From: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
---|---|
To: | "Michael Paquier" <michael(at)paquier(dot)xyz> |
Cc: | "Daniel Gustafsson" <daniel(at)yesql(dot)se>, "Jacob Champion" <jacob(dot)champion(at)enterprisedb(dot)com>, "PostgreSQL Hackers" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sslinfo extension - add notbefore and notafter timestamps |
Date: | 2024-12-19 19:05:44 |
Message-ID: | 193e04fc3a4.e77ee69b4866014.9008993441543238140@highgo.ca |
Lists: | pgsql-hackers |
> > The recent bump in minimum required versions of OpenSSL and LibreSSL made me
> > remember to revisit this patch which was previously reverted due to library
> > incompatibility (with *both* OpenSSL and LibreSSL on different APIs).
> >
> > The attached removes the timestamp conversion workaround which is no longer
> > needed.
>
> The patch was marked as ready for committer and is currently failing
> in the CI. I've moved it to next CF waiting on author. Could you
> provide a rebase?
Since the minimum OpenSSL version is now 1.1.1, the v13 patch would fail the CI because
it uses the old APIs to obtain notBefore and notAfter timestamps:
- X509_get_notBefore
- X509_get_notAfter
which were deprecated in OpenSSL 1.1.0...
Instead, it should use:
- X509_get0_notBefore
- X509_get0_notAfter
which are available in version 1.1.1 and beyond. These APIs now return a "const ASN1_TIME*"
instead of "ASN1_TIME*".
The changes below should remove the CI failure when applied to the v13 patch:
--- a/contrib/sslinfo/sslinfo.c
+++ b/contrib/sslinfo/sslinfo.c
-static Datum ASN1_TIME_to_timestamptz(ASN1_TIME *time);
+static Datum ASN1_TIME_to_timestamptz(const ASN1_TIME *time);
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
+ASN1_TIME_to_timestamptz(const ASN1_TIME *ASN1_cert_ts)
- return ASN1_TIME_to_timestamptz(X509_get_notBefore(cert));
+ return ASN1_TIME_to_timestamptz(X509_get0_notBefore(cert));
- return ASN1_TIME_to_timestamptz(X509_get_notAfter(cert));
+ return ASN1_TIME_to_timestamptz(X509_get0_notAfter(cert));
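Review bot: With the parameter of ASN1_TIME_to_timestamptz now `const ASN1_TIME *`, the function body, which these lines do not show, has to accept a const pointer everywhere it uses `ASN1_cert_ts`; please confirm it builds without a cast that drops the qualifier. While the prototype is being touched, note that its parameter is named `time` whereas the definition uses `ASN1_cert_ts`; using the same name in both would also avoid reusing the name of the C library's time().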
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
-static TimestampTz ASN1_TIME_to_timestamptz(ASN1_TIME *time);
+static TimestampTz ASN1_TIME_to_timestamptz(const ASN1_TIME *time);
-ASN1_TIME_to_timestamptz(ASN1_TIME *ASN1_cert_ts)
+ASN1_TIME_to_timestamptz(const ASN1_TIME *ASN1_cert_ts)
- *ptr = ASN1_TIME_to_timestamptz(X509_get_notBefore(port->peer));
+ *ptr = ASN1_TIME_to_timestamptz(X509_get0_notBefore(port->peer));
- *ptr = ASN1_TIME_to_timestamptz(X509_get_notAfter(port->peer));
+ *ptr = ASN1_TIME_to_timestamptz(X509_get0_notAfter(port->peer));
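Review bot: be-secure-openssl.c carries a second static ASN1_TIME_to_timestamptz, here returning TimestampTz where the sslinfo.c copy returns Datum, so the same conversion is maintained in two places under one name. Consider a single implementation that both callers use, or at least a comment in each copy pointing at the other so they stay in sync. The results of X509_get0_notBefore(port->peer) and X509_get0_notAfter(port->peer) are passed straight to the converter; the check that port->peer is set is not in these lines and is worth confirming at both call sites.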
Can you make a rebase with the above changes?
Cary Huang
-------------
HighGo Software Inc. (Canada)
cary(dot)huang(at)highgo(dot)ca
www.highgo.ca