tinyldap.c

From leitner, 11 Years ago, written in C.

URL http://geopaste.scratchbook.ch/view/ae9a2980

Embed

#define _FILE_OFFSET_BITS 64

#include <unistd.h>

#include <stdlib.h>

#include <string.h>

#include "str.h"

#include "case.h"

#include "byte.h"

#include "buffer.h"

#include "ldap.h"

#include "mduptab.h"

#include "ldif.h"

#include "open.h"

#include "mmap.h"

#include "uint32.h"

#include "auth.h"

#include "bstr.h"

#ifdef STANDALONE

#include "socket.h"

#include "ip6.h"

#ifdef __FreeBSD__

#include <sys/types.h>

#include <sys/wait.h>

#else

#include <wait.h>

#endif

#endif

#include "case.h"

#include <signal.h>

#include "uint16.h"

#include "acl.h"

#include <ctype.h>

#include <assert.h>

#include <fcntl.h>

#include "errmsg.h"

#include "textcode.h"

#include "fmt.h"

#include <sys/socket.h>

#include <netinet/in.h>

#include <netinet/tcp.h>

#ifdef DEBUG

#include <sys/poll.h>

#define verbose 1

#define debug 1

#else

#define verbose 0

#define debug 0

#endif

#define HUGE_SIZE_FOR_SANITY_CHECKS 1024*1024

/* basic operation: the whole data file is mmapped read-only at the beginning and stays there. */

char* map; /* where the file is mapped */

size_t filelen; /* how many bytes are mapped (the whole file) */

uint32 magic,attribute_count,record_count,indices_offset,size_of_string_table;

/* these are the first values from the file, see the file "FORMAT"

* basic counts and offsets needed to calculate the positions of

* the data structures in the file. */

/* We do queries with indexes by evaluating all the filters (subexpressions) that can be

* answered with an index, and then getting a bit vector, one bit for each record. */

/* how many longs are needed to have one bit for each record? */

uint32 record_set_length;

/* some pre-looked-up attribute offsets to speed up ldap_match_mapped */

uint32 dn_ofs,objectClass_ofs,userPassword_ofs,any_ofs;

/* journal hash structures */

struct attribute2 {

unsigned char* a,* v;

};

/* we have chained hashing (that's what next is for), but we also have a linear list of

* all the entries in the journal (that's what linear is for), so we can traverse the

* entries in the same order they were put in the journal */

struct hashnode {

struct hashnode* next,* linear;

unsigned long hashval;

unsigned char* dn;

size_t n;

int overwrite;

struct attribute2 a[1];

};

/* to avoid string compares, we don't work with char* but with uint32 (offsets within

* the mmapped file) whenever it's about values that will be mentioned in the file, such

* as attribute names. So, for each filter we get sent, we look up the attributes in the

* file, so we have the offsets to save the strcmp later.

* In the same step, we also get the attribute flags. tinyldap does not have LDAP

* schemas, so it does not know which attributes are case sensitive and which aren't. So,

* this is saved in a flag, which is currently set by addindex when a case insensitive

* index is created. */

/* This routine is called when we got a Filter and now want to look up the offsets for

* each attribute mentioned in it */

/* recursively fill in attrofs and attrflag */

static void fixup(struct Filter* f) {

if (!f) return;

switch (f->type) {

case EQUAL:

case SUBSTRING:

case GREATEQUAL:

case LESSEQUAL:

case PRESENT:

case APPROX:

{

char* x=map+5*4+size_of_string_table;

size_t i;

f->attrofs=f->attrflag=0;

for (i=0; i<attribute_count; ++i) {

uint32 j=uint32_read(x);

if (!matchcasestring(&f->ava.desc,map+j)) {

f->attrofs=j;

uint32_unpack(x+attribute_count*4,&f->attrflag);

break;

}

x+=4;

}

if (!f->attrofs) {

buffer_puts(buffer_2,"cannot find attribute \"");

buffer_put(buffer_2,f->ava.desc.s,f->ava.desc.l);

buffer_putsflush(buffer_2,"\"!\n");

}

}

case AND:

case OR:

case NOT:

if (f->x) fixup(f->x);

default:

break;

}

if (f->next) fixup(f->next);

