schema_init.c 88.2 KB
Newer Older
1
2
/* schema_init.c - init builtin schema */
/* $OpenLDAP$ */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
3
4
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
Kurt Zeilenga's avatar
Kurt Zeilenga committed
5
 * Copyright 1998-2005 The OpenLDAP Foundation.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
6
7
8
9
10
11
12
13
14
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
15
16
17
18
19
 */

#include "portable.h"

#include <stdio.h>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
20
#include <limits.h>
21
22

#include <ac/ctype.h>
23
#include <ac/errno.h>
24
25
26
27
#include <ac/string.h>
#include <ac/socket.h>

#include "slap.h"
28

29
30
#include "ldap_utf8.h"

31
32
33
34
35
36
37
38
39
40
41
42
#ifdef HAVE_TLS
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#endif

43
#include "lutil.h"
44
45
46
47
48
49
#include "lutil_hash.h"
#define HASH_BYTES				LUTIL_HASH_BYTES
#define HASH_CONTEXT			lutil_HASH_CTX
#define HASH_Init(c)			lutil_HASHInit(c)
#define HASH_Update(c,buf,len)	lutil_HASHUpdate(c,buf,len)
#define HASH_Final(d,c)			lutil_HASHFinal(d,c)
50

Pierangelo Masarati's avatar
Pierangelo Masarati committed
51
52
#define	OpenLDAPaciMatch			NULL

53
54
/* approx matching rules */
#define directoryStringApproxMatchOID	"1.3.6.1.4.1.4203.666.4.4"
55
#define directoryStringApproxMatch		approxMatch
Gary Williams's avatar
Gary Williams committed
56
#define directoryStringApproxIndexer	approxIndexer
57
#define directoryStringApproxFilter		approxFilter
58
#define IA5StringApproxMatchOID			"1.3.6.1.4.1.4203.666.4.5"
Gary Williams's avatar
Gary Williams committed
59
#define IA5StringApproxMatch			approxMatch
60
#define IA5StringApproxIndexer			approxIndexer
Gary Williams's avatar
Gary Williams committed
61
#define IA5StringApproxFilter			approxFilter
62

Howard Chu's avatar
Howard Chu committed
63
64
65
66
67
68
69
/* Change Sequence Number (CSN) - much of this will change */
#define csnValidate				blobValidate
#define csnMatch				octetStringMatch
#define csnOrderingMatch		octetStringOrderingMatch
#define csnIndexer				generalizedTimeIndexer
#define csnFilter				generalizedTimeFilter

70
71
72
73
74
unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
unsigned int index_substr_any_len = SLAP_INDEX_SUBSTR_ANY_LEN_DEFAULT;
unsigned int index_substr_any_step = SLAP_INDEX_SUBSTR_ANY_STEP_DEFAULT;

Kurt Zeilenga's avatar
Kurt Zeilenga committed
75
76
77
78
static int
inValidate(
	Syntax *syntax,
	struct berval *in )
79
{
Kurt Zeilenga's avatar
Kurt Zeilenga committed
80
81
82
	/* no value allowed */
	return LDAP_INVALID_SYNTAX;
}
83

Kurt Zeilenga's avatar
Kurt Zeilenga committed
84
85
86
87
88
89
90
static int
blobValidate(
	Syntax *syntax,
	struct berval *in )
{
	/* any value allowed */
	return LDAP_SUCCESS;
91
}
92

Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
93
94
#define berValidate blobValidate

95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
static int
sequenceValidate(
	Syntax *syntax,
	struct berval *in )
{
	if ( in->bv_len < 2 ) return LDAP_INVALID_SYNTAX;
	if ( in->bv_val[0] != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;

	return LDAP_SUCCESS;
}


#ifdef HAVE_TLS
static int certificateValidate( Syntax *syntax, struct berval *in )
{
	X509 *xcert=NULL;
111
	unsigned char *p = (unsigned char *)in->bv_val;
112
113
114
115
116
117
118
119
120
121
 
	xcert = d2i_X509(NULL, &p, in->bv_len);
	if ( !xcert ) return LDAP_INVALID_SYNTAX;
	X509_free(xcert);
	return LDAP_SUCCESS;
}
#else
#define certificateValidate sequenceValidate
#endif

122
123
124
static int
octetStringMatch(
	int *matchp,
125
	slap_mask_t flags,
126
127
128
129
130
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *value,
	void *assertedValue )
{
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
131
132
	struct berval *asserted = (struct berval *) assertedValue;
	int match = value->bv_len - asserted->bv_len;
133
134

	if( match == 0 ) {
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
135
		match = memcmp( value->bv_val, asserted->bv_val, value->bv_len );
136
137
138
139
140
141
	}

	*matchp = match;
	return LDAP_SUCCESS;
}

142
143
144
145
146
147
148
149
150
static int
octetStringOrderingMatch(
	int *matchp,
	slap_mask_t flags,
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *value,
	void *assertedValue )
{
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
151
	struct berval *asserted = (struct berval *) assertedValue;
152
	ber_len_t v_len  = value->bv_len;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
153
	ber_len_t av_len = asserted->bv_len;
154

Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
155
	int match = memcmp( value->bv_val, asserted->bv_val,
156
		(v_len < av_len ? v_len : av_len) );
157
158
159

	if( match == 0 ) match = v_len - av_len;

160
161
162
163
	*matchp = match;
	return LDAP_SUCCESS;
}

164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
hashDigestify(
	HASH_CONTEXT *HASHcontext,
	unsigned char *HASHdigest,
	struct berval *prefix,
	char pre,
	Syntax *syntax,
	MatchingRule *mr,
	unsigned char *value,
	int value_len)
{
	HASH_Init(HASHcontext);
	if(prefix && prefix->bv_len > 0) {
		HASH_Update(HASHcontext,
			(unsigned char *)prefix->bv_val, prefix->bv_len);
	}
	if(pre) HASH_Update(HASHcontext, (unsigned char*)&pre, sizeof(pre));
	HASH_Update(HASHcontext, (unsigned char*)syntax->ssyn_oid, syntax->ssyn_oidlen);
	HASH_Update(HASHcontext, (unsigned char*)mr->smr_oid, mr->smr_oidlen);
	HASH_Update(HASHcontext, value, value_len);
	HASH_Final(HASHdigest, HASHcontext);
	return;
}

