X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fdn.c;h=647468d92bffc5ba5804596c44278e2870f6b271;hb=e3b1020e7558dff26d8c87ebb2746f197775c24f;hp=38ecca3af38ce367eda11344b337473cb34c7fb9;hpb=d047cc854ed9b18fa76983db1fb8b9a85906c15a;p=openldap diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index 38ecca3af3..647468d92b 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -1,7 +1,7 @@ /* dn.c - routines for dealing with distinguished names */ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -18,7 +18,7 @@ #include "slap.h" -#define SLAP_LDAPDN_PRETTY 0x1 +#include "lutil.h" /* * The DN syntax-related functions take advantage of the dn representation @@ -49,14 +49,14 @@ LDAPDN_validate( LDAPDN *dn ) assert( dn ); - for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) { - LDAPRDN *rdn = dn[ iRDN ][ 0 ]; + for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) { + LDAPRDN *rdn = dn[ 0 ][ iRDN ]; int iAVA; assert( rdn ); - for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { - LDAPAVA *ava = rdn[ iAVA ][ 0 ]; + for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ 0 ][ iAVA ]; AttributeDescription *ad; slap_syntax_validate_func *validate = NULL; @@ -65,7 +65,7 @@ LDAPDN_validate( LDAPDN *dn ) if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { const char *text = NULL; - rc = slap_bv2ad( ava->la_attr, &ad, &text ); + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } @@ -76,8 +76,7 @@ LDAPDN_validate( LDAPDN *dn ) /* * Replace attr oid/name with the canonical name */ - ber_bvfree( ava->la_attr ); - ava->la_attr = ber_bvdup( &ad->ad_cname ); + ava->la_attr = ad->ad_cname; validate = ad->ad_type->sat_syntax->ssyn_validate; @@ -86,7 +85,7 @@ LDAPDN_validate( LDAPDN *dn ) * validate value by validate function */ rc = ( *validate )( ad->ad_type->sat_syntax, - ava->la_value ); + &ava->la_value ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; @@ -112,25 +111,30 @@ dnValidate( assert( in ); if ( in->bv_len == 0 ) { - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; } - rc = ldap_str2dn( in->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + assert( strlen( in->bv_val ) == in->bv_len ); /* * Schema-aware validate */ - if ( rc == LDAP_SUCCESS ) { - rc = LDAPDN_validate( dn ); - } - + rc = LDAPDN_validate( dn ); ldap_dnfree( dn ); - + if ( rc != LDAP_SUCCESS ) { - return( LDAP_INVALID_SYNTAX ); + return LDAP_INVALID_SYNTAX; } - return( LDAP_SUCCESS ); + return LDAP_SUCCESS; } /* @@ -141,6 +145,9 @@ dnValidate( * (use memcmp, which implies alphabetical order in case of IA5 value; * this should guarantee the repeatability of the operation). * + * Note: the sorting can be slightly improved by sorting first + * by attribute type length, then by alphabetical order. + * * uses a linear search; should be fine since the number of AVAs in * a RDN should be limited. */ @@ -148,18 +155,18 @@ static void AVA_Sort( LDAPRDN *rdn, int iAVA ) { int i; - LDAPAVA *ava_in = rdn[ iAVA ][ 0 ]; + LDAPAVA *ava_in = rdn[ 0 ][ iAVA ]; assert( rdn ); assert( ava_in ); for ( i = 0; i < iAVA; i++ ) { - LDAPAVA *ava = rdn[ i ][ 0 ]; + LDAPAVA *ava = rdn[ 0 ][ i ]; int a, j; assert( ava ); - a = strcmp( ava_in->la_attr->bv_val, ava->la_attr->bv_val ); + a = strcmp( ava_in->la_attr.bv_val, ava->la_attr.bv_val ); if ( a > 0 ) { break; @@ -168,12 +175,12 @@ AVA_Sort( LDAPRDN *rdn, int iAVA ) while ( a == 0 ) { int v, d; - d = ava_in->la_value->bv_len - ava->la_value->bv_len; + d = ava_in->la_value.bv_len - ava->la_value.bv_len; - v = memcmp( ava_in->la_value->bv_val, - ava->la_value->bv_val, - d <= 0 ? ava_in->la_value->bv_len - : ava->la_value->bv_len ); + v = memcmp( ava_in->la_value.bv_val, + ava->la_value.bv_val, + d <= 0 ? ava_in->la_value.bv_len + : ava->la_value.bv_len ); if ( v == 0 && d != 0 ) { v = d; @@ -193,18 +200,18 @@ AVA_Sort( LDAPRDN *rdn, int iAVA ) return; } - ava = rdn[ i ][ 0 ]; - a = strcmp( ava_in->la_value->bv_val, - ava->la_value->bv_val ); + ava = rdn[ 0 ][ i ]; + a = strcmp( ava_in->la_attr.bv_val, + ava->la_attr.bv_val ); } /* * move ahead */ for ( j = iAVA; j > i; j-- ) { - rdn[ j ][ 0 ] = rdn[ j - 1 ][ 0 ]; + rdn[ 0 ][ j ] = rdn[ 0 ][ j - 1 ]; } - rdn[ i ][ 0 ] = ava_in; + rdn[ 0 ][ i ] = ava_in; return; } @@ -222,110 +229,170 @@ LDAPDN_rewrite( LDAPDN *dn, unsigned flags ) assert( dn ); - for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) { - LDAPRDN *rdn = dn[ iRDN ][ 0 ]; + for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) { + LDAPRDN *rdn = dn[ 0 ][ iRDN ]; int iAVA; assert( rdn ); - for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { - LDAPAVA *ava = rdn[ iAVA ][ 0 ]; + for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ 0 ][ iAVA ]; AttributeDescription *ad; + slap_syntax_validate_func *validf = NULL; +#ifdef SLAP_NVALUES + slap_mr_normalize_func *normf = NULL; +#endif slap_syntax_transform_func *transf = NULL; - MatchingRule *mr; - struct berval *bv = NULL; + MatchingRule *mr = NULL; + struct berval bv = { 0, NULL }; + int do_sort = 0; assert( ava ); if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { const char *text = NULL; - rc = slap_bv2ad( ava->la_attr, &ad, &text ); + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } ava->la_private = ( void * )ad; + do_sort = 1; } /* * Replace attr oid/name with the canonical name */ - ber_bvfree( ava->la_attr ); - ava->la_attr = ber_bvdup( &ad->ad_cname ); + ava->la_attr = ad->ad_cname; - if( flags & SLAP_LDAPDN_PRETTY ) { + if( ava->la_flags & LDAP_AVA_BINARY ) { + /* AVA is binary encoded, don't muck with it */ + } else if( flags & SLAP_LDAPDN_PRETTY ) { transf = ad->ad_type->sat_syntax->ssyn_pretty; - mr = NULL; - } else { - transf = ad->ad_type->sat_syntax->ssyn_normalize; + if( !transf ) { + validf = ad->ad_type->sat_syntax->ssyn_validate; + } + } else { /* normalization */ + validf = ad->ad_type->sat_syntax->ssyn_validate; mr = ad->ad_type->sat_equality; +#ifdef SLAP_NVALUES + if( mr ) normf = mr->smr_normalize; +#else + transf = ad->ad_type->sat_syntax->ssyn_normalize; +#endif + } + + if ( validf ) { + /* validate value before normalization */ + rc = ( *validf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } } if ( transf ) { /* +#ifdef SLAP_NVALUES + * transform value by pretty function +#else * transform value by normalize/pretty function +#endif + * if value is empty, use empty_bv */ rc = ( *transf )( ad->ad_type->sat_syntax, - ava->la_value, &bv ); + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } } - if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) { - struct berval *s = bv; +#ifdef SLAP_NVALUES + if ( normf ) { + /* + * normalize value + * if value is empty, use empty_bv + */ + rc = ( *normf )( + 0, + ad->ad_type->sat_syntax, + mr, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } - bv = ber_bvstr( UTF8normalize( bv ? bv : ava->la_value, - UTF8_CASEFOLD ) ); +#else + if( mr && ( mr->smr_usage & SLAP_MR_DN_FOLD ) ) { + char *s = bv.bv_val; - ber_bvfree( s ); + if ( UTF8bvnormalize( &bv, &bv, + LDAP_UTF8_CASEFOLD ) == NULL ) { + return LDAP_INVALID_SYNTAX; + } + free( s ); } +#endif - if( bv ) { - ber_bvfree( ava->la_value ); + if( bv.bv_val ) { + free( ava->la_value.bv_val ); ava->la_value = bv; } - AVA_Sort( rdn, iAVA ); + if( do_sort ) AVA_Sort( rdn, iAVA ); } } return LDAP_SUCCESS; } -/* - * dn normalize routine - */ int +#ifdef SLAP_NVALUES dnNormalize( - Syntax *syntax, - struct berval *val, - struct berval **normalized ) + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out ) +#else +dnNormalize( + Syntax *syntax, + struct berval *val, + struct berval *out ) +#endif { - struct berval *out = NULL; - - Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 ); - assert( val ); - assert( normalized ); + assert( out ); - assert( *normalized == NULL ); + Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val, 0, 0 ); if ( val->bv_len != 0 ) { LDAPDN *dn = NULL; - char *dn_out = NULL; int rc; /* * Go to structural representation */ - rc = ldap_str2dn( val->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } + assert( strlen( val->bv_val ) == val->bv_len ); + /* * Schema-aware rewrite */ @@ -337,27 +404,24 @@ dnNormalize( /* * Back to string representation */ - rc = ldap_dn2str( dn, &dn_out, LDAP_DN_FORMAT_LDAPV3 ); + rc = ldap_dn2bv( dn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); ldap_dnfree( dn ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } - - out = ber_bvstr( dn_out ); - } else { - out = ber_bvdup( val ); + ber_dupbv( out, val ); } Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val, 0, 0 ); - *normalized = out; - return LDAP_SUCCESS; } +#if 0 /* * dn "pretty"ing routine */ @@ -367,25 +431,54 @@ dnPretty( struct berval *val, struct berval **pretty) { - struct berval *out = NULL; + struct berval *out; + int rc; + + assert( pretty && *pretty == NULL ); + + out = ch_malloc( sizeof( struct berval ) ); + rc = dnPretty2( syntax, val, out ); + if ( rc != LDAP_SUCCESS ) + free( out ); + else + *pretty = out; + return rc; +} +#endif + +int +dnPretty2( + Syntax *syntax, + struct berval *val, + struct berval *out) +{ + assert( val ); + assert( out ); +#ifdef NEW_LOGGING + LDAP_LOG( OPERATION, ARGS, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#else Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val, 0, 0 ); +#endif - assert( val ); - assert( pretty ); - assert( *pretty == NULL ); + if ( val->bv_len == 0 ) { + ber_dupbv( out, val ); - if ( val->bv_len != 0 ) { + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { LDAPDN *dn = NULL; - char *dn_out = NULL; int rc; /* FIXME: should be liberal in what we accept */ - rc = ldap_str2dn( val->bv_val, &dn, LDAP_DN_FORMAT_LDAP ); + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } + assert( strlen( val->bv_val ) == val->bv_len ); + /* * Schema-aware rewrite */ @@ -398,7 +491,7 @@ dnPretty( /* RE: the default is the form that is used as * an internal representation; the pretty form * is a variant */ - rc = ldap_dn2str( dn, &dn_out, + rc = ldap_dn2bv( dn, out, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); ldap_dnfree( dn ); @@ -406,342 +499,269 @@ dnPretty( if ( rc != LDAP_SUCCESS ) { return LDAP_INVALID_SYNTAX; } - - out = ber_bvstr( dn_out ); - - } else { - out = ber_bvdup( val ); } Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val, 0, 0 ); - *pretty = out; - return LDAP_SUCCESS; } -/* - * dnMatch routine - * - * note: uses exact string match (strcmp) because it is supposed to work - * on normalized DNs. - */ int -dnMatch( - int *matchp, - slap_mask_t flags, +dnPrettyNormalDN( Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) + struct berval *val, + LDAPDN **dn, + int flags ) { - int match; - struct berval *asserted = (struct berval *) assertedValue; - - assert( matchp ); - assert( value ); - assert( assertedValue ); - - match = value->bv_len - asserted->bv_len; - - if ( match == 0 ) { - match = strcmp( value->bv_val, asserted->bv_val ); - } + assert( val ); + assert( dn ); #ifdef NEW_LOGGING - LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY, - "dnMatch: %d\n %s\n %s\n", match, - value->bv_val, asserted->bv_val )); + LDAP_LOG( OPERATION, ARGS, ">>> dn%sDN: <%s>\n", + flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", + val->bv_val, 0 ); #else - Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", - match, value->bv_val, asserted->bv_val ); + Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n", + flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", + val->bv_val, 0 ); #endif - *matchp = match; - return( LDAP_SUCCESS ); -} + if ( val->bv_len == 0 ) { + return LDAP_SUCCESS; -#ifdef SLAP_DN_MIGRATION -/* - * these routines are provided for migration purposes only! - * dn_validate is deprecated in favor of dnValidate - * dn_normalize is deprecated in favor of dnNormalize - * strcmp/strcasecmp for DNs is deprecated in favor of dnMatch - * - * other routines are likewise deprecated but may not yet have - * replacement functions. - */ + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; -/* - * dn_validate - validate and compress dn. the dn is - * compressed in place are returned if valid. - * Deprecated in favor of dnValidate() - */ -char * -dn_validate( char *dn ) -{ - struct berval val; - struct berval *pretty = NULL; - int rc; + } else { + int rc; - if ( dn == NULL || dn[0] == '\0' ) { - return dn; - } + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn( val, dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } - val.bv_val = dn; - val.bv_len = strlen( dn ); + assert( strlen( val->bv_val ) == val->bv_len ); - rc = dnPretty( NULL, &val, &pretty ); - if ( rc != LDAP_SUCCESS ) { - return NULL; - } - - if ( val.bv_len < pretty->bv_len ) { - ber_bvfree( pretty ); - return NULL; + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( *dn, flags ) != LDAP_SUCCESS ) { + ldap_dnfree( *dn ); + *dn = NULL; + return LDAP_INVALID_SYNTAX; + } } - AC_MEMCPY( dn, pretty->bv_val, pretty->bv_len + 1 ); - ber_bvfree( pretty ); + Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n", + flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", + 0, 0 ); - return dn; + return LDAP_SUCCESS; } /* - * dn_normalize - put dn into a canonical form suitable for storing - * in a hash database. this involves normalizing the case as well as - * the format. the dn is normalized in place as well as returned if valid. - * Deprecated in favor of dnNormalize() + * Combination of both dnPretty and dnNormalize */ -char * -dn_normalize( char *dn ) +int +dnPrettyNormal( + Syntax *syntax, + struct berval *val, + struct berval *pretty, + struct berval *normal) { - struct berval val; - struct berval *normalized = NULL; - int rc; +#ifdef NEW_LOGGING + LDAP_LOG ( OPERATION, ENTRY, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val, 0, 0 ); +#endif - if ( dn == NULL || dn[0] == '\0' ) { - return dn; - } + assert( val ); + assert( pretty ); + assert( normal ); - val.bv_val = dn; - val.bv_len = strlen( dn ); + if ( val->bv_len == 0 ) { + ber_dupbv( pretty, val ); + ber_dupbv( normal, val ); - rc = dnNormalize( NULL, &val, &normalized ); - if ( rc != LDAP_SUCCESS ) { - return NULL; - } + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + /* too big */ + return LDAP_INVALID_SYNTAX; - if ( val.bv_len < normalized->bv_len ) { - ber_bvfree( normalized ); - return NULL; - } + } else { + LDAPDN *dn = NULL; + int rc; - AC_MEMCPY( dn, normalized->bv_val, normalized->bv_len + 1 ); - ber_bvfree( normalized ); + pretty->bv_val = NULL; + normal->bv_val = NULL; + pretty->bv_len = 