Implement ldap_dn_normalize and friends. Should be used by clients

to validate input dn's BEFORE sending dn's to server.
Also fixed getfilter to use REG_EXTENDED|REG_NOSUB.  (and fixed one
case where REG_BASIC was still used).
s/strdup/LDAP_STRDUP/
Added ldap_pvt_str2lower/upper

clients/ud/auth.c

@@ -294,17 +294,6 @@ auth( char *who, int implicit )
 #define FIVEMINS	( 5 * 60 )
 #define TGT		"krbtgt"
 
-static void
-str2upper( char *s )
-{
-	char	*p;
-
-	for ( p = s; *p != '\0'; ++p ) {
-		*p = TOUPPER( (unsigned char) *p );
-	}
-}
-
-
 static int
 valid_tgt( char **names )
 {
@@ -324,7 +313,7 @@ valid_tgt( char **names )
 		/*
 		 * realm must be uppercase for krb_ routines
 		 */
-		str2upper( realm );
+		ldap_pvt_str2upper( realm );
 #endif /* HAVE_AFS_KERBEROS */
 
 		/*
@@ -395,7 +384,7 @@ kinit( char *kname )
 	/*
 	 * realm must be uppercase for krb_ routines
 	 */
-	str2upper( realm );
+	ldap_pvt_str2upper( realm );
 #endif /* HAVE_AFS_KERBEROS */
 
 	rc = krb_get_in_tkt( name, inst, realm, TGT, realm,

include/ldap_pvt.h

@@ -77,6 +77,34 @@ ldap_str2charray LDAP_P((
 void ldap_pvt_hex_unescape LDAP_P(( char *s ));
 int ldap_pvt_unhex( int c );
 
+/* these macros assume 'x' is an ASCII x */
+#define LDAP_DNSEPARATOR(c)	((c) == ',' || (c) == ';')
+#define LDAP_SEPARATOR(c)	((c) == ',' || (c) == ';' || (c) == '+')
+#define LDAP_SPACE(c)		((c) == ' ' || (c) == '\n')
+
+#define LDAP_LOWER(c)		( (c) >= 'a' && (c) <= 'z' )
+#define LDAP_UPPER(c)		( (c) >= 'A' && (c) <= 'Z' )
+#define LDAP_ALPHA(c)		( LDAP_LOWER(c) || LDAP_UPPER(c) )
+#define LDAP_DIGIT(c)		( (c) >= '0' && (c) <= '9' )
+#define LDAP_ALNUM(c)		( LDAP_ALPHA(c) || LDAP_DIGIT(c) )
+
+#define LDAP_LEADKEYCHAR(c)	( LDAP_ALPHA(c) )
+#define LDAP_KEYCHAR(c)		( LDAP_ALNUM(c) || (c) == '-' )
+#define LDAP_LEADOIDCHAR(c)	( LDAP_DIGIT(c) )
+#define LDAP_OIDCHAR(c)		( LDAP_DIGIT(c) || (c) == '.' )
+
+#define LDAP_LEADATTRCHAR(c)	( LDAP_LEADKEYCHAR(c) || LDAP_LEADOIDCHAR(c) )
+#define LDAP_ATTRCHAR(c)		( LDAP_KEYCHAR((c)) || (c) == '.' )
+
+#define LDAP_NEEDSESCAPE(c)	((c) == '\\' || (c) == '"')
+
+/* string.c */
+LDAP_F( char * )
+ldap_pvt_str2upper LDAP_P(( char *str ));
+
+LDAP_F( char * )
+ldap_pvt_str2lower LDAP_P(( char *str ));
+
 LDAP_END_DECL
 
