On Sun, Aug 23, 2015 at 10:21 PM, Michael Paquier wrote:
> By the way, perhaps it would be worth doing similar things for the
> other calls of BIO_free and BIO_new, no? I have attached a second
> patch.
And... This second patch had a stupid mistake making for example
ssl_client_dn() fail, so here they are again.
--
Michael
From eabb75a8cdaa81303de8c74b8d097bf3e0138d38 Mon Sep 17 00:00:00 2001
From: Michael Paquier <mich...@otacoo.com>
Date: Sun, 23 Aug 2015 21:24:22 +0900
Subject: [PATCH 1/2] Add function for SSL extension information in sslinfo
This is done with the addition of a new function called ssl_extension_info.
---
contrib/sslinfo/Makefile | 3 +-
contrib/sslinfo/sslinfo--1.0--1.1.sql | 13 ++
.../sslinfo/{sslinfo--1.0.sql => sslinfo--1.1.sql} | 12 +-
contrib/sslinfo/sslinfo.c | 169 ++++++++++++++++++++-
contrib/sslinfo/sslinfo.control | 2 +-
doc/src/sgml/sslinfo.sgml | 19 +++
6 files changed, 212 insertions(+), 6 deletions(-)
create mode 100644 contrib/sslinfo/sslinfo--1.0--1.1.sql
rename contrib/sslinfo/{sslinfo--1.0.sql => sslinfo--1.1.sql} (81%)
diff --git a/contrib/sslinfo/Makefile b/contrib/sslinfo/Makefile
index 86cbf05..f6c1472 100644
--- a/contrib/sslinfo/Makefile
+++ b/contrib/sslinfo/Makefile
@@ -4,7 +4,8 @@ MODULE_big = sslinfo
OBJS = sslinfo.o $(WIN32RES)
EXTENSION = sslinfo
-DATA = sslinfo--1.0.sql sslinfo--unpackaged--1.0.sql
+DATA = sslinfo--1.0--1.1.sql sslinfo--1.1.sql \
+ sslinfo--unpackaged--1.0.sql
PGFILEDESC = "sslinfo - information about client SSL certificate"
ifdef USE_PGXS
diff --git a/contrib/sslinfo/sslinfo--1.0--1.1.sql b/contrib/sslinfo/sslinfo--1.0--1.1.sql
new file mode 100644
index 0000000..c98a3ae
--- /dev/null
+++ b/contrib/sslinfo/sslinfo--1.0--1.1.sql
@@ -0,0 +1,13 @@
+/* contrib/sslinfo/sslinfo--1.0--1.1.sql */
+
+-- complain if script is sourced in psql, rather than via CREATE EXTENSION
+\echo Use "ALTER EXTENSION sslinfo UPDATE TO '1.1'" to load this file. \quit
+
+CREATE OR REPLACE FUNCTION ssl_extension_info(
+ OUT name text,
+ OUT value text,
+ OUT iscritical boolean
+)
+RETURNS SETOF record
+AS 'MODULE_PATHNAME', 'ssl_extension_info'
+LANGUAGE C STRICT;
diff --git a/contrib/sslinfo/sslinfo--1.0.sql b/contrib/sslinfo/sslinfo--1.1.sql
similarity index 81%
rename from contrib/sslinfo/sslinfo--1.0.sql
rename to contrib/sslinfo/sslinfo--1.1.sql
index 79ce656..d63ddd5 100644
--- a/contrib/sslinfo/sslinfo--1.0.sql
+++ b/contrib/sslinfo/sslinfo--1.1.sql
@@ -1,4 +1,4 @@
-/* contrib/sslinfo/sslinfo--1.0.sql */
+/* contrib/sslinfo/sslinfo--1.1.sql */
-- complain if script is sourced in psql, rather than via CREATE EXTENSION
\echo Use "CREATE EXTENSION sslinfo" to load this file. \quit
@@ -38,3 +38,13 @@ LANGUAGE C STRICT;
CREATE FUNCTION ssl_issuer_dn() RETURNS text
AS 'MODULE_PATHNAME', 'ssl_issuer_dn'
LANGUAGE C STRICT;
+
+/* new in 1.1 */
+CREATE OR REPLACE FUNCTION ssl_extension_info(
+ OUT name text,
+ OUT value text,
+ OUT iscritical boolean
+)
+RETURNS SETOF record
+AS 'MODULE_PATHNAME', 'ssl_extension_info'
+LANGUAGE C STRICT;
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index da201bd..959c628 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -9,13 +9,18 @@
#include "postgres.h"
#include "fmgr.h"
-#include "utils/numeric.h"
-#include "libpq/libpq-be.h"
+#include "funcapi.h"
#include "miscadmin.h"
-#include "utils/builtins.h"
+
+#include "access/htup_details.h"
+#include "catalog/pg_type.h"
+#include "libpq/libpq-be.h"
#include "mb/pg_wchar.h"
+#include "utils/builtins.h"
+#include "utils/numeric.h"
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/asn1.h>
PG_MODULE_MAGIC;
@@ -24,6 +29,13 @@ static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
static Datum X509_NAME_to_text(X509_NAME *name);
static Datum ASN1_STRING_to_text(ASN1_STRING *str);
+/*
+ * Function context for data persisting over repeated calls.
