diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:11:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 11:11:40 +0000 |
commit | 7731832751ab9f3c6ddeb66f186d3d7fa1934a6d (patch) | |
tree | e91015872543a59be2aad26c2fea02e41b57005d /servers/slapd/dn.c | |
parent | Initial commit. (diff) | |
download | openldap-upstream.tar.xz openldap-upstream.zip |
Adding upstream version 2.4.57+dfsg.upstream/2.4.57+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'servers/slapd/dn.c')
-rw-r--r-- | servers/slapd/dn.c | 1331 |
1 files changed, 1331 insertions, 0 deletions
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c new file mode 100644 index 0000000..07e4965 --- /dev/null +++ b/servers/slapd/dn.c @@ -0,0 +1,1331 @@ +/* dn.c - routines for dealing with distinguished names */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 1998-2021 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* Portions Copyright (c) 1995 Regents of the University of Michigan. + * All rights reserved. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and that due credit is given + * to the University of Michigan at Ann Arbor. The name of the University + * may not be used to endorse or promote products derived from this + * software without specific prior written permission. This software + * is provided ``as is'' without express or implied warranty. + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/ctype.h> +#include <ac/socket.h> +#include <ac/string.h> +#include <ac/time.h> + +#include "slap.h" +#include "lutil.h" + +/* + * The DN syntax-related functions take advantage of the dn representation + * handling functions ldap_str2dn/ldap_dn2str. The latter are not schema- + * aware, so the attributes and their values need be validated (and possibly + * normalized). In the current implementation the required validation/nor- + * malization/"pretty"ing are done on newly created DN structural represen- + * tations; however the idea is to move towards DN handling in structural + * representation instead of the current string representation. To this + * purpose, we need to do only the required operations and keep track of + * what has been done to minimize their impact on performances. + * + * Developers are strongly encouraged to use this feature, to speed-up + * its stabilization. + */ + +#define AVA_PRIVATE( ava ) ( ( AttributeDescription * )(ava)->la_private ) + +int slap_DN_strict = SLAP_AD_NOINSERT; + +static int +LDAPRDN_validate( LDAPRDN rdn ) +{ + int iAVA; + int rc; + + assert( rdn != NULL ); + + for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validate = NULL; + + assert( ava != NULL ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + rc = slap_bv2undef_ad( &ava->la_attr, + &ad, &text, + SLAP_AD_PROXIED|slap_DN_strict ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + ava->la_private = ( void * )ad; + } + + /* + * Do not allow X-ORDERED 'VALUES' naming attributes + */ + if ( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { + return LDAP_INVALID_SYNTAX; + } + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + validate = ad->ad_type->sat_syntax->ssyn_validate; + + if ( validate ) { + /* + * validate value by validate function + */ + rc = ( *validate )( ad->ad_type->sat_syntax, + &ava->la_value ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + } + + return LDAP_SUCCESS; +} + +/* + * In-place, schema-aware validation of the + * structural representation of a distinguished name. + */ +static int +LDAPDN_validate( LDAPDN dn ) +{ + int iRDN; + int rc; + + assert( dn != NULL ); + + for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) { + rc = LDAPRDN_validate( dn[ iRDN ] ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + } + + return LDAP_SUCCESS; +} + +/* + * dn validate routine + */ +int +dnValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + LDAPDN dn = NULL; + + assert( in != NULL ); + + if ( in->bv_len == 0 ) { + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_bv2dn( in, &dn, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( in->bv_val ) == in->bv_len ); + + /* + * Schema-aware validate + */ + rc = LDAPDN_validate( dn ); + ldap_dnfree( dn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + +int +rdnValidate( + Syntax *syntax, + struct berval *in ) +{ + int rc; + LDAPRDN rdn; + char* p; + + assert( in != NULL ); + if ( in->bv_len == 0 ) { + return LDAP_SUCCESS; + + } else if ( in->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_bv2rdn_x( in , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, NULL); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( in->bv_val ) == in->bv_len ); + + /* + * Schema-aware validate + */ + rc = LDAPRDN_validate( rdn ); + ldap_rdnfree( rdn ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + return LDAP_SUCCESS; +} + + +/* + * AVA sorting inside a RDN + * + * Rule: sort attributeTypes in alphabetical order. + * + * Note: the sorting can be slightly improved by sorting first + * by attribute type length, then by alphabetical order. + * + * uses an insertion sort; should be fine since the number of AVAs in + * a RDN should be limited. + */ +static int +AVA_Sort( LDAPRDN rdn, int nAVAs ) +{ + LDAPAVA *ava_i; + int i; + int rc = LDAP_SUCCESS; + + assert( rdn != NULL ); + + for ( i = 1; i < nAVAs; i++ ) { + LDAPAVA *ava_j; + int j; + + ava_i = rdn[ i ]; + for ( j = i-1; j >=0; j-- ) { + int a; + + ava_j = rdn[ j ]; + a = strcmp( ava_i->la_attr.bv_val, ava_j->la_attr.bv_val ); + + /* RFC4512 does not allow multiple AVAs + * with the same attribute type in RDN (ITS#5968) */ + if ( a == 0 ) + rc = LDAP_INVALID_DN_SYNTAX; + + if ( a > 0 ) + break; + + rdn[ j+1 ] = rdn[ j ]; + } + rdn[ j+1 ] = ava_i; + } + return rc; +} + +static int +LDAPRDN_rewrite( LDAPRDN rdn, unsigned flags, void *ctx ) +{ + + int rc, iAVA, do_sort = 0; + + for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ iAVA ]; + AttributeDescription *ad; + slap_syntax_validate_func *validf = NULL; + slap_mr_normalize_func *normf = NULL; + slap_syntax_transform_func *transf = NULL; + MatchingRule *mr = NULL; + struct berval bv = BER_BVNULL; + + assert( ava != NULL ); + + if ( ( ad = AVA_PRIVATE( ava ) ) == NULL ) { + const char *text = NULL; + + rc = slap_bv2ad( &ava->la_attr, &ad, &text ); + if ( rc != LDAP_SUCCESS ) { + rc = slap_bv2undef_ad( &ava->la_attr, + &ad, &text, + SLAP_AD_PROXIED|slap_DN_strict ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + ava->la_private = ( void * )ad; + do_sort = 1; + } + + /* + * Replace attr oid/name with the canonical name + */ + ava->la_attr = ad->ad_cname; + + if( ava->la_flags & LDAP_AVA_BINARY ) { + /* AVA is binary encoded, not supported */ + return LDAP_INVALID_SYNTAX; + + /* Do not allow X-ORDERED 'VALUES' naming attributes */ + } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { + return LDAP_INVALID_SYNTAX; + + } else if( flags & SLAP_LDAPDN_PRETTY ) { + transf = ad->ad_type->sat_syntax->ssyn_pretty; + if( !transf ) { + validf = ad->ad_type->sat_syntax->ssyn_validate; + } + } else { /* normalization */ + validf = ad->ad_type->sat_syntax->ssyn_validate; + mr = ad->ad_type->sat_equality; + if( mr && (!