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
-									state->username);
 		mock_scram_verifier(username, &state->salt, &state->iterations,
 							state->StoredKey, state->ServerKey);
+		state->doomed = true;
 	}
-	state->doomed = doomed;
 
 	return state;
 }
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ebf10bbbae..27ed11a554 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -24,6 +24,7 @@
 #include <sys/select.h>
 #endif
 
+#include "commands/user.h"
 #include "common/ip.h"
 #include "common/md5.h"
 #include "libpq/auth.h"
@@ -49,17 +50,15 @@ static char *recv_password_packet(Port *port);
 
 
 /*----------------------------------------------------------------
- * MD5 authentication
+ * Password-based authentication methods (password, md5, and scram)
  *----------------------------------------------------------------
  */
-static int	CheckMD5Auth(Port *port, char **logdetail);
+static int	CheckPasswordAuth(Port *port, char **logdetail);
+static int	CheckPWChallengeAuth(Port *port, char **logdetail);
 
-/*----------------------------------------------------------------
- * Plaintext password authentication
- *----------------------------------------------------------------
- */
+static int	CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail);
+static int	CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail);
 
-static int	CheckPasswordAuth(Port *port, char **logdetail);
 
 /*----------------------------------------------------------------
  * Ident authentication
@@ -199,12 +198,6 @@ static int pg_SSPI_make_upn(char *accountname,
 static int	CheckRADIUSAuth(Port *port);
 
 
-/*----------------------------------------------------------------
- * SASL authentication
- *----------------------------------------------------------------
- */
-static int	CheckSASLAuth(Port *port, char **logdetail);
-
 /*
  * Maximum accepted size of GSS and SSPI authentication tokens.
  *
@@ -290,7 +283,7 @@ auth_failed(Port *port, int status, char *logdetail)
 			break;
 		case uaPassword:
 		case uaMD5:
-		case uaSASL:
+		case uaSCRAM:
 			errstr = gettext_noop("password authentication failed for user \"%s\"");
 			/* We use it to indicate if a .pgpass password failed. */
 			errcode_return = ERRCODE_INVALID_PASSWORD;
@@ -551,17 +544,14 @@ ClientAuthentication(Port *port)
 			break;
 
 		case uaMD5:
-			status = CheckMD5Auth(port, &logdetail);
+		case uaSCRAM:
+			status = CheckPWChallengeAuth(port, &logdetail);
 			break;
 
 		case uaPassword:
 			status = CheckPasswordAuth(port, &logdetail);
 			break;
 
-		case uaSASL:
-			status = CheckSASLAuth(port, &logdetail);
-			break;
-
 		case uaPAM:
 #ifdef USE_PAM
 			status = CheckPAMAuth(port, port->user_name, "");
@@ -709,41 +699,30 @@ recv_password_packet(Port *port)
 
 
 /*----------------------------------------------------------------
- * MD5 authentication
+ * Password-based authentication mechanisms
  *----------------------------------------------------------------
  */
 
+/*
+ * Plaintext password authentication.
+ */
 static int
-CheckMD5Auth(Port *port, char **logdetail)
+CheckPasswordAuth(Port *port, char **logdetail)
 {
-	char		md5Salt[4];		/* Password salt */
 	char	   *passwd;
-	char	   *shadow_pass;
 	int			result;
+	char	   *shadow_pass;
 
-	if (Db_user_namespace)
-		ereport(FATAL,
-				(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
-				 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
-
-	/* include the salt to use for computing the response */
-	if (!pg_backend_random(md5Salt, 4))
-	{
-		ereport(LOG,
-				(errmsg("could not generate random MD5 salt")));
-		return STATUS_ERROR;
-	}
-
-	sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
+	sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
 
 	passwd = recv_password_packet(port);
 	if (passwd == NULL)
 		return STATUS_EOF;		/* client wouldn't send password */
 
-	result = get_role_password(port->user_name, &shadow_pass, logdetail);
+	shadow_pass = get_role_password(port->user_name, logdetail);
 	if (result == STATUS_OK)
-		result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
-								  md5Salt, 4, logdetail);
+		result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
+									logdetail);
 
 	if (shadow_pass)
 		pfree(shadow_pass);
@@ -752,42 +731,114 @@ CheckMD5Auth(Port *port, char **logdetail)
 	return result;
 }
 
-/*----------------------------------------------------------------
- * Plaintext password authentication
- *----------------------------------------------------------------
+/*
+ * MD5 and SCRAM authentication.
  */
+static int
+CheckPWChallengeAuth(Port *port, char **logdetail)
+{
+	int			auth_result;
+	char	   *shadow_pass;
+	PasswordType pwtype;
+
+	Assert(port->hba->auth_method == uaSCRAM ||
+		   port->hba->auth_method == uaMD5);
+
+	/* First look up the user's password. */
+	shadow_pass = get_role_password(port->user_name, logdetail);
+
+	/*
+	 * If the user does not exist, or has no password, we still go through the
+	 * motions of authentication, to avoid revealing to the client that the
+	 * user didn't exist.  If 'md5' is allowed, we choose whether to use 'md5'
+	 * or 'scram' authentication based on current password_encryption setting.
+	 * The idea is that most genuine users probably have a password of that
+	 * type, if we pretend that this user had a password of that type, too, it
+	 * "blends in" best.
+	 *
+	 * If the user had a password, but it was expired, we'll use the details
+	 * of the expired password for the authentication, but report it as
+	 * failure to the client even if correct password was given.
+	 */
+	if (!shadow_pass)
+		pwtype = Password_encryption;
+	else
+		pwtype = get_password_type(shadow_pass);
+
+	/*
+	 * If 'md5' authentication is allowed, decide whether to perform 'md5' or
+	 * 'scram' authentication based on the type of password the user has.  If
+	 * it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
+	 * verifier, we must do SCRAM authentication.  If it's stored in
+	 * plaintext, we could do either one, so we opt for the more secure
+	 * mechanism, SCRAM.
+	 *
+	 * If MD5 authentication is not allowed, always use SCRAM.  If the user
+	 * had an MD5 password, CheckSCRAMAuth() will fail.
+	 */
+	if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
+	{
+		auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
+	}
+	else
+	{
+		auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);
+	}
+
+	if (shadow_pass)
+		pfree(shadow_pass);
+
+	/*
+	 * If get_role_password() returned error, return error, even if the
+	 * authentication succeeded.
+	 */
+	if (!shadow_pass)
+	{
+		Assert(auth_result != STATUS_OK);
+		return STATUS_ERROR;
+	}
+	return auth_result;
+}
 
 static int
-CheckPasswordAuth(Port *port, char **logdetail)
+CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
 {
+	char		md5Salt[4];		/* Password salt */
 	char	   *passwd;
 	int			result;
-	char	   *shadow_pass;
 
-	sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
+	if (Db_user_namespace)
+		ereport(FATAL,
+				(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+				 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
+
+	/* include the salt to use for computing the response */
+	if (!pg_backend_random(md5Salt, 4))
+	{
+		ereport(LOG,
+				(errmsg("could not generate random MD5 salt")));
+		return STATUS_ERROR;
+	}
+
+	sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
 
 	passwd = recv_password_packet(port);
 	if (passwd == NULL)
 		return STATUS_EOF;		/* client wouldn't send password */
 
-	result = get_role_password(port->user_name, &shadow_pass, logdetail);
-	if (result == STATUS_OK)
-		result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
-									logdetail);
-
 	if (shadow_pass)
-		pfree(shadow_pass);
+		result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
+								  md5Salt, 4, logdetail);
+	else
+		result = STATUS_ERROR;
+
 	pfree(passwd);
 
 	return result;
 }
 
-/*----------------------------------------------------------------
- * SASL authentication system
- *----------------------------------------------------------------
- */
 static int
-CheckSASLAuth(Port *port, char **logdetail)
+CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 {
 	int			mtype;
 	StringInfoData buf;
@@ -795,8 +846,6 @@ CheckSASLAuth(Port *port, char **logdetail)
 	char	   *output = NULL;
 	int			outputlen = 0;
 	int			result;
-	char	   *shadow_pass;
-	bool		doomed = false;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -826,11 +875,9 @@ CheckSASLAuth(Port *port, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	if (get_role_password(port->user_name, &shadow_pass, logdetail) != STATUS_OK)
-		doomed = true;
 
 	/* Initialize the status tracker for message exchanges */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass, doomed);
+	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -874,7 +921,7 @@ CheckSASLAuth(Port *port, char **logdetail)
 		 */
 		result = pg_be_scram_exchange(scram_opaq, buf.data, buf.len,
 									  &output, &outputlen,
-									  doomed ? NULL : logdetail);
+									  logdetail);
 
 		/* input buffer no longer used */
 		pfree(buf.data);
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index ac10751ec2..34beab5334 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -31,25 +31,18 @@
 /*
  * Fetch stored password for a user, for authentication.
  *
- * Returns STATUS_OK on success.  On error, returns STATUS_ERROR, and stores
- * a palloc'd string describing the reason, for the postmaster log, in
- * *logdetail.  The error reason should *not* be sent to the client, to avoid
- * giving away user information!
- *
- * If the password is expired, it is still returned in *shadow_pass, but the
- * return code is STATUS_ERROR.  On other errors, *shadow_pass is set to
- * NULL.
+ * On error, returns NULL, and stores a palloc'd string describing the reason,
+ * for the postmaster log, in *logdetail.  The error reason should *not* be
+ * sent to the client, to avoid giving away user information!
  */
-int
-get_role_password(const char *role, char **shadow_pass, char **logdetail)
+char *
+get_role_password(const char *role, char **logdetail)
 {
-	int			retval = STATUS_ERROR;
 	TimestampTz vuntil = 0;
 	HeapTuple	roleTup;
 	Datum		datum;
 	bool		isnull;
-
-	*shadow_pass = NULL;
+	char	   *shadow_pass;
 
 	/* Get role info from pg_authid */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(role));
@@ -57,7 +50,7 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 	{
 		*logdetail = psprintf(_("Role \"%s\" does not exist."),
 							  role);
-		return STATUS_ERROR;	/* no such user */
+		return NULL;	/* no such user */
 	}
 
 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
@@ -67,9 +60,9 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 		ReleaseSysCache(roleTup);
 		*logdetail = psprintf(_("User \"%s\" has no password assigned."),
 							  role);
-		return STATUS_ERROR;	/* user has no password */
+		return NULL;	/* user has no password */
 	}
-	*shadow_pass = TextDatumGetCString(datum);
+	shadow_pass = TextDatumGetCString(datum);
 
 	datum = SysCacheGetAttr(AUTHNAME, roleTup,
 							Anum_pg_authid_rolvaliduntil, &isnull);
@@ -78,30 +71,25 @@ get_role_password(const char *role, char **shadow_pass, char **logdetail)
 
 	ReleaseSysCache(roleTup);
 
-	if (**shadow_pass == '\0')
+	if (*shadow_pass == '\0')
 	{
 		*logdetail = psprintf(_("User \"%s\" has an empty password."),
 							  role);
-		pfree(*shadow_pass);
-		*shadow_pass = NULL;
-		return STATUS_ERROR;	/* empty password */
+		pfree(shadow_pass);
+		return NULL;	/* empty password */
 	}
 
 	/*
-	 * Password OK, now check to be sure we are not past rolvaliduntil
+	 * Password OK, but check to be sure we are not past rolvaliduntil
 	 */
-	if (isnull)
-		retval = STATUS_OK;
-	else if (vuntil < GetCurrentTimestamp())
+	if (!isnull && vuntil < GetCurrentTimestamp())
 	{
 		*logdetail = psprintf(_("User \"%s\" has an expired password."),
 							  role);
-		retval = STATUS_ERROR;
+		return NULL;
 	}
-	else
-		retval = STATUS_OK;
 
-	return retval;
+	return shadow_pass;
 }
 
 /*
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3817d249c4..e2c1a86901 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1325,7 +1325,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
 		parsedline->auth_method = uaMD5;
 	}
 	else if (strcmp(token->string, "scram") == 0)
-		parsedline->auth_method = uaSASL;
+		parsedline->auth_method = uaSCRAM;
 	else if (strcmp(token->string, "pam") == 0)
 #ifdef USE_PAM
 		parsedline->auth_method = uaPAM;
diff --git a/src/include/libpq/crypt.h b/src/include/libpq/crypt.h
index 0502d6a0e5..3b5da69b08 100644
--- a/src/include/libpq/crypt.h
+++ b/src/include/libpq/crypt.h
@@ -32,8 +32,7 @@ extern PasswordType get_password_type(const char *shadow_pass);
 extern char *encrypt_password(PasswordType target_type, const char *role,
 				 const char *password);
 
-extern int get_role_password(const char *role, char **shadow_pass,
-				  char **logdetail);
+extern char *get_role_password(const char *role, char **logdetail);
 
 extern int md5_crypt_verify(const char *role, const char *shadow_pass,
 				 const char *client_pass, const char *md5_salt,
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 8f55edb16a..4925e9d609 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -30,7 +30,7 @@ typedef enum UserAuth
 	uaIdent,
 	uaPassword,
 	uaMD5,
-	uaSASL,
+	uaSCRAM,
 	uaGSS,
 	uaSSPI,
 	uaPAM,
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index fb21e056c8..e373f0c07e 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -22,7 +22,7 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass, bool doomed);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 8726a23e0d..d7bc13bd58 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -75,10 +75,10 @@ SKIP:
 	test_role($node, 'md5_role', 'scram', 2);
 	test_role($node, 'plain_role', 'scram', 0);
 
-	# For "md5" method, users "plain_role" and "md5_role" should be able to
-	# connect.
+	# For "md5" method, all users should be able to connect (SCRAM
+	# authentication will be performed for the user with a scram verifier.)
 	reset_pg_hba($node, 'md5');
-	test_role($node, 'scram_role', 'md5', 2);
+	test_role($node, 'scram_role', 'md5', 0);
 	test_role($node, 'md5_role', 'md5', 0);
 	test_role($node, 'plain_role', 'md5', 0);
 }
-- 
2.11.0

From 21e73b1bc1cf1985b7ca0e638b0e752ffd4b89b1 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:31:38 +0900
Subject: [PATCH 1/5] Use base64-based encoding for stored and server keys in
 SCRAM verifiers

In order to be able to generate a SCRAM verifier even for frontends, let's
simplify the tools used to generate it and switch all the elements of the
verifiers to be base64-encoded using the routines already in place in
src/common/.
---
 doc/src/sgml/catalogs.sgml             |  2 +-
 src/backend/libpq/auth-scram.c         | 30 +++++++++++++++++-------------
 src/test/regress/expected/password.out |  8 ++++----
 src/test/regress/sql/password.sql      |  8 ++++----
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index ac39c639ed..30a288ab91 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1371,7 +1371,7 @@
    identify the password as a SCRAM-SHA-256 verifier. The second field is a
    salt, Base64-encoded, and the third field is the number of iterations used
    to generate the password.  The fourth field and fifth field are the stored
-   key and server key, respectively, in hexadecimal format. A password that
+   key and server key, respectively, in Base64 format. A password that
    does not follow either of those formats is assumed to be unencrypted.
   </para>
  </sect1>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index bcc8d03ef5..e8068d3b7a 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -339,8 +339,8 @@ scram_build_verifier(const char *username, const char *password,
 					 int iterations)
 {
 	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char		storedkey_hex[SCRAM_KEY_LEN * 2 + 1];
-	char		serverkey_hex[SCRAM_KEY_LEN * 2 + 1];
+	char	   *encoded_storedkey;
+	char	   *encoded_serverkey;
 	char		salt[SCRAM_SALT_LEN];
 	char	   *encoded_salt;
 	int			encoded_len;
@@ -360,20 +360,25 @@ scram_build_verifier(const char *username, const char *password,
 	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
 	encoded_salt[encoded_len] = '\0';
 
-	/* Calculate StoredKey, and encode it in hex */
+	/* Calculate StoredKey, and encode it in base64 */
+	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
 							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
 	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, storedkey_hex);
-	storedkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_storedkey);
+	encoded_storedkey[encoded_len] = '\0';
 
 	/* And same for ServerKey */
+	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
 							SCRAM_SERVER_KEY_NAME, keybuf);
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, serverkey_hex);
-	serverkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_serverkey);
+	encoded_serverkey[encoded_len] = '\0';
 
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations, storedkey_hex, serverkey_hex);
+	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
+					encoded_storedkey, encoded_serverkey);
 }
 
