
Add libpq parameter 'channel_binding'.

Allow clients to require channel binding to enhance security against
untrusted servers.

Author: Jeff Davis
Reviewed-by: Michael Paquier
Discussion: https://postgr.es/m/227015d8417f2b4fef03f8966dbfa5cbcc4f44da.camel%40j-davis.com
Jeff Davis
2019-09-23 13:45:23 -07:00
parent 13cd97e6c8
commit d6e612f837
9 changed files with 233 additions and 20 deletions


@ -18,7 +18,7 @@ if ($ENV{with_openssl} ne 'yes')
plan skip_all => 'SSL not supported by this build';
}
my $number_of_tests = 1;
my $number_of_tests = 9;
# This is the hostname used to connect to the server.
my $SERVERHOSTADDR = '127.0.0.1';
@ -44,9 +44,42 @@ configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
switch_server_cert($node, 'server-cn-only');
$ENV{PGPASSWORD} = "pass";
$common_connstr =
"user=ssltestuser dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";
"dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR";
# Default settings
test_connect_ok($common_connstr, '', "Basic SCRAM authentication with SSL");
test_connect_ok($common_connstr, "user=ssltestuser",
"Basic SCRAM authentication with SSL");
# Test channel_binding
test_connect_fails(
$common_connstr,
"user=ssltestuser channel_binding=invalid_value",
qr/invalid channel_binding value: "invalid_value"/,
"SCRAM with SSL and channel_binding=invalid_value");
test_connect_ok(
$common_connstr,
"user=ssltestuser channel_binding=disable",
"SCRAM with SSL and channel_binding=disable");
test_connect_ok(
$common_connstr,
"user=ssltestuser channel_binding=require",
"SCRAM with SSL and channel_binding=require");
# Now test when the user has an MD5-encrypted password; should fail
test_connect_fails(
$common_connstr,
"user=md5testuser channel_binding=require",
qr/Channel binding required but not supported by server's authentication request/,
"MD5 with SSL and channel_binding=require");
# Now test with auth method 'cert' by connecting to 'certdb'. Should
# fail, because channel binding is not performed.
copy("ssl/client.key", "ssl/client_tmp.key");
chmod 0600, "ssl/client_tmp.key";
test_connect_fails(
"sslcert=ssl/client.crt sslkey=ssl/client_tmp.key hostaddr=$SERVERHOSTADDR",
"dbname=certdb user=ssltestuser channel_binding=require",
qr/Channel binding required, but server authenticated client without channel binding/,
"Cert authentication and channel_binding=require");
done_testing($number_of_tests);
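Review bot: The `copy("ssl/client.key", "ssl/client_tmp.key");` and `chmod 0600, "ssl/client_tmp.key";` calls that set up the cert-authentication case at the end of the second hunk are unchecked, so a failed copy or chmod only shows up later as a misleading connection failure inside test_connect_fails rather than as a setup error. Write them as `copy("ssl/client.key", "ssl/client_tmp.key") or die "couldn't copy ssl/client.key: $!";` and `chmod 0600, "ssl/client_tmp.key" or die "couldn't chmod ssl/client_tmp.key: $!";`. The temporary key is also never removed; an `unlink "ssl/client_tmp.key";` before `done_testing($number_of_tests);` would leave the ssl/ directory as the test found it. Presumably the 0600 mode is required because libpq rejects a client key with permissive permissions — if so, a one-line comment stating that next to the chmod would spare the next reader the guess.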