Diffstat (limited to 'src/test/ssl')
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 105 | ||||
-rw-r--r-- | src/test/ssl/t/002_scram.pl | 11 | ||||
-rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 103 | ||||
-rw-r--r-- | src/test/ssl/t/SSL/Backend/OpenSSL.pm | 13 | ||||
-rw-r--r-- | src/test/ssl/t/SSL/Server.pm | 29 |
5 files changed, 166 insertions, 95 deletions
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 58d2bc336f..c0b4a5739c 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -19,10 +19,12 @@ if ($ENV{with_ssl} ne 'openssl') } my $ssl_server = SSL::Server->new(); + sub sslkey { return $ssl_server->sslkey(@_); } + sub switch_server_cert { $ssl_server->switch_server_cert(@_); @@ -56,28 +58,30 @@ my $result = $node->safe_psql('postgres', "SHOW ssl_library"); is($result, $ssl_server->ssl_library(), 'ssl_library parameter'); $ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, - $SERVERHOSTCIDR, 'trust'); + $SERVERHOSTCIDR, 'trust'); note "testing password-protected keys"; -switch_server_cert($node, - certfile => 'server-cn-only', - cafile => 'root+client_ca', - keyfile => 'server-password', +switch_server_cert( + $node, + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', passphrase_cmd => 'echo wrongpassword', - restart => 'no' ); + restart => 'no'); command_fails( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], 'restart fails with password-protected key file with wrong password'); $node->_update_pid(0); -switch_server_cert($node, - certfile => 'server-cn-only', - cafile => 'root+client_ca', - keyfile => 'server-password', +switch_server_cert( + $node, + certfile => 'server-cn-only', + cafile => 'root+client_ca', + keyfile => 'server-password', passphrase_cmd => 'echo secret1', - restart => 'no'); + restart => 'no'); command_ok( [ 'pg_ctl', '-D', $node->data_dir, '-l', $node->logfile, 'restart' ], 
@@ -115,7 +119,8 @@ switch_server_cert($node, certfile => 'server-cn-only'); # Set of default settings for SSL parameters in connection string. This # makes the tests protected against any defaults the environment may have # in ~/.postgresql/. -my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; +my $default_ssl_connstr = + "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; $common_connstr = "$default_ssl_connstr user=ssltestuser dbname=trustdb hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test"; @@ -416,9 +421,11 @@ switch_server_cert($node, certfile => 'server-ip-cn-and-dns-alt-names'); $node->connect_ok("$common_connstr host=192.0.2.1", "certificate with both an IP CN and DNS SANs matches CN"); -$node->connect_ok("$common_connstr host=dns1.alt-name.pg-ssltest.test", +$node->connect_ok( + "$common_connstr host=dns1.alt-name.pg-ssltest.test", "certificate with both an IP CN and DNS SANs matches SAN 1"); -$node->connect_ok("$common_connstr host=dns2.alt-name.pg-ssltest.test", +$node->connect_ok( + "$common_connstr host=dns2.alt-name.pg-ssltest.test", "certificate with both an IP CN and DNS SANs matches SAN 2"); # Finally, test a server certificate that has no CN or SANs. Of course, that's 
@@ -506,42 +513,50 @@ $node->connect_fails( # correct client cert in unencrypted PEM $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), "certificate authorization succeeds with correct client cert in PEM format" ); # correct client cert in unencrypted DER $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-der.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-der.key'), "certificate authorization succeeds with correct client cert in DER format" ); # correct client cert in encrypted PEM $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword='dUmmyP^#+'", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . " sslpassword='dUmmyP^#+'", "certificate authorization succeeds with correct client cert in encrypted PEM format" ); # correct client cert in encrypted DER $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-der.key') . " sslpassword='dUmmyP^#+'", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-der.key') + . " sslpassword='dUmmyP^#+'", "certificate authorization succeeds with correct client cert in encrypted DER format" ); # correct client cert in encrypted PEM with wrong password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword='wrong'", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . 
