NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit697f8d2

committed

Revert "Add notBefore and notAfter to SSL cert info display"

This reverts commit6acb0a6 sinceLibreSSL didn't support ASN1_TIME_diff until OpenBSD 7.1, leavingthe older OpenBSD animals in the buildfarm complaining.Per plover in the buildfarm.Discussion:https://postgr.es/m/F0DF7102-192D-4C21-96AE-9A01AE153AD1@yesql.se

1 parent473182c commit697f8d2Copy full SHA for 697f8d2

File tree

19 files changed

+34

-308

lines changed

contrib/sslinfo
doc/src/sgml
- monitoring.sgml
- sslinfo.sgml
src
- backend
  - catalog
    - system_views.sql
  - libpq
    - be-secure-openssl.c
  - utils
    - activity
      - backend_status.c
    - adt
      - pgstatfuncs.c
- include
  - catalog
    - catversion.h
    - pg_proc.dat
  - libpq
    - libpq-be.h
  - utils
    - backend_status.h
- test
  - regress/expected
    - rules.out
  - ssl/t
    - 001_ssltests.pl
    - 003_sslinfo.pl
- tools/pgindent
  - typedefs.list

19 files changed

+34

-308

lines changed

`‎contrib/sslinfo/Makefile`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ OBJS = \`
`6`	`6`	`sslinfo.o`
`7`	`7`
`8`	`8`	`EXTENSION = sslinfo`
`9`		`-DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql`
	`9`	`+DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql`
`10`	`10`	`PGFILEDESC = "sslinfo - information about client SSL certificate"`
`11`	`11`
`12`	`12`	`ifdefUSE_PGXS`

`‎contrib/sslinfo/meson.build`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,6 @@ install_data(`
`26`	`26`	`'sslinfo--1.0--1.1.sql',`
`27`	`27`	`'sslinfo--1.1--1.2.sql',`
`28`	`28`	`'sslinfo--1.2.sql',`
`29`		`-'sslinfo--1.2--1.3.sql',`
`30`	`29`	`'sslinfo.control',`
`31`	`30`	`kwargs: contrib_data_args,`
`32`	`31`	`)`

`‎contrib/sslinfo/sslinfo--1.2--1.3.sql`

Lines changed: 0 additions & 12 deletions

This file was deleted.

