sslinfo.c File Reference

#include "postgres.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/asn1.h>
#include "access/htup_details.h"
#include "funcapi.h"
#include "libpq/libpq-be.h"
#include "miscadmin.h"
#include "utils/builtins.h"

Include dependency graph for sslinfo.c:

Go to the source code of this file.

Data Structures
struct	SSLExtensionInfoContext

Functions
static Datum	X509_NAME_field_to_text (X509_NAME *name, text *fieldName)
static Datum	ASN1_STRING_to_text (ASN1_STRING *str)
	PG_FUNCTION_INFO_V1 (ssl_is_used)
Datum	ssl_is_used (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_version)
Datum	ssl_version (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_cipher)
Datum	ssl_cipher (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_cert_present)
Datum	ssl_client_cert_present (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_serial)
Datum	ssl_client_serial (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_dn_field)
Datum	ssl_client_dn_field (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_issuer_field)
Datum	ssl_issuer_field (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_client_dn)
Datum	ssl_client_dn (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_issuer_dn)
Datum	ssl_issuer_dn (PG_FUNCTION_ARGS)
	PG_FUNCTION_INFO_V1 (ssl_extension_info)
Datum	ssl_extension_info (PG_FUNCTION_ARGS)

Variables
	PG_MODULE_MAGIC

Function Documentation

ASN1_STRING_to_text()

static Datum ASN1_STRING_to_text ( ASN1_STRING *  str )

static

Definition at line 148 of file sslinfo.c.

References cstring_to_text(), elog, ereport, errcode(), errmsg(), ERROR, pfree(), pg_any_to_server(), PG_RETURN_TEXT_P, and PG_UTF8.

Referenced by X509_NAME_field_to_text().

{
    BIO        *membuf;
    size_t      size;
    char        nullterm;
    char       *sp;
    char       *dp;
    text       *result;

    membuf = BIO_new(BIO_s_mem());
    if (membuf == NULL)
        ereport(ERROR,
                (errcode(ERRCODE_OUT_OF_MEMORY),
                 errmsg("could not create OpenSSL BIO structure")));
    (void) BIO_set_close(membuf, BIO_CLOSE);
    ASN1_STRING_print_ex(membuf, str,
                         ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
                          | ASN1_STRFLGS_UTF8_CONVERT));
    /* ensure null termination of the BIO's content */
    nullterm = '\0';
    BIO_write(membuf, &nullterm, 1);
    size = BIO_get_mem_data(membuf, &sp);
    dp = pg_any_to_server(sp, size - 1, PG_UTF8);
    result = cstring_to_text(dp);
    if (dp != sp)
        pfree(dp);
    if (BIO_free(membuf) != 1)
        elog(ERROR, "could not free OpenSSL BIO structure");

    PG_RETURN_TEXT_P(result);
}

PG_FUNCTION_INFO_V1() [1/10]

PG_FUNCTION_INFO_V1

(

ssl_is_used

)

Referenced by ssl_cipher(), ssl_client_cert_present(), ssl_client_dn(), ssl_client_dn_field(), ssl_is_used(), ssl_issuer_dn(), ssl_issuer_field(), ssl_version(), and X509_NAME_field_to_text().

PG_FUNCTION_INFO_V1() [2/10]

PG_FUNCTION_INFO_V1

(

ssl_version

)

PG_FUNCTION_INFO_V1() [3/10]

PG_FUNCTION_INFO_V1

(

ssl_cipher

)

PG_FUNCTION_INFO_V1() [4/10]

PG_FUNCTION_INFO_V1

(

ssl_client_cert_present

)

PG_FUNCTION_INFO_V1() [5/10]

PG_FUNCTION_INFO_V1

(

ssl_client_serial

)

PG_FUNCTION_INFO_V1() [6/10]

PG_FUNCTION_INFO_V1

(

ssl_client_dn_field

)

PG_FUNCTION_INFO_V1() [7/10]

PG_FUNCTION_INFO_V1

(

ssl_issuer_field

)

PG_FUNCTION_INFO_V1() [8/10]

PG_FUNCTION_INFO_V1

(

ssl_client_dn

)

PG_FUNCTION_INFO_V1() [9/10]

PG_FUNCTION_INFO_V1

(

ssl_issuer_dn

)

PG_FUNCTION_INFO_V1() [10/10]

PG_FUNCTION_INFO_V1

(

ssl_extension_info

)

ssl_cipher()

Datum ssl_cipher

(

PG_FUNCTION_ARGS

)

Definition at line 74 of file sslinfo.c.