}

static void fixupadl(struct AttributeDescriptionList* a) {

while (a) {

char* x=map+5*4+size_of_string_table;

size_t i;

a->attrofs=0;

for (i=0; i<attribute_count; ++i) {

uint32 j=uint32_read(x);

if (!matchcasestring(&a->a,map+j)) {

a->attrofs=j;

break;

}

x+=4;

}

if (!a->attrofs) {

buffer_puts(buffer_2,"cannot find attribute \"");

buffer_put(buffer_2,a->a.s,a->a.l);

buffer_putsflush(buffer_2,"\"!\n");

}

a=a->next;

}

}

/*

_ _

__ _ ___| | ___ _ _ _ __ _ __ ___ _ __| |_

/ _` |/ __| | / __| | | | '_ \| '_ \ / _ \| '__| __|

| (_| | (__| | \__ \ |_| | |_) | |_) | (_) | | | |_

\__,_|\___|_| |___/\__,_| .__/| .__/ \___/|_| \__|

|_| |_|

*/

uint32 filters,acls; /* number of filters and acls in the ACL section of the data file */

uint32 filtertab,acltab; /* offsets of the filter and acl table in the data file */

char* acl_ec_subjects; /* if the n'th byte here is nonzero, then the current subject

(the dn the user is logged in as) matches the n'th filter, i.e.

the ACLs with this subject need to be applied. */

struct Filter** Filters;

char Self[]="self";

char Any[]="*";

uint32 authenticated_as;

char* authenticated_as_str;

struct acl {

uint32 subject,object; /* index of filter for subject,object */

uint16 may,maynot;

uint32 attrs;

uint32 Attrs[1];

};

struct acl** Acls;

static void load_acls() {

struct acl** oldAcls=Acls;

size_t oldacls=acls;

uint32 ofs;

uint32 acl_ofs;

acl_ofs=0;

for (ofs=indices_offset+record_count*4; ofs<filelen;) {

uint32 index_type,next;

uint32_unpack(map+ofs,&index_type);

uint32_unpack(map+ofs+4,&next);

if (index_type==2) { acl_ofs=ofs; break; }

if (next<ofs || next>filelen) {

kaputt:

buffer_putsflush(buffer_1,"broken data file!\n");

exit(1);

}

ofs=next;

}

filters=acls=0; acl_ec_subjects=0;

if (acl_ofs) {

uint32 i;

ofs=acl_ofs+8;

filters=uint32_read(map+ofs);

acl_ec_subjects=malloc(2*filters);

filtertab=ofs+4;

ofs=filtertab+filters*4;

if (ofs<filtertab) goto kaputt;

Filters=malloc(sizeof(Filters[0])*filters);

if (!Filters) goto kaputt;

for (i=0; i<filters; ++i) {

struct Filter* f;

ofs=uint32_read(map+filtertab+i*4);

if (ofs<filtertab || ofs>filelen) goto kaputt;

if (byte_equal(map+ofs,4,"self"))

f=(struct Filter*)Self;

else if (byte_equal(map+ofs,2,"*"))

f=(struct Filter*)Any;

else if (scan_ldapsearchfilter(map+ofs,map+filelen,&f)!=0) {

fixup(f);

if (debug) {

size_t l=fmt_ldapsearchfilterstring(0,f);

char* buf=malloc(l+23);

if (!buf) goto kaputt;

buf[fmt_ldapsearchfilterstring(buf,f)]=0;

free(buf);

}

} else goto kaputt;

Filters[i]=f;

}

ofs=uint32_read(map+filtertab+filters*4);

if (ofs<filtertab || ofs>filelen-4) goto kaputt;

acls=uint32_read(map+ofs);

acltab=ofs+4;

Acls=malloc(sizeof(Acls[0])*acls);

if (!Acls) goto kaputt;

for (i=0; i<acls; ++i) {

uint32 j;

uint32 tmp,cnt;

ofs=uint32_read(map+acltab+i*4);

if (ofs>filelen-16) goto kaputt;

cnt=0;

for (tmp=ofs+12; tmp<filelen; tmp+=4) {

uint32 j=uint32_read(map+tmp);

if (j>tmp) goto kaputt;

if (!j) break;

++cnt;

}

Acls[i]=malloc(sizeof(struct acl)+cnt*sizeof(uint32));

if (!Acls[i]) goto kaputt;