`‎contrib/sslinfo/sslinfo.c`

Lines changed: 0 additions & 95 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,12 +14,10 @@`
`14`	`14`	`#include<openssl/asn1.h>`
`15`	`15`
`16`	`16`	`#include"access/htup_details.h"`
`17`		`-#include"common/int.h"`
`18`	`17`	`#include"funcapi.h"`
`19`	`18`	`#include"libpq/libpq-be.h"`
`20`	`19`	`#include"miscadmin.h"`
`21`	`20`	`#include"utils/builtins.h"`
`22`		`-#include"utils/timestamp.h"`
`23`	`21`
`24`	`22`	`/*`
`25`	`23`	`* On Windows, <wincrypt.h> includes a #define for X509_NAME, which breaks our`
`@@ -36,7 +34,6 @@ PG_MODULE_MAGIC;`
`36`	`34`
`37`	`35`	`staticDatumX509_NAME_field_to_text(X509_NAMEname,textfieldName);`
`38`	`36`	`staticDatumASN1_STRING_to_text(ASN1_STRING*str);`
`39`		`-staticDatumASN1_TIME_to_timestamptz(ASN1_TIME*time);`
`40`	`37`
`41`	`38`	`/*`
`42`	`39`	`* Function context for data persisting over repeated calls.`
`@@ -228,66 +225,6 @@ X509_NAME_field_to_text(X509_NAME name, text fieldName)`
`228`	`225`	`}`
`229`	`226`
`230`	`227`
`231`		`-/*`
`232`		`- * Converts OpenSSL ASN1_TIME structure into timestamptz`
`233`		`- *`
`234`		`- * OpenSSL 1.0.2 doesn't expose a function to convert an ASN1_TIME to a tm`
`235`		`- * struct, it's only available in 1.1.1 and onwards. Instead we can ask for the`
`236`		`- * difference between the ASN1_TIME and a known timestamp and get the actual`
`237`		`- * timestamp that way. Until support for OpenSSL 1.0.2 is retired we have to do`
`238`		`- * it this way.`
`239`		`- *`
`240`		`- * Parameter: time - OpenSSL ASN1_TIME structure.`
`241`		`- * Returns Datum, which can be directly returned from a C language SQL`
`242`		`- * function.`
`243`		`- */`
`244`		`-staticDatum`
`245`		`-ASN1_TIME_to_timestamptz(ASN1_TIME*ASN1_cert_ts)`
`246`		`-{`
`247`		`-intdays;`
`248`		`-intseconds;`
`249`		`-constcharpostgres_epoch[]="20000101000000Z";`
`250`		`-ASN1_TIME*ASN1_epoch;`
`251`		`-int64result_days;`
`252`		`-int64result_secs;`
`253`		`-int64result;`
`254`		`-`
`255`		`-/* Create an epoch to compare against */`
`256`		`-ASN1_epoch=ASN1_TIME_new();`
`257`		`-if (!ASN1_epoch)`
`258`		`-ereport(ERROR,`
`259`		`-(errcode(ERRCODE_OUT_OF_MEMORY),`
`260`		`-errmsg("could not allocate memory for ASN1 TIME structure")));`
`261`		`-`
`262`		`-/* Calculate the diff from the epoch to the certificate timestamp */`
`263`		`-if (!ASN1_TIME_set_string(ASN1_epoch,postgres_epoch)\|\|`
`264`		`-!ASN1_TIME_diff(&days,&seconds,ASN1_epoch,ASN1_cert_ts))`
`265`		`-ereport(ERROR,`
`266`		`-(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`267`		`-errmsg("failed to read certificate validity")));`
`268`		`-`
`269`		`-/*`
`270`		`- * Unlike when freeing other OpenSSL memory structures, there is no error`
`271`		`- * return on freeing ASN1 strings.`
`272`		`- */`
`273`		`-ASN1_TIME_free(ASN1_epoch);`
`274`		`-`
`275`		`-/*`
`276`		`- * Convert the reported date into usecs to be used as a TimestampTz. The`
`277`		`- * date should really not overflow an int64 but rather than trusting the`
`278`		`- * certificate we take overflow into consideration.`
`279`		`- */`
`280`		`-if (pg_mul_s64_overflow(days,USECS_PER_DAY,&result_days)\|\|`
`281`		`-pg_mul_s64_overflow(seconds,USECS_PER_SEC,&result_secs)\|\|`
`282`		`-pg_add_s64_overflow(result_days,result_secs,&result))`
`283`		`-{`
`284`		`-returnTimestampTzGetDatum(0);`
`285`		`-}`
`286`		`-`
`287`		`-returnTimestampTzGetDatum(result);`
`288`		`-}`
`289`		`-`
`290`		`-`
`291`	`228`	`/*`
`292`	`229`	`* Returns specified field of client certificate distinguished name`
`293`	`230`	`*`
`@@ -545,35 +482,3 @@ ssl_extension_info(PG_FUNCTION_ARGS)`
`545`	`482`	`/* All done */`
`546`	`483`	`SRF_RETURN_DONE(funcctx);`
`547`	`484`	`}`
`548`		`-`
`549`		`-/*`
`550`		`- * Returns current client certificate notBefore timestamp in`
`551`		`- * timestamptz data type`
`552`		`- */`
`553`		`-PG_FUNCTION_INFO_V1(ssl_client_get_notbefore);`
`554`		`-Datum`
`555`		`-ssl_client_get_notbefore(PG_FUNCTION_ARGS)`
`556`		`-{`
`557`		`-X509*cert=MyProcPort->peer;`
`558`		`-`
`559`		`-if (!MyProcPort->ssl_in_use\|\| !MyProcPort->peer_cert_valid)`
`560`		`-PG_RETURN_NULL();`
`561`		`-`
`562`		`-returnASN1_TIME_to_timestamptz(X509_get_notBefore(cert));`
`563`		`-}`
`564`		`-`
`565`		`-/*`
`566`		`- * Returns current client certificate notAfter timestamp in`
`567`		`- * timestamptz data type`
`568`		`- */`
`569`		`-PG_FUNCTION_INFO_V1(ssl_client_get_notafter);`
`570`		`-Datum`
`571`		`-ssl_client_get_notafter(PG_FUNCTION_ARGS)`
`572`		`-{`
`573`		`-X509*cert=MyProcPort->peer;`
`574`		`-`
`575`		`-if (!MyProcPort->ssl_in_use\|\| !MyProcPort->peer_cert_valid)`
`576`		`-PG_RETURN_NULL();`
`577`		`-`
`578`		`-returnASN1_TIME_to_timestamptz(X509_get_notAfter(cert));`
`579`		`-}`

