NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitcb10467

committed

Add support for matching wildcard server certificates to the new SSL code.

This uses the function fnmatch() which is not available on all platforms(notably Windows), so import the implementation from NetBSD into src/port.

1 parenta378555 commitcb10467Copy full SHA for cb10467

File tree

8 files changed

+347

-12

lines changed

configure
configure.in
src
- include
  - fnmatchstub.h
  - pg_config.h.in
- interfaces/libpq
  - Makefile
  - fe-secure.c
- port
  - fnmatch.c
- tools/msvc
  - Mkvcbuild.pm

8 files changed

+347

-12

lines changed

`‎configure`

Lines changed: 92 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -24821,6 +24821,98 @@ esac`
`24821`	`24821`
`24822`	`24822`
`24823`	`24823`
	`24824`	`+# Check for fnmatch()`
	`24825`	`+{ echo "$as_me:$LINENO: checking for working POSIX fnmatch" >&5`
	`24826`	`+echo $ECHO_N "checking for working POSIX fnmatch... $ECHO_C" >&6; }`
	`24827`	`+if test "${ac_cv_func_fnmatch_works+set}" = set; then`
	`24828`	`+ echo $ECHO_N "(cached) $ECHO_C" >&6`
	`24829`	`+else`
	`24830`	`+ # Some versions of Solaris, SCO, and the GNU C Library`
	`24831`	`+ # have a broken or incompatible fnmatch.`
	`24832`	`+ # So we run a test program. If we are cross-compiling, take no chance.`
	`24833`	`+ # Thanks to John Oleynick, Franc,ois Pinard, and Paul Eggert for this test.`
	`24834`	`+ if test "$cross_compiling" = yes; then`
	`24835`	`+ ac_cv_func_fnmatch_works=cross`
	`24836`	`+else`
	`24837`	`+ cat >conftest.$ac_ext <<_ACEOF`
	`24838`	`+/* confdefs.h. */`
	`24839`	`+_ACEOF`
	`24840`	`+cat confdefs.h >>conftest.$ac_ext`
	`24841`	`+cat >>conftest.$ac_ext <<_ACEOF`
	`24842`	`+/* end confdefs.h. */`
	`24843`	`+#include <fnmatch.h>`
	`24844`	`+# define y(a, b, c) (fnmatch (a, b, c) == 0)`
	`24845`	`+# define n(a, b, c) (fnmatch (a, b, c) == FNM_NOMATCH)`
	`24846`	`+`
	`24847`	`+int`
	`24848`	`+main ()`
	`24849`	`+{`
	`24850`	`+return`
	`24851`	`+ (!(y ("a*", "abc", 0)`
	`24852`	`+ && n ("d/1", "d/s/1", FNM_PATHNAME)`
	`24853`	`+ && y ("a\\\\bc", "abc", 0)`
	`24854`	`+ && n ("a\\\\bc", "abc", FNM_NOESCAPE)`
	`24855`	`+ && y ("*x", ".x", 0)`
	`24856`	`+ && n ("*x", ".x", FNM_PERIOD)`
	`24857`	`+ && 1));`
	`24858`	`+ ;`
	`24859`	`+ return 0;`
	`24860`	`+}`
	`24861`	`+_ACEOF`
	`24862`	`+rm -f conftest$ac_exeext`
	`24863`	`+if { (ac_try="$ac_link"`
	`24864`	`+case "(($ac_try" in`
	`24865`	+ \" \| \` \| \\) ac_try_echo=\$ac_try;;
	`24866`	`+ *) ac_try_echo=$ac_try;;`
	`24867`	`+esac`
	`24868`	`+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5`
	`24869`	`+ (eval "$ac_link") 2>&5`
	`24870`	`+ ac_status=$?`
	`24871`	`+ echo "$as_me:$LINENO: \$? = $ac_status" >&5`
	`24872`	`+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'`
	`24873`	`+ { (case "(($ac_try" in`
	`24874`	+ \" \| \` \| \\) ac_try_echo=\$ac_try;;
	`24875`	`+ *) ac_try_echo=$ac_try;;`
	`24876`	`+esac`
	`24877`	`+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5`
	`24878`	`+ (eval "$ac_try") 2>&5`
	`24879`	`+ ac_status=$?`
	`24880`	`+ echo "$as_me:$LINENO: \$? = $ac_status" >&5`
	`24881`	`+ (exit $ac_status); }; }; then`
	`24882`	`+ ac_cv_func_fnmatch_works=yes`
	`24883`	`+else`
	`24884`	`+ echo "$as_me: program exited with status $ac_status" >&5`
	`24885`	`+echo "$as_me: failed program was:" >&5`
	`24886`	`+sed 's/^/\| /' conftest.$ac_ext >&5`
	`24887`	`+`
	`24888`	`+( exit $ac_status )`
	`24889`	`+ac_cv_func_fnmatch_works=no`
	`24890`	`+fi`
	`24891`	`+rm -f core .core core.conftest. gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext`
	`24892`	`+fi`
	`24893`	`+`
	`24894`	`+`
	`24895`	`+fi`
	`24896`	`+{ echo "$as_me:$LINENO: result: $ac_cv_func_fnmatch_works" >&5`
	`24897`	`+echo "${ECHO_T}$ac_cv_func_fnmatch_works" >&6; }`
	`24898`	`+if test $ac_cv_func_fnmatch_works = yes; then`
	`24899`	`+`
	`24900`	`+cat >>confdefs.h <<\_ACEOF`
	`24901`	`+#define HAVE_FNMATCH 1`
	`24902`	`+_ACEOF`
	`24903`	`+`
	`24904`	`+fi`
	`24905`	`+`
	`24906`	`+`
	`24907`	`+`
	`24908`	`+if test x"$ac_cv_func_fnmatch_works" != x"yes"; then`
	`24909`	`+ case " $LIBOBJS " in`
	`24910`	`+ " fnmatch.$ac_objext " ) ;;`
	`24911`	`+ *) LIBOBJS="$LIBOBJS fnmatch.$ac_objext"`
	`24912`	`+ ;;`
	`24913`	`+esac`
	`24914`	`+`
	`24915`	`+fi`
`24824`	`24916`
`24825`	`24917`	`# Select semaphore implementation type.`
`24826`	`24918`	`if test "$PORTNAME" != "win32"; then`

