2000-06-28 20:30:16 +02:00
#-------------------------------------------------------------------------
#
# Makefile for src/interfaces/libpq library
#
# Copyright (c) 1994, Regents of the University of California
#
2002-07-18 05:59:49 +02:00
# $Header: /cvsroot/pgsql/src/interfaces/libpq/Makefile,v 1.63 2002/07/18 03:59:49 momjian Exp $
2000-06-28 20:30:16 +02:00
#
#-------------------------------------------------------------------------
subdir = src/interfaces/libpq
top_builddir = ../../..
2000-08-31 18:12:35 +02:00
include $(top_builddir)/src/Makefile.global
2000-06-28 20:30:16 +02:00
# shared library parameters
NAME= pq
SO_MAJOR_VERSION= 2
2001-05-11 03:46:33 +02:00
SO_MINOR_VERSION= 2
2001-02-20 20:20:30 +01:00
override CPPFLAGS := -I$(srcdir) $(CPPFLAGS) -DFRONTEND -DSYSCONFDIR='"$(sysconfdir)"'
2000-06-28 20:30:16 +02:00
OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
UPDATED PATCH:
Attached are a revised set of SSL patches. Many of these patches
are motivated by security concerns, it's not just bug fixes. The key
differences (from stock 7.2.1) are:
*) almost all code that directly uses the OpenSSL library is in two
new files,
src/interfaces/libpq/fe-ssl.c
src/backend/postmaster/be-ssl.c
in the long run, it would be nice to merge these two files.
*) the legacy code to read and write network data have been
encapsulated into read_SSL() and write_SSL(). These functions
should probably be renamed - they handle both SSL and non-SSL
cases.
the remaining code should eliminate the problems identified
earlier, albeit not very cleanly.
*) both front- and back-ends will send an SSL shutdown via the
new close_SSL() function. This is necessary for sessions to
work properly.
(Sessions are not yet fully supported, but by cleanly closing
the SSL connection instead of just sending a TCP FIN packet
other SSL tools will be much happier.)
*) The client certificate and key are now expected in a subdirectory
of the user's home directory. Specifically,
- the directory .postgresql must be owned by the user, and
allow no access by 'group' or 'other.'
- the file .postgresql/postgresql.crt must be a regular file
owned by the user.
- the file .postgresql/postgresql.key must be a regular file
owned by the user, and allow no access by 'group' or 'other'.
At the current time encrypted private keys are not supported.
There should also be a way to support multiple client certs/keys.
*) the front-end performs minimal validation of the back-end cert.
Self-signed certs are permitted, but the common name *must*
match the hostname used by the front-end. (The cert itself
should always use a fully qualified domain name (FQDN) in its
common name field.)
This means that
psql -h eris db
will fail, but
psql -h eris.example.com db
will succeed. At the current time this must be an exact match;
future patches may support any FQDN that resolves to the address
returned by getpeername(2).
Another common "problem" is expiring certs. For now, it may be
a good idea to use a very-long-lived self-signed cert.
As a compile-time option, the front-end can specify a file
containing valid root certificates, but it is not yet required.
*) the back-end performs minimal validation of the client cert.
It allows self-signed certs. It checks for expiration. It
supports a compile-time option specifying a file containing
valid root certificates.
*) both front- and back-ends default to TLSv1, not SSLv3/SSLv2.
*) both front- and back-ends support DSA keys. DSA keys are
moderately more expensive on startup, but many people consider
them preferable to RSA keys. (E.g., SSH2 prefers DSA keys.)
*) if /dev/urandom exists, both client and server will read 16k
of randomization data from it.
*) the server can read ephemeral DH parameters from the files
$DataDir/dh512.pem
$DataDir/dh1024.pem
$DataDir/dh2048.pem
$DataDir/dh4096.pem
if none are provided, the server will default to hardcoded
parameter files provided by the OpenSSL project.
Remaining tasks:
*) the select() clauses need to be revisited - the SSL abstraction
layer may need to absorb more of the current code to avoid rare
deadlock conditions. This also touches on a true solution to
the pg_eof() problem.
*) the SIGPIPE signal handler may need to be revisited.
*) support encrypted private keys.
*) sessions are not yet fully supported. (SSL sessions can span
multiple "connections," and allow the client and server to avoid
costly renegotiations.)
*) makecert - a script that creates back-end certs.
*) pgkeygen - a tool that creates front-end certs.
*) the whole protocol issue, SASL, etc.
*) certs are fully validated - valid root certs must be available.
This is a hassle, but it means that you *can* trust the identity
of the server.
*) the client library can handle hardcoded root certificates, to
avoid the need to copy these files.
*) host name of server cert must resolve to IP address, or be a
recognized alias. This is more liberal than the previous
iteration.
*) the number of bytes transferred is tracked, and the session
key is periodically renegotiated.
*) basic cert generation scripts (mkcert.sh, pgkeygen.sh). The
configuration files have reasonable defaults for each type
of use.
Bear Giles
2002-06-14 06:23:17 +02:00
	pqexpbuffer.o dllist.o md5.o pqsignal.o fe-secure.o \
2002-07-18 05:59:49 +02:00
	$(notdir $(INET_ATON)) $(notdir $(SNPRINTF)) $(notdir $(STRERROR))
2000-06-28 20:30:16 +02:00
ifdef MULTIBYTE
Commit Karel's patch.
-------------------------------------------------------------------
Subject: Re: [PATCHES] encoding names
From: Karel Zak <zakkr@zf.jcu.cz>
To: Peter Eisentraut <peter_e@gmx.net>
Cc: pgsql-patches <pgsql-patches@postgresql.org>
Date: Fri, 31 Aug 2001 17:24:38 +0200
On Thu, Aug 30, 2001 at 01:30:40AM +0200, Peter Eisentraut wrote:
> > - convert encoding 'name' to 'id'
>
> I thought we decided not to add functions returning "new" names until we
> know exactly what the new names should be, and pending schema
Ok, the patch not to add functions.
> better
>
> ...(): encoding name too long
Fixed.
I found a new bug in command/variable.c in parse_client_encoding(); probably
nobody ever sees this error:
if (pg_set_client_encoding(encoding))
{
elog(ERROR, "Conversion between %s and %s is not supported",
value, GetDatabaseEncodingName());
}
because pg_set_client_encoding() returns -1 for error and 0 as true.
It's fixed too.
IMHO it can be applied.
Karel
PS:
* following files are renamed:
src/utils/mb/Unicode/KOI8_to_utf8.map -->
src/utils/mb/Unicode/koi8r_to_utf8.map
src/utils/mb/Unicode/WIN_to_utf8.map -->
src/utils/mb/Unicode/win1251_to_utf8.map
src/utils/mb/Unicode/utf8_to_KOI8.map -->
src/utils/mb/Unicode/utf8_to_koi8r.map
src/utils/mb/Unicode/utf8_to_WIN.map -->
src/utils/mb/Unicode/utf8_to_win1251.map
* new file:
src/utils/mb/encname.c
* removed file:
src/utils/mb/common.c
--
Karel Zak <zakkr@zf.jcu.cz>
http://home.zf.jcu.cz/~zakkr/
C, PostgreSQL, PHP, WWW, http://docs.linux.cz, http://mape.jcu.cz
2001-09-06 06:57:30 +02:00
OBJS+= wchar.o encnames.o
2000-06-28 20:30:16 +02:00
endif
2000-10-25 18:13:52 +02:00
# Add libraries that libpq depends (or might depend) on into the
# shared library link. (The order in which you list them here doesn't
# matter.)
2001-09-23 00:54:33 +02:00
SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS))
2001-08-28 16:20:28 +02:00
all: all-lib
2000-06-28 20:30:16 +02:00
# Shared library stuff
include $(top_srcdir)/src/Makefile.shlib
backend_src = $(top_srcdir)/src/backend
2000-06-28 20:30:16 +02:00
dllist.c: $(backend_src)/lib/dllist.c
	rm -f $@ && $(LN_S) $< .
2001-08-15 20:42:16 +02:00
md5.c: $(backend_src)/libpq/md5.c
	rm -f $@ && $(LN_S) $< .
2002-07-18 05:59:49 +02:00
# We use several backend modules verbatim, but since we need to
# compile with appropriate options to build a shared lib, we can't
# necessarily use the same object files as the backend uses. Instead,
# symlink the source files in here and build our own object file.
2001-01-21 00:07:27 +01:00
# this only gets done if configure finds system doesn't have inet_aton()
2002-07-18 05:59:49 +02:00
ifdef INET_ATON
$(basename $(notdir $(INET_ATON))).c: $(basename $(INET_ATON)).c
2001-01-21 00:07:27 +01:00
	rm -f $@ && $(LN_S) $< .
2002-07-18 05:59:49 +02:00
endif
2002-07-18 05:59:49 +02:00
ifdef SNPRINTF
$(basename $(notdir $(SNPRINTF))).c: $(basename $(SNPRINTF)).c
2000-06-28 20:30:16 +02:00
	rm -f $@ && $(LN_S) $< .
2002-07-18 05:59:49 +02:00
endif
2002-07-18 05:59:49 +02:00
ifdef STRERROR
$(basename $(notdir $(STRERROR))).c: $(basename $(STRERROR)).c
2000-06-28 20:30:16 +02:00
	rm -f $@ && $(LN_S) $< .
2002-07-18 05:59:49 +02:00
endif
2000-06-28 20:30:16 +02:00
ifdef MULTIBYTE
2001-02-11 02:52:11 +01:00
wchar.c : % : $(backend_src)/utils/mb/%
2000-06-28 20:30:16 +02:00
	rm -f $@ && $(LN_S) $< .
2001-09-06 06:57:30 +02:00
encnames.c : % : $(backend_src)/utils/mb/%
	rm -f $@ && $(LN_S) $< .
2000-06-28 20:30:16 +02:00
endif
2001-08-28 16:20:28 +02:00
install: all installdirs install-lib
Support for DESTDIR make variable. This is used as in `make install
DESTDIR=/else/where' and prepends the value of DESTDIR to the full
installation paths (e.g., /else/where/usr/local/pgsql/bin). This allows
users to install the package into a location different from the one that
was configured and hard-coded into various scripts, e.g., for creating
binary packages.
DESTDIR is in many cases preferable over `make install
prefix=/else/where' because
a) `prefix' affects the path that is hard-coded into the files, which can
lead to a `make install prefix=xxx' (as done by the regression test
driver) corrupting the files in the source tree with wrong paths.
b) it doesn't work at all if a directory was overridden to not depend on
`prefix', e.g., --sysconfdir=/etc.
(Updating the regression test driver to use DESTDIR is a separate
undertaking.)
See also autoconf@gnu.org, From: Akim Demaille <akim@epita.fr>, Date: 08
Sep 2000 12:48:59 +0200, Message-ID:
<mv4em2vb1lw.fsf@nostromo.lrde.epita.fr>, Subject: Re: HTML format
documentation.
2000-09-17 15:02:52 +02:00
	$(INSTALL_DATA) $(srcdir)/libpq-fe.h $(DESTDIR)$(includedir)
2001-08-28 16:20:28 +02:00
	$(INSTALL_DATA) $(srcdir)/libpq-int.h $(DESTDIR)$(includedir_internal)
	$(INSTALL_DATA) $(srcdir)/pqexpbuffer.h $(DESTDIR)$(includedir_internal)
2000-06-28 20:30:16 +02:00
installdirs:
2001-08-28 16:20:28 +02:00
	$(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(includedir) $(DESTDIR)$(includedir_internal)
2000-06-28 20:30:16 +02:00
uninstall: uninstall-lib
2001-08-28 16:20:28 +02:00
	rm -f $(DESTDIR)$(includedir)/libpq-fe.h $(DESTDIR)$(includedir_internal)/libpq-int.h $(includedir_internal)/pqexpbuffer.h
2000-06-28 20:30:16 +02:00
clean distclean maintainer-clean: clean-lib
2001-09-21 22:31:49 +02:00
	rm -f $(OBJS) dllist.c md5.c wchar.c encnames.c
2001-01-21 00:07:27 +01:00
	rm -f $(OBJS) inet_aton.c snprintf.c strerror.c
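The client certificate and key file rules listed in the SSL commit message above (the .postgresql directory, postgresql.crt and postgresql.key), written out as a check. This is an added example, not the patch's or libpq's own code; the function name, the result codes and the use of lstat() (which makes a symlink fail the directory and regular-file tests) are assumptions of the example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes are this example's own, not libpq's. */
enum ck_result { CK_OK, CK_BAD_HOME, CK_DIR_BAD, CK_DIR_PERMS,
                 CK_CERT_BAD, CK_KEY_BAD, CK_KEY_PERMS };

/* lstat() so a symlink never counts as a directory or a regular file. */
static int owned(const char *path, struct stat *st)
{
    return lstat(path, st) == 0 && st->st_uid == geteuid();
}

/* Apply the three rules from the commit message to <home>/.postgresql. */
enum ck_result check_client_cert_files(const char *home)
{
    char path[1024];
    struct stat st;

    if (home == NULL || strlen(home) > sizeof path - 32)
        return CK_BAD_HOME;

    /* directory: owned by the user, no access for group or other */
    snprintf(path, sizeof path, "%s/.postgresql", home);
    if (!owned(path, &st) || !S_ISDIR(st.st_mode))
        return CK_DIR_BAD;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return CK_DIR_PERMS;
    /* certificate: regular file owned by the user; no mode rule is listed */
    snprintf(path, sizeof path, "%s/.postgresql/postgresql.crt", home);
    if (!owned(path, &st) || !S_ISREG(st.st_mode))
        return CK_CERT_BAD;
    /* private key: regular file owned by the user, no group/other access */
    snprintf(path, sizeof path, "%s/.postgresql/postgresql.key", home);
    if (!owned(path, &st) || !S_ISREG(st.st_mode))
        return CK_KEY_BAD;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return CK_KEY_PERMS;
    return CK_OK;
}

int main(void)
{
    return check_client_cert_files(getenv("HOME")) == CK_OK ? 0 : 1;
}
```

The check is a point-in-time test: a caller that opens the key afterwards would repeat the ownership and mode test with fstat() on the open descriptor to avoid a race between check and use.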