author | Peter Eisentraut <peter@eisentraut.org> | 2023-11-17 14:40:13 +0100 |
---|---|---|
committer | Peter Eisentraut <peter@eisentraut.org> | 2023-11-17 16:52:46 +0100 |
commit | 284cbaea7c4b89ce8685a148baeaf1d7896a900e (patch) | |
tree | 22a9be4bb30c7873862599cd75c22ce560365bdc /src/test/ssl/t | |
parent | 795592865c96b58016a883ac6390c985f140918d (diff) | |
Allow tests to pass in OpenSSL FIPS mode (TAP tests)
Some tests using md5 authentication have to be skipped. In other
cases, we can rewrite the tests to use a different authentication
method.
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://www.postgresql.org/message-id/flat/dbbd927f-ef1f-c9a1-4ec6-c759778ac852%40enterprisedb.com
Diffstat (limited to 'src/test/ssl/t')
-rw-r--r-- | src/test/ssl/t/002_scram.pl | 35 |
1 files changed, 23 insertions, 12 deletions
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 27abd02abf1..91e771ec47d 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -64,6 +64,9 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
+# could fail in FIPS mode
+my $md5_works = ($node->psql('postgres', "select md5('')") == 0);
+
 # Configure server for SSL connections, with password handling.
 $ssl_server->configure_test_server_for_ssl(
 $node, $SERVERHOSTADDR, $SERVERHOSTCIDR,
@@ -91,12 +94,16 @@ $node->connect_ok("$common_connstr user=ssltestuser channel_binding=require",
 "SCRAM with SSL and channel_binding=require");
 # Now test when the user has an MD5-encrypted password; should fail
-$node->connect_fails(
- "$common_connstr user=md5testuser channel_binding=require",
- "MD5 with SSL and channel_binding=require",
- expected_stderr =>
- qr/channel binding required but not supported by server's authentication request/
-);
+SKIP:
+{
+ skip "MD5 not supported" unless $md5_works;
+ $node->connect_fails(
+ "$common_connstr user=md5testuser channel_binding=require",
+ "MD5 with SSL and channel_binding=require",
+ expected_stderr =>
+ qr/channel binding required but not supported by server's authentication request/
+ );
+}
 # Now test with auth method 'cert' by connecting to 'certdb'. Should fail,
 # because channel binding is not performed. Note that ssl/client.key may
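Review bot: In the hunk at `@@ -64,6 +64,9 @@`, the `$md5_works` probe treats any non-zero psql exit status as "MD5 unavailable", so an unrelated failure of `select md5('')` would quietly skip the MD5 channel-binding checks later in the file instead of showing up as a test failure. The comment `# could fail in FIPS mode` also does not say what the flag is for; something like `# md5() raises an error when OpenSSL runs in FIPS mode; remember whether it works so MD5-dependent tests can be skipped` would be clearer. It may also be worth adding `note "md5() unavailable, MD5 tests will be skipped" unless $md5_works;` so the reduced coverage is visible in the test log.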
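Review bot: The `skip "MD5 not supported" unless $md5_works;` call in the hunk at `@@ -91,12 +94,16 @@` (and the identical one at `@@ -130,12 +137,16 @@`) passes no test count and gives a reason that does not mention FIPS, so the TAP output will not explain why these negative checks did not run. Both `connect_fails` cases verify that the client refuses to continue when `channel_binding=require` meets an MD5 authentication request, so each SKIP block deserves a comment recording that this check is not exercised when MD5 is unavailable, e.g. `# MD5 auth is unavailable in OpenSSL FIPS mode, so this downgrade check is skipped there`. I would also name the cause in the message and pass the number of tests the block emits as the second argument to `skip`.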
@@ -130,12 +137,16 @@ $node->connect_ok(
 "$common_connstr user=ssltestuser channel_binding=disable require_auth=scram-sha-256",
 "SCRAM with SSL, channel_binding=disable, and require_auth=scram-sha-256"
 );
-$node->connect_fails(
- "$common_connstr user=md5testuser require_auth=md5 channel_binding=require",
- "channel_binding can fail even when require_auth succeeds",
- expected_stderr =>
- qr/channel binding required but not supported by server's authentication request/
-);
+SKIP:
+{
+ skip "MD5 not supported" unless $md5_works;
+ $node->connect_fails(
+ "$common_connstr user=md5testuser require_auth=md5 channel_binding=require",
+ "channel_binding can fail even when require_auth succeeds",
+ expected_stderr =>
+ qr/channel binding required but not supported by server's authentication request/
+ );
+}
 $node->connect_ok(
 "$common_connstr user=ssltestuser channel_binding=require require_auth=scram-sha-256",
 "SCRAM with SSL, channel_binding=require, and require_auth=scram-sha-256" |