 /*
@@ -483,17 +488,16 @@ parse_scram_verifier(const char *verifier, char **salt, int *iterations,
 	/* storedkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) stored_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) stored_key);
 
 	/* serverkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) server_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) server_key);
 
 	pfree(v);
 	return true;
diff --git a/src/test/regress/expected/password.out b/src/test/regress/expected/password.out
index c503e43abe..0cdb6141e2 100644
--- a/src/test/regress/expected/password.out
+++ b/src/test/regress/expected/password.out
@@ -23,11 +23,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -59,11 +59,11 @@ ALTER ROLE regress_passwd1 UNENCRYPTED PASSWORD 'foo'; -- unencrypted
 ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab9cdb'; -- encrypted with MD5
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
diff --git a/src/test/regress/sql/password.sql b/src/test/regress/sql/password.sql
index f4b3a9ac3a..df1ff989cc 100644
--- a/src/test/regress/sql/password.sql
+++ b/src/test/regress/sql/password.sql
@@ -24,11 +24,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -48,13 +48,13 @@ ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
 
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
 
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
-- 
2.12.1

From ea4884552ed7646973c4be5f3357a6acb806f95c Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:42:45 +0900
Subject: [PATCH 3/5] Move routine to build SCRAM verifier into src/common/

This is aimed at being used by libpq to allow frontend-side creation
of SCRAM verifiers. The result is not anymore allocated by the routine
itself, the caller is responsible for that, similarly to md5.
---
 src/backend/libpq/auth-scram.c    | 56 ++---------------------------
 src/backend/libpq/crypt.c         |  7 +++-
 src/common/scram-common.c         | 74 +++++++++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h | 20 +++++++++++
 src/include/libpq/scram.h         |  5 +--
 5 files changed, 103 insertions(+), 59 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index e8068d3b7a..9cec3c0f82 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -172,9 +172,9 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 			 * The stored password is in plain format.  Generate a fresh SCRAM
 			 * verifier from it, and proceed with that.
 			 */
-			char	   *verifier;
+			char	   *verifier = palloc(SCRAM_VERIFIER_LEN + 1);
 
-			verifier = scram_build_verifier(username, shadow_pass, 0);
+			(void) scram_build_verifier(username, shadow_pass, 0, verifier);
 
 			(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
 										state->StoredKey, state->ServerKey);
@@ -328,58 +328,6 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 	return result;
 }
 
-/*
- * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
- *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
- */
-char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
-{
-	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	char		salt[SCRAM_SALT_LEN];
-	char	   *encoded_salt;
-	int			encoded_len;
-
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
-	{
-		ereport(LOG,
-				(errcode(ERRCODE_INTERNAL_ERROR),
-				 errmsg("could not generate random salt")));
-		return NULL;
-	}
-
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
-					encoded_storedkey, encoded_serverkey);
-}
 
 /*
  * Verify a plaintext password against a SCRAM verifier.  This is used when
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 34beab5334..d9aa2d93d6 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -20,6 +20,7 @@
 
 #include "catalog/pg_authid.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/crypt.h"
 #include "libpq/scram.h"
 #include "miscadmin.h"
@@ -156,7 +157,11 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
+					encrypted_password = palloc(SCRAM_VERIFIER_LEN + 1);
+					if (!scram_build_verifier(role, password, 0,
+											  encrypted_password))
+						elog(ERROR, "password encryption failed");
+					return encrypted_password;
 
 				case PASSWORD_TYPE_MD5:
 
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index e44f38f652..00e45a800a 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -24,6 +24,11 @@
 #include <arpa/inet.h>
 
 #include "common/scram-common.h"
+#ifndef FRONTEND
+#include "utils/backend_random.h"
+#else
+#include "common/frontend_random.h"
+#endif
 
 #define HMAC_IPAD 0x36
 #define HMAC_OPAD 0x5C
@@ -184,3 +189,72 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * stored in "verifier" that caller is responsible to allocate a buffer of
+ * size SCRAM_VERIFIER_LEN.  Returns true if the verifier has been generated,
+ * false otherwise.  It is important for this routine to do no memory
+ * allocations.
+ */
+bool
+scram_build_verifier(const char *username, const char *password,
+					 int iterations, char *verifier)
+{
+	uint8		keybuf[SCRAM_KEY_LEN + 1];
+	char		salt[SCRAM_SALT_LEN];
+	char		intbuf[SCRAM_ITERATION_LEN];
+	char	   *p;
+
+	if (iterations <= 0)
+		iterations = SCRAM_ITERATIONS_DEFAULT;
+
+#ifdef FRONTEND
+	if (!pg_frontend_random(salt, SCRAM_SALT_LEN))
+		return false;
+#else
+	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+	{
+		ereport(LOG,
+				(errcode(ERRCODE_INTERNAL_ERROR),
+				 errmsg("could not generate random salt")));
+		return false;
+	}
+#endif
+
+	/* Fill in the data of the verifier */
+	p = verifier;
+	memcpy(p, SCRAM_VERIFIER_PREFIX, strlen(SCRAM_VERIFIER_PREFIX));
+	p += strlen(SCRAM_VERIFIER_PREFIX);
+	*p++ = ':';
+
+	/* salt */
+	(void) pg_b64_encode(salt, SCRAM_SALT_LEN, p);
+	p += pg_b64_enc_len(SCRAM_SALT_LEN);
+	*p++ = ':';
+
+	/* iterations */
+	sprintf(intbuf, "%d", iterations);
+	memcpy(p, intbuf, strlen(intbuf));
+	p += strlen(intbuf);
+	*p++ = ':';
+
+	/* Calculate StoredKey, and encode it in base64 */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
+							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
+	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = ':';
+
+	/* And same for ServerKey */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
+							SCRAM_SERVER_KEY_NAME, keybuf);
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = '\0';
+
+	return true;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 7c98cc74d6..3fdfca44d6 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -13,6 +13,7 @@
 #ifndef SCRAM_COMMON_H
 #define SCRAM_COMMON_H
 
+#include "common/base64.h"
 #include "common/sha2.h"
 
 /* Length of SCRAM keys (client and server) */
@@ -41,6 +42,23 @@
 #define SCRAM_SERVER_KEY_NAME "Server Key"
 #define SCRAM_CLIENT_KEY_NAME "Client Key"
 
+#define SCRAM_VERIFIER_PREFIX "scram-sha-256"
+
+/*
+ * Length of a SCRAM verifier, which is made of the following five fields
+ * separated by a colon:
+ * - prefix "scram-sha-256", made of 13 characters.
+ * - 4 colon separators.
+ * - 32-bit number of interations, up to 10 characters.
+ * - base64-encoded salt of length SCRAM_SALT_LEN
+ * - base64-encoded stored key of length SCRAM_KEY_LEN
+ * - base64-encoded server key of length SCRAM_KEY_LEN
+ */
+#define SCRAM_VERIFIER_LEN (strlen("scram-sha-256") + 4 + \
+							SCRAM_ITERATION_LEN + \
+							pg_b64_enc_len(SCRAM_SALT_LEN) + \
+							pg_b64_enc_len(SCRAM_KEY_LEN) * 2)
+
 /*
  * Context data for HMAC used in SCRAM authentication.
  */
@@ -58,5 +76,7 @@ extern void scram_H(const uint8 *str, int len, uint8 *result);
 extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
+extern bool scram_build_verifier(const char *username, const char *password,
+								 int iterations, char *verifier);
 
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e373f0c07e..803fc4ef7a 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -26,10 +26,7 @@ extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-/* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+/* Routines to check SCRAM-SHA-256 verifier */
 extern bool is_scram_verifier(const char *verifier);
 extern bool scram_verify_plain_password(const char *username,
 							const char *password, const char *verifier);
-- 
2.12.1

From 863c71ea02c1abe302aec622ed3ae7fb45c56425 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:45:39 +0900
Subject: [PATCH 4/5] Extend PQencryptPassword with a hashing method

This extra argument can use the following values when hashing the
password:
- scram, for SCRAM-SHA-256 hashing.
- md5, for MD5 hashing.
- plain, for cleartext.
---
 doc/src/sgml/libpq.sgml         |  6 ++++-
 src/bin/psql/command.c          |  2 +-
 src/bin/scripts/createuser.c    |  3 ++-
 src/interfaces/libpq/fe-auth.c  | 49 +++++++++++++++++++++++++++++++----------
 src/interfaces/libpq/libpq-fe.h |  3 ++-
 5 files changed, 47 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..fc1aa4b5e5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5887,7 +5887,8 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char * PQencryptPassword(const char *passwd, const char *user,
+                         const char *method);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
@@ -5901,6 +5902,9 @@ char * PQencryptPassword(const char *passwd, const char *user);
       memory.  The caller can assume the string doesn't contain any
       special characters that would require escaping.  Use
       <function>PQfreemem</> to free the result when done with it.
+      The encryption method of the password can be specified as
+      <literal>md5</> for hashing with MD5, <literal>scram</> for
+      hashing with SCRAM-SHA-256 and <literal>plain</> for cleartext.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 4f4a0aa9bd..25205f589b 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1135,7 +1135,7 @@ exec_command(const char *cmd,
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPassword(pw1, user, "md5");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..5af263e34a 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -275,7 +275,8 @@ main(int argc, char *argv[])
 			char	   *encrypted_password;
 
 			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+												   newuser,
+												   "md5");
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 5fe7e565a0..c94fb6127f 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
 #include "libpq/scram.h"
 #include "fe-auth.h"
@@ -919,27 +920,51 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are the cleartext password, the SQL name of the user it
+ * is for, and the name of password hashing method:
+ * - "scram", to hash password using SCRAM-SHA-256.
+ * - "md5", to hash password using MD5.
+ * - "plain", to get a cleartext value of password.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string, or NULL if out-of-memory or in
+ * the event of an error.  The client may assume the string doesn't
+ * contain any special characters that would require escaping.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPassword(const char *passwd, const char *user, const char *method)
 {
 	char	   *crypt_pwd;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
-		return NULL;
+	if (strcmp(method, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
+	}
+	else if (strcmp(method, "scram") == 0)
 	{
-		free(crypt_pwd);
-		return NULL;
+		crypt_pwd = malloc(SCRAM_VERIFIER_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
+
+		if (!scram_build_verifier(user, passwd, 0, crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
 	}
+	else if (strcmp(method, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+		return NULL;
 
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c312dd0152 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -596,7 +596,8 @@ extern int	PQenv2encoding(void);
 
 /* === in fe-auth.c === */
 
-extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPassword(const char *passwd, const char *user,
+							   const char *method);
 
 /* === in encnames.c === */
 
-- 
2.12.1

From 0fb421993918b1f1ffddf2b92169f72c27b5f7ec Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 14:07:16 +0900
Subject: [PATCH 5/5] Extend psql's \password and createuser to handle SCRAM
 verifier creation

Depending on the version of PostgreSQL those utilities are connected to,
generate MD5 verifiers when connecting to a server older than 10, and
MD5 otherwise.
---
 doc/src/sgml/ref/createuser.sgml |  6 ++++--
 doc/src/sgml/ref/psql-ref.sgml   |  4 +++-
 src/bin/psql/command.c           |  9 ++++++++-
 src/bin/scripts/createuser.c     | 16 +++++++++++++---
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 4332008c68..4454591d79 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -125,7 +125,9 @@ PostgreSQL documentation
       <listitem>
        <para>
         Encrypts the user's password stored in the database. If not
-        specified, the default password behavior is used.
+        specified, the default password behavior is used. The password
+        is hashed using SCRAM-SHA-256 when connecting to a version of
+        <productname>PostgreSQL</> newer than 10, and MD5 otherwise.
        </para>
       </listitem>
      </varlistentry>
@@ -477,7 +479,7 @@ PostgreSQL documentation
 <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
 <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput>
 <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
-<computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
+<computeroutput>CREATE ROLE joe PASSWORD 'scram-sha-256:aPheg4yCAFhStg==:4096:TOHLPF8w+NzqtcxD2oz9w5wPISutHLOXWMKoe4HCvuo=:lTG0OiB/ZH5/hsfUqnndRwfMziY5j5C6FS8IAIwL2nA=' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
 </screen>
     In the above example, the new password isn't actually echoed when typed,
     but we show what was typed for clarity.  As you see, the password is
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index 2a9c412020..c162f59b5a 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -2210,7 +2210,9 @@ lo_import 152801
         user).  This command prompts for the new password, encrypts it, and
         sends it to the server as an <command>ALTER ROLE</> command.  This
         makes sure that the new password does not appear in cleartext in the
-        command history, the server log, or elsewhere.
+        command history, the server log, or elsewhere. The password is hashed
+        with SCRAM-SHA-256 when connecting to <productname>PostgreSQL</> 10
+        and newer versions, and with MD5 otherwise.
         </para>
         </listitem>
       </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 25205f589b..b504e4a6cd 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1135,7 +1135,14 @@ exec_command(const char *cmd,
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user, "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (pset.sversion < 100000)
+				encrypted_password = PQencryptPassword(pw1, user, "md5");
+			else
+				encrypted_password = PQencryptPassword(pw1, user, "scram");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 5af263e34a..0107497e23 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -274,9 +274,19 @@ main(int argc, char *argv[])
 		{
 			char	   *encrypted_password;
 
-			encrypted_password = PQencryptPassword(newpassword,
-												   newuser,
-												   "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (PQserverVersion(conn) < 100000)
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "md5");
+			else
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "scram");
+
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
-- 
2.12.1

From 7451c393920d85dc74858055571aeb8643d9a2a1 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:36:42 +0900
Subject: [PATCH 2/5] Refactor frontend-side random number generation

pg_frontend_random() is moved into its own file in src/common/ to
give other portions of the code the ability to generate random numbers.
This will be used for the SCRAM verifier generation from clients.
---
 src/common/Makefile                  |  3 +-
 src/common/frontend_random.c         | 86 ++++++++++++++++++++++++++++++++++++
 src/include/common/frontend_random.h | 17 +++++++
 src/interfaces/libpq/.gitignore      |  1 +
 src/interfaces/libpq/Makefile        |  4 +-
 src/interfaces/libpq/fe-auth-scram.c | 59 +------------------------
 src/tools/msvc/Mkvcbuild.pm          |  2 +-
 7 files changed, 110 insertions(+), 62 deletions(-)
 create mode 100644 src/common/frontend_random.c
 create mode 100644 src/include/common/frontend_random.h

diff --git a/src/common/Makefile b/src/common/Makefile
index 971ddd5ea7..b516ec43f1 100644
--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -50,7 +50,8 @@ else
 OBJS_COMMON += sha2.o
 endif
 
-OBJS_FRONTEND = $(OBJS_COMMON) fe_memutils.o file_utils.o restricted_token.o
+OBJS_FRONTEND = $(OBJS_COMMON) fe_memutils.o file_utils.o frontend_random.c \
+	restricted_token.o
 
 OBJS_SRV = $(OBJS_COMMON:%.o=%_srv.o)
 
diff --git a/src/common/frontend_random.c b/src/common/frontend_random.c
new file mode 100644
index 0000000000..7ecc7d5fdf
--- /dev/null
+++ b/src/common/frontend_random.c
@@ -0,0 +1,86 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.c
+ *	  Frontend random number generation routine.
+ *
+ * pg_frontend_random() function fills a buffer with random bytes. Normally,
+ * it is just a thin wrapper around pg_strong_random(), but when compiled
+ * with --disable-strong-random, there is a built-in implementation.
+ *
+ * The built-in implementation uses the standard erand48 algorithm, with
+ * a seed calculated using the process ID and a timestamp.
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/common/frontend_random.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#ifndef FRONTEND
+#error "This file is not expected to be compiled for backend code"
+#endif
+
+#include "postgres_fe.h"
+#include "common/frontend_random.h"
+
+/* These are needed for getpid(), in the fallback implementation */
+#ifndef HAVE_STRONG_RANDOM
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+/*
+ * Random number generator.
+ */
+bool
+pg_frontend_random(char *dst, int len)
+{
+#ifdef HAVE_STRONG_RANDOM
+	return pg_strong_random(dst, len);
+#else
+	int			i;
+	char	   *end = dst + len;
+
+	static unsigned short seed[3];
+	static int	mypid = 0;
+
+	pglock_thread();
+
+	if (mypid != getpid())
+	{
+		struct timeval now;
+
+		gettimeofday(&now, NULL);
+
+		seed[0] = now.tv_sec ^ getpid();
+		seed[1] = (unsigned short) (now.tv_usec);
+		seed[2] = (unsigned short) (now.tv_usec >> 16);
+	}
+
+	for (i = 0; dst < end; i++)
+	{
+		uint32		r;
+		int			j;
+
+		/*
+		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
+		 * it.
+		 */
+		r = (uint32) pg_jrand48(seed);
+
+		for (j = 0; j < 4 && dst < end; j++)
+		{
+			*(dst++) = (char) (r & 0xFF);
+			r >>= 8;
+		}
+	}
+
+	pgunlock_thread();
+
+	return true;
+#endif
+}
diff --git a/src/include/common/frontend_random.h b/src/include/common/frontend_random.h
new file mode 100644
index 0000000000..600c55ace9
--- /dev/null
+++ b/src/include/common/frontend_random.h
@@ -0,0 +1,17 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.h
+ *		Declarations for frontend random number generation
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ *
+ *	  src/include/common/frontend_random.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef FRONTEND_RANDOM_H
+#define FRONTEND_RANDOM_H
+
+extern bool pg_frontend_random(char *dst, int len);
+
+#endif   /* FRONTEND_RANDOM_H */
diff --git a/src/interfaces/libpq/.gitignore b/src/interfaces/libpq/.gitignore
index 2224ada731..f84bc35706 100644
--- a/src/interfaces/libpq/.gitignore
+++ b/src/interfaces/libpq/.gitignore
@@ -2,6 +2,7 @@
 /base64.c
 /chklocale.c
 /crypt.c
+/frontend_random.c
 /getaddrinfo.c
 /getpeereid.c
 /inet_aton.c
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 36b57268a7..269f48ab1e 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -49,7 +49,7 @@ endif
 # src/backend/utils/mb
 OBJS += encnames.o wchar.o
 # src/common
-OBJS += base64.o ip.o md5.o scram-common.o
+OBJS += base64.o frontend_random.o ip.o md5.o scram-common.o
 
 ifeq ($(with_openssl),yes)
 OBJS += fe-secure-openssl.o sha2_openssl.o
@@ -106,7 +106,7 @@ backend_src = $(top_srcdir)/src/backend
 chklocale.c crypt.c erand48.c getaddrinfo.c getpeereid.c inet_aton.c inet_net_ntop.c noblock.c open.c system.c pgsleep.c pg_strong_random.c pgstrcasecmp.c pqsignal.c snprintf.c strerror.c strlcpy.c thread.c win32error.c win32setlocale.c: % : $(top_srcdir)/src/port/%
 	rm -f $@ && $(LN_S) $< .
 
