diff options
Diffstat (limited to 'src/test/ssl/t')
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 748 | ||||
| -rw-r--r-- | src/test/ssl/t/002_scram.pl | 152 | ||||
| -rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 165 | ||||
| -rw-r--r-- | src/test/ssl/t/SSL/Backend/OpenSSL.pm | 229 | ||||
| -rw-r--r-- | src/test/ssl/t/SSL/Server.pm | 356 |
5 files changed, 1650 insertions, 0 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl new file mode 100644 index 0000000..707f400 --- /dev/null +++ b/src/test/ssl/t/001_ssltests.pl @@ -0,0 +1,748 @@ + +# Copyright (c) 2021-2022, PostgreSQL Global Development Group + +use strict; +use warnings; +use Config qw ( %Config ); +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; + +use FindBin; +use lib $FindBin::RealBin; + +use SSL::Server; + +if ($ENV{with_ssl} ne 'openssl') +{ + plan skip_all => 'OpenSSL not supported by this build'; +} + +my $ssl_server = SSL::Server->new(); + +sub sslkey +{ + return $ssl_server->sslkey(@_); +} + +sub switch_server_cert +{ + $ssl_server->switch_server_cert(@_); +} +#### Some configuration + +# This is the hostname used to connect to the server. This cannot be a +# hostname, because the server certificate is always for the domain +# postgresql-ssl-regression.test. +my $SERVERHOSTADDR = '127.0.0.1'; +# This is the pattern to use in pg_hba.conf to match incoming connections. +my $SERVERHOSTCIDR = '127.0.0.1/32'; + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +#### Set up the server. + +note "setting up data directory"; +my $node = PostgreSQL::Test::Cluster->new('primary'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +# Run this before we lock down access below. +my $result = $node->safe_psql('postgres', "SHOW ssl_library"); +is($result, $ssl_server->ssl_library(), 'ssl_library parameter'); + +$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, + $SERVERHOSTCIDR, 'trust'); + +note "testing password-protected keys"; + +switch_server_cert( + $node, + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', + passphrase_cmd => 'echo wrongpassword', + restart => 'no'); + +command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with password-protected key file with wrong password'); +$node->_update_pid(0); + +switch_server_cert( + $node, + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', + passphrase_cmd => 'echo secret1', + restart => 'no'); + +command_ok( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart succeeds with password-protected key file'); +$node->_update_pid(1); + +# Test compatibility of SSL protocols. +# TLSv1.1 is lower than TLSv1.2, so it won't work. +$node->append_conf( + 'postgresql.conf', + qq{ssl_min_protocol_version='TLSv1.2' +ssl_max_protocol_version='TLSv1.1'}); +command_fails( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart fails with incorrect SSL protocol bounds'); +# Go back to the defaults, this works. +$node->append_conf( + 'postgresql.conf', + qq{ssl_min_protocol_version='TLSv1.2' +ssl_max_protocol_version=''}); +command_ok( + [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], + 'restart succeeds with correct SSL protocol bounds'); + +### Run client-side tests. +### +### Test that libpq accepts/rejects the connection correctly, depending +### on sslmode and whether the server's certificate looks correct. No +### client certificate is used in these tests. + +note "running client tests"; + +switch_server_cert($node, certfile => 'server-cn-only'); + +# Set of default settings for SSL parameters in connection string. This +# makes the tests protected against any defaults the environment may have +# in ~/.postgresql/. +my $default_ssl_connstr = + "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + +# The server should not accept non-SSL connections. +$node->connect_fails( + "$common_connstr sslmode=disable", + "server doesn't accept non-SSL connections", + expected_stderr => qr/\Qno pg_hba.conf entry\E/); + +# Try without a root cert. In sslmode=require, this should work. In verify-ca +# or verify-full mode it should fail. +$node->connect_ok( + "$common_connstr sslrootcert=invalid sslmode=require", + "connect without server root cert sslmode=require"); +$node->connect_fails( + "$common_connstr sslrootcert=invalid sslmode=verify-ca", + "connect without server root cert sslmode=verify-ca", + expected_stderr => qr/root certificate file "invalid" does not exist/); +$node->connect_fails( + "$common_connstr sslrootcert=invalid sslmode=verify-full", + "connect without server root cert sslmode=verify-full", + expected_stderr => qr/root certificate file "invalid" does not exist/); + +# Try with wrong root cert, should fail. (We're using the client CA as the +# root, but the server's key is signed by the server CA.) +$node->connect_fails( + "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=require", + "connect with wrong server root cert sslmode=require", + expected_stderr => qr/SSL error: certificate verify failed/); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-ca", + "connect with wrong server root cert sslmode=verify-ca", + expected_stderr => qr/SSL error: certificate verify failed/); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/client_ca.crt sslmode=verify-full", + "connect with wrong server root cert sslmode=verify-full", + expected_stderr => qr/SSL error: certificate verify failed/); + +# Try with just the server CA's cert. This fails because the root file +# must contain the whole chain up to the root CA. +$node->connect_fails( + "$common_connstr sslrootcert=ssl/server_ca.crt sslmode=verify-ca", + "connect with server CA cert, without root CA", + expected_stderr => qr/SSL error: certificate verify failed/); + +# And finally, with the correct root cert. +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require", + "connect with correct server CA cert file sslmode=require"); +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "connect with correct server CA cert file sslmode=verify-ca"); +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-full", + "connect with correct server CA cert file sslmode=verify-full"); + +# Test with cert root file that contains two certificates. The client should +# be able to pick the right one, regardless of the order in the file. +$node->connect_ok( + "$common_connstr sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 1"); +$node->connect_ok( + "$common_connstr sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca", + "cert