187
/* Index generation function */
188
int octetStringIndexer(
189
190
	slap_mask_t use,
	slap_mask_t flags,
191
192
193
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *prefix,
194
	BerVarray values,
Howard Chu's avatar
Howard Chu committed
195
196
	BerVarray *keysp,
	void *ctx )
197
198
199
{
	int i;
	size_t slen, mlen;
200
	BerVarray keys;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
201
202
	HASH_CONTEXT HASHcontext;
	unsigned char HASHdigest[HASH_BYTES];
203
	struct berval digest;
204
	digest.bv_val = (char *)HASHdigest;
205
	digest.bv_len = sizeof(HASHdigest);
206

207
	for( i=0; values[i].bv_val != NULL; i++ ) {
208
209
210
		/* just count them */
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
211
212
213
	/* we should have at least one value at this point */
	assert( i > 0 );

214
	keys = slap_sl_malloc( sizeof( struct berval ) * (i+1), ctx );
215

216
217
	slen = syntax->ssyn_oidlen;
	mlen = mr->smr_oidlen;
218

219
	for( i=0; values[i].bv_val != NULL; i++ ) {
220
221
		hashDigestify( &HASHcontext, HASHdigest, prefix, 0,
			syntax, mr, (unsigned char *)values[i].bv_val, values[i].bv_len );
Howard Chu's avatar
Howard Chu committed
222
		ber_dupbv_x( &keys[i], &digest, ctx );
223
224
	}

225
	keys[i].bv_val = NULL;
226
	keys[i].bv_len = 0;
227
228
229
230
231
232
233

	*keysp = keys;

	return LDAP_SUCCESS;
}

/* Index generation function */
234
int octetStringFilter(
235
236
	slap_mask_t use,
	slap_mask_t flags,
237
238
239
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *prefix,
240
	void * assertedValue,
Howard Chu's avatar
Howard Chu committed
241
242
	BerVarray *keysp,
	void *ctx )
243
244
{
	size_t slen, mlen;
245
	BerVarray keys;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
246
247
	HASH_CONTEXT HASHcontext;
	unsigned char HASHdigest[HASH_BYTES];
248
	struct berval *value = (struct berval *) assertedValue;
249
	struct berval digest;
250
	digest.bv_val = (char *)HASHdigest;
251
	digest.bv_len = sizeof(HASHdigest);
252

253
254
	slen = syntax->ssyn_oidlen;
	mlen = mr->smr_oidlen;
255

256
	keys = slap_sl_malloc( sizeof( struct berval ) * 2, ctx );
257

258
259
	hashDigestify( &HASHcontext, HASHdigest, prefix, 0,
		syntax, mr, (unsigned char *)value->bv_val, value->bv_len );
260

Howard Chu's avatar
Howard Chu committed
261
	ber_dupbv_x( keys, &digest, ctx );
262
	keys[1].bv_val = NULL;
263
	keys[1].bv_len = 0;
264
265
266
267
268

	*keysp = keys;

	return LDAP_SUCCESS;
}
269

270
static int
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
271
octetStringSubstringsMatch(
Kurt Zeilenga's avatar
Kurt Zeilenga committed
272
273
	int *matchp,
	slap_mask_t flags,
274
	Syntax *syntax,
Kurt Zeilenga's avatar
Kurt Zeilenga committed
275
276
277
	MatchingRule *mr,
	struct berval *value,
	void *assertedValue )
278
{
Kurt Zeilenga's avatar
Kurt Zeilenga committed
279
280
281
282
	int match = 0;
	SubstringsAssertion *sub = assertedValue;
	struct berval left = *value;
	int i;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
283
	ber_len_t inlen = 0;
284

Kurt Zeilenga's avatar
Kurt Zeilenga committed
285
286
287
	/* Add up asserted input length */
	if( sub->sa_initial.bv_val ) {
		inlen += sub->sa_initial.bv_len;
288
	}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
289
290
291
292
293
294
295
	if( sub->sa_any ) {
		for(i=0; sub->sa_any[i].bv_val != NULL; i++) {
			inlen += sub->sa_any[i].bv_len;
		}
	}
	if( sub->sa_final.bv_val ) {
		inlen += sub->sa_final.bv_len;
296
297
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
298
299
300
301
	if( sub->sa_initial.bv_val ) {
		if( inlen > left.bv_len ) {
			match = 1;
			goto done;
302
303
		}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
304
305
		match = memcmp( sub->sa_initial.bv_val, left.bv_val,
			sub->sa_initial.bv_len );
306

Kurt Zeilenga's avatar
Kurt Zeilenga committed
307
308
309
		if( match != 0 ) {
			goto done;
		}
310

Kurt Zeilenga's avatar
Kurt Zeilenga committed
311
312
313
314
		left.bv_val += sub->sa_initial.bv_len;
		left.bv_len -= sub->sa_initial.bv_len;
		inlen -= sub->sa_initial.bv_len;
	}
315

Kurt Zeilenga's avatar
Kurt Zeilenga committed
316
317
318
319
320
	if( sub->sa_final.bv_val ) {
		if( inlen > left.bv_len ) {
			match = 1;
			goto done;
		}
321

Kurt Zeilenga's avatar
Kurt Zeilenga committed
322
323
324
		match = memcmp( sub->sa_final.bv_val,
			&left.bv_val[left.bv_len - sub->sa_final.bv_len],
			sub->sa_final.bv_len );
325