-ip.c md5.c base64.c scram-common.c sha2.c sha2_openssl.c: % : $(top_srcdir)/src/common/%
+ip.c md5.c base64.c frontend_random.c scram-common.c sha2.c sha2_openssl.c: % : $(top_srcdir)/src/common/%
 	rm -f $@ && $(LN_S) $< .
 
 encnames.c wchar.c: % : $(backend_src)/utils/mb/%
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index a7bb30a141..6390ccf30d 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -15,14 +15,10 @@
 #include "postgres_fe.h"
 
 #include "common/base64.h"
+#include "common/frontend_random.h"
 #include "common/scram-common.h"
 #include "fe-auth.h"
 
-/* These are needed for getpid(), in the fallback implementation */
-#ifndef HAVE_STRONG_RANDOM
-#include <sys/types.h>
-#include <unistd.h>
-#endif
 
 /*
  * Status of exchange messages used for SCRAM authentication via the
@@ -73,7 +69,6 @@ static bool verify_server_proof(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
 					   uint8 *result);
-static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
@@ -586,55 +581,3 @@ verify_server_proof(fe_scram_state *state)
 
 	return true;
 }
-
-/*
- * Random number generator.
- */
-static bool
-pg_frontend_random(char *dst, int len)
-{
-#ifdef HAVE_STRONG_RANDOM
-	return pg_strong_random(dst, len);
-#else
-	int			i;
-	char	   *end = dst + len;
-
-	static unsigned short seed[3];
-	static int	mypid = 0;
-
-	pglock_thread();
-
-	if (mypid != getpid())
-	{
-		struct timeval now;
-
-		gettimeofday(&now, NULL);
-
-		seed[0] = now.tv_sec ^ getpid();
-		seed[1] = (unsigned short) (now.tv_usec);
-		seed[2] = (unsigned short) (now.tv_usec >> 16);
-	}
-
-	for (i = 0; dst < end; i++)
-	{
-		uint32		r;
-		int			j;
-
-		/*
-		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
-		 * it.
-		 */
-		r = (uint32) pg_jrand48(seed);
-
-		for (j = 0; j < 4 && dst < end; j++)
-		{
-			*(dst++) = (char) (r & 0xFF);
-			r >>= 8;
-		}
-	}
-
-	pgunlock_thread();
-
-	return true;
-#endif
-}
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 12f73f344c..615c769483 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -125,7 +125,7 @@ sub mkvcbuild
 
 	our @pgcommonfrontendfiles = (
 		@pgcommonallfiles, qw(fe_memutils.c file_utils.c
-		  restricted_token.c));
+		  frontend_random.c restricted_token.c));
 
 	our @pgcommonbkndfiles = @pgcommonallfiles;
 
-- 
2.12.1

From 4b7733cabde0e0a8da4a42d0c6cc736860871f5a Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:31:38 +0900
Subject: [PATCH 1/5] Use base64-based encoding for stored and server keys in
 SCRAM verifiers

In order to be able to generate a SCRAM verifier even for frontends, let's
simplify the tools used to generate it and switch all the elements of the
verifiers to be base64-encoded using the routines already in place in
src/common/.
---
 doc/src/sgml/catalogs.sgml             |  2 +-
 src/backend/libpq/auth-scram.c         | 30 +++++++++++++++++-------------
 src/test/regress/expected/password.out |  8 ++++----
 src/test/regress/sql/password.sql      |  8 ++++----
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 5883673448..3d5999d829 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1382,7 +1382,7 @@
    identify the password as a SCRAM-SHA-256 verifier. The second field is a
    salt, Base64-encoded, and the third field is the number of iterations used
    to generate the password.  The fourth field and fifth field are the stored
-   key and server key, respectively, in hexadecimal format. A password that
+   key and server key, respectively, in Base64 format. A password that
    does not follow either of those formats is assumed to be unencrypted.
   </para>
  </sect1>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 14ddc8bd54..8fef0e995d 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -339,8 +339,8 @@ scram_build_verifier(const char *username, const char *password,
 					 int iterations)
 {
 	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char		storedkey_hex[SCRAM_KEY_LEN * 2 + 1];
-	char		serverkey_hex[SCRAM_KEY_LEN * 2 + 1];
+	char	   *encoded_storedkey;
+	char	   *encoded_serverkey;
 	char		salt[SCRAM_SALT_LEN];
 	char	   *encoded_salt;
 	int			encoded_len;
@@ -360,20 +360,25 @@ scram_build_verifier(const char *username, const char *password,
 	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
 	encoded_salt[encoded_len] = '\0';
 
-	/* Calculate StoredKey, and encode it in hex */
+	/* Calculate StoredKey, and encode it in base64 */
+	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
 							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
 	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, storedkey_hex);
-	storedkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_storedkey);
+	encoded_storedkey[encoded_len] = '\0';
 
 	/* And same for ServerKey */
+	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
 							SCRAM_SERVER_KEY_NAME, keybuf);
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, serverkey_hex);
-	serverkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_serverkey);
+	encoded_serverkey[encoded_len] = '\0';
 
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations, storedkey_hex, serverkey_hex);
+	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
+					encoded_storedkey, encoded_serverkey);
 }
 
 /*
@@ -483,17 +488,16 @@ parse_scram_verifier(const char *verifier, char **salt, int *iterations,
 	/* storedkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) stored_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) stored_key);
 
 	/* serverkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) server_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) server_key);
 
 	pfree(v);
 	return true;
diff --git a/src/test/regress/expected/password.out b/src/test/regress/expected/password.out
index c503e43abe..0cdb6141e2 100644
--- a/src/test/regress/expected/password.out
+++ b/src/test/regress/expected/password.out
@@ -23,11 +23,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -59,11 +59,11 @@ ALTER ROLE regress_passwd1 UNENCRYPTED PASSWORD 'foo'; -- unencrypted
 ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab9cdb'; -- encrypted with MD5
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
diff --git a/src/test/regress/sql/password.sql b/src/test/regress/sql/password.sql
index f4b3a9ac3a..df1ff989cc 100644
--- a/src/test/regress/sql/password.sql
+++ b/src/test/regress/sql/password.sql
@@ -24,11 +24,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -48,13 +48,13 @@ ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
 
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
 
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
-- 
2.12.2

From 62235ef08fa8ce64f90e55e640df39c5b9d23f10 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:10:15 +0900
Subject: [PATCH 2/5] Move routine to build SCRAM verifier into src/common/

This is aimed at being used by libpq to allow frontend-side creation
of SCRAM verifiers. The result is not anymore allocated by the routine
itself, the caller is responsible for that, similarly to md5.
---
 src/backend/libpq/auth-scram.c    | 65 +++++++--------------------------------
 src/backend/libpq/crypt.c         | 21 +++++++++++--
 src/common/scram-common.c         | 56 +++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h | 20 ++++++++++++
 src/include/libpq/scram.h         |  5 +--
 5 files changed, 107 insertions(+), 60 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 8fef0e995d..22f1e1a6c6 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -172,9 +172,18 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 			 * The stored password is in plain format.  Generate a fresh SCRAM
 			 * verifier from it, and proceed with that.
 			 */
-			char	   *verifier;
+			char	   *verifier = palloc(SCRAM_VERIFIER_LEN + 1);
+			char		salt[SCRAM_SALT_LEN];
 
-			verifier = scram_build_verifier(username, shadow_pass, 0);
+			if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+			{
+				ereport(LOG,
+						(errcode(ERRCODE_INTERNAL_ERROR),
+						 errmsg("could not generate random salt")));
+				return NULL;
+			}
+
+			(void) scram_build_verifier(username, shadow_pass, salt, 0, verifier);
 
 			(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
 										state->StoredKey, state->ServerKey);
@@ -328,58 +337,6 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 	return result;
 }
 
-/*
- * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
- *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
- */
-char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
-{
-	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	char		salt[SCRAM_SALT_LEN];
-	char	   *encoded_salt;
-	int			encoded_len;
-
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
-	{
-		ereport(LOG,
-				(errcode(ERRCODE_INTERNAL_ERROR),
-				 errmsg("could not generate random salt")));
-		return NULL;
-	}
-
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
-					encoded_storedkey, encoded_serverkey);
-}
 
 /*
  * Verify a plaintext password against a SCRAM verifier.  This is used when
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 34beab5334..a0426f5450 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -20,9 +20,11 @@
 
 #include "catalog/pg_authid.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/crypt.h"
 #include "libpq/scram.h"
 #include "miscadmin.h"
+#include "utils/backend_random.h"
 #include "utils/builtins.h"
 #include "utils/syscache.h"
 #include "utils/timestamp.h"
@@ -156,8 +158,23 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
-
+				{
+					char salt[SCRAM_SALT_LEN];
+
+					if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+					{
+						ereport(ERROR,
+								(errcode(ERRCODE_INTERNAL_ERROR),
+								 errmsg("could not generate random salt")));
+						return NULL;
+					}
+
+					encrypted_password = palloc(SCRAM_VERIFIER_LEN + 1);
+					if (!scram_build_verifier(role, password, salt, 0,
+											  encrypted_password))
+						elog(ERROR, "password encryption failed");
+					return encrypted_password;
+				}
 				case PASSWORD_TYPE_MD5:
 
 					/*
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index e44f38f652..03bdc7b9d2 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -184,3 +184,59 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * stored in "verifier" that caller is responsible to allocate a buffer of
+ * size SCRAM_VERIFIER_LEN.  Returns true if the verifier has been generated,
+ * false otherwise.  It is important for this routine to do no memory
+ * allocations. The salt defined by the caller needs to be a buffer pre-filled
+ * with random data of length SCRAM_SALT_LEN.
+ */
+bool
+scram_build_verifier(const char *username, const char *password,
+					 const char *salt, int iterations, char *verifier)
+{
+	uint8		keybuf[SCRAM_KEY_LEN + 1];
+	char		intbuf[12];
+	char	   *p;
+
+	if (iterations <= 0)
+		iterations = SCRAM_ITERATIONS_DEFAULT;
+
+	/* Fill in the data of the verifier */
+	p = verifier;
+	memcpy(p, SCRAM_VERIFIER_PREFIX, strlen(SCRAM_VERIFIER_PREFIX));
+	p += strlen(SCRAM_VERIFIER_PREFIX);
+	*p++ = ':';
+
+	/* salt */
+	(void) pg_b64_encode(salt, SCRAM_SALT_LEN, p);
+	p += pg_b64_enc_len(SCRAM_SALT_LEN);
+	*p++ = ':';
+
+	/* iterations */
+	sprintf(intbuf, "%d", iterations);
+	memcpy(p, intbuf, strlen(intbuf));
+	p += strlen(intbuf);
+	*p++ = ':';
+
+	/* Calculate StoredKey, and encode it in base64 */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
+							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
+	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = ':';
+
+	/* And same for ServerKey */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
+							SCRAM_SERVER_KEY_NAME, keybuf);
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = '\0';
+
+	return true;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 6740069eee..fcf3b98ba6 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -13,6 +13,7 @@
 #ifndef SCRAM_COMMON_H
 #define SCRAM_COMMON_H
 
+#include "common/base64.h"
 #include "common/sha2.h"
 
 /* Length of SCRAM keys (client and server) */
@@ -38,6 +39,22 @@
 #define SCRAM_SERVER_KEY_NAME "Server Key"
 #define SCRAM_CLIENT_KEY_NAME "Client Key"
 
+#define SCRAM_VERIFIER_PREFIX "scram-sha-256"
+
+/*
+ * Length of a SCRAM verifier, which is made of the following five fields
+ * separated by a colon:
+ * - prefix "scram-sha-256", made of 13 characters.
+ * - 4 colon separators.
+ * - 32-bit number of interations, up to 11 characters.
+ * - base64-encoded salt of length SCRAM_SALT_LEN
+ * - base64-encoded stored key of length SCRAM_KEY_LEN
+ * - base64-encoded server key of length SCRAM_KEY_LEN
+ */
+#define SCRAM_VERIFIER_LEN (strlen("scram-sha-256") + 4 + 11 + \
+							pg_b64_enc_len(SCRAM_SALT_LEN) + \
+							pg_b64_enc_len(SCRAM_KEY_LEN) * 2)
+
 /*
  * Context data for HMAC used in SCRAM authentication.
  */
@@ -55,5 +72,8 @@ extern void scram_H(const uint8 *str, int len, uint8 *result);
 extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
+extern bool scram_build_verifier(const char *username, const char *password,
+								 const char *salt, int iterations,
+								 char *verifier);
 
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e373f0c07e..803fc4ef7a 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -26,10 +26,7 @@ extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-/* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+/* Routines to check SCRAM-SHA-256 verifier */
 extern bool is_scram_verifier(const char *verifier);
 extern bool scram_verify_plain_password(const char *username,
 							const char *password, const char *verifier);
-- 
2.12.2