 #endif

libraries/libldap/dn.c

@@ -0,0 +1,333 @@
+/* dn.c - routines for dealing with distinguished names */
+/*
+ * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+ */
+
+#include "portable.h"
+
+#include <stdio.h>
+
+#include <ac/ctype.h>
+#include <ac/socket.h>
+#include <ac/string.h>
+#include <ac/time.h>
+
+#include "ldap-int.h"
+
+#define B4LEADTYPE		0
+#define B4TYPE			1
+#define INOIDTYPE		2
+#define INKEYTYPE		3
+#define B4EQUAL			4
+#define B4VALUE			5
+#define INVALUE			6
+#define INQUOTEDVALUE	7
+#define B4SEPARATOR		8
+
+/*
+ * ldap_dn_normalize - put dn into a canonical format
+ * and return it.
+ */
+
+char *
+ldap_dn_normalize( const char *dn )
+{
+	char	*d, *s;
+	int	state, gotesc;
+	char *ndn;
+
+	if( dn == NULL ) {
+		return NULL;
+	}
+
+	ndn = LDAP_STRDUP( dn );
+
+	if( ndn == NULL ) {
+		return NULL;
+	}
+
+	gotesc = 0;
+	state = B4LEADTYPE;
+	for ( d = s = ndn; *s; s++ ) {
+		switch ( state ) {
+		case B4LEADTYPE:
+		case B4TYPE:
+			if ( LDAP_LEADOIDCHAR(*s) ) {
+				state = INOIDTYPE;
+				*d++ = *s;
+			} else if ( LDAP_LEADKEYCHAR(*s) ) {
+				state = INKEYTYPE;
+				*d++ = *s;
+			} else if ( ! LDAP_SPACE( *s ) ) {
+				dn = NULL;
+				state = INKEYTYPE;
+				*d++ = *s;
+			}
+			break;
+
+		case INOIDTYPE:
+			if ( LDAP_OIDCHAR(*s) ) {
+				*d++ = *s;
+			} else if ( *s == '=' ) {
+				state = B4VALUE;
+				*d++ = *s;
+			} else if ( LDAP_SPACE( *s ) ) {
+				state = B4EQUAL;
+			} else {
+				dn = NULL;
+				*d++ = *s;
+			}
+			break;
+
+		case INKEYTYPE:
+			if ( LDAP_KEYCHAR(*s) ) {
+				*d++ = *s;
+			} else if ( *s == '=' ) {
+				state = B4VALUE;
+				*d++ = *s;
+			} else if ( LDAP_SPACE( *s ) ) {
+				state = B4EQUAL;
+			} else {
+				dn = NULL;
+				*d++ = *s;
+			}
+			break;
+
+		case B4EQUAL:
+			if ( *s == '=' ) {
+				state = B4VALUE;
+				*d++ = *s;
+			} else if ( ! LDAP_SPACE( *s ) ) {
+				/* not a valid dn - but what can we do here? */
+				*d++ = *s;
+				dn = NULL;
+			}
+			break;
+
+		case B4VALUE:
+			if ( *s == '"' ) {
+				state = INQUOTEDVALUE;
+				*d++ = *s;
+			} else if ( ! LDAP_SPACE( *s ) ) { 
+				state = INVALUE;
+				*d++ = *s;
+			}
+			break;
+
+		case INVALUE:
+			if ( !gotesc && LDAP_SEPARATOR( *s ) ) {
+				while ( LDAP_SPACE( *(d - 1) ) )
+					d--;
+				state = B4TYPE;
+				if ( *s == '+' ) {
+					*d++ = *s;
+				} else {
+					*d++ = ',';
+				}
+			} else if ( gotesc && !LDAP_NEEDSESCAPE( *s ) &&
+			    !LDAP_SEPARATOR( *s ) ) {
+				*--d = *s;
+				d++;
+			} else {
+				*d++ = *s;
+			}
+			break;
+
+		case INQUOTEDVALUE:
+			if ( !gotesc && *s == '"' ) {
+				state = B4SEPARATOR;
+				*d++ = *s;
+			} else if ( gotesc && !LDAP_NEEDSESCAPE( *s ) ) {
+				*--d = *s;
+				d++;
+			} else {
+				*d++ = *s;
+			}
+			break;
+		case B4SEPARATOR:
+			if ( LDAP_SEPARATOR( *s ) ) {
+				state = B4TYPE;
+				*d++ = *s;
+			}
+			break;
+		default:
+			dn = NULL;
+			Debug( LDAP_DEBUG_ANY,
