Diffstat (limited to 'src')
-rw-r--r-- | src/include/fnmatchstub.h | 27 | ||||
-rw-r--r-- | src/include/pg_config.h.in | 3 | ||||
-rw-r--r-- | src/interfaces/libpq/Makefile | 8 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-secure.c | 60 | ||||
-rw-r--r-- | src/port/fnmatch.c | 198 | ||||
-rw-r--r-- | src/tools/msvc/Mkvcbuild.pm | 4 |
6 files changed, 54 insertions, 246 deletions
diff --git a/src/include/fnmatchstub.h b/src/include/fnmatchstub.h
deleted file mode 100644
index fb23d8f98ce..00000000000
--- a/src/include/fnmatchstub.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*-------------------------------------------------------------------------
- *
- * fnmatchstub.h
- * Stubs for fnmatch() in port/fnmatch.c
- *
- *
- * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
- * Portions Copyright (c) 1994, Regents of the University of California
- *
- * $PostgreSQL: pgsql/src/include/fnmatchstub.h,v 1.1 2008/11/24 09:15:16 mha Exp $
- *
- *-------------------------------------------------------------------------
- */
-#ifndef FNMATCHSTUB_H
-#define FNMATCHSTUB_H
-
-extern int fnmatch(const char *, const char *, int);
-#define FNM_NOMATCH 1 /* Match failed. */
-#define FNM_NOSYS 2 /* Function not implemented. */
-#define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */
-#define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */
-#define FNM_PERIOD 0x04 /* Period must be matched by period. */
-#define FNM_CASEFOLD 0x08 /* Pattern is matched case-insensitive */
-#define FNM_LEADING_DIR 0x10 /* Ignore /<tail> after Imatch. */
-
-
-#endif
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 1064d155260..9f6f21bf817 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -143,9 +143,6 @@
 /* Define to 1 if you have the `fdatasync' function. */
 #undef HAVE_FDATASYNC
-/* Define to 1 if your system has a working POSIX `fnmatch' function. */
-#undef HAVE_FNMATCH
-
 /* Define to 1 if you have the `fpclass' function. */
 #undef HAVE_FPCLASS
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index 82a7fc26c17..5a899d27894 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -5,7 +5,7 @@
 # Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
 # Portions Copyright (c) 1994, Regents of the University of California
 #
-# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.169 2008/11/24 09:15:16 mha Exp $
+# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.170 2008/12/02 10:39:30 mha Exp $
 #
 #-------------------------------------------------------------------------
@@ -34,7 +34,7 @@ OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
 fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o \
 libpq-events.o \
 md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o thread.o \
- $(filter crypt.o fnmatch.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o, $(LIBOBJS))
+ $(filter crypt.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o, $(LIBOBJS))
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
@@ -80,7 +80,7 @@ backend_src = $(top_srcdir)/src/backend
 # For port modules, this only happens if configure decides the module
 # is needed (see filter hack in OBJS, above).
-crypt.c fnmatch.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/%
+crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/%
 rm -f $@ && $(LN_S) $< .
 md5.c ip.c: % : $(backend_src)/libpq/%
@@ -123,7 +123,7 @@ uninstall: uninstall-lib
 rm -f '$(DESTDIR)$(datadir)/pg_service.conf.sample'
 clean distclean: clean-lib
- rm -f $(OBJS) pg_config_paths.h crypt.c fnmatch.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
+ rm -f $(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc
 # Might be left over from a Win32 client-only build
 rm -f pg_config_paths.h
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 9f6781be476..5d1747821bf 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.109 2008/11/24 19:19:46 mha Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.110 2008/12/02 10:39:30 mha Exp $
 *
 * NOTES
 *
@@ -55,6 +55,7 @@
 #endif
 #ifdef USE_SSL
+
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
 #if (SSLEAY_VERSION_NUMBER >= 0x00907000L)
@@ -64,16 +65,6 @@
 #include <openssl/engine.h>
 #endif
-/* fnmatch() needed for client certificate checking */
-#ifdef HAVE_FNMATCH
-#include <fnmatch.h>
-#else
-#include "fnmatchstub.h"
-#endif
-#endif /* USE_SSL */
-
-
-#ifdef USE_SSL
 #ifndef WIN32
 #define USER_CERT_FILE ".postgresql/postgresql.crt"
@@ -443,6 +434,51 @@ verify_cb(int ok, X509_STORE_CTX *ctx)
 return ok;
 }
+
+/*
+ * Check if a wildcard certificate matches the server hostname.
+ *
+ * The rule for this is:
+ * 1. We only match the '*' character as wildcard
+ * 2. We match only wildcards at the start of the string
+ * 3. The '*' character does *not* match '.', meaning that we match only
+ * a single pathname component.
+ * 4. We don't support more than one '*' in a single pattern.
+ *
+ * This is roughly in line with RFC2818, but contrary to what most browsers
+ * appear to be implementing (point 3 being the difference)
+ *
+ * Matching is always cone case-insensitive, since DNS is case insensitive.
+ */
+static int
+wildcard_certificate_match(const char *pattern, const char *string)
+{
+ int lenpat = strlen(pattern);
+ int lenstr = strlen(string);
+
+ /* If we don't start with a wildcard, it's not a match (rule 1 & 2) */
+ if (lenpat < 3 ||
+ pattern[0] != '*' ||
+ pattern[1] != '.')
+ return 0;
+
+ if (lenpat > lenstr)
+ /* If pattern is longer than the string, we can never match */
+ return 0;
+
+ if (pg_strcasecmp(pattern+1, string+lenstr-lenpat+1) != 0)
+ /* If string does not end in pattern (minus the wildcard), we don't match */
+ return 0;
+
+ if (strchr(string, '.') < string+lenstr-lenpat)
+ /* If there is a dot left of where the pattern started to match, we don't match (rule 3) */
+ return 0;
+
+ /* String ended with pattern, and didn't have a dot before, so we match */
+ return 1;
+}
+
+
 /*
 * Verify that common name resolves to peer.
 */
@@ -472,7 +508,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
 if (pg_strcasecmp(conn->peer_cn, conn->pghost) == 0)
 /* Exact name match */
 return true;
-else if (fnmatch(conn->peer_cn, conn->pghost, FNM_NOESCAPE/* | FNM_CASEFOLD*/) == 0)
+else if (wildcard_certificate_match(conn->peer_cn, conn->pghost))
 /* Matched wildcard certificate */
 return true;
 else
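Review bot: wildcard_certificate_match() applies the `*.` rule to whatever conn->pghost holds, so a CN of `*.2.3.4` would match a host given as the IP literal `1.2.3.4` (the suffix compare succeeds and `1` is an acceptable wildcard label as far as this code is concerned), which RFC 2818 §3.1 does not permit — wildcards are for DNS names, and an IP address has to match an iPAddress subjectAltName exactly. Whether pghost can arrive as an IP literal is decided outside this hunk, but if it can, a cheap guard before the pg_strcasecmp is `if (strspn(string, "0123456789.") == lenstr) return 0;` (IPv6 literals would need a similar rejection on ':'). Two smaller points in the same function: the header comment reads "always cone case-insensitive" and should be "always done case-insensitive", and the rule-3 check `strchr(string, '.') < string+lenstr-lenpat` only rejects a dot strictly left of the last wildcard-covered character, so a first dot at exactly that index passes; that needs an empty label (`..`) in the hostname and is harmless in practice, but `<=` states the intent exactly. Finally, a CN of `*.com` still matches `example.com` here; that is consistent with RFC 2818 but worth one line in the header comment so it is not later mistaken for a bug.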
diff --git a/src/port/fnmatch.c b/src/port/fnmatch.c
deleted file mode 100644
index c7fbc54a317..00000000000
--- a/src/port/fnmatch.c
+++ /dev/null
@@ -1,198 +0,0 @@ -/*------------------------------------------------------------------------- - * - * fnmatch.c - * fnmatch() - wildcard matching function - * - * Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group - * - * - * IDENTIFICATION - * $PostgreSQL: pgsql/src/port/fnmatch.c,v 1.1 2008/11/24 09:15:16 mha Exp $ - * - * This file was taken from NetBSD and is used on platforms that don't - * provide fnmatch(). The NetBSD copyright terms follow. - *------------------------------------------------------------------------- - */ - -/* $NetBSD: fnmatch.c,v 1.21 2005/12/24 21:11:16 perry Exp $ */ - -/* - * Copyright (c) 1989, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Guido van Rossum. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6. - * Compares a filename or pathname to a pattern. - */ - -#include "c.h" -#include "fnmatchstub.h" - -#define EOS '\0' - -static const char *rangematch (const char *, int, int); - -static inline int -foldcase(int ch, int flags) -{ - - if ((flags & FNM_CASEFOLD) != 0 && isupper(ch)) - return (tolower(ch)); - return (ch); -} - -#define FOLDCASE(ch, flags) foldcase((unsigned char)(ch), (flags)) - -int -fnmatch(pattern, string, flags) - const char *pattern, *string; - int flags; -{ - const char *stringstart; - char c, test; - - for (stringstart = string;;) - switch (c = FOLDCASE(*pattern++, flags)) { - case EOS: - if ((flags & FNM_LEADING_DIR) && *string == '/') - return (0); - return (*string == EOS ? 0 : FNM_NOMATCH); - case '?': - if (*string == EOS) - return (FNM_NOMATCH); - if (*string == '/' && (flags & FNM_PATHNAME)) - return (FNM_NOMATCH); - if (*string == '.' && (flags & FNM_PERIOD) && - (string == stringstart || - ((flags & FNM_PATHNAME) && *(string - 1) == '/'))) - return (FNM_NOMATCH); - ++string; - break; - case '*': - c = FOLDCASE(*pattern, flags); - /* Collapse multiple stars. */ - while (c == '*') - c = FOLDCASE(*++pattern, flags); - - if (*string == '.' && (flags & FNM_PERIOD) && - (string == stringstart || - ((flags & FNM_PATHNAME) && *(string - 1) == '/'))) - return (FNM_NOMATCH); - - /* Optimize for pattern with * at end or before /. 
*/ - if (c == EOS) { - if (flags & FNM_PATHNAME) - return ((flags & FNM_LEADING_DIR) || - strchr(string, '/') == NULL ? - 0 : FNM_NOMATCH); - else - return (0); - } else if (c == '/' && flags & FNM_PATHNAME) { - if ((string = strchr(string, '/')) == NULL) - return (FNM_NOMATCH); - break; - } - - /* General case, use recursion. */ - while ((test = FOLDCASE(*string, flags)) != EOS) { - if (!fnmatch(pattern, string, - flags & ~FNM_PERIOD)) - return (0); - if (test == '/' && flags & FNM_PATHNAME) - break; - ++string; - } - return (FNM_NOMATCH); - case '[': - if (*string == EOS) - return (FNM_NOMATCH); - if (*string == '/' && flags & FNM_PATHNAME) - return (FNM_NOMATCH); - if ((pattern = - rangematch(pattern, FOLDCASE(*string, flags), - flags)) == NULL) - return (FNM_NOMATCH); - ++string; - break; - case '\\': - if (!(flags & FNM_NOESCAPE)) { - if ((c = FOLDCASE(*pattern++, flags)) == EOS) { - c = '\\'; - --pattern; - } - } - /* FALLTHROUGH */ - default: - if (c != FOLDCASE(*string++, flags)) - return (FNM_NOMATCH); - break; - } - /* NOTREACHED */ -} - -static const char * -rangematch(pattern, test, flags) - const char *pattern; - int test, flags; -{ - int negate, ok; - char c, c2; - - /* - * A bracket expression starting with an unquoted circumflex - * character produces unspecified results (IEEE 1003.2-1992, - * 3.13.2). This implementation treats it like '!', for - * consistency with the regular expression syntax. - * J.T. Conklin (conklin@ngai.kaleida.com) - */ - if ((negate = (*pattern == '!' 
|| *pattern == '^')) != 0) - ++pattern; - - for (ok = 0; (c = FOLDCASE(*pattern++, flags)) != ']';) { - if (c == '\\' && !(flags & FNM_NOESCAPE)) - c = FOLDCASE(*pattern++, flags); - if (c == EOS) - return (NULL); - if (*pattern == '-' - && (c2 = FOLDCASE(*(pattern+1), flags)) != EOS && - c2 != ']') { - pattern += 2; - if (c2 == '\\' && !(flags & FNM_NOESCAPE)) - c2 = FOLDCASE(*pattern++, flags); - if (c2 == EOS) - return (NULL); - if (c <= test && test <= c2) - ok = 1; - } else if (c == test) - ok = 1; - } - return (ok == negate ? NULL : pattern); -} diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm index 172ce6ef93a..c890bb53736 100644 --- a/src/tools/msvc/Mkvcbuild.pm +++ b/src/tools/msvc/Mkvcbuild.pm @@ -3,7 +3,7 @@ package Mkvcbuild; # # Package that generates build files for msvc build # -# $PostgreSQL: pgsql/src/tools/msvc/Mkvcbuild.pm,v 1.33 2008/11/24 09:15:16 mha Exp $ +# $PostgreSQL: pgsql/src/tools/msvc/Mkvcbuild.pm,v 1.34 2008/12/02 10:39:31 mha Exp $ # use Carp; use Win32; @@ -43,7 +43,7 @@ sub mkvcbuild $solution = new Solution($config); our @pgportfiles = qw( - chklocale.c crypt.c fseeko.c fnmatch.c getrusage.c inet_aton.c random.c srandom.c + chklocale.c crypt.c fseeko.c getrusage.c inet_aton.c random.c srandom.c unsetenv.c getaddrinfo.c gettimeofday.c kill.c open.c rand.c snprintf.c strlcat.c strlcpy.c copydir.c dirmod.c exec.c noblock.c path.c pipe.c pgsleep.c pgstrcasecmp.c qsort.c qsort_arg.c sprompt.c thread.c |