" sslpassword='wrong'", "certificate authorization fails with correct client cert and wrong password in encrypted PEM format", expected_stderr => - qr!private key file \".*client-encrypted-pem\.key\": bad decrypt!, -); + qr!private key file \".*client-encrypted-pem\.key\": bad decrypt!,); # correct client cert using whole DN my $dn_connstr = "$common_connstr dbname=certdb_dn"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), "certificate authorization succeeds with DN mapping", log_like => [ qr/connection authenticated: identity="CN=ssltestuser-dn,OU=Testing,OU=Engineering,O=PGDG" method=cert/ @@ -551,14 +566,16 @@ $node->connect_ok( $dn_connstr = "$common_connstr dbname=certdb_dn_re"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), "certificate authorization succeeds with DN regex mapping"); # same thing but using explicit CN $dn_connstr = "$common_connstr dbname=certdb_cn"; $node->connect_ok( - "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " . sslkey('client-dn.key'), + "$dn_connstr user=ssltestuser sslcert=ssl/client-dn.crt " + . sslkey('client-dn.key'), "certificate authorization succeeds with CN mapping", # the full DN should still be used as the authenticated identity log_like => [ 
@@ -576,7 +593,9 @@ TODO: # correct client cert in encrypted PEM with empty password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key') . " sslpassword=''", + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key') + . " sslpassword=''", "certificate authorization fails with correct client cert and empty password in encrypted PEM format", expected_stderr => qr!private key file \".*client-encrypted-pem\.key\": processing error! @@ -584,7 +603,8 @@ TODO: # correct client cert in encrypted PEM with no password $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client-encrypted-pem.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client-encrypted-pem.key'), "certificate authorization fails with correct client cert and no password in encrypted PEM format", expected_stderr => qr!private key file \".*client-encrypted-pem\.key\": processing error! @@ -630,7 +650,8 @@ command_like( '-P', 'null=_null_', '-d', - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], @@ -644,7 +665,8 @@ SKIP: skip "Permissions check not enforced on Windows", 2 if ($windows_os); $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client_wrongperms.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client_wrongperms.key'), "certificate authorization fails because of file permissions", expected_stderr => qr!private key file \".*client_wrongperms\.key\" has group or world access! 
@@ -653,7 +675,8 @@ SKIP: # client cert belonging to another user $node->connect_fails( - "$common_connstr user=anotheruser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=anotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), "certificate authorization fails with client cert belonging to another user", expected_stderr => qr/certificate authentication failed for user "anotheruser"/, @@ -663,7 +686,8 @@ $node->connect_fails( # revoked client cert $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/, # revoked certificates should not authenticate the user @@ -676,13 +700,15 @@ $common_connstr = "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=verifydb hostaddr=$SERVERHOSTADDR host=localhost"; $node->connect_ok( - "$common_connstr user=ssltestuser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client.crt " + . sslkey('client.key'), "auth_option clientcert=verify-full succeeds with matching username and Common Name", # verify-full does not provide authentication log_unlike => [qr/connection authenticated:/],); $node->connect_fails( - "$common_connstr user=anotheruser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=anotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), "auth_option clientcert=verify-full fails with mismatching username and Common Name", expected_stderr => qr/FATAL: .* "trust" authentication failed for user "anotheruser"/, 
@@ -692,7 +718,8 @@ $node->connect_fails( # Check that connecting with auth-option verify-ca in pg_hba : # works, when username doesn't match Common Name $node->connect_ok( - "$common_connstr user=yetanotheruser sslcert=ssl/client.crt " . sslkey('client.key'), + "$common_connstr user=yetanotheruser sslcert=ssl/client.crt " + . sslkey('client.key'), "auth_option clientcert=verify-ca succeeds with mismatching username and Common Name", # verify-full does not provide authentication log_unlike => [qr/connection authenticated:/],); @@ -700,7 +727,9 @@ $node->connect_ok( # intermediate client_ca.crt is provided by client, and isn't in server's ssl_ca_file switch_server_cert($node, certfile => 'server-cn-only', cafile => 'root_ca'); $common_connstr = - "$default_ssl_connstr user=ssltestuser dbname=certdb " . sslkey('client.key') . " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; + "$default_ssl_connstr user=ssltestuser dbname=certdb " + . sslkey('client.key') + . " sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR host=localhost"; $node->connect_ok( "$common_connstr sslmode=require sslcert=ssl/client+client_ca.crt", @@ -711,11 +740,15 @@ $node->connect_fails( expected_stderr => qr/SSL error: tlsv1 alert unknown ca/); # test server-side CRL directory -switch_server_cert($node, certfile => 'server-cn-only', crldir => 'root+client-crldir'); +switch_server_cert( + $node, + certfile => 'server-cn-only', + crldir => 'root+client-crldir'); # revoked client cert $node->connect_fails( - "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " . sslkey('client-revoked.key'), + "$common_connstr user=ssltestuser sslcert=ssl/client-revoked.crt " + . sslkey('client-revoked.key'), "certificate authorization fails with revoked client cert with server-side CRL directory", expected_stderr => qr/SSL error: sslv3 alert certificate revoked/); 