Acls[i]->subject=uint32_read(map+ofs);

Acls[i]->object=uint32_read(map+ofs+4);

Acls[i]->may=uint16_read(map+ofs+8);

Acls[i]->maynot=uint16_read(map+ofs+10);

Acls[i]->attrs=cnt;

tmp=ofs+12;

for (j=0; j<cnt; ++j) {

uint32 x;

Acls[i]->Attrs[j]=x=uint32_read(map+tmp+4*j);

if (any_ofs==0 && map[x]=='*' && map[x+1]==0) any_ofs=x;

}

}

}

if (acls) {

uint32 i;

for (i=0; i<filters; ++i)

acl_ec_subjects[i]=(Filters[i]==(struct Filter*)Any);

}

if (oldAcls) {

size_t i;

for (i=0; i<oldacls; ++i)

free(oldAcls[i]);

free(oldAcls);

}

}

/* End of ACL code */

static const char* datafilename;

static struct stat ss_data;

static struct stat ss_journal;

void map_datafile(const char* filename) {

map=mmap_read(datafilename=filename,&filelen);

stat(datafilename,&ss_data);

if (!map) {

buffer_putsflush(buffer_2,"could not open data!\n");

exit(1);

}

uint32_unpack(map,&magic);

uint32_unpack(map+4,&attribute_count);

uint32_unpack(map+2*4,&record_count);

uint32_unpack(map+3*4,&indices_offset);

uint32_unpack(map+4*4,&size_of_string_table);

record_set_length=(record_count+sizeof(unsigned long)*8-1) / (sizeof(long)*8);

/* look up "dn" and "objectClass" */

{

char* x=map+5*4+size_of_string_table;

size_t i;

dn_ofs=objectClass_ofs=userPassword_ofs=any_ofs=0;

for (i=0; i<attribute_count; ++i) {

uint32 j;

j=uint32_read(x);

if (case_equals("dn",map+j))

dn_ofs=j;

else if (case_equals("objectClass",map+j))

objectClass_ofs=j;

else if (case_equals("userPassword",map+j))

userPassword_ofs=j;

x+=4;

}

if (!dn_ofs || !objectClass_ofs) {

buffer_putsflush(buffer_2,"can't happen error: dn or objectClass not there?!\n");

exit(0);

}

}

load_acls();

}

/*

_ _ _

__| | ___| |__ _ _ __ _ ___ ___ __| | ___

/ _` |/ _ \ '_ \| | | |/ _` | / __/ _ \ / _` |/ _ \

| (_| | __/ |_) | |_| | (_| | | (_| (_) | (_| | __/

\__,_|\___|_.__/ \__,_|\__, | \___\___/ \__,_|\___|

|___/

*/

#define BUFSIZE 8192

#if (debug != 0)

/* debugging support functions, adapted from t2.c */

static void printava(struct AttributeValueAssertion* a,const char* rel) {

buffer_puts(buffer_2,"[");

buffer_put(buffer_2,a->desc.s,a->desc.l);

buffer_puts(buffer_2," ");

buffer_puts(buffer_2,rel);

buffer_puts(buffer_2," ");

buffer_put(buffer_2,a->value.s,a->value.l);

buffer_puts(buffer_2,"]");

}

static void printal(struct AttributeDescriptionList* a) {

while (a) {

buffer_put(buffer_2,a->a.s,a->a.l);

a=a->next;

if (a) buffer_puts(buffer_2,",");

}

if (a) buffer_puts(buffer_2,"\n");

}

static void printfilter(struct Filter* f) {

switch (f->type) {

case AND:

buffer_puts(buffer_2,"&(");

mergesub:

printfilter(f->x);

buffer_puts(buffer_2,")\n");

break;

case OR:

buffer_puts(buffer_2,"|(");

goto mergesub;

break;

case NOT:

buffer_puts(buffer_2,"!(");

goto mergesub;

case EQUAL:

printava(&f->ava,"==");

break;

case SUBSTRING:

{

struct Substring* s=f->substrings;

int first=1;

buffer_put(buffer_2,f->ava.desc.s,f->ava.desc.l);

buffer_puts(buffer_2," has ");

while (s) {

if (!first) buffer_puts(buffer_2," and "); first=0;

switch(s->substrtype) {

case prefix: buffer_puts(buffer_2,"prefix \""); break;

case any: buffer_puts(buffer_2,"substr \""); break;

case suffix: buffer_puts(buffer_2,"suffix \""); break;

