diff options
Diffstat (limited to 'src/test/ssl/t')
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 552 | ||||
| -rw-r--r-- | src/test/ssl/t/002_scram.pl | 108 | ||||
| -rw-r--r-- | src/test/ssl/t/SSLServer.pm | 213 |
3 files changed, 873 insertions, 0 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl new file mode 100644 index 0000000..c0680f3 --- /dev/null +++ b/src/test/ssl/t/001_ssltests.pl @@ -0,0 +1,552 @@ +use strict; +use warnings; +use PostgresNode; +use TestLib; +use Test::More; + +use File::Copy; + +use FindBin; +use lib $FindBin::RealBin; + +use SSLServer; + +if ($ENV{with_openssl} eq 'yes') +{ + plan tests => 93; +} +else +{ + plan skip_all => 'SSL not supported by this build'; +} + +#### Some configuration + +# This is the hostname used to connect to the server. This cannot be a +# hostname, because the server certificate is always for the domain +# postgresql-ssl-regression.test. +my $SERVERHOSTADDR = '127.0.0.1'; +# This is the pattern to use in pg_hba.conf to match incoming connections. +my $SERVERHOSTCIDR = '127.0.0.1/32'; + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +# The client's private key must not be world-readable, so take a copy +# of the key stored in the code tree and update its permissions. +# +# This changes ssl/client.key to ssl/client_tmp.key etc for the rest +# of the tests. +my @keys = ( + "client", "client-revoked", + "client-der", "client-encrypted-pem", + "client-encrypted-der"); +foreach my $key (@keys) +{ + copy("ssl/${key}.key", "ssl/${key}_tmp.key") + or die + "couldn't copy ssl/${key}.key to ssl/${key}_tmp.key for permissions change: $!"; + chmod 0600, "ssl/${key}_tmp.key" + or die "failed to change permissions on ssl/${key}_tmp.key: $!"; +} + +# Also make a copy of that explicitly world-readable. We can't +# necessarily rely on the file in the source tree having those +# permissions. Add it to @keys to include it in the final clean +# up phase. +copy("ssl/client.key", "ssl/client_wrongperms_tmp.key"); +chmod 0644, "ssl/client_wrongperms_tmp.key"; +push @keys, 'client_wrongperms'; + +#### Set up the server. + +note "setting up data directory"; +my $node = get_new_node('master'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +# Run this before we lock down access below. +my $result = $node->safe_psql('postgres', "SHOW ssl_library"); +is($result, 'OpenSSL', 'ssl_library parameter'); + +configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, + 'trust'); + +note "testing password-protected keys"; + +open my $sslconf, '>', $node->data_dir . "/sslconfig.conf"; +print $sslconf "ssl=on\n"; +print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; +print $sslconf "ssl_key_file='server-password.key'\n"; +print $sslconf "ssl_passphrase_command='echo wrongpassword'\n"; +close $sslconf; + +command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with password-protected key file with wrong password'); +$node->_update_pid(0); + +open $sslconf, '>', $node->data_dir . "/sslconfig.conf"; +print $sslconf "ssl=on\n"; +print $sslconf "ssl_cert_file='server-cn-only.crt'\n"; +print $sslconf "ssl_key_file='server-password.key'\n"; +print $sslconf "ssl_passphrase_command='echo secret1'\n"; +close $sslconf; + +command_ok( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart succeeds with password-protected key file'); +$node->_update_pid(1); + +# Test compatibility of SSL protocols. +# TLSv1.1 is lower than TLSv1.2, so it won't work. +$node->append_conf( + 'postgresql.conf', + qq{ssl_min_protocol_version='TLSv1.2' +ssl_max_protocol_version='TLSv1.1'}); +command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with incorrect SSL protocol bounds'); +# Go back to the defaults, this works. +$node->append_conf( + 'postgresql.conf', + qq{ssl_min_protocol_version='TLSv1.2' +ssl_max_protocol_version=''}); +command_ok( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart succeeds with correct SSL protocol bounds'); + +### Run client-side tests. +### +### Test that libpq accepts/rejects the connection correctly, depending +### on sslmode and whether the server's certificate looks correct. No +### client certificate is used in these tests. + +note "running client tests"; + +switch_server_cert($node, 'server-cn-only'); + +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + +# The server should not accept non-SSL connections. +test_connect_fails( + $common_connstr, "sslmode=disable", + qr/\Qno pg_hba.conf entry\E/, + "server doesn't accept non-SSL connections"); + +# Try without a root cert. In sslmode=require, this should work. In verify-ca +# or verify-full mode it should