root file that contains two certificates, order 2"); + +# CRL tests + +# Invalid CRL filename is the same as no CRL, succeeds +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid", + "sslcrl option with invalid file name"); + +# A CRL belonging to a different CA is not accepted, fails +$node->connect_fails( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl", + "CRL belonging to a different CA", + expected_stderr => qr/SSL error: certificate verify failed/); + +# The same for CRL directory. sslcrl='' is added here to override the +# invalid default, so as this does not interfere with this case. +$node->connect_fails( + "$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/client-crldir", + "directory CRL belonging to a different CA", + expected_stderr => qr/SSL error: certificate verify failed/); + +# With the correct CRL, succeeds (this cert is not revoked) +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "CRL with a non-revoked cert"); + +# The same for CRL directory +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", + "directory CRL with a non-revoked cert"); + +# Check that connecting with verify-full fails, when the hostname doesn't +# match the hostname in the server's certificate. +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + +$node->connect_ok("$common_connstr sslmode=require host=wronghost.test", + "mismatch between host name and server certificate sslmode=require"); +$node->connect_ok( + "$common_connstr sslmode=verify-ca host=wronghost.test", + "mismatch between host name and server certificate sslmode=verify-ca"); +$node->connect_fails( + "$common_connstr sslmode=verify-full host=wronghost.test", + "mismatch between host name and server certificate sslmode=verify-full", + expected_stderr => + qr/\Qserver certificate for "common-name.pg-ssltest.test" does not match host name "wronghost.test"\E/ +); + +# Test with an IP address in the Common Name. This is a strange corner case that +# nevertheless is supported, as long as the address string matches exactly. +switch_server_cert($node, certfile => 'server-ip-cn-only'); + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +$node->connect_ok("$common_connstr host=192.0.2.1", + "IP address in the Common Name"); + +$node->connect_fails( + "$common_connstr host=192.000.002.001", + "mismatch between host name and server certificate IP address", + expected_stderr => + qr/\Qserver certificate for "192.0.2.1" does not match host name "192.000.002.001"\E/ +); + +# Similarly, we'll also match an IP address in a dNSName SAN. (This is +# long-standing behavior.) +switch_server_cert($node, certfile => 'server-ip-in-dnsname'); + +$node->connect_ok("$common_connstr host=192.0.2.1", + "IP address in a dNSName"); + +# Test Subject Alternative Names. +switch_server_cert($node, certfile => 'server-multiple-alt-names'); + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +$node->connect_ok( + "$common_connstr host=dns1.alt-name.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names 1"); +$node->connect_ok( + "$common_connstr host=dns2.alt-name.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names 2"); +$node->connect_ok("$common_connstr host=foo.wildcard.pg-ssltest.test", + "host name matching with X.509 Subject Alternative Names wildcard"); + +$node->connect_fails( + "$common_connstr host=wronghost.alt-name.pg-ssltest.test", + "host name not matching with X.509 Subject Alternative Names", + expected_stderr => + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "wronghost.alt-name.pg-ssltest.test"\E/ +); +$node->connect_fails( + "$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test", + "host name not matching with X.509 Subject Alternative Names wildcard", + expected_stderr => + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 2 other names) does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/ +); + +# Test certificate with a single Subject Alternative Name. (this gives a +# slightly different error message, that's all) +switch_server_cert($node, certfile => 'server-single-alt-name'); + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +$node->connect_ok( + "$common_connstr host=single.alt-name.pg-ssltest.test", + "host name matching with a single X.509 Subject Alternative Name"); + +$node->connect_fails( + "$common_connstr host=wronghost.alt-name.pg-ssltest.test", + "host name not matching with a single X.509 Subject Alternative Name", + expected_stderr => + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "wronghost.alt-name.pg-ssltest.test"\E/ +); +$node->connect_fails( + "$common_connstr host=deep.subdomain.wildcard.pg-ssltest.test", + "host name not matching with a single X.509 Subject Alternative Name wildcard", + expected_stderr => + qr/\Qserver certificate for "single.alt-name.pg-ssltest.test" does not match host name "deep.subdomain.wildcard.pg-ssltest.test"\E/ +); + +SKIP: +{ + skip 'IPv6 addresses in certificates not support on this platform', 1 + unless check_pg_config('#define HAVE_INET_PTON 1'); + + # Test certificate with IP addresses in the SANs. + switch_server_cert($node, certfile => 'server-ip-alt-names'); + + $node->connect_ok("$common_connstr host=192.0.2.1", + "host matching an IPv4 address (Subject Alternative Name 1)"); + + $node->connect_ok( + "$common_connstr host=192.000.002.001", + "host matching an IPv4 address in alternate form (Subject Alternative Name 1)" + ); + + $node->connect_fails( + "$common_connstr host=192.0.2.2", + "host not matching an IPv4 address (Subject Alternative Name 1)", + expected_stderr => + qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "192.0.2.2"\E/ + ); + + $node->connect_ok("$common_connstr host=2001:DB8::1", + "host matching an IPv6 address (Subject Alternative Name 2)"); + + $node->connect_ok( + "$common_connstr host=2001:db8:0:0:0:0:0:1", + "host matching an IPv6 address in alternate form (Subject Alternative Name 2)" + ); + + $node->connect_ok( + "$common_connstr host=2001:db8::0.0.0.1", + "host matching an IPv6 address in mixed form (Subject Alternative Name 2)" + ); + + $node->connect_fails( + "$common_connstr host=::1", + "host not matching an IPv6 address (Subject Alternative Name 2)", + expected_stderr => + qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "::1"\E/ + ); + + $node->connect_fails( + "$common_connstr host=2001:DB8::1/128", + "IPv6 host with CIDR mask does not match", + expected_stderr => + qr/\Qserver certificate for "192.0.2.1" (and 1 other