}

buffer_put(buffer_2,s->s.s,s->s.l);

buffer_puts(buffer_2,"\"");

s=s->next;

}

}

break;

case GREATEQUAL:

printava(&f->ava,">=");

break;

case LESSEQUAL:

printava(&f->ava,"<=");

break;

case PRESENT:

printava(&f->ava,"\\exist");

break;

case APPROX:

printava(&f->ava,"\\approx");

break;

case EXTENSIBLE:

buffer_puts(buffer_2,"[extensible]");

break;

}

if (f->next) {

buffer_puts(buffer_2,",");

printfilter(f->next);

}

buffer_flush(buffer_2);

}

#endif

/*

_ _ _

(_)_ __ __| | _____ __ ___ ___ __| | ___

| | '_ \ / _` |/ _ \ \/ / / __/ _ \ / _` |/ _ \

| | | | | (_| | __/> < | (_| (_) | (_| | __/

|_|_| |_|\__,_|\___/_/\_\ \___\___/ \__,_|\___|

*/

/* find out whether this filter can be accelerated with the indices */

static int indexable(struct Filter* f) {

struct Filter* y=f->x;

if (!f) return 0;

switch (f->type) {

case AND:

while (y) {

if (indexable(y)) return 1;

y=y->next;

}

return 0;

case OR:

while (y) {

if (!indexable(y)) return 0;

y=y->next;

}

/* fall through */

case PRESENT:

return 1;

#if 0

/* doesn't make much sense to try to speed up negated queries */

case NOT:

return indexable(y);

#endif

case SUBSTRING:

if (f->substrings->substrtype!=prefix) return 0;

/* fall through */

case EQUAL:

case LESSEQUAL:

case GREATEQUAL:

{

uint32 ofs;

for (ofs=indices_offset+record_count*4; ofs<filelen;) {

uint32 index_type,next,indexed_attribute;

index_type=uint32_read(map+ofs);

next=uint32_read(map+ofs+4);

indexed_attribute=uint32_read(map+ofs+8);

if (index_type<=1 || (index_type==3 && f->type==EQUAL))

if (!matchstring(&f->ava.desc,map+indexed_attribute))

return 1;

ofs=next;

}

}

/* fall through */

default:

return 0;

}

}

/* each record can have more than one attribute with the same name, i.e. two email

* addresses. Thus, the index can't just be a sorted list of pointers the records

* (because a record with two email addresses needs to be in the index twice, once for

* each email address). So our index is a sorted list of pointers to the attributes.

* Thus, a look-up in the index does not yield the record but the attribute. We need to

* be able to find the record for a given attribute. To do that, we exploit the fact that

* the strings in the string table are in the same order as the records, so we can do a

* binary search over the record table to find the record with the attribute. This does

* not work for objectClass, because the classes are stored in a different string table to

* remove duplicates. */

/* Yes, this is an evil kludge to keep index size small. However, it turned out that it

* also dominated lookup time for a relatively minor index size reduction. So index type

* 1 was added (flag f to addindex), which does not need this. The benefit is so big that

* tinyldap will drop support for type 0 indices sooner or later. Type 1 indexes are

* twice as large, and save the record number besides each index entry. */

/* find record given a data pointer */

static long findrec(uint32 dat) {

uint32* records=(uint32*)(map+indices_offset);

uint32 bottom=0;

uint32 top=record_count-1;

while ((top>=bottom)) {

uint32 mid=(top+bottom)/2;

uint32 l;

l=uint32_read(map+uint32_read((char*)(&records[mid]))+8);

if (l<=dat) {

if (mid>=record_count-1)

l=uint32_read(map+uint32_read((char*)(&records[0]))+12);

else

l=uint32_read(map+uint32_read((char*)(&records[mid+1]))+8);

if (l>dat) {

return mid; /* found! */

}

bottom=mid+1;

} else

if (mid)

top=mid-1;

else

break;

}

buffer_putsflush(buffer_2,"findrec failed!\n");

return -1;

