2006-09-04 23:07:46 +08:00
|
|
|
/*
|
|
|
|
* module for PostgreSQL to access client SSL certificate information
|
|
|
|
*
|
2006-09-15 04:50:51 +08:00
|
|
|
* Written by Victor B. Wagner <vitus@cryptocom.ru>, Cryptocom LTD
|
2006-09-04 23:07:46 +08:00
|
|
|
* This file is distributed under BSD-style license.
|
2006-10-01 02:44:37 +08:00
|
|
|
*
|
2010-09-21 04:08:53 +08:00
|
|
|
* contrib/sslinfo/sslinfo.c
|
2006-09-04 23:07:46 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
|
|
#include <openssl/x509.h>
|
2015-09-08 08:24:17 +08:00
|
|
|
#include <openssl/x509v3.h>
|
2006-09-04 23:07:46 +08:00
|
|
|
#include <openssl/asn1.h>
|
|
|
|
|
2015-09-08 08:24:17 +08:00
|
|
|
#include "access/htup_details.h"
|
|
|
|
#include "funcapi.h"
|
|
|
|
#include "libpq/libpq-be.h"
|
|
|
|
#include "miscadmin.h"
|
|
|
|
#include "utils/builtins.h"
|
|
|
|
|
2021-11-08 00:33:53 +08:00
|
|
|
/*
|
|
|
|
* On Windows, <wincrypt.h> includes a #define for X509_NAME, which breaks our
|
|
|
|
* ability to use OpenSSL's version of that symbol if <wincrypt.h> is pulled
|
|
|
|
* in after <openssl/ssl.h> ... and, at least on some builds, it is. We
|
|
|
|
* can't reliably fix that by re-ordering #includes, because libpq/libpq-be.h
|
|
|
|
* #includes <openssl/ssl.h>. Instead, just zap the #define again here.
|
|
|
|
*/
|
|
|
|
#ifdef X509_NAME
|
|
|
|
#undef X509_NAME
|
|
|
|
#endif
|
|
|
|
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_MODULE_MAGIC;
|
|
|
|
|
2014-01-18 09:58:31 +08:00
|
|
|
static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
|
|
|
|
static Datum ASN1_STRING_to_text(ASN1_STRING *str);
|
2006-09-04 23:07:46 +08:00
|
|
|
|
2015-09-08 08:24:17 +08:00
|
|
|
/*
|
|
|
|
* Function context for data persisting over repeated calls.
|
|
|
|
*/
|
|
|
|
typedef struct
|
|
|
|
{
|
|
|
|
TupleDesc tupdesc;
|
|
|
|
} SSLExtensionInfoContext;
|
2006-09-04 23:07:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Indicates whether current session uses SSL
|
|
|
|
*
|
|
|
|
* Function has no arguments. Returns bool. True if current session
|
|
|
|
* is SSL session and false if it is local or non-ssl session.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_is_used);
|
|
|
|
Datum
|
|
|
|
ssl_is_used(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2014-11-25 15:39:31 +08:00
|
|
|
PG_RETURN_BOOL(MyProcPort->ssl_in_use);
|
2006-09-04 23:07:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2010-07-28 07:43:42 +08:00
|
|
|
/*
|
2014-01-18 09:58:31 +08:00
|
|
|
* Returns SSL version currently in use.