References be_tls_get_cipher(), cstring_to_text(), MyProcPort, PG_FUNCTION_INFO_V1(), PG_RETURN_NULL, PG_RETURN_TEXT_P, ssl_client_cert_present(), and Port::ssl_in_use.

Referenced by ssl_version().

{
    const char *cipher;

    if (!MyProcPort->ssl_in_use)
        PG_RETURN_NULL();

    cipher = be_tls_get_cipher(MyProcPort);
    if (cipher == NULL)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(cstring_to_text(cipher));
}

ssl_client_cert_present()

Datum ssl_client_cert_present

(

PG_FUNCTION_ARGS

)

Definition at line 97 of file sslinfo.c.

References MyProcPort, Port::peer_cert_valid, PG_FUNCTION_INFO_V1(), PG_RETURN_BOOL, and ssl_client_serial().

Referenced by ssl_cipher().

{
    PG_RETURN_BOOL(MyProcPort->peer_cert_valid);
}

ssl_client_dn()

Datum ssl_client_dn

(

PG_FUNCTION_ARGS

)

Definition at line 298 of file sslinfo.c.

References be_tls_get_peer_subject_name(), cstring_to_text(), MyProcPort, NAMEDATALEN, Port::peer_cert_valid, PG_FUNCTION_INFO_V1(), PG_RETURN_NULL, PG_RETURN_TEXT_P, Port::ssl_in_use, and ssl_issuer_dn().

Referenced by ssl_issuer_field().

{
    char        subject[NAMEDATALEN];

    if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
        PG_RETURN_NULL();

    be_tls_get_peer_subject_name(MyProcPort, subject, NAMEDATALEN);

    if (!*subject)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(cstring_to_text(subject));
}

ssl_client_dn_field()

Datum ssl_client_dn_field

(

PG_FUNCTION_ARGS

)

Definition at line 235 of file sslinfo.c.

References MyProcPort, Port::peer_cert_valid, PG_FUNCTION_INFO_V1(), PG_GETARG_TEXT_PP, PG_RETURN_NULL, Port::ssl_in_use, ssl_issuer_field(), and X509_NAME_field_to_text().

Referenced by X509_NAME_field_to_text().

{
    text       *fieldname = PG_GETARG_TEXT_PP(0);
    Datum       result;

    if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
        PG_RETURN_NULL();

    result = X509_NAME_field_to_text(X509_get_subject_name(MyProcPort->peer), fieldname);

    if (!result)
        PG_RETURN_NULL();
    else
        return result;
}

ssl_client_serial()

Datum ssl_client_serial

(

PG_FUNCTION_ARGS

)

Definition at line 113 of file sslinfo.c.

References be_tls_get_peer_serial(), CStringGetDatum, DirectFunctionCall3, Int32GetDatum, MyProcPort, NAMEDATALEN, numeric_in(), ObjectIdGetDatum, Port::peer_cert_valid, PG_RETURN_NULL, and Port::ssl_in_use.

Referenced by ssl_client_cert_present().

{
    char decimal[NAMEDATALEN];
    Datum       result;

    if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
        PG_RETURN_NULL();

    be_tls_get_peer_serial(MyProcPort, decimal, NAMEDATALEN);

    if (!*decimal)
        PG_RETURN_NULL();

    result = DirectFunctionCall3(numeric_in,
                                 CStringGetDatum(decimal),
                                 ObjectIdGetDatum(0),
                                 Int32GetDatum(-1));
    return result;
}

ssl_extension_info()

Datum ssl_extension_info

(

PG_FUNCTION_ARGS

)

Definition at line 351 of file sslinfo.c.

