database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-12-21 05:21:08 +03:00
Code Activity

Revert "Add notBefore and notAfter to SSL cert info display"

Browse Source 
This reverts commit 6acb0a628e since
LibreSSL didn't support ASN1_TIME_diff until OpenBSD 7.1, leaving
the older OpenBSD animals in the buildfarm complaining.

Per plover in the buildfarm.

Discussion: https://postgr.es/m/F0DF7102-192D-4C21-96AE-9A01AE153AD1@yesql.se
This commit is contained in:
Daniel Gustafsson
2024-03-22 22:58:41 +01:00
parent 473182c952
commit 697f8d266c
19 changed files with 34 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/catalog/system_views.sql
View File

@@ -992,9 +992,7 @@ CREATE VIEW pg_stat_ssl AS
S.sslbits AS bits,
S.ssl_client_dn AS client_dn,
S.ssl_client_serial AS client_serial,
S.ssl_issuer_dn AS issuer_dn,
S.ssl_not_before AS not_before,
S.ssl_not_after AS not_after
S.ssl_issuer_dn AS issuer_dn
FROM pg_stat_get_activity(NULL) AS S
WHERE S.client_port IS NOT NULL;

78
src/backend/libpq/be-secure-openssl.c
View File

@@ -27,7 +27,6 @@
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include "common/int.h"
#include "common/string.h"
#include "libpq/libpq.h"
#include "miscadmin.h"
@@ -37,7 +36,6 @@
#include "tcop/tcopprot.h"
#include "utils/builtins.h"
#include "utils/memutils.h"
#include "utils/timestamp.h"
/*
* These SSL-related #includes must come after all system-provided headers.
@@ -74,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
static const char *SSLerrmessage(unsigned long ecode);
static char *X509_NAME_to_cstring(X509_NAME *name);
static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
static SSL_CTX *SSL_context = NULL;
static bool SSL_initialized = false;
@@ -1433,24 +1430,6 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
ptr[0] = '\0';
}
void
be_tls_get_peer_not_before(Port *port, TimestampTz *ptr)
{
if (port->peer)
*ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
else
*ptr = 0;
}
void
be_tls_get_peer_not_after(Port *port, TimestampTz *ptr)
{
if (port->peer)
*ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
else
*ptr = 0;
}
void
be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
{
@@ -1594,63 +1573,6 @@ X509_NAME_to_cstring(X509_NAME *name)
return result;
}
/*
* Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function
* to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and
* onwards. Instead we can ask for the difference between the ASN1_TIME and a
* known timestamp and get the actual timestamp that way. Until support for
* OpenSSL 1.0.2 is retired we have to do it this way.
*/
static TimestampTz
ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
{
int days;
int seconds;
const char postgres_epoch[] = "20000101000000Z";
ASN1_TIME *ASN1_epoch;
int64 result_days;
int64 result_seconds;
int64 result;
/* Create an epoch to compare against */
ASN1_epoch = ASN1_TIME_new();
if (!ASN1_epoch)
ereport(ERROR,
(errcode(ERRCODE_OUT_OF_MEMORY),
errmsg("could not allocate memory for ASN1 TIME structure")));
/*
* Calculate the diff from the epoch to the certificate timestamp.
* POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch
* in the ASN.1 format.
*/
if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) ||
!ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts))
ereport(ERROR,
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
errmsg("failed to read certificate validity")));
/*
* Unlike when freeing other OpenSSL memory structures, there is no error
* return on freeing ASN1 strings.
*/
ASN1_TIME_free(ASN1_epoch);
/*
* Convert the reported date into usecs to be used as a TimestampTz. The
* date should really not overflow an int64 but rather than trusting the
* certificate we take overflow into consideration.
*/
if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) ||
pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_seconds) ||
pg_add_s64_overflow(result_seconds, result_days, &result))
{
return 0;
}
return result;
}
/*
* Convert TLS protocol version GUC enum to OpenSSL values
*

2
src/backend/utils/activity/backend_status.c
View File

@@ -348,8 +348,6 @@ pgstat_bestart(void)
be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
}
else
{

46
src/backend/utils/adt/pgstatfuncs.c
View File

@@ -302,7 +302,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS)
Datum
pg_stat_get_activity(PG_FUNCTION_ARGS)
{
#define PG_STAT_GET_ACTIVITY_COLS 33
#define PG_STAT_GET_ACTIVITY_COLS 31
int num_backends = pgstat_fetch_stat_numbackends();
int curr_backend;
int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0);
@@ -394,7 +394,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
pfree(clipped_activity);
/* leader_pid */
nulls[31] = true;
nulls[29] = true;
proc = BackendPidGetProc(beentry->st_procpid);
@@ -431,8 +431,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
*/
if (leader && leader->pid != beentry->st_procpid)
{
values[31] = Int32GetDatum(leader->pid);
nulls[31] = false;
values[29] = Int32GetDatum(leader->pid);
nulls[29] = false;
}
else if (beentry->st_backendType == B_BG_WORKER)
{
@@ -440,8 +440,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
if (leader_pid != InvalidPid)
{
values[31] = Int32GetDatum(leader_pid);
nulls[31] = false;
values[29] = Int32GetDatum(leader_pid);
nulls[29] = false;
}
}
}
@@ -586,45 +586,35 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
else
nulls[24] = true;
if (beentry->st_sslstatus->ssl_not_before != 0)
values[25] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_before);
else
nulls[25] = true;
if (beentry->st_sslstatus->ssl_not_after != 0)
values[26] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_after);
else
nulls[26] = true;
}
else
{
values[18] = BoolGetDatum(false); /* ssl */
nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true;
nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true;
}
/* GSSAPI information */
if (beentry->st_gss)
{
values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
* delegated */
}
else
{
values[27] = BoolGetDatum(false); /* gss_auth */
nulls[28] = true; /* No GSS principal */
values[29] = BoolGetDatum(false); /* GSS Encryption not in
values[25] = BoolGetDatum(false); /* gss_auth */
nulls[26] = true; /* No GSS principal */
values[27] = BoolGetDatum(false); /* GSS Encryption not in
* use */
values[30] = BoolGetDatum(false); /* GSS credentials not
values[28] = BoolGetDatum(false); /* GSS credentials not
* delegated */
}
if (beentry->st_query_id == 0)
nulls[32] = true;
nulls[30] = true;
else
values[32] = UInt64GetDatum(beentry->st_query_id);
values[30] = UInt64GetDatum(beentry->st_query_id);
}
else
{
@@ -654,8 +644,6 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
nulls[28] = true;
nulls[29] = true;
nulls[30] = true;
nulls[31] = true;
nulls[32] = true;
}
tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls);