fail. +test_connect_ok( + $common_connstr, + "sslrootcert=invalid sslmode=require", + "connect without server root cert sslmode=require"); +test_connect_fails( + $common_connstr, + "sslrootcert=invalid sslmode=verify-ca", + qr/root certificate file "invalid" does not exist/, + "connect without server root cert sslmode=verify-ca"); +test_connect_fails( + $common_connstr, + "sslrootcert=invalid sslmode=verify-full", + qr/root certificate file "invalid" does not exist/, + "connect without server root cert sslmode=verify-full"); + +# Try with wrong root cert, should fail. (We're using the client CA as the +# root, but the server's key is signed by the server CA.) +test_connect_fails($common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=require", + qr/SSL error/, "connect with wrong server root cert sslmode=require"); +test_connect_fails($common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-ca", + qr/SSL error/, "connect with wrong server root cert sslmode=verify-ca"); +test_connect_fails($common_connstr, + "sslrootcert=ssl/client_ca.crt sslmode=verify-full", + qr/SSL error/, "connect with wrong server root cert sslmode=verify-full"); + +# Try with just the server CA's cert. This fails because the root file +# must contain the whole chain up to the root CA. +test_connect_fails($common_connstr, + "sslrootcert=ssl/server_ca.crt sslmode=verify-ca", + qr/SSL error/, "connect with server CA cert, without root CA"); + +# And finally, with the correct root cert. +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=require", + "connect with correct server CA cert file sslmode=require"); +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "connect with correct server CA cert file sslmode=verify-ca"); +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-full", + "connect with correct server CA cert file sslmode=verify-full"); + +# Test with cert root file that contains two certificates. The client should +# be able to pick the right one, regardless of the order in the file. +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 1"); +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 2"); + +# CRL tests + +# Invalid CRL filename is the same as no CRL, succeeds +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid", + "sslcrl option with invalid file name"); + +# A CRL belonging to a different CA is not accepted, fails +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", + qr/SSL error/, + "CRL belonging to a different CA"); + +# With the correct CRL, succeeds (this cert is not revoked) +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "CRL with a non-revoked cert"); + +# Check that connecting with verify-full fails, when the hostname doesn't +# match the hostname in the server's certificate. +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + +test_connect_ok( + $common_connstr, + "sslmode=require host=wronghost.test", + "mismatch between host name and server certificate sslmode=require"); +test_connect_ok( + $common_connstr, + "sslmode=verify-ca host=wronghost.test", + "mismatch between host name and server certificate sslmode=verify-ca"); +test_connect_fails( + $common_connstr, + "sslmode=verify-full host=wronghost.test", + qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/, + "mismatch between host name and server certificate sslmode=verify-full"); + +# Test Subject Alternative Names. +switch_server_cert($node, 'server-multiple-alt-names'); + +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +test_connect_ok( + $common_connstr, + "host=dns1.alt-name.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names 1"); +test_connect_ok( + $common_connstr, + "host=dns2.alt-name.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names 2"); +test_connect_ok( + $common_connstr, + "host=foo.wildcard.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names wildcard"); + +test_connect_fails( + $common_connstr, + "host=wronghost.alt-name.pg-ssltest.test", + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/, + "host name not matching with X.509 Subject Alternative Names"); +test_connect_fails( + $common_connstr, + "host=deep.subdomain.wildcard.pg-ssltest.test", + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/, + "host name not matching with X.509 Subject Alternative Names wildcard"); + +# Test certificate with a single Subject Alternative Name. (this gives a +# slightly different error message, that's all) +switch_server_cert($node, 'server-single-alt-name'); + +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +test_connect_ok( + $common_connstr, + "host=single.alt-name.pg-ssltest.test", + "host