X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fschema_init.c;h=eccdd53bafe1ff7c861a6567b49b5087fecf7b23;hb=0af650863210ae1faac95d7ca44bdeefa9e99843;hp=eef80beb30279966ba231ff6d1af3911b2c07fa6;hpb=e5091f5926f0331bc4cfd778cc557160d79ec123;p=openldap diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index eef80beb30..eccdd53baf 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -1,7 +1,7 @@ /* schema_init.c - init builtin schema */ /* $OpenLDAP$ */ /* - * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -28,96 +28,63 @@ #define HASH_Update(c,buf,len) lutil_HASHUpdate(c,buf,len) #define HASH_Final(d,c) lutil_HASHFinal(d,c) -/* recycled validatation routines */ -#define berValidate blobValidate +/* not yet implemented */ +#define uniqueMemberMatch NULL -/* unimplemented pretters */ -#define integerPretty NULL - -/* recycled matching routines */ -#define bitStringMatch octetStringMatch -#define numericStringMatch caseIgnoreIA5Match -#define objectIdentifierMatch caseIgnoreIA5Match -#define telephoneNumberMatch caseIgnoreIA5Match -#define telephoneNumberSubstringsMatch caseIgnoreIA5SubstringsMatch -#define generalizedTimeMatch caseIgnoreIA5Match -#define generalizedTimeOrderingMatch caseIgnoreIA5Match -#define uniqueMemberMatch dnMatch -#define integerFirstComponentMatch integerMatch +#define OpenLDAPaciMatch NULL /* approx matching rules */ #define directoryStringApproxMatchOID "1.3.6.1.4.1.4203.666.4.4" -#define directoryStringApproxMatch approxMatch +#define directoryStringApproxMatch approxMatch #define directoryStringApproxIndexer approxIndexer -#define directoryStringApproxFilter approxFilter +#define directoryStringApproxFilter approxFilter #define IA5StringApproxMatchOID "1.3.6.1.4.1.4203.666.4.5" #define IA5StringApproxMatch approxMatch #define IA5StringApproxIndexer approxIndexer #define IA5StringApproxFilter approxFilter -/* ordering matching rules */ -#define caseIgnoreOrderingMatch caseIgnoreMatch -#define caseExactOrderingMatch caseExactMatch -#define integerOrderingMatch integerMatch - -/* unimplemented matching routines */ -#define caseIgnoreListMatch NULL -#define caseIgnoreListSubstringsMatch NULL -#define protocolInformationMatch NULL - -#ifdef SLAPD_ACI_ENABLED -#define OpenLDAPaciMatch NULL -#endif -#ifdef SLAPD_AUTHPASSWD -#define authPasswordMatch NULL -#endif +static int +inValidate( + Syntax *syntax, + struct berval *in ) +{ + /* no value allowed */ + return LDAP_INVALID_SYNTAX; +} -/* recycled indexing/filtering routines */ -#define dnIndexer caseExactIgnoreIndexer -#define dnFilter caseExactIgnoreFilter -#define bitStringFilter octetStringFilter -#define bitStringIndexer octetStringIndexer - -#define telephoneNumberIndexer caseIgnoreIA5Indexer -#define telephoneNumberFilter caseIgnoreIA5Filter -#define telephoneNumberSubstringsIndexer caseIgnoreIA5SubstringsIndexer -#define telephoneNumberSubstringsFilter caseIgnoreIA5SubstringsFilter - -static MatchingRule *caseExactMatchingRule; -static MatchingRule *caseExactSubstringsMatchingRule; -static MatchingRule *integerFirstComponentMatchingRule; - -static const struct MatchingRulePtr { - const char *oid; - MatchingRule **mr; -} mr_ptr [] = { - /* must match OIDs below */ - { "2.5.13.5", &caseExactMatchingRule }, - { "2.5.13.7", &caseExactSubstringsMatchingRule }, - { "2.5.13.29", &integerFirstComponentMatchingRule } -}; +static int +blobValidate( + Syntax *syntax, + struct berval *in ) +{ + /* any value allowed */ + return LDAP_SUCCESS; +} +#define berValidate blobValidate -static char *bvcasechr( struct berval *bv, unsigned char c, ber_len_t *len ) +static int +octetStringMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) { - ber_len_t i; - char lower = TOLOWER( c ); - char upper = TOUPPER( c ); + struct berval *asserted = (struct berval *) assertedValue; + int match = value->bv_len - asserted->bv_len; - if( c == 0 ) return NULL; - - for( i=0; i < bv->bv_len; i++ ) { - if( upper == bv->bv_val[i] || lower == bv->bv_val[i] ) { - *len = i; - return &bv->bv_val[i]; - } + if( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, value->bv_len ); } - return NULL; + *matchp = match; + return LDAP_SUCCESS; } static int -octetStringMatch( +octetStringOrderingMatch( int *matchp, slap_mask_t flags, Syntax *syntax, @@ -125,33 +92,35 @@ octetStringMatch( struct berval *value, void *assertedValue ) { - int match = value->bv_len - ((struct berval *) assertedValue)->bv_len; + struct berval *asserted = (struct berval *) assertedValue; + ber_len_t v_len = value->bv_len; + ber_len_t av_len = asserted->bv_len; - if( match == 0 ) { - match = memcmp( value->bv_val, - ((struct berval *) assertedValue)->bv_val, - value->bv_len ); - } + int match = memcmp( value->bv_val, asserted->bv_val, + (v_len < av_len ? v_len : av_len) ); + + if( match == 0 ) match = v_len - av_len; *matchp = match; return LDAP_SUCCESS; } /* Index generation function */ -static int octetStringIndexer( +int octetStringIndexer( slap_mask_t use, slap_mask_t flags, Syntax *syntax, MatchingRule *mr, struct berval *prefix, BerVarray values, - BerVarray *keysp ) + BerVarray *keysp, + void *ctx ) { int i; size_t slen, mlen; BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; + HASH_CONTEXT HASHcontext; + unsigned char HASHdigest[HASH_BYTES]; struct berval digest; digest.bv_val = HASHdigest; digest.bv_len = sizeof(HASHdigest); @@ -163,7 +132,7 @@ static int octetStringIndexer( /* we should have at least one value at this point */ assert( i > 0 ); - keys = ch_malloc( sizeof( struct berval ) * (i+1) ); + keys = sl_malloc( sizeof( struct berval ) * (i+1), ctx ); slen = syntax->ssyn_oidlen; mlen = mr->smr_oidlen; @@ -182,10 +151,11 @@ static int octetStringIndexer( values[i].bv_val, values[i].bv_len ); HASH_Final( HASHdigest, &HASHcontext ); - ber_dupbv( &keys[i], &digest ); + ber_dupbv_x( &keys[i], &digest, ctx ); } keys[i].bv_val = NULL; + keys[i].bv_len = 0; *keysp = keys; @@ -193,20 +163,21 @@ static int octetStringIndexer( } /* Index generation function */ -static int octetStringFilter( +int octetStringFilter( slap_mask_t use, slap_mask_t flags, Syntax *syntax, MatchingRule *mr, struct berval *prefix, - void * assertValue, - BerVarray *keysp ) + void * assertedValue, + BerVarray *keysp, + void *ctx ) { size_t slen, mlen; BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval *value = (struct berval *) assertValue; + HASH_CONTEXT HASHcontext; + unsigned char HASHdigest[HASH_BYTES]; + struct berval *value = (struct berval *) assertedValue; struct berval digest; digest.bv_val = HASHdigest; digest.bv_len = sizeof(HASHdigest); @@ -214,7 +185,7 @@ static int octetStringFilter( slen = syntax->ssyn_oidlen; mlen = mr->smr_oidlen; - keys = ch_malloc( sizeof( struct berval ) * 2 ); + keys = sl_malloc( sizeof( struct berval ) * 2, ctx ); HASH_Init( &HASHcontext ); if( prefix != NULL && prefix->bv_len > 0 ) { @@ -229,8 +200,9 @@ static int octetStringFilter( value->bv_val, value->bv_len ); HASH_Final( HASHdigest, &HASHcontext ); - ber_dupbv( keys, &digest ); + ber_dupbv_x( keys, &digest, ctx ); keys[1].bv_val = NULL; + keys[1].bv_len = 0; *keysp = keys; @@ -238,529 +210,621 @@ static int octetStringFilter( } static int -inValidate( +octetStringSubstringsMatch( + int *matchp, + slap_mask_t flags, Syntax *syntax, - struct berval *in ) + MatchingRule *mr, + struct berval *value, + void *assertedValue ) { - /* no value allowed */ - return LDAP_INVALID_SYNTAX; -} + int match = 0; + SubstringsAssertion *sub = assertedValue; + struct berval left = *value; + int i; + ber_len_t inlen = 0; -static int -blobValidate( - Syntax *syntax, - struct berval *in ) -{ - /* any value allowed */ - return LDAP_SUCCESS; -} + /* Add up asserted input length */ + if( sub->sa_initial.bv_val ) { + inlen += sub->sa_initial.bv_len; + } + if( sub->sa_any ) { + for(i=0; sub->sa_any[i].bv_val != NULL; i++) { + inlen += sub->sa_any[i].bv_len; + } + } + if( sub->sa_final.bv_val ) { + inlen += sub->sa_final.bv_len; + } -static int -bitStringValidate( - Syntax *syntax, - struct berval *in ) -{ - ber_len_t i; + if( sub->sa_initial.bv_val ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } - /* very unforgiving validation, requires no normalization - * before simplistic matching - */ - if( in->bv_len < 3 ) { - return LDAP_INVALID_SYNTAX; - } + match = memcmp( sub->sa_initial.bv_val, left.bv_val, + sub->sa_initial.bv_len ); - /* - * rfc 2252 section 6.3 Bit String - * bitstring = "'" *binary-digit "'" - * binary-digit = "0" / "1" - * example: '0101111101'B - */ - - if( in->bv_val[0] != '\'' || - in->bv_val[in->bv_len-2] != '\'' || - in->bv_val[in->bv_len-1] != 'B' ) - { - return LDAP_INVALID_SYNTAX; + if( match != 0 ) { + goto done; + } + + left.bv_val += sub->sa_initial.bv_len; + left.bv_len -= sub->sa_initial.bv_len; + inlen -= sub->sa_initial.bv_len; } - for( i=in->bv_len-3; i>0; i-- ) { - if( in->bv_val[i] != '0' && in->bv_val[i] != '1' ) { - return LDAP_INVALID_SYNTAX; + if( sub->sa_final.bv_val ) { + if( inlen > left.bv_len ) { + match = 1; + goto done; + } + + match = memcmp( sub->sa_final.bv_val, + &left.bv_val[left.bv_len - sub->sa_final.bv_len], + sub->sa_final.bv_len ); + + if( match != 0 ) { + goto done; } + + left.bv_len -= sub->sa_final.bv_len; + inlen -= sub->sa_final.bv_len; } - return LDAP_SUCCESS; -} + if( sub->sa_any ) { + for(i=0; sub->sa_any[i].bv_val; i++) { + ber_len_t idx; + char *p; -static int -bitStringNormalize( - Syntax *syntax, - struct berval *val, - struct berval *normalized ) -{ - /* - * A normalized bitString is has no extaneous (leading) zero bits. - * That is, '00010'B is normalized to '10'B - * However, as a special case, '0'B requires no normalization. - */ - char *p; +retry: + if( inlen > left.bv_len ) { + /* not enough length */ + match = 1; + goto done; + } + + if( sub->sa_any[i].bv_len == 0 ) { + continue; + } - /* start at the first bit */ - p = &val->bv_val[1]; + p = memchr( left.bv_val, *sub->sa_any[i].bv_val, left.bv_len ); - /* Find the first non-zero bit */ - while ( *p == '0' ) p++; + if( p == NULL ) { + match = 1; + goto done; + } - if( *p == '\'' ) { - /* no non-zero bits */ - ber_str2bv( "\'0\'B", sizeof("\'0\'B") - 1, 1, normalized ); - goto done; - } + idx = p - left.bv_val; - normalized->bv_val = ch_malloc( val->bv_len + 1 ); + if( idx >= left.bv_len ) { + /* this shouldn't happen */ + return LDAP_OTHER; + } - normalized->bv_val[0] = '\''; - normalized->bv_len = 1; + left.bv_val = p; + left.bv_len -= idx; - for( ; *p != '\0'; p++ ) { - normalized->bv_val[normalized->bv_len++] = *p; - } + if( sub->sa_any[i].bv_len > left.bv_len ) { + /* not enough left */ + match = 1; + goto done; + } + + match = memcmp( left.bv_val, + sub->sa_any[i].bv_val, + sub->sa_any[i].bv_len ); + + if( match != 0 ) { + left.bv_val++; + left.bv_len--; + goto retry; + } - normalized->bv_val[normalized->bv_len] = '\0'; + left.bv_val += sub->sa_any[i].bv_len; + left.bv_len -= sub->sa_any[i].bv_len; + inlen -= sub->sa_any[i].bv_len; + } + } done: + *matchp = match; return LDAP_SUCCESS; } +/* Substrings Index generation function */ static int -nameUIDValidate( +octetStringSubstringsIndexer( + slap_mask_t use, + slap_mask_t flags, Syntax *syntax, - struct berval *in ) + MatchingRule *mr, + struct berval *prefix, + BerVarray values, + BerVarray *keysp, + void *ctx ) { - int rc; - struct berval dn; + ber_len_t i, j, nkeys; + size_t slen, mlen; + BerVarray keys; - if( in->bv_len == 0 ) return LDAP_SUCCESS; + HASH_CONTEXT HASHcontext; + unsigned char HASHdigest[HASH_BYTES]; + struct berval digest; + digest.bv_val = HASHdigest; + digest.bv_len = sizeof(HASHdigest); - ber_dupbv( &dn, in ); - if( !dn.bv_val ) return LDAP_OTHER; + nkeys=0; - if( dn.bv_val[dn.bv_len-1] == 'B' - && dn.bv_val[dn.bv_len-2] == '\'' ) - { - /* assume presence of optional UID */ - ber_len_t i; + for( i=0; values[i].bv_val != NULL; i++ ) { + /* count number of indices to generate */ + if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { + continue; + } - for(i=dn.bv_len-3; i>1; i--) { - if( dn.bv_val[i] != '0' && dn.bv_val[i] != '1' ) { - break; + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + (SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += values[i].bv_len - (SLAP_INDEX_SUBSTR_MINLEN - 1); } } - if( dn.bv_val[i] != '\'' || dn.bv_val[i-1] != '#' ) { - ber_memfree( dn.bv_val ); - return LDAP_INVALID_SYNTAX; + + if( flags & SLAP_INDEX_SUBSTR_ANY ) { + if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += values[i].bv_len - (SLAP_INDEX_SUBSTR_MAXLEN - 1); + } } - /* trim the UID to allow use of dnValidate */ - dn.bv_val[i-1] = '\0'; - dn.bv_len = i-1; + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + nkeys += SLAP_INDEX_SUBSTR_MAXLEN - + ( SLAP_INDEX_SUBSTR_MINLEN - 1); + } else { + nkeys += values[i].bv_len - (SLAP_INDEX_SUBSTR_MINLEN - 1); + } + } } - rc = dnValidate( NULL, &dn ); + if( nkeys == 0 ) { + /* no keys to generate */ + *keysp = NULL; + return LDAP_SUCCESS; + } - ber_memfree( dn.bv_val ); - return rc; -} + keys = sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx ); -static int -nameUIDNormalize( - Syntax *syntax, - struct berval *val, - struct berval *normalized ) -{ - struct berval out; - int rc; - - ber_dupbv( &out, val ); - if( out.bv_len != 0 ) { - struct berval uidin = { 0, NULL }; - struct berval uidout = { 0, NULL }; + slen = syntax->ssyn_oidlen; + mlen = mr->smr_oidlen; - if( out.bv_val[out.bv_len-1] == 'B' - && out.bv_val[out.bv_len-2] == '\'' ) - { - /* assume presence of optional UID */ - uidin.bv_val = strrchr( out.bv_val, '#' ); + nkeys=0; + for( i=0; values[i].bv_val != NULL; i++ ) { + ber_len_t j,max; - if( uidin.bv_val == NULL ) { - free( out.bv_val ); - return LDAP_INVALID_SYNTAX; - } + if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; - uidin.bv_len = out.bv_len - (uidin.bv_val - out.bv_val); - out.bv_len -= uidin.bv_len--; + if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && + ( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) + { + char pre = SLAP_INDEX_SUBSTR_PREFIX; + max = values[i].bv_len - (SLAP_INDEX_SUBSTR_MAXLEN - 1); - /* temporarily trim the UID */ - *(uidin.bv_val++) = '\0'; + for( j=0; jbv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); + } - rc = bitStringNormalize( syntax, &uidin, &uidout ); + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + &values[i].bv_val[j], + SLAP_INDEX_SUBSTR_MAXLEN ); + HASH_Final( HASHdigest, &HASHcontext ); - if( rc != LDAP_SUCCESS ) { - free( out.bv_val ); - return LDAP_INVALID_SYNTAX; + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); } } -#ifdef USE_DN_NORMALIZE - rc = dnNormalize2( NULL, &out, normalized ); -#else - rc = dnPretty2( NULL, &out, normalized ); -#endif + max = SLAP_INDEX_SUBSTR_MAXLEN < values[i].bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : values[i].bv_len; - if( rc != LDAP_SUCCESS ) { - free( out.bv_val ); - free( uidout.bv_val ); - return LDAP_INVALID_SYNTAX; - } + for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { + char pre; - if( uidout.bv_len ) { - normalized->bv_val = ch_realloc( normalized->bv_val, - normalized->bv_len + uidout.bv_len + sizeof("#") ); + if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + HASH_Init( &HASHcontext ); + if( prefix != NULL && prefix->bv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); + } + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + values[i].bv_val, j ); + HASH_Final( HASHdigest, &HASHcontext ); - /* insert the separator */ - normalized->bv_val[normalized->bv_len++] = '#'; + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); + } - /* append