From 6f8baee4ef5fbc0b7d4b2a352b7667f70d1e0c31 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:24:44 +0900
Subject: [PATCH 3/5] Refactor frontend-side random number generation

pg_frontend_random() is moved into its own file in libpq/ to give other
portions of the libpq code the ability to generate random numbers. This
will be used for the SCRAM verifier generation from clients.
---
 src/interfaces/libpq/Makefile        |  2 +-
 src/interfaces/libpq/fe-auth-scram.c | 53 -----------------------
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/interfaces/libpq/libpq-random.c  | 84 ++++++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-random.h  | 17 ++++++++
 src/tools/msvc/Install.pm            |  2 +-
 6 files changed, 104 insertions(+), 55 deletions(-)
 create mode 100644 src/interfaces/libpq/libpq-random.c
 create mode 100644 src/interfaces/libpq/libpq-random.h

diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 36b57268a7..1d20ae9ac2 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -33,7 +33,7 @@ LIBS := $(LIBS:-lpgport=)
 # OBJS from this file.
 OBJS=	fe-auth.o fe-auth-scram.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 	fe-protocol2.o fe-protocol3.o pqexpbuffer.o fe-secure.o \
-	libpq-events.o
+	libpq-events.o libpq-random.o
 # libpgport C files we always use
 OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o \
 	thread.o
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 818ade4993..e6661a6524 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -73,7 +73,6 @@ static bool verify_server_proof(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
 					   uint8 *result);
-static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
@@ -586,55 +585,3 @@ verify_server_proof(fe_scram_state *state)
 
 	return true;
 }
-
-/*
- * Random number generator.
- */
-static bool
-pg_frontend_random(char *dst, int len)
-{
-#ifdef HAVE_STRONG_RANDOM
-	return pg_strong_random(dst, len);
-#else
-	int			i;
-	char	   *end = dst + len;
-
-	static unsigned short seed[3];
-	static int	mypid = 0;
-
-	pglock_thread();
-
-	if (mypid != getpid())
-	{
-		struct timeval now;
-
-		gettimeofday(&now, NULL);
-
-		seed[0] = now.tv_sec ^ getpid();
-		seed[1] = (unsigned short) (now.tv_usec);
-		seed[2] = (unsigned short) (now.tv_usec >> 16);
-	}
-
-	for (i = 0; dst < end; i++)
-	{
-		uint32		r;
-		int			j;
-
-		/*
-		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
-		 * it.
-		 */
-		r = (uint32) pg_jrand48(seed);
-
-		for (j = 0; j < 4 && dst < end; j++)
-		{
-			*(dst++) = (char) (r & 0xFF);
-			r >>= 8;
-		}
-	}
-
-	pgunlock_thread();
-
-	return true;
-#endif
-}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index b8ec3418c5..6b72a17a75 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -22,6 +22,7 @@
 
 /* We assume libpq-fe.h has already been included. */
 #include "libpq-events.h"
+#include "libpq-random.h"
 
 #include <time.h>
 #ifndef WIN32
diff --git a/src/interfaces/libpq/libpq-random.c b/src/interfaces/libpq/libpq-random.c
new file mode 100644
index 0000000000..5e788dc821
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.c
@@ -0,0 +1,84 @@
+/*-------------------------------------------------------------------------
+ *
+ * libpq-random.c
+ *	  Frontend random number generation routine for libpq.
+ *
+ * pg_frontend_random() function fills a buffer with random bytes. Normally,
+ * it is just a thin wrapper around pg_strong_random(), but when compiled
+ * with --disable-strong-random, there is a built-in implementation.
+ *
+ * The built-in implementation uses the standard erand48 algorithm, with
+ * a seed calculated using the process ID and a timestamp.
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/libpq-random.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+#include "libpq-int.h"
+
+/* These are needed for getpid(), in the fallback implementation */
+#ifndef HAVE_STRONG_RANDOM
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+/*
+ * Random number generator.
+ */
+bool
+pg_frontend_random(char *dst, int len)
+{
+#ifdef HAVE_STRONG_RANDOM
+	return pg_strong_random(dst, len);
+#else
+	int			i;
+	char	   *end = dst + len;
+
+	static unsigned short seed[3];
+	static int	mypid = 0;
+
+	pglock_thread();
+
+	if (mypid != getpid())
+	{
+		struct timeval now;
+
+		gettimeofday(&now, NULL);
+
+		seed[0] = now.tv_sec ^ getpid();
+		seed[1] = (unsigned short) (now.tv_usec);
+		seed[2] = (unsigned short) (now.tv_usec >> 16);
+	}
+
+	for (i = 0; dst < end; i++)
+	{
+		uint32		r;
+		int			j;
+
+		/*
+		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
+		 * it.
+		 */
+		r = (uint32) pg_jrand48(seed);
+
+		for (j = 0; j < 4 && dst < end; j++)
+		{
+			*(dst++) = (char) (r & 0xFF);
+			r >>= 8;
+		}
+	}
+
+	pgunlock_thread();
+
+	return true;
+#endif
+}
diff --git a/src/interfaces/libpq/libpq-random.h b/src/interfaces/libpq/libpq-random.h
new file mode 100644
index 0000000000..054998b8d9
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.h
@@ -0,0 +1,17 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.h
+ *	  Declarations for frontend random number generation
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ *
+ *	  src/interfaces/libpq/libpq-random.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef LIBPQ_RANDOM_H
+#define LIBPQ_RANDOM_H
+
+extern bool pg_frontend_random(char *dst, int len);
+
+#endif   /* LIBPQ_RANDOM_H */
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index 35ad5b8a44..4acd6592ad 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -601,7 +601,7 @@ sub CopyIncludeFiles
 	CopyFiles(
 		'Libpq internal headers',
 		$target . '/include/internal/',
-		'src/interfaces/libpq/', 'libpq-int.h', 'pqexpbuffer.h');
+		'src/interfaces/libpq/', 'libpq-int.h', 'libpq-random.h', 'pqexpbuffer.h');
 
 	CopyFiles(
 		'Internal headers',
-- 
2.12.2

From 2c06cfea054dab44b8df393700e052ff01e3bd22 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:39:27 +0900
Subject: [PATCH 4/5] Extend PQencryptPassword with a hashing method

This extra argument can use the following values when hashing the
password:
- scram, for SCRAM-SHA-256 hashing.
- md5, for MD5 hashing.
- plain, for cleartext.
---
 doc/src/sgml/libpq.sgml         |  6 ++++-
 src/bin/psql/command.c          |  2 +-
 src/bin/scripts/createuser.c    |  3 ++-
 src/interfaces/libpq/fe-auth.c  | 54 ++++++++++++++++++++++++++++++++---------
 src/interfaces/libpq/libpq-fe.h |  3 ++-
 5 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..fc1aa4b5e5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5887,7 +5887,8 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char * PQencryptPassword(const char *passwd, const char *user,
+                         const char *method);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
@@ -5901,6 +5902,9 @@ char * PQencryptPassword(const char *passwd, const char *user);
       memory.  The caller can assume the string doesn't contain any
       special characters that would require escaping.  Use
       <function>PQfreemem</> to free the result when done with it.
+      The encryption method of the password can be specified as
+      <literal>md5</> for hashing with MD5, <literal>scram</> for
+      hashing with SCRAM-SHA-256 and <literal>plain</> for cleartext.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 494f468575..9716c98fc2 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1882,7 +1882,7 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPassword(pw1, user, "md5");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..5af263e34a 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -275,7 +275,8 @@ main(int argc, char *argv[])
 			char	   *encrypted_password;
 
 			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+												   newuser,
+												   "md5");
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 5fe7e565a0..40d4be3ca6 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
 #include "libpq/scram.h"
 #include "fe-auth.h"
@@ -919,27 +920,56 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are the cleartext password, the SQL name of the user it
+ * is for, and the name of password hashing method:
+ * - "scram", to hash password using SCRAM-SHA-256.
+ * - "md5", to hash password using MD5.
+ * - "plain", to get a cleartext value of password.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string, or NULL if out-of-memory or in
+ * the event of an error.  The client may assume the string doesn't
+ * contain any special characters that would require escaping.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPassword(const char *passwd, const char *user, const char *method)
 {
 	char	   *crypt_pwd;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
-		return NULL;
+	if (strcmp(method, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
+	}
+	else if (strcmp(method, "scram") == 0)
 	{
-		free(crypt_pwd);
-		return NULL;
+		char		salt[SCRAM_SALT_LEN];
+
+		crypt_pwd = malloc(SCRAM_VERIFIER_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
+
+		if (!pg_frontend_random(salt, SCRAM_SALT_LEN))
+			return NULL;
+
+		if (!scram_build_verifier(user, passwd, salt, 0, crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
 	}
+	else if (strcmp(method, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+		return NULL;
 
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c312dd0152 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -596,7 +596,8 @@ extern int	PQenv2encoding(void);
 
 /* === in fe-auth.c === */
 
-extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPassword(const char *passwd, const char *user,
+							   const char *method);
 
 /* === in encnames.c === */
 
-- 
2.12.2

From 78c9d261c5ea611dd19c97053201e2fea0c54cb5 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 14:07:16 +0900
Subject: [PATCH 5/5] Extend psql's \password and createuser to handle SCRAM
 verifier creation

Depending on the version of PostgreSQL those utilities are connected to,
generate MD5 verifiers when connecting to a server older than 10, and
MD5 otherwise.
---
 doc/src/sgml/ref/createuser.sgml |  6 ++++--
 doc/src/sgml/ref/psql-ref.sgml   |  4 +++-
 src/bin/psql/command.c           |  9 ++++++++-
 src/bin/scripts/createuser.c     | 16 +++++++++++++---
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 4332008c68..4454591d79 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -125,7 +125,9 @@ PostgreSQL documentation
       <listitem>
        <para>
         Encrypts the user's password stored in the database. If not
-        specified, the default password behavior is used.
+        specified, the default password behavior is used. The password
+        is hashed using SCRAM-SHA-256 when connecting to a version of
+        <productname>PostgreSQL</> newer than 10, and MD5 otherwise.
        </para>
       </listitem>
      </varlistentry>
@@ -477,7 +479,7 @@ PostgreSQL documentation
 <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
 <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput>
 <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
-<computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
+<computeroutput>CREATE ROLE joe PASSWORD 'scram-sha-256:aPheg4yCAFhStg==:4096:TOHLPF8w+NzqtcxD2oz9w5wPISutHLOXWMKoe4HCvuo=:lTG0OiB/ZH5/hsfUqnndRwfMziY5j5C6FS8IAIwL2nA=' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
 </screen>
     In the above example, the new password isn't actually echoed when typed,
     but we show what was typed for clarity.  As you see, the password is
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index 3b86612862..749221aa76 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -2380,7 +2380,9 @@ lo_import 152801
         user).  This command prompts for the new password, encrypts it, and
         sends it to the server as an <command>ALTER ROLE</> command.  This
         makes sure that the new password does not appear in cleartext in the
-        command history, the server log, or elsewhere.
+        command history, the server log, or elsewhere. The password is hashed
+        with SCRAM-SHA-256 when connecting to <productname>PostgreSQL</> 10
+        and newer versions, and with MD5 otherwise.
         </para>
         </listitem>
       </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 9716c98fc2..4e9b526e43 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1882,7 +1882,14 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user, "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (pset.sversion < 100000)
+				encrypted_password = PQencryptPassword(pw1, user, "md5");
+			else
+				encrypted_password = PQencryptPassword(pw1, user, "scram");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 5af263e34a..0107497e23 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -274,9 +274,19 @@ main(int argc, char *argv[])
 		{
 			char	   *encrypted_password;
 
-			encrypted_password = PQencryptPassword(newpassword,
-												   newuser,
-												   "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (PQserverVersion(conn) < 100000)
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "md5");
+			else
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "scram");
+
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
-- 
2.12.2

From 6f66728f4173b8bfb6850ae936f60e81eae1657c Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 13:31:38 +0900
Subject: [PATCH 1/5] Use base64-based encoding for stored and server keys in
 SCRAM verifiers

In order to be able to generate a SCRAM verifier even for frontends, let's
simplify the tools used to generate it and switch all the elements of the
verifiers to be base64-encoded using the routines already in place in
src/common/.
---
 doc/src/sgml/catalogs.sgml             |  2 +-
 src/backend/libpq/auth-scram.c         | 30 +++++++++++++++++-------------
 src/test/regress/expected/password.out |  8 ++++----
 src/test/regress/sql/password.sql      |  8 ++++----
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 5883673448..3d5999d829 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1382,7 +1382,7 @@
    identify the password as a SCRAM-SHA-256 verifier. The second field is a
    salt, Base64-encoded, and the third field is the number of iterations used
    to generate the password.  The fourth field and fifth field are the stored
-   key and server key, respectively, in hexadecimal format. A password that
+   key and server key, respectively, in Base64 format. A password that
    does not follow either of those formats is assumed to be unencrypted.
   </para>
  </sect1>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 5077ff33b1..75a261bd36 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -371,8 +371,8 @@ scram_build_verifier(const char *username, const char *password,
 					 int iterations)
 {
 	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char		storedkey_hex[SCRAM_KEY_LEN * 2 + 1];
-	char		serverkey_hex[SCRAM_KEY_LEN * 2 + 1];
+	char	   *encoded_storedkey;
+	char	   *encoded_serverkey;
 	char		salt[SCRAM_SALT_LEN];
 	char	   *encoded_salt;
 	int			encoded_len;
@@ -403,23 +403,28 @@ scram_build_verifier(const char *username, const char *password,
 	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
 	encoded_salt[encoded_len] = '\0';
 
-	/* Calculate StoredKey, and encode it in hex */
+	/* Calculate StoredKey, and encode it in base64 */
+	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
 							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
 	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, storedkey_hex);
-	storedkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_storedkey);
+	encoded_storedkey[encoded_len] = '\0';
 
 	/* And same for ServerKey */
+	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
 	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
 							SCRAM_SERVER_KEY_NAME, keybuf);
-	(void) hex_encode((const char *) keybuf, SCRAM_KEY_LEN, serverkey_hex);
-	serverkey_hex[SCRAM_KEY_LEN * 2] = '\0';
+	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
+								encoded_serverkey);
+	encoded_serverkey[encoded_len] = '\0';
 
 	if (prep_password)
 		pfree(prep_password);
 
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations, storedkey_hex, serverkey_hex);
+	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
+					encoded_storedkey, encoded_serverkey);
 }
 
 /*
@@ -538,17 +543,16 @@ parse_scram_verifier(const char *verifier, char **salt, int *iterations,
 	/* storedkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) stored_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) stored_key);
 
 	/* serverkey */
 	if ((p = strtok(NULL, ":")) == NULL)
 		goto invalid_verifier;
-	if (strlen(p) != SCRAM_KEY_LEN * 2)
+	if (strlen(p) != pg_b64_enc_len(SCRAM_KEY_LEN) - 1)
 		goto invalid_verifier;
-	hex_decode(p, SCRAM_KEY_LEN * 2, (char *) server_key);
+	pg_b64_decode(p, pg_b64_enc_len(SCRAM_KEY_LEN), (char *) server_key);
 
 	pfree(v);
 	return true;
diff --git a/src/test/regress/expected/password.out b/src/test/regress/expected/password.out
index c503e43abe..0cdb6141e2 100644
--- a/src/test/regress/expected/password.out
+++ b/src/test/regress/expected/password.out
@@ -23,11 +23,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -59,11 +59,11 @@ ALTER ROLE regress_passwd1 UNENCRYPTED PASSWORD 'foo'; -- unencrypted
 ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab9cdb'; -- encrypted with MD5
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
diff --git a/src/test/regress/sql/password.sql b/src/test/regress/sql/password.sql
index f4b3a9ac3a..df1ff989cc 100644
--- a/src/test/regress/sql/password.sql
+++ b/src/test/regress/sql/password.sql
@@ -24,11 +24,11 @@ CREATE ROLE regress_passwd5 PASSWORD NULL;
 -- check list of created entries
 --
 -- The scram verifier will look something like:
--- scram-sha-256:E4HxLGtnRzsYwg==:4096:5ebc825510cb7862efd87dfa638d8337179e6913a724441dc9e888a856fbc10c:e966b1c72fad89d69aaebb156eae04edc9581286f92207c044711e79cd461bee
+-- scram-sha-256:E4HxLGtnRzsYwg==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo=
 --
 -- Since the salt is random, the exact value stored will be different on every test
 -- run. Use a regular expression to mask the changing parts.
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
@@ -48,13 +48,13 @@ ALTER ROLE regress_passwd2 UNENCRYPTED PASSWORD 'md5dfa155cadd5f4ad57860162f3fab
 SET password_encryption = 'md5';
 ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
 
-ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
+ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:6YtlR4t69SguDiwFvbVgVZtuz6gpJQQqUMZ7IQJK5yI=:ps75jrHeYU4lXCcXI4O8oIdJ3eO8o2jirjruw9phBTo='; -- client-supplied SCRAM verifier, use as it is
 
 SET password_encryption = 'scram';
 ALTER ROLE  regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
 CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
 
-SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
+SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):([a-zA-Z0-9+/]+=):([a-zA-Z0-9+/]+=)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
     FROM pg_authid
     WHERE rolname LIKE 'regress_passwd%'
     ORDER BY rolname, rolpassword;
-- 
2.12.2

From b6ed8cfed14fa3eb272ec514f5e5a7d46944cf99 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Mon, 10 Apr 2017 14:33:51 +0900
Subject: [PATCH 2/5] Move routine to build SCRAM verifier into src/common/