Kurt Zeilenga's avatar
Kurt Zeilenga committed
326
327
		if( match != 0 ) {
			goto done;
328
329
		}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
330
331
		left.bv_len -= sub->sa_final.bv_len;
		inlen -= sub->sa_final.bv_len;
332
333
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
334
335
336
337
	if( sub->sa_any ) {
		for(i=0; sub->sa_any[i].bv_val; i++) {
			ber_len_t idx;
			char *p;
338

Kurt Zeilenga's avatar
Kurt Zeilenga committed
339
340
341
342
343
344
retry:
			if( inlen > left.bv_len ) {
				/* not enough length */
				match = 1;
				goto done;
			}
345

Kurt Zeilenga's avatar
Kurt Zeilenga committed
346
347
348
			if( sub->sa_any[i].bv_len == 0 ) {
				continue;
			}
349

Kurt Zeilenga's avatar
Kurt Zeilenga committed
350
			p = memchr( left.bv_val, *sub->sa_any[i].bv_val, left.bv_len );
351

Kurt Zeilenga's avatar
Kurt Zeilenga committed
352
353
354
			if( p == NULL ) {
				match = 1;
				goto done;
355
356
			}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
357
			idx = p - left.bv_val;
358

Kurt Zeilenga's avatar
Kurt Zeilenga committed
359
360
361
362
			if( idx >= left.bv_len ) {
				/* this shouldn't happen */
				return LDAP_OTHER;
			}
363

Kurt Zeilenga's avatar
Kurt Zeilenga committed
364
365
			left.bv_val = p;
			left.bv_len -= idx;
366

Kurt Zeilenga's avatar
Kurt Zeilenga committed
367
368
369
370
371
			if( sub->sa_any[i].bv_len > left.bv_len ) {
				/* not enough left */
				match = 1;
				goto done;
			}
372

Kurt Zeilenga's avatar
Kurt Zeilenga committed
373
374
375
			match = memcmp( left.bv_val,
				sub->sa_any[i].bv_val,
				sub->sa_any[i].bv_len );
376

Kurt Zeilenga's avatar
Kurt Zeilenga committed
377
378
379
380
381
			if( match != 0 ) {
				left.bv_val++;
				left.bv_len--;
				goto retry;
			}
382

Kurt Zeilenga's avatar
Kurt Zeilenga committed
383
384
385
			left.bv_val += sub->sa_any[i].bv_len;
			left.bv_len -= sub->sa_any[i].bv_len;
			inlen -= sub->sa_any[i].bv_len;
386
387
388
		}
	}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
389
390
done:
	*matchp = match;
391
392
393
	return LDAP_SUCCESS;
}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
394
395
/* Substrings Index generation function */
static int
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
396
octetStringSubstringsIndexer(
Kurt Zeilenga's avatar
Kurt Zeilenga committed
397
398
399
400
401
402
	slap_mask_t use,
	slap_mask_t flags,
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *prefix,
	BerVarray values,
Howard Chu's avatar
Howard Chu committed
403
404
	BerVarray *keysp,
	void *ctx )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
405
{
406
	ber_len_t i, j, len, nkeys;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
407
408
409
	size_t slen, mlen;
	BerVarray keys;

Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
410
411
	HASH_CONTEXT HASHcontext;
	unsigned char HASHdigest[HASH_BYTES];
Kurt Zeilenga's avatar
Kurt Zeilenga committed
412
	struct berval digest;
413
	digest.bv_val = (char *)HASHdigest;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
414
415
416
417
418
419
420
	digest.bv_len = sizeof(HASHdigest);

	nkeys=0;

	for( i=0; values[i].bv_val != NULL; i++ ) {
		/* count number of indices to generate */
		if( flags & SLAP_INDEX_SUBSTR_INITIAL ) {
421
422
423
424
425
			if( values[i].bv_len >= index_substr_if_maxlen ) {
				nkeys += index_substr_if_maxlen -
					(index_substr_if_minlen - 1);
			} else if( values[i].bv_len >= index_substr_if_minlen ) {
				nkeys += values[i].bv_len - (index_substr_if_minlen - 1);
Kurt Zeilenga's avatar
Kurt Zeilenga committed
426
427
428
429
			}
		}

		if( flags & SLAP_INDEX_SUBSTR_ANY ) {
430
431
			if( values[i].bv_len >= index_substr_any_len ) {
				nkeys += values[i].bv_len - (index_substr_any_len - 1);
Kurt Zeilenga's avatar
Kurt Zeilenga committed
432
433
434
435
			}
		}

		if( flags & SLAP_INDEX_SUBSTR_FINAL ) {
436
437
438
439
440
			if( values[i].bv_len >= index_substr_if_maxlen ) {
				nkeys += index_substr_if_maxlen -
					(index_substr_if_minlen - 1);
			} else if( values[i].bv_len >= index_substr_if_minlen ) {
				nkeys += values[i].bv_len - (index_substr_if_minlen - 1);
Kurt Zeilenga's avatar
Kurt Zeilenga committed
441
442
443
444
445
446
447
448
449
450
			}
		}
	}

	if( nkeys == 0 ) {
		/* no keys to generate */
		*keysp = NULL;
		return LDAP_SUCCESS;
	}

451
	keys = slap_sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
452
453
454
455
456
457
458
459
460

	slen = syntax->ssyn_oidlen;
	mlen = mr->smr_oidlen;

	nkeys=0;
	for( i=0; values[i].bv_val != NULL; i++ ) {
		ber_len_t j,max;

		if( ( flags & SLAP_INDEX_SUBSTR_ANY ) &&
461
			( values[i].bv_len >= index_substr_any_len ) )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
462
463
		{
			char pre = SLAP_INDEX_SUBSTR_PREFIX;
464
			max = values[i].bv_len - (index_substr_any_len - 1);
Kurt Zeilenga's avatar
Kurt Zeilenga committed
465
466

			for( j=0; j<max; j++ ) {
467
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
468
					syntax, mr, (unsigned char *)&values[i].bv_val[j], index_substr_any_len);
Howard Chu's avatar
Howard Chu committed
469
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
470
471
472
			}
		}