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 4354901f53..588f47a39b 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -22,10 +22,12 @@ if ($ENV{with_ssl} ne 'openssl') } my $ssl_server = SSL::Server->new(); + sub sslkey { return $ssl_server->sslkey(@_); } + sub switch_server_cert { $ssl_server->switch_server_cert(@_); @@ -57,8 +59,11 @@ $ENV{PGPORT} = $node->port; $node->start; # Configure server for SSL connections, with password handling. -$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, - "scram-sha-256", 'password' => "pass", 'password_enc' => "scram-sha-256"); +$ssl_server->configure_test_server_for_ssl( + $node, $SERVERHOSTADDR, $SERVERHOSTCIDR, + "scram-sha-256", + 'password' => "pass", + 'password_enc' => "scram-sha-256"); switch_server_cert($node, certfile => 'server-cn-only'); $ENV{PGPASSWORD} = "pass"; $common_connstr = @@ -104,7 +109,7 @@ $node->connect_fails( # because channel binding is not performed. Note that ssl/client.key may # be used in a different test, so the name of this temporary client key # is chosen here to be unique. -my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); +my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); my $client_tmp_key = "$cert_tempdir/client_scram.key"; copy("ssl/client.key", "$cert_tempdir/client_scram.key") or die diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index 96a5db8672..87fb18a31e 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -21,10 +21,12 @@ if ($ENV{with_ssl} ne 'openssl') #### Some configuration my $ssl_server = SSL::Server->new(); + sub sslkey { return $ssl_server->sslkey(@_); } + sub switch_server_cert { $ssl_server->switch_server_cert(@_); 
@@ -52,8 +54,8 @@ $ENV{PGHOST} = $node->host; $ENV{PGPORT} = $node->port; $node->start; -$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, $SERVERHOSTCIDR, - 'trust', extensions => [ qw(sslinfo) ]); +$ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR, + $SERVERHOSTCIDR, 'trust', extensions => [qw(sslinfo)]); # We aren't using any CRL's in this suite so we can keep using server-revoked # as server certificate for simple client.crt connection much like how the @@ -63,11 +65,13 @@ switch_server_cert($node, certfile => 'server-revoked'); # Set of default settings for SSL parameters in connection string. This # makes the tests protected against any defaults the environment may have # in ~/.postgresql/. -my $default_ssl_connstr = "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; +my $default_ssl_connstr = + "sslkey=invalid sslcert=invalid sslrootcert=invalid sslcrl=invalid sslcrldir=invalid"; $common_connstr = - "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost " . - "user=ssltestuser sslcert=ssl/client_ext.crt " . sslkey('client_ext.key'); + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR host=localhost " + . "user=ssltestuser sslcert=ssl/client_ext.crt " + . sslkey('client_ext.key'); # Make sure we can connect even though previous test suites have established this $node->connect_ok( 
@@ -77,62 +81,85 @@ $node->connect_ok( my $result; -$result = $node->safe_psql("certdb", "SELECT ssl_is_used();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_is_used();", + connstr => $common_connstr); is($result, 't', "ssl_is_used() for TLS connection"); -$result = $node->safe_psql("certdb", "SELECT ssl_version();", - connstr => $common_connstr . " ssl_min_protocol_version=TLSv1.2 " . - "ssl_max_protocol_version=TLSv1.2"); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_version();", + connstr => $common_connstr + . " ssl_min_protocol_version=TLSv1.2 " + . "ssl_max_protocol_version=TLSv1.2"); is($result, 'TLSv1.2', "ssl_version() correctly returning TLS protocol"); -$result = $node->safe_psql("certdb", - "SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_cipher() = cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); is($result, 't', "ssl_cipher() compared with pg_stat_ssl"); -$result = $node->safe_psql("certdb", "SELECT ssl_client_cert_present();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_cert_present();", + connstr => $common_connstr); is($result, 't', "ssl_client_cert_present() for connection with cert"); -$result = $node->safe_psql("trustdb", "SELECT ssl_client_cert_present();", - connstr => "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " . - "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost"); +$result = $node->safe_psql( + "trustdb", + "SELECT ssl_client_cert_present();", + connstr => + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " + . 