This is aimed at being used by libpq to allow frontend-side creation
of SCRAM verifiers. The result is not anymore allocated by the routine
itself, the caller is responsible for that, similarly to md5.
---
 src/backend/libpq/auth-scram.c    | 79 ++++++---------------------------------
 src/backend/libpq/crypt.c         | 21 ++++++++++-
 src/common/scram-common.c         | 78 ++++++++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h | 20 ++++++++++
 src/include/libpq/scram.h         |  5 +--
 5 files changed, 129 insertions(+), 74 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 75a261bd36..aa05662af2 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -204,9 +204,18 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 			 * The stored password is in plain format.  Generate a fresh SCRAM
 			 * verifier from it, and proceed with that.
 			 */
-			char	   *verifier;
+			char	   *verifier = palloc(SCRAM_VERIFIER_LEN + 1);
+			char		salt[SCRAM_SALT_LEN];
 
-			verifier = scram_build_verifier(username, shadow_pass, 0);
+			if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+			{
+				ereport(LOG,
+						(errcode(ERRCODE_INTERNAL_ERROR),
+						 errmsg("could not generate random salt")));
+				return NULL;
+			}
+
+			(void) scram_build_verifier(username, shadow_pass, salt, 0, verifier);
 
 			(void) parse_scram_verifier(verifier, &state->salt, &state->iterations,
 										state->StoredKey, state->ServerKey);
@@ -360,72 +369,6 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 	return result;
 }
 
-/*
- * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
- *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
- */
-char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
-{
-	uint8		keybuf[SCRAM_KEY_LEN + 1];
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	char		salt[SCRAM_SALT_LEN];
-	char	   *encoded_salt;
-	int			encoded_len;
-	char	   *prep_password = NULL;
-	pg_saslprep_rc rc;
-
-	/*
-	 * Normalize the password with SASLprep.  If that doesn't work, because
-	 * the password isn't valid UTF-8 or contains prohibited characters, just
-	 * proceed with the original password.  (See comments at top of file.)
-	 */
-	rc = pg_saslprep(password, &prep_password);
-	if (rc == SASLPREP_SUCCESS)
-		password = (const char *) prep_password;
-
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	if (!pg_backend_random(salt, SCRAM_SALT_LEN))
-	{
-		ereport(LOG,
-				(errcode(ERRCODE_INTERNAL_ERROR),
-				 errmsg("could not generate random salt")));
-		return NULL;
-	}
-
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(salt, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	if (prep_password)
-		pfree(prep_password);
-
-	return psprintf("scram-sha-256:%s:%d:%s:%s", encoded_salt, iterations,
-					encoded_storedkey, encoded_serverkey);
-}
 
 /*
  * Verify a plaintext password against a SCRAM verifier.  This is used when
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index 34beab5334..a0426f5450 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -20,9 +20,11 @@
 
 #include "catalog/pg_authid.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/crypt.h"
 #include "libpq/scram.h"
 #include "miscadmin.h"
+#include "utils/backend_random.h"
 #include "utils/builtins.h"
 #include "utils/syscache.h"
 #include "utils/timestamp.h"
@@ -156,8 +158,23 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
-
+				{
+					char salt[SCRAM_SALT_LEN];
+
+					if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+					{
+						ereport(ERROR,
+								(errcode(ERRCODE_INTERNAL_ERROR),
+								 errmsg("could not generate random salt")));
+						return NULL;
+					}
+
+					encrypted_password = palloc(SCRAM_VERIFIER_LEN + 1);
+					if (!scram_build_verifier(role, password, salt, 0,
+											  encrypted_password))
+						elog(ERROR, "password encryption failed");
+					return encrypted_password;
+				}
 				case PASSWORD_TYPE_MD5:
 
 					/*
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index df9f0eaa90..2e5ec0c6c0 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -23,6 +23,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#include "common/saslprep.h"
 #include "common/scram-common.h"
 
 #define HMAC_IPAD 0x36
@@ -165,3 +166,80 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * stored in "verifier" that caller is responsible to allocate a buffer of
+ * size SCRAM_VERIFIER_LEN.  Returns true if the verifier has been generated,
+ * false otherwise.  It is important for this routine to do no memory
+ * allocations (SASLprep is an exception to that as the prepared password's
+ * length is estimated locally). The salt defined by the caller needs to be a
+ * buffer pre-filled with random data of length SCRAM_SALT_LEN.
+ */
+bool
+scram_build_verifier(const char *username, const char *password,
+					 const char *salt, int iterations, char *verifier)
+{
+	uint8		keybuf[SCRAM_KEY_LEN + 1];
+	char		intbuf[12];
+	char	   *p;
+	char	   *prep_password = NULL;
+	pg_saslprep_rc rc;
+
+	/*
+	 * Normalize the password with SASLprep.  If that doesn't work, because
+	 * the password isn't valid UTF-8 or contains prohibited characters, just
+	 * proceed with the original password.  (See comments at top of
+	 * auth-scram.c.)
+	 */
+	rc = pg_saslprep(password, &prep_password);
+	if (rc == SASLPREP_SUCCESS)
+		password = (const char *) prep_password;
+
+	if (iterations <= 0)
+		iterations = SCRAM_ITERATIONS_DEFAULT;
+
+	/* Fill in the data of the verifier */
+	p = verifier;
+	memcpy(p, SCRAM_VERIFIER_PREFIX, strlen(SCRAM_VERIFIER_PREFIX));
+	p += strlen(SCRAM_VERIFIER_PREFIX);
+	*p++ = ':';
+
+	/* salt */
+	(void) pg_b64_encode(salt, SCRAM_SALT_LEN, p);
+	p += pg_b64_enc_len(SCRAM_SALT_LEN);
+	*p++ = ':';
+
+	/* iterations */
+	sprintf(intbuf, "%d", iterations);
+	memcpy(p, intbuf, strlen(intbuf));
+	p += strlen(intbuf);
+	*p++ = ':';
+
+	/* Calculate StoredKey, and encode it in base64 */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
+							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
+	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = ':';
+
+	/* And same for ServerKey */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
+							SCRAM_SERVER_KEY_NAME, keybuf);
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = '\0';
+
+#ifndef FRONTEND
+	if (prep_password)
+		pfree(prep_password);
+#else
+	if (prep_password)
+		free(prep_password);
+#endif
+
+	return true;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 6740069eee..fcf3b98ba6 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -13,6 +13,7 @@
 #ifndef SCRAM_COMMON_H
 #define SCRAM_COMMON_H
 
+#include "common/base64.h"
 #include "common/sha2.h"
 
 /* Length of SCRAM keys (client and server) */
@@ -38,6 +39,22 @@
 #define SCRAM_SERVER_KEY_NAME "Server Key"
 #define SCRAM_CLIENT_KEY_NAME "Client Key"
 
+#define SCRAM_VERIFIER_PREFIX "scram-sha-256"
+
+/*
+ * Length of a SCRAM verifier, which is made of the following five fields
+ * separated by a colon:
+ * - prefix "scram-sha-256", made of 13 characters.
+ * - 4 colon separators.
+ * - 32-bit number of interations, up to 11 characters.
+ * - base64-encoded salt of length SCRAM_SALT_LEN
+ * - base64-encoded stored key of length SCRAM_KEY_LEN
+ * - base64-encoded server key of length SCRAM_KEY_LEN
+ */
+#define SCRAM_VERIFIER_LEN (strlen("scram-sha-256") + 4 + 11 + \
+							pg_b64_enc_len(SCRAM_SALT_LEN) + \
+							pg_b64_enc_len(SCRAM_KEY_LEN) * 2)
+
 /*
  * Context data for HMAC used in SCRAM authentication.
  */
@@ -55,5 +72,8 @@ extern void scram_H(const uint8 *str, int len, uint8 *result);
 extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
+extern bool scram_build_verifier(const char *username, const char *password,
+								 const char *salt, int iterations,
+								 char *verifier);
 
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e373f0c07e..803fc4ef7a 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -26,10 +26,7 @@ extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-/* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+/* Routines to check SCRAM-SHA-256 verifier */
 extern bool is_scram_verifier(const char *verifier);
 extern bool scram_verify_plain_password(const char *username,
 							const char *password, const char *verifier);
-- 
2.12.2

From e213a58dc4f4db062e3b589cc0bc70005d92dbab Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:24:44 +0900
Subject: [PATCH 3/5] Refactor frontend-side random number generation

pg_frontend_random() is moved into its own file in libpq/ to give other
portions of the libpq code the ability to generate random numbers. This
will be used for the SCRAM verifier generation from clients.
---
 src/interfaces/libpq/Makefile        |  2 +-
 src/interfaces/libpq/fe-auth-scram.c | 53 -----------------------
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/interfaces/libpq/libpq-random.c  | 84 ++++++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-random.h  | 17 ++++++++
 src/tools/msvc/Install.pm            |  2 +-
 6 files changed, 104 insertions(+), 55 deletions(-)
 create mode 100644 src/interfaces/libpq/libpq-random.c
 create mode 100644 src/interfaces/libpq/libpq-random.h

diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 87f22d242f..eb6777ef2b 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -33,7 +33,7 @@ LIBS := $(LIBS:-lpgport=)
 # OBJS from this file.
 OBJS=	fe-auth.o fe-auth-scram.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 	fe-protocol2.o fe-protocol3.o pqexpbuffer.o fe-secure.o \
-	libpq-events.o
+	libpq-events.o libpq-random.o
 # libpgport C files we always use
 OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o \
 	thread.o
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index c56e91e0e0..b453c6cc21 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -74,7 +74,6 @@ static bool verify_server_proof(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
 					   uint8 *result);
-static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
@@ -609,55 +608,3 @@ verify_server_proof(fe_scram_state *state)
 
 	return true;
 }
-
-/*
- * Random number generator.
- */
-static bool
-pg_frontend_random(char *dst, int len)
-{
-#ifdef HAVE_STRONG_RANDOM
-	return pg_strong_random(dst, len);
-#else
-	int			i;
-	char	   *end = dst + len;
-
-	static unsigned short seed[3];
-	static int	mypid = 0;
-
-	pglock_thread();
-
-	if (mypid != getpid())
-	{
-		struct timeval now;
-
-		gettimeofday(&now, NULL);
-
-		seed[0] = now.tv_sec ^ getpid();
-		seed[1] = (unsigned short) (now.tv_usec);
-		seed[2] = (unsigned short) (now.tv_usec >> 16);
-	}
-
-	for (i = 0; dst < end; i++)
-	{
-		uint32		r;
-		int			j;
-
-		/*
-		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
-		 * it.
-		 */
-		r = (uint32) pg_jrand48(seed);
-
-		for (j = 0; j < 4 && dst < end; j++)
-		{
-			*(dst++) = (char) (r & 0xFF);
-			r >>= 8;
-		}
-	}
-
-	pgunlock_thread();
-
-	return true;
-#endif
-}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index b8ec3418c5..6b72a17a75 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -22,6 +22,7 @@
 
 /* We assume libpq-fe.h has already been included. */
 #include "libpq-events.h"
+#include "libpq-random.h"
 
 #include <time.h>
 #ifndef WIN32
diff --git a/src/interfaces/libpq/libpq-random.c b/src/interfaces/libpq/libpq-random.c
new file mode 100644
index 0000000000..5e788dc821
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.c
@@ -0,0 +1,84 @@
+/*-------------------------------------------------------------------------
+ *
+ * libpq-random.c
+ *	  Frontend random number generation routine for libpq.
+ *
+ * pg_frontend_random() function fills a buffer with random bytes. Normally,
+ * it is just a thin wrapper around pg_strong_random(), but when compiled
+ * with --disable-strong-random, there is a built-in implementation.
+ *
+ * The built-in implementation uses the standard erand48 algorithm, with
+ * a seed calculated using the process ID and a timestamp.
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/libpq-random.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+#include "libpq-int.h"
+
+/* These are needed for getpid(), in the fallback implementation */
+#ifndef HAVE_STRONG_RANDOM
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+/*
+ * Random number generator.
+ */
+bool
+pg_frontend_random(char *dst, int len)
+{
+#ifdef HAVE_STRONG_RANDOM
+	return pg_strong_random(dst, len);
+#else
+	int			i;
+	char	   *end = dst + len;
+
+	static unsigned short seed[3];
+	static int	mypid = 0;
+
+	pglock_thread();
+
+	if (mypid != getpid())
+	{
+		struct timeval now;
+
+		gettimeofday(&now, NULL);
+
+		seed[0] = now.tv_sec ^ getpid();
+		seed[1] = (unsigned short) (now.tv_usec);
+		seed[2] = (unsigned short) (now.tv_usec >> 16);
+	}
+
+	for (i = 0; dst < end; i++)
+	{
+		uint32		r;
+		int			j;
+
+		/*
+		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
+		 * it.
+		 */
+		r = (uint32) pg_jrand48(seed);
+
+		for (j = 0; j < 4 && dst < end; j++)
+		{
+			*(dst++) = (char) (r & 0xFF);
+			r >>= 8;
+		}
+	}
+
+	pgunlock_thread();
+
+	return true;
+#endif
+}
diff --git a/src/interfaces/libpq/libpq-random.h b/src/interfaces/libpq/libpq-random.h
new file mode 100644
index 0000000000..054998b8d9
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.h
@@ -0,0 +1,17 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.h
+ *	  Declarations for frontend random number generation
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ *
+ *	  src/interfaces/libpq/libpq-random.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef LIBPQ_RANDOM_H
+#define LIBPQ_RANDOM_H
+
+extern bool pg_frontend_random(char *dst, int len);
+
+#endif   /* LIBPQ_RANDOM_H */
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index 35ad5b8a44..4acd6592ad 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -601,7 +601,7 @@ sub CopyIncludeFiles
 	CopyFiles(
 		'Libpq internal headers',
 		$target . '/include/internal/',
-		'src/interfaces/libpq/', 'libpq-int.h', 'pqexpbuffer.h');
+		'src/interfaces/libpq/', 'libpq-int.h', 'libpq-random.h', 'pqexpbuffer.h');
 
 	CopyFiles(
 		'Internal headers',
-- 
2.12.2

From 47f7fb16724ee43e36fe93256fc67b0fbbde4cd1 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:39:27 +0900
Subject: [PATCH 4/5] Extend PQencryptPassword with a hashing method

This extra argument can use the following values when hashing the
password:
- scram, for SCRAM-SHA-256 hashing.
- md5, for MD5 hashing.
- plain, for cleartext.
---
 doc/src/sgml/libpq.sgml         |  6 ++++-
 src/bin/psql/command.c          |  2 +-
 src/bin/scripts/createuser.c    |  3 ++-
 src/interfaces/libpq/fe-auth.c  | 54 ++++++++++++++++++++++++++++++++---------
 src/interfaces/libpq/libpq-fe.h |  3 ++-
 5 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..fc1aa4b5e5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5887,7 +5887,8 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char * PQencryptPassword(const char *passwd, const char *user,
+                         const char *method);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
@@ -5901,6 +5902,9 @@ char * PQencryptPassword(const char *passwd, const char *user);
       memory.  The caller can assume the string doesn't contain any
       special characters that would require escaping.  Use
       <function>PQfreemem</> to free the result when done with it.
+      The encryption method of the password can be specified as
+      <literal>md5</> for hashing with MD5, <literal>scram</> for
+      hashing with SCRAM-SHA-256 and <literal>plain</> for cleartext.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 494f468575..9716c98fc2 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1882,7 +1882,7 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPassword(pw1, user, "md5");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..5af263e34a 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -275,7 +275,8 @@ main(int argc, char *argv[])
 			char	   *encrypted_password;
 
 			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+												   newuser,
+												   "md5");
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 5fe7e565a0..40d4be3ca6 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
 #include "libpq/scram.h"
 #include "fe-auth.h"
@@ -919,27 +920,56 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are the cleartext password, the SQL name of the user it
+ * is for, and the name of password hashing method:
+ * - "scram", to hash password using SCRAM-SHA-256.
+ * - "md5", to hash password using MD5.
+ * - "plain", to get a cleartext value of password.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string, or NULL if out-of-memory or in
+ * the event of an error.  The client may assume the string doesn't
+ * contain any special characters that would require escaping.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPassword(const char *passwd, const char *user, const char *method)
 {
 	char	   *crypt_pwd;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
-		return NULL;
+	if (strcmp(method, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
+	}
+	else if (strcmp(method, "scram") == 0)
 	{
-		free(crypt_pwd);
-		return NULL;
+		char		salt[SCRAM_SALT_LEN];
+
+		crypt_pwd = malloc(SCRAM_VERIFIER_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
+
+		if (!pg_frontend_random(salt, SCRAM_SALT_LEN))
+			return NULL;
+
+		if (!scram_build_verifier(user, passwd, salt, 0, crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
 	}
+	else if (strcmp(method, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+		return NULL;
 