+			    "dn_normalize - unknown state %d\n", state, 0, 0 );
+			break;
+		}
+		if ( *s == '\\' ) {
+			gotesc = 1;
+		} else {
+			gotesc = 0;
+		}
+	}
+	*d = '\0';
+
+	if( gotesc ) {
+		/* shouldn't be left in escape */
+		dn = NULL;
+	}
+
+	/* check end state */
+	switch( state ) {
+	case B4LEADTYPE:	/* looking for first type */
+	case B4SEPARATOR:	/* looking for separator */
+	case INVALUE:		/* inside value */
+		break;
+	default:
+		dn = NULL;
+	}
+
+	if( dn == NULL ) {
+		return( ndn );
+		ndn = NULL;
+	}
+
+	return( ndn );
+}
+
+/*
+ * ldap_dn_parent - return a copy of the dn of dn's parent
+ */
+
+char *
+ldap_dn_parent(
+    const char *dn
+)
+{
+	const char	*s;
+	int	inquote;
+
+	if( dn == NULL ) {
+		return NULL;
+	}
+
+	while(*dn && LDAP_SPACE(*dn)) {
+		dn++;
+	}
+
+	if( *dn == '\0' ) {
+		return( NULL );
+	}
+
+	/*
+	 * no =, assume it is a dns name, like blah@some.domain.name
+	 * if the blah@ part is there, return some.domain.name.  if
+	 * it's just some.domain.name, return domain.name.
+	 */
+	if ( strchr( dn, '=' ) == NULL ) {
+		if ( (s = strchr( dn, '@' )) == NULL ) {
+			if ( (s = strchr( dn, '.' )) == NULL ) {
+				return( NULL );
+			}
+		}
+		if ( *(s + 1) == '\0' ) {
+			return( NULL );
+		} else {
+			return( LDAP_STRDUP( &s[1] ) );
+		}
+	}
+
+	/*
+	 * else assume it is an X.500-style name, which looks like
+	 * foo=bar,sha=baz,...
+	 */
+
+	inquote = 0;
+	for ( s = dn; *s; s++ ) {
+		if ( *s == '\\' ) {
+			if ( *(s + 1) ) {
+				s++;
+			}
+			continue;
+		}
+		if ( inquote ) {
+			if ( *s == '"' ) {
+				inquote = 0;
+			}
+		} else {
+			if ( *s == '"' ) {
+				inquote = 1;
+			} else if ( LDAP_DNSEPARATOR( *s ) ) {
+				return( LDAP_STRDUP( &s[1] ) );
+			}
+		}
+	}
+
+	return( LDAP_STRDUP( "" ) );
+}
+
+char * ldap_dn_rdn( 
+    const char	*dn )
+{
+	char	*s;
+	char	*rdn;
+	int	inquote;
+
+	if( dn == NULL ) {
+		return NULL;
+	}
+
+	while(*dn && LDAP_SPACE(*dn)) {
+		dn++;
+	}
+
+	if( *dn == '\0' ) {
+		return( NULL );
+	}
+
+	rdn = LDAP_STRDUP( dn );
+
+	if( rdn == NULL ) {
+		return NULL;
+	}
+
+#ifdef DNS_DN
+	/*
+	 * no =, assume it is a dns name, like blah@some.domain.name
+	 * if the blah@ part is there, return some.domain.name.  if
+	 * it's just some.domain.name, return domain.name.
+	 */
+	if ( strchr( rdn, '=' ) == NULL ) {
+		if ( (s = strchr( rdn, '@' )) == NULL ) {
+			if ( (s = strchr( rdn, '.' )) == NULL ) {
+				return( rdn );
+			}
+		}
+		*s = '\0';
+		return( rdn );
+	}
+#endif
+
+	/*
+	 * else assume it is an X.500-style name, which looks like
+	 * foo=bar,sha=baz,...
+	 */
+
+	inquote = 0;
+
+	for ( s = rdn; *s; s++ ) {
+		if ( *s == '\\' ) {
+			if ( *(s + 1) ) {
+				s++;
+			}
+			continue;
+		}
+		if ( inquote ) {
+			if ( *s == '"' ) {
+				inquote = 0;
+			}
+		} else {
+			if ( *s == '"' ) {
+				inquote = 1;
+			} else if ( LDAP_DNSEPARATOR( *s ) ) {
+				*s = '\0';
+				return( rdn );
+			}
+		}
+	}
+
+	return( rdn );
+}