name) does not match host name "2001:DB8::1\/128"\E/ + ); +} + +# Test server certificate with a CN and DNS SANs. Per RFCs 2818 and 6125, the CN +# should be ignored when the certificate has both. +switch_server_cert($node, certfile => 'server-cn-and-alt-names'); + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full"; + +$node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test", + "certificate with both a CN and SANs 1"); +$node->connect_ok("$common_connstr host=dns2.alt-name.pg-ssltest.test", + "certificate with both a CN and SANs 2"); +$node->connect_fails( + "$common_connstr host=common-name.pg-ssltest.test", + "certificate with both a CN and SANs ignores CN", + expected_stderr => + qr/\Qserver certificate for "dns1.alt-name.pg-ssltest.test" (and 1 other name) does not match host name "common-name.pg-ssltest.test"\E/ +); + +SKIP: +{ + skip 'IPv6 addresses in certificates not support on this platform', 1 + unless check_pg_config('#define HAVE_INET_PTON 1'); + + # But we will fall back to check the CN if the SANs contain only IP addresses. + switch_server_cert($node, certfile => 'server-cn-and-ip-alt-names'); + + $node->connect_ok( + "$common_connstr host=common-name.pg-ssltest.test", + "certificate with both a CN and IP SANs matches CN"); + $node->connect_ok("$common_connstr host=192.0.2.1", + "certificate with both a CN and IP SANs matches SAN 1"); + $node->connect_ok("$common_connstr host=2001:db8::1", + "certificate with both a CN and IP SANs matches SAN 2"); + + # And now the same tests, but with IP addresses and DNS names swapped. + switch_server_cert($node, certfile => 'server-ip-cn-and-alt-names'); + + $node->connect_ok("$common_connstr host=192.0.2.2", + "certificate with both an IP CN and IP SANs 1"); + $node->connect_ok("$common_connstr host=2001:db8::1", + "certificate with both an IP CN and IP SANs 2"); + $node->connect_fails( + "$common_connstr host=192.0.2.1", + "certificate with both an IP CN and IP SANs ignores CN", + expected_stderr => + qr/\Qserver certificate for "192.0.2.2" (and 1 other name) does not match host name "192.0.2.1"\E/ + ); +} + +switch_server_cert($node, certfile => 'server-ip-cn-and-dns-alt-names'); + +$node->connect_ok("$common_connstr host=192.0.2.1", + "certificate with both an IP CN and DNS SANs matches CN"); +$node->connect_ok( + "$common_connstr host=dns1.alt-name.pg-ssltest.test", + "certificate with both an IP CN and DNS SANs matches SAN 1"); +$node->connect_ok( + "$common_connstr host=dns2.alt-name.pg-ssltest.test", + "certificate with both an IP CN and DNS SANs matches SAN 2"); + +# Finally, test a server certificate that has no CN or SANs. Of course, that's +# not a very sensible certificate, but libpq should handle it gracefully. +switch_server_cert($node, certfile => 'server-no-names'); +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR"; + +$node->connect_ok( + "$common_connstr sslmode=verify-ca host=common-name.pg-ssltest.test", + "server certificate without CN or SANs sslmode=verify-ca"); +$node->connect_fails( + $common_connstr . " " + . "sslmode=verify-full host=common-name.pg-ssltest.test", + "server certificate without CN or SANs sslmode=verify-full", + expected_stderr => + qr/could not get server's host name from server certificate/); + +# Test that the CRL works +switch_server_cert($node, certfile => 'server-revoked'); + +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; + +# Without the CRL, succeeds. With it, fails. +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca", + "connects without client-side CRL"); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl", + "does not connect with client-side CRL file", + expected_stderr => qr/SSL error: certificate verify failed/); +# sslcrl='' is added here to override the invalid default, so as this +# does not interfere with this case. +$node->connect_fails( + "$common_connstr sslcrl='' sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrldir=ssl/root+server-crldir", + "does not connect with client-side CRL directory", + expected_stderr => qr/SSL error: certificate verify failed/); + +# pg_stat_ssl +command_like( + [ + 'psql', '-X', + '-A', '-F', + ',', '-P', + 'null=_null_', '-d', + "$common_connstr sslrootcert=invalid", '-c', + "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" + ], + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, + 'pg_stat_ssl view without client certificate'); + +# Test min/max SSL protocol versions. +$node->connect_ok( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.2", + "connection success with correct range of TLS protocol versions"); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=TLSv1.2 ssl_max_protocol_version=TLSv1.1", + "connection failure with incorrect range of TLS protocol versions", + expected_stderr => qr/invalid SSL protocol version range/); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_min_protocol_version=incorrect_tls", + "connection failure with an incorrect SSL protocol minimum bound", + expected_stderr => qr/invalid ssl_min_protocol_version value/); +$node->connect_fails( + "$common_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require ssl_max_protocol_version=incorrect_tls", + "connection failure with an incorrect SSL protocol maximum bound", + expected_stderr => qr/invalid ssl_max_protocol_version value/); + +### Server-side tests. +### +### Test certificate authorization. + +note "running server tests"; + +$common_connstr = + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost"; + +# no client cert +$node->connect_fails( + "$common_connstr user=ssltestuser sslcert=invalid", + "certificate authorization fails without client cert", + expected_stderr => qr/connection requires a valid client certificate/); + +# correct client cert in unencrypted PEM +$node->connect_ok( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), + "certificate authorization succeeds with correct client cert in PEM format" +); + +# correct client cert in unencrypted DER +$node->connect_ok( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-der.key'), + "certificate authorization succeeds with correct client cert in DER format" +); + +# correct client cert in encrypted PEM +$node->connect_ok( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . " sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted PEM format" +); + +# correct client cert in encrypted DER +$node->connect_ok( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-der.key') + . " sslpassword='dUmmyP^#+'", + "certificate authorization succeeds with correct client cert in encrypted DER format" +); + +# correct client cert in encrypted PEM with wrong password +$node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . " sslpassword='wrong'", + "certificate authorization fails with correct client cert and wrong password in encrypted PEM format", + expected_stderr => + qr!private key file \".