}

#define RANGECHECK 1

struct bitfield {

unsigned long* bits;

#ifdef RANGECHECK

size_t n;

#endif

size_t first,last;

};

/* basic bit-set support: set all bits to 0 */

static inline void emptyset(struct bitfield* b) {

size_t i;

#ifdef RANGECHECK

b->n=

#endif

b->first=record_count;

b->last=0;

for (i=0; i<record_set_length; ++i) b->bits[i]=0;

}

/* basic bit-set support: set all bits to 1 */

static inline void fillset(struct bitfield* b) {

size_t i;

b->first=0;

#ifdef RANGECHECK

b->n=

#endif

b->last=record_count;

for (i=0; i<record_set_length; ++i) b->bits[i]=(unsigned long)-1;

}

/* basic bit-set support: set one bit to 1 */

static inline void setbit(struct bitfield* b,size_t bit) {

#ifdef RANGECHECK

if (bit<=b->n) {

#endif

if (bit<b->first) b->first=bit;

if (bit>b->last) b->last=bit;

b->bits[bit/(8*sizeof(long))] |= (1<<(bit&(8*sizeof(long)-1)));

#ifdef RANGECHECK

}

#endif

}

/* basic bit-set support: see if given bit is set */

static inline int isset(struct bitfield* b,size_t bit) {

#ifdef RANGECHECK

if (bit>b->n) return 0;

#endif

return b->bits[bit/(8*sizeof(long))] & (1<<(bit&(8*sizeof(long)-1)));

}

/* use index (sorted table of offsets to records) to do a binary search

* for all records that match the value in s. Set the corresponding

* bits to 1 in bitfield. */

static void tagmatches(uint32* index,size_t elements,struct string* s,

struct bitfield* b,int (*match)(struct string* s,const char* c),

uint32 index_type,enum FilterType ft) {

uint32 bottom=0;

uint32 top=elements;

uint32 mid,k,m;

long rec;

rec=0;

emptyset(b);

while ((top>=bottom)) {

int l;

mid=(top+bottom)/2;

k=uint32_read((char*)(&index[mid]));

#ifdef DEBUG

buffer_puts(buffer_2,"match[");

buffer_putulong(buffer_2,bottom);

buffer_puts(buffer_2,"..");

buffer_putulong(buffer_2,top);

buffer_puts(buffer_2,"]: ");

buffer_put(buffer_2,s->s,s->l);

buffer_puts(buffer_2," <-> ");

buffer_puts(buffer_2,map+k);

buffer_putsflush(buffer_2,": ");

#endif

if ((l=match(s,map+k))==0) {

/* match! */

#ifdef DEBUG

buffer_putsflush(buffer_2,"MATCH!\n");

#endif

if (index_type==0)

rec=findrec(k);

else if (index_type==1)

rec=uint32_read((char*)(&index[mid+elements]));

else {

buffer_puts(buffer_2,"unsupported index type ");

buffer_putulong(buffer_2,index_type);

buffer_puts(buffer_2," in tagmatches!\n");

return;

}

if (rec>=0)

setbit(b,rec);

/* there may be multiple matches.

* Look before and after mid, too */

if (mid) /* thx Andreas Stührk */

for (k=mid-1; k>0; --k) {

m=uint32_read((char*)(&index[k]));

if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {

if (index_type==0)

rec=findrec(m);

else if (index_type==1)

rec=uint32_read((char*)(&index[k+elements]));

if (rec>=0)

setbit(b,rec);

} else break;

}

for (k=mid+1; k<elements; ++k) {

m=uint32_read((char*)(&index[k]));

if ((ft==GREATEQUAL) || (l=match(s,map+m))==0) {

if (index_type==0)

rec=findrec(m);

else if (index_type==1)

rec=uint32_read((char*)(&index[k+elements]));

if (rec>=0)

setbit(b,rec);

} else break;

}

return;

}

if (l<0) {

#ifdef DEBUG

buffer_putsflush(buffer_2,"smaller!\n");

#endif

if (mid)

top=mid-1;

else

break; /* since our offsets are unsigned, we need to avoid the -1 case */

} else

#ifdef DEBUG

buffer_putsflush(buffer_2,"larger!\n"),

#endif

bottom=mid+1;