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c312dd0152 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -596,7 +596,8 @@ extern int	PQenv2encoding(void);
 
 /* === in fe-auth.c === */
 
-extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPassword(const char *passwd, const char *user,
+							   const char *method);
 
 /* === in encnames.c === */
 
-- 
2.12.2

From 7d527d12518501a68ceab2fec7dc1abc90e7272d Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 14:07:16 +0900
Subject: [PATCH 5/5] Extend psql's \password and createuser to handle SCRAM
 verifier creation

Depending on the version of PostgreSQL those utilities are connected to,
generate MD5 verifiers when connecting to a server older than 10, and
MD5 otherwise.
---
 doc/src/sgml/ref/createuser.sgml |  6 ++++--
 doc/src/sgml/ref/psql-ref.sgml   |  4 +++-
 src/bin/psql/command.c           |  9 ++++++++-
 src/bin/scripts/createuser.c     | 16 +++++++++++++---
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 4332008c68..4454591d79 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -125,7 +125,9 @@ PostgreSQL documentation
       <listitem>
        <para>
         Encrypts the user's password stored in the database. If not
-        specified, the default password behavior is used.
+        specified, the default password behavior is used. The password
+        is hashed using SCRAM-SHA-256 when connecting to a version of
+        <productname>PostgreSQL</> newer than 10, and MD5 otherwise.
        </para>
       </listitem>
      </varlistentry>
@@ -477,7 +479,7 @@ PostgreSQL documentation
 <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
 <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput>
 <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
-<computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
+<computeroutput>CREATE ROLE joe PASSWORD 'scram-sha-256:aPheg4yCAFhStg==:4096:TOHLPF8w+NzqtcxD2oz9w5wPISutHLOXWMKoe4HCvuo=:lTG0OiB/ZH5/hsfUqnndRwfMziY5j5C6FS8IAIwL2nA=' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
 </screen>
     In the above example, the new password isn't actually echoed when typed,
     but we show what was typed for clarity.  As you see, the password is
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index 3b86612862..749221aa76 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -2380,7 +2380,9 @@ lo_import 152801
         user).  This command prompts for the new password, encrypts it, and
         sends it to the server as an <command>ALTER ROLE</> command.  This
         makes sure that the new password does not appear in cleartext in the
-        command history, the server log, or elsewhere.
+        command history, the server log, or elsewhere. The password is hashed
+        with SCRAM-SHA-256 when connecting to <productname>PostgreSQL</> 10
+        and newer versions, and with MD5 otherwise.
         </para>
         </listitem>
       </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 9716c98fc2..4e9b526e43 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1882,7 +1882,14 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user, "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (pset.sversion < 100000)
+				encrypted_password = PQencryptPassword(pw1, user, "md5");
+			else
+				encrypted_password = PQencryptPassword(pw1, user, "scram");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 5af263e34a..0107497e23 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -274,9 +274,19 @@ main(int argc, char *argv[])
 		{
 			char	   *encrypted_password;
 
-			encrypted_password = PQencryptPassword(newpassword,
-												   newuser,
-												   "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (PQserverVersion(conn) < 100000)
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "md5");
+			else
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "scram");
+
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
-- 
2.12.2

From 371c057f7bbf6531c0e1d9850c411e64d4a0a6e5 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 25 Apr 2017 13:58:40 +0900
Subject: [PATCH 1/4] Move routine to build SCRAM verifier into src/common/

This is aimed at being used by libpq to allow frontend-side creation
of SCRAM verifiers. The result is not anymore allocated by the routine
itself, the caller is responsible for that, similarly to md5.
---
 src/backend/libpq/auth-scram.c    | 91 ++++++---------------------------------
 src/backend/libpq/crypt.c         | 21 ++++++++-
 src/common/scram-common.c         | 78 +++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h | 20 +++++++++
 src/include/libpq/scram.h         |  5 +--
 5 files changed, 130 insertions(+), 85 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 16bea446e3..1153631666 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -205,9 +205,18 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 			 * The stored password is in plain format.  Generate a fresh SCRAM
 			 * verifier from it, and proceed with that.
 			 */
-			char	   *verifier;
+			char	   *verifier = palloc(SCRAM_VERIFIER_LEN + 1);
+			char		salt[SCRAM_SALT_LEN];
 
-			verifier = scram_build_verifier(username, shadow_pass, 0);
+			if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+			{
+				ereport(LOG,
+						(errcode(ERRCODE_INTERNAL_ERROR),
+						 errmsg("could not generate random salt")));
+				return NULL;
+			}
+
+			(void) scram_build_verifier(username, shadow_pass, salt, 0, verifier);
 
 			(void) parse_scram_verifier(verifier, &state->iterations, &state->salt,
 										state->StoredKey, state->ServerKey);
@@ -385,82 +394,6 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 }
 
 /*
- * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
- *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
- */
-char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
-{
-	char	   *prep_password = NULL;
-	pg_saslprep_rc rc;
-	char		saltbuf[SCRAM_SALT_LEN];
-	uint8		keybuf[SCRAM_KEY_LEN];
-	char	   *encoded_salt;
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	int			encoded_len;
-	char	   *result;
-
-	/*
-	 * Normalize the password with SASLprep.  If that doesn't work, because
-	 * the password isn't valid UTF-8 or contains prohibited characters, just
-	 * proceed with the original password.  (See comments at top of file.)
-	 */
-	rc = pg_saslprep(password, &prep_password);
-	if (rc == SASLPREP_SUCCESS)
-		password = (const char *) prep_password;
-
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	/* Generate salt, and encode it in base64 */
-	if (!pg_backend_random(saltbuf, SCRAM_SALT_LEN))
-	{
-		ereport(LOG,
-				(errcode(ERRCODE_INTERNAL_ERROR),
-				 errmsg("could not generate random salt")));
-		return NULL;
-	}
-
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(saltbuf, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	result = psprintf("SCRAM-SHA-256$%d:%s$%s:%s", iterations, encoded_salt,
-					  encoded_storedkey, encoded_serverkey);
-
-	if (prep_password)
-		pfree(prep_password);
-	pfree(encoded_salt);
-	pfree(encoded_storedkey);
-	pfree(encoded_serverkey);
-
-	return result;
-}
-
-/*
  * Verify a plaintext password against a SCRAM verifier.  This is used when
  * performing plaintext password authentication for a user that has a SCRAM
  * verifier stored in pg_authid.
@@ -576,7 +509,7 @@ parse_scram_verifier(const char *verifier, int *iterations, char **salt,
 		goto invalid_verifier;
 
 	/* Parse the fields */
-	if (strcmp(scheme_str, "SCRAM-SHA-256") != 0)
+	if (strcmp(scheme_str, SCRAM_VERIFIER_PREFIX) != 0)
 		goto invalid_verifier;
 
 	errno = 0;
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index d0030f2b6d..397b559604 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -20,9 +20,11 @@
 
 #include "catalog/pg_authid.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/crypt.h"
 #include "libpq/scram.h"
 #include "miscadmin.h"
+#include "utils/backend_random.h"
 #include "utils/builtins.h"
 #include "utils/syscache.h"
 #include "utils/timestamp.h"
@@ -156,8 +158,23 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
-
+				{
+					char salt[SCRAM_SALT_LEN];
+
+					if (!pg_backend_random(salt, SCRAM_SALT_LEN))
+					{
+						ereport(ERROR,
+								(errcode(ERRCODE_INTERNAL_ERROR),
+								 errmsg("could not generate random salt")));
+						return NULL;
+					}
+
+					encrypted_password = palloc(SCRAM_VERIFIER_LEN + 1);
+					if (!scram_build_verifier(role, password, salt, 0,
+											  encrypted_password))
+						elog(ERROR, "password encryption failed");
+					return encrypted_password;
+				}
 				case PASSWORD_TYPE_MD5:
 
 					/*
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index df9f0eaa90..4b730a3311 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -23,6 +23,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#include "common/saslprep.h"
 #include "common/scram-common.h"
 
 #define HMAC_IPAD 0x36
@@ -165,3 +166,80 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * stored in "verifier" that caller is responsible to allocate a buffer of
+ * size SCRAM_VERIFIER_LEN.  Returns true if the verifier has been generated,
+ * false otherwise.  It is important for this routine to do no memory
+ * allocations (SASLprep is an exception to that as the prepared password's
+ * length is estimated locally). The salt defined by the caller needs to be a
+ * buffer pre-filled with random data of length SCRAM_SALT_LEN.
+ */
+bool
+scram_build_verifier(const char *username, const char *password,
+					 const char *salt, int iterations, char *verifier)
+{
+	uint8		keybuf[SCRAM_KEY_LEN + 1];
+	char		intbuf[12];
+	char	   *p;
+	char	   *prep_password = NULL;
+	pg_saslprep_rc rc;
+
+	/*
+	 * Normalize the password with SASLprep.  If that doesn't work, because
+	 * the password isn't valid UTF-8 or contains prohibited characters, just
+	 * proceed with the original password.  (See comments at top of
+	 * auth-scram.c.)
+	 */
+	rc = pg_saslprep(password, &prep_password);
+	if (rc == SASLPREP_SUCCESS)
+		password = (const char *) prep_password;
+
+	if (iterations <= 0)
+		iterations = SCRAM_ITERATIONS_DEFAULT;
+
+	/* Fill in the data of the verifier */
+	p = verifier;
+	memcpy(p, SCRAM_VERIFIER_PREFIX, strlen(SCRAM_VERIFIER_PREFIX));
+	p += strlen(SCRAM_VERIFIER_PREFIX);
+	*p++ = '$';
+
+	/* iterations */
+	sprintf(intbuf, "%d", iterations);
+	memcpy(p, intbuf, strlen(intbuf));
+	p += strlen(intbuf);
+	*p++ = ':';
+
+	/* salt */
+	(void) pg_b64_encode(salt, SCRAM_SALT_LEN, p);
+	p += pg_b64_enc_len(SCRAM_SALT_LEN);
+	*p++ = '$';
+
+	/* Calculate StoredKey, and encode it in base64 */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN,
+							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
+	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = ':';
+
+	/* And same for ServerKey */
+	scram_ClientOrServerKey(password, salt, SCRAM_SALT_LEN, iterations,
+							SCRAM_SERVER_KEY_NAME, keybuf);
+	(void) pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN, p);
+	p += pg_b64_enc_len(SCRAM_KEY_LEN) - 1;
+	*p++ = '\0';
+
+#ifndef FRONTEND
+	if (prep_password)
+		pfree(prep_password);
+#else
+	if (prep_password)
+		free(prep_password);
+#endif
+
+	return true;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 6740069eee..36249a83f3 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -13,6 +13,7 @@
 #ifndef SCRAM_COMMON_H
 #define SCRAM_COMMON_H
 
+#include "common/base64.h"
 #include "common/sha2.h"
 
 /* Length of SCRAM keys (client and server) */
@@ -38,6 +39,22 @@
 #define SCRAM_SERVER_KEY_NAME "Server Key"
 #define SCRAM_CLIENT_KEY_NAME "Client Key"
 
+#define SCRAM_VERIFIER_PREFIX "SCRAM-SHA-256"
+
+/*
+ * Length of a SCRAM verifier, which is made of the following five fields
+ * separated by a colon:
+ * - prefix "SCRAM-SHA-256", made of 13 characters.
+ * - 4 colon separators.
+ * - 32-bit number of interations, up to 11 characters.
+ * - base64-encoded salt of length SCRAM_SALT_LEN
+ * - base64-encoded stored key of length SCRAM_KEY_LEN
+ * - base64-encoded server key of length SCRAM_KEY_LEN
+ */
+#define SCRAM_VERIFIER_LEN (strlen(SCRAM_VERIFIER_PREFIX) + 4 + 11 +	\
+							pg_b64_enc_len(SCRAM_SALT_LEN) +			\
+							pg_b64_enc_len(SCRAM_KEY_LEN) * 2)
+
 /*
  * Context data for HMAC used in SCRAM authentication.
  */
@@ -55,5 +72,8 @@ extern void scram_H(const uint8 *str, int len, uint8 *result);
 extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
+extern bool scram_build_verifier(const char *username, const char *password,
+								 const char *salt, int iterations,
+								 char *verifier);
 
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e373f0c07e..803fc4ef7a 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -26,10 +26,7 @@ extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
-/* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+/* Routines to check SCRAM-SHA-256 verifier */
 extern bool is_scram_verifier(const char *verifier);
 extern bool scram_verify_plain_password(const char *username,
 							const char *password, const char *verifier);
-- 
2.12.2

From 78068e010bac158bea0e5550e7b2bd3e08dec137 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:24:44 +0900
Subject: [PATCH 2/4] Refactor frontend-side random number generation

pg_frontend_random() is moved into its own file in libpq/ to give other
portions of the libpq code the ability to generate random numbers. This
will be used for the SCRAM verifier generation from clients.
---
 src/interfaces/libpq/Makefile        |  2 +-
 src/interfaces/libpq/fe-auth-scram.c | 53 -----------------------
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/interfaces/libpq/libpq-random.c  | 84 ++++++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-random.h  | 17 ++++++++
 src/tools/msvc/Install.pm            |  2 +-
 6 files changed, 104 insertions(+), 55 deletions(-)
 create mode 100644 src/interfaces/libpq/libpq-random.c
 create mode 100644 src/interfaces/libpq/libpq-random.h

diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 87f22d242f..eb6777ef2b 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -33,7 +33,7 @@ LIBS := $(LIBS:-lpgport=)
 # OBJS from this file.
 OBJS=	fe-auth.o fe-auth-scram.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 	fe-protocol2.o fe-protocol3.o pqexpbuffer.o fe-secure.o \
-	libpq-events.o
+	libpq-events.o libpq-random.o
 # libpgport C files we always use
 OBJS += chklocale.o inet_net_ntop.o noblock.o pgstrcasecmp.o pqsignal.o \
 	thread.o
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index c56e91e0e0..b453c6cc21 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -74,7 +74,6 @@ static bool verify_server_proof(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
 					   uint8 *result);
-static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
@@ -609,55 +608,3 @@ verify_server_proof(fe_scram_state *state)
 
 	return true;
 }
-
-/*
- * Random number generator.
- */
-static bool
-pg_frontend_random(char *dst, int len)
-{
-#ifdef HAVE_STRONG_RANDOM
-	return pg_strong_random(dst, len);
-#else
-	int			i;
-	char	   *end = dst + len;
-
-	static unsigned short seed[3];
-	static int	mypid = 0;
-
-	pglock_thread();
-
-	if (mypid != getpid())
-	{
-		struct timeval now;
-
-		gettimeofday(&now, NULL);
-
-		seed[0] = now.tv_sec ^ getpid();
-		seed[1] = (unsigned short) (now.tv_usec);
-		seed[2] = (unsigned short) (now.tv_usec >> 16);
-	}
-
-	for (i = 0; dst < end; i++)
-	{
-		uint32		r;
-		int			j;
-
-		/*
-		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
-		 * it.
-		 */
-		r = (uint32) pg_jrand48(seed);
-
-		for (j = 0; j < 4 && dst < end; j++)
-		{
-			*(dst++) = (char) (r & 0xFF);
-			r >>= 8;
-		}
-	}
-
-	pgunlock_thread();
-
-	return true;
-#endif
-}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 34d049262f..65aa51cfc1 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -22,6 +22,7 @@
 
 /* We assume libpq-fe.h has already been included. */
 #include "libpq-events.h"
+#include "libpq-random.h"
 
