author | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2024-07-26 15:12:23 +0300 |
---|---|---|
committer | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2024-07-26 15:12:23 +0300 |
commit | ef7fa900fb587cbaac9f3e943f789155b97aa02b (patch) | |
tree | 89b457703c0ed098019c8a60e867cfd2b60a497c | |
parent | 20e0e7da9bc0089433c70b2b53ddf6a340ab5df3 (diff) | |
Add tests for errors during SSL or GSSAPI handshake
These test that libpq correctly falls back to a plaintext connection
on handshake error, in the "prefer" modes.
Reviewed-by: Michael Paquier
Discussion: https://www.postgresql.org/message-id/CAOYmi%2Bnwvu21mJ4DYKUa98HdfM_KZJi7B1MhyXtnsyOO-PB6Ww%40mail.gmail.com
-rw-r--r-- | src/backend/libpq/be-secure-gssapi.c | 3 | ||||
-rw-r--r-- | src/backend/libpq/be-secure.c | 3 | ||||
-rw-r--r-- | src/interfaces/libpq/t/005_negotiate_encryption.pl | 20 |
3 files changed, 26 insertions, 0 deletions
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
index bc04e78abba..483636503c1 100644
--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -21,6 +21,7 @@
 #include "libpq/pqformat.h"
 #include "miscadmin.h"
 #include "pgstat.h"
+#include "utils/injection_point.h"
 #include "utils/memutils.h"
 
 
@@ -499,6 +500,8 @@ secure_open_gssapi(Port *port)
 minor;
 gss_cred_id_t delegated_creds;
 
+ INJECTION_POINT("backend-gssapi-startup");
+
 /*
 * Allocate subsidiary Port data for GSSAPI operations.
 */
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 1663f36b6b8..ef20ea755b7 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -30,6 +30,7 @@
 #include "libpq/libpq.h"
 #include "miscadmin.h"
 #include "tcop/tcopprot.h"
+#include "utils/injection_point.h"
 #include "utils/wait_event.h"
 
 char *ssl_library;
@@ -129,6 +130,8 @@ secure_open_server(Port *port)
 }
 Assert(pq_buffer_remaining_data() == 0);
 
+ INJECTION_POINT("backend-ssl-startup");
+
 r = be_tls_open_server(port);
 
 if (port->raw_buf_remaining > 0)
diff --git a/src/interfaces/libpq/t/005_negotiate_encryption.pl b/src/interfaces/libpq/t/005_negotiate_encryption.pl
index 5fbab969008..157f23b8e83 100644
--- a/src/interfaces/libpq/t/005_negotiate_encryption.pl
+++ b/src/interfaces/libpq/t/005_negotiate_encryption.pl
@@ -339,6 +339,16 @@ nossluser . disable postgres connect, authok
 "user=testuser sslmode=prefer",
 'connect, v2error -> fail');
 $node->restart;
+
+ $node->safe_psql(
+ 'postgres',
+ "SELECT injection_points_attach('backend-ssl-startup', 'error');",
+ connstr => "user=localuser host=$unixdir");
+ connect_test(
+ $node,
+ "user=testuser sslmode=prefer",
+ 'connect, sslaccept, backenderror, reconnect, authok -> plain');
+ $node->restart;
 }
 
 # Disable SSL again
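Review bot: Neither `INJECTION_POINT("backend-gssapi-startup");` in secure_open_gssapi() nor `INJECTION_POINT("backend-ssl-startup");` in secure_open_server() (the be-secure.c hunk at -129) has a comment, so the backend source does not say that these are test hooks sitting on the connection path before the encryption handshake. I would add above each one something like `/* Test hook: lets the TAP tests force an error before the handshake starts. */`. Because the test in this commit shows that an error raised here makes a "prefer" client reconnect in plaintext, the comment should also say that the macro only has an effect in builds with injection points enabled. Both function bodies start and end outside the hunks.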
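Review bot: The case added in the hunk at -339 only exercises `sslmode=prefer`, so it pins the plaintext fallback but not its limit: nothing checks that a backend error at 'backend-ssl-startup' makes an `sslmode=require` connection fail rather than reconnect unencrypted. A second `connect_test` with `"user=testuser sslmode=require"`, run while the point is still attached and before the `$node->restart`, would catch a downgrade regression. Its expected event string has to follow the file's trace format, which is only partly visible here. The same gap applies to the GSSAPI hunk at -444 with `gssencmode=require`. The enclosing block starts outside the hunk.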
@@ -444,6 +454,16 @@ nogssuser disable disable postgres connect, authok
 "user=testuser gssencmode=prefer sslmode=disable",
 'connect, v2error -> fail');
 $node->restart;
+
+ $node->safe_psql(
+ 'postgres',
+ "SELECT injection_points_attach('backend-gssapi-startup', 'error');",
+ connstr => "user=localuser host=$unixdir");
+ connect_test(
+ $node,
+ "user=testuser gssencmode=prefer sslmode=disable",
+ 'connect, gssaccept, backenderror, reconnect, authok -> plain');
+ $node->restart;
 }
 }
 
|
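Review bot: The added block calls `injection_points_attach('backend-gssapi-startup', 'error')` with no visible check that the server was built with injection points and has the extension installed; the SSL block in the hunk at -339 does the same. The diffstat's 20 insertions for this file are exactly these two blocks, so the commit itself adds no such guard. Unless the enclosing code outside the hunks already provides one, `safe_psql` will die on builds without injection points and abort the rest of the script. If the file has an availability check for injection points, both blocks should be wrapped in it so the cases are skipped. The cleanup also depends on `$node->restart` to drop the attached point, which deserves a one-line comment such as `# restart clears the attached injection point`.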