X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fdn.c;h=23aa4e78399eac50b14aee2a5505ef497439b452;hb=2f9b89b4afc2f8fc68ab3f2d1122c92ec53db926;hp=f871e38ce7526289fbd467303ca77840cbff3e0e;hpb=2a2d6cc93ed2320ecfea2bc49530e2dc83ad2719;p=openldap diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index f871e38ce7..23aa4e7839 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -22,6 +22,8 @@ const struct berval slap_empty_bv = { 0, "" }; #define SLAP_LDAPDN_PRETTY 0x1 +#define SLAP_LDAPDN_MAXLEN 8192 + /* * The DN syntax-related functions take advantage of the dn representation * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema- @@ -113,29 +115,30 @@ dnValidate( assert( in ); if ( in->bv_len == 0 ) { - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; } - /* FIXME: str2dn should take a bv and handle this */ - if( strlen( in->bv_val ) != in->bv_len ) { + rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } - rc = ldap_str2dn( in->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + assert( strlen( in->bv_val ) == in->bv_len ); /* * Schema-aware validate */ - if ( rc == LDAP_SUCCESS ) { - rc = LDAPDN_validate( dn ); - ldap_dnfree( dn ); - } - + rc = LDAPDN_validate( dn ); + ldap_dnfree( dn ); + if ( rc != LDAP_SUCCESS ) { - return( LDAP_INVALID_SYNTAX ); + return LDAP_INVALID_SYNTAX; } - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; } /* @@ -239,6 +242,7 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags ) for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { LDAPAVA *ava = rdn[ 0 ][ iAVA ]; AttributeDescription *ad; + slap_syntax_validate_func *validf = NULL; slap_syntax_transform_func *transf = NULL; MatchingRule *mr; struct berval bv = { 0, NULL }; @@ -265,17 +269,31 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags ) if( ava->la_flags & LDAP_AVA_BINARY ) { /* AVA is binary encoded, don't muck with it */ + validf = NULL; transf = NULL; mr = NULL; - } else if( flags & SLAP_LDAPDN_PRETTY ) { + validf = NULL; transf = ad->ad_type->sat_syntax->ssyn_pretty; mr = NULL; } else { + validf = ad->ad_type->sat_syntax->ssyn_validate; transf = ad->ad_type->sat_syntax->ssyn_normalize; mr = ad->ad_type->sat_equality; } + if ( validf ) { + /* validate value before normalization */ + rc = ( *validf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + if ( transf ) { /* * transform value by normalize/pretty function @@ -295,9 +313,10 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags ) if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) { char *s = bv.bv_val; - ber_str2bv( UTF8normalize( bv.bv_val ? &bv - : &ava->la_value, LDAP_UTF8_CASEFOLD ), - 0, 0, &bv ); + if ( UTF8bvnormalize( &bv, &bv, + LDAP_UTF8_CASEFOLD ) == NULL ) { + return LDAP_INVALID_SYNTAX; + } free( s ); } @@ -354,11 +373,13 @@ dnNormalize2( /* * Go to structural representation */ - rc = ldap_str2dn( val->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } + assert( strlen( val->bv_val ) == val->bv_len ); + /* * Schema-aware rewrite */ @@ -418,23 +439,30 @@ dnPretty2( assert( val ); assert( out ); +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ARGS, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#endif - if ( val->bv_len != 0 ) { + if ( val->bv_len == 0 ) { + ber_dupbv( out, val ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { LDAPDN *dn = NULL; int rc; - /* FIXME: str2dn should take a bv and handle this */ - if( strlen( val->bv_val ) != val->bv_len ) { - return LDAP_INVALID_SYNTAX; - } - /* FIXME: should be liberal in what we accept */ - rc = ldap_str2dn( val->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } + assert( strlen( val->bv_val ) == val->bv_len ); + /* * Schema-aware rewrite */ @@ -455,8 +483,6 @@ dnPretty2( if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } - } else { - ber_dupbv( out, val ); } Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); @@ -474,13 +500,25 @@ dnPrettyNormal( struct berval *pretty, struct berval *normal) { +#ifdef NEW_LOGGING + LDAP_LOG ( OPERATION, ENTRY, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#endif assert( val ); assert( pretty ); assert( normal ); - if ( val->bv_len != 0 ) { + if ( val->bv_len == 0 ) { + ber_dupbv( pretty, val ); + ber_dupbv( normal, val ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + /* too big */ + return LDAP_INVALID_SYNTAX; + + } else { LDAPDN *dn = NULL; int rc; @@ -489,17 +527,14 @@ dnPrettyNormal( pretty->bv_len = 0; normal->bv_len = 0; - /* FIXME: str2dn should take a bv and handle this */ - if( strlen( val->bv_val ) != val->bv_len ) { - return LDAP_INVALID_SYNTAX; - } - /* FIXME: should be liberal in what we accept */ - rc = ldap_str2dn( val->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } + assert( strlen( val->bv_val ) == val->bv_len ); + /* * Schema-aware rewrite */ @@ -533,13 +568,15 @@ dnPrettyNormal( pretty->bv_len = 0; return LDAP_INVALID_SYNTAX; } - } else { - ber_dupbv( pretty, val ); - ber_dupbv( normal, val ); } +#ifdef NEW_LOGGING + LDAP_LOG (OPERATION, RESULTS, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val, normal->bv_val, 0 ); +#else Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n", pretty->bv_val, normal->bv_val, 0 ); +#endif return LDAP_SUCCESS; } @@ -566,13 +603,13 @@ dnMatch( match = value->bv_len - asserted->bv_len; if ( match == 0 ) { - match = strcmp( value->bv_val, asserted->bv_val ); + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); } #ifdef NEW_LOGGING - LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY, - "dnMatch: %d\n %s\n %s\n", match, - value->bv_val, asserted->bv_val )); + LDAP_LOG( CONFIG, ENTRY, "dnMatch: %d\n %s\n %s\n", + match, value->bv_val, asserted->bv_val ); #else Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", match, value->bv_val, asserted->bv_val ); @@ -599,7 +636,8 @@ dnParent( /* one-level dn */ if ( p == NULL ) { - *pdn = slap_empty_bv; + pdn->bv_len = 0; + pdn->bv_val = dn->bv_val + dn->bv_len; return; } @@ -629,7 +667,7 @@ dnExtractRdn( return LDAP_OTHER; } - rc = ldap_str2rdn( dn->bv_val, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2rdn( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return rc; } @@ -686,7 +724,9 @@ rdnValidate( struct berval *rdn ) * input is a pretty or normalized DN * hence, we can just search for ',' */ - if( rdn == NULL || rdn->bv_len == 0 ) { + if( rdn == NULL || rdn->bv_len == 0 || + rdn->bv_len > SLAP_LDAPDN_MAXLEN ) + { return LDAP_INVALID_SYNTAX; } @@ -708,7 +748,7 @@ rdnValidate( struct berval *rdn ) /* * must be parsable */ - rc = ldap_str2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return 0; } @@ -759,7 +799,7 @@ build_new_dn( struct berval * new_dn, new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1; new_dn->bv_val = (char *) ch_malloc( new_dn->bv_len + 1 ); - ptr = slap_strcopy( new_dn->bv_val, newrdn->bv_val ); + ptr = lutil_strcopy( new_dn->bv_val, newrdn->bv_val ); *ptr++ = ','; strcpy( ptr, parent_dn->bv_val ); } @@ -802,3 +842,25 @@ dnIsSuffix( /* compare */ return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 ); } + +#ifdef HAVE_TLS +/* + * Convert an X.509 DN into a normalized LDAP DN + */ +int +dnX509normalize( void *x509_name, struct berval *out ) +{ + /* Invoke the LDAP library's converter with our schema-rewriter */ + return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 ); +} + +/* + * Get the TLS session's peer's DN into a normalized LDAP DN + */ +int +dnX509peerNormalize( void *ssl, struct berval *dn ) +{ + + return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); +} +#endif