
Commit 697f8d2

Revert "Add notBefore and notAfter to SSL cert info display"
This reverts commit 6acb0a6 since LibreSSL didn't support ASN1_TIME_diff until OpenBSD 7.1, leaving the older OpenBSD animals in the buildfarm complaining. Per plover in the buildfarm. Discussion: https://postgr.es/m/F0DF7102-192D-4C21-96AE-9A01AE153AD1@yesql.se
1 parent 473182c commit 697f8d2


19 files changed

+34
-308
lines changed


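--- a/contrib/sslinfo/Makefile
+++ b/contrib/sslinfo/Makefile
@@ -6,7 +6,7 @@ OBJS = \
 sslinfo.o
 
 EXTENSION = sslinfo
-DATA = sslinfo--1.2--1.3.sql sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
+DATA = sslinfo--1.2.sql sslinfo--1.1--1.2.sql sslinfo--1.0--1.1.sql
 PGFILEDESC = "sslinfo - information about client SSL certificate"
 
 ifdef USE_PGXS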

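--- a/contrib/sslinfo/meson.build
+++ b/contrib/sslinfo/meson.build
@@ -26,7 +26,6 @@ install_data(
 'sslinfo--1.0--1.1.sql',
 'sslinfo--1.1--1.2.sql',
 'sslinfo--1.2.sql',
-'sslinfo--1.2--1.3.sql',
 'sslinfo.control',
 kwargs: contrib_data_args,
 )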

contrib/sslinfo/sslinfo--1.2--1.3.sql

-12
This file was deleted.

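--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -14,12 +14,10 @@
 #include <openssl/asn1.h>
 
 #include "access/htup_details.h"
-#include "common/int.h"
 #include "funcapi.h"
 #include "libpq/libpq-be.h"
 #include "miscadmin.h"
 #include "utils/builtins.h"
-#include "utils/timestamp.h"
 
 /*
 * On Windows, <wincrypt.h> includes a #define for X509_NAME, which breaks our
@@ -36,7 +34,6 @@ PG_MODULE_MAGIC;
 
 static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
 static Datum ASN1_STRING_to_text(ASN1_STRING *str);
-static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 
 /*
 * Function context for data persisting over repeated calls.
@@ -228,66 +225,6 @@ X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
 }
 
 
-/*
-* Converts OpenSSL ASN1_TIME structure into timestamptz
-*
-* OpenSSL 1.0.2 doesn't expose a function to convert an ASN1_TIME to a tm
-* struct, it's only available in 1.1.1 and onwards. Instead we can ask for the
-* difference between the ASN1_TIME and a known timestamp and get the actual
-* timestamp that way. Until support for OpenSSL 1.0.2 is retired we have to do
-* it this way.
-*
-* Parameter: time - OpenSSL ASN1_TIME structure.
-* Returns Datum, which can be directly returned from a C language SQL
-* function.
-*/
-static Datum
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
-int days;
-int seconds;
-const char postgres_epoch[] = "20000101000000Z";
-ASN1_TIME *ASN1_epoch;
-int64 result_days;
-int64 result_secs;
-int64 result;
-
-/* Create an epoch to compare against */
-ASN1_epoch = ASN1_TIME_new();
-if (!ASN1_epoch)
-ereport(ERROR,
-(errcode(ERRCODE_OUT_OF_MEMORY),
-errmsg("could not allocate memory for ASN1 TIME structure")));
-
-/* Calculate the diff from the epoch to the certificate timestamp */
-if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
-!ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
-ereport(ERROR,
-(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-errmsg("failed to read certificate validity")));
-
-/*
-* Unlike when freeing other OpenSSL memory structures, there is no error
-* return on freeing ASN1 strings.
-*/
-ASN1_TIME_free(ASN1_epoch);
-
-/*
-* Convert the reported date into usecs to be used as a TimestampTz. The
-* date should really not overflow an int64 but rather than trusting the
-* certificate we take overflow into consideration.
-*/
-if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
-pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_secs) ||
-pg_add_s64_overflow(result_days, result_secs, &result))
-{
-return TimestampTzGetDatum(0);
-}
-
-return TimestampTzGetDatum(result);
-}
-
-
 /*
 * Returns specified field of client certificate distinguished name
 *
@@ -545,35 +482,3 @@ ssl_extension_info(PG_FUNCTION_ARGS)
 /* All done */
 SRF_RETURN_DONE(funcctx);
 }
-
-/*
-* Returns current client certificate notBefore timestamp in
-* timestamptz data type
-*/
-PG_FUNCTION_INFO_V1(ssl_client_get_notbefore);
-Datum
-ssl_client_get_notbefore(PG_FUNCTION_ARGS)
-{
-X509 *cert = MyProcPort->peer;
-
-if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
-PG_RETURN_NULL();
-
-return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert));
-}
-
-/*
-* Returns current client certificate notAfter timestamp in
-* timestamptz data type
-*/
-PG_FUNCTION_INFO_V1(ssl_client_get_notafter);
-Datum
-ssl_client_get_notafter(PG_FUNCTION_ARGS)
-{
-X509 *cert = MyProcPort->peer;
-
-if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
-PG_RETURN_NULL();
-
-return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert));
-}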

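--- a/contrib/sslinfo/sslinfo.control
+++ b/contrib/sslinfo/sslinfo.control
@@ -1,5 +1,5 @@
 # sslinfo extension
 comment = 'information about SSL certificates'
-default_version = '1.3'
+default_version = '1.2'
 module_pathname = '$libdir/sslinfo'
 relocatable = true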

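--- a/doc/src/sgml/monitoring.sgml
+++ b/doc/src/sgml/monitoring.sgml
@@ -2292,26 +2292,6 @@ description | Waiting for a newly initialized WAL file to reach durable storage
 This field is truncated like <structfield>client_dn</structfield>.
 </para></entry>
 </row>
-
-<row>
-<entry role="catalog_table_entry"><para role="column_definition">
-<structfield>not_before</structfield> <type>text</type>
-</para>
-<para>
-Not before timestamp of the client certificate, or NULL if no client
-certificate was supplied.
-</para></entry>
-</row>
-
-<row>
-<entry role="catalog_table_entry"><para role="column_definition">
-<structfield>not_after</structfield> <type>text</type>
-</para>
-<para>
-Not after timestamp of the client certificate, or NULL if no client
-certificate was supplied.
-</para></entry>
-</row>
 </tbody>
 </tgroup>
 </table>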

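--- a/doc/src/sgml/sslinfo.sgml
+++ b/doc/src/sgml/sslinfo.sgml
@@ -240,36 +240,6 @@ emailAddress
 </para>
 </listitem>
 </varlistentry>
-
-<varlistentry>
-<term>
-<function>ssl_client_get_notbefore() returns timestamptz</function>
-<indexterm>
-<primary>ssl_client_get_notbefore</primary>
-</indexterm>
-</term>
-<listitem>
-<para>
-Return the <structfield>not before</structfield> timestamp of the client
-certificate.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term>
-<function>ssl_client_get_notafter() returns timestamptz</function>
-<indexterm>
-<primary>ssl_client_get_notafter</primary>
-</indexterm>
-</term>
-<listitem>
-<para>
-Return the <structfield>not after</structfield> timestamp of the client
-certificate.
-</para>
-</listitem>
-</varlistentry>
 </variablelist>
 </sect2>
 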
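--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -992,9 +992,7 @@ CREATE VIEW pg_stat_ssl AS
 S.sslbits AS bits,
 S.ssl_client_dn AS client_dn,
 S.ssl_client_serial AS client_serial,
-S.ssl_issuer_dn AS issuer_dn,
-S.ssl_not_before AS not_before,
-S.ssl_not_after AS not_after
+S.ssl_issuer_dn AS issuer_dn
 FROM pg_stat_get_activity(NULL) AS S
 WHERE S.client_port IS NOT NULL;
 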
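--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -27,7 +27,6 @@
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 
-#include "common/int.h"
 #include "common/string.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
@@ -37,7 +36,6 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
-#include "utils/timestamp.h"
 
 /*
 * These SSL-related #includes must come after all system-provided headers.
@@ -74,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 
 static char *X509_NAME_to_cstring(X509_NAME *name);
-static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
 
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1433,24 +1430,6 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 ptr[0] = '\0';
 }
 
-void
-be_tls_get_peer_not_before(Port *port, TimestampTz *ptr)
-{
-if (port->peer)
-*ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
-else
-*ptr = 0;
-}
-
-void
-be_tls_get_peer_not_after(Port *port, TimestampTz *ptr)
-{
-if (port->peer)
-*ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
-else
-*ptr = 0;
-}
-
 void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
@@ -1594,63 +1573,6 @@ X509_NAME_to_cstring(X509_NAME *name)
 return result;
 }
 
-/*
-* Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function
-* to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and
-* onwards. Instead we can ask for the difference between the ASN1_TIME and a
-* known timestamp and get the actual timestamp that way. Until support for
-* OpenSSL 1.0.2 is retired we have to do it this way.
-*/
-static TimestampTz
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
-{
-int days;
-int seconds;
-const char postgres_epoch[] = "20000101000000Z";
-ASN1_TIME *ASN1_epoch;
-int64 result_days;
-int64 result_seconds;
-int64 result;
-
-/* Create an epoch to compare against */
-ASN1_epoch = ASN1_TIME_new();
-if (!ASN1_epoch)
-ereport(ERROR,
-(errcode(ERRCODE_OUT_OF_MEMORY),
-errmsg("could not allocate memory for ASN1 TIME structure")));
-
-/*
-* Calculate the diff from the epoch to the certificate timestamp.
-* POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch
-* in the ASN.1 format.
-*/
-if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
-!ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
-ereport(ERROR,
-(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-errmsg("failed to read certificate validity")));
-
-/*
-* Unlike when freeing other OpenSSL memory structures, there is no error
-* return on freeing ASN1 strings.
-*/
-ASN1_TIME_free(ASN1_epoch);
-
-/*
-* Convert the reported date into usecs to be used as a TimestampTz. The
-* date should really not overflow an int64 but rather than trusting the
-* certificate we take overflow into consideration.
-*/
-if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
-pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_seconds) ||
-pg_add_s64_overflow(result_seconds, result_days, &result))
-{
-return 0;
-}
-
-return result;
-}
-
 /*
 * Convert TLS protocol version GUC enum to OpenSSL values
 *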

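--- a/src/backend/utils/activity/backend_status.c
+++ b/src/backend/utils/activity/backend_status.c
@@ -348,8 +348,6 @@ pgstat_bestart(void)
 be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
 be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
 be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
-be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
-be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
 }
 else
 {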