*client-encrypted-pem\.key\": bad decrypt!,); + + +# correct client cert using whole DN +my $dn_connstr = "$common_connstr dbname=certdb_dn"; + +$node->connect_ok( + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), + "certificate authorization succeeds with DN mapping", + log_like => [ + qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ + ],); + +# same thing but with a regex +$dn_connstr = "$common_connstr dbname=certdb_dn_re"; + +$node->connect_ok( + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), + "certificate authorization succeeds with DN regex mapping"); + +# same thing but using explicit CN +$dn_connstr = "$common_connstr dbname=certdb_cn"; + +$node->connect_ok( + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), + "certificate authorization succeeds with CN mapping", + # the full DN should still be used as the authenticated identity + log_like => [ + qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ + ],); + + + +TODO: +{ + # these tests are left here waiting on us to get better pty support + # so they don't hang. For now they are not performed. + + todo_skip "Need Pty support", 4; + + # correct client cert in encrypted PEM with empty password + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . " sslpassword=''", + "certificate authorization fails with correct client cert and empty password in encrypted PEM format", + expected_stderr => + qr!private key file \".*client-encrypted-pem\.key\": processing error! + ); + + # correct client cert in encrypted PEM with no password + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key'), + "certificate authorization fails with correct client cert and no password in encrypted PEM format", + expected_stderr => + qr!private key file \".*client-encrypted-pem\.key\": processing error! + ); + +} + +# pg_stat_ssl + +my $serialno = `openssl x509 -serial -noout -in ssl/client.crt`; +if ($? == 0) +{ + # OpenSSL prints serial numbers in hexadecimal and converting the serial + # from hex requires a 64-bit capable Perl as the serialnumber is based on + # the current timestamp. On 32-bit fall back to checking for it being an + # integer like how we do when grabbing the serial fails. + if ($Config{ivsize} == 8) + { + $serialno =~ s/^serial=//; + $serialno =~ s/\s+//g; + $serialno = hex($serialno); + } + else + { + $serialno = '\d+'; + } +} +else +{ + # OpenSSL isn't functioning on the user's PATH. This probably isn't worth + # skipping the test over, so just fall back to a generic integer match. + warn 'couldn\'t run `openssl x509` to get client cert serialno'; + $serialno = '\d+'; +} + +command_like( + [ + 'psql', + '-X', + '-A', + '-F', + ',', + '-P', + 'null=_null_', + '-d', + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), + '-c', + "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" + ], + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + 'pg_stat_ssl with client certificate'); + +# client key with wrong permissions +SKIP: +{ + skip "Permissions check not enforced on Windows", 2 if ($windows_os); + + $node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client_wrongperms.key'), + "certificate authorization fails because of file permissions", + expected_stderr => + qr!private key file \".*client_wrongperms\.key\" has group or world access! + ); +} + +# client cert belonging to another user +$node->connect_fails( + "$common_connstr user=anotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), + "certificate authorization fails with client cert belonging to another user", + expected_stderr => + qr/certificate authentication failed for user "anotheruser"/, + # certificate authentication should be logged even on failure + log_like => + [qr/connection authenticated: identity="CN=ssltestuser" method=cert/],); + +# revoked client cert +$node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert", + expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, + # revoked certificates should not authenticate the user + log_unlike => [qr/connection authenticated:/],); + +# Check that connecting with auth-option verify-full in pg_hba: +# works, iff username matches Common Name +# fails, iff username doesn't match Common Name. +$common_connstr = + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost"; + +$node->connect_ok( + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), + "auth_option clientcert=verify-full succeeds with matching username and Common Name", + # verify-full does not provide authentication + log_unlike => [qr/connection authenticated:/],); + +$node->connect_fails( + "$common_connstr user=anotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), + "auth_option clientcert=verify-full fails with mismatching username and Common Name", + expected_stderr => + qr/FATAL: .* "trust" authentication failed for user "anotheruser"/, + # verify-full does not provide authentication + log_unlike => [qr/connection authenticated:/],); + +# Check that connecting with auth-option verify-ca in pg_hba : +# works, when username doesn't match Common Name +$node->connect_ok( + "$common_connstr user=yetanotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), + "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name", + # verify-full does not provide authentication + log_unlike => [qr/connection authenticated:/],); + +# intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file +switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca'); +$common_connstr = + "$default_ssl_connstr user=ssltestuser dbname=certdb " + . sslkey('client.key') + . " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; + +$node->connect_ok( + "$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt", + "intermediate client certificate is provided by client"); +$node->connect_fails( + $common_connstr . " " . "sslmode=require sslcert=ssl/client.crt", + "intermediate client certificate is missing", + expected_stderr => qr/SSL error: tlsv1 alert unknown ca/); + +# test server-side CRL directory +switch_server_cert( + $node, + certfile => 'server-cn-only', + crldir => 'root+client-crldir'); + +# revoked client cert +$node->connect_fails( + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), + "certificate authorization fails with revoked client cert with server-side CRL directory", + expected_stderr => qr/SSL error: sslv3 alert certificate revoked/); + +done_testing(); diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl new file mode 100644 index 0000000..566cb12 --- /dev/null +++ b/src/test/ssl/t/002_scram.pl @@ -0,0 +1,152 @@ + +# Copyright (c) 2021-2022, PostgreSQL Global Development Group + +# Test SCRAM authentication and TLS channel binding types + +use strict; +use warnings; +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; + +use File::Copy; + +use FindBin; +use lib $FindBin::RealBin; + +use SSL::Server; + +if ($ENV{with_ssl} ne 'openssl') +{ + plan skip_all => 'OpenSSL not supported by this build'; +} + +my $ssl_server = SSL::Server->new(); + +sub sslkey +{ + return $ssl_server->sslkey(@_); +} + +sub switch_server_cert +{ + $ssl_server->switch_server_cert(@_); +} + + +# This is the hostname used to connect to the server. +my $SERVERHOSTADDR = '127.0.0.1'; +# This is the pattern to use in pg_hba.conf to match incoming connections. +my $SERVERHOSTCIDR = '127.0.0.1/32'; + +# Determine whether build supports tls-server-end-point. +my $supports_tls_server_end_point = + check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1"); +# Determine whether build supports detection of hash algorithms for +# RSA-PSS certificates. +my $supports_rsapss_certs = + check_pg_config("#define HAVE_X509_GET_SIGNATURE_INFO 1"); + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +# Set up the server. + +note "setting up data directory"; +my $node = PostgreSQL::Test::Cluster->new('primary'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +# Configure server for SSL connections, with password handling. +$ssl_server->configure_test_server_for_ssl( + $node, $SERVERHOSTADDR, $SERVERHOSTCIDR, + "scram-sha-256", + 'password' => "pass", + 'password_enc' => "scram-sha-256"); +switch_server_cert($node, certfile => 'server-cn-only'); +$ENV{PGPASSWORD} = "pass"; +$common_connstr = + "dbname=trustdb sslmode=require sslcert=invalid sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost"; + +# Default settings +$node->connect_ok( + "$common_connstr user=ssltestuser", + "Basic SCRAM authentication with SSL"); + +# Test channel_binding +$node->connect_fails( + "$common_connstr user=ssltestuser channel_binding=invalid_value", + "SCRAM with SSL and channel_binding=invalid_value", + expected_stderr => qr/invalid channel_binding value: "invalid_value"/); +$node->connect_ok("$common_connstr user=ssltestuser channel_binding=disable", + "SCRAM with SSL and channel_binding=disable"); +if ($supports_tls_server_end_point) +{ + $node->connect_ok( + "$common_connstr user=ssltestuser channel_binding=require", + "SCRAM with SSL and channel_binding=require"); +} +else +{ + $node->connect_fails( + "$common_connstr user=ssltestuser channel_binding=require", + "SCRAM with SSL and channel_binding=require", + expected_stderr => + qr/channel binding is required, but server did not offer an authentication method that supports channel binding/ + ); +} + +# Now test when the user has an MD5-encrypted password; should fail +$node->connect_fails( + "$common_connstr user=md5testuser channel_binding=require", + "MD5 with SSL and channel_binding=require", + expected_stderr => + qr/channel binding required but not supported by server's authentication request/ +); + +# Now test with auth method 'cert' by connecting to 'certdb'. Should fail, +# because channel binding is not performed. Note that ssl/client.key may +# be used in a different test, so the name of this temporary client key +# is chosen here to be unique. +my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); +my $client_tmp_key = "$cert_tempdir/client_scram.key"; +copy("ssl/client.key", "$cert_tempdir/client_scram.key") + or die + "couldn't copy ssl/client_key to $cert_tempdir/client_scram.key for permission change: $!"; +chmod 0600, "$cert_tempdir/client_scram.key" + or die "failed to change permissions on $cert_tempdir/client_scram.key: $!"; +$client_tmp_key =~ s!\\!/!g if $PostgreSQL::Test::Utils::windows_os; +$node->connect_fails( + "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=certdb user=ssltestuser channel_binding=require", + "Cert authentication and channel_binding=require", + expected_stderr => + qr/channel binding required, but server authenticated client without channel binding/ +); + +# Certificate verification at the connection level should still work fine. +$node->connect_ok( + "sslcert=ssl/client.crt sslkey=$client_tmp_key sslrootcert=invalid hostaddr=$SERVERHOSTADDR host=localhost dbname=verifydb user=ssltestuser", + "SCRAM with clientcert=verify-full", + log_like => [ + qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/ + ]); + +# Now test with a server certificate that uses the RSA-PSS algorithm. +# This checks that the certificate can be loaded and that channel binding +# works. (see bug #17760) +if ($supports_rsapss_certs) +{ + switch_server_cert($node, certfile => 'server-rsapss'); + $node->connect_ok( + "$common_connstr user=ssltestuser channel_binding=require", + "SCRAM with SSL and channel_binding=require, server certificate uses 'rsassaPss'", + log_like => [ + qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/ + ]); +} +done_testing(); diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl new file mode 100644 index 0000000..87fb18a --- /dev/null +++ b/src/test/ssl/t/003_sslinfo.pl @@ -0,0 +1,165 @@ + +# Copyright (c) 2021-2022, PostgreSQL Global Development Group + +use strict; +use warnings; +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; + +use File::Copy; + +use FindBin; +use lib $FindBin::RealBin; + +use SSL::Server; + +if ($ENV{with_ssl} ne 'openssl') +{ + plan skip_all => 'OpenSSL not supported by this build'; +} + +#### Some configuration +my $ssl_server = SSL::Server->new(); + +sub sslkey +{ + return $ssl_server->sslkey(@_); +} + +sub switch_server_cert +{ + $ssl_server->switch_server_cert(@_); +} + +# This is the hostname used to connect to the server. This cannot be a +# hostname, because the server certificate is always for the domain +# postgresql-ssl-regression.test. +my $SERVERHOSTADDR = '127.0.0.1'; +# This is the pattern to use in pg_hba.conf to match incoming connections. +my $SERVERHOSTCIDR = '127.0.0.1/32'; + +# Allocation of base connection string shared among multiple tests. +my $common_connstr; + +#### Set up the server. + +note "setting up data directory"; +my $node = PostgreSQL::Test::Cluster->new('primary'); +$node->init; + +# PGHOST is enforced here to set up the node, subsequent connections +# will use a dedicated connection string. +$ENV{PGHOST} = $node->host; +$ENV{PGPORT} = $node->port; +$node->start; + +$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, + $SERVERHOSTCIDR, 'trust', extensions => [qw(sslinfo)]); + +# We aren't using any CRL's in this suite so we can keep using server-revoked +# as server certificate for simple client.crt connection much like how the +# 001 test does. +switch_server_cert($node, certfile => 'server-revoked'); + +# Set of default settings for SSL parameters in connection string. This +# makes the tests protected against any defaults the environment may have +# in ~/.postgresql/. +my $default_ssl_connstr = + "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; + +$common_connstr = + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost " + . "user=ssltestuser sslcert=ssl/client_ext.crt " + . sslkey('client_ext.key'); + +# Make sure we can connect even though previous test suites have established this +$node->connect_ok( + $common_connstr, + "certificate authorization succeeds with correct client cert in PEM format", +); + +my $result; + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_is_used();", + connstr => $common_connstr); +is($result, 't', "ssl_is_used() for TLS connection"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_version();", + connstr => $common_connstr + . " ssl_min_protocol_version=TLSv1.2 " + . "ssl_max_protocol_version=TLSv1.2"); +is($result, 'TLSv1.2', "ssl_version() correctly returning TLS protocol"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't', "ssl_cipher() compared with pg_stat_ssl"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_cert_present();", + connstr => $common_connstr); +is($result, 't', "ssl_client_cert_present() for connection with cert"); + +$result = $node->safe_psql( + "trustdb", + "SELECT ssl_client_cert_present();", + connstr => + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " + . "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" +); +is($result, 'f', "ssl_client_cert_present() for connection without cert"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't', "ssl_client_serial() compared with pg_stat_ssl"); + +# Must not use safe_psql since we expect an error here +$result = $node->psql( + "certdb", + "SELECT ssl_client_dn_field('invalid');", + connstr => $common_connstr); +is($result, '3', "ssl_client_dn_field() for an invalid field"); + +$result = $node->safe_psql( + "trustdb", + "SELECT ssl_client_dn_field('commonName');", + connstr => + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " + . "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" +); +is($result, '', "ssl_client_dn_field() for connection without cert"); + +$result = $node->safe_psql( + "certdb", + "SELECT '/CN=' || ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't', "ssl_client_dn_field() for commonName"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't', "ssl_issuer_dn() for connection with cert"); + +$result = $node->safe_psql( + "certdb", + "SELECT '/CN=' || ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't', "ssl_issuer_field() for commonName"); + +$result = $node->safe_psql( + "certdb", + "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", + connstr => $common_connstr); +is($result, 'CA:FALSE|t', 'extract extension from cert'); + +done_testing(); diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm new file mode 100644 index 0000000..aed6005 --- /dev/null +++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm @@ -0,0 +1,229 @@ + +# Copyright (c) 2021-2022, PostgreSQL Global Development Group + +=pod + +=head1 NAME + +SSL::Backend::OpenSSL + +=head1 SYNOPSIS + + use SSL::Backend::OpenSSL; + + my $backend = SSL::Backend::OpenSSL->new(); + + $backend->init($pgdata); + +=head1 DESCRIPTION + +SSL::Backend::OpenSSL implements the library specific parts in SSL::Server +for a PostgreSQL cluster compiled against OpenSSL. + +=cut + +package SSL::Backend::OpenSSL; + +use strict; +use warnings; +use File::Basename; +use File::Copy; + +=pod + +=head1 METHODS + +=over + +=item SSL::Backend::OpenSSL->new() + +Create a new instance of the OpenSSL backend. + +=cut + +sub new +{ + my ($class) = @_; + + my $self = { _library => 'OpenSSL', key => {} }; + + bless $self, $class; + + return $self; +} + +=pod + +=item $backend->init(pgdata) + +Install certificates, keys and CRL files required to run the tests against an +OpenSSL backend. + +=cut + +sub init +{ + my ($self, $pgdata) = @_; + + # Install server certificates and keys into the cluster data directory. + _copy_files("ssl/server-*.crt", $pgdata); + _copy_files("ssl/server-*.key", $pgdata); + chmod(0600, glob "$pgdata/server-*.key") + or die "failed to change permissions on server keys: $!"; + _copy_files("ssl/root+client_ca.crt", $pgdata); + _copy_files("ssl/root_ca.crt", $pgdata); + _copy_files("ssl/root+client.crl", $pgdata); + mkdir("$pgdata/root+client-crldir") + or die "unable to create server CRL dir $pgdata/root+client-crldir: $!"; + _copy_files("ssl/root+client-crldir/*", "$pgdata/root+client-crldir/"); + + # The client's private key must not be world-readable, so take a copy + # of the key stored in the code tree and update its permissions. + # + # This changes to using keys stored in a temporary path for the rest of + # the tests. To get the full path for inclusion in connection strings, the + # %key hash can be interrogated. + my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); + my @keys = ( + "client.key", "client-revoked.key", + "client-der.key", "client-encrypted-pem.key", + "client-encrypted-der.key", "client-dn.key", + "client_ext.key"); + foreach my $keyfile (@keys) + { + copy("ssl/$keyfile", "$cert_tempdir/$keyfile") + or die + "couldn't copy ssl/$keyfile to $cert_tempdir/$keyfile for permissions change: $!"; + chmod 0600, "$cert_tempdir/$keyfile" + or die "failed to change permissions on $cert_tempdir/$keyfile: $!"; + $self->{key}->{$keyfile} = "$cert_tempdir/$keyfile"; + $self->{key}->{$keyfile} =~ s!\\!