sslinfo.c File Reference

#include "postgres.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/asn1.h>
#include "access/htup_details.h"
#include "funcapi.h"
#include "libpq/libpq-be.h"
#include "miscadmin.h"
#include "utils/builtins.h"

Include dependency graph for sslinfo.c:

Go to the source code of this file.

Data Structures
struct	SSLExtensionInfoContext

Functions
static Datum	X509_NAME_field_to_text (X509_NAME *name, text *fieldName)
static Datum	X509_NAME_to_text (X509_NAME *name)
static Datum	ASN1_STRING_to_text (ASN1_STRING *str)
	PG_FUNCTION_INFO_V1 (ssl_is_used)
Datum	ssl_is_used (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_version)
Datum	ssl_version (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_cipher)
Datum	ssl_cipher (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_cert_present)
Datum	ssl_client_cert_present (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_serial)
Datum	ssl_client_serial (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_dn_field)
Datum	ssl_client_dn_field (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_issuer_field)
Datum	ssl_issuer_field (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_dn)
Datum	ssl_client_dn (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_issuer_dn)
Datum	ssl_issuer_dn (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_extension_info)
Datum	ssl_extension_info (PG_FUNCTION_ARGS)

Variables
	PG_MODULE_MAGIC

Function Documentation

static Datum ASN1_STRING_to_text ( ASN1_STRING *  str )

static

Definition at line 139 of file sslinfo.c.

References cstring_to_text(), elog, ereport, errcode(), errmsg(), ERROR, pfree(), pg_any_to_server(), PG_RETURN_TEXT_P, PG_UTF8, and result.

Referenced by X509_NAME_field_to_text().

{
    BIO        *membuf;
    size_t      size;
    char        nullterm;
    char       *sp;
    char       *dp;
    text       *result;

    membuf = BIO_new(BIO_s_mem());
    if (membuf == NULL)
        ereport(ERROR,
                (errcode(ERRCODE_OUT_OF_MEMORY),
                 errmsg("could not create OpenSSL BIO structure")));
    (void) BIO_set_close(membuf, BIO_CLOSE);
    ASN1_STRING_print_ex(membuf, str,
                         ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
                          | ASN1_STRFLGS_UTF8_CONVERT));
    /* ensure null termination of the BIO's content */
    nullterm = '\0';
    BIO_write(membuf, &nullterm, 1);
    size = BIO_get_mem_data(membuf, &sp);
    dp = pg_any_to_server(sp, size - 1, PG_UTF8);
    result = cstring_to_text(dp);
    if (dp != sp)
        pfree(dp);
    if (BIO_free(membuf) != 1)
        elog(ERROR, "could not free OpenSSL BIO structure");

    PG_RETURN_TEXT_P(result);
}

PG_FUNCTION_INFO_V1

(

ssl_is_used

)

PG_FUNCTION_INFO_V1

(

ssl_version

)

PG_FUNCTION_INFO_V1

(

ssl_cipher

)

PG_FUNCTION_INFO_V1

(

ssl_client_cert_present

)

PG_FUNCTION_INFO_V1

(

ssl_client_serial

)

PG_FUNCTION_INFO_V1

(

ssl_client_dn_field

)

PG_FUNCTION_INFO_V1

(

ssl_issuer_field

)

PG_FUNCTION_INFO_V1

(

ssl_client_dn

)

PG_FUNCTION_INFO_V1

(

ssl_issuer_dn

)

PG_FUNCTION_INFO_V1

(

ssl_extension_info

)

Datum ssl_cipher

(

PG_FUNCTION_ARGS

)

Definition at line 68 of file sslinfo.c.

References cstring_to_text(), MyProcPort, PG_RETURN_NULL, and PG_RETURN_TEXT_P.

{
    if (MyProcPort->ssl == NULL)
        PG_RETURN_NULL();
    PG_RETURN_TEXT_P(cstring_to_text(SSL_get_cipher(MyProcPort->ssl)));
}

Datum ssl_client_cert_present

(

PG_FUNCTION_ARGS

)

Definition at line 84 of file sslinfo.c.

References MyProcPort, and PG_RETURN_BOOL.

{
    PG_RETURN_BOOL(MyProcPort->peer != NULL);
}

Datum ssl_client_dn

(

PG_FUNCTION_ARGS

)

Definition at line 359 of file sslinfo.c.

References MyProcPort, PG_RETURN_NULL, and X509_NAME_to_text().

{
    if (!(MyProcPort->peer))
        PG_RETURN_NULL();
    return X509_NAME_to_text(X509_get_subject_name(MyProcPort->peer));
}

Datum ssl_client_dn_field

(

PG_FUNCTION_ARGS

)

Definition at line 226 of file sslinfo.c.

References MyProcPort, PG_GETARG_TEXT_PP, PG_RETURN_NULL, result, and X509_NAME_field_to_text().