473
		/* skip if too short */ 
474
		if( values[i].bv_len < index_substr_if_minlen ) continue;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
475

476
477
		max = index_substr_if_maxlen < values[i].bv_len
			? index_substr_if_maxlen : values[i].bv_len;
478

479
		for( j=index_substr_if_minlen; j<=max; j++ ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
480
481
482
483
			char pre;

			if( flags & SLAP_INDEX_SUBSTR_INITIAL ) {
				pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX;
484
485
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
					syntax, mr, (unsigned char *)values[i].bv_val, j );
Howard Chu's avatar
Howard Chu committed
486
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
487
488
489
490
			}

			if( flags & SLAP_INDEX_SUBSTR_FINAL ) {
				pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX;
491
492
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
					syntax, mr, (unsigned char *)&values[i].bv_val[values[i].bv_len-j], j );
Howard Chu's avatar
Howard Chu committed
493
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
			}

		}
	}

	if( nkeys > 0 ) {
		keys[nkeys].bv_val = NULL;
		*keysp = keys;
	} else {
		ch_free( keys );
		*keysp = NULL;
	}

	return LDAP_SUCCESS;
}

static int
octetStringSubstringsFilter (
	slap_mask_t use,
	slap_mask_t flags,
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *prefix,
	void * assertedValue,
Howard Chu's avatar
Howard Chu committed
518
519
	BerVarray *keysp,
	void *ctx)
Kurt Zeilenga's avatar
Kurt Zeilenga committed
520
521
522
{
	SubstringsAssertion *sa;
	char pre;
523
	ber_len_t len, max, nkeys = 0;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
524
525
	size_t slen, mlen, klen;
	BerVarray keys;
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
526
527
	HASH_CONTEXT HASHcontext;
	unsigned char HASHdigest[HASH_BYTES];
Kurt Zeilenga's avatar
Kurt Zeilenga committed
528
529
530
531
532
	struct berval *value;
	struct berval digest;

	sa = (SubstringsAssertion *) assertedValue;

533
534
	if( flags & SLAP_INDEX_SUBSTR_INITIAL &&
		sa->sa_initial.bv_val != NULL &&
535
		sa->sa_initial.bv_len >= index_substr_if_minlen )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
536
537
	{
		nkeys++;
538
		if ( sa->sa_initial.bv_len > index_substr_if_maxlen &&
539
540
			( flags & SLAP_INDEX_SUBSTR_ANY ))
		{
541
			nkeys += (sa->sa_initial.bv_len - index_substr_if_maxlen) / index_substr_any_step;
542
		}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
543
544
545
546
547
	}

	if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) {
		ber_len_t i;
		for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) {
548
			if( sa->sa_any[i].bv_len >= index_substr_any_len ) {
549
				/* don't bother accounting with stepping */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
550
				nkeys += sa->sa_any[i].bv_len -
551
					( index_substr_any_len - 1 );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
552
553
554
555
			}
		}
	}

556
557
	if( flags & SLAP_INDEX_SUBSTR_FINAL &&
		sa->sa_final.bv_val != NULL &&
558
		sa->sa_final.bv_len >= index_substr_if_minlen )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
559
560
	{
		nkeys++;
561
		if ( sa->sa_final.bv_len > index_substr_if_maxlen &&
562
563
			( flags & SLAP_INDEX_SUBSTR_ANY ))
		{
564
			nkeys += (sa->sa_final.bv_len - index_substr_if_maxlen) / index_substr_any_step;
565
		}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
566
567
568
569
570
571
572
	}

	if( nkeys == 0 ) {
		*keysp = NULL;
		return LDAP_SUCCESS;
	}

573
	digest.bv_val = (char *)HASHdigest;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
574
575
576
577
578
	digest.bv_len = sizeof(HASHdigest);

	slen = syntax->ssyn_oidlen;
	mlen = mr->smr_oidlen;

579
	keys = slap_sl_malloc( sizeof( struct berval ) * (nkeys+1), ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
580
581
	nkeys = 0;

582
583
	if( flags & SLAP_INDEX_SUBSTR_INITIAL &&
		sa->sa_initial.bv_val != NULL &&
584
		sa->sa_initial.bv_len >= index_substr_if_minlen )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
585
586
587
588
	{
		pre = SLAP_INDEX_SUBSTR_INITIAL_PREFIX;
		value = &sa->sa_initial;

589
590
		klen = index_substr_if_maxlen < value->bv_len
			? index_substr_if_maxlen : value->bv_len;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
591

592
593
		hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
			syntax, mr, (unsigned char *)value->bv_val, klen );
Howard Chu's avatar
Howard Chu committed
594
		ber_dupbv_x( &keys[nkeys++], &digest, ctx );
595
596
597
598

		/* If initial is too long and we have subany indexed, use it
		 * to match the excess...
		 */
599
		if (value->bv_len > index_substr_if_maxlen && (flags & SLAP_INDEX_SUBSTR_ANY))
600
601
602
		{
			ber_len_t j;
			pre = SLAP_INDEX_SUBSTR_PREFIX;
603
			for ( j=index_substr_if_maxlen-1; j <= value->bv_len - index_substr_any_len; j+=index_substr_any_step )
604
605
			{
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
606
					syntax, mr, (unsigned char *)&value->bv_val[j], index_substr_any_len );
607
608
609
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
			}
		}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
610
611
612
613
614
	}

	if( flags & SLAP_INDEX_SUBSTR_ANY && sa->sa_any != NULL ) {
		ber_len_t i, j;
		pre = SLAP_INDEX_SUBSTR_PREFIX;
615
		klen = index_substr_any_len;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
616
617

		for( i=0; sa->sa_any[i].bv_val != NULL; i++ ) {
618
			if( sa->sa_any[i].bv_len < index_substr_any_len ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
619
620
621
622
623
624
				continue;
			}

			value = &sa->sa_any[i];

			for(j=0;
625
626
				j <= value->bv_len - index_substr_any_len;
				j += index_substr_any_step )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
627
			{
628
629
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
					syntax, mr, (unsigned char *)&value->bv_val[j], klen ); 
Howard Chu's avatar
Howard Chu committed
630
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
631
632
633
634
			}
		}
	}