/!g + if $PostgreSQL::Test::Utils::windows_os; + } + + # Also make a copy of client.key explicitly world-readable in order to be + # able to test incorrect permissions. We can't necessarily rely on the + # file in the source tree having those permissions. + copy("ssl/client.key", "$cert_tempdir/client_wrongperms.key") + or die + "couldn't copy ssl/client_key to $cert_tempdir/client_wrongperms.key for permission change: $!"; + chmod 0644, "$cert_tempdir/client_wrongperms.key" + or die + "failed to change permissions on $cert_tempdir/client_wrongperms.key: $!"; + $self->{key}->{'client_wrongperms.key'} = + "$cert_tempdir/client_wrongperms.key"; + $self->{key}->{'client_wrongperms.key'} =~ s!\\!/!g + if $PostgreSQL::Test::Utils::windows_os; +} + +=pod + +=item $backend->get_sslkey(key) + +Get an 'sslkey' connection string parameter for the specified B<key> which has +the correct path for direct inclusion in a connection string. + +=cut + +sub get_sslkey +{ + my ($self, $keyfile) = @_; + + return " sslkey=$self->{key}->{$keyfile}"; +} + +=pod + +=item $backend->set_server_cert(params) + +Change the configuration to use given server cert, key and crl file(s). The +following parameters are supported: + +=over + +=item cafile => B<value> + +The CA certificate file to use for the C<ssl_ca_file> GUC. If omitted it will +default to 'root+client_ca.crt'. + +=item certfile => B<value> + +The server certificate file to use for the C<ssl_cert_file> GUC. + +=item keyfile => B<value> + +The private key file to use for the C<ssl_key_file GUC>. If omitted it will +default to the B<certfile>.key. + +=item crlfile => B<value> + +The CRL file to use for the C<ssl_crl_file> GUC. If omitted it will default to +'root+client.crl'. + +=item crldir => B<value> + +The CRL directory to use for the C<ssl_crl_dir> GUC. If omitted, +C<no ssl_crl_dir> configuration parameter will be set. + +=back + +=cut + +sub set_server_cert +{ + my ($self, $params) = @_; + + $params->{cafile} = 'root+client_ca' unless defined $params->{cafile}; + $params->{crlfile} = 'root+client.crl' unless defined $params->{crlfile}; + $params->{keyfile} = $params->{certfile} + unless defined $params->{keyfile}; + + my $sslconf = + "ssl_ca_file='$params->{cafile}.crt'\n" + . "ssl_cert_file='$params->{certfile}.crt'\n" + . "ssl_key_file='$params->{keyfile}.key'\n" + . "ssl_crl_file='$params->{crlfile}'\n"; + $sslconf .= "ssl_crl_dir='$params->{crldir}'\n" + if defined $params->{crldir}; + + return $sslconf; +} + +=pod + +=item $backend->get_library() + +Returns the name of the SSL library, in this case "OpenSSL". + +=cut + +sub get_library +{ + my ($self) = @_; + + return $self->{_library}; +} + +# Internal method for copying a set of files, taking into account wildcards +sub _copy_files +{ + my $orig = shift; + my $dest = shift; + + my @orig_files = glob $orig; + foreach my $orig_file (@orig_files) + { + my $base_file = basename($orig_file); + copy($orig_file, "$dest/$base_file") + or die "Could not copy $orig_file to $dest"; + } + return; +} + +=pod + +=back + +=cut + +1; diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm new file mode 100644 index 0000000..9520578 --- /dev/null +++ b/src/test/ssl/t/SSL/Server.pm @@ -0,0 +1,356 @@ + +# Copyright (c) 2021-2022, PostgreSQL Global Development Group + +=pod + +=head1 NAME + +SSL::Server - Class for setting up SSL in a PostgreSQL Cluster + +=head1 SYNOPSIS + + use PostgreSQL::Test::Cluster; + use SSL::Server; + + # Create a new cluster + my $node = PostgreSQL::Test::Cluster->new('primary'); + + # Initialize and start the new cluster + $node->init; + $node->start; + + # Initialize SSL Server functionality for the cluster + my $ssl_server = SSL::Server->new(); + + # Configure SSL on the newly formed cluster + $server->configure_test_server_for_ssl($node, '127.0.0.1', '127.0.0.1/32', 'trust'); + +=head1 DESCRIPTION + +SSL::Server configures an existing test cluster, for the SSL regression tests. + +The server is configured as follows: + +=over + +=item * SSL enabled, with the server certificate specified by arguments to switch_server_cert function. + +=item * reject non-SSL connections + +=item * a database called trustdb that lets anyone in + +=item * another database called certdb that uses certificate authentication, ie. the client must present a valid certificate signed by the client CA + +=back + +The server is configured to only accept connections from localhost. If you +want to run the client from another host, you'll have to configure that +manually. + +Note: Someone running these test could have key or certificate files in their +~/.postgresql/, which would interfere with the tests. The way to override that +is to specify sslcert=invalid and/or sslrootcert=invalid if no actual +certificate is used for a particular test. libpq will ignore specifications +that name nonexisting files. (sslkey and sslcrl do not need to specified +explicitly because an invalid sslcert or sslrootcert, respectively, causes +those to be ignored.) + +The SSL::Server module presents a SSL library abstraction to the test writer, +which in turn use modules in SSL::Backend which implements the SSL library +specific infrastructure. Currently only OpenSSL is supported. + +=cut + +package SSL::Server; + +use strict; +use warnings; +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; +use SSL::Backend::OpenSSL; + +=pod + +=head1 METHODS + +=over + +=item SSL::Server->new(flavor) + +Create a new SSL Server object for configuring a PostgreSQL test cluster +node for accepting SSL connections using the with B<flavor> selected SSL +backend. If B<flavor> isn't set, the C<with_ssl> environment variable will +be used for selecting backend. Currently only C<openssl> is supported. + +=cut + +sub new +{ + my $class = shift; + my $flavor = shift || $ENV{with_ssl}; + die "SSL flavor not defined" unless $flavor; + my $self = {}; + bless $self, $class; + if ($flavor =~ /\Aopenssl\z/i) + { + $self->{flavor} = 'openssl'; + $self->{backend} = SSL::Backend::OpenSSL->new(); + } + else + { + die "SSL flavor $flavor unknown"; + } + return $self; +} + +=pod + +=item sslkey(filename) + +Return a C<sslkey> construct for the specified key for use in a connection +string. + +=cut + +sub sslkey +{ + my $self = shift; + my $keyfile = shift; + my $backend = $self->{backend}; + + return $backend->get_sslkey($keyfile); +} + +=pod + +=item $server->configure_test_server_for_ssl(node, host, cidr, auth, params) + +Configure the cluster specified by B<node> or listening on SSL connections. +The following databases will be created in