}

/* not found; we can still have matches if type==LESSEQUAL or

* type==GREATEQUAL */

if (ft==GREATEQUAL) {

for (k=mid; k<elements; ++k) {

m=uint32_read((char*)(&index[k]));

if (index_type==0)

rec=findrec(m);

else if (index_type==1)

rec=uint32_read((char*)(&index[k+elements]));

if (rec>=0)

setbit(b,rec);

}

} else if (ft==LESSEQUAL) {

for (k=0; k<=mid; ++k) {

m=uint32_read((char*)(&index[k]));

if (index_type==0)

rec=findrec(m);

else if (index_type==1)

rec=uint32_read((char*)(&index[k+elements]));

if (rec>=0)

setbit(b,rec);

}

}

}

static uint32 hash(const unsigned char* c,size_t keylen) {

size_t h=0,i;

for (i=0; i<keylen; ++i) {

/* from djb's cdb */

h += (h<<5);

h ^= c[i];

}

return (uint32)h;

}

static uint32 hash_tolower(const unsigned char* c,size_t keylen) {

size_t h=0,i;

for (i=0; i<keylen; ++i) {

/* from djb's cdb */

h += (h<<5);

h ^= tolower(c[i]);

}

return (uint32)h;

}

/* Use the indices to answer a query with the given filter.

* For all matching records, set the corresponding bit to 1 in bitfield.

* Note that this match can be approximate. Before answering, the

* matches are verified with ldap_match_mapped, so the index can also

* be used if it only helps eliminate some of the possible matches (for

* example an AND query where only one of the involved attributes has an

* index). */

static int useindex(struct Filter* f,struct bitfield* b) {

struct Filter* y=f->x;

if (!f) return 1;

if (f->type==EQUAL) { /* prefer a hash index if there is one */

uint32 ofs;

for (ofs=indices_offset+record_count*4; ofs<filelen;) {

uint32 index_type,next,indexed_attribute;

index_type=uint32_read(map+ofs);

next=uint32_read(map+ofs+4);

indexed_attribute=uint32_read(map+ofs+8);

if (index_type==3)

if (!matchstring(&f->ava.desc,map+indexed_attribute)) {

uint32 hashtabsize=uint32_read(map+ofs+12);

uint32 hashtab=ofs+16;

uint32 hashval=f->attrflag&1?hash_tolower((unsigned char*)f->ava.value.s,f->ava.value.l):hash((unsigned char*)f->ava.value.s,f->ava.value.l);

uint32 hashofs=uint32_read(map+hashtab+(hashval%hashtabsize)*4);

if (hashofs==0) return 1;

if (hashofs<ofs)

/* direct hit */

setbit(b,hashofs);

else {

uint32 n=uint32_read(map+hashofs);

hashofs+=4;

while (n) {

setbit(b,uint32_read(map+hashofs));

hashofs+=4;

--n;

}

}

return 1;

}

ofs=next;

}

}

switch (f->type) {

case AND:

{

struct bitfield tmp;

int ok=0;

tmp.bits=alloca(record_set_length*sizeof(unsigned long));

if (y) {

useindex(y,b);

y=y->next;

} else

fillset(b);

while (y) {

if (useindex(y,&tmp)) {

size_t i;

for (i=0; i<record_set_length; ++i)

b->bits[i] &= tmp.bits[i];

if (tmp.first>b->first) b->first=tmp.first;

if (tmp.last<b->last) b->last=tmp.last;

ok=1;

}

y=y->next;

}

return ok;

}

case OR:

{

struct bitfield tmp;

int ok=1;

tmp.bits=alloca(record_set_length*sizeof(unsigned long));

if (y) {

useindex(y,b);

y=y->next;

} else

emptyset(b);

while (y) {

if (useindex(y,&tmp)) {

size_t i;

for (i=0; i<record_set_length; ++i)

b->bits[i] |= tmp.bits[i];

if (tmp.first<b->first) b->first=tmp.first;

if (tmp.last>b->last) b->last=tmp.last;

} else

ok=0;

y=y->next;

}

return ok;

}

#if 0

/* doesn't make much sense to try to speed up negated queries */

case NOT:

return indexable(y);

#endif

case SUBSTRING:

if (f->substrings->substrtype!=prefix) return 0;