the UID */ - AC_MEMCPY( &normalized->bv_val[normalized->bv_len], - uidout.bv_val, uidout.bv_len ); - normalized->bv_len += uidout.bv_len; + if( flags & SLAP_INDEX_SUBSTR_FINAL ) { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + HASH_Init( &HASHcontext ); + if( prefix != NULL && prefix->bv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); + } + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + &values[i].bv_val[values[i].bv_len-j], j ); + HASH_Final( HASHdigest, &HASHcontext ); + + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); + } - /* terminate */ - normalized->bv_val[normalized->bv_len] = '\0'; } - free( out.bv_val ); } - return LDAP_SUCCESS; -} - -/* - * Handling boolean syntax and matching is quite rigid. - * A more flexible approach would be to allow a variety - * of strings to be normalized and prettied into TRUE - * and FALSE. - */ -static int -booleanValidate( - Syntax *syntax, - struct berval *in ) -{ - /* very unforgiving validation, requires no normalization - * before simplistic matching - */ - - if( in->bv_len == 4 ) { - if( !memcmp( in->bv_val, "TRUE", 4 ) ) { - return LDAP_SUCCESS; - } - } else if( in->bv_len == 5 ) { - if( !memcmp( in->bv_val, "FALSE", 5 ) ) { - return LDAP_SUCCESS; - } + if( nkeys > 0 ) { + keys[nkeys].bv_val = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; } - return LDAP_INVALID_SYNTAX; + return LDAP_SUCCESS; } static int -booleanMatch( - int *matchp, +octetStringSubstringsFilter ( + slap_mask_t use, slap_mask_t flags, Syntax *syntax, MatchingRule *mr, - struct berval *value, - void *assertedValue ) + struct berval *prefix, + void * assertedValue, + BerVarray *keysp, + void *ctx) { - /* simplistic matching allowed by rigid validation */ - struct berval *asserted = (struct berval *) assertedValue; - *matchp = value->bv_len != asserted->bv_len; - return LDAP_SUCCESS; -} + SubstringsAssertion *sa; + char pre; + ber_len_t nkeys = 0; + size_t slen, mlen, klen; + BerVarray keys; + HASH_CONTEXT HASHcontext; + unsigned char HASHdigest[HASH_BYTES]; + struct berval *value; + struct berval digest; -/*------------------------------------------------------------------- -LDAP/X.500 string syntax / matching rules have a few oddities. This -comment attempts to detail how slapd(8) treats them. + sa = (SubstringsAssertion *) assertedValue; -Summary: - StringSyntax X.500 LDAP Matching - DirectoryString CHOICE UTF8 i/e + ignore insignificant spaces - PrintableString subset subset i/e + ignore insignificant spaces - NumericString subset subset ignore all spaces - IA5String ASCII ASCII i/e + ignore insignificant spaces - TeletexString T.61 T.61 i/e + ignore insignificant spaces + if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL + && sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } - TelephoneNumber subset subset i + ignore all spaces and "-" + if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { + ber_len_t i; + for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { + if( sa->sa_any[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { + /* don't bother accounting for stepping */ + nkeys += sa->sa_any[i].bv_len - + ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + } + } + } - See draft-ietf-ldapbis-strpro for details (once published). + if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && + sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + nkeys++; + } + if( nkeys == 0 ) { + *keysp = NULL; + return LDAP_SUCCESS; + } -Directory String - - In X.500(93), a directory string can be either a PrintableString, - a bmpString, or a UniversalString (e.g., UCS (a subset of Unicode)). - In later versions, more CHOICEs were added. In all cases the string - must be non-empty. + digest.bv_val = HASHdigest; + digest.bv_len = sizeof(HASHdigest); - In LDPAv3, a directory string is a UTF-8 encoded UCS string. + slen = syntax->ssyn_oidlen; + mlen = mr->smr_oidlen; - For matching, there are both case ignore and exact rules. Both - also require that "insignificant" spaces be ignored. - spaces before the first non-space are ignored; - spaces after the last non-space are ignored; - spaces after a space are ignored. - Note: by these rules (and as clarified in X.520), a string of only - spaces is to be treated as if held one space, not empty (which - would be a syntax error). + keys = sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx ); + nkeys = 0; -NumericString - In ASN.1, numeric string is just a string of digits and spaces - and could be empty. However, in X.500, all attribute values of - numeric string carry a non-empty constraint. For example: + if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL && + sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; + value = &sa->sa_initial; - internationalISDNNumber ATTRIBUTE ::= { - WITH SYNTAX InternationalISDNNumber - EQUALITY MATCHING RULE numericStringMatch - SUBSTRINGS MATCHING RULE numericStringSubstringsMatch - ID id-at-internationalISDNNumber } - InternationalISDNNumber ::= - NumericString (SIZE(1..ub-international-isdn-number)) + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - Unforunately, some assertion values are don't carry the same - constraint (but its unclear how such an assertion could ever - be true). In LDAP, there is one syntax (numericString) not two - (numericString with constraint, numericString without constraint). - This should be treated as numericString with non-empty constraint. - Note that while someone may have no ISDN number, there are no ISDN - numbers which are zero length. + HASH_Init( &HASHcontext ); + if( prefix != NULL && prefix->bv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); + } + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + value->bv_val, klen ); + HASH_Final( HASHdigest, &HASHcontext ); - In matching, spaces are ignored. + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); + } -PrintableString - In ASN.1, Printable string is just a string of printable characters - and can be empty. In X.500, semantics much like NumericString (see - serialNumber for a like example) excepting uses insignificant space - handling instead of ignore all spaces. + if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { + ber_len_t i, j; + pre = SLAP_INDEX_SUBSTR_PREFIX; + klen = SLAP_INDEX_SUBSTR_MAXLEN; -IA5String - Basically same as PrintableString. There are no examples in X.500, - but same logic applies. So we require them to be non-empty as - well. + for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { + if( sa->sa_any[i].bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { + continue; + } --------------------------------------------------------------------*/ + value = &sa->sa_any[i]; -static int -UTF8StringValidate( - Syntax *syntax, - struct berval *in ) -{ - ber_len_t count; - int len; - unsigned char *u = in->bv_val; + for(j=0; + j <= value->bv_len - SLAP_INDEX_SUBSTR_MAXLEN; + j += SLAP_INDEX_SUBSTR_STEP ) + { + HASH_Init( &HASHcontext ); + if( prefix != NULL && prefix->bv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); + } + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + &value->bv_val[j], klen ); + HASH_Final( HASHdigest, &HASHcontext ); - if( !in->bv_len ) return LDAP_INVALID_SYNTAX; + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); + } + } + } - for( count = in->bv_len; count > 0; count-=len, u+=len ) { - /* get the length indicated by the first byte */ - len = LDAP_UTF8_CHARLEN2( u, len ); + if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && + sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) + { + pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; + value = &sa->sa_final; - /* very basic checks */ - switch( len ) { - case 6: - if( (u[5] & 0xC0) != 0x80 ) { - return LDAP_INVALID_SYNTAX; - } - case 5: - if( (u[4] & 0xC0) != 0x80 ) { - return LDAP_INVALID_SYNTAX; - } - case 4: - if( (u[3] & 0xC0) != 0x80 ) { - return LDAP_INVALID_SYNTAX; - } - case 3: - if( (u[2] & 0xC0 )!= 0x80 ) { - return LDAP_INVALID_SYNTAX; - } - case 2: - if( (u[1] & 0xC0) != 0x80 ) { - return LDAP_INVALID_SYNTAX; - } - case 1: - /* CHARLEN already validated it */ - break; - default: - return LDAP_INVALID_SYNTAX; + klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len + ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; + + HASH_Init( &HASHcontext ); + if( prefix != NULL && prefix->bv_len > 0 ) { + HASH_Update( &HASHcontext, + prefix->bv_val, prefix->bv_len ); } + HASH_Update( &HASHcontext, + &pre, sizeof( pre ) ); + HASH_Update( &HASHcontext, + syntax->ssyn_oid, slen ); + HASH_Update( &HASHcontext, + mr->smr_oid, mlen ); + HASH_Update( &HASHcontext, + &value->bv_val[value->bv_len-klen], klen ); + HASH_Final( HASHdigest, &HASHcontext ); - /* make sure len corresponds with the offset - to the next character */ - if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX; + ber_dupbv_x( &keys[nkeys++], &digest, ctx ); } - if( count != 0 ) return LDAP_INVALID_SYNTAX; + if( nkeys > 0 ) { + keys[nkeys].bv_val = NULL; + *keysp = keys; + } else { + ch_free( keys ); + *keysp = NULL; + } return LDAP_SUCCESS; } static int -UTF8StringNormalize( +bitStringValidate( Syntax *syntax, - struct berval *val, - struct berval *normalized ) + struct berval *in ) { - char *p, *q, *s, *e; - int len = 0; - - /* validator should have refused an empty string */ - assert( val->bv_len ); - - p = val->bv_val; + ber_len_t i; - /* Ignore initial whitespace */ - /* All space is ASCII. All ASCII is 1 byte */ - for ( ; p < val->bv_val + val->bv_len && ASCII_SPACE( p[ 0 ] ); p++ ); + /* very unforgiving validation, requires no normalization + * before simplistic matching + */ + if( in->bv_len < 3 ) { + return LDAP_INVALID_SYNTAX; + } - normalized->bv_len = val->bv_len - (p - val->bv_val); + /* + * RFC 2252 section 6.3 Bit String + * bitstring = "'" *binary-digit "'B" + * binary-digit = "0" / "1" + * example: '0101111101'B + */ + + if( in->bv_val[0] != '\'' || + in->bv_val[in->bv_len-2] != '\'' || + in->bv_val[in->bv_len-1] != 'B' ) + { + return LDAP_INVALID_SYNTAX; + } - if( !normalized->bv_len ) { - ber_mem2bv( " ", 1, 1, normalized ); - return LDAP_SUCCESS; + for( i=in->bv_len-3; i>0; i-- ) { + if( in->bv_val[i] != '0' && in->bv_val[i] != '1' ) { + return LDAP_INVALID_SYNTAX; + } } - ber_mem2bv( p, normalized->bv_len, 1, normalized ); - e = normalized->bv_val + normalized->bv_len; + return LDAP_SUCCESS; +} + +static int +nameUIDValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + struct berval dn; - assert( normalized->bv_val ); + if( in->bv_len == 0 ) return LDAP_SUCCESS; - p = q = normalized->bv_val; - s = NULL; + ber_dupbv( &dn, in ); + if( !dn.bv_val ) return LDAP_OTHER; - while ( p < e ) { - q += len; - if ( ASCII_SPACE( *p ) ) { - s = q - len; - len = 1; - *q = *p++; + if( dn.bv_val[dn.bv_len-1] == 'B' + && dn.bv_val[dn.bv_len-2] == '\'' ) + { + /* assume presence of optional UID */ + ber_len_t i; - /* Ignore the extra whitespace */ - while ( ASCII_SPACE( *p ) ) { - p++; + for(i=dn.bv_len-3; i>1; i--) { + if( dn.bv_val[i] != '0' && dn.bv_val[i] != '1' ) { + break; } - } else { - len = LDAP_UTF8_COPY(q,p); - s=NULL; - p+=len; } + if( dn.bv_val[i] != '\'' || dn.bv_val[i-1] != '#' ) { + ber_memfree( dn.bv_val ); + return LDAP_INVALID_SYNTAX; + } + + /* trim the UID to allow use of dnValidate */ + dn.bv_val[i-1] = '\0'; + dn.bv_len = i-1; } - assert( normalized->bv_val <= p ); - assert( q+len <= p ); + rc = dnValidate( NULL, &dn ); - /* cannot start with a space */ - assert( !ASCII_SPACE( normalized->bv_val[0] ) ); + ber_memfree( dn.bv_val ); + return rc; +} - /* - * If the string ended in space, backup the pointer one - * position. One is enough because the above loop collapsed - * all whitespace to a single space. - */ +static int +uniqueMemberNormalize( + slap_mask_t usage, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *normalized, + void *ctx ) +{ + struct berval out; + int rc; - if ( s != NULL ) { - len = q - s; - q = s; - } + ber_dupbv( &out, val ); + if( out.bv_len != 0 ) { + struct berval uid = { 0, NULL }; - /* cannot end with a space */ - assert( !ASCII_SPACE( *q ) ); + if( out.bv_val[out.bv_len-1] == 'B' + && out.bv_val[out.bv_len-2] == '\'' ) + { + /* assume presence of optional UID */ + uid.bv_val = strrchr( out.bv_val, '#' ); - q += len; + if( uid.bv_val == NULL ) { + free( out.bv_val ); + return LDAP_INVALID_SYNTAX; + } - /* null terminate */ - *q = '\0'; + uid.bv_len = out.bv_len - (uid.bv_val - out.bv_val); + out.bv_len -= uid.bv_len--; - normalized->bv_len = q - normalized->bv_val; + /* temporarily trim the UID */ + *(uid.bv_val++) = '\0'; + } - return LDAP_SUCCESS; -} + rc = dnNormalize( 0, NULL, NULL, &out, normalized, ctx ); -/* Returns Unicode canonically normalized copy of a substring assertion - * Skipping attribute description */ -static SubstringsAssertion * -UTF8SubstringsassertionNormalize( - SubstringsAssertion *sa, - unsigned casefold ) -{ - SubstringsAssertion *nsa; - int i; + if( rc != LDAP_SUCCESS ) { + free( out.bv_val ); + return LDAP_INVALID_SYNTAX; + } - nsa = (SubstringsAssertion *)ch_calloc( 1, sizeof(SubstringsAssertion) ); - if( nsa == NULL ) { - return NULL; - } + if( uid.bv_len ) { + normalized->bv_val = ch_realloc( normalized->bv_val, + normalized->bv_len + uid.bv_len + sizeof("#") ); - if( sa->sa_initial.bv_val != NULL ) { - UTF8bvnormalize( &sa->sa_initial, &nsa->sa_initial, casefold ); - if( nsa->sa_initial.bv_val == NULL ) { - goto err; - } - } + /* insert the separator */ + normalized->bv_val[normalized->bv_len++] = '#'; - if( sa->sa_any != NULL ) { - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - /* empty */ - } - nsa->sa_any = (struct berval *) - ch_malloc( (i + 1) * sizeof(struct berval) ); + /* append the UID */ + AC_MEMCPY( &normalized->bv_val[normalized->bv_len], + uid.bv_val, uid.bv_len ); + normalized->bv_len += uid.bv_len; - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - UTF8bvnormalize( &sa->sa_any[i], &nsa->sa_any[i], - casefold ); - if( nsa->sa_any[i].bv_val == NULL ) { - goto err; - } + /* terminate */ + normalized->bv_val[normalized->bv_len] = '\0'; } - nsa->sa_any[i].bv_val = NULL; - } - if( sa->sa_final.bv_val != NULL ) { - UTF8bvnormalize( &sa->sa_final, &nsa->sa_final, casefold ); - if( nsa->sa_final.bv_val == NULL ) { - goto err; - } + free( out.bv_val ); } - return nsa; - -err: - if ( nsa->sa_final.bv_val ) free( nsa->sa_final.bv_val ); - if ( nsa->sa_any ) ber_bvarray_free( nsa->sa_any ); - if ( nsa->sa_initial.bv_val ) free( nsa->sa_initial.bv_val ); - ch_free( nsa ); - return NULL; + return LDAP_SUCCESS; } -#ifndef SLAPD_APPROX_OLDSINGLESTRING +/* + * Handling boolean syntax and matching is quite rigid. + * A more flexible approach would be to allow a variety + * of strings to be normalized and prettied into TRUE + * and FALSE. + */ +static int +booleanValidate( + Syntax *syntax, + struct berval *in ) +{ + /* very unforgiving validation, requires no normalization + * before simplistic matching + */ + + if( in->bv_len == 4 ) { + if( bvmatch( in, &slap_true_bv ) ) { + return LDAP_SUCCESS; + } + } else if( in->bv_len == 5 ) { + if( bvmatch( in, &slap_false_bv ) ) { + return LDAP_SUCCESS; + } + } -#if defined(SLAPD_APPROX_INITIALS) -#define SLAPD_APPROX_DELIMITER "._ " -#define SLAPD_APPROX_WORDLEN 2 -#else -#define SLAPD_APPROX_DELIMITER " " -#define SLAPD_APPROX_WORDLEN 1 -#endif + return LDAP_INVALID_SYNTAX; +} static int -approxMatch( +booleanMatch( int *matchp, slap_mask_t flags, Syntax *syntax, @@ -768,2033 +832,220 @@ approxMatch( struct berval *value, void *assertedValue ) { - struct berval *nval, *assertv; - char *val, **values, **words, *c; - int i, count, len, nextchunk=0, nextavail=0; - - /* Yes, this is necessary */ - nval = UTF8bvnormalize( value, NULL, LDAP_UTF8_APPROX ); - if( nval == NULL ) { - *matchp = 1; - return LDAP_SUCCESS; - } + /* simplistic matching allowed by rigid validation */ + struct berval *asserted = (struct berval *) assertedValue; + *matchp = value->bv_len != asserted->bv_len; + return LDAP_SUCCESS; +} - /* Yes, this is necessary */ - assertv = UTF8bvnormalize( ((struct berval *)assertedValue), - NULL, LDAP_UTF8_APPROX ); - if( assertv == NULL ) { - ber_bvfree( nval ); - *matchp = 1; - return LDAP_SUCCESS; - } - - /* Isolate how many words there are */ - for ( c = nval->bv_val, count = 1; *c; c++ ) { - c = strpbrk( c, SLAPD_APPROX_DELIMITER ); - if ( c == NULL ) break; - *c = '\0'; - count++; - } - - /* Get a phonetic copy of each word */ - words = (char **)ch_malloc( count * sizeof(char *) ); - values = (char **)ch_malloc( count * sizeof(char *) ); - for ( c = nval->bv_val, i = 0; i < count; i++, c += strlen(c) + 1 ) { - words[i] = c; - values[i] = phonetic(c); - } - - /* Work through the asserted value's words, to see if at least some - of the words are there, in the same order. */ - len = 0; - while ( (ber_len_t) nextchunk < assertv->bv_len ) { - len = strcspn( assertv->bv_val + nextchunk, SLAPD_APPROX_DELIMITER); - if( len == 0 ) { - nextchunk++; - continue; - } -#if defined(SLAPD_APPROX_INITIALS) - else if( len == 1 ) { - /* Single letter words need to at least match one word's initial */ - for( i=nextavail; ibv_val + nextchunk, words[i], 1 )) { - nextavail=i+1; - break; - } - } -#endif - else { - /* Isolate the next word in the asserted value and phonetic it */ - assertv->bv_val[nextchunk+len] = '\0'; - val = phonetic( assertv->bv_val + nextchunk ); - - /* See if this phonetic chunk is in the remaining words of *value */ - for( i=nextavail; i= count ) { - nextavail=-1; - break; - } - - /* Go on to the next word in the asserted value */ - nextchunk += len+1; - } - - /* If some of the words were seen, call it a match */ - if( nextavail > 0 ) { - *matchp = 0; - } - else { - *matchp = 1; - } - - /* Cleanup allocs */ - ber_bvfree( assertv ); - for( i=0; i= SLAPD_APPROX_WORDLEN ) wordcount++; - c+= len; - if (*c == '\0') break; - *c = '\0'; - } - - /* Allocate/increase storage to account for new keys */ - newkeys = (struct berval *)ch_malloc( (keycount + wordcount + 1) - * sizeof(struct berval) ); - AC_MEMCPY( newkeys, keys, keycount * sizeof(struct berval) ); - if( keys ) ch_free( keys ); - keys = newkeys; - - /* Get a phonetic copy of each word */ - for( c = val.bv_val, i = 0; i < wordcount; c += len + 1 ) { - len = strlen( c ); - if( len < SLAPD_APPROX_WORDLEN ) continue; - ber_str2bv( phonetic( c ), 0, 0, &keys[keycount] ); - keycount++; - i++; - } - - ber_memfree( val.bv_val ); - } - keys[keycount].bv_val = NULL; - *keysp = keys; - - return LDAP_SUCCESS; -} - -static int -approxFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - char *c; - int i, count, len; - struct berval *val; - BerVarray keys; - - /* Yes, this is necessary */ - val = UTF8bvnormalize( ((struct berval *)assertValue), - NULL, LDAP_UTF8_APPROX ); - if( val == NULL || val->bv_val == NULL ) { - keys = (struct berval *)ch_malloc( sizeof(struct berval) ); - keys[0].bv_val = NULL; - *keysp = keys; - ber_bvfree( val ); - return LDAP_SUCCESS; - } - - /* Isolate how many words there are. There will be a key for each */ - for( count = 0,c = val->bv_val; *c; c++) { - len = strcspn(c, SLAPD_APPROX_DELIMITER); - if( len >= SLAPD_APPROX_WORDLEN ) count++; - c+= len; - if (*c == '\0') break; - *c = '\0'; - } - - /* Allocate storage for new keys */ - keys = (struct berval *)ch_malloc( (count + 1) * sizeof(struct berval) ); - - /* Get a phonetic copy of each word */ - for( c = val->bv_val, i = 0; i < count; c += len + 1 ) { - len = strlen(c); - if( len < SLAPD_APPROX_WORDLEN ) continue; - ber_str2bv( phonetic( c ), 0, 0, &keys[i] ); - i++; - } - - ber_bvfree( val ); - - keys[count].bv_val = NULL; - *keysp = keys; - - return LDAP_SUCCESS; -} - - -#else -/* No other form of Approximate Matching is defined */ - -static int -approxMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - char *vapprox, *avapprox; - char *s, *t; - - /* Yes, this is necessary */ - s = UTF8normalize( value, UTF8_NOCASEFOLD ); - if( s == NULL ) { - *matchp = 1; - return LDAP_SUCCESS; - } - - /* Yes, this is necessary */ - t = UTF8normalize( ((struct berval *)assertedValue), - UTF8_NOCASEFOLD ); - if( t == NULL ) { - free( s ); - *matchp = -1; - return LDAP_SUCCESS; - } - - vapprox = phonetic( strip8bitChars( s ) ); - avapprox = phonetic( strip8bitChars( t ) ); - - free( s ); - free( t ); - - *matchp = strcmp( vapprox, avapprox ); - - ch_free( vapprox ); - ch_free( avapprox ); - - return LDAP_SUCCESS; -} - -static int -approxIndexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - int i; - BerVarray *keys; - char *s; - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty - just count them */ - } - - /* we should have at least one value at this point */ - assert( i > 0 ); - - keys = (struct berval *)ch_malloc( sizeof( struct berval ) * (i+1) ); - - /* Copy each value and run it through phonetic() */ - for( i=0; values[i].bv_val != NULL; i++ ) { - /* Yes, this is necessary */ - s = UTF8normalize( &values[i], UTF8_NOCASEFOLD ); - - /* strip 8-bit chars and run through phonetic() */ - ber_str2bv( phonetic( strip8bitChars( s ) ), 0, 0, &keys[i] ); - free( s ); - } - keys[i].bv_val = NULL; - - *keysp = keys; - return LDAP_SUCCESS; -} - - -static int -approxFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - BerVarray keys; - char *s; - - keys = (struct berval *)ch_malloc( sizeof( struct berval * ) * 2 ); - - /* Yes, this is necessary */ - s = UTF8normalize( ((struct berval *)assertValue), - UTF8_NOCASEFOLD ); - if( s == NULL ) { - keys[0] = NULL; - } else { - /* strip 8-bit chars and run through phonetic() */ - keys[0] = ber_bvstr( phonetic( strip8bitChars( s ) ) ); - free( s ); - keys[1] = NULL; - } - - *keysp = keys; - return LDAP_SUCCESS; -} -#endif - - -static int -caseExactMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - *matchp = UTF8bvnormcmp( value, - (struct berval *) assertedValue, - LDAP_UTF8_NOCASEFOLD ); - return LDAP_SUCCESS; -} - -static int -caseExactIgnoreSubstringsMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - int match = 0; - SubstringsAssertion *sub = NULL; - struct berval left = { 0, NULL }; - int i; - ber_len_t inlen=0; - char *nav = NULL; - unsigned casefold; - - casefold = ( mr != caseExactSubstringsMatchingRule ) - ? LDAP_UTF8_CASEFOLD : LDAP_UTF8_NOCASEFOLD; - - if ( UTF8bvnormalize( value, &left, casefold ) == NULL ) { - match = 1; - goto done; - } - nav = left.bv_val; - - sub = UTF8SubstringsassertionNormalize( assertedValue, casefold ); - if( sub == NULL ) { - match = -1; - goto done; - } - - /* Add up asserted input length */ - if( sub->sa_initial.bv_val ) { - inlen += sub->sa_initial.bv_len; - } - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val != NULL; i++) { - inlen += sub->sa_any[i].bv_len; - } - } - if( sub->sa_final.bv_val ) { - inlen += sub->sa_final.bv_len; - } - - if( sub->sa_initial.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; - } - - match = memcmp( sub->sa_initial.bv_val, left.bv_val, - sub->sa_initial.bv_len ); - - if( match != 0 ) { - goto done; - } - - left.bv_val += sub->sa_initial.bv_len; - left.bv_len -= sub->sa_initial.bv_len; - inlen -= sub->sa_initial.bv_len; - } - - if( sub->sa_final.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; - } - - match = memcmp( sub->sa_final.bv_val, - &left.bv_val[left.bv_len - sub->sa_final.bv_len], - sub->sa_final.bv_len ); - - if( match != 0 ) { - goto done; - } - - left.bv_len -= sub->sa_final.bv_len; - inlen -= sub->sa_final.bv_len; - } - - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val; i++) { - ber_len_t idx; - char *p; - -retry: - if( inlen > left.bv_len ) { - /* not enough length */ - match = 1; - goto done; - } - - if( sub->sa_any[i].bv_len == 0 ) { - continue; - } - - p = ber_bvchr( &left, *sub->sa_any[i].bv_val ); - if ( p == NULL ) { - match = 1; - goto done; - } - - idx = p - left.bv_val; - - if( idx >= left.bv_len ) { - /* this shouldn't happen */ - free( nav ); - if ( sub->sa_final.bv_val ) - ch_free( sub->sa_final.bv_val ); - if ( sub->sa_any ) - ber_bvarray_free( sub->sa_any ); - if ( sub->sa_initial.bv_val ) - ch_free( sub->sa_initial.bv_val ); - ch_free( sub ); - return LDAP_OTHER; - } - - left.bv_val = p; - left.bv_len -= idx; - - if( sub->sa_any[i].bv_len > left.bv_len ) { - /* not enough left */ - match = 1; - goto done; - } - - match = memcmp( left.bv_val, - sub->sa_any[i].bv_val, - sub->sa_any[i].bv_len ); - - if( match != 0 ) { - left.bv_val++; - left.bv_len--; - goto retry; - } - - left.bv_val += sub->sa_any[i].bv_len; - left.bv_len -= sub->sa_any[i].bv_len; - inlen -= sub->sa_any[i].bv_len; - } - } - -done: - free( nav ); - if( sub != NULL ) { - if ( sub->sa_final.bv_val ) free( sub->sa_final.bv_val ); - if ( sub->sa_any ) ber_bvarray_free( sub->sa_any ); - if ( sub->sa_initial.bv_val ) free( sub->sa_initial.bv_val ); - ch_free( sub ); - } - *matchp = match; - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int caseExactIgnoreIndexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - int i; - unsigned casefold; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty - just count them */ - } - - /* we should have at least one value at this point */ - assert( i > 0 ); - - keys = ch_malloc( sizeof( struct berval ) * (i+1) ); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - casefold = ( mr != caseExactMatchingRule ) - ? LDAP_UTF8_CASEFOLD : LDAP_UTF8_NOCASEFOLD; - - for( i=0; values[i].bv_val != NULL; i++ ) { - struct berval value; - UTF8bvnormalize( &values[i], &value, casefold ); - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, value.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - free( value.bv_val ); - - ber_dupbv( &keys[i], &digest ); - } - - keys[i].bv_val = NULL; - *keysp = keys; - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int caseExactIgnoreFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - unsigned casefold; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval value = { 0, NULL }; - struct berval digest; - - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - casefold = ( mr != caseExactMatchingRule ) - ? LDAP_UTF8_CASEFOLD : LDAP_UTF8_NOCASEFOLD; - - UTF8bvnormalize( (struct berval *) assertValue, &value, casefold ); - /* This usually happens if filter contains bad UTF8 */ - if( value.bv_val == NULL ) { - keys = ch_malloc( sizeof( struct berval ) ); - keys[0].bv_val = NULL; - return LDAP_SUCCESS; - } - - keys = ch_malloc( sizeof( struct berval ) * 2 ); - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, value.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( keys, &digest ); - keys[1].bv_val = NULL; - - free( value.bv_val ); - - *keysp = keys; - return LDAP_SUCCESS; -} - -/* Substrings Index generation function */ -static int caseExactIgnoreSubstringsIndexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - unsigned casefold; - ber_len_t i, nkeys; - size_t slen, mlen; - BerVarray keys; - BerVarray nvalues; - - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - nkeys=0; - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty - just count them */ - } - - /* we should have at least one value at this point */ - assert( i > 0 ); - - casefold = ( mr != caseExactSubstringsMatchingRule ) - ? LDAP_UTF8_CASEFOLD : LDAP_UTF8_NOCASEFOLD; - - nvalues = ch_malloc( sizeof( struct berval ) * (i+1) ); - for( i=0; values[i].bv_val != NULL; i++ ) { - UTF8bvnormalize( &values[i], &nvalues[i], casefold ); - } - nvalues[i].bv_val = NULL; - values = nvalues; - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* count number of indices to generate */ - if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { - continue; - } - - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); - } - } - - if( flags & SLAP_INDEX_SUBSTR_ANY ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); - } - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); - } - } - } - - if( nkeys == 0 ) { - /* no keys to generate */ - *keysp = NULL; - ber_bvarray_free( nvalues ); - return LDAP_SUCCESS; - } - - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - nkeys=0; - for( i=0; values[i].bv_val != NULL; i++ ) { - ber_len_t j,max; - - if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; - - if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && - ( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) - { - char pre = SLAP_INDEX_SUBSTR_PREFIX; - max = values[i].bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1); - - for( j=0; jbv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &values[i].bv_val[j], - SLAP_INDEX_SUBSTR_MAXLEN ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - } - - max = SLAP_INDEX_SUBSTR_MAXLEN < values[i].bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : values[i].bv_len; - - for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { - char pre; - - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - values[i].bv_val, j ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &values[i].bv_val[values[i].bv_len-j], j ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - } - - } - - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; - } - - ber_bvarray_free( nvalues ); - - return LDAP_SUCCESS; -} - -static int caseExactIgnoreSubstringsFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - SubstringsAssertion *sa; - char pre; - unsigned casefold; - ber_len_t nkeys = 0; - size_t slen, mlen, klen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval *value; - struct berval digest; - - casefold = ( mr != caseExactSubstringsMatchingRule ) - ? LDAP_UTF8_CASEFOLD : LDAP_UTF8_NOCASEFOLD; - - sa = UTF8SubstringsassertionNormalize( assertValue, casefold ); - if( sa == NULL ) { - *keysp = NULL; - return LDAP_SUCCESS; - } - - if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; - } - - if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { - ber_len_t i; - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - /* don't bother accounting for stepping */ - nkeys += sa->sa_any[i].bv_len - - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); - } - } - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; - } - - if( nkeys == 0 ) { - if ( sa->sa_final.bv_val ) free( sa->sa_final.bv_val ); - if ( sa->sa_any ) ber_bvarray_free( sa->sa_any ); - if ( sa->sa_initial.bv_val ) free( sa->sa_initial.bv_val ); - ch_free( sa ); - *keysp = NULL; - return LDAP_SUCCESS; - } - - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); - nkeys = 0; - - if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - value = &sa->sa_initial; - - klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value->bv_val, klen ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { - ber_len_t i, j; - pre = SLAP_INDEX_SUBSTR_PREFIX; - klen = SLAP_INDEX_SUBSTR_MAXLEN; - - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { - continue; - } - - value = &sa->sa_any[i]; - - for(j=0; - j <= value->bv_len - SLAP_INDEX_SUBSTR_MAXLEN; - j += SLAP_INDEX_SUBSTR_STEP ) - { - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[j], klen ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - } - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - value = &sa->sa_final; - - klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[value->bv_len-klen], klen ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; - } - if ( sa->sa_final.bv_val ) free( sa->sa_final.bv_val ); - if ( sa->sa_any ) ber_bvarray_free( sa->sa_any ); - if ( sa->sa_initial.bv_val ) free( sa->sa_initial.bv_val ); - ch_free( sa ); - - return LDAP_SUCCESS; -} - -static int -caseIgnoreMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - *matchp = UTF8bvnormcmp( value, - (struct berval *) assertedValue, - LDAP_UTF8_CASEFOLD ); - return LDAP_SUCCESS; -} - -/* Remove all spaces and '-' characters */ -static int -telephoneNumberNormalize( - Syntax *syntax, - struct berval *val, - struct berval *normalized ) -{ - char *p, *q; - - /* validator should have refused an empty string */ - assert( val->bv_len ); - - q = normalized->bv_val = ch_malloc( val->bv_len + 1 ); - - for( p = val->bv_val; *p; p++ ) { - if ( ! ( ASCII_SPACE( *p ) || *p == '-' )) { - *q++ = *p; - } - } - *q = '\0'; - - normalized->bv_len = q - normalized->bv_val; - - if( normalized->bv_len == 0 ) { - free( normalized->bv_val ); - return LDAP_INVALID_SYNTAX; - } - - return LDAP_SUCCESS; -} - -static int -oidValidate( - Syntax *syntax, - struct berval *val ) -{ - ber_len_t i; - - if( val->bv_len == 0 ) { - /* disallow empty strings */ - return LDAP_INVALID_SYNTAX; - } - - if( OID_LEADCHAR(val->bv_val[0]) ) { - int dot = 0; - for(i=1; i < val->bv_len; i++) { - if( OID_SEPARATOR( val->bv_val[i] ) ) { - if( dot++ ) return 1; - } else if ( OID_CHAR( val->bv_val[i] ) ) { - dot = 0; - } else { - return LDAP_INVALID_SYNTAX; - } - } - - return !dot ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX; - - } else if( DESC_LEADCHAR(val->bv_val[0]) ) { - for(i=1; i < val->bv_len; i++) { - if( !DESC_CHAR(val->bv_val[i] ) ) { - return LDAP_INVALID_SYNTAX; - } - } - - return LDAP_SUCCESS; - } - - return LDAP_INVALID_SYNTAX; -} - -static int -integerMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - char *v, *av; - int vsign = 1, avsign = 1; /* default sign = '+' */ - struct berval *asserted; - ber_len_t vlen, avlen; - int match; - - /* Skip leading space/sign/zeroes, and get the sign of the *value number */ - v = value->bv_val; - vlen = value->bv_len; - if( mr == integerFirstComponentMatchingRule ) { - char *tmp = memchr( v, '$', vlen ); - if( tmp ) - vlen = tmp - v; - while( vlen && ASCII_SPACE( v[vlen-1] )) - vlen--; - } - for( ; vlen && ( *v < '1' || '9' < *v ); v++, vlen-- ) /* ANSI 2.2.1 */ - if( *v == '-' ) - vsign = -1; - if( vlen == 0 ) - vsign = 0; - - /* Do the same with the *assertedValue number */ - asserted = (struct berval *) assertedValue; - av = asserted->bv_val; - avlen = asserted->bv_len; - for( ; avlen && ( *av < '1' || '9' < *av ); av++, avlen-- ) - if( *av == '-' ) - avsign = -1; - if( avlen == 0 ) - avsign = 0; - - match = vsign - avsign; - if( match == 0 ) { - match = (vlen != avlen - ? ( vlen < avlen ? -1 : 1 ) - : memcmp( v, av, vlen )); - if( vsign < 0 ) - match = -match; - } - - *matchp = match; - return LDAP_SUCCESS; -} - -static int -integerValidate( - Syntax *syntax, - struct berval *val ) -{ - ber_len_t i; - - if( !val->bv_len ) return LDAP_INVALID_SYNTAX; - - if(( val->bv_val[0] == '+' ) || ( val->bv_val[0] == '-' )) { - if( val->bv_len < 2 ) return LDAP_INVALID_SYNTAX; - } else if( !ASCII_DIGIT(val->bv_val[0]) ) { - return LDAP_INVALID_SYNTAX; - } - - for( i=1; i < val->bv_len; i++ ) { - if( !ASCII_DIGIT(val->bv_val[i]) ) return LDAP_INVALID_SYNTAX; - } - - return LDAP_SUCCESS; -} - -static int -integerNormalize( - Syntax *syntax, - struct berval *val, - struct berval *normalized ) -{ - char *p; - int negative=0; - ber_len_t len; - - - p = val->bv_val; - len = val->bv_len; - - /* Ignore leading spaces */ - while ( len && ( *p == ' ' )) { - p++; - len--; - } - - /* save sign */ - if( len ) { - negative = ( *p == '-' ); - if(( *p == '-' ) || ( *p == '+' )) { - p++; - len--; - } - } - - /* Ignore leading zeros */ - while ( len && ( *p == '0' )) { - p++; - len--; - } - - /* If there are no non-zero digits left, the number is zero, otherwise - allocate space for the number and copy it into the buffer */ - if( len == 0 ) { - normalized->bv_val = ch_strdup("0"); - normalized->bv_len = 1; - } - else { - normalized->bv_len = len+negative; - normalized->bv_val = ch_malloc( normalized->bv_len + 1 ); - if( negative ) { - normalized->bv_val[0] = '-'; - } - AC_MEMCPY( normalized->bv_val + negative, p, len ); - normalized->bv_val[len+negative] = '\0'; - } - - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int integerIndexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - int i; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty - just count them */ - } - - /* we should have at least one value at this point */ - assert( i > 0 ); - - keys = ch_malloc( sizeof( struct berval ) * (i+1) ); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - for( i=0; values[i].bv_val != NULL; i++ ) { - struct berval norm; - integerNormalize( syntax, &values[i], &norm ); - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - norm.bv_val, norm.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[i], &digest ); - ch_free( norm.bv_val ); - } - - keys[i].bv_val = NULL; - *keysp = keys; - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int integerFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval norm; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - integerNormalize( syntax, assertValue, &norm ); - - keys = ch_malloc( sizeof( struct berval ) * 2 ); - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - norm.bv_val, norm.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[0], &digest ); - keys[1].bv_val = NULL; - ch_free( norm.bv_val ); - - *keysp = keys; - return LDAP_SUCCESS; -} - - -static int -countryStringValidate( - Syntax *syntax, - struct berval *val ) -{ - if( val->bv_len != 2 ) return LDAP_INVALID_SYNTAX; - - if( !SLAP_PRINTABLE(val->bv_val[0]) ) { - return LDAP_INVALID_SYNTAX; - } - if( !SLAP_PRINTABLE(val->bv_val[1]) ) { - return LDAP_INVALID_SYNTAX; - } - - return LDAP_SUCCESS; -} - -static int -printableStringValidate( - Syntax *syntax, - struct berval *val ) -{ - ber_len_t i; - - if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - - for(i=0; i < val->bv_len; i++) { - if( !SLAP_PRINTABLE(val->bv_val[i]) ) { - return LDAP_INVALID_SYNTAX; - } - } - - return LDAP_SUCCESS; -} - -static int -printablesStringValidate( - Syntax *syntax, - struct berval *val ) -{ - ber_len_t i, len; - - if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - - for(i=0,len=0; i < val->bv_len; i++) { - int c = val->bv_val[i]; - - if( c == '$' ) { - if( len == 0 ) { - return LDAP_INVALID_SYNTAX; - } - len = 0; - - } else if ( SLAP_PRINTABLE(c) ) { - len++; - } else { - return LDAP_INVALID_SYNTAX; - } - } - - if( len == 0 ) { - return LDAP_INVALID_SYNTAX; - } - - return LDAP_SUCCESS; -} - -static int -IA5StringValidate( - Syntax *syntax, - struct berval *val ) -{ - ber_len_t i; - - if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - - for(i=0; i < val->bv_len; i++) { - if( !LDAP_ASCII(val->bv_val[i]) ) { - return LDAP_INVALID_SYNTAX; - } - } - - return LDAP_SUCCESS; -} - -static int -IA5StringNormalize( - Syntax *syntax, - struct berval *val, - struct berval *normalized ) -{ - char *p, *q; - - assert( val->bv_len ); - - p = val->bv_val; - - /* Ignore initial whitespace */ - while ( ASCII_SPACE( *p ) ) { - p++; - } - - normalized->bv_val = ch_strdup( p ); - p = q = normalized->bv_val; - - while ( *p ) { - if ( ASCII_SPACE( *p ) ) { - *q++ = *p++; - - /* Ignore the extra whitespace */ - while ( ASCII_SPACE( *p ) ) { - p++; - } - } else { - *q++ = *p++; - } - } - - assert( normalized->bv_val <= p ); - assert( q <= p ); - - /* - * If the string ended in space, backup the pointer one - * position. One is enough because the above loop collapsed - * all whitespace to a single space. - */ - - if ( ASCII_SPACE( q[-1] ) ) { - --q; - } - - /* null terminate */ - *q = '\0'; - - normalized->bv_len = q - normalized->bv_val; - - if( normalized->bv_len == 0 ) { - normalized->bv_val = ch_realloc( normalized->bv_val, 2 ); - normalized->bv_val[0] = ' '; - normalized->bv_val[1] = '\0'; - normalized->bv_len = 1; - } - - return LDAP_SUCCESS; -} - -static int -caseExactIA5Match( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - int match = value->bv_len - ((struct berval *) assertedValue)->bv_len; - - if( match == 0 ) { - match = strncmp( value->bv_val, - ((struct berval *) assertedValue)->bv_val, - value->bv_len ); - } - - *matchp = match; - return LDAP_SUCCESS; -} - -static int -caseExactIA5SubstringsMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - int match = 0; - SubstringsAssertion *sub = assertedValue; - struct berval left = *value; - int i; - ber_len_t inlen=0; - - /* Add up asserted input length */ - if( sub->sa_initial.bv_val ) { - inlen += sub->sa_initial.bv_len; - } - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val != NULL; i++) { - inlen += sub->sa_any[i].bv_len; - } - } - if( sub->sa_final.bv_val ) { - inlen += sub->sa_final.bv_len; - } - - if( sub->sa_initial.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; - } - - match = strncmp( sub->sa_initial.bv_val, left.bv_val, - sub->sa_initial.bv_len ); - - if( match != 0 ) { - goto done; - } - - left.bv_val += sub->sa_initial.bv_len; - left.bv_len -= sub->sa_initial.bv_len; - inlen -= sub->sa_initial.bv_len; - } - - if( sub->sa_final.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; - } - - match = strncmp( sub->sa_final.bv_val, - &left.bv_val[left.bv_len - sub->sa_final.bv_len], - sub->sa_final.bv_len ); - - if( match != 0 ) { - goto done; - } - - left.bv_len -= sub->sa_final.bv_len; - inlen -= sub->sa_final.bv_len; - } - - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val; i++) { - ber_len_t idx; - char *p; - -retry: - if( inlen > left.bv_len ) { - /* not enough length */ - match = 1; - goto done; - } - - if( sub->sa_any[i].bv_len == 0 ) { - continue; - } - - p = strchr( left.bv_val, *sub->sa_any[i].bv_val ); - - if( p == NULL ) { - match = 1; - goto done; - } - - idx = p - left.bv_val; - - if( idx >= left.bv_len ) { - /* this shouldn't happen */ - return LDAP_OTHER; - } - - left.bv_val = p; - left.bv_len -= idx; - - if( sub->sa_any[i].bv_len > left.bv_len ) { - /* not enough left */ - match = 1; - goto done; - } - - match = strncmp( left.bv_val, - sub->sa_any[i].bv_val, - sub->sa_any[i].bv_len ); - - if( match != 0 ) { - left.bv_val++; - left.bv_len--; - goto retry; - } - - left.bv_val += sub->sa_any[i].bv_len; - left.bv_len -= sub->sa_any[i].bv_len; - inlen -= sub->sa_any[i].bv_len; - } - } - -done: - *matchp = match; - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int caseExactIA5Indexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - int i; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty - just count them */ - } - - /* we should have at least one value at this point */ - assert( i > 0 ); - - keys = ch_malloc( sizeof( struct berval ) * (i+1) ); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - for( i=0; values[i].bv_val != NULL; i++ ) { - struct berval *value = &values[i]; - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value->bv_val, value->bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[i], &digest ); - } - - keys[i].bv_val = NULL; - *keysp = keys; - return LDAP_SUCCESS; -} - -/* Index generation function */ -static int caseExactIA5Filter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval *value; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - value = (struct berval *) assertValue; - - keys = ch_malloc( sizeof( struct berval ) * 2 ); - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value->bv_val, value->bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[0], &digest ); - keys[1].bv_val = NULL; - - *keysp = keys; - return LDAP_SUCCESS; -} - -/* Substrings Index generation function */ -static int caseExactIA5SubstringsIndexer( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) -{ - ber_len_t i, nkeys; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - - /* we should have at least one value at this point */ - assert( values != NULL && values[0].bv_val != NULL ); - - nkeys=0; - for( i=0; values[i].bv_val != NULL; i++ ) { - /* count number of indices to generate */ - if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { - continue; - } - - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); - } - } - - if( flags & SLAP_INDEX_SUBSTR_ANY ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); - } - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); - } - } - } - - if( nkeys == 0 ) { - /* no keys to generate */ - *keysp = NULL; - return LDAP_SUCCESS; - } - - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); - - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; - - nkeys=0; - for( i=0; values[i].bv_val != NULL; i++ ) { - ber_len_t j,max; - struct berval *value; - - value = &values[i]; - if( value->bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; - - if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && - ( value->bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) - { - char pre = SLAP_INDEX_SUBSTR_PREFIX; - max = value->bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1); - - for( j=0; jbv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[j], - SLAP_INDEX_SUBSTR_MAXLEN ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - } - - max = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - - for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { - char pre; - - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value->bv_val, j ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[value->bv_len-j], j ); - HASH_Final( HASHdigest, &HASHcontext ); +/*------------------------------------------------------------------- +LDAP/X.500 string syntax / matching rules have a few oddities. This +comment attempts to detail how slapd(8) treats them. - ber_dupbv( &keys[nkeys++], &digest ); - } +Summary: + StringSyntax X.500 LDAP Matching/Comments + DirectoryString CHOICE UTF8 i/e + ignore insignificant spaces + PrintableString subset subset i/e + ignore insignificant spaces + PrintableString subset subset i/e + ignore insignificant spaces + NumericString subset subset ignore all spaces + IA5String ASCII ASCII i/e + ignore insignificant spaces + TeletexString T.61 T.61 i/e + ignore insignificant spaces - } - } + TelephoneNumber subset subset i + ignore all spaces and "-" - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; - } + See draft-ietf-ldapbis-strpro for details (once published). - return LDAP_SUCCESS; -} -static int caseExactIA5SubstringsFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - SubstringsAssertion *sa = assertValue; - char pre; - ber_len_t nkeys = 0; - size_t slen, mlen, klen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval *value; - struct berval digest; +Directory String - + In X.500(93), a directory string can be either a PrintableString, + a bmpString, or a UniversalString (e.g., UCS (a subset of Unicode)). + In later versions, more CHOICEs were added. In all cases the string + must be non-empty. - if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; - } + In LDAPv3, a directory string is a UTF-8 encoded UCS string. + A directory string cannot be zero length. - if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { - ber_len_t i; - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - /* don't