0; + normal->bv_len = 0; - return dn; -} + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn( val, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } -/* - * dnParent - dn's parent, in-place - */ -int -dnParent( - const char *dn, - const char **pdn ) -{ - LDAPRDN *tmpRDN; - const char *p; - int rc; + assert( strlen( val->bv_val ) == val->bv_len ); - rc = ldap_str2rdn( dn, &tmpRDN, &p, LDAP_DN_FORMAT_LDAP ); - if ( rc != LDAP_SUCCESS ) { - return rc; - } - ldap_rdnfree( tmpRDN ); + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; + } - assert( DN_SEPARATOR( p[ 0 ] ) ); - p++; + rc = ldap_dn2bv( dn, pretty, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); - while ( ASCII_SPACE( p[ 0 ] ) ) { - p++; + if ( rc != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return LDAP_INVALID_SYNTAX; + } + + if ( LDAPDN_rewrite( dn, 0 ) != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + free( pretty->bv_val ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_dn2bv( dn, normal, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); + + ldap_dnfree( dn ); + if ( rc != LDAP_SUCCESS ) { + free( pretty->bv_val ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; + } } - *pdn = p; +#ifdef NEW_LOGGING + LDAP_LOG (OPERATION, RESULTS, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val, normal->bv_val, 0 ); +#else + Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val, normal->bv_val, 0 ); +#endif return LDAP_SUCCESS; } /* - * dn_parent - return the dn's parent, in-place - * FIXME: should be replaced by dnParent() + * dnMatch routine */ -char * -dn_parent( - Backend *be, - const char *dn ) +int +dnMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) { -#if 0 - const char *s; - int inquote; - - if( dn == NULL ) { - return NULL; - } - - while(*dn != '\0' && ASCII_SPACE(*dn)) { - dn++; - } + int match; + struct berval *asserted = (struct berval *) assertedValue; - if( *dn == '\0' ) { - return NULL; - } + assert( matchp ); + assert( value ); + assert( assertedValue ); + + match = value->bv_len - asserted->bv_len; - if ( be != NULL && be_issuffix( be, dn ) ) { - return NULL; + if ( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); } - /* - * assume it is an X.500-style name, which looks like - * foo=bar,sha=baz,... - */ +#ifdef NEW_LOGGING + LDAP_LOG( CONFIG, ENTRY, "dnMatch: %d\n %s\n %s\n", + match, value->bv_val, asserted->bv_val ); +#else + Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", + match, value->bv_val, asserted->bv_val ); +#endif - inquote = 0; - for ( s = dn; *s; s++ ) { - if ( *s == '\\' ) { - if ( *(s + 1) ) { - s++; - } - continue; - } - if ( inquote ) { - if ( *s == '"' ) { - inquote = 0; - } - } else { - if ( *s == '"' ) { - inquote = 1; - } else if ( DN_SEPARATOR( *s ) ) { - return (char *)s + 1; - } - } - } + *matchp = match; + return( LDAP_SUCCESS ); +} - return ""; -#endif - const char *pdn; +/* + * dnParent - dn's parent, in-place + * + * note: the incoming dn is assumed to be normalized/prettyfied, + * so that escaped rdn/ava separators are in '\'+hexpair form + */ +void +dnParent( + struct berval *dn, + struct berval *pdn ) +{ + char *p; - if ( dn == NULL ) { - return NULL; - } + p = strchr( dn->bv_val, ',' ); - while ( dn[ 0 ] != '\0' && ASCII_SPACE( dn[ 0 ] ) ) { - dn++; + /* one-level dn */ + if ( p == NULL ) { + pdn->bv_len = 0; + pdn->bv_val = dn->bv_val + dn->bv_len; + return; } - if ( dn[ 0 ] == '\0' ) { - return NULL; - } + assert( DN_SEPARATOR( p[ 0 ] ) ); + p++; - if ( be != NULL && be_issuffix( be, dn ) ) { - return NULL; - } + assert( ATTR_LEADCHAR( p[ 0 ] ) ); + pdn->bv_val = p; + pdn->bv_len = dn->bv_len - (p - dn->bv_val); - if ( dnParent( dn, &pdn ) != LDAP_SUCCESS ) { - return NULL; - } - - return ( char * )pdn; + return; } int dnExtractRdn( - const char *dn, - struct berval **rdn ) + struct berval *dn, + struct berval *rdn ) { LDAPRDN *tmpRDN; const char *p; - char *rdnout; int rc; assert( dn ); assert( rdn ); - rc = ldap_str2rdn( dn, &tmpRDN, &p, LDAP_DN_FORMAT_LDAP ); + if( dn->bv_len == 0 ) { + return LDAP_OTHER; + } + + rc = ldap_bv2rdn( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); if ( rc != LDAP_SUCCESS ) { return rc; } - rc = ldap_rdn2str( tmpRDN, &rdnout, LDAP_DN_FORMAT_LDAPV3 ); + rc = ldap_rdn2bv( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY ); + ldap_rdnfree( tmpRDN ); if ( rc != LDAP_SUCCESS ) { return rc; } - *rdn = ber_bvstr( rdnout ); - if ( *rdn == NULL ) { - free( rdnout ); - return LDAP_NO_MEMORY; - } - return LDAP_SUCCESS; } /* - * FIXME: should be replaced by dnExtractRdn() (together with dn_rdn) + * We can assume the input is a prettied or normalized DN */ int dn_rdnlen( Backend *be, - const char *dn_in ) + struct berval *dn_in ) { -#if 0 - char *s; - int inquote; - - if( dn_in == NULL ) { - return 0; - } - - while(*dn_in && ASCII_SPACE(*dn_in)) { - dn_in++; - } - - if( *dn_in == '\0' ) { - return( 0 ); - } - - if ( be != NULL && be_issuffix( be, dn_in ) ) { - return( 0 ); - } - - inquote = 0; - - for ( s = (char *)dn_in; *s; s++ ) { - if ( *s == '\\' ) { - if ( *(s + 1) ) { - s++; - } - continue; - } - if ( inquote ) { - if ( *s == '"' ) { - inquote = 0; - } - } else { - if ( *s == '"' ) { - inquote = 1; - } else if ( DN_SEPARATOR( *s ) ) { - break; - } - } - } - - return( s - dn_in ); -#endif - struct berval *rdn = NULL; - int retval = 0; + const char *p; assert( dn_in ); @@ -749,11 +769,7 @@ dn_rdnlen( return 0; } - while ( dn_in[ 0 ] && ASCII_SPACE( dn_in[ 0 ] ) ) { - dn_in++; - } - - if ( dn_in[ 0 ] == '\0' ) { + if ( !dn_in->bv_len ) { return 0; } @@ -761,315 +777,74 @@ dn_rdnlen( return 0; } - if ( dnExtractRdn( dn_in, &rdn ) != LDAP_SUCCESS ) { - ber_bvfree( rdn ); - return 0; - } - - retval = rdn->bv_len; - ber_bvfree( rdn ); - - return retval; -} - -/* - * FIXME: should be replaced by dnExtractRdn() (together with dn_rdnlen) - */ -char * dn_rdn( - Backend *be, - const char *dn_in ) -{ -#if 0 - char *rdn; - int i = dn_rdnlen( be, dn_in ); - - rdn = ch_malloc( i + 1 ); - strncpy(rdn, dn_in, i); - rdn[i] = '\0'; - return rdn; -#endif - struct berval *rdn = NULL; - char *retval; - - assert( dn_in ); - - if ( dn_in == NULL ) { - return NULL; - } - - while ( dn_in[ 0 ] && ASCII_SPACE( dn_in[ 0 ] ) ) { - dn_in++; - } - - if ( dn_in[ 0 ] == '\0' ) { - return NULL; - } - - if ( be != NULL && be_issuffix( be, dn_in ) ) { - return NULL; - } - - if ( dnExtractRdn( dn_in, &rdn ) != LDAP_SUCCESS ) { - ber_bvfree( rdn ); - return NULL; - } - - retval = rdn->bv_val; - free( rdn ); + p = strchr( dn_in->bv_val, ',' ); - return retval; + return p ? p - dn_in->bv_val : dn_in->bv_len; } -/* - * return a charray of all subtrees to which the DN resides in - */ -char **dn_subtree( - Backend *be, - const char *dn ) -{ - char **subtree = NULL; - - do { - charray_add( &subtree, dn ); - - dn = dn_parent( be, dn ); - - } while ( dn != NULL ); - return subtree; -} - -/* - * dn_issuffix - tells whether suffix is a suffix of dn. - * Both dn and suffix must be normalized. - * deprecated in favor of dnIsSuffix() - */ -int -dn_issuffix( - const char *dn, - const char *suffix -) -{ - struct berval bvdn, bvsuffix; - - assert( dn ); - assert( suffix ); - - bvdn.bv_val = (char *) dn; - bvdn.bv_len = strlen( dn ); - bvsuffix.bv_val = (char *) suffix; - bvsuffix.bv_len = strlen( suffix ); - - return dnIsSuffix( &bvdn, &bvsuffix ); -} - -/* - * get_next_substring(), rdn_attr_type(), rdn_attr_value(), and - * build_new_dn(). - * - * Copyright 1999, Juan C. Gomez, All rights reserved. - * This software is not subject to any license of Silicon Graphics - * Inc. or Purdue University. - * - * Redistribution and use in source and binary forms are permitted - * without restriction or fee of any kind as long as this notice - * is preserved. - * - */ - -/* get_next_substring: - * - * Gets next substring in s, using d (or the end of the string '\0') as a - * string delimiter, and places it in a duplicated memory space. Leading - * spaces are ignored. String s **must** be null-terminated. - */ - -static char * -get_next_substring( const char * s, char d ) -{ - - char *str, *r; - - r = str = ch_malloc( strlen(s) + 1 ); - - /* Skip leading spaces */ - - while ( *s && ASCII_SPACE(*s) ) { - s++; - } - - /* Copy word */ - - while ( *s && (*s != d) ) { - - /* Don't stop when you see trailing spaces may be a multi-word - * string, i.e. name=John Doe! - */ - - *str++ = *s++; - } - - *str = '\0'; - - return r; - -} - - -/* rdn_attr_type: +/* rdnValidate: * - * Given a string (i.e. an rdn) of the form: - * "attribute_type = attribute_value" - * this function returns the type of an attribute, that is the - * string "attribute_type" which is placed in newly allocated - * memory. The returned string will be null-terminated. + * LDAP_SUCCESS if rdn is a legal rdn; + * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns) */ - -char * rdn_attr_type( const char * s ) -{ - return get_next_substring( s, '=' ); -} - - -/* rdn_attr_value: - * - * Given a string (i.e. an rdn) of the form: - * "attribute_type = attribute_value" - * this function returns "attribute_type" which is placed in newly allocated - * memory. The returned string will be null-terminated and may contain - * spaces (i.e. "John Doe\0"). - */ - -char * -rdn_attr_value( const char * rdn ) -{ - - const char *str; - - if ( (str = strchr( rdn, '=' )) != NULL ) { - return get_next_substring(++str, '\0'); - } - - return NULL; - -} - - -/* rdn_attrs: - * - * Given a string (i.e. an rdn) of the form: - * "attribute_type=attribute_value[+attribute_type=attribute_value[...]]" - * this function stores the types of the attributes in ptypes, that is the - * array of strings "attribute_type" which is placed in newly allocated - * memory, and the values of the attributes in pvalues, that is the - * array of strings "attribute_value" which is placed in newly allocated - * memory. Returns 0 on success, -1 on failure. - * - * note: got part of the code from dn_validate - */ - int -rdn_attrs( const char * rdn_in, char ***ptypes, char ***pvalues) +rdnValidate( struct berval *rdn ) { - char **parts, **p; - - *ptypes = NULL; - *pvalues = NULL; - - /* - * explode the rdn in parts +#if 1 + /* Major cheat! + * input is a pretty or normalized DN + * hence, we can just search for ',' */ - parts = ldap_explode_rdn( rdn_in, 0 ); - - if ( parts == NULL ) { - return( -1 ); + if( rdn == NULL || rdn->bv_len == 0 || + rdn->bv_len > SLAP_LDAPDN_MAXLEN ) + { + return LDAP_INVALID_SYNTAX; } - for ( p = parts; p[0]; p++ ) { - char *s, *e, *d; - - /* split each rdn part in type value */ - s = strchr( p[0], '=' ); - if ( s == NULL ) { - charray_free( *ptypes ); - charray_free( *pvalues ); - charray_free( parts ); - return( -1 ); - } - - /* type should be fine */ - charray_add_n( ptypes, p[0], ( s-p[0] ) ); - - /* value needs to be unescaped - * (maybe this should be moved to