 #include <time.h>
 #ifndef WIN32
diff --git a/src/interfaces/libpq/libpq-random.c b/src/interfaces/libpq/libpq-random.c
new file mode 100644
index 0000000000..5e788dc821
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.c
@@ -0,0 +1,84 @@
+/*-------------------------------------------------------------------------
+ *
+ * libpq-random.c
+ *	  Frontend random number generation routine for libpq.
+ *
+ * pg_frontend_random() function fills a buffer with random bytes. Normally,
+ * it is just a thin wrapper around pg_strong_random(), but when compiled
+ * with --disable-strong-random, there is a built-in implementation.
+ *
+ * The built-in implementation uses the standard erand48 algorithm, with
+ * a seed calculated using the process ID and a timestamp.
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/interfaces/libpq/libpq-random.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+#include "libpq-int.h"
+
+/* These are needed for getpid(), in the fallback implementation */
+#ifndef HAVE_STRONG_RANDOM
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+/*
+ * Random number generator.
+ */
+bool
+pg_frontend_random(char *dst, int len)
+{
+#ifdef HAVE_STRONG_RANDOM
+	return pg_strong_random(dst, len);
+#else
+	int			i;
+	char	   *end = dst + len;
+
+	static unsigned short seed[3];
+	static int	mypid = 0;
+
+	pglock_thread();
+
+	if (mypid != getpid())
+	{
+		struct timeval now;
+
+		gettimeofday(&now, NULL);
+
+		seed[0] = now.tv_sec ^ getpid();
+		seed[1] = (unsigned short) (now.tv_usec);
+		seed[2] = (unsigned short) (now.tv_usec >> 16);
+	}
+
+	for (i = 0; dst < end; i++)
+	{
+		uint32		r;
+		int			j;
+
+		/*
+		 * pg_jrand48 returns a 32-bit integer.  Fill the next 4 bytes from
+		 * it.
+		 */
+		r = (uint32) pg_jrand48(seed);
+
+		for (j = 0; j < 4 && dst < end; j++)
+		{
+			*(dst++) = (char) (r & 0xFF);
+			r >>= 8;
+		}
+	}
+
+	pgunlock_thread();
+
+	return true;
+#endif
+}
diff --git a/src/interfaces/libpq/libpq-random.h b/src/interfaces/libpq/libpq-random.h
new file mode 100644
index 0000000000..054998b8d9
--- /dev/null
+++ b/src/interfaces/libpq/libpq-random.h
@@ -0,0 +1,17 @@
+/*-------------------------------------------------------------------------
+ *
+ * frontend_random.h
+ *	  Declarations for frontend random number generation
+ *
+ * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
+ *
+ *	  src/interfaces/libpq/libpq-random.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef LIBPQ_RANDOM_H
+#define LIBPQ_RANDOM_H
+
+extern bool pg_frontend_random(char *dst, int len);
+
+#endif   /* LIBPQ_RANDOM_H */
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index 35ad5b8a44..4acd6592ad 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -601,7 +601,7 @@ sub CopyIncludeFiles
 	CopyFiles(
 		'Libpq internal headers',
 		$target . '/include/internal/',
-		'src/interfaces/libpq/', 'libpq-int.h', 'pqexpbuffer.h');
+		'src/interfaces/libpq/', 'libpq-int.h', 'libpq-random.h', 'pqexpbuffer.h');
 
 	CopyFiles(
 		'Internal headers',
-- 
2.12.2

From d19217ea67fbe27a4c5f5d693f0e09ddc83aa69a Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 7 Apr 2017 10:39:27 +0900
Subject: [PATCH 3/4] Extend PQencryptPassword with a hashing method

This extra argument can use the following values when hashing the
password:
- scram, for SCRAM-SHA-256 hashing.
- md5, for MD5 hashing.
- plain, for cleartext.
---
 doc/src/sgml/libpq.sgml         |  6 ++++-
 src/bin/psql/command.c          |  2 +-
 src/bin/scripts/createuser.c    |  3 ++-
 src/interfaces/libpq/fe-auth.c  | 54 ++++++++++++++++++++++++++++++++---------
 src/interfaces/libpq/libpq-fe.h |  3 ++-
 5 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..fc1aa4b5e5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5887,7 +5887,8 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char * PQencryptPassword(const char *passwd, const char *user,
+                         const char *method);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
@@ -5901,6 +5902,9 @@ char * PQencryptPassword(const char *passwd, const char *user);
       memory.  The caller can assume the string doesn't contain any
       special characters that would require escaping.  Use
       <function>PQfreemem</> to free the result when done with it.
+      The encryption method of the password can be specified as
+      <literal>md5</> for hashing with MD5, <literal>scram</> for
+      hashing with SCRAM-SHA-256 and <literal>plain</> for cleartext.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 859ded71f6..ccea7a5fd0 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1878,7 +1878,7 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPassword(pw1, user, "md5");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..5af263e34a 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -275,7 +275,8 @@ main(int argc, char *argv[])
 			char	   *encrypted_password;
 
 			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+												   newuser,
+												   "md5");
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index d81ee4f944..cdd46a216b 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,6 +39,7 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
 #include "libpq/scram.h"
 #include "fe-auth.h"
@@ -1087,27 +1088,56 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are the cleartext password, the SQL name of the user it
+ * is for, and the name of password hashing method:
+ * - "scram", to hash password using SCRAM-SHA-256.
+ * - "md5", to hash password using MD5.
+ * - "plain", to get a cleartext value of password.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string, or NULL if out-of-memory or in
+ * the event of an error.  The client may assume the string doesn't
+ * contain any special characters that would require escaping.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPassword(const char *passwd, const char *user, const char *method)
 {
 	char	   *crypt_pwd;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
-		return NULL;
+	if (strcmp(method, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
+	}
+	else if (strcmp(method, "scram") == 0)
 	{
-		free(crypt_pwd);
-		return NULL;
+		char		salt[SCRAM_SALT_LEN];
+
+		crypt_pwd = malloc(SCRAM_VERIFIER_LEN + 1);
+		if (!crypt_pwd)
+			return NULL;
+
+		if (!pg_frontend_random(salt, SCRAM_SALT_LEN))
+			return NULL;
+
+		if (!scram_build_verifier(user, passwd, salt, 0, crypt_pwd))
+		{
+			free(crypt_pwd);
+			return NULL;
+		}
 	}
+	else if (strcmp(method, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+		return NULL;
 
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c312dd0152 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -596,7 +596,8 @@ extern int	PQenv2encoding(void);
 
 /* === in fe-auth.c === */
 
-extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPassword(const char *passwd, const char *user,
+							   const char *method);
 
 /* === in encnames.c === */
 
-- 
2.12.2

From 12667b9848de6905478dae84581e4691ade5fe32 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Sat, 25 Mar 2017 14:07:16 +0900
Subject: [PATCH 4/4] Extend psql's \password and createuser to handle SCRAM
 verifier creation

Depending on the version of PostgreSQL those utilities are connected to,
generate MD5 verifiers when connecting to a server older than 10, and
MD5 otherwise.
---
 doc/src/sgml/ref/createuser.sgml |  6 ++++--
 doc/src/sgml/ref/psql-ref.sgml   |  4 +++-
 src/bin/psql/command.c           |  9 ++++++++-
 src/bin/scripts/createuser.c     | 16 +++++++++++++---
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 4332008c68..4454591d79 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -125,7 +125,9 @@ PostgreSQL documentation
       <listitem>
        <para>
         Encrypts the user's password stored in the database. If not
-        specified, the default password behavior is used.
+        specified, the default password behavior is used. The password
+        is hashed using SCRAM-SHA-256 when connecting to a version of
+        <productname>PostgreSQL</> newer than 10, and MD5 otherwise.
        </para>
       </listitem>
      </varlistentry>
@@ -477,7 +479,7 @@ PostgreSQL documentation
 <prompt>$ </prompt><userinput>createuser -P -s -e joe</userinput>
 <computeroutput>Enter password for new role: </computeroutput><userinput>xyzzy</userinput>
 <computeroutput>Enter it again: </computeroutput><userinput>xyzzy</userinput>
-<computeroutput>CREATE ROLE joe PASSWORD 'md5b5f5ba1a423792b526f799ae4eb3d59e' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
+<computeroutput>CREATE ROLE joe PASSWORD 'scram-sha-256:aPheg4yCAFhStg==:4096:TOHLPF8w+NzqtcxD2oz9w5wPISutHLOXWMKoe4HCvuo=:lTG0OiB/ZH5/hsfUqnndRwfMziY5j5C6FS8IAIwL2nA=' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;</computeroutput>
 </screen>
     In the above example, the new password isn't actually echoed when typed,
     but we show what was typed for clarity.  As you see, the password is
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index 3b86612862..749221aa76 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -2380,7 +2380,9 @@ lo_import 152801
         user).  This command prompts for the new password, encrypts it, and
         sends it to the server as an <command>ALTER ROLE</> command.  This
         makes sure that the new password does not appear in cleartext in the
-        command history, the server log, or elsewhere.
+        command history, the server log, or elsewhere. The password is hashed
+        with SCRAM-SHA-256 when connecting to <productname>PostgreSQL</> 10
+        and newer versions, and with MD5 otherwise.
         </para>
         </listitem>
       </varlistentry>
diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index ccea7a5fd0..4d575657d4 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1878,7 +1878,14 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user, "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (pset.sversion < 100000)
+				encrypted_password = PQencryptPassword(pw1, user, "md5");
+			else
+				encrypted_password = PQencryptPassword(pw1, user, "scram");
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 5af263e34a..0107497e23 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -274,9 +274,19 @@ main(int argc, char *argv[])
 		{
 			char	   *encrypted_password;
 
-			encrypted_password = PQencryptPassword(newpassword,
-												   newuser,
-												   "md5");
+			/*
+			 * Hash password using SCRAM-SHA-256 when connecting to servers
+			 * newer than Postgres 10, and hash with MD5 otherwise.
+			 */
+			if (PQserverVersion(conn) < 100000)
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "md5");
+			else
+				encrypted_password = PQencryptPassword(newpassword,
+													   newuser,
+													   "scram");
+
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
-- 
2.12.2

From a656e0ab2aaed016ed5244c7bb79752acf5b71b7 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Wed, 26 Apr 2017 12:53:49 +0300
Subject: [PATCH 1/3] Move scram_build_verifier to src/common.

This is in preparation for the next patch to add support for building
SCRAM verifiers to libpq.

Michael Paquier and me

Discussion: https://www.postgresql.org/message-id/CAMkU%3D1wfBgFPbfAMYZQE78p%3DVhZX7nN86aWkp0QcCp%3D%2BKxZ%3Dbg%40mail.gmail.com
---
 src/backend/libpq/auth-scram.c    | 62 ++++++++------------------------------
 src/backend/libpq/crypt.c         |  2 +-
 src/common/scram-common.c         | 63 +++++++++++++++++++++++++++++++++++++++
 src/include/common/scram-common.h |  7 +++--
 src/include/libpq/scram.h         |  4 +--
 5 files changed, 83 insertions(+), 55 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 16bea446e3..56b8935847 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -207,7 +207,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 			 */
 			char	   *verifier;
 
-			verifier = scram_build_verifier(username, shadow_pass, 0);
+			verifier = pg_be_scram_build_verifier(shadow_pass);
 
 			(void) parse_scram_verifier(verifier, &state->iterations, &state->salt,
 										state->StoredKey, state->ServerKey);
@@ -387,21 +387,14 @@ pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 /*
  * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
  *
- * If iterations is 0, default number of iterations is used.  The result is
- * palloc'd, so caller is responsible for freeing it.
+ * The result is palloc'd, so caller is responsible for freeing it.
  */
 char *
-scram_build_verifier(const char *username, const char *password,
-					 int iterations)
+pg_be_scram_build_verifier(const char *password)
 {
 	char	   *prep_password = NULL;
 	pg_saslprep_rc rc;
-	char		saltbuf[SCRAM_SALT_LEN];
-	uint8		keybuf[SCRAM_KEY_LEN];
-	char	   *encoded_salt;
-	char	   *encoded_storedkey;
-	char	   *encoded_serverkey;
-	int			encoded_len;
+	char		saltbuf[SCRAM_DEFAULT_SALT_LEN];
 	char	   *result;
 
 	/*
@@ -413,11 +406,8 @@ scram_build_verifier(const char *username, const char *password,
 	if (rc == SASLPREP_SUCCESS)
 		password = (const char *) prep_password;
 
-	if (iterations <= 0)
-		iterations = SCRAM_ITERATIONS_DEFAULT;
-
-	/* Generate salt, and encode it in base64 */
-	if (!pg_backend_random(saltbuf, SCRAM_SALT_LEN))
+	/* Generate salt */
+	if (!pg_backend_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
 	{
 		ereport(LOG,
 				(errcode(ERRCODE_INTERNAL_ERROR),
@@ -425,37 +415,11 @@ scram_build_verifier(const char *username, const char *password,
 		return NULL;
 	}
 
-	encoded_salt = palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(saltbuf, SCRAM_SALT_LEN, encoded_salt);
-	encoded_salt[encoded_len] = '\0';
-
-	/* Calculate StoredKey, and encode it in base64 */
-	scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN,
-							iterations, SCRAM_CLIENT_KEY_NAME, keybuf);
-	scram_H(keybuf, SCRAM_KEY_LEN, keybuf);		/* StoredKey */
-
-	encoded_storedkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_storedkey);
-	encoded_storedkey[encoded_len] = '\0';
-
-	/* And same for ServerKey */
-	scram_ClientOrServerKey(password, saltbuf, SCRAM_SALT_LEN, iterations,
-							SCRAM_SERVER_KEY_NAME, keybuf);
-
-	encoded_serverkey = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
-	encoded_len = pg_b64_encode((const char *) keybuf, SCRAM_KEY_LEN,
-								encoded_serverkey);
-	encoded_serverkey[encoded_len] = '\0';
-
-	result = psprintf("SCRAM-SHA-256$%d:%s$%s:%s", iterations, encoded_salt,
-					  encoded_storedkey, encoded_serverkey);
+	result = scram_build_verifier(saltbuf, SCRAM_DEFAULT_SALT_LEN,
+								  SCRAM_DEFAULT_ITERATIONS, password);
 
 	if (prep_password)
 		pfree(prep_password);
-	pfree(encoded_salt);
-	pfree(encoded_storedkey);
-	pfree(encoded_serverkey);
 
 	return result;
 }
@@ -630,12 +594,12 @@ mock_scram_verifier(const char *username, int *iterations, char **salt,
 	/* Generate deterministic salt */
 	raw_salt = scram_MockSalt(username);
 
-	encoded_salt = (char *) palloc(pg_b64_enc_len(SCRAM_SALT_LEN) + 1);
-	encoded_len = pg_b64_encode(raw_salt, SCRAM_SALT_LEN, encoded_salt);
+	encoded_salt = (char *) palloc(pg_b64_enc_len(SCRAM_DEFAULT_SALT_LEN) + 1);
+	encoded_len = pg_b64_encode(raw_salt, SCRAM_DEFAULT_SALT_LEN, encoded_salt);
 	encoded_salt[encoded_len] = '\0';
 
 	*salt = encoded_salt;
-	*iterations = SCRAM_ITERATIONS_DEFAULT;
+	*iterations = SCRAM_DEFAULT_ITERATIONS;
 
 	/* StoredKey and ServerKey are not used in a doomed authentication */
 	memset(stored_key, 0, SCRAM_KEY_LEN);
@@ -1192,9 +1156,9 @@ scram_MockSalt(const char *username)
 	 * Generate salt using a SHA256 hash of the username and the cluster's
 	 * mock authentication nonce.  (This works as long as the salt length is
 	 * not larger the SHA256 digest length. If the salt is smaller, the caller
-	 * will just ignore the extra data))
+	 * will just ignore the extra data.)
 	 */
-	StaticAssertStmt(PG_SHA256_DIGEST_LENGTH >= SCRAM_SALT_LEN,
+	StaticAssertStmt(PG_SHA256_DIGEST_LENGTH >= SCRAM_DEFAULT_SALT_LEN,
 					 "salt length greater than SHA256 digest length");
 
 	pg_sha256_init(&ctx);
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index d0030f2b6d..9fe79b4894 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -156,7 +156,7 @@ encrypt_password(PasswordType target_type, const char *role,
 			switch (guessed_type)
 			{
 				case PASSWORD_TYPE_PLAINTEXT:
-					return scram_build_verifier(role, password, 0);
+					return pg_be_scram_build_verifier(password);
 
 				case PASSWORD_TYPE_MD5:
 
diff --git a/src/common/scram-common.c b/src/common/scram-common.c
index df9f0eaa90..38a23de73e 100644
--- a/src/common/scram-common.c
+++ b/src/common/scram-common.c
@@ -23,6 +23,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#include "common/base64.h"
 #include "common/scram-common.h"
 