bother accounting for stepping */ - nkeys += sa->sa_any[i].bv_len - - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); - } - } - } + For matching, there are both case ignore and exact rules. Both + also require that "insignificant" spaces be ignored. + spaces before the first non-space are ignored; + spaces after the last non-space are ignored; + spaces after a space are ignored. + Note: by these rules (and as clarified in X.520), a string of only + spaces is to be treated as if held one space, not empty (which + would be a syntax error). - if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; - } +NumericString + In ASN.1, numeric string is just a string of digits and spaces + and could be empty. However, in X.500, all attribute values of + numeric string carry a non-empty constraint. For example: - if( nkeys == 0 ) { - *keysp = NULL; - return LDAP_SUCCESS; - } + internationalISDNNumber ATTRIBUTE ::= { + WITH SYNTAX InternationalISDNNumber + EQUALITY MATCHING RULE numericStringMatch + SUBSTRINGS MATCHING RULE numericStringSubstringsMatch + ID id-at-internationalISDNNumber } + InternationalISDNNumber ::= + NumericString (SIZE(1..ub-international-isdn-number)) - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); + Unforunately, some assertion values are don't carry the same + constraint (but its unclear how such an assertion could ever + be true). In LDAP, there is one syntax (numericString) not two + (numericString with constraint, numericString without constraint). + This should be treated as numericString with non-empty constraint. + Note that while someone may have no ISDN number, there are no ISDN + numbers which are zero length. - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; + In matching, spaces are ignored. - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); - nkeys = 0; +PrintableString + In ASN.1, Printable string is just a string of printable characters + and can be empty. In X.500, semantics much like NumericString (see + serialNumber for a like example) excepting uses insignificant space + handling instead of ignore all spaces. - if( flags & SLAP_INDEX_SUBSTR_INITIAL && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - value = &sa->sa_initial; +IA5String + Basically same as PrintableString. There are no examples in X.500, + but same logic applies. So we require them to be non-empty as + well. - klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; +-------------------------------------------------------------------*/ - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value->bv_val, klen ); - HASH_Final( HASHdigest, &HASHcontext ); +static int +UTF8StringValidate( + Syntax *syntax, + struct berval *in ) +{ + ber_len_t count; + int len; + unsigned char *u = in->bv_val; - ber_dupbv( &keys[nkeys++], &digest ); + if( in->bv_len == 0 && syntax == slap_schema.si_syn_directoryString ) { + /* directory strings cannot be empty */ + return LDAP_INVALID_SYNTAX; } - if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) { - ber_len_t i, j; - pre = SLAP_INDEX_SUBSTR_PREFIX; - klen = SLAP_INDEX_SUBSTR_MAXLEN; - - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { - continue; - } - - value = &sa->sa_any[i]; + for( count = in->bv_len; count > 0; count-=len, u+=len ) { + /* get the length indicated by the first byte */ + len = LDAP_UTF8_CHARLEN2( u, len ); - for(j=0; - j <= value->bv_len - SLAP_INDEX_SUBSTR_MAXLEN; - j += SLAP_INDEX_SUBSTR_STEP ) - { - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); + /* very basic checks */ + switch( len ) { + case 6: + if( (u[5] & 0xC0) != 0x80 ) { + return LDAP_INVALID_SYNTAX; } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[j], klen ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - } - } - - if( flags & SLAP_INDEX_SUBSTR_FINAL && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - value = &sa->sa_final; - - klen = SLAP_INDEX_SUBSTR_MAXLEN < value->bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value->bv_len; - - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); + case 5: + if( (u[4] & 0xC0) != 0x80 ) { + return LDAP_INVALID_SYNTAX; + } + case 4: + if( (u[3] & 0xC0) != 0x80 ) { + return LDAP_INVALID_SYNTAX; + } + case 3: + if( (u[2] & 0xC0 )!= 0x80 ) { + return LDAP_INVALID_SYNTAX; + } + case 2: + if( (u[1] & 0xC0) != 0x80 ) { + return LDAP_INVALID_SYNTAX; + } + case 1: + /* CHARLEN already validated it */ + break; + default: + return LDAP_INVALID_SYNTAX; } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value->bv_val[value->bv_len-klen], klen ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[nkeys++], &digest ); - } - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; + /* make sure len corresponds with the offset + to the next character */ + if( LDAP_UTF8_OFFSET( u ) != len ) return LDAP_INVALID_SYNTAX; + } + + if( count != 0 ) { + return LDAP_INVALID_SYNTAX; } return LDAP_SUCCESS; } - + static int -caseIgnoreIA5Match( - int *matchp, - slap_mask_t flags, +UTF8StringNormalize( + slap_mask_t use, Syntax *syntax, MatchingRule *mr, - struct berval *value, - void *assertedValue ) + struct berval *val, + struct berval *normalized, + void *ctx ) { - int match = value->bv_len - ((struct berval *) assertedValue)->bv_len; + struct berval tmp, nvalue; + int flags; + int i, wasspace; - if( match == 0 && value->bv_len ) { - match = strncasecmp( value->bv_val, - ((struct berval *) assertedValue)->bv_val, - value->bv_len ); + if( val->bv_val == NULL ) { + /* assume we're dealing with a syntax (e.g., UTF8String) + * which allows empty strings + */ + normalized->bv_len = 0; + normalized->bv_val = NULL; + return LDAP_SUCCESS; } - *matchp = match; + flags = SLAP_MR_ASSOCIATED( mr, slap_schema.si_mr_caseExactMatch ) + ? LDAP_UTF8_NOCASEFOLD : LDAP_UTF8_CASEFOLD; + flags |= ( ( use & SLAP_MR_EQUALITY_APPROX ) == SLAP_MR_EQUALITY_APPROX ) + ? LDAP_UTF8_APPROX : 0; + + val = UTF8bvnormalize( val, &tmp, flags, ctx ); + if( val == NULL ) { + return LDAP_OTHER; + } + + /* collapse spaces (in place) */ + nvalue.bv_len = 0; + nvalue.bv_val = tmp.bv_val; + + wasspace=1; /* trim leading spaces */ + for( i=0; isa_initial.bv_val ) { - inlen += sub->sa_initial.bv_len; - } - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val != NULL; i++) { - inlen += sub->sa_any[i].bv_len; - } - } - if( sub->sa_final.bv_val ) { - inlen += sub->sa_final.bv_len; + /* Yes, this is necessary */ + nval = UTF8bvnormalize( value, NULL, LDAP_UTF8_APPROX, NULL ); + if( nval == NULL ) { + *matchp = 1; + return LDAP_SUCCESS; } - if( sub->sa_initial.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; - } - - match = strncasecmp( sub->sa_initial.bv_val, left.bv_val, - sub->sa_initial.bv_len ); + /* Yes, this is necessary */ + assertv = UTF8bvnormalize( ((struct berval *)assertedValue), + NULL, LDAP_UTF8_APPROX, NULL ); + if( assertv == NULL ) { + ber_bvfree( nval ); + *matchp = 1; + return LDAP_SUCCESS; + } - if( match != 0 ) { - goto done; - } + /* Isolate how many words there are */ + for ( c = nval->bv_val, count = 1; *c; c++ ) { + c = strpbrk( c, SLAPD_APPROX_DELIMITER ); + if ( c == NULL ) break; + *c = '\0'; + count++; + } - left.bv_val += sub->sa_initial.bv_len; - left.bv_len -= sub->sa_initial.bv_len; - inlen -= sub->sa_initial.bv_len; + /* Get a phonetic copy of each word */ + words = (char **)ch_malloc( count * sizeof(char *) ); + values = (char **)ch_malloc( count * sizeof(char *) ); + for ( c = nval->bv_val, i = 0; i < count; i++, c += strlen(c) + 1 ) { + words[i] = c; + values[i] = phonetic(c); } - if( sub->sa_final.bv_val ) { - if( inlen > left.bv_len ) { - match = 1; - goto done; + /* Work through the asserted value's words, to see if at least some + of the words are there, in the same order. */ + len = 0; + while ( (ber_len_t) nextchunk < assertv->bv_len ) { + len = strcspn( assertv->bv_val + nextchunk, SLAPD_APPROX_DELIMITER); + if( len == 0 ) { + nextchunk++; + continue; } - - match = strncasecmp( sub->sa_final.bv_val, - &left.bv_val[left.bv_len - sub->sa_final.bv_len], - sub->sa_final.bv_len ); - - if( match != 0 ) { - goto done; +#if defined(SLAPD_APPROX_INITIALS) + else if( len == 1 ) { + /* Single letter words need to at least match one word's initial */ + for( i=nextavail; ibv_val + nextchunk, words[i], 1 )) { + nextavail=i+1; + break; + } } +#endif + else { + /* Isolate the next word in the asserted value and phonetic it */ + assertv->bv_val[nextchunk+len] = '\0'; + val = phonetic( assertv->bv_val + nextchunk ); - left.bv_len -= sub->sa_final.bv_len; - inlen -= sub->sa_final.bv_len; - } - - if( sub->sa_any ) { - for(i=0; sub->sa_any[i].bv_val; i++) { - ber_len_t idx; - char *p; - -retry: - if( inlen > left.bv_len ) { - /* not enough length */ - match = 1; - goto done; - } - - if( sub->sa_any[i].bv_len == 0 ) { - continue; - } - - p = bvcasechr( &left, *sub->sa_any[i].bv_val, &idx ); - - if( p == NULL ) { - match = 1; - goto done; - } - - assert( idx < left.bv_len ); - if( idx >= left.bv_len ) { - /* this shouldn't happen */ - return LDAP_OTHER; - } - - left.bv_val = p; - left.bv_len -= idx; - - if( sub->sa_any[i].bv_len > left.bv_len ) { - /* not enough left */ - match = 1; - goto done; + /* See if this phonetic chunk is in the remaining words of *value */ + for( i=nextavail; isa_any[i].bv_val, - sub->sa_any[i].bv_len ); + /* This chunk in the asserted value was NOT within the *value. */ + if( i >= count ) { + nextavail=-1; + break; + } - if( match != 0 ) { - left.bv_val++; - left.bv_len--; + /* Go on to the next word in the asserted value */ + nextchunk += len+1; + } - goto retry; - } + /* If some of the words were seen, call it a match */ + if( nextavail > 0 ) { + *matchp = 0; + } + else { + *matchp = 1; + } - left.bv_val += sub->sa_any[i].bv_len; - left.bv_len -= sub->sa_any[i].bv_len; - inlen -= sub->sa_any[i].bv_len; - } + /* Cleanup allocs */ + ber_bvfree( assertv ); + for( i=0; issyn_oidlen; - mlen = mr->smr_oidlen; - - for( i=0; values[i].bv_val != NULL; i++ ) { - struct berval value; - - if( mr->smr_normalize ) { - rc = (mr->smr_normalize)( use, syntax, mr, &values[i], &value ); - if( rc != LDAP_SUCCESS ) { - break; - } - } else if ( mr->smr_syntax->ssyn_normalize ) { - rc = (mr->smr_syntax->ssyn_normalize)( syntax, &values[i], &value ); - if( rc != LDAP_SUCCESS ) { - break; - } - } else { - ber_dupbv( &value, &values[i] ); - } + char *c; + int i,j, len, wordcount, keycount=0; + struct berval *newkeys; + BerVarray keys=NULL; - ldap_pvt_str2lower( value.bv_val ); + for( j=0; values[j].bv_val != NULL; j++ ) { + struct berval val = { 0, NULL }; + /* Yes, this is necessary */ + UTF8bvnormalize( &values[j], &val, LDAP_UTF8_APPROX, NULL ); + assert( val.bv_val != NULL ); - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); + /* Isolate how many words there are. There will be a key for each */ + for( wordcount = 0, c = val.bv_val; *c; c++) { + len = strcspn(c, SLAPD_APPROX_DELIMITER); + if( len >= SLAPD_APPROX_WORDLEN ) wordcount++; + c+= len; + if (*c == '\0') break; + *c = '\0'; } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, value.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - free( value.bv_val ); + /* Allocate/increase storage to account for new keys */ + newkeys = (struct berval *)ch_malloc( (keycount + wordcount + 1) + * sizeof(struct berval) ); + AC_MEMCPY( newkeys, keys, keycount * sizeof(struct berval) ); + if( keys ) ch_free( keys ); + keys = newkeys; - ber_dupbv( &keys[i], &digest ); - } + /* Get a phonetic copy of each word */ + for( c = val.bv_val, i = 0; i < wordcount; c += len + 1 ) { + len = strlen( c ); + if( len < SLAPD_APPROX_WORDLEN ) continue; + ber_str2bv( phonetic( c ), 0, 0, &keys[keycount] ); + keycount++; + i++; + } - keys[i].bv_val = NULL; - if( rc != LDAP_SUCCESS ) { - ber_bvarray_free( keys ); - keys = NULL; + ber_memfree( val.bv_val ); } + keys[keycount].bv_val = NULL; *keysp = keys; - return rc; + + return LDAP_SUCCESS; } -/* Index generation function */ -static int caseIgnoreIA5Filter( +static int +approxFilter( slap_mask_t use, slap_mask_t flags, Syntax *syntax, MatchingRule *mr, struct berval *prefix, - void * assertValue, - BerVarray *keysp ) + void * assertedValue, + BerVarray *keysp, + void *ctx ) { - size_t slen, mlen; + char *c; + int i, count, len; + struct berval *val; BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval value; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; + /* Yes, this is necessary */ + val = UTF8bvnormalize( ((struct berval *)assertedValue), + NULL, LDAP_UTF8_APPROX, NULL ); + if( val == NULL || val->bv_val == NULL ) { + keys = (struct berval *)ch_malloc( sizeof(struct berval) ); + keys[0].bv_val = NULL; + *keysp = keys; + ber_bvfree( val ); + return LDAP_SUCCESS; + } - ber_dupbv( &value, (struct berval *) assertValue ); - ldap_pvt_str2lower( value.bv_val ); + /* Isolate how many words there are. There will be a key for each */ + for( count = 0,c = val->bv_val; *c; c++) { + len = strcspn(c, SLAPD_APPROX_DELIMITER); + if( len >= SLAPD_APPROX_WORDLEN ) count++; + c+= len; + if (*c == '\0') break; + *c = '\0'; + } - keys = ch_malloc( sizeof( struct berval ) * 2 ); + /* Allocate storage for new keys */ + keys = (struct berval *)ch_malloc( (count + 1) * sizeof(struct berval) ); - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); + /* Get a phonetic copy of each word */ + for( c = val->bv_val, i = 0; i < count; c += len + 1 ) { + len = strlen(c); + if( len < SLAPD_APPROX_WORDLEN ) continue; + ber_str2bv( phonetic( c ), 0, 0, &keys[i] ); + i++; } - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, value.bv_len ); - HASH_Final( HASHdigest, &HASHcontext ); - - ber_dupbv( &keys[0], &digest ); - keys[1].bv_val = NULL; - free( value.bv_val ); + ber_bvfree( val ); + keys[count].bv_val = NULL; *keysp = keys; return LDAP_SUCCESS; } -/* Substrings Index generation function */ -static int caseIgnoreIA5SubstringsIndexer( - slap_mask_t use, - slap_mask_t flags, +/* Remove all spaces and '-' characters */ +static int +telephoneNumberNormalize( + slap_mask_t usage, Syntax *syntax, MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) + struct berval *val, + struct berval *normalized, + void *ctx ) { - ber_len_t i, nkeys; - size_t slen, mlen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval digest; - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); + char *p, *q; - /* we should have at least one value at this point */ - assert( values != NULL && values[0].bv_val != NULL ); + /* validator should have refused an empty string */ + assert( val->bv_len ); - nkeys=0; - for( i=0; values[i].bv_val != NULL; i++ ) { - /* count number of indices to generate */ - if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) { - continue; + q = normalized->bv_val = sl_malloc( val->bv_len + 1, ctx ); + + for( p = val->bv_val; *p; p++ ) { + if ( ! ( ASCII_SPACE( *p ) || *p == '-' )) { + *q++ = *p; } + } + *q = '\0'; - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); - } + normalized->bv_len = q - normalized->bv_val; + + if( normalized->bv_len == 0 ) { + sl_free( normalized->bv_val, ctx ); + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + +static int +numericoidValidate( + Syntax *syntax, + struct berval *in ) +{ + struct berval val = *in; + + if( val.bv_len == 0 ) { + /* disallow empty strings */ + return LDAP_INVALID_SYNTAX; + } + + while( OID_LEADCHAR( val.bv_val[0] ) ) { + if ( val.bv_len == 1 ) { + return LDAP_SUCCESS; } - if( flags & SLAP_INDEX_SUBSTR_ANY ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); - } + if ( val.bv_val[0] == '0' ) { + break; } - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - if( values[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - nkeys += SLAP_INDEX_SUBSTR_MAXLEN - - ( SLAP_INDEX_SUBSTR_MINLEN - 1); - } else { - nkeys += values[i].bv_len - ( SLAP_INDEX_SUBSTR_MINLEN - 1 ); + val.bv_val++; + val.bv_len--; + + while ( OID_LEADCHAR( val.bv_val[0] )) { + val.bv_val++; + val.bv_len--; + + if ( val.bv_len == 0 ) { + return LDAP_SUCCESS; } } - } - if( nkeys == 0 ) { - /* no keys to generate */ - *keysp = NULL; - return LDAP_SUCCESS; + if( !OID_SEPARATOR( val.bv_val[0] )) { + break; + } + + val.bv_val++; + val.bv_len--; } - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); + return LDAP_INVALID_SYNTAX; +} - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; +static int +integerValidate( + Syntax *syntax, + struct berval *in ) +{ + ber_len_t i; + struct berval val = *in; - nkeys=0; - for( i=0; values[i].bv_val != NULL; i++ ) { - int j,max; - struct berval value; + if( val.bv_len == 0 ) return LDAP_INVALID_SYNTAX; - if( values[i].bv_len < SLAP_INDEX_SUBSTR_MINLEN ) continue; + if ( val.bv_val[0] == '-' ) { + val.bv_len--; + val.bv_val++; - ber_dupbv( &value, &values[i] ); - ldap_pvt_str2lower( value.bv_val ); + if( val.bv_len == 0 ) { /* bare "-" */ + return LDAP_INVALID_SYNTAX; + } - if( ( flags & SLAP_INDEX_SUBSTR_ANY ) && - ( value.bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) ) - { - char pre = SLAP_INDEX_SUBSTR_PREFIX; - max = value.bv_len - ( SLAP_INDEX_SUBSTR_MAXLEN - 1); + if( val.bv_val[0] == '0' ) { /* "-0" */ + return LDAP_INVALID_SYNTAX; + } - for( j=0; jbv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } + } else if ( val.bv_val[0] == '0' ) { + if( val.bv_len > 1 ) { /* "0" */ + return LDAP_INVALID_SYNTAX; + } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value.bv_val[j], - SLAP_INDEX_SUBSTR_MAXLEN ); - HASH_Final( HASHdigest, &HASHcontext ); + return LDAP_SUCCESS; + } - ber_dupbv( &keys[nkeys++], &digest ); - } + for( i=0; i < val.bv_len; i++ ) { + if( !ASCII_DIGIT(val.bv_val[i]) ) { + return LDAP_INVALID_SYNTAX; } + } - max = SLAP_INDEX_SUBSTR_MAXLEN < value.bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value.bv_len; + return LDAP_SUCCESS; +} - for( j=SLAP_INDEX_SUBSTR_MINLEN; j<=max; j++ ) { - char pre; +static int +integerMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + struct berval *asserted = (struct berval *) assertedValue; + int vsign = 1, asign = 1; /* default sign = '+' */ + struct berval v, a; + int match; - if( flags & SLAP_INDEX_SUBSTR_INITIAL ) { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, j ); - HASH_Final( HASHdigest, &HASHcontext ); + v = *value; + if( v.bv_val[0] == '-' ) { + vsign = -1; + v.bv_val++; + v.bv_len--; + } - ber_dupbv( &keys[nkeys++], &digest ); - } + if( v.bv_len == 0 ) vsign = 0; - if( flags & SLAP_INDEX_SUBSTR_FINAL ) { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value.bv_val[value.bv_len-j], j ); - HASH_Final( HASHdigest, &HASHcontext ); + a = *asserted; + if( a.bv_val[0] == '-' ) { + asign = -1; + a.bv_val++; + a.bv_len--; + } - ber_dupbv( &keys[nkeys++], &digest ); - } + if( a.bv_len == 0 ) vsign = 0; + + match = vsign - asign; + if( match == 0 ) { + match = ( v.bv_len != a.bv_len + ? ( v.bv_len < a.bv_len ? -1 : 1 ) + : memcmp( v.bv_val, a.bv_val, v.bv_len )); + if( vsign < 0 ) match = -match; + } + + *matchp = match; + return LDAP_SUCCESS; +} + +static int +countryStringValidate( + Syntax *syntax, + struct berval *val ) +{ + if( val->bv_len != 2 ) return LDAP_INVALID_SYNTAX; + + if( !SLAP_PRINTABLE(val->bv_val[0]) ) { + return LDAP_INVALID_SYNTAX; + } + if( !SLAP_PRINTABLE(val->bv_val[1]) ) { + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} - } +static int +printableStringValidate( + Syntax *syntax, + struct berval *val ) +{ + ber_len_t i; - free( value.bv_val ); - } + if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; + for(i=0; i < val->bv_len; i++) { + if( !SLAP_PRINTABLE(val->bv_val[i]) ) { + return LDAP_INVALID_SYNTAX; + } } return LDAP_SUCCESS; } -static int caseIgnoreIA5SubstringsFilter( - slap_mask_t use, - slap_mask_t flags, +static int +printablesStringValidate( Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) + struct berval *val ) { - SubstringsAssertion *sa = assertValue; - char pre; - ber_len_t nkeys = 0; - size_t slen, mlen, klen; - BerVarray keys; - HASH_CONTEXT HASHcontext; - unsigned char HASHdigest[HASH_BYTES]; - struct berval value; - struct berval digest; + ber_len_t i, len; - if((flags & SLAP_INDEX_SUBSTR_INITIAL) && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; - } + if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - if((flags & SLAP_INDEX_SUBSTR_ANY) && sa->sa_any != NULL ) { - ber_len_t i; - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len >= SLAP_INDEX_SUBSTR_MAXLEN ) { - /* don't bother accounting for stepping */ - nkeys += sa->sa_any[i].bv_len - - ( SLAP_INDEX_SUBSTR_MAXLEN - 1 ); + for(i=0,len=0; i < val->bv_len; i++) { + int c = val->bv_val[i]; + + if( c == '$' ) { + if( len == 0 ) { + return LDAP_INVALID_SYNTAX; } - } - } + len = 0; - if((flags & SLAP_INDEX_SUBSTR_FINAL) && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - nkeys++; + } else if ( SLAP_PRINTABLE(c) ) { + len++; + } else { + return LDAP_INVALID_SYNTAX; + } } - if( nkeys == 0 ) { - *keysp = NULL; - return LDAP_SUCCESS; + if( len == 0 ) { + return LDAP_INVALID_SYNTAX; } - digest.bv_val = HASHdigest; - digest.bv_len = sizeof(HASHdigest); + return LDAP_SUCCESS; +} - slen = syntax->ssyn_oidlen; - mlen = mr->smr_oidlen; +static int +IA5StringValidate( + Syntax *syntax, + struct berval *val ) +{ + ber_len_t i; - keys = ch_malloc( sizeof( struct berval ) * (nkeys+1) ); - nkeys = 0; + if( val->bv_len == 0 ) return LDAP_INVALID_SYNTAX; - if((flags & SLAP_INDEX_SUBSTR_INITIAL) && sa->sa_initial.bv_val != NULL && - sa->sa_initial.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX; - ber_dupbv( &value, &sa->sa_initial ); - ldap_pvt_str2lower( value.bv_val ); + for(i=0; i < val->bv_len; i++) { + if( !LDAP_ASCII(val->bv_val[i]) ) { + return LDAP_INVALID_SYNTAX; + } + } - klen = SLAP_INDEX_SUBSTR_MAXLEN < value.bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value.bv_len; + return LDAP_SUCCESS; +} - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - value.bv_val, klen ); - HASH_Final( HASHdigest, &HASHcontext ); +static int +IA5StringNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *normalized, + void *ctx ) +{ + char *p, *q; + int casefold = SLAP_MR_ASSOCIATED(mr, slap_schema.si_mr_caseExactIA5Match); - free( value.bv_val ); - ber_dupbv( &keys[nkeys++], &digest ); - } + assert( val->bv_len ); - if((flags & SLAP_INDEX_SUBSTR_ANY) && sa->sa_any != NULL ) { - ber_len_t i, j; - pre = SLAP_INDEX_SUBSTR_PREFIX; - klen = SLAP_INDEX_SUBSTR_MAXLEN; + p = val->bv_val; - for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) { - if( sa->sa_any[i].bv_len < SLAP_INDEX_SUBSTR_MAXLEN ) { - continue; - } + /* Ignore initial whitespace */ + while ( ASCII_SPACE( *p ) ) p++; - ber_dupbv( &value, &sa->sa_any[i] ); - ldap_pvt_str2lower( value.bv_val ); + normalized->bv_val = ber_strdup_x( p, ctx ); + p = q = normalized->bv_val; - for(j=0; - j <= value.bv_len - SLAP_INDEX_SUBSTR_MAXLEN; - j += SLAP_INDEX_SUBSTR_STEP ) - { - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value.bv_val[j], klen ); - HASH_Final( HASHdigest, &HASHcontext ); + while ( *p ) { + if ( ASCII_SPACE( *p ) ) { + *q++ = *p++; - ber_dupbv( &keys[nkeys++], &digest ); + /* Ignore the extra whitespace */ + while ( ASCII_SPACE( *p ) ) { + p++; } - free( value.bv_val ); + } else if ( casefold ) { + /* Most IA5 rules require casefolding */ + *q++ = TOLOWER(*p++); + + } else { + *q++ = *p++; } } - if((flags & SLAP_INDEX_SUBSTR_FINAL) && sa->sa_final.bv_val != NULL && - sa->sa_final.bv_len >= SLAP_INDEX_SUBSTR_MINLEN ) - { - pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX; - ber_dupbv( &value, &sa->sa_final ); - ldap_pvt_str2lower( value.bv_val ); - - klen = SLAP_INDEX_SUBSTR_MAXLEN < value.bv_len - ? SLAP_INDEX_SUBSTR_MAXLEN : value.bv_len; + assert( normalized->bv_val <= p ); + assert( q <= p ); - HASH_Init( &HASHcontext ); - if( prefix != NULL && prefix->bv_len > 0 ) { - HASH_Update( &HASHcontext, - prefix->bv_val, prefix->bv_len ); - } - HASH_Update( &HASHcontext, - &pre, sizeof( pre ) ); - HASH_Update( &HASHcontext, - syntax->ssyn_oid, slen ); - HASH_Update( &HASHcontext, - mr->smr_oid, mlen ); - HASH_Update( &HASHcontext, - &value.bv_val[value.bv_len-klen], klen ); - HASH_Final( HASHdigest, &HASHcontext ); + /* + * If the string ended in space, backup the pointer one + * position. One is enough because the above loop collapsed + * all whitespace to a single space. + */ + if ( ASCII_SPACE( q[-1] ) ) --q; - free( value.bv_val ); - ber_dupbv( &keys[nkeys++], &digest ); - } + /* null terminate */ + *q = '\0'; - if( nkeys > 0 ) { - keys[nkeys].bv_val = NULL; - *keysp = keys; - } else { - ch_free( keys ); - *keysp = NULL; + normalized->bv_len = q - normalized->bv_val; + if( normalized->bv_len == 0 ) { + normalized->bv_val = sl_realloc( normalized->bv_val, 2, ctx ); + normalized->bv_val[0] = ' '; + normalized->bv_val[1] = '\0'; + normalized->bv_len = 1; } return LDAP_SUCCESS; } - + static int numericStringValidate( Syntax *syntax, @@ -3394,16 +1593,19 @@ numericStringValidate( static int numericStringNormalize( + slap_mask_t usage, Syntax *syntax, + MatchingRule *mr, struct berval *val, - struct berval *normalized ) + struct berval *normalized, + void *ctx ) { /* removal all spaces */ char *p, *q; assert( val->bv_len ); - normalized->bv_val = ch_malloc( val->bv_len + 1 ); + normalized->bv_val = sl_malloc( val->bv_len + 1, ctx ); p = val->bv_val; q = normalized->bv_val; @@ -3426,7 +1628,7 @@ numericStringNormalize( normalized->bv_len = q - normalized->bv_val; if( normalized->bv_len == 0 ) { - normalized->bv_val = ch_realloc( normalized->bv_val, 2 ); + normalized->bv_val = sl_realloc( normalized->bv_val, 2, ctx ); normalized->bv_val[0] = ' '; normalized->bv_val[1] = '\0'; normalized->bv_len = 1; @@ -3436,7 +1638,7 @@ numericStringNormalize( } static int -objectIdentifierFirstComponentMatch( +integerBitAndMatch( int *matchp, slap_mask_t flags, Syntax *syntax, @@ -3444,87 +1646,27 @@ objectIdentifierFirstComponentMatch( struct berval *value, void *assertedValue ) { - int rc = LDAP_SUCCESS; - int match; - struct berval *asserted = (struct berval *) assertedValue; - ber_len_t i; - struct berval oid; - - if( value->bv_len == 0 || value->bv_val[0] != '(' /*')'*/ ) { - return LDAP_INVALID_SYNTAX; - } - - /* trim leading white space */ - for( i=1; ASCII_SPACE(value->bv_val[i]) && i < value->bv_len; i++ ) { - /* empty */ - } + long lValue, lAssertedValue; - /* grab next word */ - oid.bv_val = &value->bv_val[i]; - oid.bv_len = value->bv_len - i; - for( i=1; ASCII_SPACE(value->bv_val[i]) && i < oid.bv_len; i++ ) { - /* empty */ + /* safe to assume integers are NUL terminated? */ + lValue = strtol(value->bv_val, NULL, 10); + if(( lValue == LONG_MIN || lValue == LONG_MAX) && errno == ERANGE ) { + return LDAP_CONSTRAINT_VIOLATION; } - oid.bv_len = i; - /* insert attributeTypes, objectclass check here */ - if( OID_LEADCHAR(asserted->bv_val[0]) ) { - rc = objectIdentifierMatch( &match, flags, syntax, mr, &oid, asserted ); - - } else { - if ( !strcmp( syntax->ssyn_oid, SLAP_SYNTAX_MATCHINGRULES_OID ) ) { - MatchingRule *asserted_mr = mr_bvfind( asserted ); - MatchingRule *stored_mr = mr_bvfind( &oid ); - - if( asserted_mr == NULL ) { - rc = SLAPD_COMPARE_UNDEFINED; - } else { - match = asserted_mr != stored_mr; - } - - } else if ( !strcmp( syntax->ssyn_oid, - SLAP_SYNTAX_ATTRIBUTETYPES_OID ) ) - { - AttributeType *asserted_at = at_bvfind( asserted ); - AttributeType *stored_at = at_bvfind( &oid ); - - if( asserted_at == NULL ) { - rc = SLAPD_COMPARE_UNDEFINED; - } else { - match = asserted_at != stored_at; - } - - } else if ( !strcmp( syntax->ssyn_oid, - SLAP_SYNTAX_OBJECTCLASSES_OID ) ) - { - ObjectClass *asserted_oc = oc_bvfind( asserted ); - ObjectClass *stored_oc = oc_bvfind( &oid ); - - if( asserted_oc == NULL ) { - rc = SLAPD_COMPARE_UNDEFINED; - } else { - match = asserted_oc != stored_oc; - } - } + lAssertedValue = strtol(((struct berval *)assertedValue)->bv_val, NULL, 10); + if(( lAssertedValue == LONG_MIN || lAssertedValue == LONG_MAX) + && errno == ERANGE ) + { + return LDAP_CONSTRAINT_VIOLATION; } -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ENTRY, - "objectIdentifierFirstComponentMatch: %d\n %s\n %s\n", - match, value->bv_val, asserted->bv_val ); -#else - Debug( LDAP_DEBUG_ARGS, "objectIdentifierFirstComponentMatch " - "%d\n\t\"%s\"\n\t\"%s\"\n", - match, value->bv_val, asserted->bv_val ); -#endif - - - if( rc == LDAP_SUCCESS ) *matchp = match; - return rc; + *matchp = (lValue & lAssertedValue) ? 0 : 1; + return LDAP_SUCCESS; } static int -integerBitAndMatch( +integerBitOrMatch( int *matchp, slap_mask_t flags, Syntax *syntax, @@ -3534,47 +1676,98 @@ integerBitAndMatch( { long lValue, lAssertedValue; - /* safe to assume integers are NUL terminated? */ - lValue = strtoul(value->bv_val, NULL, 10); - if(( lValue == LONG_MIN || lValue == LONG_MAX) && errno == ERANGE ) - return LDAP_CONSTRAINT_VIOLATION; + /* safe to assume integers are NUL terminated? */ + lValue = strtol(value->bv_val, NULL, 10); + if(( lValue == LONG_MIN || lValue == LONG_MAX) && errno == ERANGE ) { + return LDAP_CONSTRAINT_VIOLATION; + } + + lAssertedValue = strtol(((struct berval *)assertedValue)->bv_val, NULL, 10); + if(( lAssertedValue == LONG_MIN || lAssertedValue == LONG_MAX) + && errno == ERANGE ) + { + return LDAP_CONSTRAINT_VIOLATION; + } + + *matchp = (lValue | lAssertedValue) ? 