From 568be2607fd93079beb5fc2e918f2acf20ab42ed Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Sat, 8 Nov 2008 00:28:24 +0000 Subject: [PATCH] ITS#5700 --- CHANGES | 1 + servers/slapd/schema_init.c | 519 +++++++++++++++++++++++++++++++++++- 2 files changed, 517 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 51d682ecef..9ae1d45026 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log OpenLDAP 2.4.13 Engineering Fixed liblutil hex conversion (ITS#5699) + Added slapd support for certificateListExactMatch from RFC4523 (ITS#5700) Fixed slapd-bdb/hdb invalid db crash (ITS#5698) Added slapo-translucent try local bind when remote fails (ITS#5656) diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 563c8cf7d7..9f5e88e7b5 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -74,6 +74,13 @@ generalizedTimeValidate( Syntax *syntax, struct berval *in ); +#ifdef SUPPORT_OBSOLETE_UTC_SYNTAX +static int +utcTimeValidate( + Syntax *syntax, + struct berval *in ); +#endif /* SUPPORT_OBSOLETE_UTC_SYNTAX */ + static int inValidate( Syntax *syntax, @@ -3429,6 +3436,494 @@ done: return rc; } +/* X.509 PKI certificateList stuff */ +static int +checkTime( struct berval *in, struct berval *out ) +{ + int i; + char buf[STRLENOF("YYYYmmddHHMMSSZ") + 1]; + struct berval bv; + + assert( in != NULL ); + assert( !BER_BVISNULL( in ) ); + assert( !BER_BVISEMPTY( in ) ); + + if ( in->bv_len < STRLENOF( "YYmmddHHMMSSZ" ) ) { + return -1; + } + + if ( out != NULL ) { + assert( !BER_BVISNULL( out ) ); + assert( out->bv_len >= sizeof( buf ) ); + bv.bv_val = out->bv_val; + + } else { + bv.bv_val = buf; + } + + for ( i = 0; i < STRLENOF( "YYYYmmddHHMMSS" ); i++ ) { + if ( !ASCII_DIGIT( in->bv_val[i] ) ) break; + } + + if ( in->bv_val[i] != 'Z' ) { + return -1; + } + i++; + + if ( i != in->bv_len ) { + return -1; + } + + if ( i == STRLENOF( "YYYYmmddHHMMSSZ" ) ) { + lutil_strncopy( bv.bv_val, in->bv_val, i ); + bv.bv_len = i; + + } else if ( i == STRLENOF( "YYmmddHHMMSSZ" ) ) { + char *p = bv.bv_val; + if ( in->bv_val[0] < '7' ) { + p = lutil_strcopy( p, "20" ); + + } else { + p = lutil_strcopy( p, "19" ); + } + lutil_strncopy( p, in->bv_val, i ); + bv.bv_len = 2 + i; + + } else { + return -1; + } + + i = generalizedTimeValidate( NULL, &bv ); + if ( i == LDAP_SUCCESS && out != NULL ) { + out->bv_len = bv.bv_len; + } + + return i != LDAP_SUCCESS; +} + +static int +issuerAndThisUpdateCheck( + struct berval *in, + struct berval *is, + struct berval *tu, + void *ctx ) +{ + int numdquotes = 0; + struct berval x = *in; + struct berval ni = BER_BVNULL; + /* Parse GSER format */ + enum { + HAVE_NONE = 0x0, + HAVE_ISSUER = 0x1, + HAVE_THISUPDATE = 0x2, + HAVE_ALL = ( HAVE_ISSUER | HAVE_THISUPDATE ) + } have = HAVE_NONE; + + + if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX; + + if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val++; + x.bv_len -= STRLENOF("{}"); + + do { + /* eat leading spaces */ + for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) { + /* empty */; + } + + /* should be at issuer or thisUpdate */ + if ( strncasecmp( x.bv_val, "issuer", STRLENOF("issuer") ) == 0 ) { + if ( have & HAVE_ISSUER ) return LDAP_INVALID_SYNTAX; + + /* parse issuer */ + x.bv_val += STRLENOF("issuer"); + x.bv_len -= STRLENOF("issuer"); + + if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; + x.bv_len--; + + /* eat leading spaces */ + for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) { + /* empty */; + } + + /* For backward compatibility, this part is optional */ + if ( strncasecmp( x.bv_val, "rdnSequence:", STRLENOF("rdnSequence:") ) != 0 ) { + return LDAP_INVALID_SYNTAX; + } + x.bv_val += STRLENOF("rdnSequence:"); + x.bv_len -= STRLENOF("rdnSequence:"); + + if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; + x.bv_len--; + + is->bv_val = x.bv_val; + is->bv_len = 0; + + for ( ; is->bv_len < x.bv_len; ) { + if ( is->bv_val[is->bv_len] != '"' ) { + is->bv_len++; + continue; + } + if ( is->bv_val[is->bv_len+1] == '"' ) { + /* double dquote */ + is->bv_len += 2; + continue; + } + break; + } + x.bv_val += is->bv_len + 1; + x.bv_len -= is->bv_len + 1; + + have |= HAVE_ISSUER; + + } else if ( strncasecmp( x.bv_val, "thisUpdate", STRLENOF("thisUpdate") ) == 0 ) + { + if ( have & HAVE_THISUPDATE ) return LDAP_INVALID_SYNTAX; + + /* parse thisUpdate */ + x.bv_val += STRLENOF("thisUpdate"); + x.bv_len -= STRLENOF("thisUpdate"); + + if ( x.bv_val[0] != ' ' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; + x.bv_len--; + + /* eat leading spaces */ + for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) { + /* empty */; + } + + if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX; + x.bv_val++; + x.bv_len--; + + tu->bv_val = x.bv_val; + tu->bv_len = 0; + + for ( ; tu->bv_len < x.bv_len; tu->bv_len++ ) { + if ( tu->bv_val[tu->bv_len] == '"' ) { + break; + } + } + x.bv_val += tu->bv_len + 1; + x.bv_len -= tu->bv_len + 1; + + have |= HAVE_THISUPDATE; + + } else { + return LDAP_INVALID_SYNTAX; + } + + /* eat leading spaces */ + for ( ; (x.bv_val[0] == ' ') && x.bv_len; x.bv_val++, x.bv_len-- ) { + /* empty */; + } + + if ( have == HAVE_ALL ) { + break; + } + + if ( x.bv_val[0] != ',' ) { + return LDAP_INVALID_SYNTAX; + } + + x.bv_val++; + x.bv_len--; + } while ( 1 ); + + /* should have no characters left... */ + if ( x.bv_len ) return LDAP_INVALID_SYNTAX; + + if ( numdquotes == 0 ) { + ber_dupbv_x( &ni, is, ctx ); + + } else { + ber_int_t src, dst; + + ni.bv_len = is->bv_len - numdquotes; + ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx ); + for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) { + if ( is->bv_val[src] == '"' ) { + src++; + } + ni.bv_val[dst] = is->bv_val[src]; + } + ni.bv_val[dst] = '\0'; + } + + *is = ni; + + return 0; +} + +static int +issuerAndThisUpdateValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + struct berval i, tu; + + Debug( LDAP_DEBUG_TRACE, ">>> issuerAndThisUpdateValidate: <%s>\n", + in->bv_val, 0, 0 ); + + rc = issuerAndThisUpdateCheck( in, &i, &tu, NULL ); + if ( rc ) { + goto done; + } + + /* validate DN -- doesn't handle double dquote */ + rc = dnValidate( NULL, &i ); + if ( rc ) { + rc = LDAP_INVALID_SYNTAX; + + } else if ( checkTime( &tu, NULL ) ) { + rc = LDAP_INVALID_SYNTAX; + } + + if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) { + slap_sl_free( i.bv_val, NULL ); + } + + Debug( LDAP_DEBUG_TRACE, "<<< issuerAndThisUpdateValidate: <%s> err=%d\n", + in->bv_val, rc, 0 ); + +done:; + return rc; +} + +static int +issuerAndThisUpdatePretty( + Syntax *syntax, + struct berval *in, + struct berval *out, + void *ctx ) +{ + int rc; + struct berval i, tu, ni = BER_BVNULL; + char *p; + + assert( in != NULL ); + assert( out != NULL ); + + BER_BVZERO( out ); + + Debug( LDAP_DEBUG_TRACE, ">>> issuerAndThisUpdatePretty: <%s>\n", + in->bv_val, 0, 0 ); + + rc = issuerAndThisUpdateCheck( in, &i, &tu, ctx ); + if ( rc ) { + goto done; + } + + rc = dnPretty( syntax, &i, &ni, ctx ); + + if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) { + slap_sl_free( i.bv_val, ctx ); + } + + if ( rc || checkTime( &tu, NULL ) ) { + rc = LDAP_INVALID_SYNTAX; + goto done; + } + + /* make room */ + out->bv_len = STRLENOF("{ issuer