← Back to branch summary

~ttx/openldap/lucid-gssapi-495418

« back to all changes in this revision

Viewing changes to servers/slapd/schema_init.c

  • Committer: Bazaar Package Importer
  • Author(s): Mathias Gug
  • Date: 2009-09-07 13:41:10 UTC
  • mfrom: (1.1.5 upstream)
  • Revision ID: james.westby@ubuntu.com-20090907134110-rsnlhy8b0r21p9bg
Tags: 2.4.18-0ubuntu1
https://launchpad.net/bugs/419515
https://launchpad.net/bugs/417163
* New upstream release: (LP: #419515):
  + pcache overlay supports disconnected mode.
* Fix nss overlay load (LP: #417163).

Show diffs side-by-side

added added

removed removed

Lines of Context:
servers/slapd/schema_init.c
1
1
/* schema_init.c - init builtin schema */
2
 
/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.33 2009/05/08 00:27:00 quanah Exp $ */
 
2
/* $OpenLDAP: pkg/ldap/servers/slapd/schema_init.c,v 1.386.2.36 2009/08/13 00:35:54 quanah Exp $ */
3
3
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4
4
 *
5
5
 * Copyright 1998-2009 The OpenLDAP Foundation.
274
274
 
275
275
/* X.509 certificate list validation */
276
276
static int
 
277
checkTime( struct berval *in, struct berval *out );
 
278
 
 
279
static int
277
280
certificateListValidate( Syntax *syntax, struct berval *in )
278
281
{
279
282
        BerElementBuffer berbuf;
280
283
        BerElement *ber = (BerElement *)&berbuf;
281
284
        ber_tag_t tag;
282
 
        ber_len_t len;
 
285
        ber_len_t len, wrapper_len;
 
286
        char *wrapper_start;
 
287
        int wrapper_ok = 0;
283
288
        ber_int_t version = SLAP_X509_V1;
 
289
        struct berval bvdn, bvtu;
284
290
 
285
291
        ber_init2( ber, in, LBER_USE_DER );
286
 
        tag = ber_skip_tag( ber, &len );        /* Signed wrapper */
 
292
        tag = ber_skip_tag( ber, &wrapper_len );        /* Signed wrapper */
287
293
        if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 
294
        wrapper_start = ber->ber_ptr;
288
295
        tag = ber_skip_tag( ber, &len );        /* Sequence */
289
296
        if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
290
297
        tag = ber_peek_tag( ber, &len );
297
304
        tag = ber_skip_tag( ber, &len );        /* Signature Algorithm */
298
305
        if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
299
306
        ber_skip_data( ber, len );
300
 
        tag = ber_skip_tag( ber, &len );        /* Issuer DN */
 
307
        tag = ber_peek_tag( ber, &len );        /* Issuer DN */
301
308
        if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 
309
        len = ber_ptrlen( ber );
 
310
        bvdn.bv_val = in->bv_val + len;
 
311
        bvdn.bv_len = in->bv_len - len;
 
312
        tag = ber_skip_tag( ber, &len );
302
313
        ber_skip_data( ber, len );
303
314
        tag = ber_skip_tag( ber, &len );        /* thisUpdate */
304
315
        /* Time is a CHOICE { UTCTime, GeneralizedTime } */
305
316
        if ( tag != SLAP_TAG_UTCTIME && tag != SLAP_TAG_GENERALIZEDTIME ) return LDAP_INVALID_SYNTAX;
 
317
        bvtu.bv_val = (char *)ber->ber_ptr;
 
318
        bvtu.bv_len = len;
306
319
        ber_skip_data( ber, len );
307
320
        /* Optional nextUpdate */
308
321
        tag = ber_skip_tag( ber, &len );
319
332
                        tag = ber_skip_tag( ber, &len );
320
333
                }
321
334
        }
322
 
        /* Optional Extensions */
 
335
        /* Optional Extensions - Sequence of Sequence */
323
336
        if ( tag == SLAP_X509_OPT_CL_CRLEXTENSIONS ) { /* ? */
 