`‎configure.in`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`dnl Process this file with autoconf to produce a configure script.`
`2`		`-dnl $PostgreSQL: pgsql/configure.in,v 1.572 2008/11/18 13:10:20 petere Exp $`
	`2`	`+dnl $PostgreSQL: pgsql/configure.in,v 1.573 2008/11/24 09:15:15 mha Exp $`
`3`	`3`	`dnl`
`4`	`4`	`dnl Developers, please strive to achieve this order:`
`5`	`5`	`dnl`
`@@ -1625,6 +1625,11 @@ fi`
`1625`	`1625`	`# SunOS doesn't handle negative byte comparisons properly with +/- return`
`1626`	`1626`	`AC_FUNC_MEMCMP`
`1627`	`1627`
	`1628`	`+# Check for fnmatch()`
	`1629`	`+AC_FUNC_FNMATCH`
	`1630`	`+if test x"$ac_cv_func_fnmatch_works" != x"yes"; then`
	`1631`	`+ AC_LIBOBJ(fnmatch)`
	`1632`	`+fi`
`1628`	`1633`
`1629`	`1634`	`# Select semaphore implementation type.`
`1630`	`1635`	`if test "$PORTNAME" != "win32"; then`

`‎src/include/fnmatchstub.h`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+/*-------------------------------------------------------------------------`
	`2`	`+ *`
	`3`	`+ * fnmatchstub.h`
	`4`	`+ * Stubs for fnmatch() in port/fnmatch.c`
	`5`	`+ *`
	`6`	`+ *`
	`7`	`+ * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group`
	`8`	`+ * Portions Copyright (c) 1994, Regents of the University of California`
	`9`	`+ *`
	`10`	`+ * $PostgreSQL: pgsql/src/include/fnmatchstub.h,v 1.1 2008/11/24 09:15:16 mha Exp $`
	`11`	`+ *`
	`12`	`+ *-------------------------------------------------------------------------`
	`13`	`+ */`
	`14`	`+#ifndefFNMATCHSTUB_H`
	`15`	`+#defineFNMATCHSTUB_H`
	`16`	`+`
	`17`	`+externintfnmatch(constchar,constchar,int);`
	`18`	`+#defineFNM_NOMATCH1/* Match failed. */`
	`19`	`+#defineFNM_NOSYS2/* Function not implemented. */`
	`20`	`+#defineFNM_NOESCAPE0x01/* Disable backslash escaping. */`
	`21`	`+#defineFNM_PATHNAME0x02/* Slash must be matched by slash. */`
	`22`	`+#defineFNM_PERIOD0x04/* Period must be matched by period. */`
	`23`	`+#defineFNM_CASEFOLD0x08/* Pattern is matched case-insensitive */`
	`24`	`+#defineFNM_LEADING_DIR0x10/* Ignore /<tail> after Imatch. */`
	`25`	`+`
	`26`	`+`
	`27`	`+#endif`

`‎src/include/pg_config.h.in`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,9 @@`
`143`	`143`	/* Define to 1 if you have the `fdatasync' function. */
`144`	`144`	`#undef HAVE_FDATASYNC`
`145`	`145`
	`146`	+/* Define to 1 if your system has a working POSIX `fnmatch' function. */
	`147`	`+#undef HAVE_FNMATCH`
	`148`	`+`
`146`	`149`	/* Define to 1 if you have the `fpclass' function. */
`147`	`150`	`#undef HAVE_FPCLASS`
`148`	`151`

