| author | Magnus Hagander <magnus@hagander.net> | 2008-11-24 09:15:16 +0000 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2008-11-24 09:15:16 +0000 |
| commit | cb10467d305726bf13bc1cb9ad9f7054c722c7dd (patch) | |
| tree | 43443f9d721a3b8609f5e90f078ebec3e243d45c /src/interfaces/libpq | |
| parent | a37855550100f93887ffb289a8a9c2f15706bad2 (diff) | |
| download | postgresql-cb10467d305726bf13bc1cb9ad9f7054c722c7dd.tar.gz | |
Add support for matching wildcard server certificates to the new SSL code.
This uses the function fnmatch() which is not available on all platforms
(notably Windows), so import the implementation from NetBSD into src/port.
Diffstat (limited to 'src/interfaces/libpq')
| -rw-r--r-- | src/interfaces/libpq/Makefile | 8 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure.c | 20 |
2 files changed, 19 insertions, 9 deletions
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index 3d2646b883..82a7fc26c1 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile @@ -5,7 +5,7 @@ # Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group # Portions Copyright (c) 1994, Regents of the University of California # -# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.168 2008/10/01 15:35:32 mha Exp $ +# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.169 2008/11/24 09:15:16 mha Exp $ # #------------------------------------------------------------------------- @@ -34,7 +34,7 @@ OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \ fe-protocol2.o fe-protocol3.o pqexpbuffer.o pqsignal.o fe-secure.o \ libpq-events.o \ md5.o ip.o wchar.o encnames.o noblock.o pgstrcasecmp.o thread.o \ - $(filter crypt.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o, $(LIBOBJS)) + $(filter crypt.o fnmatch.o getaddrinfo.o inet_aton.o open.o snprintf.o strerror.o strlcpy.o win32error.o, $(LIBOBJS)) ifeq ($(PORTNAME), cygwin) override shlib = cyg$(NAME)$(DLSUFFIX) @@ -80,7 +80,7 @@ backend_src = $(top_srcdir)/src/backend # For port modules, this only happens if configure decides the module # is needed (see filter hack in OBJS, above). -crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/% +crypt.c fnmatch.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c win32error.c pgsleep.c: % : $(top_srcdir)/src/port/% rm -f $@ && $(LN_S) $< . md5.c ip.c: % : $(backend_src)/libpq/% 
@@ -123,7 +123,7 @@ uninstall: uninstall-lib rm -f '$(DESTDIR)$(datadir)/pg_service.conf.sample' clean distclean: clean-lib - rm -f $(OBJS) pg_config_paths.h crypt.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc + rm -f $(OBJS) pg_config_paths.h crypt.c fnmatch.c getaddrinfo.c inet_aton.c noblock.c open.c pgstrcasecmp.c snprintf.c strerror.c strlcpy.c thread.c md5.c ip.c encnames.c wchar.c win32error.c pgsleep.c pthread.h libpq.rc # Might be left over from a Win32 client-only build rm -f pg_config_paths.h diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 1cc7c5cbfb..c72feeb0b2 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.107 2008/11/13 09:45:25 mha Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.108 2008/11/24 09:15:16 mha Exp $ * * NOTES * @@ -63,6 +63,13 @@ #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) #include <openssl/engine.h> #endif + +/* fnmatch() needed for client certificate checking */ +#ifdef HAVE_FNMATCH +#include <fnmatch.h> +#else +#include "fnmatchstub.h" +#endif #endif /* USE_SSL */ 
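Review bot: The comment on the new include block in fe-secure.c says `fnmatch() needed for client certificate checking`, but the only call added by this commit matches the server certificate's common name against the host name. I would reword it to `/* fnmatch() needed for matching wildcard server certificates */`. Separately, the system-header branch is gated on `HAVE_FNMATCH` alone, while the call site passes `FNM_CASEFOLD`, which is not a POSIX flag and may be missing from some platforms' `<fnmatch.h>`. The configure test is not visible here, so it is worth confirming that it also checks for that flag, or that the fallback header is used when the flag is absent.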
@@ -461,17 +468,20 @@ verify_peer_name_matches_certificate(PGconn *conn) * Connect by hostname. * * XXX: Should support alternate names here - * XXX: Should support wildcard certificates here */ - if (pg_strcasecmp(conn->peer_cn, conn->pghost) != 0) + if (pg_strcasecmp(conn->peer_cn, conn->pghost) == 0) + /* Exact name match */ + return true; + else if (fnmatch(conn->peer_cn, conn->pghost, FNM_NOESCAPE | FNM_CASEFOLD) == 0) + /* Matched wildcard certificate */ + return true; + else { printfPQExpBuffer(&conn->errorMessage, libpq_gettext("server common name '%s' does not match hostname '%s'"), conn->peer_cn, conn->pghost); return false; } - else - return true; } } |
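Review bot: The `fnmatch()` call in the new `else if` applies shell-glob semantics to `conn->peer_cn`, which is broader than certificate wildcard matching: with only `FNM_NOESCAPE | FNM_CASEFOLD` set, `*` can span several DNS labels, and `?` and `[...]` in the common name are also read as pattern characters. A certificate issued for `*.example.com` would therefore be accepted for `a.b.example.com`, and a common name consisting of just `*` would be accepted for any host. I would replace the call with a small helper that treats only a leading `*.` as a wildcard and lets it stand for exactly one label, as sketched below. The helper name is a suggestion, and it would sit above verify_peer_name_matches_certificate(), whose body starts and ends outside this hunk.

```c
/* proposed helper, placed above verify_peer_name_matches_certificate() */
static bool
cn_wildcard_matches(const char *pattern, const char *host)
{
	size_t		lenpat = strlen(pattern);
	size_t		lenhost = strlen(host);

	/* only a leading "*." is treated as a wildcard */
	if (lenpat < 3 || pattern[0] != '*' || pattern[1] != '.')
		return false;

	/* the host needs at least one character in place of the '*' */
	if (lenhost < lenpat)
		return false;

	/* the host must end in the pattern's ".domain" part */
	if (pg_strcasecmp(pattern + 1, host + lenhost - lenpat + 1) != 0)
		return false;

	/* whatever stands in for '*' must be a single label */
	if (memchr(host, '.', lenhost - lenpat + 1) != NULL)
		return false;

	return true;
}

		/* … unchanged: exact pg_strcasecmp() match returning true … */
		else if (cn_wildcard_matches(conn->peer_cn, conn->pghost))
			/* Matched wildcard certificate */
			return true;
		/* … unchanged: mismatch error message and return false … */
```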