libraries/libldap/getdn.c

@@ -54,8 +54,13 @@ ldap_dn2ufn( LDAP_CONST char *dn )
 
 	Debug( LDAP_DEBUG_TRACE, "ldap_dn2ufn\n", 0, 0, 0 );
 
-	if ( ldap_is_dns_dn( dn ) || ( p = strchr( dn, '=' )) == NULL )
+	if( dn == NULL ) {
+		return NULL;
+	}
+
+	if ( ldap_is_dns_dn( dn ) ) {
 		return( LDAP_STRDUP( dn ) );
+	}
 
 	ufn = LDAP_STRDUP( ++p );
 
@@ -279,7 +284,9 @@ explode_name( const char *name, int notypes, int is_dn )
 int
 ldap_is_dns_dn( LDAP_CONST char *dn )
 {
-	return( dn[ 0 ] != '\0' && strchr( dn, '=' ) == NULL &&
-	    strchr( dn, ',' ) == NULL );
+	return( dn[ 0 ] != '\0'
+		&& strchr( dn, '=' ) == NULL
+		&& strchr( dn, ',' ) == NULL
+		&& strchr( dn, ';' ) == NULL );
 }
 

libraries/libldap/getfilter.c

@@ -243,17 +243,17 @@ ldap_getfirstfilter(
 
 	for ( flp = lfdp->lfd_filtlist; flp != NULL; flp = flp->lfl_next ) {
 		/* compile tagpat, continue if we fail */
-		if (regcomp(&re, tagpat, 0) != 0)
+		if (regcomp(&re, tagpat, REG_EXTENDED|REG_NOSUB) != 0)
 			continue;
 
-		/* match tagpatern and tag, continue if we fail */
+		/* match tagpattern and tag, continue if we fail */
 		rc = regexec(&re, flp->lfl_tag, 0, NULL, 0);
 		regfree(&re);
 		if (rc != 0)
 			continue;
 
 		/* compile flp->ifl_pattern, continue if we fail */
-		if (regcomp(&re, flp->lfl_pattern, REG_EXTENDED) != 0)
+		if (regcomp(&re, flp->lfl_pattern, REG_EXTENDED|REG_NOSUB) != 0)
 			continue;
 
 		/* match ifl_pattern and lfd_curval, continue if we fail */

libraries/libldap/libldap.dsp

@@ -179,6 +179,10 @@ SOURCE=..\..\include\disptmpl.h
 # End Source File
 # Begin Source File
 
+SOURCE=.\dn.c
+# End Source File
+# Begin Source File
+
 SOURCE=.\dsparse.c
 # End Source File
 # Begin Source File

libraries/libldap/string.c

@@ -8,6 +8,7 @@
 #include <ac/stdlib.h>
 #include <ac/string.h>
 #include <ac/time.h>
+#include <ac/ctype.h>
 
 #include "ldap-int.h"
 
