X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fschema_init.c;h=b51ce53e3c0f2ea0bb3bc4ab5c2f21ec25222915;hb=57253688b381375ae8b5a1ffce7a2d2d369bb743;hp=fe3db715c8b5ee715c349d5e01c45f2d9c136921;hpb=1705fa7e553201d5415513a85925268d21575c99;p=openldap
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index fe3db715c8..b51ce53e3c 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
  *
- * Copyright 1998-2015 The OpenLDAP Foundation.
+ * Copyright 1998-2017 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -593,6 +593,41 @@ attributeCertificateValidate( Syntax *syntax, struct berval *in )
 return LDAP_SUCCESS;
 }
 
+/* accept a PKCS#8 private key */
+static int
+privateKeyValidate(
+ Syntax *syntax,
+ struct berval *val )
+{
+ BerElementBuffer berbuf;
+ BerElement *ber = (BerElement *)&berbuf;
+ ber_tag_t tag;
+ ber_len_t len;
+ ber_int_t version;
+
+ ber_init2( ber, val, LBER_USE_DER );
+ tag = ber_skip_tag( ber, &len ); /* Sequence */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ tag = ber_peek_tag( ber, &len );
+ if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
+ tag = ber_get_int( ber, &version );
+ tag = ber_skip_tag( ber, &len ); /* AlgorithmIdentifier */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len ); /* PrivateKey */
+ if ( tag != LBER_OCTETSTRING ) return LDAP_INVALID_SYNTAX;
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ if ( tag == LBER_SET ) { /* Optional Attributes */
+ ber_skip_data( ber, len );
+ tag = ber_skip_tag( ber, &len );
+ }
+
+ /* Must be at end now */
+ if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;
+ return LDAP_SUCCESS;
+}
+
 int
 octetStringMatch(
 int *matchp,
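Review bot: `tag = ber_get_int( ber, &version );` in privateKeyValidate discards its result and `version` is never examined, so a malformed INTEGER is only rejected indirectly when the following ber_skip_tag fails to see a SEQUENCE; check it directly with `if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;` and either compare `version` against the values the syntax accepts or drop the variable. The function also only walks the outer DER structure — the AlgorithmIdentifier contents and the PrivateKey octets are skipped, not parsed — which the one-line header comment should say, e.g. `/* accept a PKCS#8 PrivateKeyInfo: checks the outer DER structure only; the algorithm and the key octets are not inspected */`. The trailing "Must be at end now" check presumably means an RFC 5958 OneAsymmetricKey (v2) carrying the optional `[1]` publicKey after the attributes SET is rejected; if only the PKCS#8 v1 shape is intended, state that in the comment, otherwise that element needs to be skipped as well.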
@@ -686,7 +721,6 @@ int octetStringIndexer(
 void *ctx )
 {
 int i;
- size_t slen, mlen;
 BerVarray keys;
 HASH_CONTEXT HASHcontext;
 unsigned char HASHdigest[HASH_BYTES];
@@ -703,9 +737,6 @@ int octetStringIndexer(
 
 keys = slap_sl_malloc( sizeof( struct berval ) * (i+1), ctx );
 
- slen = syntax->ssyn_oidlen;
- mlen = mr->smr_oidlen;
-
 hashPreset( &HASHcontext, prefix, 0, syntax, mr);
 for( i=0; !BER_BVISNULL( &values[i] ); i++ ) {
 hashIter( &HASHcontext, HASHdigest,
@@ -731,7 +762,6 @@ int octetStringFilter(
 BerVarray *keysp,
 void *ctx )
 {
- size_t slen, mlen;
 BerVarray keys;
 HASH_CONTEXT HASHcontext;
 unsigned char HASHdigest[HASH_BYTES];
@@ -740,9 +770,6 @@ int octetStringFilter(
 digest.bv_val = (char *)HASHdigest;
 digest.bv_len = HASH_LEN;
 
- slen = syntax->ssyn_oidlen;
- mlen = mr->smr_oidlen;
-
 keys = slap_sl_malloc( sizeof( struct berval ) * 2, ctx );
 
 hashPreset( &HASHcontext, prefix, 0, syntax, mr );
@@ -894,7 +921,6 @@ octetStringSubstringsIndexer(
 void *ctx )
 {
 ber_len_t i, nkeys;
- size_t slen, mlen;
 BerVarray keys;
 
 HASH_CONTEXT HCany, HCini, HCfin;
@@ -940,9 +966,6 @@ octetStringSubstringsIndexer(
 
 keys = slap_sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx );
 
- slen = syntax->ssyn_oidlen;
- mlen = mr->smr_oidlen;
-
 if ( flags & SLAP_INDEX_SUBSTR_ANY )
 hashPreset( &HCany, prefix, SLAP_INDEX_SUBSTR_PREFIX, syntax, mr );
 if( flags & SLAP_INDEX_SUBSTR_INITIAL )
@@ -1016,7 +1039,7 @@ octetStringSubstringsFilter (
 SubstringsAssertion *sa;
 char pre;
 ber_len_t nkeys = 0;
- size_t slen, mlen, klen;
+ size_t klen;
 BerVarray keys;
 HASH_CONTEXT HASHcontext;
 unsigned char HASHdigest[HASH_BYTES];
@@ -1068,9 +1091,6 @@ octetStringSubstringsFilter (
 digest.bv_val = (char *)HASHdigest;
 digest.bv_len = HASH_LEN;
 
- slen = syntax->ssyn_oidlen;
- mlen = mr->smr_oidlen;
-
 keys = slap_sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx );
 
 nkeys = 0;
@@ -1781,7 +1801,7 @@ UTF8StringValidate(
 struct berval *in )
 {
 int len;
- unsigned char *u = (unsigned char *)in->bv_val, *end = in->bv_val + in->bv_len;
+ unsigned char *u = (unsigned char *)in->bv_val, *end = (unsigned char *)in->bv_val + in->bv_len;
 
 if( BER_BVISEMPTY( in ) && syntax == slap_schema.si_syn_directoryString ) {
 /* directory strings cannot be empty */
@@ -2270,7 +2290,7 @@ approxFilter(
 return LDAP_SUCCESS;
 }
 
-/* Remove all spaces and '-' characters */
+/* Remove all spaces and '-' characters, unless the result would be empty */
 static int
 telephoneNumberNormalize(
 slap_mask_t usage,
@@ -2284,8 +2304,11 @@ telephoneNumberNormalize(
 
 assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ) != 0 );
 
- /* validator should have refused an empty string */
- assert( !BER_BVISEMPTY( val ) );
+ /* Ensure q is big enough, though validator should have caught this */
+ if ( BER_BVISEMPTY( val )) {
+ BER_BVZERO( normalized );
+ return LDAP_INVALID_SYNTAX;
+ }
 
 q = normalized->bv_val = slap_sl_malloc( val->bv_len + 1, ctx );
 
@@ -2294,16 +2317,13 @@ telephoneNumberNormalize(
 *q++ = *p;
 }
 }
+ if ( q == normalized->bv_val ) {
+ *q++ = ' ';
+ }
 *q = '\0';
 
 normalized->bv_len = q - normalized->bv_val;
 
- if( BER_BVISEMPTY( normalized ) ) {
- slap_sl_free( normalized->bv_val, ctx );
- BER_BVZERO( normalized );
- return LDAP_INVALID_SYNTAX;
- }
-
 return LDAP_SUCCESS;
 }
 
@@ -6364,6 +6384,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
 {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
 SLAP_SYNTAX_HIDE, NULL, authzValidate, authzPretty},
 
+ /* PKCS#8 Private Keys for X.509 certificates */
+ {"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' )",
+ SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, privateKeyValidate, NULL},
+
 {NULL, 0, NULL, NULL, NULL}
 };
 
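Review bot: The new `if ( q == normalized->bv_val ) { *q++ = ' '; }` in telephoneNumberNormalize makes every value consisting only of spaces and '-' normalize to the single string " ", so all such values compare equal to one another under the rules that use this normalizer; that consequence is not visible from the header comment changed in the earlier hunk. Suggest stating it there, e.g. `/* Remove all spaces and '-' characters; a value that would become empty normalizes to a single space, so all such values match each other */`. The early return added in the preceding hunk is what guarantees the `val->bv_len + 1` allocation has room for that space plus the terminator, which the comment `Ensure q is big enough` alludes to but could say outright. telephoneNumberNormalize's body begins outside this hunk.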
@@ -6851,6 +6874,13 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, NULL, NULL}, + {"( 1.3.6.1.4.1.4203.666.4.13 NAME 'privateKeyMatch' " + "SYNTAX 1.3.6.1.4.1.4203.666.2.13 )", /* OpenLDAP privateKey */ + SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL, + NULL, NULL, octetStringMatch, + NULL, NULL, + NULL}, + {NULL, SLAP_MR_NONE, NULL, NULL, NULL, NULL, NULL, NULL, NULL }