Re: sslinfo extension - add notbefore and notafter timestamps - Mailing list pgsql-hackers

From Cary Huang
Subject Re: sslinfo extension - add notbefore and notafter timestamps
Date
Msg-id 193e04fc3a4.e77ee69b4866014.9008993441543238140@highgo.ca
In response to Re: sslinfo extension - add notbefore and notafter timestamps  (Cary Huang <cary.huang@highgo.ca>)
List pgsql-hackers
 > > The recent bump in minimum required versions of OpenSSL and LibreSSL made me
 > > remember to revisit this patch which was previously reverted due to library
 > > incompatibility (with *both* OpenSSL and LibreSSL on different APIs).
 > > 
 > > The attached removes the timestamp conversion workaround which is no longer
 > > needed.
 > 
 > The patch was marked as ready for committer and is currently failing
 > in the CI.  I've moved it to next CF waiting on author.  Could you
 > provide a rebase?

Since the minimum OpenSSL version is now 1.1.1, the v13 patch would fail the CI because
it uses the old APIs to obtain notBefore and notAfter timestamps:

- X509_get_notBefore
- X509_get_notAfter

which were deprecated in OpenSSL 1.1.0...
Instead, it should use:

- X509_get0_notBefore
- X509_get0_notAfter

which are available in version 1.1.1 and beyond. These APIs now return a "const ASN1_TIME*"
instead of "ASN1_TIME*".

The changes below should remove the CI failure when applied to the v13 patch:

---   a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c

-static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time);
+static Datum ASN1_TIME_to_timestamptz(const ASN1_TIME *time);

-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
+ASN1_TIME_to_timestamptz(const ASN1_TIME *ASN1_cert_ts)

-       return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert));
+      return ASN1_TIME_to_timestamptz(X509_get0_notBefore(cert));

-       return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert));
+      return ASN1_TIME_to_timestamptz(X509_get0_notAfter(cert));
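
Review bot: The const-qualified parameter in `ASN1_TIME_to_timestamptz(const ASN1_TIME *ASN1_cert_ts)` is only correct if the function body never passes `ASN1_cert_ts` to a call that takes a non-const `ASN1_TIME *`, and the body is not part of this diff. Please confirm sslinfo.c builds without a discarded-qualifier warning once the two call sites use `X509_get0_notBefore(cert)` and `X509_get0_notAfter(cert)`. Since the quoted message says the earlier revert involved LibreSSL as well as OpenSSL, the rebase should also state that both getters are present in the minimum supported LibreSSL. The leading whitespace on the `-` and `+` return lines differs, so the indentation needs to be restored when the change is folded into the patch.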


---   a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c

-static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
+static TimestampTz ASN1_TIME_to_timestamptz(const ASN1_TIME *time);

-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
+ASN1_TIME_to_timestamptz(const ASN1_TIME *ASN1_cert_ts)

-    *ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
+    *ptr = ASN1_TIME_to_timestamptz(X509_get0_notBefore(port->peer));

-      *ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
+     *ptr = ASN1_TIME_to_timestamptz(X509_get0_notAfter(port->peer));
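
Review bot: The helper `ASN1_TIME_to_timestamptz` is declared static here returning `TimestampTz` and again in contrib/sslinfo/sslinfo.c returning `Datum`, so the same signature change has to be made twice and the two copies can drift; consider whether one conversion routine can be shared, or at least note in a comment that the two must stay in sync. At the two `*ptr = ...` call sites the getter result is passed straight through from `port->peer`, and nothing in the visible lines shows that `port->peer` is checked for NULL first, so please confirm the surrounding code guarantees a peer certificate before these lines run. The `-` and `+` lines for the notAfter assignment carry different leading whitespace, which should be normalised in the rebased patch.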

Can you make a rebase with the above changes?


Cary Huang
-------------
HighGo Software Inc. (Canada)
cary.huang@highgo.ca
www.highgo.ca