635
636
	if( flags & SLAP_INDEX_SUBSTR_FINAL &&
		sa->sa_final.bv_val != NULL &&
637
		sa->sa_final.bv_len >= index_substr_if_minlen )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
638
639
640
641
	{
		pre = SLAP_INDEX_SUBSTR_FINAL_PREFIX;
		value = &sa->sa_final;

642
643
		klen = index_substr_if_maxlen < value->bv_len
			? index_substr_if_maxlen : value->bv_len;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
644

645
646
		hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
			syntax, mr, (unsigned char *)&value->bv_val[value->bv_len-klen], klen );
Howard Chu's avatar
Howard Chu committed
647
		ber_dupbv_x( &keys[nkeys++], &digest, ctx );
648
649
650
651

		/* If final is too long and we have subany indexed, use it
		 * to match the excess...
		 */
652
		if (value->bv_len > index_substr_if_maxlen && (flags & SLAP_INDEX_SUBSTR_ANY))
653
654
655
		{
			ber_len_t j;
			pre = SLAP_INDEX_SUBSTR_PREFIX;
656
			for ( j=0; j <= value->bv_len - index_substr_if_maxlen; j+=index_substr_any_step )
657
658
			{
				hashDigestify( &HASHcontext, HASHdigest, prefix, pre,
659
					syntax, mr, (unsigned char *)&value->bv_val[j], index_substr_any_len );
660
661
662
				ber_dupbv_x( &keys[nkeys++], &digest, ctx );
			}
		}
Kurt Zeilenga's avatar
Kurt Zeilenga committed
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
	}

	if( nkeys > 0 ) {
		keys[nkeys].bv_val = NULL;
		*keysp = keys;
	} else {
		ch_free( keys );
		*keysp = NULL;
	}

	return LDAP_SUCCESS;
}

static int
bitStringValidate(
	Syntax *syntax,
	struct berval *in )
{
	ber_len_t i;

	/* very unforgiving validation, requires no normalization
	 * before simplistic matching
	 */
	if( in->bv_len < 3 ) {
		return LDAP_INVALID_SYNTAX;
	}

	/*
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
691
692
693
	 * RFC 2252 section 6.3 Bit String
	 *	bitstring = "'" *binary-digit "'B"
	 *	binary-digit = "0" / "1"
Kurt Zeilenga's avatar
Kurt Zeilenga committed
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
	 * example: '0101111101'B
	 */
	
	if( in->bv_val[0] != '\'' ||
		in->bv_val[in->bv_len-2] != '\'' ||
		in->bv_val[in->bv_len-1] != 'B' )
	{
		return LDAP_INVALID_SYNTAX;
	}

	for( i=in->bv_len-3; i>0; i-- ) {
		if( in->bv_val[i] != '0' && in->bv_val[i] != '1' ) {
			return LDAP_INVALID_SYNTAX;
		}
	}

	return LDAP_SUCCESS;
}

713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
/*
 * Syntax is [RFC2252]:
 *

6.3. Bit String

   ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )

   Values in this syntax are encoded according to the following BNF:

      bitstring = "'" *binary-digit "'B"

      binary-digit = "0" / "1"

   ... 

6.21. Name And Optional UID

   ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )

   Values in this syntax are encoded according to the following BNF:

      NameAndOptionalUID = DistinguishedName [ "#" bitstring ]

   Although the '#' character may occur in a string representation of a
   distinguished name, no additional special quoting is done.  This
   syntax has been added subsequent to RFC 1778.

   Example:

      1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B

 *
 * draft-ietf-ldapbis-syntaxes-xx.txt says:
 *

3.3.2.  Bit String

   A value of the Bit String syntax is a sequence of binary digits.  The
   LDAP-specific encoding of a value of this syntax is defined by the
   following ABNF:

      BitString    = SQUOTE *binary-digit SQUOTE "B"

      binary-digit = "0" / "1"

   The <SQUOTE> rule is defined in [MODELS].

      Example:
         '0101111101'B

   The LDAP definition for the Bit String syntax is:

      ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )

   This syntax corresponds to the BIT STRING ASN.1 type from [ASN.1].

   ...

3.3.21.  Name and Optional UID

   A value of the Name and Optional UID syntax is the distinguished name
   [MODELS] of an entity optionally accompanied by a unique identifier
   that serves to differentiate the entity from others with an identical
   distinguished name.

   The LDAP-specific encoding of a value of this syntax is defined by
   the following ABNF:

       NameAndOptionalUID = distinguishedName [ SHARP BitString ]

   The <BitString> rule is defined in Section 3.3.2.  The
   <distinguishedName> rule is defined in [LDAPDN].  The <SHARP> rule is
   defined in [MODELS].

   Note that although the '#' character may occur in the string
   representation of a distinguished name, no additional escaping of
   this character is performed when a <distinguishedName> is encoded in
   a <NameAndOptionalUID>.

      Example:
         1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB#'0101'B

   The LDAP definition for the Name and Optional UID syntax is:

      ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )

   This syntax corresponds to the NameAndOptionalUID ASN.1 type from
   [X.520].

 *
 * draft-ietf-ldapbis-models-xx.txt [MODELS] says:
 *

1.4. Common ABNF Productions

  ...
      SHARP   = %x23 ; octothorpe (or sharp sign) ("#")
  ...
      SQUOTE  = %x27 ; single quote ("'")
  ...
      