name matching with a single X.509 Subject Alternative Name"); + +test_connect_fails( + $common_connstr, + "host=wronghost.alt-name.pg-ssltest.test", + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/, + "host name not matching with a single X.509 Subject Alternative Name"); +test_connect_fails( + $common_connstr, + "host=deep.subdomain.wildcard.pg-ssltest.test", + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/, + "host name not matching with a single X.509 Subject Alternative Name wildcard" +); + +# Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN +# should be ignored when the certificate has both. +switch_server_cert($node, 'server-cn-and-alt-names'); + +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +test_connect_ok( + $common_connstr, + "host=dns1.alt-name.pg-ssltest.test", + "certificate with both a CN and SANs 1"); +test_connect_ok( + $common_connstr, + "host=dns2.alt-name.pg-ssltest.test", + "certificate with both a CN and SANs 2"); +test_connect_fails( + $common_connstr, + "host=common-name.pg-ssltest.test", + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/, + "certificate with both a CN and SANs ignores CN"); + +# Finally, test a server certificate that has no CN or SANs. Of course, that's +# not a very sensible certificate, but libpq should handle it gracefully. +switch_server_cert($node, 'server-no-names'); +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + +test_connect_ok( + $common_connstr, + "sslmode=verify-ca host=common-name.pg-ssltest.test", + "server certificate without CN or SANs sslmode=verify-ca"); +test_connect_fails( + $common_connstr, + "sslmode=verify-full host=common-name.pg-ssltest.test", + qr/could not get server's host name from server certificate/, + "server certificate without CN or SANs sslmode=verify-full"); + +# Test that the CRL works +switch_server_cert($node, 'server-revoked'); + +$common_connstr = + "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + +# Without the CRL, succeeds. With it, fails. +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "connects without client-side CRL"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + qr/SSL error/, + "does not connect with client-side CRL"); + +# pg_stat_ssl +command_like( + [ + 'psql', '-X', + '-A', '-F', + ',', '-P', + 'null=_null_', '-d', + "$common_connstr sslrootcert=invalid", '-c', + "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" + ], + qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,_null_,_null_,_null_\r?$}mx, + 'pg_stat_ssl view without client certificate'); + +# Test min/max SSL protocol versions. +test_connect_ok( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2", + "connection success with correct range of TLS protocol versions"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1", + qr/invalid SSL protocol version range/, + "connection failure with incorrect range of TLS protocol versions"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls", + qr/invalid ssl_min_protocol_version value/, + "connection failure with an incorrect SSL protocol minimum bound"); +test_connect_fails( + $common_connstr, + "sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls", + qr/invalid ssl_max_protocol_version value/, + "connection failure with an incorrect SSL protocol maximum bound"); + +### Server-side tests. +### +### Test certificate authorization. + +note "running server tests"; + +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR"; + +# no client cert +test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=invalid", + qr/connection requires a valid client certificate/, + "certificate authorization fails without client cert"); + +# correct client cert in unencrypted PEM +test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + "certificate authorization succeeds with correct client cert in PEM format" +); + +# correct client cert in unencrypted DER +test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-der_tmp.key", + "certificate authorization succeeds with correct client cert in DER format" +); + +# correct client cert in encrypted PEM +test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted PEM format" +); + +# correct client cert in encrypted DER +test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-der_tmp.key sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted DER format" +); + +# correct client cert in encrypted PEM with wrong password +test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword='wrong'", + qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": bad decrypt\E!, + "certificate authorization fails with correct client