diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/catalog/system_views.sql | 4 | ||||
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 47 | ||||
| -rw-r--r-- | src/backend/utils/activity/backend_status.c | 2 | ||||
| -rw-r--r-- | src/backend/utils/adt/pgstatfuncs.c | 46 | ||||
| -rw-r--r-- | src/include/catalog/catversion.h | 2 | ||||
| -rw-r--r-- | src/include/catalog/pg_proc.dat | 6 | ||||
| -rw-r--r-- | src/include/libpq/libpq-be.h | 2 | ||||
| -rw-r--r-- | src/include/utils/backend_status.h | 2 | ||||
| -rw-r--r-- | src/test/regress/expected/rules.out | 12 | ||||
| -rw-r--r-- | src/test/ssl/t/001_ssltests.pl | 8 | ||||
| -rw-r--r-- | src/test/ssl/t/003_sslinfo.pl | 14 |
11 files changed, 114 insertions, 31 deletions
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index af65af6bdd5..f7c2cfb8cd5 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -970,7 +970,9 @@ CREATE VIEW pg_stat_ssl AS S.sslbits AS bits, S.ssl_client_dn AS client_dn, S.ssl_client_serial AS client_serial, - S.ssl_issuer_dn AS issuer_dn + S.ssl_issuer_dn AS issuer_dn, + S.ssl_not_before AS not_before, + S.ssl_not_after AS not_after FROM pg_stat_get_activity(NULL) AS S WHERE S.client_port IS NOT NULL; diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 658b09988d6..b3bbfb3c082 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -36,6 +36,7 @@ #include "tcop/tcopprot.h" #include "utils/builtins.h" #include "utils/memutils.h" +#include "utils/timestamp.h" /* * These SSL-related #includes must come after all system-provided headers. @@ -72,6 +73,7 @@ static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessage(unsigned long ecode); static char *X509_NAME_to_cstring(X509_NAME *name); +static Timestamp ASN1_TIME_to_timestamp(ASN1_TIME *time); static SSL_CTX *SSL_context = NULL; static bool SSL_initialized = false; @@ -1407,6 +1409,24 @@ be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len) } void +be_tls_get_peer_not_before(Port *port, Timestamp *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamp(X509_get_notBefore(port->peer)); + else + *ptr = 0; +} + +void +be_tls_get_peer_not_after(Port *port, Timestamp *ptr) +{ + if (port->peer) + *ptr = ASN1_TIME_to_timestamp(X509_get_notAfter(port->peer)); + else + *ptr = 0; +} + +void be_tls_get_peer_serial(Port *port, char *ptr, size_t len) { if (port->peer) @@ -1550,6 +1570,33 @@ X509_NAME_to_cstring(X509_NAME *name) } /* + * Convert an ASN1_TIME to a Timestamp + */ +static Timestamp +ASN1_TIME_to_timestamp(ASN1_TIME * time) +{ + struct tm tm_time; + struct pg_tm pgtm_time; + Timestamp ts; + + ASN1_TIME_to_tm(time, &tm_time); + + pgtm_time.tm_sec = tm_time.tm_sec; + pgtm_time.tm_min = tm_time.tm_min; + pgtm_time.tm_hour = tm_time.tm_hour; + pgtm_time.tm_mday = tm_time.tm_mday; + pgtm_time.tm_mon = tm_time.tm_mon + 1; + pgtm_time.tm_year = tm_time.tm_year + 1900; + + if (tm2timestamp(&pgtm_time, 0, NULL, &ts)) + ereport(ERROR, + (errcode(ERRCODE_INVALID_PARAMETER_VALUE), + errmsg("timestamp out of range"))); + + return ts; +} + +/* * Convert TLS protocol version GUC enum to OpenSSL values * * This is a straightforward one-to-one mapping, but doing it this way makes diff --git a/src/backend/utils/activity/backend_status.c b/src/backend/utils/activity/backend_status.c index 38f91a495b8..02dc9d7931f 100644 --- a/src/backend/utils/activity/backend_status.c +++ b/src/backend/utils/activity/backend_status.c @@ -367,6 +367,8 @@ pgstat_bestart(void) be_tls_get_peer_subject_name(MyProcPort, lsslstatus.ssl_client_dn, NAMEDATALEN); be_tls_get_peer_serial(MyProcPort, lsslstatus.ssl_client_serial, NAMEDATALEN); be_tls_get_peer_issuer_name(MyProcPort, lsslstatus.ssl_issuer_dn, NAMEDATALEN); + be_tls_get_peer_not_before(MyProcPort, &lsslstatus.ssl_not_before); + be_tls_get_peer_not_after(MyProcPort, &lsslstatus.ssl_not_after); } else { diff --git a/src/backend/utils/adt/pgstatfuncs.c b/src/backend/utils/adt/pgstatfuncs.c index 2a4c8ef87ff..9071981f985 100644 --- a/src/backend/utils/adt/pgstatfuncs.c +++ b/src/backend/utils/adt/pgstatfuncs.c @@ -303,7 +303,7 @@ pg_stat_get_progress_info(PG_FUNCTION_ARGS) Datum pg_stat_get_activity(PG_FUNCTION_ARGS) { -#define PG_STAT_GET_ACTIVITY_COLS 31 +#define PG_STAT_GET_ACTIVITY_COLS 33 int num_backends = pgstat_fetch_stat_numbackends(); int curr_backend; int pid = PG_ARGISNULL(0) ? -1 : PG_GETARG_INT32(0); @@ -395,7 +395,7 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) pfree(clipped_activity); /* leader_pid */ - nulls[29] = true; + nulls[31] = true; proc = BackendPidGetProc(beentry->st_procpid); @@ -432,8 +432,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) */ if (leader && leader->pid != beentry->st_procpid) { - values[29] = Int32GetDatum(leader->pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader->pid); + nulls[31] = false; } else if (beentry->st_backendType == B_BG_WORKER) { @@ -441,8 +441,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) if (leader_pid != InvalidPid) { - values[29] = Int32GetDatum(leader_pid); - nulls[29] = false; + values[31] = Int32GetDatum(leader_pid); + nulls[31] = false; } } } @@ -587,35 +587,45 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) values[24] = CStringGetTextDatum(beentry->st_sslstatus->ssl_issuer_dn); else nulls[24] = true; + + if (beentry->st_sslstatus->ssl_not_before != 0) + values[25] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_before); + else + nulls[25] = true; + + if (beentry->st_sslstatus->ssl_not_after != 0) + values[26] = TimestampGetDatum(beentry->st_sslstatus->ssl_not_after); + else + nulls[26] = true; } else { values[18] = BoolGetDatum(false); /* ssl */ - nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = true; + nulls[19] = nulls[20] = nulls[21] = nulls[22] = nulls[23] = nulls[24] = nulls[25] = nulls[26] = true; } /* GSSAPI information */ if (beentry->st_gss) { - values[25] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ - values[26] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); - values[27] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ - values[28] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials + values[27] = BoolGetDatum(beentry->st_gssstatus->gss_auth); /* gss_auth */ + values[28] = CStringGetTextDatum(beentry->st_gssstatus->gss_princ); + values[29] = BoolGetDatum(beentry->st_gssstatus->gss_enc); /* GSS Encryption in use */ + values[30] = BoolGetDatum(beentry->st_gssstatus->gss_delegation); /* GSS credentials * delegated */ } else { - values[25] = BoolGetDatum(false); /* gss_auth */ - nulls[26] = true; /* No GSS principal */ - values[27] = BoolGetDatum(false); /* GSS Encryption not in + values[27] = BoolGetDatum(false); /* gss_auth */ + nulls[28] = true; /* No GSS principal */ + values[29] = BoolGetDatum(false); /* GSS Encryption not in * use */ - values[28] = BoolGetDatum(false); /* GSS credentials not + values[30] = BoolGetDatum(false); /* GSS credentials not * delegated */ } if (beentry->st_query_id == 0) - nulls[30] = true; + nulls[32] = true; else - values[30] = UInt64GetDatum(beentry->st_query_id); + values[32] = UInt64GetDatum(beentry->st_query_id); } else { @@ -645,6 +655,8 @@ pg_stat_get_activity(PG_FUNCTION_ARGS) nulls[28] = true; nulls[29] = true; nulls[30] = true; + nulls[31] = true; + nulls[32] = true; } tuplestore_putvalues(rsinfo->setResult, rsinfo->setDesc, values, nulls); diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h index d5969e6aea2..d17b1d8f9a1 100644 --- a/src/include/catalog/catversion.h +++ b/src/include/catalog/catversion.h @@ -57,6 +57,6 @@ */ /* yyyymmddN */ -#define CATALOG_VERSION_NO 202307111 +#define CATALOG_VERSION_NO 202307201 #endif diff --git a/src/include/catalog/pg_proc.dat b/src/include/catalog/pg_proc.dat index 6996073989a..878c997e876 100644 --- a/src/include/catalog/pg_proc.dat +++ b/src/include/catalog/pg_proc.dat @@ -5413,9 +5413,9 @@ proname => 'pg_stat_get_activity', prorows => '100', proisstrict => 'f', proretset => 't', provolatile => 's', proparallel => 'r', prorettype => 'record', proargtypes => 'int4', - proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,bool,text,bool,bool,int4,int8}', - proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', - proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', + proallargtypes => '{int4,oid,int4,oid,text,text,text,text,text,timestamptz,timestamptz,timestamptz,timestamptz,inet,text,int4,xid,xid,text,bool,text,text,int4,text,numeric,text,timestamp,timestamp,bool,text,bool,bool,int4,int8}', + proargmodes => '{i,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o,o}', + proargnames => '{pid,datid,pid,usesysid,application_name,state,query,wait_event_type,wait_event,xact_start,query_start,backend_start,state_change,client_addr,client_hostname,client_port,backend_xid,backend_xmin,backend_type,ssl,sslversion,sslcipher,sslbits,ssl_client_dn,ssl_client_serial,ssl_issuer_dn,ssl_not_before,ssl_not_after,gss_auth,gss_princ,gss_enc,gss_delegation,leader_pid,query_id}', prosrc => 'pg_stat_get_activity' }, { oid => '3318', descr => 'statistics: information about progress of backends running maintenance command', diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index a0b74c8095f..02765ba9d9d 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -298,6 +298,8 @@ extern const char *be_tls_get_cipher(Port *port); extern void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len); extern void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len); extern void be_tls_get_peer_serial(Port *port, char *ptr, size_t len); +extern void be_tls_get_peer_not_before(Port *port, Timestamp *ptr); +extern void be_tls_get_peer_not_after(Port *port, Timestamp *ptr); /* * Get the server certificate hash for SCRAM channel binding type diff --git a/src/include/utils/backend_status.h b/src/include/utils/backend_status.h index 77939a0aede..1e4fedb6614 100644 --- a/src/include/utils/backend_status.h +++ b/src/include/utils/backend_status.h @@ -61,6 +61,8 @@ typedef struct PgBackendSSLStatus char ssl_client_serial[NAMEDATALEN]; char ssl_issuer_dn[NAMEDATALEN]; + Timestamp ssl_not_before; + Timestamp ssl_not_after; } PgBackendSSLStatus; /* diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index e07afcd4aa6..30108846c17 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out @@ -1760,7 +1760,7 @@ pg_stat_activity| SELECT s.datid, s.query_id, s.query, s.backend_type - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) LEFT JOIN pg_database d ON ((s.datid = d.oid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_all_indexes| SELECT