#define SLAP_LDAPDN_PRETTY 0x1
+#define SLAP_LDAPDN_MAXLEN 8192
+
/*
* The DN syntax-related functions take advantage of the dn representation
* handling functions ldap_str2dn/ldap_dn2str. The latter are not schema-
assert( in );
if ( in->bv_len == 0 ) {
- return( LDAP_SUCCESS );
+ return LDAP_SUCCESS;
+
+ } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) {
+ return LDAP_INVALID_SYNTAX;
}
rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP );
+ if ( rc != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ assert( strlen( in->bv_val ) == in->bv_len );
/*
* Schema-aware validate
*/
- if ( rc == LDAP_SUCCESS ) {
- rc = LDAPDN_validate( dn );
- ldap_dnfree( dn );
- }
-
+ rc = LDAPDN_validate( dn );
+ ldap_dnfree( dn );
+
if ( rc != LDAP_SUCCESS ) {
- return( LDAP_INVALID_SYNTAX );
+ return LDAP_INVALID_SYNTAX;
}
- return( LDAP_SUCCESS );
+ return LDAP_SUCCESS;
}
/*
for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) {
LDAPAVA *ava = rdn[ 0 ][ iAVA ];
AttributeDescription *ad;
+ slap_syntax_validate_func *validf = NULL;
slap_syntax_transform_func *transf = NULL;
MatchingRule *mr;
struct berval bv = { 0, NULL };
if( ava->la_flags & LDAP_AVA_BINARY ) {
/* AVA is binary encoded, don't muck with it */
+ validf = NULL;
transf = NULL;
mr = NULL;
-
} else if( flags & SLAP_LDAPDN_PRETTY ) {
+ validf = NULL;
transf = ad->ad_type->sat_syntax->ssyn_pretty;
mr = NULL;
} else {
+ validf = ad->ad_type->sat_syntax->ssyn_validate;
transf = ad->ad_type->sat_syntax->ssyn_normalize;
mr = ad->ad_type->sat_equality;
}
+ if ( validf ) {
+ /* validate value before normalization */
+ rc = ( *validf )( ad->ad_type->sat_syntax,
+ ava->la_value.bv_len
+ ? &ava->la_value
+ : (struct berval *) &slap_empty_bv );
+
+ if ( rc != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+ }
+
if ( transf ) {
/*
* transform value by normalize/pretty function
if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) {
char *s = bv.bv_val;
- ber_str2bv( UTF8normalize( bv.bv_val ? &bv
- : &ava->la_value, LDAP_UTF8_CASEFOLD ),
- 0, 0, &bv );
+ if ( UTF8bvnormalize( &bv, &bv,
+ LDAP_UTF8_CASEFOLD ) == NULL ) {
+ return LDAP_INVALID_SYNTAX;
+ }
free( s );
}
return LDAP_INVALID_SYNTAX;
}
+ assert( strlen( val->bv_val ) == val->bv_len );
+
/*
* Schema-aware rewrite
*/
Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 );
- if ( val->bv_len != 0 ) {
+ if ( val->bv_len == 0 ) {
+ ber_dupbv( out, val );
+
+ } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
+ return LDAP_INVALID_SYNTAX;
+
+ } else {
LDAPDN *dn = NULL;
int rc;
return LDAP_INVALID_SYNTAX;
}
+ assert( strlen( val->bv_val ) == val->bv_len );
+
/*
* Schema-aware rewrite
*/
if ( rc != LDAP_SUCCESS ) {
return LDAP_INVALID_SYNTAX;
}
- } else {
- ber_dupbv( out, val );
}
Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 );
assert( pretty );
assert( normal );
- if ( val->bv_len != 0 ) {
+ if ( val->bv_len == 0 ) {
+ ber_dupbv( pretty, val );
+ ber_dupbv( normal, val );
+
+ } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
+ /* too big */
+ return LDAP_INVALID_SYNTAX;
+
+ } else {
LDAPDN *dn = NULL;
int rc;
return LDAP_INVALID_SYNTAX;
}
+ assert( strlen( val->bv_val ) == val->bv_len );
+
/*
* Schema-aware rewrite
*/
pretty->bv_len = 0;
return LDAP_INVALID_SYNTAX;
}
- } else {
- ber_dupbv( pretty, val );
- ber_dupbv( normal, val );
}
Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n",
match = value->bv_len - asserted->bv_len;
if ( match == 0 ) {
- match = strcmp( value->bv_val, asserted->bv_val );
+ match = memcmp( value->bv_val, asserted->bv_val,
+ value->bv_len );
}
#ifdef NEW_LOGGING
/* one-level dn */
if ( p == NULL ) {
- *pdn = slap_empty_bv;
+ pdn->bv_len = 0;
+ pdn->bv_val = dn->bv_val + dn->bv_len;
return;
}
* input is a pretty or normalized DN
* hence, we can just search for ','
*/
- if( rdn == NULL || rdn->bv_len == 0 ) {
+ if( rdn == NULL || rdn->bv_len == 0 ||
+ rdn->bv_len > SLAP_LDAPDN_MAXLEN )
+ {
return LDAP_INVALID_SYNTAX;
}
/* compare */
return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 );
}
+
+#ifdef HAVE_TLS
+/*
+ * Convert an X.509 DN into a normalized LDAP DN
+ */
+int
+dnX509normalize( void *x509_name, struct berval *out )
+{
+ /* Invoke the LDAP library's converter with our schema-rewriter */
+ return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 );
+}
+
+/*
+ * Get the TLS session's peer's DN into a normalized LDAP DN
+ */
+int
+dnX509peerNormalize( void *ssl, struct berval *dn )
+{
+
+ return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );
+}
+#endif