 #define HMAC_IPAD 0x36
@@ -165,3 +166,65 @@ scram_ClientOrServerKey(const char *password,
 	scram_HMAC_update(&ctx, keystr, strlen(keystr));
 	scram_HMAC_final(result, &ctx);
 }
+
+
+/*
+ * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
+ *
+ * The password should already have been processed with SASLprep, if necessary!
+ *
+ * If iterations is 0, default number of iterations is used.  The result is
+ * palloc'd or malloc'd, so caller is responsible for freeing it.
+ */
+char *
+scram_build_verifier(const char *salt, int saltlen, int iterations,
+					 const char *password)
+{
+	uint8		storedkeybuf[SCRAM_KEY_LEN];
+	uint8		serverkeybuf[SCRAM_KEY_LEN];
+	char	   *result;
+	char	   *p;
+	int			maxlen;
+
+	if (iterations <= 0)
+		iterations = SCRAM_DEFAULT_ITERATIONS;
+
+	/* Calculate StoredKey and ServerKey */
+	scram_ClientOrServerKey(password, salt, saltlen,
+							iterations, SCRAM_CLIENT_KEY_NAME, storedkeybuf);
+	scram_H(storedkeybuf, SCRAM_KEY_LEN, storedkeybuf);
+
+	scram_ClientOrServerKey(password, salt, saltlen, iterations,
+							SCRAM_SERVER_KEY_NAME, serverkeybuf);
+
+	/*
+	 * The format is:
+	 * SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
+	 */
+	maxlen = strlen("SCRAM-SHA-256") + 1
+		+ 10 + 1								/* iteration count */
+		+ pg_b64_enc_len(saltlen) + 1			/* Base64-encoded salt */
+		+ pg_b64_enc_len(SCRAM_KEY_LEN) + 1		/* Base64-encoded StoredKey */
+		+ pg_b64_enc_len(SCRAM_KEY_LEN) + 1;	/* Base64-encoded ServerKey */
+
+#ifdef FRONTEND
+	result = malloc(maxlen);
+	if (!result)
+		return NULL;
+#else
+	result = palloc(maxlen);
+#endif
+
+	p = result + sprintf(result, "SCRAM-SHA-256$%d:", iterations);
+
+	p += pg_b64_encode(salt, saltlen, p);
+	*(p++) = '$';
+	p += pg_b64_encode((char *) storedkeybuf, SCRAM_KEY_LEN, p);
+	*(p++) = ':';
+	p += pg_b64_encode((char *) serverkeybuf, SCRAM_KEY_LEN, p);
+	*(p++) = '\0';
+
+	Assert(p - result <= maxlen);
+
+	return result;
+}
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 6740069eee..cc69aafade 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -29,10 +29,10 @@
 #define SCRAM_RAW_NONCE_LEN			10
 
 /* length of salt when generating new verifiers */
-#define SCRAM_SALT_LEN				10
+#define SCRAM_DEFAULT_SALT_LEN		10
 
 /* default number of iterations when generating verifier */
-#define SCRAM_ITERATIONS_DEFAULT	4096
+#define SCRAM_DEFAULT_ITERATIONS	4096
 
 /* Base name of keys used for proof generation */
 #define SCRAM_SERVER_KEY_NAME "Server Key"
@@ -56,4 +56,7 @@ extern void scram_ClientOrServerKey(const char *password, const char *salt,
 						int saltlen, int iterations,
 						const char *keystr, uint8 *result);
 
+extern char *scram_build_verifier(const char *salt, int saltlen, int iterations,
+					 const char *password);
+
 #endif   /* SCRAM_COMMON_H */
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index e373f0c07e..060b8af69e 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -27,9 +27,7 @@ extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
 /* Routines to handle and check SCRAM-SHA-256 verifier */
-extern char *scram_build_verifier(const char *username,
-					 const char *password,
-					 int iterations);
+extern char *pg_be_scram_build_verifier(const char *password);
 extern bool is_scram_verifier(const char *verifier);
 extern bool scram_verify_plain_password(const char *username,
 							const char *password, const char *verifier);
-- 
2.11.0

From eea84c48129a613e6385facb76d5a19978906b7a Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Wed, 26 Apr 2017 12:55:35 +0300
Subject: [PATCH 2/3] Add PQencryptPasswordConn function to libpq.

The new function supports creating SCRAM verifiers, in addition to md5
hashes. The algorithm is chosen based on password_encryption, by default.

Michael Paquier and me

Discussion: https://www.postgresql.org/message-id/CAMkU%3D1wfBgFPbfAMYZQE78p%3DVhZX7nN86aWkp0QcCp%3D%2BKxZ%3Dbg%40mail.gmail.com
---
 doc/src/sgml/libpq.sgml              |  66 +++++++++++++++---
 src/interfaces/libpq/exports.txt     |   1 +
 src/interfaces/libpq/fe-auth-scram.c |  32 +++++++++
 src/interfaces/libpq/fe-auth.c       | 125 +++++++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.h       |   1 +
 src/interfaces/libpq/libpq-fe.h      |   1 +
 6 files changed, 203 insertions(+), 23 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4bc5bf3192..2228386eea 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -5875,11 +5875,11 @@ void PQconninfoFree(PQconninfoOption *connOptions);
     </listitem>
    </varlistentry>
 
-   <varlistentry id="libpq-pqencryptpassword">
+   <varlistentry id="libpq-pqencryptpasswordconn">
     <term>
-     <function>PQencryptPassword</function>
+     <function>PQencryptPasswordConn</function>
      <indexterm>
-      <primary>PQencryptPassword</primary>
+      <primary>PQencryptPasswordConn</primary>
      </indexterm>
     </term>
 
@@ -5887,20 +5887,64 @@ void PQconninfoFree(PQconninfoOption *connOptions);
      <para>
       Prepares the encrypted form of a <productname>PostgreSQL</> password.
 <synopsis>
-char * PQencryptPassword(const char *passwd, const char *user);
+char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);
 </synopsis>
       This function is intended to be used by client applications that
       wish to send commands like <literal>ALTER USER joe PASSWORD
       'pwd'</>.  It is good practice not to send the original cleartext
       password in such a command, because it might be exposed in command
       logs, activity displays, and so on.  Instead, use this function to
-      convert the password to encrypted form before it is sent.  The
-      arguments are the cleartext password, and the SQL name of the user
-      it is for.  The return value is a string allocated by
-      <function>malloc</function>, or <symbol>NULL</symbol> if out of
-      memory.  The caller can assume the string doesn't contain any
-      special characters that would require escaping.  Use
-      <function>PQfreemem</> to free the result when done with it.
+      convert the password to encrypted form before it is sent.
+     </para>
+
+     <para>
+      The <parameter>passwd</> and <parameter>user</> arguments
+      are the cleartext password, and the SQL name of the user it is for.
+      <parameter>algorithm</> specifies the encryption algorithm
+      to use to encrypt the password. Currently supported algorithms are
+      <literal>md5</> and <literal>scram-sha-256</>. <literal>scram-sha-256</>
+      was introduced in <productname>PostgreSQL</> version 10, and will
+      not work correctly with older server versions. If <parameter>algorithm</>
+      is <symbol>NULL</>, this function will query the server for the current
+      value of the <xref linkend="guc-password-encryption"> setting. That can
+      block, and will fail if the current transaction is aborted, or if the
+      connection is busy executing another query. If you wish to use the
+      default algorithm for the server but want to avoid blocking, query
+      <varname>password_encryption</> yourself before calling
+      <function>PQencryptPasswordConn</>, and pass that value as the
+      <parameter>algorithm</>.
+     </para>
+
+     <para>
+      The return value is a string allocated by <function>malloc</>.
+      The caller can assume the string doesn't contain any special characters
+      that would require escaping.  Use <function>PQfreemem</> to free the
+      result when done with it. On error, returns <symbol>NULL</>, and
+      a suitable message is stored in the connection object.
+     </para>
+
+    </listitem>
+   </varlistentry>
+
+   <varlistentry id="libpq-pqencryptpassword">
+    <term>
+     <function>PQencryptPassword</function>
+     <indexterm>
+      <primary>PQencryptPassword</primary>
+     </indexterm>
+    </term>
+
+    <listitem>
+     <para>
+      Prepares the md5-encrypted form of a <productname>PostgreSQL</> password.
+ <synopsis>
+char *PQencryptPassword(const char *passwd, const char *user);
+ </synopsis>
+      <function>PQencryptPassword</> is an older, deprecated version of 
+      <function>PQencryptPasswodConn</>. The difference is that
+      <function>PQencryptPassword</> does not 
+      require a connection object, and <literal>md5</> is always used as the
+      encryption algorithm.
      </para>
     </listitem>
    </varlistentry>
diff --git a/src/interfaces/libpq/exports.txt b/src/interfaces/libpq/exports.txt
index 21dd772ca9..d6a38d0df8 100644
--- a/src/interfaces/libpq/exports.txt
+++ b/src/interfaces/libpq/exports.txt
@@ -171,3 +171,4 @@ PQsslAttributeNames       168
 PQsslAttribute            169
 PQsetErrorContextVisibility 170
 PQresultVerboseErrorMessage 171
+PQencryptPasswordConn     172
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index c56e91e0e0..6910c1e6db 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -610,6 +610,38 @@ verify_server_proof(fe_scram_state *state)
 	return true;
 }
 
+char *
+pg_fe_scram_build_verifier(const char *password)
+{
+	char	   *prep_password = NULL;
+	pg_saslprep_rc rc;
+	char		saltbuf[SCRAM_DEFAULT_SALT_LEN];
+	char	   *result;
+
+	/*
+	 * Normalize the password with SASLprep.  If that doesn't work, because
+	 * the password isn't valid UTF-8 or contains prohibited characters, just
+	 * proceed with the original password.  (See comments at top of file.)
+	 */
+	rc = pg_saslprep(password, &prep_password);
+	if (rc == SASLPREP_OOM)
+		return NULL;
+	if (rc == SASLPREP_SUCCESS)
+		password = (const char *) prep_password;
+
+	/* Generate salt */
+	if (!pg_frontend_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
+		return NULL;
+
+	result = scram_build_verifier(saltbuf, SCRAM_DEFAULT_SALT_LEN,
+								  SCRAM_DEFAULT_ITERATIONS, password);
+
+	if (prep_password)
+		free(prep_password);
+
+	return result;
+}
+
 /*
  * Random number generator.
  */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index d81ee4f944..517854a305 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -1077,7 +1077,33 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
 
 
 /*
- * PQencryptPassword -- exported routine to encrypt a password
+ * PQencryptPassword -- exported routine to encrypt a password with MD5
+ *
+ * This function is equivalent to calling PQencryptPasswordConn with
+ * "md5" as the encryption method, except that this doesn't require
+ * a connection object. This function is deprecated, use
+ * PQencryptPasswordConn instead.
+ */
+char *
+PQencryptPassword(const char *passwd, const char *user)
+{
+	char	   *crypt_pwd;
+
+	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+	if (!crypt_pwd)
+		return NULL;
+
+	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+	{
+		free(crypt_pwd);
+		return NULL;
+	}
+
+	return crypt_pwd;
+}
+
+/*
+ * PQencryptPasswordConn -- exported routine to encrypt a password
  *
  * This is intended to be used by client applications that wish to send
  * commands like ALTER USER joe PASSWORD 'pwd'.  The password need not
@@ -1087,27 +1113,102 @@ pg_fe_getauthname(PQExpBuffer errorMessage)
  * be dependent on low-level details like whether the encryption is MD5
  * or something else.
  *
- * Arguments are the cleartext password, and the SQL name of the user it
- * is for.
+ * Arguments are a connection object, the cleartext password, the SQL
+ * name of the user it is for, and a string indicating the algorithm to
+ * use for encrypting the password. If algorithm is NULL, this queries
+ * the server for the current 'password_encryption' value. If you wish
+ * to avoid that, e.g. to avoid blocking, you can execute
+ * 'show password_encryption' yourself before calling this function, and pass
+ * it as the algorithm.
  *
- * Return value is a malloc'd string, or NULL if out-of-memory.  The client
- * may assume the string doesn't contain any special characters that would
- * require escaping.
+ * Return value is a malloc'd string. The client may assume the string
+ * doesn't contain any special characters that would require escaping.
+ * On error, an error message is stored in the connection object, and
+ * returns NULL.
  */
 char *
-PQencryptPassword(const char *passwd, const char *user)
+PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
+					  const char *algorithm)
 {
-	char	   *crypt_pwd;
+#define MAX_ALGORITHM_NAME_LEN 50
+	char		algobuf[MAX_ALGORITHM_NAME_LEN + 1];
+	char	   *crypt_pwd = NULL;
 
-	crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
-	if (!crypt_pwd)
+	if (!conn)
 		return NULL;
 
-	if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+	/* If no algorithm was given, ask the server. */
+	if (algorithm == NULL)
 	{
-		free(crypt_pwd);
+		PGresult   *res;
+		char	   *val;
+
+		res = PQexec(conn, "show password_encryption");
+		if (res == NULL)
+		{
+			/* PQexec() should've set conn->errorMessage already */
+			return NULL;
+		}
+		if (PQresultStatus(res) != PGRES_TUPLES_OK)
+		{
+			/* PQexec() should've set conn->errorMessage already */
+			PQclear(res);
+			return NULL;
+		}
+		if (PQntuples(res) != 1 || PQnfields(res) != 1)
+		{
+			PQclear(res);
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("unexpected shape of result set returned for SHOW\n"));
+			return NULL;
+		}
+		val = PQgetvalue(res, 0, 0);
+
+		if (strlen(val) > MAX_ALGORITHM_NAME_LEN)
+		{
+			PQclear(res);
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("password_encryption value too long\n"));
+			return NULL;
+		}
+		strcpy(algobuf, val);
+		PQclear(res);
+
+		algorithm = algobuf;
+	}
+
+	/* Ok, now we know what algorithm to use */
+
+	if (strcmp(algorithm, "scram-sha-256") == 0)
+	{
+		crypt_pwd = pg_fe_scram_build_verifier(passwd);
+	}
+	else if (strcmp(algorithm, "md5") == 0)
+	{
+		crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
+		if (crypt_pwd)
+		{
+			if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
+			{
+				free(crypt_pwd);
+				crypt_pwd = NULL;
+			}
+		}
+	}
+	else if (strcmp(algorithm, "plain") == 0)
+	{
+		crypt_pwd = strdup(passwd);
+	}
+	else
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("unknown password encryption algorithm\n"));
 		return NULL;
 	}
 
+	if (!crypt_pwd)
+		printfPQExpBuffer(&conn->errorMessage,
+						  libpq_gettext("out of memory\n"));
+
 	return crypt_pwd;
 }
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index a5c739f01a..9f4c2a50d8 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -28,5 +28,6 @@ extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
 					 bool *done, bool *success, PQExpBuffer errorMessage);
+extern char *pg_fe_scram_build_verifier(const char *password);
 
 #endif   /* FE_AUTH_H */
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 635af5b50e..c1497f00b6 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -597,6 +597,7 @@ extern int	PQenv2encoding(void);
 /* === in fe-auth.c === */
 
 extern char *PQencryptPassword(const char *passwd, const char *user);
+extern char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *method);
 
 /* === in encnames.c === */
 
-- 
2.11.0

From a335389bbe31fdf365250fdbdf1f5d01940dad86 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Wed, 26 Apr 2017 12:57:12 +0300
Subject: [PATCH 3/3] Use new PQencryptPasswordConn function in psql and
 createuser

This fixes the issue reported by Jeff Janes, that there was previously
no way to create a SCRAM verifier with "\password".

Michael Paquier and me

Discussion: https://www.postgresql.org/message-id/CAMkU%3D1wfBgFPbfAMYZQE78p%3DVhZX7nN86aWkp0QcCp%3D%2BKxZ%3Dbg%40mail.gmail.com
---
 src/bin/psql/command.c       | 2 +-
 src/bin/scripts/createuser.c | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 859ded71f6..51bd8f9cc9 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1878,7 +1878,7 @@ exec_command_password(PsqlScanState scan_state, bool active_branch)
 			else
 				user = PQuser(pset.db);
 
-			encrypted_password = PQencryptPassword(pw1, user);
+			encrypted_password = PQencryptPasswordConn(pset.db, pw1, user, NULL);
 
 			if (!encrypted_password)
 			{
diff --git a/src/bin/scripts/createuser.c b/src/bin/scripts/createuser.c
index 3d74797a8f..087a5ca05f 100644
--- a/src/bin/scripts/createuser.c
+++ b/src/bin/scripts/createuser.c
@@ -274,8 +274,10 @@ main(int argc, char *argv[])
 		{
 			char	   *encrypted_password;
 
-			encrypted_password = PQencryptPassword(newpassword,
-												   newuser);
+			encrypted_password = PQencryptPasswordConn(conn,
+													   newpassword,
+													   newuser,
+													   NULL);
 			if (!encrypted_password)
 			{
 				fprintf(stderr, _("Password encryption failed.\n"));
-- 
2.11.0