"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" +); is($result, 'f', "ssl_client_cert_present() for connection without cert"); -$result = $node->safe_psql("certdb", - "SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_serial() = client_serial FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); is($result, 't', "ssl_client_serial() compared with pg_stat_ssl"); # Must not use safe_psql since we expect an error here -$result = $node->psql("certdb", "SELECT ssl_client_dn_field('invalid');", - connstr => $common_connstr); +$result = $node->psql( + "certdb", + "SELECT ssl_client_dn_field('invalid');", + connstr => $common_connstr); is($result, '3', "ssl_client_dn_field() for an invalid field"); -$result = $node->safe_psql("trustdb", "SELECT ssl_client_dn_field('commonName');", - connstr => "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " . - "dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost"); +$result = $node->safe_psql( + "trustdb", + "SELECT ssl_client_dn_field('commonName');", + connstr => + "$default_ssl_connstr sslrootcert=ssl/root+server_ca.crt sslmode=require " + . 
"dbname=trustdb hostaddr=$SERVERHOSTADDR user=ssltestuser host=localhost" +); is($result, '', "ssl_client_dn_field() for connection without cert"); -$result = $node->safe_psql("certdb", - "SELECT '/CN=' || ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT '/CN=' || ssl_client_dn_field('commonName') = client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); is($result, 't', "ssl_client_dn_field() for commonName"); -$result = $node->safe_psql("certdb", - "SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT ssl_issuer_dn() = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); is($result, 't', "ssl_issuer_dn() for connection with cert"); -$result = $node->safe_psql("certdb", - "SELECT '/CN=' || ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT '/CN=' || ssl_issuer_field('commonName') = issuer_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); is($result, 't', "ssl_issuer_field() for commonName"); -$result = $node->safe_psql("certdb", - "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", - connstr => $common_connstr); +$result = $node->safe_psql( + "certdb", + "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", + connstr => $common_connstr); is($result, 'CA:FALSE|t', 'extract extension from cert'); done_testing(); diff --git a/src/test/ssl/t/SSL/Backend/OpenSSL.pm b/src/test/ssl/t/SSL/Backend/OpenSSL.pm index d6d99fa636..aed6005b43 100644 --- a/src/test/ssl/t/SSL/Backend/OpenSSL.pm +++ b/src/test/ssl/t/SSL/Backend/OpenSSL.pm 
@@ -84,7 +84,7 @@ sub init # the tests. To get the full path for inclusion in connection strings, the # %key hash can be interrogated. my $cert_tempdir = PostgreSQL::Test::Utils::tempdir(); - my @keys = ( + my @keys = ( "client.key", "client-revoked.key", "client-der.key", "client-encrypted-pem.key", "client-encrypted-der.key", "client-dn.key", @@ -108,8 +108,10 @@ sub init or die "couldn't copy ssl/client_key to $cert_tempdir/client_wrongperms.key for permission change: $!"; chmod 0644, "$cert_tempdir/client_wrongperms.key" - or die "failed to change permissions on $cert_tempdir/client_wrongperms.key: $!"; - $self->{key}->{'client_wrongperms.key'} = "$cert_tempdir/client_wrongperms.key"; + or die + "failed to change permissions on $cert_tempdir/client_wrongperms.key: $!"; + $self->{key}->{'client_wrongperms.key'} = + "$cert_tempdir/client_wrongperms.key"; $self->{key}->{'client_wrongperms.key'} =~ s!