rdnSequence:\"\", thisUpdate \"\" }") + + ni.bv_len + tu.bv_len; + out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); + + if ( out->bv_val == NULL ) { + out->bv_len = 0; + rc = LDAP_OTHER; + goto done; + } + + p = out->bv_val; + p = lutil_strcopy( p, "{ issuer rdnSequence:\"" /*}*/ ); + p = lutil_strncopy( p, ni.bv_val, ni.bv_len ); + p = lutil_strcopy( p, "\", thisUpdate \"" ); + p = lutil_strncopy( p, tu.bv_val, tu.bv_len ); + p = lutil_strcopy( p, /*{*/ "\" }" ); + + assert( p - out->bv_val == out->bv_len ); + +done:; + Debug( LDAP_DEBUG_TRACE, "<<< issuerAndThisUpdatePretty: <%s> => <%s>\n", + in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 ); + + slap_sl_free( ni.bv_val, ctx ); + + return rc; +} + +static int +issuerAndThisUpdateNormalize( + slap_mask_t usage, + Syntax *syntax, + MatchingRule *mr, + struct berval *in, + struct berval *out, + void *ctx ) +{ + struct berval i, ni, tu, tu2; + char sbuf[STRLENOF("YYYYmmddHHMMSSZ") + 1]; + char *p; + int rc; + + assert( in != NULL ); + assert( out != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> issuerAndThisUpdateNormalize: <%s>\n", + in->bv_val, 0, 0 ); + + rc = issuerAndThisUpdateCheck( in, &i, &tu, ctx ); + if ( rc ) { + return rc; + } + + rc = dnNormalize( usage, syntax, mr, &i, &ni, ctx ); + + if ( in->bv_val[0] == '{' && in->bv_val[in->bv_len-1] == '}' ) { + slap_sl_free( i.bv_val, ctx ); + } + + tu2.bv_val = sbuf; + tu2.bv_len = sizeof( sbuf ); + if ( rc || checkTime( &tu, &tu2 ) ) { + return LDAP_INVALID_SYNTAX; + } + + out->bv_len = STRLENOF( "{ issuer rdnSequence:\"\", thisUpdate \"\" }" ) + + ni.bv_len + tu2.bv_len; + out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx ); + + if ( out->bv_val == NULL ) { + out->bv_len = 0; + rc = LDAP_OTHER; + goto func_leave; + } + + p = out->bv_val; + + p = lutil_strcopy( p, "{ issuer rdnSequence:\"" /*}*/ ); + p = lutil_strncopy( p, ni.bv_val, ni.bv_len ); + p = lutil_strcopy( p, "\", thisUpdate \"" ); + p = lutil_strncopy( p, tu2.bv_val, tu2.bv_len ); + p = lutil_strcopy( p, /*{*/ "\" }" ); + + assert( p - out->bv_val == out->bv_len ); + +func_leave: + Debug( LDAP_DEBUG_TRACE, "<<< issuerAndThisUpdateNormalize: <%s> => <%s>\n", + in->bv_val, rc == LDAP_SUCCESS ? out->bv_val : "(err)", 0 ); + + slap_sl_free( ni.bv_val, ctx ); + + return rc; +} + +static int +certificateListExactNormalize( + slap_mask_t usage, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *normalized, + void *ctx ) +{ + BerElementBuffer berbuf; + BerElement *ber = (BerElement *)&berbuf; + ber_tag_t tag; + ber_len_t len; + ber_int_t version; + struct berval issuer_dn = BER_BVNULL, bvdn, + thisUpdate, bvtu; + char *p, tubuf[STRLENOF("YYYYmmddHHMMSSZ") + 1]; + int rc = LDAP_INVALID_SYNTAX; + + assert( val != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> certificateListExactNormalize: <%p, %lu>\n", + val->bv_val, val->bv_len, 0 ); + + if ( BER_BVISEMPTY( val ) ) goto done; + + if ( SLAP_MR_IS_VALUE_OF_ASSERTION_SYNTAX(usage) ) { + return issuerAndThisUpdateNormalize( 0, NULL, NULL, val, normalized, ctx ); + } + + assert( SLAP_MR_IS_VALUE_OF_ATTRIBUTE_SYNTAX(usage) != 0 ); + + ber_init2( ber, val, LBER_USE_DER ); + tag = ber_skip_tag( ber, &len ); /* Signed wrapper */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + tag = ber_skip_tag( ber, &len ); /* Sequence */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + tag = ber_peek_tag( ber, &len ); + /* Optional version */ + if ( tag == LBER_INTEGER ) { + tag = ber_get_int( ber, &version ); + assert( tag == LBER_INTEGER ); + if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX; + } + tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + ber_skip_data( ber, len ); + + tag = ber_peek_tag( ber, &len ); /* IssuerDN */ + if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX; + len = ber_ptrlen( ber ); + bvdn.bv_val = val->bv_val + len; + bvdn.bv_len = val->bv_len - len; + tag = ber_skip_tag( ber, &len ); + ber_skip_data( ber, len ); + + tag = ber_skip_tag( ber, &len ); /* thisUpdate */ + /* Time is a CHOICE { UTCTime, GeneralizedTime } */ + if ( tag != SLAP_TAG_UTCTIME && tag != SLAP_TAG_GENERALIZEDTIME ) return LDAP_INVALID_SYNTAX; + bvtu.bv_val = (char *)ber->ber_ptr; + bvtu.bv_len = len; + + rc = dnX509normalize( &bvdn, &issuer_dn ); + if ( rc != LDAP_SUCCESS ) goto done; + + thisUpdate.bv_val = tubuf; + thisUpdate.bv_len = sizeof(tubuf); + if ( checkTime( &bvtu, &thisUpdate ) ) { + rc = LDAP_INVALID_SYNTAX; + goto done; + } + + normalized->bv_len = STRLENOF( "{ issuer rdnSequence:\"\", thisUpdate \"\" }" ) + + issuer_dn.bv_len + thisUpdate.bv_len; + normalized->bv_val = ch_malloc( normalized->bv_len + 1 ); + + p = normalized->bv_val; + + p = lutil_strcopy( p, "{ issuer rdnSequence:\"" ); + p = lutil_strncopy( p, issuer_dn.bv_val, issuer_dn.bv_len ); + p = lutil_strcopy( p, "\", thisUpdate \"" ); + p = lutil_strncopy( p, thisUpdate.bv_val, thisUpdate.bv_len ); + p = lutil_strcopy( p, /*{*/ "\" }" ); + + rc = LDAP_SUCCESS; + +done: + Debug( LDAP_DEBUG_TRACE, "<<< certificateListExactNormalize: <%p, %lu> => <%s>\n", + val->bv_val, val->bv_len, rc == LDAP_SUCCESS ? normalized->bv_val : "(err)" ); + + if ( issuer_dn.bv_val ) ber_memfree( issuer_dn.bv_val ); + + return rc; +} + static int hexValidate( Syntax *syntax, @@ -4816,7 +5311,9 @@ static slap_syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.1.15.4 DESC 'Certificate Pair Assertion' )", SLAP_SYNTAX_HIDE, NULL, NULL, NULL}, {"( 1.3.6.1.1.15.5 DESC 'Certificate List Exact Assertion' )", - SLAP_SYNTAX_HIDE, NULL, NULL, NULL}, + SLAP_SYNTAX_HIDE, NULL, + issuerAndThisUpdateValidate, + issuerAndThisUpdatePretty}, {"( 1.3.6.1.1.15.6 DESC 'Certificate List Assertion' )", SLAP_SYNTAX_HIDE, NULL, NULL, NULL}, {"( 1.3.6.1.1.15.7 DESC 'Algorithm Identifier' )", @@ -4856,9 +5353,14 @@ char *certificateExactMatchSyntaxes[] = { "1.3.6.1.4.1.1466.115.121.1.8" /* certificate */, NULL }; +char *certificateListExactMatchSyntaxes[] = { + "1.3.6.1.4.1.1466.115.121.1.9" /* certificateList */, + NULL +}; #ifdef LDAP_COMP_MATCH char *componentFilterMatchSyntaxes[] = { "1.3.6.1.4.1.1466.115.121.1.8" /* certificate */, + "1.3.6.1.4.1.1466.115.121.1.9" /* certificateList */, NULL }; #endif @@ -4893,8 +5395,6 @@ char *objectIdentifierFirstComponentMatchSyntaxes[] = { * 2.5.13.33* keywordMatch * 2.5.13.36+ certificatePairExactMatch * 2.5.13.37+ certificatePairMatch - * 2.5.13.38+ certificateListExactMatch - * 2.5.13.39+ certificateListMatch * 2.5.13.40+ algorithmIdentifierMatch * 2.5.13.41* storedPrefixMatch * 2.5.13.42 attributeCertificateMatch @@ -5199,6 +5699,19 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, NULL, NULL, NULL, NULL, NULL }, + {"( 2.5.13.38 NAME 'certificateListExactMatch' " + "SYNTAX 1.3.6.1.1.15.5 )", + SLAP_MR_EQUALITY | SLAP_MR_EXT, certificateListExactMatchSyntaxes, + NULL, certificateListExactNormalize, octetStringMatch, + octetStringIndexer, octetStringFilter, + NULL }, + + {"( 2.5.13.39 NAME 'certificateListMatch' " + "SYNTAX 1.3.6.1.1.15.6 )", + SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, + NULL, NULL, NULL, NULL, NULL, + NULL }, + {"( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )", SLAP_MR_EQUALITY | SLAP_MR_EXT, NULL, -- 2.39.5