|
2010-07-28 07:43:42 +08:00
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_version);
|
|
|
|
Datum
|
|
|
|
ssl_version(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
const char *version;
|
|
|
|
|
|
|
|
if (!MyProcPort->ssl_in_use)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
version = be_tls_get_version(MyProcPort);
|
|
|
|
if (version == NULL)
|
2010-07-28 07:43:42 +08:00
|
|
|
PG_RETURN_NULL();
|
2020-11-03 16:47:36 +08:00
|
|
|
|
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(version));
|
2010-07-28 07:43:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns SSL cipher currently in use.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_cipher);
|
|
|
|
Datum
|
|
|
|
ssl_cipher(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
const char *cipher;
|
|
|
|
|
|
|
|
if (!MyProcPort->ssl_in_use)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
cipher = be_tls_get_cipher(MyProcPort);
|
|
|
|
if (cipher == NULL)
|
2010-07-28 07:43:42 +08:00
|
|
|
PG_RETURN_NULL();
|
2020-11-03 16:47:36 +08:00
|
|
|
|
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(cipher));
|
2010-07-28 07:43:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2006-09-04 23:07:46 +08:00
|
|
|
/*
|
2014-01-18 09:58:31 +08:00
|
|
|
* Indicates whether current client provided a certificate
|
2006-09-04 23:07:46 +08:00
|
|
|
*
|
|
|
|
* Function has no arguments. Returns bool. True if current session
|
|
|
|
* is SSL session and client certificate is verified, otherwise false.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_client_cert_present);
|
|
|
|
Datum
|
|
|
|
ssl_client_cert_present(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
PG_RETURN_BOOL(MyProcPort->peer_cert_valid);
|
2006-09-04 23:07:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns serial number of certificate used to establish current
|
|
|
|
* session
|
|
|
|
*
|
|
|
|
* Function has no arguments. It returns the certificate serial
|
|
|
|
* number as numeric or null if current session doesn't use SSL or if
|
|
|
|
* SSL connection is established without sending client certificate.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_client_serial);
|
|
|
|
Datum
|
|
|
|
ssl_client_serial(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
char decimal[NAMEDATALEN];
|
2006-09-04 23:07:46 +08:00
|
|
|
Datum result;
|
|
|
|
|
2020-11-03 16:47:36 +08:00
|
|
|
if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN);
|
|
|
|
|
|
|
|
if (!*decimal)
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_RETURN_NULL();
|
2006-10-04 08:30:14 +08:00
|
|
|
|
2006-09-04 23:07:46 +08:00
|
|
|
result = DirectFunctionCall3(numeric_in,
|
|
|
|
CStringGetDatum(decimal),
|
|
|
|
ObjectIdGetDatum(0),
|
|
|
|
Int32GetDatum(-1));
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Converts OpenSSL ASN1_STRING structure into text
|
|
|
|
*
|
|
|
|
* Converts ASN1_STRING into text, converting all the characters into
|
|
|
|
* current database encoding if possible. Any invalid characters are
|
|
|
|
* replaced by question marks.
|
|
|
|
*
|
2012-04-24 10:43:09 +08:00
|
|
|
* Parameter: str - OpenSSL ASN1_STRING structure. Memory management
|
2006-09-04 23:07:46 +08:00
|
|
|
* of this structure is responsibility of caller.
|
|
|
|
*
|
|
|
|
* Returns Datum, which can be directly returned from a C language SQL
|
|
|
|
* function.
|
|
|
|
*/
|
2014-01-18 09:58:31 +08:00
|
|
|
static Datum
|
2006-09-04 23:07:46 +08:00
|
|
|
ASN1_STRING_to_text(ASN1_STRING *str)
|
|
|
|
{
|
2008-11-10 22:57:38 +08:00
|
|
|
BIO *membuf;
|
|
|
|
size_t size;
|
|
|
|
char nullterm;
|
2006-09-04 23:07:46 +08:00
|
|
|
char *sp;
|
|
|
|
char *dp;
|
|
|
|
text *result;
|
|
|
|
|
|
|
|
membuf = BIO_new(BIO_s_mem());
|
2015-09-08 06:18:29 +08:00
|
|
|
if (membuf == NULL)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
2015-09-08 22:10:20 +08:00
|
|
|
errmsg("could not create OpenSSL BIO structure")));
|
2006-10-01 02:44:37 +08:00
|
|
|
(void) BIO_set_close(membuf, BIO_CLOSE);
|
2006-09-04 23:07:46 +08:00
|
|
|
ASN1_STRING_print_ex(membuf, str,
|
|
|
|
((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
|
|
|
|
| ASN1_STRFLGS_UTF8_CONVERT));
|
2008-11-10 22:57:38 +08:00
|
|
|
/* ensure null termination of the BIO's content */
|
|
|
|
nullterm = '\0';
|
|
|
|
BIO_write(membuf, &nullterm, 1);
|
2006-09-04 23:07:46 +08:00
|
|
|
size = BIO_get_mem_data(membuf, &sp);
|
2014-02-24 05:59:05 +08:00
|
|
|
dp = pg_any_to_server(sp, size - 1, PG_UTF8);
|
2008-03-26 06:42:46 +08:00
|
|
|
result = cstring_to_text(dp);
|
2006-09-04 23:07:46 +08:00
|
|
|
if (dp != sp)
|
|
|
|
pfree(dp);
|
2015-09-08 06:18:29 +08:00
|
|
|
if (BIO_free(membuf) != 1)
|
2015-09-08 22:10:20 +08:00
|
|
|
elog(ERROR, "could not free OpenSSL BIO structure");
|
2007-02-28 07:48:10 +08:00
|
|
|
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_RETURN_TEXT_P(result);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns specified field of specified X509_NAME structure
|
|
|
|
*
|
|
|
|
* Common part of ssl_client_dn and ssl_issuer_dn functions.