@@ -103,3 +104,29 @@ char *
 	memcpy( p, s, len );
 	return( p );
 }
+
+char *
+ldap_pvt_str2upper( char *str )
+{
+	char    *s;
+
+	/* to upper */
+	for ( s = str; *s; s++ ) {
+		*s = TOUPPER( (unsigned char) *s );
+	}
+
+	return( str );
+}
+
+char *
+ldap_pvt_str2lower( char *str )
+{
+	char    *s;
+
+	/* to lower */
+	for ( s = str; *s; s++ ) {
+		*s = TOLOWER( (unsigned char) *s );
+	}
+
+	return( str );
+}

libraries/libldap/tls.c

@@ -414,19 +414,19 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
 		break;
 	case LDAP_OPT_X_TLS_CACERTFILE:
 		*(char **)arg = tls_opt_cacertfile ?
-			strdup( tls_opt_cacertfile ) : NULL;
+			LDAP_STRDUP( tls_opt_cacertfile ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CACERTDIR:
 		*(char **)arg = tls_opt_cacertdir ?
-			strdup( tls_opt_cacertdir ) : NULL;
+			LDAP_STRDUP( tls_opt_cacertdir ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CERTFILE:
 		*(char **)arg = tls_opt_certfile ?
-			strdup( tls_opt_certfile ) : NULL;
+			LDAP_STRDUP( tls_opt_certfile ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_KEYFILE:
 		*(char **)arg = tls_opt_keyfile ?
-			strdup( tls_opt_keyfile ) : NULL;
+			LDAP_STRDUP( tls_opt_keyfile ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		*(int *)arg = tls_opt_require_cert;
@@ -466,26 +466,26 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 	switch( option ) {
 	case LDAP_OPT_X_TLS_CACERTFILE:
 		if ( tls_opt_cacertfile ) free( tls_opt_cacertfile );
-		tls_opt_cacertfile = arg ? strdup( (char *) arg ) : NULL;
+		tls_opt_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CACERTDIR:
 		if ( tls_opt_cacertdir ) free( tls_opt_cacertdir );
-		tls_opt_cacertdir = arg ? strdup( (char *) arg ) : NULL;
+		tls_opt_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CERTFILE:
 		if ( tls_opt_certfile ) free( tls_opt_certfile );
-		tls_opt_certfile = arg ? strdup( (char *) arg ) : NULL;
+		tls_opt_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_KEYFILE:
 		if ( tls_opt_keyfile ) free( tls_opt_keyfile );
-		tls_opt_keyfile = arg ? strdup( (char *) arg ) : NULL;
+		tls_opt_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		tls_opt_require_cert = * (int *) arg;
 		break;
 	case LDAP_OPT_X_TLS_CIPHER_SUITE:
 		if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
-		tls_opt_ciphersuite = arg ? strdup( (char *) arg ) : NULL;
+		tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	default:
 		return -1;

servers/slapd/attr.c

@@ -22,6 +22,7 @@
 #include <sys/param.h>
 #endif
 
+#include "ldap_pvt.h"
 #include "ldap_defaults.h"
 #include "slap.h"
 
@@ -111,7 +112,7 @@ attr_normalize( char *s )
 {
 	assert( s != NULL );
 
-	return( str2lower( s ) );
+	return( ldap_pvt_str2lower( s ) );
 }
 
 /*

servers/slapd/config.c

@@ -15,6 +15,7 @@
 #include <ac/ctype.h>
 #include <ac/socket.h>
 
+#include "ldap_pvt.h"
 #include "ldap_defaults.h"
 #include "slap.h"
 
@@ -235,7 +236,7 @@ read_config( const char *fname )
 				char *dn = ch_strdup( cargv[1] );
 				(void) dn_normalize( dn );
 				charray_add( &be->be_suffix, dn );
-				(void) str2upper( dn );
+				(void) ldap_pvt_str2upper( dn );
 				charray_add( &be->be_nsuffix, dn );
 				free( dn );
 			}

servers/slapd/daemon.c

@@ -15,6 +15,7 @@
 #include <ac/time.h>
 #include <ac/unistd.h>
 
+#include "ldap_pvt.h"
 #include "ldap_defaults.h"
 #include "slap.h"
 
@@ -708,7 +709,7 @@ slapd_daemon_task(
 			    sizeof(from.sin_addr.s_addr), AF_INET );
 
 			if(hp) {
-				dnsname = str2lower( hp->h_name );
+				dnsname = ldap_pvt_str2lower( hp->h_name );
 