+ */
+typedef struct
+{
+ TupleDesc tupdesc;
+} SSLExtensionInfoContext;
/*
* Indicates whether current session uses SSL
@@ -354,3 +366,154 @@ ssl_issuer_dn(PG_FUNCTION_ARGS)
PG_RETURN_NULL();
return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer));
}
+
+
+/*
+ * Returns information about available SSL extensions.
+ *
+ * Returns setof record made of the following values:
+ * - name of the extension.
+ * - value of the extension.
+ * - critical status of the extension.
+ */
+PG_FUNCTION_INFO_V1(ssl_extension_info);
+Datum
+ssl_extension_info(PG_FUNCTION_ARGS)
+{
+ X509 *cert = MyProcPort->peer;
+ FuncCallContext *funcctx;
+ STACK_OF(X509_EXTENSION) *ext_stack = NULL;
+ int call_cntr;
+ int max_calls;
+ MemoryContext oldcontext;
+ SSLExtensionInfoContext *fctx; /* User function context. */
+
+ if (SRF_IS_FIRSTCALL())
+ {
+
+ TupleDesc tupdesc;
+
+ /* create a function context for cross-call persistence */
+ funcctx = SRF_FIRSTCALL_INIT();
+
+ /*
+ * Switch to memory context appropriate for multiple function calls
+ */
+ oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);
+
+ /* Create a user function context for cross-call persistence */
+ fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));
+
+ /*
+ * Need a tuple descriptor representing one INT and one TEXT column.
+ */
+ tupdesc = CreateTemplateTupleDesc(3, false);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 1, "name",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 2, "value",
+ TEXTOID, -1, 0);
+ TupleDescInitEntry(tupdesc, (AttrNumber) 3, "is_critical",
+ BOOLOID, -1, 0);
+
+ fctx->tupdesc = BlessTupleDesc(tupdesc);
+
+ if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("function returning record called in context "
+ "that cannot accept type record")));
+
+ /* Get all extensions of certificate */
+ if (cert && cert->cert_info)
+ ext_stack = cert->cert_info->extensions;
+
+ /* Set max_calls as a count of extensions in certificate */
+ max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;
+
+ if (cert != NULL &&
+ ext_stack != NULL &&
+ max_calls > 0)
+ {
+ /* got results, keep track of them */
+ funcctx->max_calls = max_calls;
+ funcctx->user_fctx = fctx;
+ }
+ else
+ {
+ /* fast track when no results */
+ MemoryContextSwitchTo(oldcontext);
+ SRF_RETURN_DONE(funcctx);
+ }
+
+ MemoryContextSwitchTo(oldcontext);
+ }
+
+ /* stuff done on every call of the function */
+ funcctx = SRF_PERCALL_SETUP();
+
+ /*
+ * Initialize per-call variables.
+ */
+ call_cntr = funcctx->call_cntr;
+ max_calls = funcctx->max_calls;
+ fctx = funcctx->user_fctx;
+
+ Assert(cert != NULL && cert->cert_info != NULL);
+ ext_stack = cert->cert_info->extensions;
+
+ /* do when there is more left to send */
+ if (call_cntr < max_calls)
+ {
+ Datum values[3];
+ bool nulls[3];
+ char *buf;
+ HeapTuple tuple;
+ Datum result;
+ BIO *membuf = NULL;
+ X509_EXTENSION *ext = NULL;
+ ASN1_OBJECT *obj = NULL;
+ int nid;
+ char nullterm = '\0';
+
+ /* Get extension from certificate */
+ ext = sk_X509_EXTENSION_value(ext_stack, call_cntr);
+ obj = X509_EXTENSION_get_object(ext);
+ nid = OBJ_obj2nid(obj);
+ if (nid == NID_undef)
+ ereport(ERROR,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("Unknown extension at position %d",
+ call_cntr)));
+
+ /* Get extension name */
+ values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
+ nulls[0] = false;
+
+ /* Get next the extension value */
+ membuf = BIO_new(BIO_s_mem());
+ if (membuf == NULL)
+ elog(ERROR, "Failed to create BIO");
+ if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
+ elog(ERROR, "Failed to print extension");
+ BIO_write(membuf, &nullterm, 1);
+ BIO_get_mem_data(membuf, &buf);
+ values[1] = CStringGetTextDatum(buf);
+ nulls[1] = false;
+
+ /* Get critical status */
+ values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
