author | Jeff Davis | 2019-09-23 20:45:23 +0000 |
committer | Jeff Davis | 2019-09-23 21:03:35 +0000 |
commit | d6e612f837e235db0411e8b67558c9a6b3e9f41f (patch) | |
tree | a677e3cfdfc4f086b5272dcae746af4243d3ea2e /src/test/ssl/t/002_scram.pl | |
parent | 13cd97e6c8c9679a9b2384c22a4f0333b1a5cc55 (diff) |
Add libpq parameter 'channel_binding'.
Allow clients to require channel binding to enhance security against
untrusted servers.
Author: Jeff Davis
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/227015d8417f2b4fef03f8966dbfa5cbcc4f44da.camel%40j-davis.com
Diffstat (limited to 'src/test/ssl/t/002_scram.pl')
-rw-r--r-- | src/test/ssl/t/002_scram.pl | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 7c4b821cb78..5fa2dbde1c1 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -18,7 +18,7 @@ if ($ENV{with_openssl} ne 'yes')
 plan skip_all => 'SSL not supported by this build';
 }
-my $number_of_tests = 1;
+my $number_of_tests = 9;
 # This is the hostname used to connect to the server.
 my $SERVERHOSTADDR = '127.0.0.1';
@@ -44,9 +44,42 @@ configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
 switch_server_cert($node, 'server-cn-only');
 $ENV{PGPASSWORD} = "pass";
 $common_connstr =
- "user=ssltestuser dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";
+ "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";
 # Default settings
-test_connect_ok($common_connstr, '', "Basic SCRAM authentication with SSL");
+test_connect_ok($common_connstr, "user=ssltestuser",
+ "Basic SCRAM authentication with SSL");
+
+# Test channel_binding
+test_connect_fails(
+ $common_connstr,
+ "user=ssltestuser channel_binding=invalid_value",
+ qr/invalid channel_binding value: "invalid_value"/,
+ "SCRAM with SSL and channel_binding=invalid_value");
+test_connect_ok(
+ $common_connstr,
+ "user=ssltestuser channel_binding=disable",
+ "SCRAM with SSL and channel_binding=disable");
+test_connect_ok(
+ $common_connstr,
+ "user=ssltestuser channel_binding=require",
+ "SCRAM with SSL and channel_binding=require");
+
+# Now test when the user has an MD5-encrypted password; should fail
+test_connect_fails(
+ $common_connstr,
+ "user=md5testuser channel_binding=require",
+ qr/Channel binding required but not supported by server's authentication request/,
+ "MD5 with SSL and channel_binding=require");
+
+# Now test with auth method 'cert' by connecting to 'certdb'. Should
+# fail, because channel binding is not performed.
+copy("ssl/client.key", "ssl/client_tmp.key");
+chmod 0600, "ssl/client_tmp.key";
+test_connect_fails(
+ "sslcert=ssl/client.crt sslkey=ssl/client_tmp.key hostaddr=$SERVERHOSTADDR",
+ "dbname=certdb user=ssltestuser channel_binding=require",
+ qr/Channel binding required, but server authenticated client without channel binding/,
+ "Cert authentication and channel_binding=require");
 done_testing($number_of_tests); |
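Review bot: The `copy` and `chmod` that stage ssl/client_tmp.key for the cert test are unchecked, and the copied private key is never unlinked, so a failed copy only shows up as an unexpected error message in the final test_connect_fails and the key copy stays behind in the test tree after done_testing. I would write `copy("ssl/client.key", "ssl/client_tmp.key") or die "couldn't copy ssl/client.key: $!";` and `chmod 0600, "ssl/client_tmp.key" or die "couldn't chmod ssl/client_tmp.key: $!";`, and add `unlink("ssl/client_tmp.key");` before `done_testing($number_of_tests);`. Since copy() creates the file under the ambient umask before chmod narrows it, a short comment saying the 0600 exists to satisfy libpq's key-permission check rather than to protect the key would help the next reader. copy() also presumes File::Copy is in scope; the file's use lines are outside this hunk, so I could not confirm it is imported.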