From a12c75a1048295f03cf85533d6dcab5072ba262b Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 30 Sep 2019 13:11:31 +0900 Subject: [PATCH] Fix SSL test for libpq connection parameter channel_binding When compiling Postgres with OpenSSL 1.0.1 or older versions, SCRAM's channel binding cannot be supported as X509_get_signature_nid() is needed, which causes a regression test with channel_binding='require' to fail as the server cannot publish SCRAM-SHA-256-PLUS as SASL mechanism over an SSL connection. Fix the issue by using a method similar to c3d41cc, making the test result conditional. The test passes if X509_get_signature_nid() is present, and when missing we test for a connection failure. Testing a connection failure is more useful than skipping the test as we should fail the connection if channel binding is required by the client but the server does not support it. Reported-by: Tom Lane, Michael Paquier Author: Michael Paquier Discussion: https://postgr.es/m/20190927024457.GA8485@paquier.xyz Discussion: https://postgr.es/m/24857.1569775891@sss.pgh.pa.us --- src/test/ssl/t/002_scram.pl | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 5fa2dbde1c..c08aa19aee 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes') plan skip_all => 'SSL not supported by this build'; } -my $number_of_tests = 9; - # This is the hostname used to connect to the server. my $SERVERHOSTADDR = '127.0.0.1'; +# Determine whether build supports tls-server-end-point. +my $supports_tls_server_end_point = + check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1"); + +my $number_of_tests = $supports_tls_server_end_point ? 9 : 10; + # Allocation of base connection string shared among multiple tests. my $common_connstr; @@ -60,10 +64,21 @@ test_connect_ok( $common_connstr, "user=ssltestuser channel_binding=disable", "SCRAM with SSL and channel_binding=disable"); -test_connect_ok( - $common_connstr, - "user=ssltestuser channel_binding=require", - "SCRAM with SSL and channel_binding=require"); +if ($supports_tls_server_end_point) +{ + test_connect_ok( + $common_connstr, + "user=ssltestuser channel_binding=require", + "SCRAM with SSL and channel_binding=require"); +} +else +{ + test_connect_fails( + $common_connstr, + "user=ssltestuser channel_binding=require", + qr/could not connect to server: channel binding is required, but server did not offer an authentication method that supports channel binding/, + "SCRAM with SSL and channel_binding=require"); +} # Now test when the user has an MD5-encrypted password; should fail test_connect_fails(