References BlessTupleDesc(), BoolGetDatum, buf, FuncCallContext::call_cntr, cstring_to_text_with_len(), CStringGetTextDatum, elog, ereport, errcode(), errmsg(), ERROR, get_call_result_type(), heap_form_tuple(), HeapTupleGetDatum, FuncCallContext::max_calls, MemoryContextSwitchTo(), FuncCallContext::multi_call_memory_ctx, MyProcPort, palloc(), PointerGetDatum, SRF_FIRSTCALL_INIT, SRF_IS_FIRSTCALL, SRF_PERCALL_SETUP, SRF_RETURN_DONE, SRF_RETURN_NEXT, SSLExtensionInfoContext::tupdesc, TYPEFUNC_COMPOSITE, FuncCallContext::user_fctx, and values.

Referenced by ssl_issuer_dn().

{
    X509       *cert = MyProcPort->peer;
    FuncCallContext *funcctx;
    int         call_cntr;
    int         max_calls;
    MemoryContext oldcontext;
    SSLExtensionInfoContext *fctx;

    if (SRF_IS_FIRSTCALL())
    {

        TupleDesc   tupdesc;

        /* create a function context for cross-call persistence */
        funcctx = SRF_FIRSTCALL_INIT();

        /*
         * Switch to memory context appropriate for multiple function calls
         */
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

        /* Create a user function context for cross-call persistence */
        fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));

        /* Construct tuple descriptor */
        if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("function returning record called in context that cannot accept type record")));
        fctx->tupdesc = BlessTupleDesc(tupdesc);

        /* Set max_calls as a count of extensions in certificate */
        max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;

        if (max_calls > 0)
        {
            /* got results, keep track of them */
            funcctx->max_calls = max_calls;
            funcctx->user_fctx = fctx;
        }
        else
        {
            /* fast track when no results */
            MemoryContextSwitchTo(oldcontext);
            SRF_RETURN_DONE(funcctx);
        }

        MemoryContextSwitchTo(oldcontext);
    }

    /* stuff done on every call of the function */
    funcctx = SRF_PERCALL_SETUP();

    /*
     * Initialize per-call variables.
     */
    call_cntr = funcctx->call_cntr;
    max_calls = funcctx->max_calls;
    fctx = funcctx->user_fctx;

    /* do while there are more left to send */
    if (call_cntr < max_calls)
    {
        Datum       values[3];
        bool        nulls[3];
        char       *buf;
        HeapTuple   tuple;
        Datum       result;
        BIO        *membuf;
        X509_EXTENSION *ext;
        ASN1_OBJECT *obj;
        int         nid;
        int         len;

        /* need a BIO for this */
        membuf = BIO_new(BIO_s_mem());
        if (membuf == NULL)
            ereport(ERROR,
                    (errcode(ERRCODE_OUT_OF_MEMORY),
                     errmsg("could not create OpenSSL BIO structure")));

        /* Get the extension from the certificate */
        ext = X509_get_ext(cert, call_cntr);
        obj = X509_EXTENSION_get_object(ext);

        /* Get the extension name */
        nid = OBJ_obj2nid(obj);
        if (nid == NID_undef)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("unknown OpenSSL extension in certificate at position %d",
                            call_cntr)));
        values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
        nulls[0] = false;

        /* Get the extension value */
        if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
            ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("could not print extension value in certificate at position %d",
                            call_cntr)));
        len = BIO_get_mem_data(membuf, &buf);
        values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len));
        nulls[1] = false;

        /* Get critical status */
        values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
        nulls[2] = false;

        /* Build tuple */
        tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
        result = HeapTupleGetDatum(tuple);

        if (BIO_free(membuf) != 1)
            elog(ERROR, "could not free OpenSSL BIO structure");

        SRF_RETURN_NEXT(funcctx, result);
    }

    /* All done */
    SRF_RETURN_DONE(funcctx);
}

ssl_is_used()

Datum ssl_is_used

(

PG_FUNCTION_ARGS

)

Definition at line 43 of file sslinfo.c.