cert and wrong password in encrypted PEM format" +); + +TODO: +{ + # these tests are left here waiting on us to get better pty support + # so they don't hang. For now they are not performed. + + todo_skip "Need Pty support", 4; + + # correct client cert in encrypted PEM with empty password + test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key sslpassword=''", + qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!, + "certificate authorization fails with correct client cert and empty password in encrypted PEM format" + ); + + # correct client cert in encrypted PEM with no password + test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client-encrypted-pem_tmp.key", + qr!\Qprivate key file "ssl/client-encrypted-pem_tmp.key": processing error\E!, + "certificate authorization fails with correct client cert and no password in encrypted PEM format" + ); + +} + +# pg_stat_ssl +command_like( + [ + 'psql', + '-X', + '-A', + '-F', + ',', + '-P', + 'null=_null_', + '-d', + "$common_connstr user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + '-c', + "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" + ], + qr{^pid,ssl,version,cipher,bits,compression,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,f,/CN=ssltestuser,1,\Q/CN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + 'pg_stat_ssl with client certificate'); + +# client key with wrong permissions +SKIP: +{ + skip "Permissions check not enforced on Windows", 2 if ($windows_os); + + test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_wrongperms_tmp.key", + qr!\Qprivate key file "ssl/client_wrongperms_tmp.key" has group or world access\E!, + "certificate authorization fails because of file permissions"); +} + +# client cert belonging to another user +test_connect_fails( + $common_connstr, + "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + qr/certificate authentication failed for user "anotheruser"/, + "certificate authorization fails with client cert belonging to another user" +); + +# revoked client cert +test_connect_fails( + $common_connstr, + "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked_tmp.key", + qr/SSL error/, + "certificate authorization fails with revoked client cert"); + +# Check that connecting with auth-option verify-full in pg_hba: +# works, iff username matches Common Name +# fails, iff username doesn't match Common Name. +$common_connstr = + "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR"; + +test_connect_ok( + $common_connstr, + "user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + "auth_option clientcert=verify-full succeeds with matching username and Common Name" +); + +test_connect_fails( + $common_connstr, + "user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + qr/FATAL/, + "auth_option clientcert=verify-full fails with mismatching username and Common Name" +); + +# Check that connecting with auth-optionverify-ca in pg_hba : +# works, when username doesn't match Common Name +test_connect_ok( + $common_connstr, + "user=yetanotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key", + "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name" +); + +# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file +switch_server_cert($node, 'server-cn-only', 'root_ca'); +$common_connstr = + "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + +test_connect_ok( + $common_connstr, + "sslmode=require sslcert=ssl/client+client_ca.crt", + "intermediate client certificate is provided by client"); +test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt", + qr/SSL error/, "intermediate client certificate is missing"); + +# clean up +foreach my $key (@keys) +{ + unlink("ssl/${key}_tmp.key"); +} diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl new file mode 100644 index 0000000..d1e8d88 --- /dev/null +++ b/src/test/ssl/t/002_scram.pl @@ -0,0 +1,108 @@ +# Test SCRAM authentication and TLS channel binding types + +use strict; +use warnings; +use PostgresNode; +use TestLib; +use Test::More; + +use File::Copy; + +use FindBin; +use lib $FindBin::RealBin; + +use SSLServer; + +if ($ENV{with_openssl} ne 'yes') +{ + plan skip_all => 'SSL not supported by this build'; +} + +# This is the hostname used to connect to the server. +my $SERVERHOSTADDR = '127.0.0.1'; +# This is the pattern to use in pg_hba.conf to match incoming connections. +my $SERVERHOSTCIDR = '127.0.0.1/32'; + +# Determine whether build supports tls-server-end-point. +my $supports_tls_server_end_point = + check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1"); + +my $number_of_tests = $supports_tls_server_end_point ? 