2
src/include/catalog/catversion.h
View File

@@ -57,6 +57,6 @@
*/
/* yyyymmddN */
#define CATALOG_VERSION_NO 202403223
#define CATALOG_VERSION_NO 202403222
#endif

6
src/include/catalog/pg_proc.dat
View File

@@ -5440,9 +5440,9 @@
proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f',
proretset => 't', provolatile => 's', proparallel => 'r',
prorettype => 'record', proargtypes => 'int4',
proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamptz,timestamptz,bool,text,bool,bool,int4,int8}',
proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}',
proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}',
proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}',
prosrc => 'pg_stat_get_activity' },
{ oid => '8403', descr => 'describe wait events',
proname => 'pg_get_wait_events', procost => '10', prorows => '250',

2
src/include/libpq/libpq-be.h
View File

@@ -294,8 +294,6 @@ extern const char *be_tls_get_cipher(Port *port);
extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len);
extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len);
extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
extern void be_tls_get_peer_not_before(Port *port, TimestampTz *ptr);
extern void be_tls_get_peer_not_after(Port *port, TimestampTz *ptr);
/*
* Get the server certificate hash for SCRAM channel binding type

3
src/include/utils/backend_status.h
View File

@@ -61,9 +61,6 @@ typedef struct PgBackendSSLStatus
char ssl_client_serial[NAMEDATALEN];
char ssl_issuer_dn[NAMEDATALEN];
/* Certificate validity in postgres epoch format */
TimestampTz ssl_not_before;
TimestampTz ssl_not_after;
} PgBackendSSLStatus;
/*

12
src/test/regress/expected/rules.out
View File

@@ -1763,7 +1763,7 @@ pg_stat_activity| SELECT s.datid,
s.query_id,
s.query,
s.backend_type
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
LEFT JOIN pg_database d ON ((s.datid = d.oid)))
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
pg_stat_all_indexes| SELECT c.oid AS relid,
@@ -1883,7 +1883,7 @@ pg_stat_gssapi| SELECT pid,
gss_princ AS principal,
gss_enc AS encrypted,
gss_delegation AS credentials_delegated
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
WHERE (client_port IS NOT NULL);
pg_stat_io| SELECT backend_type,
object,
@@ -2086,7 +2086,7 @@ pg_stat_replication| SELECT s.pid,
w.sync_priority,
w.sync_state,
w.reply_time
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))
LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
pg_stat_replication_slots| SELECT s.slot_name,
@@ -2119,10 +2119,8 @@ pg_stat_ssl| SELECT pid,
sslbits AS bits,
ssl_client_dn AS client_dn,
ssl_client_serial AS client_serial,
ssl_issuer_dn AS issuer_dn,
ssl_not_before AS not_before,
ssl_not_after AS not_after
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
ssl_issuer_dn AS issuer_dn
FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
WHERE (client_port IS NOT NULL);
pg_stat_subscription| SELECT su.oid AS subid,
su.subname,

10
src/test/ssl/t/001_ssltests.pl
View File

@@ -538,8 +538,8 @@ command_like(
"$common_connstr sslrootcert=invalid", '-c',
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx,
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx,
'pg_stat_ssl view without client certificate');
# Test min/max SSL protocol versions.
@@ -740,10 +740,10 @@ command_like(
"$common_connstr user=ssltestuser sslcert=ssl/client.crt "
. sslkey('client.key'),
'-c',
"SELECT ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before AT TIME ZONE 'UTC' AS not_before,not_after AT TIME ZONE 'UTC' AS not_after FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
"SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
],
qr{^ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n
^t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs,2023-06-29 01:01:01,2050-01-01 01:01:01\E\r?$}mx,
qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n
^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx,
'pg_stat_ssl with client certificate');
# client key with wrong permissions

14
src/test/ssl/t/003_sslinfo.pl
View File

@@ -165,20 +165,6 @@ $result = $node->safe_psql(
connstr => $common_connstr);
is($result, 't', "ssl_issuer_field() for commonName");
$result = $node->safe_psql(
"certdb",
"SELECT ssl_client_get_notbefore() = not_before, "
. "not_before AT TIME ZONE 'UTC' = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
connstr => $common_connstr);
is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp");
$result = $node->safe_psql(
"certdb",
"SELECT ssl_client_get_notafter() = not_after, "
. "not_after AT TIME ZONE 'UTC' = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();",
connstr => $common_connstr);
is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp");
$result = $node->safe_psql(
"certdb",
"SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';",

1
src/tools/pgindent/typedefs.list
View File

@@ -6,7 +6,6 @@ ASN1_INTEGER
ASN1_OBJECT
ASN1_OCTET_STRING
ASN1_STRING
ASN1_TIME
AV
A_ArrayExpr
A_Const