Fix SSL test for libpq connection parameter channel_binding

When compiling Postgres with OpenSSL 1.0.1 or older versions, SCRAM's
channel binding cannot be supported as X509_get_signature_nid() is
needed, which causes a regression test with channel_binding='require' to
fail as the server cannot publish SCRAM-SHA-256-PLUS as SASL mechanism
over an SSL connection.

Fix the issue by using a method similar to c3d41cc, making the test
result conditional.  The test passes if X509_get_signature_nid() is
present, and when missing we test for a connection failure.  Testing a
connection failure is more useful than skipping the test as we should
fail the connection if channel binding is required by the client but the
server does not support it.

Reported-by: Tom Lane, Michael Paquier
Author: Michael Paquier
Discussion: https://postgr.es/m/20190927024457.GA8485@paquier.xyz
Discussion: https://postgr.es/m/24857.1569775891@sss.pgh.pa.us

diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 5fa2dbde1c144d80463c6034bcfcef19cf800cd9..c08aa19aee5affa621ee2febe7ab64141fe5120b 100644 (file)
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -18,11 +18,15 @@ if ($ENV{with_openssl} ne 'yes')
        plan skip_all => 'SSL not supported by this build';
 }
 
-my $number_of_tests = 9;
-
 # This is the hostname used to connect to the server.
 my $SERVERHOSTADDR = '127.0.0.1';
 
+# Determine whether build supports tls-server-end-point.
+my $supports_tls_server_end_point =
+  check_pg_config("#define HAVE_X509_GET_SIGNATURE_NID 1");
+
+my $number_of_tests = $supports_tls_server_end_point ? 9 : 10;
+
 # Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
@@ -60,10 +64,21 @@ test_connect_ok(
        $common_connstr,
        "user=ssltestuser channel_binding=disable",
        "SCRAM with SSL and channel_binding=disable");
-test_connect_ok(
-       $common_connstr,
-       "user=ssltestuser channel_binding=require",
-       "SCRAM with SSL and channel_binding=require");
+if ($supports_tls_server_end_point)
+{
+       test_connect_ok(
+               $common_connstr,
+               "user=ssltestuser channel_binding=require",
+               "SCRAM with SSL and channel_binding=require");
+}
+else
+{
+       test_connect_fails(
+               $common_connstr,
+               "user=ssltestuser channel_binding=require",
+               qr/could not connect to server: channel binding is required, but server did not offer an authentication method that supports channel binding/,
+               "SCRAM with SSL and channel_binding=require");
+}
 
 # Now test when the user has an MD5-encrypted password; should fail
 test_connect_fails(