diff options
Diffstat (limited to 'src/backend')
| -rw-r--r-- | src/backend/catalog/system_views.sql | 4 | ||||
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 78 | ||||
| -rw-r--r-- | src/backend/utils/activity/backend_status.c | 2 | ||||
| -rw-r--r-- | src/backend/utils/adt/pgstatfuncs.c | 46 |
4 files changed, 112 insertions, 18 deletions
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index f69b7f55801..72d5caa5357 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -992,7 +992,9 @@ CREATE VIEW pg_stat_ssl AS S.sslbits AS bits, S.ssl_client_dn AS client_dn, S.ssl_client_serial AS client_serial, - S.ssl_issuer_dn AS issuer_dn + S.ssl_issuer_dn AS issuer_dn, + S.ssl_not_before AS not_before, + S.ssl_not_after AS not_after FROM pg_stat_get_activity(NULL) AS S WHERE S.client_port IS NOT NULL; diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 72e43af3537..c6cc681b2e7 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -27,6 +27,7 @@ #include <netinet/tcp.h> #include <arpa/inet.h> +#include "common/int.h" #include "common/string.h" #include "libpq/libpq.h" #include "miscadmin.h" @@ -36,6 +37,7 @@ #include "tcop/tcopprot.h" #include "utils/builtins.h" #include "utils/memutils.h" +#include "utils/timestamp.h" /* * These SSL-related #includes must come after all system-provided headers. @@ -72,6 +74,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessage(unsigned long ecode); static char *X509_NAME_to_cstring(X509_NAME *name); +static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time); static SSL_CTX *SSL_context = NULL; static bool SSL_initialized = false; @@ -1431,6 +1434,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len) } void +be_tls_get_peer_not_before(Port *port, TimestampTz *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer)); + else + *ptr = 0; +} + +void +be_tls_get_peer_not_after(Port *port, TimestampTz *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer)); + else + *ptr = 0; +} + +void be_tls_get_peer_serial(Port *port, char *ptr, size_t len) { if (port->peer) @@ -1574,6 +1595,63 @@ X509_NAME_to_cstring(X509_NAME *name) } /* + * Convert an ASN1_TIME to a Timestamptz. OpenSSL 1.0.2 doesn't expose a function + * to convert an ASN1_TIME to a tm struct, it's only available in 1.1.1 and + * onwards. Instead we can ask for the difference between the ASN1_TIME and a + * known timestamp and get the actual timestamp that way. Until support for + * OpenSSL 1.0.2 is retired we have to do it this way. + */ +static TimestampTz +ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts) +{ + int days; + int seconds; + const char postgres_epoch[] = "20000101000000Z"; + ASN1_TIME *ASN1_epoch; + int64 result_days; + int64 result_seconds; + int64 result; + + /* Create an epoch to compare against */ + ASN1_epoch = ASN1_TIME_new(); + if (!ASN1_epoch) + ereport(ERROR, + (errcode(ERRCODE_OUT_OF_MEMORY), + errmsg("could not allocate memory for ASN1 TIME structure"))); + + /* + * Calculate the diff from the epoch to the certificate timestamp. + * POSTGRES_EPOCH_JDATE cannot be used here since OpenSSL needs an epoch + * in the ASN.1 format. + */ + if (!ASN1_TIME_set_string(ASN1_epoch, postgres_epoch) || + !ASN1_TIME_diff(&days, &seconds, ASN1_epoch, ASN1_cert_ts)) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("failed to read certificate validity"))); + + /* + * Unlike when freeing other OpenSSL memory structures, there is no error + * return on freeing ASN1 strings. + */ + ASN1_TIME_free(ASN1_epoch); + + /* + * Convert the reported date into usecs to be used as a TimestampTz. The + * date should really not overflow an int64 but rather than trusting the + * certificate we take overflow into consideration. + */ + if (pg_mul_s64_overflow(days, USECS_PER_DAY, &result_days) || + pg_mul_s64_overflow(seconds, USECS_PER_SEC, &result_seconds) || + pg_add_s64_overflow(result_seconds, result_days, &result)) + { + return 0; + } + + return result; +} + +/* * Convert TLS protocol version GUC enum to OpenSSL values * * This is a straightforward one-to-one mapping, but doing it this way makes diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c index 1ccf4c6d839..121ec8956f1 100644 --- a/src/backend/utils/activity/backend_status.c +++ b/src/backend/utils/activity/backend_status.c @@ -348,6 +348,8 @@ pgstat_bestart(void) be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN); be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN); + be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before); + be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after); } else { diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index 3876339ee1b..61522642cba 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -302,7 +302,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS) Datum pg_stat_get_activity(PG_FUNCTION_ARGS) { -#define PG_STAT_GET_ACTIVITY_COLS 31 +#define PG_STAT_GET_ACTIVITY_COLS 33 int num_backends = pgstat_fetch_stat_numbackends(); int curr_backend; int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0); @@ -394,7 +394,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) pfree(clipped_activity); /* leader_pid */ - nulls[29] = true; + nulls[31] = true; proc = BackendPidGetProc(beentry->st_procpid); @@ -431,8 +431,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) */ if (leader && leader->pid != beentry->st_procpid) { - values[29] = Int32GetDatum(leader->pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader->pid); + nulls[31] = false; } else if (beentry->st_backendType == B_BG_WORKER) { @@ -440,8 +440,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) if (leader_pid != InvalidPid) { - values[29] = Int32GetDatum(leader_pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader_pid); + nulls[31] = false; } } } @@ -586,35 +586,45 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn); else nulls[24] = true; + + if (beentry->st_sslstatus->ssl_not_before != 0) + values[25] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_before); + else + nulls[25] = true; + + if (beentry->st_sslstatus->ssl_not_after != 0) + values[26] = TimestampTzGetDatum(beentry->st_sslstatus->ssl_not_after); + else + nulls[26] = true; } else { values[18] = BoolGetDatum(false); /* ssl */ - nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true; + nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true; } /* GSSAPI information */ if (beentry->st_gss) { - values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ - values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); - values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ - values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials + values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ + values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); + values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ + values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials * delegated */ } else { - values[25] = BoolGetDatum(false); /* gss_auth */ - nulls[26] = true; /* No GSS principal */ - values[27] = BoolGetDatum(false); /* GSS Encryption not in + values[27] = BoolGetDatum(false); /* gss_auth */ + nulls[28] = true; /* No GSS principal */ + values[29] = BoolGetDatum(false); /* GSS Encryption not in * use */ - values[28] = BoolGetDatum(false); /* GSS credentials not + values[30] = BoolGetDatum(false); /* GSS credentials not * delegated */ } if (beentry->st_query_id == 0) - nulls[30] = true; + nulls[32] = true; else - values[30] = UInt64GetDatum(beentry->st_query_id); + values[32] = UInt64GetDatum(beentry->st_query_id); } else { @@ -644,6 +654,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) nulls[28] = true; nulls[29] = true; nulls[30] = true; + nulls[31] = true; + nulls[32] = true; } tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls); |