opensourcemirror
/
postgresql
mirror of git://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix SSL test for libpq connection parameter channel_binding 

When compiling Postgres with OpenSSL 1.0.1 or older versions, SCRAM's
channel binding cannot be supported as X509_get_signature_nid() is
needed, which causes a regression test with channel_binding='require' to
fail as the server cannot publish SCRAM-SHA-256-PLUS as SASL mechanism
over an SSL connection.

Fix the issue by using a method similar to c3d41cc, making the test
result conditional.  The test passes if X509_get_signature_nid() is
present, and when missing we test for a connection failure.  Testing a
connection failure is more useful than skipping the test as we should
fail the connection if channel binding is required by the client but the
server does not support it.

Reported-by: Tom Lane, Michael Paquier
Author: Michael Paquier
Discussion: https://postgr.es/m/20190927024457.GA8485@paquier.xyz
Discussion: https://postgr.es/m/24857.1569775891@sss.pgh.pa.us
This commit is contained in:
Michael Paquier 2019-09-30 13:11:31 +09:00
parent 7acf8a876b
commit a12c75a104
1 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/test/ssl/t/002_scram.pl
View File

@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes')
plan skip_all => 'SSL not supported by this build';
}
my $number_of_tests = 9;
# This is the hostname used to connect to the server.
my $SERVERHOSTADDR = '127.0.0.1';
# Determine whether build supports tls-server-end-point.
my $supports_tls_server_end_point =
check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;
# Allocation of base connection string shared among multiple tests.
my $common_connstr;
@ -60,10 +64,21 @@ test_connect_ok(
$common_connstr,
"user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable");
test_connect_ok(
$common_connstr,
"user=ssltestuser channel_binding=require",
"SCRAM with SSL and channel_binding=require");
if ($supports_tls_server_end_point)
{
test_connect_ok(
$common_connstr,
"user=ssltestuser channel_binding=require",
"SCRAM with SSL and channel_binding=require");
}
else
{
test_connect_fails(
$common_connstr,
"user=ssltestuser channel_binding=require",
qr/could not connect to server: channel binding is required, but server did not offer an authentication method that supports channel binding/,
"SCRAM with SSL and channel_binding=require");
}
# Now test when the user has an MD5-encrypted password; should fail
test_connect_fails(