the cluster: trustdb, certdb, +certdb_dn, certdb_dn_re, certdb_cn, verifydb. The following users will be +created in the cluster: ssltestuser, md5testuser, anotheruser, yetanotheruser. +If B<< $params{password} >> is set, it will be used as password for all users +with the password encoding B<< $params{password_enc} >> (except for md5testuser +which always have MD5). Extensions defined in B<< @{$params{extension}} >> +will be created in all the above created databases. B<host> is used for +C<listen_addresses> and B<cidr> for configuring C<pg_hba.conf>. + +=cut + +sub configure_test_server_for_ssl +{ + my $self = shift; + my ($node, $serverhost, $servercidr, $authmethod, %params) = @_; + my $backend = $self->{backend}; + my $pgdata = $node->data_dir; + + my @databases = ( + 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', + 'certdb_cn', 'verifydb'); + + # Create test users and databases + $node->psql('postgres', "CREATE USER ssltestuser"); + $node->psql('postgres', "CREATE USER md5testuser"); + $node->psql('postgres', "CREATE USER anotheruser"); + $node->psql('postgres', "CREATE USER yetanotheruser"); + + foreach my $db (@databases) + { + $node->psql('postgres', "CREATE DATABASE $db"); + } + + # Update password of each user as needed. + if (defined($params{password})) + { + die "Password encryption must be specified when password is set" + unless defined($params{password_enc}); + + $node->psql('postgres', + "SET password_encryption='$params{password_enc}'; ALTER USER ssltestuser PASSWORD '$params{password}';" + ); + # A special user that always has an md5-encrypted password + $node->psql('postgres', + "SET password_encryption='md5'; ALTER USER md5testuser PASSWORD '$params{password}';" + ); + $node->psql('postgres', + "SET password_encryption='$params{password_enc}'; ALTER USER anotheruser PASSWORD '$params{password}';" + ); + } + + # Create any extensions requested in the setup + if (defined($params{extensions})) + { + foreach my $extension (@{ $params{extensions} }) + { + foreach my $db (@databases) + { + $node->psql($db, "CREATE EXTENSION $extension CASCADE;"); + } + } + } + + # enable logging etc. + open my $conf, '>>', "$pgdata/postgresql.conf"; + print $conf "fsync=off\n"; + print $conf "log_connections=on\n"; + print $conf "log_hostname=on\n"; + print $conf "listen_addresses='$serverhost'\n"; + print $conf "log_statement=all\n"; + + # enable SSL and set up server key + print $conf "include 'sslconfig.conf'\n"; + + close $conf; + + # SSL configuration will be placed here + open my $sslconf, '>', "$pgdata/sslconfig.conf"; + close $sslconf; + + # Perform backend specific configuration + $backend->init($pgdata); + + # Stop and restart server to load new listen_addresses. + $node->restart; + + # Change pg_hba after restart because hostssl requires ssl=on + _configure_hba_for_ssl($node, $servercidr, $authmethod); + + return; +} + +=pod + +=item $server->ssl_library() + +Get the name of the currently used SSL backend. + +=cut + +sub ssl_library +{ + my $self = shift; + my $backend = $self->{backend}; + + return $backend->get_library(); +} + +=pod + +=item switch_server_cert(params) + +Change the configuration to use the given set of certificate, key, ca and +CRL, and potentially reload the configuration by restarting the server so +that the configuration takes effect. Restarting is the default, passing +B<< $params{restart} >> => 'no' opts out of it leaving the server running. +The following params are supported: + +=over + +=item cafile => B<value> + +The CA certificate to use. Implementation is SSL backend specific. + +=item certfile => B<value> + +The certificate file to use. Implementation is SSL backend specific. + +=item keyfile => B<value> + +The private key to use. Implementation is SSL backend specific. + +=item crlfile => B<value> + +The CRL file to use. Implementation is SSL backend specific. + +=item crldir => B<value> + +The CRL directory to use. Implementation is SSL backend specific. + +=item passphrase_cmd => B<value> + +The passphrase command to use. If not set, an empty passphrase command will +be set. + +=item restart => B<value> + +If set to 'no', the server won't be restarted after updating the settings. +If omitted, or any other value is passed, the server will be restarted before +returning. + +=back + +=cut + +sub switch_server_cert +{ + my $self = shift; + my $node = shift; + my $backend = $self->{backend}; + my %params = @_; + my $pgdata = $node->data_dir; + + open my $sslconf, '>', "$pgdata/sslconfig.conf"; + print $sslconf "ssl=on\n"; + print $sslconf $backend->set_server_cert(\%params); + print $sslconf "ssl_passphrase_command='" + . $params{passphrase_cmd} . "'\n" + if defined $params{passphrase_cmd}; + close $sslconf; + + return if (defined($params{restart}) && $params{restart} eq 'no'); + + $node->restart; + return; +} + + +# Internal function for configuring pg_hba.conf for SSL connections. +sub _configure_hba_for_ssl +{ + my ($node, $servercidr, $authmethod) = @_; + my $pgdata = $node->data_dir; + + # Only accept SSL connections from $servercidr. Our tests don't depend on this + # but seems best to keep it as narrow as possible for security reasons. + # + # When connecting to certdb, also check the client certificate. + open my $hba, '>', "$pgdata/pg_hba.conf"; + print $hba + "# TYPE DATABASE USER ADDRESS METHOD OPTIONS\n"; + print $hba + "hostssl trustdb md5testuser $servercidr md5\n"; + print $hba + "hostssl trustdb all $servercidr $authmethod\n"; + print $hba + "hostssl verifydb ssltestuser $servercidr $authmethod clientcert=verify-full\n"; + print $hba + "hostssl verifydb anotheruser $servercidr $authmethod clientcert=verify-full\n"; + print $hba + "hostssl verifydb yetanotheruser $servercidr $authmethod clientcert=verify-ca\n"; + print $hba + "hostssl certdb all $servercidr cert\n"; + print $hba + "hostssl certdb_dn all $servercidr cert clientname=DN map=dn\n", + "hostssl certdb_dn_re all $servercidr cert clientname=DN map=dnre\n", + "hostssl certdb_cn all $servercidr cert clientname=CN map=cn\n"; + close $hba; + + # Also set the ident maps. Note: fields with commas must be quoted + open my $map, ">", "$pgdata/pg_ident.conf"; + print $map + "# MAPNAME SYSTEM-USERNAME PG-USERNAME\n", + "dn \"CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG\" ssltestuser\n", + "dnre \"/^.*OU=Testing,.*\$\" ssltestuser\n", + "cn ssltestuser-dn ssltestuser\n"; + + return; +} + +=pod + +=back + +=cut + +1; |