 *
 * Note: normalization strips any leading "0"s, unless the
 * bit string is exactly "'0'B", so the normalized example,
 * in slapd, would result in
 * 
 * 1.3.6.1.4.1.1466.0=#04024869,o=test,c=gb#'101'B
 * 
 * Since draft-ietf-ldapbis-dn-xx.txt clarifies that SHARP,
 * i.e. "#", doesn't have to be escaped except when at the
 * beginning of a value, the definition of Name and Optional
 * UID appears to be flawed, because there is no clear means
 * to determine whether the UID part is present or not.
 *
 * Example:
 *
 * 	cn=Someone,dc=example,dc=com#'1'B
 *
 * could be either a NameAndOptionalUID with trailing UID, i.e.
 *
 * 	DN = "cn=Someone,dc=example,dc=com"
 * 	UID = "'1'B"
 * 
 * or a NameAndOptionalUID with no trailing UID, and the AVA
 * in the last RDN made of
 *
 * 	attributeType = dc 
 * 	attributeValue = com#'1'B
 *
 * in fact "com#'1'B" is a valid IA5 string.
 *
 * As a consequence, current slapd code assumes that the
 * presence of portions of a BitString at the end of the string 
 * representation of a NameAndOptionalUID means a BitString
 * is expected, and cause an error otherwise.  This is quite
 * arbitrary, and might change in the future.
 */


Kurt Zeilenga's avatar
Kurt Zeilenga committed
853
854
855
856
857
858
static int
nameUIDValidate(
	Syntax *syntax,
	struct berval *in )
{
	int rc;
859
	struct berval dn, uid;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
860
861
862
863
864
865

	if( in->bv_len == 0 ) return LDAP_SUCCESS;

	ber_dupbv( &dn, in );
	if( !dn.bv_val ) return LDAP_OTHER;

866
867
868
869
870
871
872
873
874
875
876
877
	/* if there's a "#", try bitStringValidate()... */
	uid.bv_val = strrchr( dn.bv_val, '#' );
	if ( uid.bv_val ) {
		uid.bv_val++;
		uid.bv_len = dn.bv_len - ( uid.bv_val - dn.bv_val );

		rc = bitStringValidate( NULL, &uid );
		if ( rc == LDAP_SUCCESS ) {
			/* in case of success, trim the UID,
			 * otherwise treat it as part of the DN */
			dn.bv_len -= uid.bv_len + 1;
			uid.bv_val[-1] = '\0';
Kurt Zeilenga's avatar
Kurt Zeilenga committed
878
879
880
881
882
883
884
885
886
		}
	}

	rc = dnValidate( NULL, &dn );

	ber_memfree( dn.bv_val );
	return rc;
}

887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
int
nameUIDPretty(
	Syntax *syntax,
	struct berval *val,
	struct berval *out,
	void *ctx )
{
	assert( val );
	assert( out );


	Debug( LDAP_DEBUG_TRACE, ">>> nameUIDPretty: <%s>\n", val->bv_val, 0, 0 );

	if( val->bv_len == 0 ) {
		ber_dupbv_x( out, val, ctx );

	} else if ( val->bv_len > SLAP_LDAPDN_MAXLEN ) {
		return LDAP_INVALID_SYNTAX;

	} else {
907
908
909
		int		rc;
		struct berval	dnval = *val;
		struct berval	uidval = BER_BVNULL;
910

911
912
913
914
		uidval.bv_val = strrchr( val->bv_val, '#' );
		if ( uidval.bv_val ) {
			uidval.bv_val++;
			uidval.bv_len = val->bv_len - ( uidval.bv_val - val->bv_val );
915

916
			rc = bitStringValidate( NULL, &uidval );
917

918
919
920
921
			if ( rc == LDAP_SUCCESS ) {
				ber_dupbv_x( &dnval, val, ctx );
				dnval.bv_len -= uidval.bv_len + 1;
				dnval.bv_val[dnval.bv_len] = '\0';
922

923
924
925
			} else {
				uidval.bv_val = NULL;
			}
926
927
928
		}

		rc = dnPretty( syntax, &dnval, out, ctx );
929
930
931
932
933
934
		if ( dnval.bv_val != val->bv_val ) {
			slap_sl_free( dnval.bv_val, ctx );
		}
		if( rc != LDAP_SUCCESS ) {
			return rc;
		}
935
936

		if( uidval.bv_val ) {
937
938
939
			int	i, c, got1;
			char	*tmp;

940
941
			tmp = slap_sl_realloc( out->bv_val, out->bv_len 
				+ STRLENOF( "#" ) + uidval.bv_len + 1,
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
942
				ctx );
943
944
945
946
			if( tmp == NULL ) {
				ber_memfree_x( out->bv_val, ctx );
				return LDAP_OTHER;
			}
947
			out->bv_val = tmp;
948
			out->bv_val[out->bv_len++] = '#';
949
			out->bv_val[out->bv_len++] = '\'';
950
951

			got1 = uidval.bv_len < sizeof("'0'B"); 
952
			for( i = 1; i < uidval.bv_len - 2; i++ ) {
953
954
955
956
957
958
959
960
				c = uidval.bv_val[i];
				switch(c) {
					case '0':
						if( got1 ) out->bv_val[out->bv_len++] = c;
						break;
					case '1':
						got1 = 1;
						out->bv_val[out->bv_len++] = c;
961
						break;
962
963
964
				}
			}

965
966
			out->bv_val[out->bv_len++] = '\'';
			out->bv_val[out->bv_len++] = 'B';
967
968
969
970
971
972
973
974
975
			out->bv_val[out->bv_len] = '\0';
		}
	}

	Debug( LDAP_DEBUG_TRACE, "<<< nameUIDPretty: <%s>\n", out->bv_val, 0, 0 );

	return LDAP_SUCCESS;
}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
976
977
978
979
980
981
static int
uniqueMemberNormalize(
	slap_mask_t usage,
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *val,
Howard Chu's avatar
Howard Chu committed
982
983
	struct berval *normalized,
	void *ctx )
Kurt Zeilenga's avatar
Kurt Zeilenga committed
984
985
986
987
{
	struct berval out;
	int rc;

