author | Daniel Gustafsson <dgustafsson@postgresql.org> | 2023-07-20 17:18:12 +0200 |
---|---|---|
committer | Daniel Gustafsson <dgustafsson@postgresql.org> | 2023-07-20 17:18:12 +0200 |
commit | 29a0ccbce97978e5d65b8f96c85a00611bb403c4 (patch) | |
tree | 3cd35231b78358a33e7d5161a93d8b965542455a /src | |
parent | 75ec5e7bec700577d39d653c316e3ae6c505842c (diff) | |
Revert "Add notBefore and notAfter to SSL cert info display"
Due to an oversight in reviewing, this used functionality not
compatible with old versions of OpenSSL.
This reverts commit 75ec5e7bec700577d39d653c316e3ae6c505842c.
Diffstat (limited to 'src')
-rw-r--r-- | src/backend/catalog/system_views.sql | 4 | ||||
-rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 47 | ||||
-rw-r--r-- | src/backend/utils/activity/backend_status.c | 2 | ||||
-rw-r--r-- | src/backend/utils/adt/pgstatfuncs.c | 46 | ||||
-rw-r--r-- | src/include/catalog/catversion.h | 2 | ||||
-rw-r--r-- | src/include/catalog/pg_proc.dat | 6 | ||||
-rw-r--r-- | src/include/libpq/libpq-be.h | 2 | ||||
-rw-r--r-- | src/include/utils/backend_status.h | 2 | ||||
-rw-r--r-- | src/test/regress/expected/rules.out | 12 | ||||
-rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 8 | ||||
-rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 14 |
11 files changed, 31 insertions, 114 deletions
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index f7c2cfb8cd5..af65af6bdd5 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -970,9 +970,7 @@ CREATE VIEW pg_stat_ssl AS
 S.sslbits AS bits,
 S.ssl_client_dn AS client_dn,
 S.ssl_client_serial AS client_serial,
- S.ssl_issuer_dn AS issuer_dn,
- S.ssl_not_before AS not_before,
- S.ssl_not_after AS not_after
+ S.ssl_issuer_dn AS issuer_dn
 FROM pg_stat_get_activity(NULL) AS S
 WHERE S.client_port IS NOT NULL;
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index b3bbfb3c082..658b09988d6 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,7 +36,6 @@
 #include "tcop/tcopprot.h"
 #include "utils/builtins.h"
 #include "utils/memutils.h"
-#include "utils/timestamp.h"
 /*
 * These SSL-related #includes must come after all system-provided headers.
@@ -73,7 +72,6 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessage(unsigned long ecode);
 static char *X509_NAME_to_cstring(X509_NAME *name);
-static Timestamp ASN1_TIME_to_timestamp(ASN1_TIME *time);
 static SSL_CTX *SSL_context = NULL;
 static bool SSL_initialized = false;
@@ -1409,24 +1407,6 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
 }
 void
-be_tls_get_peer_not_before(Port *port, Timestamp *ptr)
-{
- if (port->peer)
- *ptr = ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer));
- else
- *ptr = 0;
-}
-
-void
-be_tls_get_peer_not_after(Port *port, Timestamp *ptr)
-{
- if (port->peer)
- *ptr = ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer));
- else
- *ptr = 0;
-}
-
-void
 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
 {
 if (port->peer)
@@ -1570,33 +1550,6 @@ X509_NAME_to_cstring(X509_NAME *name)
 }
 /*
- * Convert an ASN1_TIME to a Timestamp
- */
-static Timestamp
-ASN1_TIME_to_timestamp(ASN1_TIME * time)
-{
- struct tm tm_time;
- struct pg_tm pgtm_time;
- Timestamp ts;
-
- ASN1_TIME_to_tm(time, &tm_time);
-
- pgtm_time.tm_sec = tm_time.tm_sec;
- pgtm_time.tm_min = tm_time.tm_min;
- pgtm_time.tm_hour = tm_time.tm_hour;
- pgtm_time.tm_mday = tm_time.tm_mday;
- pgtm_time.tm_mon = tm_time.tm_mon + 1;
- pgtm_time.tm_year = tm_time.tm_year + 1900;
-
- if (tm2timestamp(&pgtm_time, 0, NULL, &ts))
- ereport(ERROR,
- (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
- errmsg("timestamp out of range")));
-
- return ts;
-}
-
-/*
 * Convert TLS protocol version GUC enum to OpenSSL values
 *
 * This is a straightforward one-to-one mapping, but doing it this way makes
diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c
index 02dc9d7931f..38f91a495b8 100644
--- a/src/backend/utils/activity/backend_status.c
+++ b/src/backend/utils/activity/backend_status.c
@@ -367,8 +367,6 @@ pgstat_bestart(void)
 be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN);
 be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN);
 be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN);
- be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before);
- be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after);
 }
 else
 {
diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c
index 9071981f985..2a4c8ef87ff 100644
--- a/src/backend/utils/adt/pgstatfuncs.c
+++ b/src/backend/utils/adt/pgstatfuncs.c
@@ -303,7 +303,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS)
 Datum
 pg_stat_get_activity(PG_FUNCTION_ARGS)
 {
-#define PG_STAT_GET_ACTIVITY_COLS 33
+#define PG_STAT_GET_ACTIVITY_COLS 31
 int num_backends = pgstat_fetch_stat_numbackends();
 int curr_backend;
 int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0);
@@ -395,7 +395,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 pfree(clipped_activity);
 /* leader_pid */
- nulls[31] = true;
+ nulls[29] = true;
 proc = BackendPidGetProc(beentry->st_procpid);
@@ -432,8 +432,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 */
 if (leader && leader->pid != beentry->st_procpid)
 {
- values[31] = Int32GetDatum(leader->pid);
- nulls[31] = false;
+ values[29] = Int32GetDatum(leader->pid);
+ nulls[29] = false;
 }
 else if (beentry->st_backendType == B_BG_WORKER)
 {
@@ -441,8 +441,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 if (leader_pid != InvalidPid)
 {
- values[31] = Int32GetDatum(leader_pid);
- nulls[31] = false;
+ values[29] = Int32GetDatum(leader_pid);
+ nulls[29] = false;
 }
 }
 }
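Review bot: The column positions in pg_stat_get_activity remain bare literals on the new side (`#define PG_STAT_GET_ACTIVITY_COLS 31`, the `nulls[29]`/`values[29]` sites in this hunk and the following two, and the `values[25]`..`values[30]` runs in the later hunks of this file), so any change to the column list forces a renumbering pass over a dozen sites, which is what both this revert and the commit it undoes had to do. A comment at the `#define` would at least name the source of truth for the ordering: `/* Keep PG_STAT_GET_ACTIVITY_COLS and the values[]/nulls[] indices below in sync with the proargnames of pg_stat_get_activity in pg_proc.dat. */`. Replacing the literals with an enum of named column positions would remove the hazard entirely, but that belongs in a separate cleanup rather than a revert. The body of pg_stat_get_activity continues outside this hunk.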
@@ -587,45 +587,35 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn);
 else
 nulls[24] = true;
-
- if (beentry->st_sslstatus->ssl_not_before != 0)
- values[25] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_before);
- else
- nulls[25] = true;
-
- if (beentry->st_sslstatus->ssl_not_after != 0)
- values[26] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_after);
- else
- nulls[26] = true;
 }
 else
 {
 values[18] = BoolGetDatum(false); /* ssl */
- nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true;
+ nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true;
 }
 /* GSSAPI information */
 if (beentry->st_gss)
 {
- values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
- values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
- values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
- values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
+ values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */
+ values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ);
+ values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */
+ values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials
 * delegated */
 }
 else
 {
- values[27] = BoolGetDatum(false); /* gss_auth */
- nulls[28] = true; /* No GSS principal */
- values[29] = BoolGetDatum(false); /* GSS Encryption not in
+ values[25] = BoolGetDatum(false); /* gss_auth */
+ nulls[26] = true; /* No GSS principal */
+ values[27] = BoolGetDatum(false); /* GSS Encryption not in
 * use */
- values[30] = BoolGetDatum(false); /* GSS credentials not
+ values[28] = BoolGetDatum(false); /* GSS credentials not
 * delegated */
 }
 if (beentry->st_query_id == 0)
- nulls[32] = true;
+ nulls[30] = true;
 else
- values[32] = UInt64GetDatum(beentry->st_query_id);
+ values[30] = UInt64GetDatum(beentry->st_query_id);
 }
 else
 {
@@ -655,8 +645,6 @@ pg_stat_get_activity(PG_FUNCTION_ARGS)
 nulls[28] = true;
 nulls[29] = true;
 nulls[30] = true;
- nulls[31] = true;
- nulls[32] = true;
 }
 tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls);
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index d17b1d8f9a1..d5969e6aea2 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -57,6 +57,6 @@
 */
 /* yyyymmddN */
-#define CATALOG_VERSION_NO 202307201
+#define CATALOG_VERSION_NO 202307111
 #endif
diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat
index 878c997e876..6996073989a 100644
--- a/src/include/catalog/pg_proc.dat
+++ b/src/include/catalog/pg_proc.dat
@@ -5413,9 +5413,9 @@ proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f', proretset => 't', provolatile => 's', proparallel => 'r', prorettype => 'record', proargtypes => 'int4', - proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamp,timestamp,bool,text,bool,bool,int4,int8}', - proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', - proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', + proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}', + proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', + proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', prosrc => 'pg_stat_get_activity' }, { oid => '3318', descr => 'statistics: information about progress of backends running maintenance command', diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 02765ba9d9d..a0b74c8095f 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h 
@@ -298,8 +298,6 @@ extern const char *be_tls_get_cipher(Port *port);
 extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len);
-extern void be_tls_get_peer_not_before(Port *port, Timestamp *ptr);
-extern void be_tls_get_peer_not_after(Port *port, Timestamp *ptr);
 /*
 * Get the server certificate hash for SCRAM channel binding type
diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h
index 1e4fedb6614..77939a0aede 100644
--- a/src/include/utils/backend_status.h
+++ b/src/include/utils/backend_status.h
@@ -61,8 +61,6 @@ typedef struct PgBackendSSLStatus
 char ssl_client_serial[NAMEDATALEN];
 char ssl_issuer_dn[NAMEDATALEN];
- Timestamp ssl_not_before;
- Timestamp ssl_not_after;
 } PgBackendSSLStatus;
 /*
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 30108846c17..e07afcd4aa6 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1760,7 +1760,7 @@ pg_stat_activity| SELECT s.datid,
 s.query_id,
 s.query,
 s.backend_type
- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
 LEFT JOIN pg_database d ON ((s.datid = d.oid)))
 LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
 pg_stat_all_indexes| SELECT c.oid AS relid,
@@ -1878,7 +1878,7 @@ pg_stat_gssapi| SELECT pid,
 gss_princ AS principal,
 gss_enc AS encrypted,
 gss_delegation AS credentials_delegated
- FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
+ FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
 WHERE (client_port IS NOT NULL);
 pg_stat_io| SELECT backend_type,
 object,
@@ -2080,7 +2080,7 @@ pg_stat_replication| SELECT s.pid,
 w.sync_priority,
 w.sync_state,
 w.reply_time
- FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
+ FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id)
 JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid)))
 LEFT JOIN pg_authid u ON ((s.usesysid = u.oid)));
 pg_stat_replication_slots| SELECT s.slot_name,
@@ -2113,10 +2113,8 @@ pg_stat_ssl| SELECT pid, sslbits AS bits, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, - ssl_issuer_dn AS issuer_dn, - ssl_not_before AS not_before, - ssl_not_after AS not_after - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + ssl_issuer_dn AS issuer_dn + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname, diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index bad41cacc8a..76442de063f 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -543,8 +543,8 @@ command_like( "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); # Test min/max SSL protocol versions. 
@@ -745,8 +745,8 @@ command_like( '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E,\Q2023-06-29 01:01:01\E,\Q2050-01-01 01:01:01\E\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index f050a6f4f96..5306aad8023 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -167,20 +167,6 @@ is($result, 't', "ssl_issuer_field() for commonName"); $result = $node->safe_psql( "certdb", - "SELECT ssl_client_get_notbefore() = not_before, " - . "not_before = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); -is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp"); - -$result = $node->safe_psql( - "certdb", - "SELECT ssl_client_get_notafter() = not_after, " - . "not_after = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", - connstr => $common_connstr); -is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp"); - -$result = $node->safe_psql( - "certdb", "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", connstr => $common_connstr); is($result, 'CA:FALSE|t', 'extract extension from cert'); |