ldap_explode_rdn?) */ - for ( e = d = s + 1; e[0]; e++ ) { - if ( *e != '\\' ) { - *d++ = *e; - } - } - d[0] = '\0'; - charray_add( pvalues, s + 1 ); - } - - /* free array */ - charray_free( parts ); - - return( 0 ); -} - - -/* rdn_validate: - * - * 1 if rdn is a legal rdn; - * 0 otherwise (including a sequence of rdns) - * - * note: got it from dn_rdn; it should be rewritten - * according to dn_validate - */ -int -rdn_validate( const char * rdn ) -{ - int inquote; + return strchr( rdn->bv_val, ',' ) == NULL + ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX; - if ( rdn == NULL ) { - return( 0 ); - } +#else + LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL }; + const char *p; + int rc; - if ( strchr( rdn, '=' ) == NULL ) { - return( 0 ); + /* + * must be non-empty + */ + if ( rdn == NULL || rdn == '\0' ) { + return 0; } - while ( *rdn && ASCII_SPACE( *rdn ) ) { - rdn++; + /* + * must be parsable + */ + rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return 0; } - if( *rdn == '\0' ) { - return( 0 ); + /* + * Must be one-level + */ + if ( p[ 0 ] != '\0' ) { + return 0; } - inquote = 0; - - for ( ; *rdn; rdn++ ) { - if ( *rdn == '\\' ) { - if ( *(rdn + 1) ) { - rdn++; - } - continue; - } - if ( inquote ) { - if ( *rdn == '"' ) { - inquote = 0; - } - } else { - if ( *rdn == '"' ) { - inquote = 1; - } else if ( DN_SEPARATOR( *rdn ) ) { - return( 0 ); - } - } + /* + * Schema-aware validate + */ + if ( rc == LDAP_SUCCESS ) { + rc = LDAPDN_validate( DN ); } + ldap_rdnfree( RDN ); - return( 1 ); + /* + * Must validate (there's a repeated parsing ...) + */ + return ( rc == LDAP_SUCCESS ); +#endif } @@ -1078,30 +853,29 @@ rdn_validate( const char * rdn ) * Used by ldbm/bdb2 back_modrdn to create the new dn of entries being * renamed. * - * new_dn = parent (p_dn) + separator(s) + rdn (newrdn) + null. + * new_dn = parent (p_dn) + separator + rdn (newrdn) + null. */ void -build_new_dn( char ** new_dn, - const char * entry_dn, - const char * parent_dn, - const char * newrdn ) +build_new_dn( struct berval * new_dn, + struct berval * parent_dn, + struct berval * newrdn ) { + char *ptr; if ( parent_dn == NULL ) { - *new_dn = ch_strdup( newrdn ); + ber_dupbv( new_dn, newrdn ); return; } - *new_dn = (char *) ch_malloc( - strlen( parent_dn ) + strlen( newrdn ) + 3 ); + new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1; + new_dn->bv_val = (char *) ch_malloc( new_dn->bv_len + 1 ); - strcpy( *new_dn, newrdn ); - strcat( *new_dn, "," ); - strcat( *new_dn, parent_dn ); + ptr = lutil_strcopy( new_dn->bv_val, newrdn->bv_val ); + *ptr++ = ','; + strcpy( ptr, parent_dn->bv_val ); } -#endif /* SLAP_DN_MIGRATION */ /* * dnIsSuffix - tells whether suffix is a suffix of dn. @@ -1128,8 +902,7 @@ dnIsSuffix( } /* no rdn separator or escaped rdn separator */ - if ( d > 1 && ( !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) - || DN_ESCAPE( dn->bv_val[ d - 2 ] ) ) ) { + if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) { return 0; } @@ -1141,3 +914,25 @@ dnIsSuffix( /* compare */ return( strcmp( dn->bv_val + d, suffix->bv_val ) == 0 ); } + +#ifdef HAVE_TLS +/* + * Convert an X.509 DN into a normalized LDAP DN + */ +int +dnX509normalize( void *x509_name, struct berval *out ) +{ + /* Invoke the LDAP library's converter with our schema-rewriter */ + return ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 ); +} + +/* + * Get the TLS session's peer's DN into a normalized LDAP DN + */ +int +dnX509peerNormalize( void *ssl, struct berval *dn ) +{ + + return ldap_pvt_tls_get_peer_dn( ssl, dn, (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); +} +#endif