988
989
	assert( SLAP_MR_IS_VALUE_OF_SYNTAX( usage ));

Pierangelo Masarati's avatar
Pierangelo Masarati committed
990
991
	ber_dupbv_x( &out, val, ctx );
	if ( BER_BVISEMPTY( &out ) ) {
992
993
994
		*normalized = out;

	} else {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
995
		struct berval uid = BER_BVNULL;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
996

997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
		uid.bv_val = strrchr( out.bv_val, '#' );
		if ( uid.bv_val ) {
			uid.bv_val++;
			uid.bv_len = out.bv_len - ( uid.bv_val - out.bv_val );

			rc = bitStringValidate( NULL, &uid );
			if ( rc == LDAP_SUCCESS ) {
				uid.bv_val[-1] = '\0';
				out.bv_len -= uid.bv_len + 1;
			} else {
				uid.bv_val = NULL;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1008
1009
1010
			}
		}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
1011
		rc = dnNormalize( 0, NULL, NULL, &out, normalized, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1012
1013

		if( rc != LDAP_SUCCESS ) {
Pierangelo Masarati's avatar
Pierangelo Masarati committed
1014
			slap_sl_free( out.bv_val, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1015
1016
1017
			return LDAP_INVALID_SYNTAX;
		}

1018
1019
1020
1021
		if( uid.bv_val ) {
			char	*tmp;

			tmp = ch_realloc( normalized->bv_val,
1022
1023
				normalized->bv_len + uid.bv_len
				+ STRLENOF("#") + 1 );
1024
1025
1026
1027
1028
1029
			if ( tmp == NULL ) {
				ber_memfree_x( normalized->bv_val, ctx );
				return LDAP_OTHER;
			}

			normalized->bv_val = tmp;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042

			/* insert the separator */
			normalized->bv_val[normalized->bv_len++] = '#';

			/* append the UID */
			AC_MEMCPY( &normalized->bv_val[normalized->bv_len],
				uid.bv_val, uid.bv_len );
			normalized->bv_len += uid.bv_len;

			/* terminate */
			normalized->bv_val[normalized->bv_len] = '\0';
		}

Pierangelo Masarati's avatar
Pierangelo Masarati committed
1043
		slap_sl_free( out.bv_val, ctx );
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1044
1045
1046
1047
1048
	}

	return LDAP_SUCCESS;
}

1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
static int
uniqueMemberMatch(
	int *matchp,
	slap_mask_t flags,
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *value,
	void *assertedValue )
{
	int match;
	struct berval *asserted = (struct berval *) assertedValue;
1060
	struct berval assertedDN = *asserted;
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1061
1062
1063
	struct berval assertedUID = BER_BVNULL;
	struct berval valueDN = BER_BVNULL;
	struct berval valueUID = BER_BVNULL;
1064

1065
	if ( !BER_BVISEMPTY( asserted ) ) {
1066
1067
1068
1069
1070
		assertedUID.bv_val = strrchr( assertedDN.bv_val, '#' );
		if ( !BER_BVISNULL( &assertedUID ) ) {
			assertedUID.bv_val++;
			assertedUID.bv_len = assertedDN.bv_len
				- ( assertedUID.bv_val - assertedDN.bv_val );
1071

1072
1073
			if ( bitStringValidate( NULL, &assertedUID ) == LDAP_SUCCESS ) {
				assertedDN.bv_len -= assertedUID.bv_len + 1;
1074

1075
1076
1077
			} else {
				BER_BVZERO( &assertedUID );
			}
1078
1079
1080
		}
	}

1081
	if ( !BER_BVISEMPTY( value ) ) {
1082
1083
		valueDN = *value;

1084
1085
1086
1087
1088
		valueUID.bv_val = strrchr( valueDN.bv_val, '#' );
		if ( !BER_BVISNULL( &valueUID ) ) {
			valueUID.bv_val++;
			valueUID.bv_len = valueDN.bv_len
				- ( valueUID.bv_val - valueDN.bv_val );
1089

1090
1091
			if ( bitStringValidate( NULL, &valueUID ) == LDAP_SUCCESS ) {
				valueDN.bv_len -= valueUID.bv_len + 1;
1092

1093
1094
1095
			} else {
				BER_BVZERO( &valueUID );
			}
1096
1097
1098
1099
		}
	}

	if( valueUID.bv_len && assertedUID.bv_len ) {
1100
1101
1102
1103
1104
1105
		match = valueUID.bv_len - assertedUID.bv_len;
		if ( match ) {
			*matchp = match;
			return LDAP_SUCCESS;
		}

1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
		match = memcmp( valueUID.bv_val, assertedUID.bv_val, valueUID.bv_len );
		if( match ) {
			*matchp = match;
			return LDAP_SUCCESS;
		}
	}

	return dnMatch( matchp, flags, syntax, mr, &valueDN, &assertedDN );
}

Kurt Zeilenga's avatar
Kurt Zeilenga committed
1116
1117
1118
1119
1120
1121
/*
 * Handling boolean syntax and matching is quite rigid.
 * A more flexible approach would be to allow a variety
 * of strings to be normalized and prettied into TRUE
 * and FALSE.
 */
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
static int
booleanValidate(
	Syntax *syntax,
	struct berval *in )
{
	/* very unforgiving validation, requires no normalization
	 * before simplistic matching
	 */

	if( in->bv_len == 4 ) {
1132
		if( bvmatch( in, &slap_true_bv ) ) {
1133
1134
1135
			return LDAP_SUCCESS;
		}
	} else if( in->bv_len == 5 ) {
1136
		if( bvmatch( in, &slap_false_bv ) ) {
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
			return LDAP_SUCCESS;
		}
	}

	return LDAP_INVALID_SYNTAX;
}

static int
booleanMatch(
	int *matchp,
1147
	slap_mask_t flags,
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
	Syntax *syntax,
	MatchingRule *mr,
	struct berval *value,
	void *assertedValue )
{
	/* simplistic matching allowed by rigid validation */
	struct berval *asserted = (struct berval *) assertedValue;
	*matchp = value->bv_len != asserted->bv_len;
	return LDAP_SUCCESS;
}

1159
1160
1161
1162
1163
/*-------------------------------------------------------------------
LDAP/X.500 string syntax / matching rules have a few oddities.  This
comment attempts to detail how slapd(8) treats them.

