|
8 | 8 | */
|
9 | 9 |
|
10 | 10 | #include "postgres.h"
|
11 |
| -#include "fmgr.h" |
12 |
| -#include "utils/numeric.h" |
13 |
| -#include "libpq/libpq-be.h" |
14 |
| -#include "miscadmin.h" |
15 |
| -#include "utils/builtins.h" |
16 |
| -#include "mb/pg_wchar.h" |
17 | 11 |
|
18 | 12 | #include <openssl/x509.h>
|
| 13 | +#include <openssl/x509v3.h> |
19 | 14 | #include <openssl/asn1.h>
|
20 | 15 |
|
| 16 | +#include "access/htup_details.h" |
| 17 | +#include "funcapi.h" |
| 18 | +#include "libpq/libpq-be.h" |
| 19 | +#include "miscadmin.h" |
| 20 | +#include "utils/builtins.h" |
| 21 | + |
21 | 22 | PG_MODULE_MAGIC;
|
22 | 23 |
|
23 | 24 | static Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName);
|
24 | 25 | static Datum X509_NAME_to_text(X509_NAME *name);
|
25 | 26 | static Datum ASN1_STRING_to_text(ASN1_STRING *str);
|
26 | 27 |
|
| 28 | +/* |
| 29 | + * Function context for data persisting over repeated calls. |
| 30 | + */ |
| 31 | +typedef struct |
| 32 | +{ |
| 33 | + TupleDesc tupdesc; |
| 34 | +} SSLExtensionInfoContext; |
27 | 35 |
|
28 | 36 | /*
|
29 | 37 | * Indicates whether current session uses SSL
|
@@ -373,3 +381,148 @@ ssl_issuer_dn(PG_FUNCTION_ARGS)
|
373 | 381 | PG_RETURN_NULL();
|
374 | 382 | return X509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer));
|
375 | 383 | }
|
| 384 | + |
| 385 | + |
| 386 | +/* |
| 387 | + * Returns information about available SSL extensions. |
| 388 | + * |
| 389 | + * Returns setof record made of the following values: |
| 390 | + * - name of the extension. |
| 391 | + * - value of the extension. |
| 392 | + * - critical status of the extension. |
| 393 | + */ |
| 394 | +PG_FUNCTION_INFO_V1(ssl_extension_info); |
| 395 | +Datum |
| 396 | +ssl_extension_info(PG_FUNCTION_ARGS) |
| 397 | +{ |
| 398 | + X509 *cert = MyProcPort->peer; |
| 399 | + FuncCallContext *funcctx; |
| 400 | + int call_cntr; |
| 401 | + int max_calls; |
| 402 | + MemoryContext oldcontext; |
| 403 | + SSLExtensionInfoContext *fctx; |
| 404 | + |
| 405 | + STACK_OF(X509_EXTENSION) *ext_stack = NULL; |
| 406 | + |
| 407 | + if (SRF_IS_FIRSTCALL()) |
| 408 | + { |
| 409 | + |
| 410 | + TupleDesc tupdesc; |
| 411 | + |
| 412 | + /* create a function context for cross-call persistence */ |
| 413 | + funcctx = SRF_FIRSTCALL_INIT(); |
| 414 | + |
| 415 | + /* |
| 416 | + * Switch to memory context appropriate for multiple function calls |
| 417 | + */ |
| 418 | + oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx); |
| 419 | + |
| 420 | + /* Create a user function context for cross-call persistence */ |
| 421 | + fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext)); |
| 422 | + |
| 423 | + /* Construct tuple descriptor */ |
| 424 | + if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE) |
| 425 | + ereport(ERROR, |
| 426 | + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), |
| 427 | + errmsg("function returning record called in context that cannot accept type record"))); |
| 428 | + fctx->tupdesc = BlessTupleDesc(tupdesc); |
| 429 | + |
| 430 | + /* Get all extensions of certificate */ |
| 431 | + if (cert && cert->cert_info) |
| 432 | + ext_stack = cert->cert_info->extensions; |
| 433 | + |
| 434 | + /* Set max_calls as a count of extensions in certificate */ |
| 435 | + max_calls = cert != NULL ? X509_get_ext_count(cert) : 0; |
| 436 | + |
| 437 | + if (cert != NULL && |
| 438 | + ext_stack != NULL && |
| 439 | + max_calls > 0) |
| 440 | + { |
| 441 | + /* got results, keep track of them */ |
| 442 | + funcctx->max_calls = max_calls; |
| 443 | + funcctx->user_fctx = fctx; |
| 444 | + } |
| 445 | + else |
| 446 | + { |
| 447 | + /* fast track when no results */ |
| 448 | + MemoryContextSwitchTo(oldcontext); |
| 449 | + SRF_RETURN_DONE(funcctx); |
| 450 | + } |
| 451 | + |
| 452 | + MemoryContextSwitchTo(oldcontext); |
| 453 | + } |
| 454 | + |
| 455 | + /* stuff done on every call of the function */ |
| 456 | + funcctx = SRF_PERCALL_SETUP(); |
| 457 | + |
| 458 | + /* |
| 459 | + * Initialize per-call variables. |
| 460 | + */ |
| 461 | + call_cntr = funcctx->call_cntr; |
| 462 | + max_calls = funcctx->max_calls; |
| 463 | + fctx = funcctx->user_fctx; |
| 464 | + |
| 465 | + ext_stack = cert->cert_info->extensions; |
| 466 | + |
| 467 | + /* do while there are more left to send */ |
| 468 | + if (call_cntr < max_calls) |
| 469 | + { |
| 470 | + Datum values[3]; |
| 471 | + bool nulls[3]; |
| 472 | + char *buf; |
| 473 | + HeapTuple tuple; |
| 474 | + Datum result; |
| 475 | + BIO *membuf; |
| 476 | + X509_EXTENSION *ext; |
| 477 | + ASN1_OBJECT *obj; |
| 478 | + int nid; |
| 479 | + int len; |
| 480 | + |
| 481 | + /* need a BIO for this */ |
| 482 | + membuf = BIO_new(BIO_s_mem()); |
| 483 | + if (membuf == NULL) |
| 484 | + ereport(ERROR, |
| 485 | + (errcode(ERRCODE_OUT_OF_MEMORY), |
| 486 | + errmsg("could not create OpenSSL BIO structure"))); |
| 487 | + |
| 488 | + /* Get the extension from the certificate */ |
| 489 | + ext = sk_X509_EXTENSION_value(ext_stack, call_cntr); |
| 490 | + obj = X509_EXTENSION_get_object(ext); |
| 491 | + |
| 492 | + /* Get the extension name */ |
| 493 | + nid = OBJ_obj2nid(obj); |
| 494 | + if (nid == NID_undef) |
| 495 | + ereport(ERROR, |
| 496 | + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), |
| 497 | + errmsg("unknown OpenSSL extension in certificate at position %d", |
| 498 | + call_cntr))); |
| 499 | + values[0] = CStringGetTextDatum(OBJ_nid2sn(nid)); |
| 500 | + nulls[0] = false; |
| 501 | + |
| 502 | + /* Get the extension value */ |
| 503 | + if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0) |
| 504 | + ereport(ERROR, |
| 505 | + (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), |
| 506 | + errmsg("could not print extension value in certificate at position %d", |
| 507 | + call_cntr))); |
| 508 | + len = BIO_get_mem_data(membuf, &buf); |
| 509 | + values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len)); |
| 510 | + nulls[1] = false; |
| 511 | + |
| 512 | + /* Get critical status */ |
| 513 | + values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext)); |
| 514 | + nulls[2] = false; |
| 515 | + |
| 516 | + /* Build tuple */ |
| 517 | + tuple = heap_form_tuple(fctx->tupdesc, values, nulls); |
| 518 | + result = HeapTupleGetDatum(tuple); |
| 519 | + |
| 520 | + if (BIO_free(membuf) != 1) |
| 521 | + elog(ERROR, "could not free OpenSSL BIO structure"); |
| 522 | + |
| 523 | + SRF_RETURN_NEXT(funcctx, result); |
| 524 | + } |
| 525 | + |
| 526 | + /* Do when there is no more left */ |
| 527 | + SRF_RETURN_DONE(funcctx); |
| 528 | +} |
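Review bot: The OpenSSL BIO created at `membuf = BIO_new(BIO_s_mem());` is leaked on both `ereport(ERROR, ...)` paths below it (the `nid == NID_undef` check and the failed `X509V3_EXT_print`), because ereport longjmps out of the function and the BIO lives outside any PostgreSQL memory context; since the certificate comes from the connecting client, an unrecognised extension aborts the query and leaks one BIO per attempt. Allocate the BIO only after the nid check and call `BIO_free(membuf)` before reporting the print failure. Separately, `ext_stack = cert->cert_info->extensions;` (and the same access in the first-call branch) reaches into X509 internals; `ext = X509_get_ext(cert, call_cntr);` returns the same element, matches the `X509_get_ext_count(cert)` call already used for max_calls, and lets the `ext_stack` variable and its NULL check in the first-call `if` be dropped.
```c
	/* Get the extension from the certificate */
	ext = X509_get_ext(cert, call_cntr);
	obj = X509_EXTENSION_get_object(ext);

	/* … unchanged: nid = OBJ_obj2nid(obj); NID_undef ereport; values[0]/nulls[0] … */

	/* BIO is allocated after the nid check so the error path above has nothing to free */
	membuf = BIO_new(BIO_s_mem());
	if (membuf == NULL)
		ereport(ERROR,
				(errcode(ERRCODE_OUT_OF_MEMORY),
				 errmsg("could not create OpenSSL BIO structure")));

	/* Get the extension value; release the BIO before longjmping out */
	if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
	{
		BIO_free(membuf);
		ereport(ERROR,
				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
				 errmsg("could not print extension value in certificate at position %d",
						call_cntr)));
	}
	/* … unchanged: BIO_get_mem_data, critical flag, tuple build, BIO_free, SRF_RETURN_NEXT … */
```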