( mr->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))) { + normf = mr->smr_normalize; + } + } + + if ( validf ) { + /* validate value before normalization */ + rc = ( *validf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + if ( transf ) { + /* + * transform value by pretty function + * if value is empty, use empty_bv + */ + rc = ( *transf )( ad->ad_type->sat_syntax, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + if ( normf ) { + /* + * normalize value + * if value is empty, use empty_bv + */ + rc = ( *normf )( + SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, + ad->ad_type->sat_syntax, + mr, + ava->la_value.bv_len + ? &ava->la_value + : (struct berval *) &slap_empty_bv, + &bv, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + + if( bv.bv_val ) { + if ( ava->la_flags & LDAP_AVA_FREE_VALUE ) + ber_memfree_x( ava->la_value.bv_val, ctx ); + ava->la_value = bv; + ava->la_flags |= LDAP_AVA_FREE_VALUE; + } + /* reject empty values */ + if (!ava->la_value.bv_len) { + return LDAP_INVALID_SYNTAX; + } + } + rc = LDAP_SUCCESS; + + if ( do_sort ) { + rc = AVA_Sort( rdn, iAVA ); + } + + return rc; +} + +/* + * In-place, schema-aware normalization / "pretty"ing of the + * structural representation of a distinguished name. + */ +static int +LDAPDN_rewrite( LDAPDN dn, unsigned flags, void *ctx ) +{ + int iRDN; + int rc; + + assert( dn != NULL ); + + for ( iRDN = 0; dn[ iRDN ]; iRDN++ ) { + rc = LDAPRDN_rewrite( dn[ iRDN ], flags, ctx ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + } + + return LDAP_SUCCESS; +} + +int +dnNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val != NULL ); + assert( out != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val ? val->bv_val : "", 0, 0 ); + + if ( val->bv_len != 0 ) { + LDAPDN dn = NULL; + int rc; + + /* + * Go to structural representation + */ + rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) { + ldap_dnfree_x( dn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* + * Back to string representation + */ + rc = ldap_dn2bv_x( dn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_dnfree_x( dn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } else { + ber_dupbv_x( out, val, ctx ); + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val ? out->bv_val : "", 0, 0 ); + + return LDAP_SUCCESS; +} + +int +rdnNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val != NULL ); + assert( out != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnNormalize: <%s>\n", val->bv_val ? val->bv_val : "", 0, 0 ); + if ( val->bv_len != 0 ) { + LDAPRDN rdn = NULL; + int rc; + char* p; + + /* + * Go to structural representation + */ + rc = ldap_bv2rdn_x( val , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, ctx); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPRDN_rewrite( rdn, 0, ctx ) != LDAP_SUCCESS ) { + ldap_rdnfree_x( rdn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* + * Back to string representation + */ + rc = ldap_rdn2bv_x( rdn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_rdnfree_x( rdn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } else { + ber_dupbv_x( out, val, ctx ); + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnNormalize: <%s>\n", out->bv_val ? out->bv_val : "", 0, 0 ); + + return LDAP_SUCCESS; +} + +int +dnPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val != NULL ); + assert( out != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> dnPretty: <%s>\n", val->bv_val ? val->bv_val : "", 0, 0 ); + + if ( val->bv_len == 0 ) { + ber_dupbv_x( out, val, ctx ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { + LDAPDN dn = NULL; + int rc; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) { + ldap_dnfree_x( dn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* FIXME: not sure why the default isn't pretty */ + /* RE: the default is the form that is used as + * an internal representation; the pretty form + * is a variant */ + rc = ldap_dn2bv_x( dn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_dnfree_x( dn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val ? out->bv_val : "", 0, 0 ); + + return LDAP_SUCCESS; +} + +int +rdnPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx) +{ + assert( val != NULL ); + assert( out != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> rdnPretty: <%s>\n", val->bv_val ? val->bv_val : "", 0, 0 ); + + if ( val->bv_len == 0 ) { + ber_dupbv_x( out, val, ctx ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { + LDAPRDN rdn = NULL; + int rc; + char* p; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2rdn_x( val , &rdn, (char **) &p, + LDAP_DN_FORMAT_LDAP, ctx); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPRDN_rewrite( rdn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) { + ldap_rdnfree_x( rdn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + /* FIXME: not sure why the default isn't pretty */ + /* RE: the default is the form that is used as + * an internal representation; the pretty form + * is a variant */ + rc = ldap_rdn2bv_x( rdn, out, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_rdnfree_x( rdn, ctx ); + + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnPretty: <%s>\n", out->bv_val ? out->bv_val : "", 0, 0 ); + + return LDAP_SUCCESS; +} + + +int +dnPrettyNormalDN( + Syntax *syntax, + struct berval *val, + LDAPDN *dn, + int flags, + void *ctx ) +{ + assert( val != NULL ); + assert( dn != NULL ); + + Debug( LDAP_DEBUG_TRACE, ">>> dn%sDN: <%s>\n", + flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", + val->bv_val ? val->bv_val : "", 0 ); + + if ( val->bv_len == 0 ) { + return LDAP_SUCCESS; + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + return LDAP_INVALID_SYNTAX; + + } else { + int rc; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn_x( val, dn, LDAP_DN_FORMAT_LDAP, ctx ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( *dn, flags, ctx ) != LDAP_SUCCESS ) { + ldap_dnfree_x( *dn, ctx ); + *dn = NULL; + return LDAP_INVALID_SYNTAX; + } + } + + Debug( LDAP_DEBUG_TRACE, "<<< dn%sDN\n", + flags == SLAP_LDAPDN_PRETTY ? "Pretty" : "Normal", + 0, 0 ); + + return LDAP_SUCCESS; +} + +/* + * Combination of both dnPretty and dnNormalize + */ +int +dnPrettyNormal( + Syntax *syntax, + struct berval *val, + struct berval *pretty, + struct berval *normal, + void *ctx) +{ + assert( val != NULL ); + assert( pretty != NULL ); + assert( normal != NULL ); + Debug( LDAP_DEBUG_TRACE, ">>> dnPrettyNormal: <%s>\n", val->bv_val ? val->bv_val : "", 0, 0 ); + + if ( val->bv_len == 0 ) { + ber_dupbv_x( pretty, val, ctx ); + ber_dupbv_x( normal, val, ctx ); + + } else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) { + /* too big */ + return LDAP_INVALID_SYNTAX; + + } else { + LDAPDN dn = NULL; + int rc; + + pretty->bv_val = NULL; + normal->bv_val = NULL; + pretty->bv_len = 0; + normal->bv_len = 0; + + /* FIXME: should be liberal in what we accept */ + rc = ldap_bv2dn_x( val, &dn, LDAP_DN_FORMAT_LDAP, ctx ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + assert( strlen( val->bv_val ) == val->bv_len ); + + /* + * Schema-aware rewrite + */ + if ( LDAPDN_rewrite( dn, SLAP_LDAPDN_PRETTY, ctx ) != LDAP_SUCCESS ) { + ldap_dnfree_x( dn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_dn2bv_x( dn, pretty, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + if ( rc != LDAP_SUCCESS ) { + ldap_dnfree_x( dn, ctx ); + return LDAP_INVALID_SYNTAX; + } + + if ( LDAPDN_rewrite( dn, 0, ctx ) != LDAP_SUCCESS ) { + ldap_dnfree_x( dn, ctx ); + ber_memfree_x( pretty->bv_val, ctx ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; + } + + rc = ldap_dn2bv_x( dn, normal, + LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, ctx ); + + ldap_dnfree_x( dn, ctx ); + if ( rc != LDAP_SUCCESS ) { + ber_memfree_x( pretty->bv_val, ctx ); + pretty->bv_val = NULL; + pretty->bv_len = 0; + return LDAP_INVALID_SYNTAX; + } + } + + Debug( LDAP_DEBUG_TRACE, "<<< dnPrettyNormal: <%s>, <%s>\n", + pretty->bv_val ? pretty->bv_val : "", + normal->bv_val ? normal->bv_val : "", 0 ); + + return LDAP_SUCCESS; +} + +/* + * dnMatch routine + */ +int +dnMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp != NULL ); + assert( value != NULL ); + assert( assertedValue != NULL ); + assert( !BER_BVISNULL( value ) ); + assert( !BER_BVISNULL( asserted ) ); + + match = value->bv_len - asserted->bv_len; + + if ( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } + + Debug( LDAP_DEBUG_ARGS, "dnMatch %d\n\t\"%s\"\n\t\"%s\"\n", + match, value->bv_val, asserted->bv_val ); + + *matchp = match; + return LDAP_SUCCESS; +} + +/* + * dnRelativeMatch routine + */ +int +dnRelativeMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp != NULL ); + assert( value != NULL ); + assert( assertedValue != NULL ); + assert( !BER_BVISNULL( value ) ); + assert( !BER_BVISNULL( asserted ) ); + + if( mr == slap_schema.si_mr_dnSubtreeMatch ) { + if( asserted->bv_len > value->bv_len ) { + match = -1; + } else if ( asserted->bv_len == value->bv_len ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + } else { + match = 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + } + + if( mr == slap_schema.si_mr_dnSuperiorMatch ) { + asserted = value; + value = (struct berval *) assertedValue; + mr = slap_schema.si_mr_dnSubordinateMatch; + } + + if( mr == slap_schema.si_mr_dnSubordinateMatch ) { + if( asserted->bv_len >= value->bv_len ) { + match = -1; + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + } else { + match = 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + } + + if( mr == slap_schema.si_mr_dnOneLevelMatch ) { + if( asserted->bv_len >= value->bv_len ) { + match = -1; + } else { + if( DN_SEPARATOR( + value->bv_val[value->bv_len - asserted->bv_len - 1] )) + { + match = memcmp( + &value->bv_val[value->bv_len - asserted->bv_len], + asserted->bv_val, + asserted->bv_len ); + + if( !match ) { + struct berval rdn; + rdn.bv_val = value->bv_val; + rdn.bv_len = value->bv_len - asserted->bv_len - 1; + match = dnIsOneLevelRDN( &rdn ) ? 0 : 1; + } + } else { + match = 1; + } + } + + *matchp = match; + return LDAP_SUCCESS; + } + + /* should not be reachable */ + assert( 0 ); + return LDAP_OTHER; +} + +int +rdnMatch( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue ) +{ + int match; + struct berval *asserted = (struct berval *) assertedValue; + + assert( matchp != NULL ); + assert( value != NULL ); + assert( assertedValue != NULL ); + + match = value->bv_len - asserted->bv_len; + + if ( match == 0 ) { + match = memcmp( value->bv_val, asserted->bv_val, + value->bv_len ); + } + + Debug( LDAP_DEBUG_ARGS, "rdnMatch %d\n\t\"%s\"\n\t\"%s\"\n", + match, value->bv_val, asserted->bv_val ); + + *matchp = match; + return LDAP_SUCCESS; +} + + +/* + * dnParent - dn's parent, in-place + * note: the incoming dn is assumed to be normalized/prettyfied, + * so that escaped rdn/ava separators are in '\'+hexpair form + * + * note: "dn" and "pdn" can point to the same berval; + * beware that, in this case, the pointer to the original buffer + * will get lost. + */ +void +dnParent( + struct berval *dn, + struct berval *pdn ) +{ + char *p; + + p = ber_bvchr( dn, ',' ); + + /* one-level dn */ + if ( p == NULL ) { + pdn->bv_val = dn->bv_val + dn->bv_len; + pdn->bv_len = 0; + return; + } + + assert( DN_SEPARATOR( p[ 0 ] ) ); + p++; + + assert( ATTR_LEADCHAR( p[ 0 ] ) ); + pdn->bv_len = dn->bv_len - (p - dn->bv_val); + pdn->bv_val = p; + + return; +} + +/* + * dnRdn - dn's rdn, in-place + * note: the incoming dn is assumed to be normalized/prettyfied, + * so that escaped rdn/ava separators are in '\'+hexpair form + */ +void +dnRdn( + struct berval *dn, + struct berval *rdn ) +{ + char *p; + + *rdn = *dn; + p = ber_bvchr( dn, ',' ); + + /* one-level dn */ + if ( p == NULL ) { + return; + } + + assert( DN_SEPARATOR( p[ 0 ] ) ); + assert( ATTR_LEADCHAR( p[ 1 ] ) ); + rdn->bv_len = p - dn->bv_val; + + return; +} + +int +dnExtractRdn( + struct berval *dn, + struct berval *rdn, + void *ctx ) +{ + LDAPRDN tmpRDN; + const char *p; + int rc; + + assert( dn != NULL ); + assert( rdn != NULL ); + + if( dn->bv_len == 0 ) { + return LDAP_OTHER; + } + + rc = ldap_bv2rdn_x( dn, &tmpRDN, (char **)&p, LDAP_DN_FORMAT_LDAP, ctx ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + + rc = ldap_rdn2bv_x( tmpRDN, rdn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PRETTY, + ctx ); + + ldap_rdnfree_x( tmpRDN, ctx ); + return rc; +} + +/* + * We can assume the input is a prettied or normalized DN + */ +ber_len_t +dn_rdnlen( + Backend *be, + struct berval *dn_in ) +{ + const char *p; + + assert( dn_in != NULL ); + + if ( dn_in == NULL ) { + return 0; + } + + if ( !dn_in->bv_len ) { + return 0; + } + + if ( be != NULL && be_issuffix( be, dn_in ) ) { + return 0; + } + + p = ber_bvchr( dn_in, ',' ); + + return p ? (ber_len_t) (p - dn_in->bv_val) : dn_in->bv_len; +} + + +/* rdnValidate: + * + * LDAP_SUCCESS if rdn is a legal rdn; + * LDAP_INVALID_SYNTAX otherwise (including a sequence of rdns) + */ +int +rdn_validate( struct berval *rdn ) +{ +#if 1 + /* Major cheat! + * input is a pretty or normalized DN + * hence, we can just search for ',' + */ + if( rdn == NULL || rdn->bv_len == 0 || + rdn->bv_len > SLAP_LDAPDN_MAXLEN ) + { + return LDAP_INVALID_SYNTAX; + } + return ber_bvchr( rdn, ',' ) == NULL + ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX; + +#else + LDAPRDN *RDN, **DN[ 2 ] = { &RDN, NULL }; + const char *p; + int rc; + + /* + * must be non-empty + */ + if ( rdn == NULL || rdn == '\0' ) { + return 0; + } + + /* + * must be parsable + */ + rc = ldap_bv2rdn( rdn, &RDN, (char **)&p, LDAP_DN_FORMAT_LDAP ); + if ( rc != LDAP_SUCCESS ) { + return 0; + } + + /* + * Must be one-level + */ + if ( p[ 0 ] != '\0' ) { + return 0; + } + + /* + * Schema-aware validate + */ + if ( rc == LDAP_SUCCESS ) { + rc = LDAPDN_validate( DN ); + } + ldap_rdnfree( RDN ); + + /* + * Must validate (there's a repeated parsing ...) + */ + return ( rc == LDAP_SUCCESS ); +#endif +} + + +/* build_new_dn: + * + * Used by back-bdb back_modrdn to create the new dn of entries being + * renamed. + * + * new_dn = parent (p_dn) + separator + rdn (newrdn) + null. + */ + +void +build_new_dn( struct berval * new_dn, + struct berval * parent_dn, + struct berval * newrdn, + void *memctx ) +{ + char *ptr; + + if ( parent_dn == NULL || parent_dn->bv_len == 