Summary:
1164
  StringSyntax		X.500	LDAP	Matching/Comments
1165
1166
  DirectoryString	CHOICE	UTF8	i/e + ignore insignificant spaces
  PrintableString	subset	subset	i/e + ignore insignificant spaces
1167
  PrintableString	subset	subset	i/e + ignore insignificant spaces
Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
1168
  NumericString		subset	subset	ignore all spaces
1169
1170
1171
  IA5String			ASCII	ASCII	i/e + ignore insignificant spaces
  TeletexString		T.61	T.61	i/e + ignore insignificant spaces

Kurt Zeilenga's avatar
cleanup    
Kurt Zeilenga committed
1172
  TelephoneNumber	subset	subset	i + ignore all spaces and "-"
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182

  See draft-ietf-ldapbis-strpro for details (once published).


Directory String -
  In X.500(93), a directory string can be either a PrintableString,
  a bmpString, or a UniversalString (e.g., UCS (a subset of Unicode)).
  In later versions, more CHOICEs were added.  In all cases the string
  must be non-empty.

1183
  In LDAPv3, a directory string is a UTF-8 encoded UCS string.
1184
  A directory string cannot be zero length.
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230

  For matching, there are both case ignore and exact rules.  Both
  also require that "insignificant" spaces be ignored.
	spaces before the first non-space are ignored;
	spaces after the last non-space are ignored;
	spaces after a space are ignored.
  Note: by these rules (and as clarified in X.520), a string of only
  spaces is to be treated as if held one space, not empty (which
  would be a syntax error).

NumericString
  In ASN.1, numeric string is just a string of digits and spaces
  and could be empty.  However, in X.500, all attribute values of
  numeric string carry a non-empty constraint.  For example:

	internationalISDNNumber ATTRIBUTE ::= {
		WITH SYNTAX InternationalISDNNumber
		EQUALITY MATCHING RULE numericStringMatch
		SUBSTRINGS MATCHING RULE numericStringSubstringsMatch
		ID id-at-internationalISDNNumber }
	InternationalISDNNumber ::=
	    NumericString (SIZE(1..ub-international-isdn-number))

  Unforunately, some assertion values are don't carry the same
  constraint (but its unclear how such an assertion could ever
  be true). In LDAP, there is one syntax (numericString) not two
  (numericString with constraint, numericString without constraint).
  This should be treated as numericString with non-empty constraint.
  Note that while someone may have no ISDN number, there are no ISDN
  numbers which are zero length.

  In matching, spaces are ignored.

PrintableString
  In ASN.1, Printable string is just a string of printable characters
  and can be empty.  In X.500, semantics much like NumericString (see
  serialNumber for a like example) excepting uses insignificant space
  handling instead of ignore all spaces.  

IA5String
  Basically same as PrintableString.  There are no examples in X.500,
  but same logic applies.  So we require them to be non-empty as
  well.

-------------------------------------------------------------------*/

1231
1232
1233
1234
1235
1236
1237
static int
UTF8StringValidate(
	Syntax *syntax,
	struct berval *in )
{
	ber_len_t count;
	int len;
1238
	unsigned char *u = (unsigned char *)in->bv_val;
1239

1240
1241
1242
1243
	if( in->bv_len == 0 && syntax == slap_schema.si_syn_directoryString ) {
		/* directory strings cannot be empty */
		return LDAP_INVALID_SYNTAX;
	}
1244

1245
	for( count = in->bv_len; count > 0; count-=len, u+=len ) {
1246
		/* get the length indicated by the first byte */
1247
		len = LDAP_UTF8_CHARLEN2( u, len );
1248

Kurt Zeilenga's avatar
Kurt Zeilenga committed
1249
1250
1251
		/* very basic checks */
		switch( len ) {
			case 6:
1252
				if( (u[5] & 0xC0) != 0x80 ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1253
1254
1255
					return LDAP_INVALID_SYNTAX;
				}
			case 5:
1256
				if( (u[4] & 0xC0) != 0x80 ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1257
1258
1259
					return LDAP_INVALID_SYNTAX;
				}
			case 4:
1260
				if( (u[3] & 0xC0) != 0x80 ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1261
1262
1263
					return LDAP_INVALID_SYNTAX;
				}
			case 3:
1264
				if( (u[2] & 0xC0 )!= 0x80 ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1265
1266
1267
					return LDAP_INVALID_SYNTAX;
				}
			case 2:
1268
				if( (u[1] & 0xC0) != 0x80 ) {
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1269
1270
1271
					return LDAP_INVALID_SYNTAX;
				}
			case 1:
1272
				/* CHARLEN already validated it */
Kurt Zeilenga's avatar
Kurt Zeilenga committed
1273
1274
1275
1276
				break;
			default:
				return LDAP_INVALID_SYNTAX;
		}
1277
1278
1279

		/* make sure len corresponds with the offset
			to the next character */
1280
		if( LDAP_UTF8_OFFSET( (char *)u ) != len ) return LDAP_INVALID_SYNTAX;
1281
1282
	}

1283
1284
1285
	if( count != 0 ) {
		return LDAP_INVALID_SYNTAX;
	}
1286

1287
	return LDAP_SUCCESS;
1288
1289
}

1290
1291
1292
1293
1294
1295
static int
UTF8StringNormalize(
	slap_mask_t use,