{
    text       *fieldname = PG_GETARG_TEXT_PP(0);
    Datum       result;

    if (!(MyProcPort->peer))
        PG_RETURN_NULL();

    result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname);

    if (!result)
        PG_RETURN_NULL();
    else
        return result;
}

Datum ssl_client_serial

(

PG_FUNCTION_ARGS

)

Definition at line 100 of file sslinfo.c.

References CStringGetDatum, DirectFunctionCall3, Int32GetDatum, MyProcPort, numeric_in(), ObjectIdGetDatum, PG_RETURN_NULL, port, and result.

{
    Datum       result;
    Port       *port = MyProcPort;
    X509       *peer = port->peer;
    ASN1_INTEGER *serial = NULL;
    BIGNUM     *b;
    char       *decimal;

    if (!peer)
        PG_RETURN_NULL();
    serial = X509_get_serialNumber(peer);
    b = ASN1_INTEGER_to_BN(serial, NULL);
    decimal = BN_bn2dec(b);

    BN_free(b);
    result = DirectFunctionCall3(numeric_in,
                                 CStringGetDatum(decimal),
                                 ObjectIdGetDatum(0),
                                 Int32GetDatum(-1));
    OPENSSL_free(decimal);
    return result;
}

Datum ssl_extension_info

(

PG_FUNCTION_ARGS

)

Definition at line 396 of file sslinfo.c.

References BlessTupleDesc(), BoolGetDatum, buf, FuncCallContext::call_cntr, cstring_to_text_with_len(), CStringGetTextDatum, elog, ereport, errcode(), errmsg(), ERROR, get_call_result_type(), heap_form_tuple(), HeapTupleGetDatum, FuncCallContext::max_calls, MemoryContextSwitchTo(), FuncCallContext::multi_call_memory_ctx, MyProcPort, palloc(), PointerGetDatum, result, SRF_FIRSTCALL_INIT, SRF_IS_FIRSTCALL, SRF_PERCALL_SETUP, SRF_RETURN_DONE, SRF_RETURN_NEXT, SSLExtensionInfoContext::tupdesc, TYPEFUNC_COMPOSITE, FuncCallContext::user_fctx, and values.

{
    X509       *cert = MyProcPort->peer;
    FuncCallContext *funcctx;
    int         call_cntr;
    int         max_calls;
    MemoryContext oldcontext;
    SSLExtensionInfoContext *fctx;

    if (SRF_IS_FIRSTCALL())
    {

        TupleDesc   tupdesc;

        /* create a function context for cross-call persistence */
        funcctx = SRF_FIRSTCALL_INIT();

        /*
         * Switch to memory context appropriate for multiple function calls
         */
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

        /* Create a user function context for cross-call persistence */
        fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));

        /* Construct tuple descriptor */
        if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("function returning record called in context that cannot accept type record")));
        fctx->tupdesc = BlessTupleDesc(tupdesc);

        /* Set max_calls as a count of extensions in certificate */
        max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;

        if (max_calls > 0)
        {
            /* got results, keep track of them */
            funcctx->max_calls = max_calls;
            funcctx->user_fctx = fctx;
        }
        else
        {
            /* fast track when no results */
            MemoryContextSwitchTo(oldcontext);
            SRF_RETURN_DONE(funcctx);
        }

        MemoryContextSwitchTo(oldcontext);
    }

    /* stuff done on every call of the function */
    funcctx = SRF_PERCALL_SETUP();

    /*
     * Initialize per-call variables.
     */
    call_cntr = funcctx->call_cntr;
    max_calls = funcctx->max_calls;
    fctx = funcctx->user_fctx;

    /* do while there are more left to send */
    if (call_cntr < max_calls)
    {
        Datum       values[3];
        bool        nulls[3];
        char       *buf;
        HeapTuple   tuple;
        Datum       result;
        BIO        *membuf;
        X509_EXTENSION *ext;
        ASN1_OBJECT *obj;
        int         nid;
        int         len;

        /* need a BIO for this */
        membuf = BIO_new(BIO_s_mem());
        if (membuf == NULL)
            ereport(ERROR,
                    (errcode(ERRCODE_OUT_OF_MEMORY),
                     errmsg("could not create OpenSSL BIO structure")));

        /* Get the extension from the certificate */
        ext = X509_get_ext(cert, call_cntr);
        obj = X509_EXTENSION_get_object(ext);

        /* Get the extension name */
        nid = OBJ_obj2nid(obj);
        if (nid == NID_undef)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("unknown OpenSSL extension in certificate at position %d",
                            call_cntr)));
        values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
        nulls[0] = false;

        /* Get the extension value */
        if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("could not print extension value in certificate at position %d",
                            call_cntr)));
        len = BIO_get_mem_data(membuf, &buf);
        values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len));
        nulls[1] = false;

        /* Get critical status */
        values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
        nulls[2] = false;

        /* Build tuple */
        tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
        result = HeapTupleGetDatum(tuple);

        if (BIO_free(membuf) != 1)
            elog(ERROR, "could not free OpenSSL BIO structure");

        SRF_RETURN_NEXT(funcctx, result);
    }

    /* All done */
    SRF_RETURN_DONE(funcctx);
}

Datum ssl_is_used

(

PG_FUNCTION_ARGS

)

Definition at line 44 of file sslinfo.c.