0 : -1; + return LDAP_SUCCESS; +} + +static int +serialNumberAndIssuerValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc = LDAP_INVALID_SYNTAX; + struct berval serialNumber, issuer; + + serialNumber.bv_val = in->bv_val; + for( serialNumber.bv_len = 0; + serialNumber.bv_len < in->bv_len; + serialNumber.bv_len++ ) + { + if ( serialNumber.bv_val[serialNumber.bv_len] == '$' ) { + issuer.bv_val = &serialNumber.bv_val[serialNumber.bv_len+1]; + issuer.bv_len = in->bv_len - (serialNumber.bv_len+1); + + if( serialNumber.bv_len == 0 || issuer.bv_len == 0 ) break; + + rc = integerValidate( NULL, &serialNumber ); + if( rc ) break; - lAssertedValue = strtol(((struct berval *)assertedValue)->bv_val, NULL, 10); - if(( lAssertedValue == LONG_MIN || lAssertedValue == LONG_MAX) && errno == ERANGE ) - return LDAP_CONSTRAINT_VIOLATION; + rc = dnValidate( NULL, &issuer ); + break; + } + } - *matchp = (lValue & lAssertedValue); - return LDAP_SUCCESS; + return rc; } static int -integerBitOrMatch( - int *matchp, - slap_mask_t flags, +serialNumberAndIssuerNormalize( + slap_mask_t usage, Syntax *syntax, MatchingRule *mr, - struct berval *value, - void *assertedValue ) + struct berval *val, + struct berval *normalized, + void *ctx ) { - long lValue, lAssertedValue; + int rc = LDAP_INVALID_SYNTAX; + struct berval serialNumber, issuer, nissuer; - /* safe to assume integers are NUL terminated? */ - lValue = strtoul(value->bv_val, NULL, 10); - if(( lValue == LONG_MIN || lValue == LONG_MAX) && errno == ERANGE ) - return LDAP_CONSTRAINT_VIOLATION; + serialNumber.bv_val = val->bv_val; + for( serialNumber.bv_len = 0; + serialNumber.bv_len < val->bv_len; + serialNumber.bv_len++ ) + { + if ( serialNumber.bv_val[serialNumber.bv_len] == '$' ) { + issuer.bv_val = &serialNumber.bv_val[serialNumber.bv_len+1]; + issuer.bv_len = val->bv_len - (serialNumber.bv_len+1); - lAssertedValue = strtol(((struct berval *)assertedValue)->bv_val, NULL, 10); - if(( lAssertedValue == LONG_MIN || lAssertedValue == LONG_MAX) && errno == ERANGE ) - return LDAP_CONSTRAINT_VIOLATION; + if( serialNumber.bv_len == 0 || issuer.bv_len == 0 ) break; - *matchp = (lValue | lAssertedValue); - return LDAP_SUCCESS; + rc = dnNormalize( usage, syntax, mr, &issuer, &nissuer, ctx ); + if( rc ) break; + + normalized->bv_len = serialNumber.bv_len + 1 + nissuer.bv_len; + normalized->bv_val = ch_malloc( normalized->bv_len + 1); + + AC_MEMCPY( normalized->bv_val, + serialNumber.bv_val, serialNumber.bv_len ); + normalized->bv_val[serialNumber.bv_len] = '$'; + AC_MEMCPY( &normalized->bv_val[serialNumber.bv_len+1], + nissuer.bv_val, nissuer.bv_len ); + normalized->bv_val[normalized->bv_len] = '\0'; + break; + } + } + + return rc; } #ifdef HAVE_TLS #include #include -char digit[] = "0123456789"; /* * Next function returns a string representation of a ASN1_INTEGER. @@ -3586,6 +1779,7 @@ asn1_integer2str(ASN1_INTEGER *a, struct berval *bv) { char buf[256]; char *p; + static char digit[] = "0123456789"; /* We work backwards, make it fill from the end of buf */ p = buf + sizeof(buf) - 1; @@ -3628,8 +1822,8 @@ asn1_integer2str(ASN1_INTEGER *a, struct berval *bv) return NULL; } *--p = digit[carry]; - if (copy[base] == 0) - base++; + + if (copy[base] == 0) base++; } free(copy); } @@ -3650,6 +1844,7 @@ certificateExactConvert( struct berval * in, struct berval * out ) { + int rc; X509 *xcert; unsigned char *p = in->bv_val; struct berval serial; @@ -3673,7 +1868,9 @@ certificateExactConvert( X509_free(xcert); return LDAP_INVALID_SYNTAX; } - if ( dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn ) != LDAP_SUCCESS ) { + + rc = dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn ); + if( rc != LDAP_SUCCESS ) { X509_free(xcert); ber_memfree(serial.bv_val); return LDAP_INVALID_SYNTAX; @@ -3708,232 +1905,28 @@ certificateExactConvert( } static int -serial_and_issuer_parse( - struct berval *assertion, - struct berval *serial, - struct berval *issuer_dn -) -{ - char *begin; - char *end; - char *p; - struct berval bv; - - begin = assertion->bv_val; - end = assertion->bv_val+assertion->bv_len-1; - for (p=begin; p<=end && *p != '$'; p++) - ; - if ( p > end ) - return LDAP_INVALID_SYNTAX; - - /* p now points at the $ sign, now use begin and end to delimit the - serial number */ - while (ASCII_SPACE(*begin)) - begin++; - end = p-1; - while (ASCII_SPACE(*end)) - end--; - - bv.bv_len = end-begin+1; - bv.bv_val = begin; - ber_dupbv(serial, &bv); - - /* now extract the issuer, remember p was at the dollar sign */ - if ( issuer_dn ) { - begin = p+1; - end = assertion->bv_val+assertion->bv_len-1; - while (ASCII_SPACE(*begin)) - begin++; - /* should we trim spaces at the end too? is it safe always? */ - - bv.bv_len = end-begin+1; - bv.bv_val = begin; - dnNormalize2( NULL, &bv, issuer_dn ); - } - - return LDAP_SUCCESS; -} - -static int -certificateExactMatch( - int *matchp, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *value, - void *assertedValue ) -{ - X509 *xcert; - unsigned char *p = value->bv_val; - struct berval serial; - struct berval issuer_dn; - struct berval asserted_serial; - struct berval asserted_issuer_dn; - int ret; - - xcert = d2i_X509(NULL, &p, value->bv_len); - if ( !xcert ) { -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ENTRY, - "certificateExactMatch: error parsing cert: %s\n", - ERR_error_string(ERR_get_error(),NULL), 0, 0 ); -#else - Debug( LDAP_DEBUG_ARGS, "certificateExactMatch: " - "error parsing cert: %s\n", - ERR_error_string(ERR_get_error(),NULL), NULL, NULL ); -#endif - return LDAP_INVALID_SYNTAX; - } - - asn1_integer2str(xcert->cert_info->serialNumber, &serial); - dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn); - - X509_free(xcert); - - serial_and_issuer_parse(assertedValue, - &asserted_serial, - &asserted_issuer_dn); - - ret = integerMatch( - matchp, - flags, - slap_schema.si_syn_integer, - slap_schema.si_mr_integerMatch, - &serial, - &asserted_serial); - if ( ret == LDAP_SUCCESS ) { - if ( *matchp == 0 ) { - /* We need to normalize everything for dnMatch */ - ret = dnMatch( - matchp, - flags, - slap_schema.si_syn_distinguishedName, - slap_schema.si_mr_distinguishedNameMatch, - &issuer_dn, - &asserted_issuer_dn); - } - } - -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ARGS, "certificateExactMatch " - "%d\n\t\"%s $ %s\"\n", - *matchp, serial.bv_val, issuer_dn.bv_val ); - LDAP_LOG( CONFIG, ARGS, "\t\"%s $ %s\"\n", - asserted_serial.bv_val, asserted_issuer_dn.bv_val, - 0 ); -#else - Debug( LDAP_DEBUG_ARGS, "certificateExactMatch " - "%d\n\t\"%s $ %s\"\n", - *matchp, serial.bv_val, issuer_dn.bv_val ); - Debug( LDAP_DEBUG_ARGS, "\t\"%s $ %s\"\n", - asserted_serial.bv_val, asserted_issuer_dn.bv_val, - NULL ); -#endif - - ber_memfree(serial.bv_val); - ber_memfree(issuer_dn.bv_val); - ber_memfree(asserted_serial.bv_val); - ber_memfree(asserted_issuer_dn.bv_val); - - return ret; -} - -/* - * Index generation function - * We just index the serials, in most scenarios the issuer DN is one of - * a very small set of values. - */ -static int certificateExactIndexer( - slap_mask_t use, - slap_mask_t flags, +certificateExactNormalize( + slap_mask_t usage, Syntax *syntax, MatchingRule *mr, - struct berval *prefix, - BerVarray values, - BerVarray *keysp ) + struct berval *val, + struct berval *normalized, + void *ctx ) { - int i; - BerVarray keys; - X509 *xcert; - unsigned char *p; - struct berval serial; - - /* we should have at least one value at this point */ - assert( values != NULL && values[0].bv_val != NULL ); - - for( i=0; values[i].bv_val != NULL; i++ ) { - /* empty -- just count them */ - } - - keys = ch_malloc( sizeof( struct berval ) * (i+1) ); + int rc; - for( i=0; values[i].bv_val != NULL; i++ ) { - p = values[i].bv_val; - xcert = d2i_X509(NULL, &p, values[i].bv_len); - if ( !xcert ) { -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ENTRY, - "certificateExactIndexer: error parsing cert: %s\n", - ERR_error_string(ERR_get_error(),NULL), 0, 0); -#else - Debug( LDAP_DEBUG_ARGS, "certificateExactIndexer: " - "error parsing cert: %s\n", - ERR_error_string(ERR_get_error(),NULL), - NULL, NULL ); -#endif - /* Do we leak keys on error? */ - return LDAP_INVALID_SYNTAX; - } + if( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX( usage ) ) { + rc = serialNumberAndIssuerNormalize( usage, syntax, mr, + val, normalized, ctx ); - asn1_integer2str(xcert->cert_info->serialNumber, &serial); - X509_free(xcert); - integerNormalize( slap_schema.si_syn_integer, - &serial, - &keys[i] ); - ber_memfree(serial.bv_val); -#ifdef NEW_LOGGING - LDAP_LOG( CONFIG, ENTRY, - "certificateExactIndexer: returning: %s\n", keys[i].bv_val, 0, 0); -#else - Debug( LDAP_DEBUG_ARGS, "certificateExactIndexer: " - "returning: %s\n", - keys[i].bv_val, - NULL, NULL ); -#endif + } else { + rc = certificateExactConvert( val, normalized ); } - keys[i].bv_val = NULL; - *keysp = keys; - return LDAP_SUCCESS; + return rc; } +#endif /* HAVE_TLS */ -/* Index generation function */ -/* We think this is always called with a value in matching rule syntax */ -static int certificateExactFilter( - slap_mask_t use, - slap_mask_t flags, - Syntax *syntax, - MatchingRule *mr, - struct berval *prefix, - void * assertValue, - BerVarray *keysp ) -{ - BerVarray keys; - struct berval asserted_serial; - - serial_and_issuer_parse(assertValue, - &asserted_serial, - NULL); - - keys = ch_malloc( sizeof( struct berval ) * 2 ); - integerNormalize( syntax, &asserted_serial, &keys[0] ); - keys[1].bv_val = NULL; - *keysp = keys; - - ber_memfree(asserted_serial.bv_val); - return LDAP_SUCCESS; -} -#endif static int check_time_syntax (struct berval *val, @@ -4102,7 +2095,7 @@ check_time_syntax (struct berval *val, #ifdef SUPPORT_OBSOLETE_UTC_SYNTAX static int -utcTimeNormalize( +xutcTimeNormalize( Syntax *syntax, struct berval *val, struct berval *normalized ) @@ -4126,16 +2119,13 @@ utcTimeNormalize( return LDAP_SUCCESS; } -#endif -#ifdef SUPPORT_OBSOLETE_UTC_SYNTAX static int utcTimeValidate( Syntax *syntax, struct berval *in ) { int parts[9]; - return check_time_syntax(in, 1, parts); } #endif @@ -4146,15 +2136,17 @@ generalizedTimeValidate( struct berval *in ) { int parts[9]; - return check_time_syntax(in, 0, parts); } static int generalizedTimeNormalize( + slap_mask_t usage, Syntax *syntax, + MatchingRule *mr, struct berval *val, - struct berval *normalized ) + struct berval *normalized, + void *ctx ) { int parts[9], rc; @@ -4163,7 +2155,7 @@ generalizedTimeNormalize( return rc; } - normalized->bv_val = ch_malloc( 16 ); + normalized->bv_val = sl_malloc( sizeof("YYYYmmddHHMMSSZ"), ctx ); if ( normalized->bv_val == NULL ) { return LBER_ERROR_MEMORY; } @@ -4266,171 +2258,249 @@ bootParameterValidate( return LDAP_SUCCESS; } +static int +firstComponentNormalize( + slap_mask_t usage, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *normalized, + void *ctx ) +{ + int rc; + struct berval oid; + ber_len_t len; + + if( val->bv_len < 3 ) return LDAP_INVALID_SYNTAX; + + if( val->bv_val[0] != '(' /*')'*/ && + val->bv_val[0] != '{' /*'}'*/ ) + { + return LDAP_INVALID_SYNTAX; + } + + /* trim leading white space */ + for( len=1; + len < val->bv_len && ASCII_SPACE(val->bv_val[len]); + len++ ) + { + /* empty */ + } + + /* grab next word */ + oid.bv_val = &val->bv_val[len]; + len = val->bv_len - len; + for( oid.bv_len=0; + !ASCII_SPACE(oid.bv_val[oid.bv_len]) && oid.bv_len < len; + oid.bv_len++ ) + { + /* empty */ + } + + if( mr == slap_schema.si_mr_objectIdentifierFirstComponentMatch ) { + rc = numericoidValidate( NULL, &oid ); + } else if( mr == slap_schema.si_mr_integerFirstComponentMatch ) { + rc = integerValidate( NULL, &oid ); + } else { + rc = LDAP_INVALID_SYNTAX; + } + + + if( rc == LDAP_SUCCESS ) { + ber_dupbv_x( normalized, &oid, ctx ); + } + + return rc; +} + #define X_BINARY "X-BINARY-TRANSFER-REQUIRED 'TRUE' " #define X_NOT_H_R "X-NOT-HUMAN-READABLE 'TRUE' " static slap_syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.1466.115.121.1.1 DESC 'ACI Item' " X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, NULL, NULL}, + SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.2 DESC 'Access Point' " X_NOT_H_R ")", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.3 DESC 'Attribute Type Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' " X_NOT_H_R ")", - SLAP_SYNTAX_BLOB, blobValidate, NULL, NULL}, + SLAP_SYNTAX_BLOB, blobValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' " X_NOT_H_R ")", - SLAP_SYNTAX_BER, berValidate, NULL, NULL}, + SLAP_SYNTAX_BER, berValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )", - 0, bitStringValidate, bitStringNormalize, NULL }, + 0, bitStringValidate, NULL }, {"( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )", - 0, booleanValidate, NULL, NULL}, + 0, booleanValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' " X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL}, + SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' " X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL}, + SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' " X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL}, + SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )", - 0, countryStringValidate, IA5StringNormalize, NULL}, + 0, countryStringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'Distinguished Name' )", - 0, dnValidate, dnNormalize2, dnPretty2}, + 0, dnValidate, dnPretty}, {"( 1.3.6.1.4.1.1466.115.121.1.13 DESC 'Data Quality' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )", - 0, UTF8StringValidate, UTF8StringNormalize, NULL}, + 0, UTF8StringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.16 DESC 'DIT Content Rule Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.17 DESC 'DIT Structure Rule Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.19 DESC 'DSA Quality' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.20 DESC 'DSE Type' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.21 DESC 'Enhanced Guide' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number' )", - 0, printablesStringValidate, telephoneNumberNormalize, NULL}, + 0, printablesStringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.23 DESC 'Fax' " X_NOT_H_R ")", - SLAP_SYNTAX_BLOB, NULL, NULL, NULL}, + SLAP_SYNTAX_BLOB, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )", - 0, generalizedTimeValidate, generalizedTimeNormalize, NULL}, + 0, generalizedTimeValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.25 DESC 'Guide' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )", - 0, IA5StringValidate, IA5StringNormalize, NULL}, + 0, IA5StringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'Integer' )", - 0, integerValidate, integerNormalize, NULL}, + 0, integerValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' " X_NOT_H_R ")", - SLAP_SYNTAX_BLOB, blobValidate, NULL, NULL}, + SLAP_SYNTAX_BLOB, blobValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.29 DESC 'Master And Shadow Access Points' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.30 DESC 'Matching Rule Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.31 DESC 'Matching Rule Use Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.32 DESC 'Mail Preference' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.33 DESC 'MHS OR Address' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )", - 0, nameUIDValidate, nameUIDNormalize, NULL}, + 0, nameUIDValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.35 DESC 'Name Form Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )", - 0, numericStringValidate, numericStringNormalize, NULL}, + 0, numericStringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.37 DESC 'Object Class Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )", - 0, oidValidate, NULL, NULL}, + 0, numericoidValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )", - 0, IA5StringValidate, IA5StringNormalize, NULL}, + 0, IA5StringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )", - 0, blobValidate, NULL, NULL}, + 0, blobValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )", - 0, UTF8StringValidate, UTF8StringNormalize, NULL}, + 0, UTF8StringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.42 DESC 'Protocol Information' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.43 DESC 'Presentation Address' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )", - 0, printableStringValidate, IA5StringNormalize, NULL}, - {"( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' " - X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, NULL, NULL}, + 0, printableStringValidate, NULL}, + {"( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )", +#define subtreeSpecificationValidate UTF8StringValidate /* FIXME */ + 0, subtreeSpecificationValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' " X_BINARY X_NOT_H_R ")", - SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL, NULL}, + SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, berValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )", - 0, printableStringValidate, telephoneNumberNormalize, NULL}, + 0, printableStringValidate, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.51 DESC 'Teletex Terminal Identifier' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )", - 0, printablesStringValidate, IA5StringNormalize, NULL}, + 