`‎src/interfaces/libpq/Makefile`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`# Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group`
`6`	`6`	`# Portions Copyright (c) 1994, Regents of the University of California`
`7`	`7`	`#`
`8`		`-# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.168 2008/10/0115:35:32 mha Exp $`
	`8`	`+# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.169 2008/11/24 09:15:16 mha Exp $`
`9`	`9`	`#`
`10`	`10`	`#-------------------------------------------------------------------------`
`11`	`11`
`@@ -34,7 +34,7 @@ OBJS=fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \`
`34`	`34`	`fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o\`
`35`	`35`	`libpq-events.o\`
`36`	`36`	`md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o thread.o\`
`37`		`-$(filter crypt.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o,$(LIBOBJS))`
	`37`	`+$(filter crypt.ofnmatch.ogetaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o,$(LIBOBJS))`
`38`	`38`
`39`	`39`	`ifeq ($(PORTNAME), cygwin)`
`40`	`40`	`overrideshlib = cyg$(NAME)$(DLSUFFIX)`
`@@ -80,7 +80,7 @@ backend_src = $(top_srcdir)/src/backend`
`80`	`80`	`# For port modules, this only happens if configure decides the module`
`81`	`81`	`# is needed (see filter hack in OBJS, above).`
`82`	`82`
`83`		`-crypt.cgetaddrinfo.cinet_aton.cnoblock.copen.cpgstrcasecmp.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cpgsleep.c:% :$(top_srcdir)/src/port/%`
	`83`	`+crypt.cfnmatch.cgetaddrinfo.cinet_aton.cnoblock.copen.cpgstrcasecmp.csnprintf.cstrerror.cstrlcpy.cthread.cwin32error.cpgsleep.c:% :$(top_srcdir)/src/port/%`
`84`	`84`	`rm -f$@&&$(LN_S)$<.`
`85`	`85`
`86`	`86`	`md5.cip.c:% :$(backend_src)/libpq/%`
`@@ -123,7 +123,7 @@ uninstall: uninstall-lib`
`123`	`123`	`rm -f'$(DESTDIR)$(datadir)/pg_service.conf.sample'`
`124`	`124`
`125`	`125`	`cleandistclean: clean-lib`
`126`		`-rm -f$(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc`
	`126`	`+rm -f$(OBJS) pg_config_paths.h crypt.cfnmatch.cgetaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc`
`127`	`127`	`# Might be left over from a Win32 client-only build`
`128`	`128`	`rm -f pg_config_paths.h`
`129`	`129`

`‎src/interfaces/libpq/fe-secure.c`

Lines changed: 15 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.107 2008/11/13 09:45:25 mha Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.108 2008/11/24 09:15:16 mha Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`*`
`@@ -63,6 +63,13 @@`
`63`	`63`	`#if (SSLEAY_VERSION_NUMBER >=0x00907000L)&& !defined(OPENSSL_NO_ENGINE)`
`64`	`64`	`#include<openssl/engine.h>`
`65`	`65`	`#endif`
	`66`	`+`
	`67`	`+/* fnmatch() needed for client certificate checking */`
	`68`	`+#ifdefHAVE_FNMATCH`
	`69`	`+#include<fnmatch.h>`
	`70`	`+#else`
	`71`	`+#include"fnmatchstub.h"`
	`72`	`+#endif`
`66`	`73`	`#endif/* USE_SSL */`
`67`	`74`
`68`	`75`
`@@ -461,17 +468,20 @@ verify_peer_name_matches_certificate(PGconn *conn)`
`461`	`468`	`* Connect by hostname.`
`462`	`469`	`*`
`463`	`470`	`* XXX: Should support alternate names here`
`464`		`- * XXX: Should support wildcard certificates here`
`465`	`471`	`*/`
`466`		`-if (pg_strcasecmp(conn->peer_cn,conn->pghost)!=0)`
	`472`	`+if (pg_strcasecmp(conn->peer_cn,conn->pghost)==0)`
	`473`	`+/* Exact name match */`
	`474`	`+return true;`
	`475`	`+elseif (fnmatch(conn->peer_cn,conn->pghost,FNM_NOESCAPE \|FNM_CASEFOLD)==0)`
	`476`	`+/* Matched wildcard certificate */`
	`477`	`+return true;`
	`478`	`+else`
`467`	`479`	`{`
`468`	`480`	`printfPQExpBuffer(&conn->errorMessage,`
`469`	`481`	`libpq_gettext("server common name '%s' does not match hostname '%s'"),`
`470`	`482`	`conn->peer_cn,conn->pghost);`
`471`	`483`	`return false;`
`472`	`484`	`}`
`473`		`-else`
`474`		`-return true;`
`475`	`485`	`}`
`476`	`486`	`}`
`477`	`487`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcb10467

File tree

8 files changed

8 files changed

`‎configure`

`‎configure.in`

`‎src/include/fnmatchstub.h`

`‎src/include/pg_config.h.in`

`‎src/interfaces/libpq/Makefile`

`‎src/interfaces/libpq/fe-secure.c`

0 commit comments