0 ) { + ber_dupbv_x( new_dn, newrdn, memctx ); + return; + } + + new_dn->bv_len = parent_dn->bv_len + newrdn->bv_len + 1; + new_dn->bv_val = (char *) slap_sl_malloc( new_dn->bv_len + 1, memctx ); + + ptr = lutil_strncopy( new_dn->bv_val, newrdn->bv_val, newrdn->bv_len ); + *ptr++ = ','; + strcpy( ptr, parent_dn->bv_val ); +} + + +/* + * dnIsSuffix - tells whether suffix is a suffix of dn. + * Both dn and suffix must be normalized. + */ +int +dnIsSuffix( + const struct berval *dn, + const struct berval *suffix ) +{ + int d; + + assert( dn != NULL ); + assert( suffix != NULL ); + + d = dn->bv_len - suffix->bv_len; + + /* empty suffix matches any dn */ + if ( suffix->bv_len == 0 ) { + return 1; + } + + /* suffix longer than dn */ + if ( d < 0 ) { + return 0; + } + + /* no rdn separator or escaped rdn separator */ + if ( d > 1 && !DN_SEPARATOR( dn->bv_val[ d - 1 ] ) ) { + return 0; + } + + /* no possible match or malformed dn */ + if ( d == 1 ) { + return 0; + } + + /* compare */ + return( strncmp( dn->bv_val + d, suffix->bv_val, suffix->bv_len ) == 0 ); +} + +/* + * In place; assumes: + * - ndn is normalized + * - nbase is normalized + * - dnIsSuffix( ndn, nbase ) == TRUE + * - LDAP_SCOPE_DEFAULT == LDAP_SCOPE_SUBTREE + */ +int +dnIsWithinScope( struct berval *ndn, struct berval *nbase, int scope ) +{ + assert( ndn != NULL ); + assert( nbase != NULL ); + assert( !BER_BVISNULL( ndn ) ); + assert( !BER_BVISNULL( nbase ) ); + + switch ( scope ) { + case LDAP_SCOPE_DEFAULT: + case LDAP_SCOPE_SUBTREE: + break; + + case LDAP_SCOPE_BASE: + if ( ndn->bv_len != nbase->bv_len ) { + return 0; + } + break; + + case LDAP_SCOPE_ONELEVEL: { + struct berval pndn; + dnParent( ndn, &pndn ); + if ( pndn.bv_len != nbase->bv_len ) { + return 0; + } + } break; + + case LDAP_SCOPE_SUBORDINATE: + if ( ndn->bv_len == nbase->bv_len ) { + return 0; + } + break; + + /* unknown scope */ + default: + return -1; + } + + return 1; +} + +/* + * In place; assumes: + * - ndn is normalized + * - nbase is normalized + * - LDAP_SCOPE_DEFAULT == LDAP_SCOPE_SUBTREE + */ +int +dnIsSuffixScope( struct berval *ndn, struct berval *nbase, int scope ) +{ + if ( !dnIsSuffix( ndn, nbase ) ) { + return 0; + } + + return dnIsWithinScope( ndn, nbase, scope ); +} + +int +dnIsOneLevelRDN( struct berval *rdn ) +{ + ber_len_t len = rdn->bv_len; + for ( ; len--; ) { + if ( DN_SEPARATOR( rdn->bv_val[ len ] ) ) { + return 0; + } + } + + return 1; +} + +#ifdef HAVE_TLS +static SLAP_CERT_MAP_FN *DNX509PeerNormalizeCertMap = NULL; +#endif + +int register_certificate_map_function(SLAP_CERT_MAP_FN *fn) +{ +#ifdef HAVE_TLS + if ( DNX509PeerNormalizeCertMap == NULL ) { + DNX509PeerNormalizeCertMap = fn; + return 0; + } +#endif + + return -1; +} + +/* + * Convert an X.509 DN into a normalized LDAP DN + */ +int +dnX509normalize( void *x509_name, struct berval *out ) +{ + /* Invoke the LDAP library's converter with our schema-rewriter */ + int rc = ldap_X509dn2bv( x509_name, out, LDAPDN_rewrite, 0 ); + + Debug( LDAP_DEBUG_TRACE, + "dnX509Normalize: <%s> (%d)\n", + BER_BVISNULL( out ) ? "(null)" : out->bv_val, rc, 0 ); + + return rc; +} + +#ifdef HAVE_TLS +/* + * Get the TLS session's peer's DN into a normalized LDAP DN + */ +int +dnX509peerNormalize( void *ssl, struct berval *dn ) +{ + int rc = LDAP_INVALID_CREDENTIALS; + + if ( DNX509PeerNormalizeCertMap != NULL ) + rc = (*DNX509PeerNormalizeCertMap)( ssl, dn ); + + if ( rc != LDAP_SUCCESS ) { + rc = ldap_pvt_tls_get_peer_dn( ssl, dn, + (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 ); + } + + return rc; +} +#endif |