|
|
|
|
*
|
|
|
|
* Parameter: X509_NAME *name - either subject or issuer of certificate
|
|
|
|
* Parameter: text fieldName - field name string like 'CN' or commonName
|
|
|
|
* to be looked up in the OpenSSL ASN1 OID database
|
|
|
|
*
|
|
|
|
* Returns result of ASN1_STRING_to_text applied to appropriate
|
|
|
|
* part of name
|
|
|
|
*/
|
2014-01-18 09:58:31 +08:00
|
|
|
static Datum
|
2006-09-04 23:07:46 +08:00
|
|
|
X509_NAME_field_to_text(X509_NAME *name, text *fieldName)
|
|
|
|
{
|
|
|
|
char *string_fieldname;
|
|
|
|
int nid,
|
2008-03-26 06:42:46 +08:00
|
|
|
index;
|
2006-09-04 23:07:46 +08:00
|
|
|
ASN1_STRING *data;
|
|
|
|
|
2008-03-26 06:42:46 +08:00
|
|
|
string_fieldname = text_to_cstring(fieldName);
|
2006-09-04 23:07:46 +08:00
|
|
|
nid = OBJ_txt2nid(string_fieldname);
|
|
|
|
if (nid == NID_undef)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
|
|
|
errmsg("invalid X.509 field name: \"%s\"",
|
|
|
|
string_fieldname)));
|
|
|
|
pfree(string_fieldname);
|
|
|
|
index = X509_NAME_get_index_by_NID(name, nid, -1);
|
|
|
|
if (index < 0)
|
|
|
|
return (Datum) 0;
|
|
|
|
data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
|
|
|
|
return ASN1_STRING_to_text(data);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns specified field of client certificate distinguished name
|
|
|
|
*
|
|
|
|
* Receives field name (like 'commonName' and 'emailAddress') and
|
|
|
|
* returns appropriate part of certificate subject converted into
|
|
|
|
* database encoding.
|
|
|
|
*
|
|
|
|
* Parameter: fieldname text - will be looked up in OpenSSL object
|
|
|
|
* identifier database
|
|
|
|
*
|
|
|
|
* Returns text string with appropriate value.
|
|
|
|
*
|
|
|
|
* Throws an error if argument cannot be converted into ASN1 OID by
|
|
|
|
* OpenSSL. Returns null if no client certificate is present, or if
|
|
|
|
* there is no field with such name in the certificate.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_client_dn_field);
|
|
|
|
Datum
|
|
|
|
ssl_client_dn_field(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2017-03-13 07:35:34 +08:00
|
|
|
text *fieldname = PG_GETARG_TEXT_PP(0);
|
2006-09-04 23:07:46 +08:00
|
|
|
Datum result;
|
|
|
|
|
2020-11-03 16:47:36 +08:00
|
|
|
if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname);
|
|
|
|
|
|
|
|
if (!result)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
else
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns specified field of client certificate issuer name
|
|
|
|
*
|
|
|
|
* Receives field name (like 'commonName' and 'emailAddress') and
|
|
|
|
* returns appropriate part of certificate subject converted into
|
|
|
|
* database encoding.
|
|
|
|
*
|
|
|
|
* Parameter: fieldname text - would be looked up in OpenSSL object
|
|
|
|
* identifier database
|
|
|
|
*
|
|
|
|
* Returns text string with appropriate value.