9 : 10; + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +# Set up the server. + +note "setting up data directory"; +my $node = get_new_node('master'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +# Configure server for SSL connections, with password handling. +configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, + "scram-sha-256", "pass", "scram-sha-256"); +switch_server_cert($node, 'server-cn-only'); +$ENV{PGPASSWORD} = "pass"; +$common_connstr = + "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR"; + +# Default settings +test_connect_ok($common_connstr, "user=ssltestuser", + "Basic SCRAM authentication with SSL"); + +# Test channel_binding +test_connect_fails( + $common_connstr, + "user=ssltestuser channel_binding=invalid_value", + qr/invalid channel_binding value: "invalid_value"/, + "SCRAM with SSL and channel_binding=invalid_value"); +test_connect_ok( + $common_connstr, + "user=ssltestuser channel_binding=disable", + "SCRAM with SSL and channel_binding=disable"); +if ($supports_tls_server_end_point) +{ + test_connect_ok( + $common_connstr, + "user=ssltestuser channel_binding=require", + "SCRAM with SSL and channel_binding=require"); +} +else +{ + test_connect_fails( + $common_connstr, + "user=ssltestuser channel_binding=require", + qr/channel binding is required, but server did not offer an authentication method that supports channel binding/, + "SCRAM with SSL and channel_binding=require"); +} + +# Now test when the user has an MD5-encrypted password; should fail +test_connect_fails( + $common_connstr, + "user=md5testuser channel_binding=require", + qr/channel binding required but not supported by server's authentication request/, + "MD5 with SSL and channel_binding=require"); + +# Now test with auth method 'cert' by connecting to 'certdb'. Should fail, +# because channel binding is not performed. Note that ssl/client.key may +# be used in a different test, so the name of this temporary client key +# is chosen here to be unique. +my $client_tmp_key = "ssl/client_scram_tmp.key"; +copy("ssl/client.key", $client_tmp_key); +chmod 0600, $client_tmp_key; +test_connect_fails( + "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR", + "dbname=certdb user=ssltestuser channel_binding=require", + qr/channel binding required, but server authenticated client without channel binding/, + "Cert authentication and channel_binding=require"); + +# clean up +unlink($client_tmp_key); + +done_testing($number_of_tests); diff --git a/src/test/ssl/t/SSLServer.pm b/src/test/ssl/t/SSLServer.pm new file mode 100644 index 0000000..1e392b8 --- /dev/null +++ b/src/test/ssl/t/SSLServer.pm @@ -0,0 +1,213 @@ +# This module sets up a test server, for the SSL regression tests. +# +# The server is configured as follows: +# +# - SSL enabled, with the server certificate specified by argument to +# switch_server_cert function. +# - ssl/root+client_ca.crt as the CA root for validating client certs. +# - reject non-SSL connections +# - a database called trustdb that lets anyone in +# - another database called certdb that uses certificate authentication, ie. +# the client must present a valid certificate signed by the client CA +# - two users, called ssltestuser and anotheruser. +# +# The server is configured to only accept connections from localhost. If you +# want to run the client from another host, you'll have to configure that +# manually. +# +# Note: Someone running these test could have key or certificate files +# in their ~/.postgresql/, which would interfere with the tests. The +# way to override that is to specify sslcert=invalid and/or +# sslrootcert=invalid if no actual certificate is used for a +# particular test. libpq will ignore specifications that name +# nonexisting files. (sslkey and sslcrl do not need to specified +# explicitly because an invalid sslcert or sslrootcert, respectively, +# causes those to be ignored.) + +package SSLServer; + +use strict; +use warnings; +use PostgresNode; +use TestLib; +use File::Basename; +use File::Copy; +use Test::More; + +use Exporter 'import'; +our @EXPORT = qw( + configure_test_server_for_ssl + switch_server_cert + test_connect_fails + test_connect_ok +); + +# Define a couple of helper functions to test connecting to the server. + +# The first argument is a base connection string to use for connection. +# The second argument is a complementary connection string. +sub test_connect_ok +{ + local $Test::Builder::Level = $Test::Builder::Level + 1; + + my ($common_connstr, $connstr, $test_name) = @_; + + my $cmd = [ + 'psql', '-X', '-A', '-t', '-c', + "SELECT \$\$connected with $connstr\$\$", + '-d', "$common_connstr $connstr" + ]; + + command_ok($cmd, $test_name); + return; +} + +sub test_connect_fails +{ + local $Test::Builder::Level = $Test::Builder::Level + 1; + + my ($common_connstr, $connstr, $expected_stderr, $test_name) = @_; + + my $cmd = [ + 'psql', '-X', '-A', '-t', '-c', + "SELECT \$\$connected with $connstr\$\$", + '-d', "$common_connstr $connstr" + ]; + + command_fails_like($cmd, $expected_stderr, $test_name); + return; +} + +# Copy a set of files, taking into account wildcards +sub copy_files +{ + my $orig = shift; + my $dest = shift; + + my @orig_files = glob $orig; + foreach my $orig_file (@orig_files) + { + my $base_file = basename($orig_file); + copy($orig_file, "$dest/$base_file") + or die "Could not copy $orig_file to $dest"; + } + return; +} + +# serverhost: what to put in listen_addresses, e.g. '127.0.0.1' +# servercidr: what to put in pg_hba.conf, e.g. '127.0.0.1/32' +sub configure_test_server_for_ssl +{ + my ($node, $serverhost, $servercidr, $authmethod, $password, + $password_enc) = @_; + + my $pgdata = $node->data_dir; + + # Create test users and databases + $node->psql('postgres', "CREATE USER ssltestuser"); + $node->psql('postgres', "CREATE USER md5testuser"); + $node->psql('postgres', "CREATE USER anotheruser"); + $node->psql('postgres', "CREATE USER yetanotheruser"); + $node->psql('postgres', "CREATE DATABASE trustdb"); + $node->psql('postgres', "CREATE DATABASE certdb"); + $node->psql('postgres', "CREATE DATABASE verifydb"); + + # Update password of each user as needed. + if (defined($password)) + { + $node->psql('postgres', + "SET password_encryption='$password_enc'; ALTER USER ssltestuser PASSWORD '$password';" + ); + # A special user that always has an md5-encrypted password + $node->psql('postgres', + "SET password_encryption='md5'; ALTER USER md5testuser PASSWORD '$password';" + ); + $node->psql('postgres', + "SET password_encryption='$password_enc'; ALTER USER anotheruser PASSWORD '$password';" + ); + } + + # enable logging etc. + open my $conf, '>>', "$pgdata/postgresql.conf"; + print $conf "fsync=off\n"; + print $conf "log_connections=on\n"; + print $conf "log_hostname=on\n"; + print $conf "listen_addresses='$serverhost'\n"; + print $conf "log_statement=all\n"; + + # enable SSL and set up server key + print $conf "include 'sslconfig.conf'\n"; + + close $conf; + + # ssl configuration will be placed here + open my $sslconf, '>', "$pgdata/sslconfig.conf"; + close $sslconf; + + # Copy all server certificates and keys, and client root cert, to the data dir + copy_files("ssl/server-*.crt", $pgdata); + copy_files("ssl/server-*.key", $pgdata); + chmod(0600, glob "$pgdata/server-*.key") or die $!; + copy_files("ssl/root+client_ca.crt", $pgdata); + copy_files("ssl/root_ca.crt", $pgdata); + copy_files("ssl/root+client.crl", $pgdata); + + # Stop and restart server to load new listen_addresses. + $node->restart; + + # Change pg_hba after restart because hostssl requires ssl=on + configure_hba_for_ssl($node, $servercidr, $authmethod); + + return; +} + +# Change the configuration to use given server cert file, and reload +# the server so that the configuration takes effect. +sub switch_server_cert +{ + my $node = $_[0]; + my $certfile = $_[1]; + my $cafile = $_[2] || "root+client_ca"; + my $pgdata = $node->data_dir; + + open my $sslconf, '>', "$pgdata/sslconfig.conf"; + print $sslconf "ssl=on\n"; + print $sslconf "ssl_ca_file='$cafile.crt'\n"; + print $sslconf "ssl_cert_file='$certfile.crt'\n"; + print $sslconf "ssl_key_file='$certfile.key'\n"; + print $sslconf "ssl_crl_file='root+client.crl'\n"; + close $sslconf; + + $node->restart; + return; +} + +sub configure_hba_for_ssl +{ + my ($node, $servercidr, $authmethod) = @_; + my $pgdata = $node->data_dir; + + # Only accept SSL connections from $servercidr. Our tests don't depend on this + # but seems best to keep it as narrow as possible for security reasons. + # + # When connecting to certdb, also check the client certificate. + open my $hba, '>', "$pgdata/pg_hba.conf"; + print $hba + "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n"; + print $hba + "hostssl trustdb md5testuser $servercidr md5\n"; + print $hba + "hostssl trustdb all $servercidr $authmethod\n"; + print $hba + "hostssl verifydb ssltestuser $servercidr $authmethod clientcert=verify-full\n"; + print $hba + "hostssl verifydb anotheruser $servercidr $authmethod clientcert=verify-full\n"; + print $hba + "hostssl verifydb yetanotheruser $servercidr $authmethod clientcert=verify-ca\n"; + print $hba + "hostssl certdb all $servercidr cert\n"; + close $hba; + return; +} + +1; |