X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fdn.c;h=151d6d35cee0ee66e37c2791952ef72408d0be63;hb=9c550e7235830af9d031d8d7ba86b87f36dcc99f;hp=6702e8dc18816938c6e106dfdc6ca184257aa2f2;hpb=1372965d8941fbe3bb8d51ef9ce2a81e07a0c203;p=openldap diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index 6702e8dc18..151d6d35ce 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -34,7 +34,6 @@ #include #include "slap.h" -#include "ldap_pvt.h" /* must be after slap.h, to get ldap_bv2dn_x() & co */ #include "lutil.h" /* @@ -54,6 +53,55 @@ #define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private ) +static int +LDAPRDN_validate( LDAPRDN rdn ) +{ + int iAVA; + int rc; + + assert( rdn ); + + for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validate = NULL; + + assert( ava ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + ava->la_private = ( void * )ad; + } + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + validate = ad->ad_type->sat_syntax->ssyn_validate; + + if ( validate ) { + /* + * validate value by validate function + */ + rc = ( *validate )( ad->ad_type->sat_syntax, + &ava->la_value ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + } + + return LDAP_SUCCESS; +} + /* * In-place, schema-aware validation of the * structural representation of a distinguished name. @@ -154,6 +202,45 @@ dnValidate( return LDAP_SUCCESS; } +int +rdnValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + LDAPRDN rdn; + char* p; + + assert( in ); + if ( in->bv_len == 0 ) { + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_bv2rdn_x( in , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, NULL); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( in->bv_val ) == in->bv_len ); + + /* + * Schema-aware validate + */ + rc = LDAPRDN_validate( rdn ); + ldap_rdnfree( rdn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + + /* * AVA sorting inside a RDN * @@ -234,6 +321,119 @@ AVA_Sort( LDAPRDN rdn, int iAVA ) } } +static int +LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) +{ + + int rc; + int iAVA; + for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validf = NULL; + slap_mr_normalize_func *normf = NULL; + slap_syntax_transform_func *transf = NULL; + MatchingRule *mr = NULL; + struct berval bv = BER_BVNULL; + int do_sort = 0; + + assert( ava ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + ava->la_private = ( void * )ad; + do_sort = 1; + } + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + if( ava->la_flags & LDAP_AVA_BINARY ) { + if( ava->la_value.bv_len == 0 ) { + /* BER encoding is empty */ + return LDAP_INVALID_SYNTAX; + } + + /* AVA is binary encoded, don't muck with it */ + } else if( flags & SLAP_LDAPDN_PRETTY ) { + transf = ad->ad_type->sat_syntax->ssyn_pretty; + if( !transf ) { + validf = ad->ad_type->sat_syntax->ssyn_validate; + } + } else { /* normalization */ + validf = ad->ad_type->sat_syntax->ssyn_validate; + mr = ad->ad_type->sat_equality; + if( mr ) normf = mr->smr_normalize; + } + + if ( validf ) { + /* validate value before normalization */ + rc = ( *validf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + if ( transf ) { + /* + * transform value by pretty function + * if value is empty, use empty_bv + */ + rc = ( *transf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + if ( normf ) { + /* + * normalize value + * if value is empty, use empty_bv + */ + rc = ( *normf )( + SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + ad->ad_type->sat_syntax, + mr, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + + if( bv.bv_val ) { + if ( ava->la_flags & LDAP_AVA_FREE_VALUE ) + ber_memfree_x( ava->la_value.bv_val, ctx ); + ava->la_value = bv; + ava->la_flags |= LDAP_AVA_FREE_VALUE; + } + + if( do_sort ) AVA_Sort( rdn, iAVA ); + } + return LDAP_SUCCESS; +} + /* * In-place, schema-aware normalization / "pretty"ing of the * structural representation of a distinguished name. @@ -417,6 +617,64 @@ dnNormalize( return LDAP_SUCCESS; } +int +rdnNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val ); + assert( out ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 ); + if ( val->bv_len != 0 ) { + LDAPRDN rdn = NULL; + int rc; + char* p; + + /* + * Go to structural representation + */ + rc = ldap_bv2rdn_x( val , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, ctx); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) { + ldap_rdnfree_x( rdn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* + * Back to string representation + */ + rc = ldap_rdn2bv_x( rdn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_rdnfree_x( rdn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } else { + ber_dupbv_x( out, val, ctx ); + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 ); + + return LDAP_SUCCESS; +} + int dnPretty( Syntax *syntax, @@ -427,11 +685,7 @@ dnPretty( assert( val ); assert( out ); -#ifdef NEW_LOGGING - LDAP_LOG( OPERATION, ARGS, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); -#endif if ( val->bv_len == 0 ) { ber_dupbv_x( out, val, ctx ); @@ -473,15 +727,71 @@ dnPretty( } } -#ifdef NEW_LOGGING - LDAP_LOG( OPERATION, ARGS, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); -#endif return LDAP_SUCCESS; } +int +rdnPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val ); + assert( out ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); + + if ( val->bv_len == 0 ) { + ber_dupbv_x( out, val, ctx ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { + LDAPRDN rdn = NULL; + int rc; + char* p; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2rdn_x( val , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, ctx); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) { + ldap_rdnfree_x( rdn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* FIXME: not sure why the default isn't pretty */ + /* RE: the default is the form that is used as + * an internal representation; the pretty form + * is a variant */ + rc = ldap_rdn2bv_x( rdn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_rdnfree_x( rdn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); + + return LDAP_SUCCESS; +} + + int dnPrettyNormalDN( Syntax *syntax, @@ -493,15 +803,9 @@ dnPrettyNormalDN( assert( val ); assert( dn ); -#ifdef NEW_LOGGING - LDAP_LOG( OPERATION, ARGS, ">>> dn%sDN: <%s>\n", - flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", - val->bv_val, 0 ); -#else Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n", flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", val->bv_val, 0 ); -#endif if ( val->bv_len == 0 ) { return LDAP_SUCCESS; @@ -548,11 +852,7 @@ dnPrettyNormal( struct berval *normal, void *ctx) { -#ifdef NEW_LOGGING - LDAP_LOG ( OPERATION, ENTRY, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); -#else Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); -#endif assert( val ); assert( pretty ); @@ -619,13 +919,8 @@ dnPrettyNormal( } } -#ifdef NEW_LOGGING - LDAP_LOG (OPERATION, RESULTS, "<<< dnPrettyNormal: <%s>, <%s>\n", - pretty->bv_val, normal->bv_val, 0 ); -#else Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n", pretty->bv_val, normal->bv_val, 0 ); -#endif return LDAP_SUCCESS; } @@ -648,6 +943,8 @@ dnMatch( assert( matchp ); assert( value ); assert( assertedValue ); + assert( !BER_BVISNULL( value ) ); + assert( !BER_BVISNULL( asserted ) ); match = value->bv_len - asserted->bv_len; @@ -656,21 +953,149 @@ dnMatch( value->bv_len ); } -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ENTRY, "dnMatch: %d\n %s\n %s\n", - match, value->bv_val, asserted->bv_val ); -#else Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", match, value->bv_val, asserted->bv_val ); -#endif *matchp = match; - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; +} + +/* + * dnRelativeMatch routine + */ +int +dnRelativeMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp ); + assert( value ); + assert( assertedValue ); + assert( !BER_BVISNULL( value ) ); + assert( !BER_BVISNULL( asserted ) ); + + if( mr == slap_schema.si_mr_dnSubtreeMatch ) { + if( asserted->bv_len > value->bv_len ) { + match = -1; + } else if ( asserted->bv_len == value->bv_len ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + } else { + return 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + + } + + if( mr == slap_schema.si_mr_dnSuperiorMatch ) { + asserted = value; + value = (struct berval *) assertedValue; + mr = slap_schema.si_mr_dnSubordinateMatch; + } + + if( mr == slap_schema.si_mr_dnSubordinateMatch ) { + if( asserted->bv_len >= value->bv_len ) { + match = -1; + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + } else { + return 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + } + + if( mr == slap_schema.si_mr_dnOneLevelMatch ) { + if( asserted->bv_len >= value->bv_len ) { + match = -1; + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + + if( !match ) { + struct berval rdn; + rdn.bv_val = value->bv_val; + rdn.bv_len = value->bv_len - asserted->bv_len - 1; + match = dnIsOneLevelRDN( &rdn ) ? 0 : 1; + } + } else { + return 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + } + + /* should not be reachable */ + assert( 0 ); + return LDAP_OTHER; +} + +int +rdnMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp ); + assert( value ); + assert( assertedValue ); + + match = value->bv_len - asserted->bv_len; + + if ( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } + + Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n", + match, value->bv_val, asserted->bv_val ); + + *matchp = match; + return LDAP_SUCCESS; } + /* * dnParent - dn's parent, in-place - * * note: the incoming dn is assumed to be normalized/prettyfied, * so that escaped rdn/ava separators are in '\'+hexpair form */ @@ -700,6 +1125,33 @@ dnParent( return; } +/* + * dnRdn - dn's rdn, in-place + * note: the incoming dn is assumed to be normalized/prettyfied, + * so that escaped rdn/ava separators are in '\'+hexpair form + */ +void +dnRdn( + struct berval *dn, + struct berval *rdn ) +{ + char *p; + + *rdn = *dn; + p = strchr( dn->bv_val, ',' ); + + /* one-level dn */ + if ( p == NULL ) { + return; + } + + assert( DN_SEPARATOR( p[ 0 ] ) ); + assert( ATTR_LEADCHAR( p[ 1 ] ) ); + rdn->bv_len = p - dn->bv_val; + + return; +} + int dnExtractRdn( struct berval *dn, @@ -722,14 +1174,11 @@ dnExtractRdn( return rc; } - rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, + ctx ); ldap_rdnfree_x( tmpRDN, ctx ); - if ( rc != LDAP_SUCCESS ) { - return rc; - } - - return LDAP_SUCCESS; + return rc; } /* @@ -768,7 +1217,7 @@ dn_rdnlen( * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns) */ int -rdnValidate( struct berval *rdn ) +rdn_validate( struct berval *rdn ) { #if 1 /* Major cheat! @@ -780,7 +1229,6 @@ rdnValidate( struct berval *rdn ) { return LDAP_INVALID_SYNTAX; } - return strchr( rdn->bv_val, ',' ) == NULL ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX; @@ -895,6 +1343,35 @@ dnIsSuffix( return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 ); } +int +dnIsOneLevelRDN( struct berval *rdn ) +{ + ber_len_t len = rdn->bv_len; + for ( ; len--; ) { + if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) { + return 0; + } + } + + return 1; +} + +#ifdef HAVE_TLS +static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL; +#endif + +int register_certificate_map_function(SLAP_CERT_MAP_FN *fn) +{ +#ifdef HAVE_TLS + if ( DNX509PeerNormalizeCertMap == NULL ) { + DNX509PeerNormalizeCertMap = fn; + return 0; + } +#endif + + return -1; +} + #ifdef HAVE_TLS /* * Convert an X.509 DN into a normalized LDAP DN @@ -917,7 +1394,16 @@ dnX509normalize( void *x509_name, struct berval *out ) int dnX509peerNormalize( void *ssl, struct berval *dn ) { + int rc = LDAP_INVALID_CREDENTIALS; - return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); + if ( DNX509PeerNormalizeCertMap != NULL ) + rc = (*DNX509PeerNormalizeCertMap)( ssl, dn ); + + if ( rc != LDAP_SUCCESS ) { + rc = ldap_pvt_tls_get_peer_dn( ssl, dn, + (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); + } + + return rc; } #endif