337
                ber_len_t seqlen;
324
338
                if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
325
 
                tag = ber_skip_tag( ber, &len );
 
339
                tag = ber_peek_tag( ber, &seqlen );
326
340
                if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
327
341
                ber_skip_data( ber, len );
328
342
                tag = ber_skip_tag( ber, &len );
334
348
        /* Signature */
335
349
        if ( tag != LBER_BITSTRING ) return LDAP_INVALID_SYNTAX; 
336
350
        ber_skip_data( ber, len );
 
351
        if ( ber->ber_ptr == wrapper_start + wrapper_len ) wrapper_ok = 1;
337
352
        tag = ber_skip_tag( ber, &len );
338
353
        /* Must be at end now */
339
 
        if ( len || tag != LBER_DEFAULT ) return LDAP_INVALID_SYNTAX;
 
354
        /* NOTE: OpenSSL tolerates CL with garbage past the end */
 
355
        if ( len || tag != LBER_DEFAULT ) {
 
356
                struct berval issuer_dn = BER_BVNULL, thisUpdate;
 
357
                char tubuf[STRLENOF("YYYYmmddHHMMSSZ") + 1];
 
358
                int rc;
 
359
 
 
360
                if ( ! wrapper_ok ) {
 
361
                        return LDAP_INVALID_SYNTAX;
 
362
                }
 
363
 
 
364
                rc = dnX509normalize( &bvdn, &issuer_dn );
 
365
                if ( rc != LDAP_SUCCESS ) {
 
366
                        rc = LDAP_INVALID_SYNTAX;
 
367
                        goto done;
 
368
                }
 
369
 
 
370
                thisUpdate.bv_val = tubuf;
 
371
                thisUpdate.bv_len = sizeof(tubuf); 
 
372
                if ( checkTime( &bvtu, &thisUpdate ) ) {
 
373
                        rc = LDAP_INVALID_SYNTAX;
 
374
                        goto done;
 
375
                }
 
376
 
 
377
                Debug( LDAP_DEBUG_ANY,
 
378
                        "certificateListValidate issuer=\"%s\", thisUpdate=%s: extra cruft past end of certificateList\n",
 
379
                        issuer_dn.bv_val, thisUpdate.bv_val, 0 );
 
380
 
 
381
done:;
 
382
                if ( ! BER_BVISNULL( &issuer_dn ) ) {
 
383
                        ber_memfree( issuer_dn.bv_val );
 
384
                }
 
385
 
 
386
                return rc;
 
387
        }
 
388
 
340
389
        return LDAP_SUCCESS;
341
390
}
342
391
 
388
437
        if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
389
438
        ber_skip_data( ber, len );
390
439
 
391
 
        ber_peek_tag( ber, &len );
 
440
        tag = ber_peek_tag( ber, &len );
392
441
 
393
442
        if ( tag == LBER_BITSTRING ) {  /* issuerUniqueID */
394
443
                tag = ber_skip_tag( ber, &len );
3616
3665
 
3617
3666
        rc = generalizedTimeValidate( NULL, &bv );
3618
3667
        if ( rc == LDAP_SUCCESS && out != NULL ) {
 
3668
                if ( out->bv_len > bv.bv_len ) {
 
3669
                        out->bv_val[ bv.bv_len ] = '\0';
 
3670
                }
3619
3671
                out->bv_len = bv.bv_len;
3620
3672
        }
3621
3673
 
6626
6678
        {"( 1.3.6.1.4.1.4203.666.11.2.3 NAME 'CSNOrderingMatch' "
6627
6679
                "SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 )",
6628
6680
                SLAP_MR_HIDE | SLAP_MR_ORDERING | SLAP_MR_ORDERED_INDEX, NULL,
6629
 
                NULL, NULL, csnOrderingMatch,
 
6681
                NULL, csnNormalize, csnOrderingMatch,
6630
6682
                NULL, NULL,
6631
6683
                "CSNMatch" },
6632
6684