`‎contrib/sslinfo/sslinfo.control`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`# sslinfo extension`
`2`	`2`	`comment = 'information about SSL certificates'`
`3`		`-default_version = '1.3'`
	`3`	`+default_version = '1.2'`
`4`	`4`	`module_pathname = '$libdir/sslinfo'`
`5`	`5`	`relocatable = true`

`‎doc/src/sgml/monitoring.sgml`

Lines changed: 0 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -2292,26 +2292,6 @@ description \| Waiting for a newly initialized WAL file to reach durable storage`
`2292`	`2292`	`This field is truncated like <structfield>client_dn</structfield>.`
`2293`	`2293`	`</para></entry>`
`2294`	`2294`	`</row>`
`2295`		`-`
`2296`		`- <row>`
`2297`		`- <entry role="catalog_table_entry"><para role="column_definition">`
`2298`		`- <structfield>not_before</structfield> <type>text</type>`
`2299`		`- </para>`
`2300`		`- <para>`
`2301`		`- Not before timestamp of the client certificate, or NULL if no client`
`2302`		`- certificate was supplied.`
`2303`		`- </para></entry>`
`2304`		`- </row>`
`2305`		`-`
`2306`		`- <row>`
`2307`		`- <entry role="catalog_table_entry"><para role="column_definition">`
`2308`		`- <structfield>not_after</structfield> <type>text</type>`
`2309`		`- </para>`
`2310`		`- <para>`
`2311`		`- Not after timestamp of the client certificate, or NULL if no client`
`2312`		`- certificate was supplied.`
`2313`		`- </para></entry>`
`2314`		`- </row>`
`2315`	`2295`	`</tbody>`
`2316`	`2296`	`</tgroup>`
`2317`	`2297`	`</table>`

`‎doc/src/sgml/sslinfo.sgml`

Lines changed: 0 additions & 30 deletions

Original file line number	Diff line number	Diff line change
`@@ -240,36 +240,6 @@ emailAddress`
`240`	`240`	`</para>`
`241`	`241`	`</listitem>`
`242`	`242`	`</varlistentry>`
`243`		`-`
`244`		`- <varlistentry>`
`245`		`- <term>`
`246`		`- <function>ssl_client_get_notbefore() returns timestamptz</function>`
`247`		`- <indexterm>`
`248`		`- <primary>ssl_client_get_notbefore</primary>`
`249`		`- </indexterm>`
`250`		`- </term>`
`251`		`- <listitem>`
`252`		`- <para>`
`253`		`- Return the <structfield>not before</structfield> timestamp of the client`
`254`		`- certificate.`
`255`		`- </para>`
`256`		`- </listitem>`
`257`		`- </varlistentry>`
`258`		`-`
`259`		`- <varlistentry>`
`260`		`- <term>`
`261`		`- <function>ssl_client_get_notafter() returns timestamptz</function>`
`262`		`- <indexterm>`
`263`		`- <primary>ssl_client_get_notafter</primary>`
`264`		`- </indexterm>`
`265`		`- </term>`
`266`		`- <listitem>`
`267`		`- <para>`
`268`		`- Return the <structfield>not after</structfield> timestamp of the client`
`269`		`- certificate.`
`270`		`- </para>`
`271`		`- </listitem>`
`272`		`- </varlistentry>`
`273`	`243`	`</variablelist>`
`274`	`244`	`</sect2>`
`275`	`245`