References MyProcPort, PG_RETURN_BOOL, and Port::ssl_in_use.

{
    PG_RETURN_BOOL(MyProcPort->ssl_in_use);
}

Datum ssl_issuer_dn

(

PG_FUNCTION_ARGS

)

Definition at line 378 of file sslinfo.c.

References MyProcPort, PG_RETURN_NULL, and X509_NAME_to_text().

{
    if (!(MyProcPort->peer))
        PG_RETURN_NULL();
    return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer));
}

Datum ssl_issuer_field

(

PG_FUNCTION_ARGS

)

Definition at line 261 of file sslinfo.c.

References MyProcPort, PG_GETARG_TEXT_PP, PG_RETURN_NULL, result, and X509_NAME_field_to_text().

{
    text       *fieldname = PG_GETARG_TEXT_PP(0);
    Datum       result;

    if (!(MyProcPort->peer))
        PG_RETURN_NULL();

    result = X509_NAME_field_to_text(X509_get_issuer_name(MyProcPort->peer), fieldname);

    if (!result)
        PG_RETURN_NULL();
    else
        return result;
}

Datum ssl_version

(

PG_FUNCTION_ARGS

)

Definition at line 55 of file sslinfo.c.

References cstring_to_text(), MyProcPort, PG_RETURN_NULL, and PG_RETURN_TEXT_P.

{
    if (MyProcPort->ssl == NULL)
        PG_RETURN_NULL();
    PG_RETURN_TEXT_P(cstring_to_text(SSL_get_version(MyProcPort->ssl)));
}

static Datum X509_NAME_field_to_text ( X509_NAME *  name, text *  fieldName  )

static

Definition at line 185 of file sslinfo.c.

References ASN1_STRING_to_text(), ereport, errcode(), errmsg(), ERROR, pfree(), and text_to_cstring().

Referenced by ssl_client_dn_field(), and ssl_issuer_field().

{
    char       *string_fieldname;
    int         nid,
                index;
    ASN1_STRING *data;

    string_fieldname = text_to_cstring(fieldName);
    nid = OBJ_txt2nid(string_fieldname);
    if (nid == NID_undef)
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                 errmsg("invalid X.509 field name: \"%s\"",
                        string_fieldname)));
    pfree(string_fieldname);
    index = X509_NAME_get_index_by_NID(name, nid, -1);
    if (index < 0)
        return (Datum) 0;
    data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
    return ASN1_STRING_to_text(data);
}

static Datum X509_NAME_to_text ( X509_NAME *  name )

static

Definition at line 290 of file sslinfo.c.

References cstring_to_text(), elog, ereport, errcode(), errmsg(), ERROR, i, pfree(), pg_any_to_server(), PG_RETURN_TEXT_P, PG_UTF8, and result.

Referenced by ssl_client_dn(), and ssl_issuer_dn().

{
    BIO        *membuf = BIO_new(BIO_s_mem());
    int         i,
                nid,
                count = X509_NAME_entry_count(name);
    X509_NAME_ENTRY *e;
    ASN1_STRING *v;
    const char *field_name;
    size_t      size;
    char        nullterm;
    char       *sp;
    char       *dp;
    text       *result;

    if (membuf == NULL)
        ereport(ERROR,
                (errcode(ERRCODE_OUT_OF_MEMORY),
                 errmsg("could not create OpenSSL BIO structure")));

    (void) BIO_set_close(membuf, BIO_CLOSE);
    for (i = 0; i < count; i++)
    {
        e = X509_NAME_get_entry(name, i);
        nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
        if (nid == NID_undef)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("could not get NID for ASN1_OBJECT object")));
        v = X509_NAME_ENTRY_get_data(e);
        field_name = OBJ_nid2sn(nid);
        if (field_name == NULL)
            field_name = OBJ_nid2ln(nid);
        if (field_name == NULL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
        BIO_printf(membuf, "/%s=", field_name);
        ASN1_STRING_print_ex(membuf, v,
                             ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
                              | ASN1_STRFLGS_UTF8_CONVERT));
    }

    /* ensure null termination of the BIO's content */
    nullterm = '\0';
    BIO_write(membuf, &nullterm, 1);
    size = BIO_get_mem_data(membuf, &sp);
    dp = pg_any_to_server(sp, size - 1, PG_UTF8);
    result = cstring_to_text(dp);
    if (dp != sp)
        pfree(dp);
    if (BIO_free(membuf) != 1)
        elog(ERROR, "could not free OpenSSL BIO structure");

    PG_RETURN_TEXT_P(result);
}

Variable Documentation

PG_MODULE_MAGIC

Definition at line 22 of file sslinfo.c.