\\!/!g if $PostgreSQL::Test::Utils::windows_os; } @@ -171,9 +173,10 @@ sub set_server_cert { my ($self, $params) = @_; - $params->{cafile} = 'root+client_ca' unless defined $params->{cafile}; + $params->{cafile} = 'root+client_ca' unless defined $params->{cafile}; $params->{crlfile} = 'root+client.crl' unless defined $params->{crlfile}; - $params->{keyfile} = $params->{certfile} unless defined $params->{keyfile}; + $params->{keyfile} = $params->{certfile} + unless defined $params->{keyfile}; my $sslconf = "ssl_ca_file='$params->{cafile}.crt'\n" diff --git a/src/test/ssl/t/SSL/Server.pm b/src/test/ssl/t/SSL/Server.pm index de460c2d96..62f54dcbf1 100644 --- a/src/test/ssl/t/SSL/Server.pm +++ b/src/test/ssl/t/SSL/Server.pm @@ -94,7 +94,7 @@ sub new bless $self, $class; if ($flavor =~ /\Aopenssl\z/i) { - $self->{flavor} = 'openssl'; + $self->{flavor} = 'openssl'; $self->{backend} = SSL::Backend::OpenSSL->new(); } else @@ -115,7 +115,7 @@ string. sub sslkey { - my $self = shift; + my $self = shift; my $keyfile = shift; my $backend = $self->{backend}; 
@@ -140,12 +140,14 @@ C<listen_addresses> and B<cidr> for configuring C<pg_hba.conf>. sub configure_test_server_for_ssl { - my $self=shift; + my $self = shift; my ($node, $serverhost, $servercidr, $authmethod, %params) = @_; my $backend = $self->{backend}; - my $pgdata = $node->data_dir; + my $pgdata = $node->data_dir; - my @databases = ( 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', 'certdb_cn', 'verifydb' ); + my @databases = ( + 'trustdb', 'certdb', 'certdb_dn', 'certdb_dn_re', + 'certdb_cn', 'verifydb'); # Create test users and databases $node->psql('postgres', "CREATE USER ssltestuser"); @@ -162,7 +164,7 @@ sub configure_test_server_for_ssl if (defined($params{password})) { die "Password encryption must be specified when password is set" - unless defined($params{password_enc}); + unless defined($params{password_enc}); $node->psql('postgres', "SET password_encryption='$params{password_enc}'; ALTER USER ssltestuser PASSWORD '$params{password}';" @@ -179,7 +181,7 @@ sub configure_test_server_for_ssl # Create any extensions requested in the setup if (defined($params{extensions})) { - foreach my $extension (@{$params{extensions}}) + foreach my $extension (@{ $params{extensions} }) { foreach my $db (@databases) { @@ -227,7 +229,7 @@ Get the name of the currently used SSL backend. sub ssl_library { - my $self = shift; + my $self = shift; my $backend = $self->{backend}; return $backend->get_library(); 
@@ -282,16 +284,17 @@ returning. sub switch_server_cert { - my $self = shift; - my $node = shift; + my $self = shift; + my $node = shift; my $backend = $self->{backend}; - my %params = @_; - my $pgdata = $node->data_dir; + my %params = @_; + my $pgdata = $node->data_dir; open my $sslconf, '>', "$pgdata/sslconfig.conf"; print $sslconf "ssl=on\n"; print $sslconf $backend->set_server_cert(\%params); - print $sslconf "ssl_passphrase_command='" . $params{passphrase_cmd} . "'\n" + print $sslconf "ssl_passphrase_command='" + . $params{passphrase_cmd} . "'\n" if defined $params{passphrase_cmd}; close $sslconf; |