0, printablesStringValidate, NULL}, #ifdef SUPPORT_OBSOLETE_UTC_SYNTAX {"( 1.3.6.1.4.1.1466.115.121.1.53 DESC 'UTC Time' )", - 0, utcTimeValidate, utcTimeNormalize, NULL}, + 0, utcTimeValidate, NULL}, #endif {"( 1.3.6.1.4.1.1466.115.121.1.54 DESC 'LDAP Syntax Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.55 DESC 'Modify Rights' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.56 DESC 'LDAP Schema Definition' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.57 DESC 'LDAP Schema Description' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, {"( 1.3.6.1.4.1.1466.115.121.1.58 DESC 'Substring Assertion' )", - 0, NULL, NULL, NULL}, + 0, NULL, NULL}, /* RFC 2307 NIS Syntaxes */ {"( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' )", - 0, nisNetgroupTripleValidate, NULL, NULL}, + 0, nisNetgroupTripleValidate, NULL}, {"( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )", - 0, bootParameterValidate, NULL, NULL}, + 0, bootParameterValidate, NULL}, -#ifdef HAVE_TLS /* From PKIX */ /* These OIDs are not published yet, but will be in the next * I-D for PKIX LDAPv3 schema as have been advanced by David * Chadwick in private mail. */ {"( 1.2.826.0.1.3344810.7.1 DESC 'Serial Number and Issuer' )", - 0, NULL, NULL, NULL}, -#endif + 0, serialNumberAndIssuerValidate, NULL}, /* OpenLDAP Experimental Syntaxes */ #ifdef SLAPD_ACI_ENABLED {"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )", SLAP_SYNTAX_HIDE, UTF8StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */, - NULL, NULL}, + NULL}, #endif #ifdef SLAPD_AUTHPASSWD /* needs updating */ {"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )", - SLAP_SYNTAX_HIDE, NULL, NULL, NULL}, + SLAP_SYNTAX_HIDE, NULL, NULL}, #endif /* OpenLDAP Void Syntax */ {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" , - SLAP_SYNTAX_HIDE, inValidate, NULL, NULL}, - {NULL, 0, NULL, NULL, NULL} + SLAP_SYNTAX_HIDE, inValidate, NULL}, + {NULL, 0, NULL, NULL} +}; + +#ifdef HAVE_TLS +char *certificateExactMatchSyntaxes[] = { + "1.3.6.1.4.1.1466.115.121.1.8" /* certificate */, + NULL +}; +#endif +char *directoryStringSyntaxes[] = { + "1.3.6.1.4.1.1466.115.121.1.44" /* printableString */, + NULL +}; +char *integerFirstComponentMatchSyntaxes[] = { + "1.3.6.1.4.1.1466.115.121.1.27" /* INTEGER */, + "1.3.6.1.4.1.1466.115.121.1.17" /* ditStructureRuleDescription */, + NULL +}; +char *objectIdentifierFirstComponentMatchSyntaxes[] = { + "1.3.6.1.4.1.1466.115.121.1.38" /* OID */, + "1.3.6.1.4.1.1466.115.121.1.3" /* attributeTypeDescription */, + "1.3.6.1.4.1.1466.115.121.1.16" /* ditContentRuleDescription */, + "1.3.6.1.4.1.1466.115.121.1.54" /* ldapSyntaxDescription */, + "1.3.6.1.4.1.1466.115.121.1.30" /* matchingRuleDescription */, + "1.3.6.1.4.1.1466.115.121.1.31" /* matchingRuleUseDescription */, + "1.3.6.1.4.1.1466.115.121.1.35" /* nameFormDescription */, + "1.3.6.1.4.1.1466.115.121.1.37" /* objectClassDescription */, + NULL }; /* * Other matching rules in X.520 that we do not use (yet): * * 2.5.13.9 numericStringOrderingMatch - * 2.5.13.18 octetStringOrderingMatch - * 2.5.13.19 octetStringSubstringsMatch * 2.5.13.25 uTCTimeMatch * 2.5.13.26 uTCTimeOrderingMatch * 2.5.13.31 directoryStringFirstComponentMatch @@ -4454,20 +2524,16 @@ static slap_mrule_defs_rec mrule_defs[] = { */ {"( " directoryStringApproxMatchOID " NAME 'directoryStringApproxMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", - SLAP_MR_HIDE | SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, - NULL, NULL, - directoryStringApproxMatch, - directoryStringApproxIndexer, - directoryStringApproxFilter, + SLAP_MR_HIDE | SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, NULL, + NULL, NULL, directoryStringApproxMatch, + directoryStringApproxIndexer, directoryStringApproxFilter, NULL}, {"( " IA5StringApproxMatchOID " NAME 'IA5StringApproxMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", - SLAP_MR_HIDE | SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, - NULL, NULL, - IA5StringApproxMatch, - IA5StringApproxIndexer, - IA5StringApproxFilter, + SLAP_MR_HIDE | SLAP_MR_EQUALITY_APPROX | SLAP_MR_EXT, NULL, + NULL, NULL, IA5StringApproxMatch, + IA5StringApproxIndexer, IA5StringApproxFilter, NULL}, /* @@ -4476,281 +2542,276 @@ static slap_mrule_defs_rec mrule_defs[] = { {"( 2.5.13.0 NAME 'objectIdentifierMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - objectIdentifierMatch, caseIgnoreIA5Indexer, caseIgnoreIA5Filter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.1 NAME 'distinguishedNameMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - dnMatch, dnIndexer, dnFilter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, dnNormalize, dnMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.2 NAME 'caseIgnoreMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_DN_FOLD, - NULL, NULL, - caseIgnoreMatch, caseExactIgnoreIndexer, caseExactIgnoreFilter, + SLAP_MR_EQUALITY | SLAP_MR_EXT, directoryStringSyntaxes, + NULL, UTF8StringNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, directoryStringApproxMatchOID }, {"( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", - SLAP_MR_ORDERING, + SLAP_MR_ORDERING, directoryStringSyntaxes, + NULL, UTF8StringNormalize, octetStringOrderingMatch, NULL, NULL, - caseIgnoreOrderingMatch, NULL, NULL, - NULL}, + "caseIgnoreMatch" }, {"( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )", - SLAP_MR_SUBSTR | SLAP_MR_EXT, - NULL, NULL, - caseExactIgnoreSubstringsMatch, - caseExactIgnoreSubstringsIndexer, - caseExactIgnoreSubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, UTF8StringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "caseIgnoreMatch" }, {"( 2.5.13.5 NAME 'caseExactMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - caseExactMatch, caseExactIgnoreIndexer, caseExactIgnoreFilter, + SLAP_MR_EQUALITY | SLAP_MR_EXT, directoryStringSyntaxes, + NULL, UTF8StringNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, directoryStringApproxMatchOID }, {"( 2.5.13.6 NAME 'caseExactOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )", - SLAP_MR_ORDERING, + SLAP_MR_ORDERING, directoryStringSyntaxes, + NULL, UTF8StringNormalize, octetStringOrderingMatch, NULL, NULL, - caseExactOrderingMatch, NULL, NULL, - NULL}, + "caseExactMatch" }, {"( 2.5.13.7 NAME 'caseExactSubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )", - SLAP_MR_SUBSTR | SLAP_MR_EXT, - NULL, NULL, - caseExactIgnoreSubstringsMatch, - caseExactIgnoreSubstringsIndexer, - caseExactIgnoreSubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, directoryStringSyntaxes, + NULL, UTF8StringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "caseExactMatch" }, {"( 2.5.13.8 NAME 'numericStringMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_DN_FOLD, - NULL, NULL, - caseIgnoreIA5Match, - caseIgnoreIA5Indexer, - caseIgnoreIA5Filter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, numericStringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + NULL }, {"( 2.5.13.10 NAME 'numericStringSubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )", - SLAP_MR_SUBSTR | SLAP_MR_EXT, - NULL, NULL, - caseIgnoreIA5SubstringsMatch, - caseIgnoreIA5SubstringsIndexer, - caseIgnoreIA5SubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, numericStringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "numericStringMatch" }, {"( 2.5.13.11 NAME 'caseIgnoreListMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_DN_FOLD, - NULL, NULL, - caseIgnoreListMatch, NULL, NULL, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, NULL, NULL, NULL, NULL }, {"( 2.5.13.12 NAME 'caseIgnoreListSubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )", - SLAP_MR_SUBSTR | SLAP_MR_EXT, - NULL, NULL, - caseIgnoreListSubstringsMatch, NULL, NULL, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, NULL, NULL, NULL, NULL, + "caseIgnoreListMatch" }, {"( 2.5.13.13 NAME 'booleanMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - booleanMatch, NULL, NULL, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, booleanMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.14 NAME 'integerMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - integerMatch, integerIndexer, integerFilter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, integerMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.15 NAME 'integerOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", - SLAP_MR_ORDERING, + SLAP_MR_ORDERING, NULL, + NULL, NULL, integerMatch, NULL, NULL, - integerOrderingMatch, NULL, NULL, - NULL}, + "integerMatch" }, {"( 2.5.13.16 NAME 'bitStringMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - bitStringMatch, bitStringIndexer, bitStringFilter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.17 NAME 'octetStringMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, + + {"( 2.5.13.18 NAME 'octetStringOrderingMatch' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )", + SLAP_MR_ORDERING, NULL, + NULL, NULL, octetStringOrderingMatch, NULL, NULL, - octetStringMatch, octetStringIndexer, octetStringFilter, - NULL}, + "octetStringMatch" }, + + {"( 2.5.13.19 NAME 'octetStringSubstringsMatch' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )", + SLAP_MR_SUBSTR, NULL, + NULL, NULL, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "octetStringMatch" }, {"( 2.5.13.20 NAME 'telephoneNumberMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_DN_FOLD, - NULL, NULL, - telephoneNumberMatch, - telephoneNumberIndexer, - telephoneNumberFilter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, + telephoneNumberNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.21 NAME 'telephoneNumberSubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.58 )", - SLAP_MR_SUBSTR | SLAP_MR_EXT, - NULL, NULL, - telephoneNumberSubstringsMatch, - telephoneNumberSubstringsIndexer, - telephoneNumberSubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, telephoneNumberNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "telephoneNumberMatch" }, {"( 2.5.13.22 NAME 'presentationAddressMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - NULL, NULL, NULL, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, NULL, NULL, NULL, NULL }, {"( 2.5.13.23 NAME 'uniqueMemberMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, uniqueMemberNormalize, uniqueMemberMatch, NULL, NULL, - uniqueMemberMatch, NULL, NULL, - NULL}, + NULL }, {"( 2.5.13.24 NAME 'protocolInformationMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - protocolInformationMatch, NULL, NULL, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, NULL, NULL, NULL, NULL }, {"( 2.5.13.27 NAME 'generalizedTimeMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, generalizedTimeNormalize, octetStringMatch, NULL, NULL, - generalizedTimeMatch, NULL, NULL, - NULL}, + NULL }, {"( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )", - SLAP_MR_ORDERING, + SLAP_MR_ORDERING, NULL, + NULL, generalizedTimeNormalize, octetStringOrderingMatch, NULL, NULL, - generalizedTimeOrderingMatch, NULL, NULL, - NULL}, + "generalizedTimeMatch" }, {"( 2.5.13.29 NAME 'integerFirstComponentMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - integerFirstComponentMatch, NULL, NULL, - NULL}, + integerFirstComponentMatchSyntaxes, + NULL, firstComponentNormalize, integerMatch, + octetStringIndexer, octetStringFilter, + NULL }, {"( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - objectIdentifierFirstComponentMatch, NULL, NULL, - NULL}, + objectIdentifierFirstComponentMatchSyntaxes, + NULL, firstComponentNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, #ifdef HAVE_TLS {"( 2.5.13.34 NAME 'certificateExactMatch' " "SYNTAX 1.2.826.0.1.3344810.7.1 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - certificateExactConvert, NULL, - certificateExactMatch, - certificateExactIndexer, certificateExactFilter, - NULL}, + SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateExactMatchSyntaxes, + NULL, certificateExactNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, #endif {"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT, - NULL, NULL, - caseExactIA5Match, caseExactIA5Indexer, caseExactIA5Filter, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, IA5StringNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, IA5StringApproxMatchOID }, {"( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", - SLAP_MR_EQUALITY | SLAP_MR_EXT | SLAP_MR_DN_FOLD, - NULL, NULL, - caseIgnoreIA5Match, caseIgnoreIA5Indexer, caseIgnoreIA5Filter, + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, IA5StringNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, IA5StringApproxMatchOID }, {"( 1.3.6.1.4.1.1466.109.114.3 NAME 'caseIgnoreIA5SubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", - SLAP_MR_SUBSTR, - NULL, NULL, - caseIgnoreIA5SubstringsMatch, - caseIgnoreIA5SubstringsIndexer, - caseIgnoreIA5SubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, IA5StringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "caseIgnoreIA5Match" }, {"( 1.3.6.1.4.1.4203.1.2.1 NAME 'caseExactIA5SubstringsMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", - SLAP_MR_SUBSTR, - NULL, NULL, - caseExactIA5SubstringsMatch, - caseExactIA5SubstringsIndexer, - caseExactIA5SubstringsFilter, - NULL}, + SLAP_MR_SUBSTR, NULL, + NULL, IA5StringNormalize, octetStringSubstringsMatch, + octetStringSubstringsIndexer, octetStringSubstringsFilter, + "caseExactIA5Match" }, #ifdef SLAPD_AUTHPASSWD /* needs updating */ {"( 1.3.6.1.4.1.4203.666.4.1 NAME 'authPasswordMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )", - SLAP_MR_EQUALITY, + SLAP_MR_EQUALITY, NULL, + NULL, NULL, authPasswordMatch, NULL, NULL, - authPasswordMatch, NULL, NULL, NULL}, #endif #ifdef SLAPD_ACI_ENABLED {"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' " "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )", - SLAP_MR_EQUALITY, + SLAP_MR_EQUALITY, NULL, + NULL, NULL, OpenLDAPaciMatch, NULL, NULL, - OpenLDAPaciMatch, NULL, NULL, NULL}, #endif {"( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", - SLAP_MR_EXT, + SLAP_MR_EXT, NULL, + NULL, NULL, integerBitAndMatch, NULL, NULL, - integerBitAndMatch, NULL, NULL, - NULL}, + "integerMatch" }, {"( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", - SLAP_MR_EXT, + SLAP_MR_EXT, NULL, + NULL, NULL, integerBitOrMatch, NULL, NULL, - integerBitOrMatch, NULL, NULL, - NULL}, + "integerMatch" }, - {NULL, SLAP_MR_NONE, NULL, NULL, NULL, NULL} + {NULL, SLAP_MR_NONE, NULL, + NULL, NULL, NULL, NULL, NULL, + NULL } }; int slap_schema_init( void ) { int res; - int i = 0; + int i; /* we should only be called once (from main) */ assert( schema_init_done == 0 ); @@ -4766,9 +2827,11 @@ slap_schema_init( void ) } for ( i=0; mrule_defs[i].mrd_desc != NULL; i++ ) { - if( mrule_defs[i].mrd_usage == SLAP_MR_NONE ) { + if( mrule_defs[i].mrd_usage == SLAP_MR_NONE && + mrule_defs[i].mrd_compat_syntaxes == NULL ) + { fprintf( stderr, - "slap_schema_init: Ingoring unusable matching rule %s\n", + "slap_schema_init: Ignoring unusable matching rule %s\n", mrule_defs[i].mrd_desc ); continue; } @@ -4783,9 +2846,6 @@ slap_schema_init( void ) } } - for ( i=0; i < (int)(sizeof(mr_ptr)/sizeof(mr_ptr[0])); i++ ) - *mr_ptr[i].mr = mr_find( mr_ptr[i].oid ); - res = slap_schema_load(); schema_init_done = 1; return res; @@ -4794,12 +2854,10 @@ slap_schema_init( void ) void schema_destroy( void ) { - int i; oidm_destroy(); oc_destroy(); at_destroy(); - for ( i=0; i < (int)(sizeof(mr_ptr)/sizeof(mr_ptr[0])); i++ ) - *mr_ptr[i].mr = NULL; mr_destroy(); + mru_destroy(); syn_destroy(); }