References MyProcPort, PG_FUNCTION_INFO_V1(), PG_RETURN_BOOL, Port::ssl_in_use, and ssl_version().

{
    PG_RETURN_BOOL(MyProcPort->ssl_in_use);
}

ssl_issuer_dn()

Datum ssl_issuer_dn

(

PG_FUNCTION_ARGS

)

Definition at line 325 of file sslinfo.c.

References be_tls_get_peer_issuer_name(), cstring_to_text(), MyProcPort, NAMEDATALEN, Port::peer_cert_valid, PG_FUNCTION_INFO_V1(), PG_RETURN_NULL, PG_RETURN_TEXT_P, ssl_extension_info(), and Port::ssl_in_use.

Referenced by ssl_client_dn().

{
    char        issuer[NAMEDATALEN];

    if (!MyProcPort->ssl_in_use || !MyProcPort->peer_cert_valid)
        PG_RETURN_NULL();

    be_tls_get_peer_issuer_name(MyProcPort, issuer, NAMEDATALEN);

    if (!*issuer)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(cstring_to_text(issuer));
}

ssl_issuer_field()

Datum ssl_issuer_field

(

PG_FUNCTION_ARGS

)

Definition at line 270 of file sslinfo.c.

References MyProcPort, PG_FUNCTION_INFO_V1(), PG_GETARG_TEXT_PP, PG_RETURN_NULL, ssl_client_dn(), and X509_NAME_field_to_text().

Referenced by ssl_client_dn_field().

{
    text       *fieldname = PG_GETARG_TEXT_PP(0);
    Datum       result;

    if (!(MyProcPort->peer))
        PG_RETURN_NULL();

    result = X509_NAME_field_to_text(X509_get_issuer_name(MyProcPort->peer), fieldname);

    if (!result)
        PG_RETURN_NULL();
    else
        return result;
}

ssl_version()

Datum ssl_version

(

PG_FUNCTION_ARGS

)

Definition at line 54 of file sslinfo.c.

References be_tls_get_version(), cstring_to_text(), MyProcPort, PG_FUNCTION_INFO_V1(), PG_RETURN_NULL, PG_RETURN_TEXT_P, ssl_cipher(), and Port::ssl_in_use.

Referenced by ssl_is_used().

{
    const char *version;

    if (!MyProcPort->ssl_in_use)
        PG_RETURN_NULL();

    version = be_tls_get_version(MyProcPort);
    if (version == NULL)
        PG_RETURN_NULL();

    PG_RETURN_TEXT_P(cstring_to_text(version));
}

X509_NAME_field_to_text()

static Datum X509_NAME_field_to_text ( X509_NAME *  name, text *  fieldName  )

static

Definition at line 194 of file sslinfo.c.

References ASN1_STRING_to_text(), ereport, errcode(), errmsg(), ERROR, pfree(), PG_FUNCTION_INFO_V1(), ssl_client_dn_field(), and text_to_cstring().

Referenced by ssl_client_dn_field(), and ssl_issuer_field().

{
    char       *string_fieldname;
    int         nid,
                index;
    ASN1_STRING *data;

    string_fieldname = text_to_cstring(fieldName);
    nid = OBJ_txt2nid(string_fieldname);
    if (nid == NID_undef)
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                 errmsg("invalid X.509 field name: \"%s\"",
                        string_fieldname)));
    pfree(string_fieldname);
    index = X509_NAME_get_index_by_NID(name, nid, -1);
    if (index < 0)
        return (Datum) 0;
    data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index));
    return ASN1_STRING_to_text(data);
}

Variable Documentation

PG_MODULE_MAGIC

PG_MODULE_MAGIC

Definition at line 22 of file sslinfo.c.