`‎src/backend/catalog/system_views.sql`

Lines changed: 1 addition & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -992,9 +992,7 @@ CREATE VIEW pg_stat_ssl AS`
`992`	`992`	`S.sslbitsAS bits,`
`993`	`993`	`S.ssl_client_dnAS client_dn,`
`994`	`994`	`S.ssl_client_serialAS client_serial,`
`995`		`-S.ssl_issuer_dnAS issuer_dn,`
`996`		`-S.ssl_not_beforeAS not_before,`
`997`		`-S.ssl_not_afterAS not_after`
	`995`	`+S.ssl_issuer_dnAS issuer_dn`
`998`	`996`	`FROM pg_stat_get_activity(NULL)AS S`
`999`	`997`	`WHERES.client_portIS NOT NULL;`
`1000`	`998`

`‎src/backend/libpq/be-secure-openssl.c`

Lines changed: 0 additions & 78 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,6 @@`
`27`	`27`	`#include<netinet/tcp.h>`
`28`	`28`	`#include<arpa/inet.h>`
`29`	`29`
`30`		`-#include"common/int.h"`
`31`	`30`	`#include"common/string.h"`
`32`	`31`	`#include"libpq/libpq.h"`
`33`	`32`	`#include"miscadmin.h"`
`@@ -37,7 +36,6 @@`
`37`	`36`	`#include"tcop/tcopprot.h"`
`38`	`37`	`#include"utils/builtins.h"`
`39`	`38`	`#include"utils/memutils.h"`
`40`		`-#include"utils/timestamp.h"`
`41`	`39`
`42`	`40`	`/*`
`43`	`41`	`* These SSL-related #includes must come after all system-provided headers.`
`@@ -74,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);`
`74`	`72`	`staticconstchar*SSLerrmessage(unsigned longecode);`
`75`	`73`
`76`	`74`	`staticcharX509_NAME_to_cstring(X509_NAMEname);`
`77`		`-staticTimestampTzASN1_TIME_to_timestamptz(ASN1_TIME*time);`
`78`	`75`
`79`	`76`	`staticSSL_CTX*SSL_context=NULL;`
`80`	`77`	`staticboolSSL_initialized= false;`
`@@ -1433,24 +1430,6 @@ be_tls_get_peer_issuer_name(Port port, char ptr, size_t len)`
`1433`	`1430`	`ptr[0]='\0';`
`1434`	`1431`	`}`
`1435`	`1432`
`1436`		`-void`
`1437`		`-be_tls_get_peer_not_before(Portport,TimestampTzptr)`
`1438`		`-{`
`1439`		`-if (port->peer)`
`1440`		`-*ptr=ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));`
`1441`		`-else`
`1442`		`-*ptr=0;`
`1443`		`-}`
`1444`		`-`
`1445`		`-void`
`1446`		`-be_tls_get_peer_not_after(Portport,TimestampTzptr)`
`1447`		`-{`
`1448`		`-if (port->peer)`
`1449`		`-*ptr=ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));`
`1450`		`-else`
`1451`		`-*ptr=0;`
`1452`		`-}`
`1453`		`-`
`1454`	`1433`	`void`
`1455`	`1434`	`be_tls_get_peer_serial(Portport,charptr,size_tlen)`
`1456`	`1435`	`{`
`@@ -1594,63 +1573,6 @@ X509_NAME_to_cstring(X509_NAME *name)`
`1594`	`1573`	`returnresult;`
`1595`	`1574`	`}`
`1596`	`1575`
`1597`		`-/*`
`1598`		`- * Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function`
`1599`		`- * to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and`
`1600`		`- * onwards. Instead we can ask for the difference between the ASN1_TIME and a`
`1601`		`- * known timestamp and get the actual timestamp that way. Until support for`
`1602`		`- * OpenSSL 1.0.2 is retired we have to do it this way.`
`1603`		`- */`
`1604`		`-staticTimestampTz`
`1605`		`-ASN1_TIME_to_timestamptz(ASN1_TIME*ASN1_cert_ts)`
`1606`		`-{`
`1607`		`-intdays;`
`1608`		`-intseconds;`
`1609`		`-constcharpostgres_epoch[]="20000101000000Z";`
`1610`		`-ASN1_TIME*ASN1_epoch;`
`1611`		`-int64result_days;`
`1612`		`-int64result_seconds;`
`1613`		`-int64result;`
`1614`		`-`
`1615`		`-/* Create an epoch to compare against */`
`1616`		`-ASN1_epoch=ASN1_TIME_new();`
`1617`		`-if (!ASN1_epoch)`
`1618`		`-ereport(ERROR,`
`1619`		`-(errcode(ERRCODE_OUT_OF_MEMORY),`
`1620`		`-errmsg("could not allocate memory for ASN1 TIME structure")));`
`1621`		`-`
`1622`		`-/*`
`1623`		`- * Calculate the diff from the epoch to the certificate timestamp.`
`1624`		`- * POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch`
`1625`		`- * in the ASN.1 format.`
`1626`		`- */`
`1627`		`-if (!ASN1_TIME_set_string(ASN1_epoch,postgres_epoch)\|\|`
`1628`		`-!ASN1_TIME_diff(&days,&seconds,ASN1_epoch,ASN1_cert_ts))`
`1629`		`-ereport(ERROR,`
`1630`		`-(errcode(ERRCODE_INVALID_PARAMETER_VALUE),`
`1631`		`-errmsg("failed to read certificate validity")));`
`1632`		`-`
`1633`		`-/*`
`1634`		`- * Unlike when freeing other OpenSSL memory structures, there is no error`
`1635`		`- * return on freeing ASN1 strings.`
`1636`		`- */`
`1637`		`-ASN1_TIME_free(ASN1_epoch);`
`1638`		`-`
`1639`		`-/*`
`1640`		`- * Convert the reported date into usecs to be used as a TimestampTz. The`
`1641`		`- * date should really not overflow an int64 but rather than trusting the`
`1642`		`- * certificate we take overflow into consideration.`
`1643`		`- */`
`1644`		`-if (pg_mul_s64_overflow(days,USECS_PER_DAY,&result_days)\|\|`
`1645`		`-pg_mul_s64_overflow(seconds,USECS_PER_SEC,&result_seconds)\|\|`
`1646`		`-pg_add_s64_overflow(result_seconds,result_days,&result))`
`1647`		`-{`
`1648`		`-return0;`
`1649`		`-}`
`1650`		`-`
`1651`		`-returnresult;`
`1652`		`-}`
`1653`		`-`
`1654`	`1576`	`/*`
`1655`	`1577`	`* Convert TLS protocol version GUC enum to OpenSSL values`
`1656`	`1578`	`*`

