openldap
OpenLDAP
Commits
cee3e022
Commit
cee3e022
authored
Aug 13, 2009
by
Quanah Gibson-Mount
ITS
#6241
parent
e0a6b692
CHANGES
...
...
@@ -6,6 +6,7 @@ OpenLDAP 2.4.18 Engineering
Fixed libldap native getpass usage (ITS#4643)
Fixed libldap tls_check_hostname for OpenSSL and MozNSS (ITS#6239)
Fixed slapd allow mirrormode to be set to FALSE (ITS#5946)
Fixed slapd certificate parsing (ITS#6241)
Fixed slapd dncachesize behavior to unlimited by default (ITS#6222)
Fixed slapd incorrectly applying writetimeout when not set (ITS#6220)
Fixed slapd server URL matching (ITS#5942)
...
...
servers/slapd/schema_init.c
...
...
@@ -273,18 +273,25 @@ certificateValidate( Syntax *syntax, struct berval *in )
}
/* X.509 certificate list validation */
static
int
checkTime
(
struct
berval
*
in
,
struct
berval
*
out
);
static
int
certificateListValidate
(
Syntax
*
syntax
,
struct
berval
*
in
)
{
BerElementBuffer
berbuf
;
BerElement
*
ber
=
(
BerElement
*
)
&
berbuf
;
ber_tag_t
tag
;
ber_len_t
len
;
ber_len_t
len
,
wrapper_len
;
char
*
wrapper_start
;
int
wrapper_ok
=
0
;
ber_int_t
version
=
SLAP_X509_V1
;
struct
berval
bvdn
,
bvtu
;
ber_init2
(
ber
,
in
,
LBER_USE_DER
);
tag
=
ber_skip_tag
(
ber
,
&
len
);
/* Signed wrapper */
tag
=
ber_skip_tag
(
ber
,
&
wrapper_
len
);
/* Signed wrapper */
if
(
tag
!=
LBER_SEQUENCE
)
return
LDAP_INVALID_SYNTAX
;
wrapper_start
=
ber
->
ber_ptr
;
tag
=
ber_skip_tag
(
ber
,
&
len
);
/* Sequence */
if
(
tag
!=
LBER_SEQUENCE
)
return
LDAP_INVALID_SYNTAX
;
tag
=
ber_peek_tag
(
ber
,
&
len
);
...
...
@@ -297,12 +304,18 @@ certificateListValidate( Syntax *syntax, struct berval *in )
tag
=
ber_skip_tag
(
ber
,
&
len
);
/* Signature Algorithm */
if
(
tag
!=
LBER_SEQUENCE
)
return
LDAP_INVALID_SYNTAX
;
ber_skip_data
(
ber
,
len
);
tag
=
ber_
skip
_tag
(
ber
,
&
len
);
/* Issuer DN */
tag
=
ber_
peek
_tag
(
ber
,
&
len
);
/* Issuer DN */
if
(
tag
!=
LBER_SEQUENCE
)
return
LDAP_INVALID_SYNTAX
;
len
=
ber_ptrlen
(
ber
);
bvdn
.
bv_val
=
in
->
bv_val
+
len
;
bvdn
.
bv_len
=
in
->
bv_len
-
len
;
tag
=
ber_skip_tag
(
ber
,
&
len
);
ber_skip_data
(
ber
,
len
);
tag
=
ber_skip_tag
(
ber
,
&
len
);
/* thisUpdate */
/* Time is a CHOICE { UTCTime, GeneralizedTime } */
if
(
tag
!=
SLAP_TAG_UTCTIME
&&
tag
!=
SLAP_TAG_GENERALIZEDTIME
)
return
LDAP_INVALID_SYNTAX
;
bvtu
.
bv_val
=
(
char
*
)
ber
->
ber_ptr
;
bvtu
.
bv_len
=
len
;
ber_skip_data
(
ber
,
len
);
/* Optional nextUpdate */
tag
=
ber_skip_tag
(
ber
,
&
len
);
...
...
@@ -335,9 +348,44 @@ certificateListValidate( Syntax *syntax, struct berval *in )
/* Signature */
if
(
tag
!=
LBER_BITSTRING
)
return
LDAP_INVALID_SYNTAX
;
ber_skip_data
(
ber
,
len
);
if
(
ber
->
ber_ptr
==
wrapper_start
+
wrapper_len
)
wrapper_ok
=
1
;
tag
=
ber_skip_tag
(
ber
,
&
len
);
/* Must be at end now */
if
(
len
||
tag
!=
LBER_DEFAULT
)
return
LDAP_INVALID_SYNTAX
;
/* NOTE: OpenSSL tolerates CL with garbage past the end */
if
(
len
||
tag
!=
LBER_DEFAULT
)
{
struct
berval
issuer_dn
=
BER_BVNULL
,
thisUpdate
;
char
tubuf
[
STRLENOF
(
"YYYYmmddHHMMSSZ"
)
+
1
];
int
rc
;
if
(
!
wrapper_ok
)
{
return
LDAP_INVALID_SYNTAX
;
}
rc
=
dnX509normalize
(
&
bvdn
,
&
issuer_dn
);
if
(
rc
!=
LDAP_SUCCESS
)
{
rc
=
LDAP_INVALID_SYNTAX
;
goto
done
;
}
thisUpdate
.
bv_val
=
tubuf
;
thisUpdate
.
bv_len
=
sizeof
(
tubuf
);
if
(
checkTime
(
&
bvtu
,
&
thisUpdate
)
)
{
rc
=
LDAP_INVALID_SYNTAX
;
goto
done
;
}
Debug
(
LDAP_DEBUG_ANY
,
"certificateListValidate issuer=
\"
%s
\"
, thisUpdate=%s: extra cruft past end of certificateList
\n
"
,
issuer_dn
.
bv_val
,
thisUpdate
.
bv_val
,
0
);
done:
;
if
(
!
BER_BVISNULL
(
&
issuer_dn
)
)
{
ber_memfree
(
issuer_dn
.
bv_val
);
}
return
rc
;
}
return
LDAP_SUCCESS
;
}
...
...
@@ -3617,6 +3665,9 @@ checkTime( struct berval *in, struct berval *out )
rc
=
generalizedTimeValidate
(
NULL
,
&
bv
);
if
(
rc
==
LDAP_SUCCESS
&&
out
!=
NULL
)
{
if
(
out
->
bv_len
>
bv
.
bv_len
)
{
out
->
bv_val
[
bv
.
bv_len
]
=
'\0'
;
}
out
->
bv_len
=
bv
.
bv_len
;
}
...
...
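Review bot: The new checkTime tail only NUL-terminates out->bv_val when out->bv_len is strictly greater than the normalized length, yet the certificateListValidate hunk goes on to print thisUpdate.bv_val with "%s" in the Debug call, so the two sites are coupled by an unstated contract: the caller must size the output buffer one byte larger than the longest time form. That holds today because tubuf is declared as STRLENOF("YYYYmmddHHMMSSZ") + 1 and thisUpdate.bv_len is set to sizeof(tubuf), but nothing at either site says so; a comment on the new branch such as `/* NUL-terminate only if the caller left room; certificateListValidate sizes tubuf to STRLENOF("YYYYmmddHHMMSSZ")+1 so its %s print is safe */` would make the dependency visible. In the same file section, bvdn.bv_len is set to the remainder of the input rather than the Issuer DN element's own length, which presumably relies on dnX509normalize stopping at the end of the DN SEQUENCE; a one-line note there (`/* runs to end of input; dnX509normalize is bounded by the DER SEQUENCE header */`) would confirm that is intentional. The checkTime body both begins and ends outside the hunk, and certificateListValidate's preamble is likewise cut at the first hunk.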