|
|
|
|
*
|
|
|
|
* Throws an error if argument cannot be converted into ASN1 OID by
|
|
|
|
* OpenSSL. Returns null if no client certificate is present, or if
|
|
|
|
* there is no field with such name in the certificate.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_issuer_field);
|
|
|
|
Datum
|
|
|
|
ssl_issuer_field(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2017-03-13 07:35:34 +08:00
|
|
|
text *fieldname = PG_GETARG_TEXT_PP(0);
|
2006-09-04 23:07:46 +08:00
|
|
|
Datum result;
|
|
|
|
|
|
|
|
if (!(MyProcPort->peer))
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
result = X509_NAME_field_to_text(X509_get_issuer_name(MyProcPort->peer), fieldname);
|
|
|
|
|
|
|
|
if (!result)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
else
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns current client certificate subject as one string
|
|
|
|
*
|
|
|
|
* This function returns distinguished name (subject) of the client
|
|
|
|
* certificate used in the current SSL connection, converting it into
|
|
|
|
* the current database encoding.
|
|
|
|
*
|
|
|
|
* Returns text datum.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_client_dn);
|
|
|
|
Datum
|
|
|
|
ssl_client_dn(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
char subject[NAMEDATALEN];
|
|
|
|
|
|
|
|
if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
be_tls_get_peer_subject_name(MyProcPort, subject, NAMEDATALEN);
|
|
|
|
|
|
|
|
if (!*subject)
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_RETURN_NULL();
|
2020-11-03 16:47:36 +08:00
|
|
|
|
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(subject));
|
2006-09-04 23:07:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns current client certificate issuer as one string
|
|
|
|
*
|
|
|
|
* This function returns issuer's distinguished name of the client
|
|
|
|
* certificate used in the current SSL connection, converting it into
|
|
|
|
* the current database encoding.
|
|
|
|
*
|
|
|
|
* Returns text datum.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_issuer_dn);
|
|
|
|
Datum
|
|
|
|
ssl_issuer_dn(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2020-11-03 16:47:36 +08:00
|
|
|
char issuer[NAMEDATALEN];
|
|
|
|
|
|
|
|
if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
|
2006-09-04 23:07:46 +08:00
|
|
|
PG_RETURN_NULL();
|
2020-11-03 16:47:36 +08:00
|
|
|
|
|
|
|
be_tls_get_peer_issuer_name(MyProcPort, issuer, NAMEDATALEN);
|
|
|
|
|
|
|
|
if (!*issuer)
|
|
|
|
PG_RETURN_NULL();
|
|
|
|
|
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(issuer));
|
2006-09-04 23:07:46 +08:00
|
|
|
}
|
2015-09-08 08:24:17 +08:00
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Returns information about available SSL extensions.
|
|
|
|
*
|
|
|
|
* Returns setof record made of the following values:
|
|
|
|
* - name of the extension.
|
|
|
|
* - value of the extension.
|
|
|
|
* - critical status of the extension.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(ssl_extension_info);
|
|
|
|
Datum
|
|
|
|
ssl_extension_info(PG_FUNCTION_ARGS)
|
|
|
|
{
|
|
|
|
X509 *cert = MyProcPort->peer;
|
|
|
|
FuncCallContext *funcctx;
|
|
|
|
int call_cntr;
|
|
|
|
int max_calls;
|
|
|
|
MemoryContext oldcontext;
|
|
|
|
SSLExtensionInfoContext *fctx;
|
|
|
|
|
|
|
|
if (SRF_IS_FIRSTCALL())
|
|
|
|
{
|
|
|
|
|
|
|
|
TupleDesc tupdesc;
|
|
|
|
|
|
|
|
/* create a function context for cross-call persistence */
|
|
|
|
funcctx = SRF_FIRSTCALL_INIT();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Switch to memory context appropriate for multiple function calls
|
|
|
|
*/
|
|
|
|
oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);
|
|
|
|
|
|
|
|
/* Create a user function context for cross-call persistence */
|
|
|
|
fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));
|
|
|
|
|
|
|
|
/* Construct tuple descriptor */
|
|
|
|
if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
errmsg("function returning record called in context that cannot accept type record")));
|
|
|
|
fctx->tupdesc = BlessTupleDesc(tupdesc);
|
|
|
|
|
|
|
|
/* Set max_calls as a count of extensions in certificate */
|
|
|
|
max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;
|
|
|
|
|
Support OpenSSL 1.1.0.
Changes needed to build at all:
- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
pgcrypto, to use the resource owner mechanism to ensure that we don't
leak OpenSSL handles, now that we can't embed them in other structs
anymore.
- RAND_SSLeay() -> RAND_OpenSSL()
Changes that were needed to silence deprecation warnings, but were not
strictly necessary:
- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
riddance!)
Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.
Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.
Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.
Patch by Andreas Karlsson, with additional changes by me.
Discussion: <20160627151604.GD1051@msg.df7cb.de>
2016-09-15 17:36:21 +08:00
|
|
|
if (max_calls > 0)
|
2015-09-08 08:24:17 +08:00
|
|
|
{
|
|
|
|
/* got results, keep track of them */
|
|
|
|
funcctx->max_calls = max_calls;
|
|
|
|
funcctx->user_fctx = fctx;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* fast track when no results */
|
|
|
|
MemoryContextSwitchTo(oldcontext);
|
|
|
|
SRF_RETURN_DONE(funcctx);
|
|
|
|
}
|
|
|
|
|
|
|
|
MemoryContextSwitchTo(oldcontext);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* stuff done on every call of the function */
|
|
|
|
funcctx = SRF_PERCALL_SETUP();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialize per-call variables.
|
|
|
|
*/
|
|
|
|
call_cntr = funcctx->call_cntr;
|
|
|
|
max_calls = funcctx->max_calls;
|
|
|
|
fctx = funcctx->user_fctx;
|
|
|
|
|
|
|
|
/* do while there are more left to send */
|
|
|
|
if (call_cntr < max_calls)
|
|
|
|
{
|
|
|
|
Datum values[3];
|
|
|
|
bool nulls[3];
|
|
|
|
char *buf;
|
|
|
|
HeapTuple tuple;
|
|
|
|
Datum result;
|
|
|
|
BIO *membuf;
|
|
|
|
X509_EXTENSION *ext;
|
|
|
|
ASN1_OBJECT *obj;
|
|
|
|
int nid;
|
|
|
|
int len;
|
|
|
|
|
|
|
|
/* need a BIO for this */
|
|
|
|
membuf = BIO_new(BIO_s_mem());
|
|
|
|
if (membuf == NULL)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
errmsg("could not create OpenSSL BIO structure")));
|
|
|
|
|
|
|
|
/* Get the extension from the certificate */
|
Support OpenSSL 1.1.0.
Changes needed to build at all:
- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
pgcrypto, to use the resource owner mechanism to ensure that we don't
leak OpenSSL handles, now that we can't embed them in other structs
anymore.
- RAND_SSLeay() -> RAND_OpenSSL()
Changes that were needed to silence deprecation warnings, but were not
strictly necessary:
- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
riddance!)
Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.
Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.
Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.
Patch by Andreas Karlsson, with additional changes by me.
Discussion: <20160627151604.GD1051@msg.df7cb.de>
2016-09-15 17:36:21 +08:00
|
|
|
ext = X509_get_ext(cert, call_cntr);
|
2015-09-08 08:24:17 +08:00
|
|
|
obj = X509_EXTENSION_get_object(ext);
|
|
|
|
|
|
|
|
/* Get the extension name */
|
|
|
|
nid = OBJ_obj2nid(obj);
|
|
|
|
if (nid == NID_undef)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
errmsg("unknown OpenSSL extension in certificate at position %d",
|
|
|
|
call_cntr)));
|
|
|
|
values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
|
|
|
|
nulls[0] = false;
|
|
|
|
|
|
|
|
/* Get the extension value */
|
|
|
|
if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
errmsg("could not print extension value in certificate at position %d",
|
|
|
|
call_cntr)));
|
|
|
|
len = BIO_get_mem_data(membuf, &buf);
|
|
|
|
values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len));
|
|
|
|
nulls[1] = false;
|
|
|
|
|
|
|
|
/* Get critical status */
|
|
|
|
values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
|
|
|
|
nulls[2] = false;
|
|
|
|
|
|
|
|
/* Build tuple */
|
|
|
|
tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
|
|
|
|
result = HeapTupleGetDatum(tuple);
|
|
|
|
|
|
|
|
if (BIO_free(membuf) != 1)
|
|
|
|
elog(ERROR, "could not free OpenSSL BIO structure");
|
|
|
|
|
|
|
|
SRF_RETURN_NEXT(funcctx, result);
|
|
|
|
}
|
|
|
|
|
2015-09-08 22:10:20 +08:00
|
|
|
/* All done */
|
2015-09-08 08:24:17 +08:00
|
|
|
SRF_RETURN_DONE(funcctx);
|
|
|
|
}
|