c.oid AS relid, @@ -1878,7 +1878,7 @@ pg_stat_gssapi| SELECT pid, gss_princ AS principal, gss_enc AS encrypted, gss_delegation AS credentials_delegated - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_io| SELECT backend_type, object, @@ -2080,7 +2080,7 @@ pg_stat_replication| SELECT s.pid, w.sync_priority, w.sync_state, w.reply_time - FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + FROM ((pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) JOIN pg_stat_get_wal_senders() w(pid, state, sent_lsn, write_lsn, flush_lsn, replay_lsn, write_lag, flush_lag, replay_lag, sync_priority, sync_state, reply_time) ON ((s.pid = w.pid))) LEFT JOIN pg_authid u ON ((s.usesysid = u.oid))); pg_stat_replication_slots| SELECT s.slot_name, @@ -2113,8 +2113,10 @@ pg_stat_ssl| SELECT pid, sslbits AS bits, ssl_client_dn AS client_dn, ssl_client_serial AS client_serial, - ssl_issuer_dn AS issuer_dn - FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) + ssl_issuer_dn AS issuer_dn, + ssl_not_before AS not_before, + ssl_not_after AS not_after + FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, wait_event_type, wait_event, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port, backend_xid, backend_xmin, backend_type, ssl, sslversion, sslcipher, sslbits, ssl_client_dn, ssl_client_serial, ssl_issuer_dn, ssl_not_before, ssl_not_after, gss_auth, gss_princ, gss_enc, gss_delegation, leader_pid, query_id) WHERE (client_port IS NOT NULL); pg_stat_subscription| SELECT su.oid AS subid, su.subname, diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl index 76442de063f..bad41cacc8a 100644 --- a/src/test/ssl/t/001_ssltests.pl +++ b/src/test/ssl/t/001_ssltests.pl @@ -543,8 +543,8 @@ command_like( "$common_connstr sslrootcert=invalid", '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,_null_,_null_,_null_,_null_,_null_\r?$}mx, 'pg_stat_ssl view without client certificate'); # Test min/max SSL protocol versions. @@ -745,8 +745,8 @@ command_like( '-c', "SELECT * FROM pg_stat_ssl WHERE pid = pg_backend_pid()" ], - qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn\r?\n - ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E\r?$}mx, + qr{^pid,ssl,version,cipher,bits,client_dn,client_serial,issuer_dn,not_before,not_after\r?\n + ^\d+,t,TLSv[\d.]+,[\w-]+,\d+,/?CN=ssltestuser,$serialno,/?\QCN=Test CA for PostgreSQL SSL regression test client certs\E,\Q2023-06-29 01:01:01\E,\Q2050-01-01 01:01:01\E\r?$}mx, 'pg_stat_ssl with client certificate'); # client key with wrong permissions diff --git a/src/test/ssl/t/003_sslinfo.pl b/src/test/ssl/t/003_sslinfo.pl index 5306aad8023..f050a6f4f96 100644 --- a/src/test/ssl/t/003_sslinfo.pl +++ b/src/test/ssl/t/003_sslinfo.pl @@ -167,6 +167,20 @@ is($result, 't', "ssl_issuer_field() for commonName"); $result = $node->safe_psql( "certdb", + "SELECT ssl_client_get_notbefore() = not_before, " + . "not_before = '2023-06-29 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notbefore() for not_before timestamp"); + +$result = $node->safe_psql( + "certdb", + "SELECT ssl_client_get_notafter() = not_after, " + . "not_after = '2050-01-01 01:01:01' FROM pg_stat_ssl WHERE pid = pg_backend_pid();", + connstr => $common_connstr); +is($result, 't|t', "ssl_client_get_notafter() for not_after timestamp"); + +$result = $node->safe_psql( + "certdb", "SELECT value, critical FROM ssl_extension_info() WHERE name = 'basicConstraints';", connstr => $common_connstr); is($result, 'CA:FALSE|t', 'extract extension from cert'); |