+ nulls[2] = false;
+
+ /* Build tuple */
+ tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
+ result = HeapTupleGetDatum(tuple);
+
+ if (BIO_free(membuf) == 0)
+ elog(ERROR, "Failed to free BIO");
+
+ SRF_RETURN_NEXT(funcctx, result);
+ }
+
+ /* Do when there is no more left */
+ SRF_RETURN_DONE(funcctx);
+}
diff --git a/contrib/sslinfo/sslinfo.control b/contrib/sslinfo/sslinfo.control
index 1d2f058..dfcf17e 100644
--- a/contrib/sslinfo/sslinfo.control
+++ b/contrib/sslinfo/sslinfo.control
@@ -1,5 +1,5 @@
# sslinfo extension
comment = 'information about SSL certificates'
-default_version = '1.0'
+default_version = '1.1'
module_pathname = '$libdir/sslinfo'
relocatable = true
diff --git a/doc/src/sgml/sslinfo.sgml b/doc/src/sgml/sslinfo.sgml
index 22ef439..bcc27d4 100644
--- a/doc/src/sgml/sslinfo.sgml
+++ b/doc/src/sgml/sslinfo.sgml
@@ -219,6 +219,21 @@ emailAddress
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>
+ <function>ssl_extension_info() returns setof record</function>
+ <indexterm>
+ <primary>ssl_extension_info</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Provide information about extensions of client certificate: extension name,
+ extension value, and if it is a critical extension.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect2>
@@ -228,6 +243,10 @@ emailAddress
<para>
Victor Wagner <email>vi...@cryptocom.ru</email>, Cryptocom LTD
</para>
+
+ <para>
+ Dmitry Voronin <email>carriingfat...@yandex.ru</email>
+ </para>
<para>
E-Mail of Cryptocom OpenSSL development group:
--
2.5.0
From 0b19c86eb5e2cbfe169959298f2cc147f5a83bf1 Mon Sep 17 00:00:00 2001
From: Michael Paquier <mich...@otacoo.com>
Date: Sun, 23 Aug 2015 22:15:48 +0900
Subject: [PATCH 2/2] Add more sanity checks in sslinfo
Those are more cosmetic changes, and an error in those code paths is
unlikely to happen, still it looks better to fail properly should an
error happen in those code paths when calling openssl routines related
to BIO manipulation.
---
contrib/sslinfo/sslinfo.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/contrib/sslinfo/sslinfo.c b/contrib/sslinfo/sslinfo.c
index 959c628..5a1162c 100644
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
@@ -150,6 +150,8 @@ ASN1_STRING_to_text(ASN1_STRING *str)
text *result;
membuf = BIO_new(BIO_s_mem());
+ if (membuf == NULL)
+ elog(ERROR, "Failed to create BIO");
(void) BIO_set_close(membuf, BIO_CLOSE);
ASN1_STRING_print_ex(membuf, str,
((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
@@ -162,7 +164,8 @@ ASN1_STRING_to_text(ASN1_STRING *str)
result = cstring_to_text(dp);
if (dp != sp)
pfree(dp);
- BIO_free(membuf);
+ if (BIO_free(membuf) == 0)
+ elog(ERROR, "Failed to free BIO");
PG_RETURN_TEXT_P(result);
}
@@ -301,15 +304,24 @@ X509_NAME_to_text(X509_NAME *name)
char *dp;
text *result;
+ if (membuf == NULL)
+ elog(ERROR, "Failed to create BIO");
+
(void) BIO_set_close(membuf, BIO_CLOSE);
for (i = 0; i < count; i++)
{
e = X509_NAME_get_entry(name, i);
nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
+ if (nid == NID_undef)
+ elog(ERROR, "Failed to get NID for ASN1_OBJECT object");
v = X509_NAME_ENTRY_get_data(e);
field_name = OBJ_nid2sn(nid);
- if (!field_name)
+ if (field_name == NULL)
field_name = OBJ_nid2ln(nid);
+ if (field_name == NULL)
+ elog(ERROR,
+ "Failed to convert the NID %d to an ASN1_OBJECT structure",
+ nid);
BIO_printf(membuf, "/%s=", field_name);
ASN1_STRING_print_ex(membuf, v,
((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
@@ -324,7 +336,8 @@ X509_NAME_to_text(X509_NAME *name)
result = cstring_to_text(dp);
if (dp != sp)
pfree(dp);
- BIO_free(membuf);
+ if (BIO_free(membuf) == 0)
+ elog(ERROR, "Failed to free BIO");
PG_RETURN_TEXT_P(result);
}
--
2.5.0
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