 			} else {
 				dnsname = NULL;

servers/slapd/dn.c

@@ -13,6 +13,8 @@
 #include <ac/string.h>
 #include <ac/time.h>
 
+#include "ldap_pvt.h"
+
 #include "slap.h"
 
 #define B4LEADTYPE		0
@@ -181,7 +183,7 @@ dn_normalize( char *dn )
 char *
 dn_normalize_case( char *dn )
 {
-	str2upper( dn );
+	ldap_pvt_str2upper( dn );
 
 	/* normalize format */
 	dn = dn_normalize( dn );
@@ -219,6 +221,7 @@ dn_parent(
 		return( NULL );
 	}
 
+#ifdef DNS_DN
 	/*
 	 * no =, assume it is a dns name, like blah@some.domain.name
 	 * if the blah@ part is there, return some.domain.name.  if
@@ -236,6 +239,7 @@ dn_parent(
 			return( ch_strdup( &s[1] ) );
 		}
 	}
+#endif
 
 	/*
 	 * else assume it is an X.500-style name, which looks like
@@ -407,33 +411,6 @@ dn_type( char *dn )
 }
 #endif
 
-char *
-str2upper( char *str )
-{
-	char    *s;
-
-	/* normalize case */
-	for ( s = str; *s; s++ ) {
-		*s = TOUPPER( (unsigned char) *s );
-	}
-
-	return( str );
-}
-
-char *
-str2lower( char *str )
-{
-	char    *s;
-
-	/* normalize case */
-	for ( s = str; *s; s++ ) {
-		*s = TOLOWER( (unsigned char) *s );
-	}
-
-	return( str );
-}
-
-
 /*
  * get_next_substring(), rdn_attr_type(), rdn_attr_value(), and
  * build_new_dn().

servers/slapd/main.c

@@ -75,15 +75,15 @@ typedef struct _str2intDispatch {
 
 /* table to compute syslog-options to integer */
 static STRDISP  syslog_types[] = {
-    { "LOCAL0",         6, LOG_LOCAL0 },
-    { "LOCAL1",         6, LOG_LOCAL1 },
-    { "LOCAL2",         6, LOG_LOCAL2 },
-    { "LOCAL3",         6, LOG_LOCAL3 },
-    { "LOCAL4",         6, LOG_LOCAL4 },
-    { "LOCAL5",         6, LOG_LOCAL5 },
-    { "LOCAL6",         6, LOG_LOCAL6 },
-    { "LOCAL7",         6, LOG_LOCAL7 },
-    { NULL }
+	{ "LOCAL0", sizeof("LOCAL0"), LOG_LOCAL0 },
+	{ "LOCAL1", sizeof("LOCAL1"), LOG_LOCAL1 },
+	{ "LOCAL2", sizeof("LOCAL2"), LOG_LOCAL2 },
+	{ "LOCAL3", sizeof("LOCAL3"), LOG_LOCAL3 },
+	{ "LOCAL4", sizeof("LOCAL4"), LOG_LOCAL4 },
+	{ "LOCAL5", sizeof("LOCAL5"), LOG_LOCAL5 },
+	{ "LOCAL6", sizeof("LOCAL6"), LOG_LOCAL6 },
+	{ "LOCAL7", sizeof("LOCAL7"), LOG_LOCAL7 },
+	{ NULL }
 };
 
 static int   cnvt_str2int( char *, STRDISP_P, int );

servers/slapd/proto-slap.h

@@ -213,8 +213,6 @@ int dn_issuffix LDAP_P(( char *dn, char *suffix ));
 #ifdef DNS_DN
 int dn_type LDAP_P(( char *dn ));
 #endif
-char * str2upper LDAP_P(( char *str ));
-char * str2lower LDAP_P(( char *str ));
 int rdn_validate LDAP_P(( const char* str ));
 char * rdn_attr_value LDAP_P(( char * rdn ));
 char * rdn_attr_type LDAP_P(( char * rdn ));