`‎src/backend/utils/activity/backend_status.c`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -348,8 +348,6 @@ pgstat_bestart(void)`
`348`	`348`	`be_tls_get_peer_subject_name(MyProcPort,lsslstatus.ssl_client_dn,NAMEDATALEN);`
`349`	`349`	`be_tls_get_peer_serial(MyProcPort,lsslstatus.ssl_client_serial,NAMEDATALEN);`
`350`	`350`	`be_tls_get_peer_issuer_name(MyProcPort,lsslstatus.ssl_issuer_dn,NAMEDATALEN);`
`351`		`-be_tls_get_peer_not_before(MyProcPort,&lsslstatus.ssl_not_before);`
`352`		`-be_tls_get_peer_not_after(MyProcPort,&lsslstatus.ssl_not_after);`
`353`	`351`	`}`
`354`	`352`	`else`
`355`	`353`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit697f8d2

File tree

19 files changed

19 files changed

`‎contrib/sslinfo/Makefile`

`‎contrib/sslinfo/meson.build`

`‎contrib/sslinfo/sslinfo--1.2--1.3.sql`

`‎contrib/sslinfo/sslinfo.c`

`‎contrib/sslinfo/sslinfo.control`

`‎doc/src/sgml/monitoring.sgml`

`‎doc/src/sgml/sslinfo.sgml`

`‎src/backend/catalog/system_views.sql`

`‎src/backend/libpq/be-secure-openssl.c`

`‎src/backend/utils/activity/backend_status.c`

0 commit comments