{

uint32 ofs;

for (ofs=indices_offset+record_count*4; ofs<filelen;) {

uint32 index_type,next,indexed_attribute;

index_type=uint32_read(map+ofs);

next=uint32_read(map+ofs+4);

indexed_attribute=uint32_read(map+ofs+8);

if (index_type<=1)

if (!matchstring(&f->ava.desc,map+indexed_attribute)) {

tagmatches((uint32*)(map+ofs+12),(next-ofs-12)/(4<<index_type),&f->substrings->s,b,

f->attrflag&1?matchcaseprefix:matchprefix,index_type,f->type);

return 1;

}

ofs=next;

}

}

return 0;

case PRESENT:

{

/* now this is not exactly using an index, but a linear search

* through the record table, but since each check is very cheap,

* we pretend it's indexed */

char* x=map+5*4+size_of_string_table+attribute_count*8;

size_t i;

emptyset(b);

for (i=0; i<record_count; ++i) {

if (ldap_match_present(x-map,f->attrofs))

setbit(b,i);

x+=uint32_read(x)*8;

}

return 1;

}

case LESSEQUAL:

case GREATEQUAL:

case EQUAL:

{

uint32 ofs;

for (ofs=indices_offset+record_count*4; ofs<filelen;) {

uint32 index_type,next,indexed_attribute;

index_type=uint32_read(map+ofs);

next=uint32_read(map+ofs+4);

indexed_attribute=uint32_read(map+ofs+8);

if (index_type<=1)

if (!matchstring(&f->ava.desc,map+indexed_attribute)) {

tagmatches((uint32*)(map+ofs+12),(next-ofs-12)/(4<<index_type),&f->ava.value,b,

f->attrflag&1?matchcasestring:matchstring,index_type,f->type);

return 1;

}

ofs=next;

}

}

/* fall through */

default:

return 0;

}

}

/*

_

__ _ _ _ ___ _ __ _ _ __ _ _ __ _____ _____ _ __(_)_ __ __ _

/ _` | | | |/ _ \ '__| | | | / _` | '_ \/ __\ \ /\ / / _ \ '__| | '_ \ / _` |

| (_| | |_| | __/ | | |_| | | (_| | | | \__ \\ V V / __/ | | | | | | (_| |

\__, |\__,_|\___|_| \__, | \__,_|_| |_|___/ \_/\_/ \___|_| |_|_| |_|\__, |

|_| |___/ |___/

*/

static int checkacl(uint32 recofs,uint32 attrofs,unsigned long operation,struct SearchResultEntry* sre) {

uint32 j;

for (j=0; j<acls; ++j) {

/* does the ACL subject apply? */

if (!acl_ec_subjects[Acls[j]->subject]) continue;

/* does the ACL even apply to the wanted operation? */

if ((Acls[j]->may | Acls[j]->maynot) & operation) {

uint32 k;

if (acl_ec_subjects[filters+Acls[j]->object]==-1) continue;

if (acl_ec_subjects[filters+Acls[j]->object]==0) {

int match=0;

if (Filters[Acls[j]->object]==(struct Filter*)Any)

match=1;

else if (Filters[Acls[j]->object]==(struct Filter*)Self) {

if (authenticated_as==0 && authenticated_as_str)

match=!strcmp(map+uint32_read(map+recofs+8),authenticated_as_str);

else

match=(recofs==authenticated_as);

} else if (recofs)

match=ldap_matchfilter_mapped(recofs,Filters[Acls[j]->object]);

else if (sre)

match=ldap_matchfilter_sre(sre,Filters[Acls[j]->object]);

else

match=-1;

if (match)

acl_ec_subjects[filters+Acls[j]->object]=1;

else {

acl_ec_subjects[filters+Acls[j]->object]=-1;

continue;

}

}

for (k=0; k<Acls[j]->attrs; ++k) {

if (Acls[j]->Attrs[k]==any_ofs || attrofs==Acls[j]->Attrs[k]) {

if (Acls[j]->may&operation)

return 1;

else

return -1;

break;

}

}

}

}

return 0;

}

static int ldap_matchfilter_hn(struct hashnode* hn,struct Filter* f);

static int checkacl_hn(struct hashnode* hn,const unsigned char* attr,unsigned long operation) {

uint32 j;

for (j=0; j<acls; ++j) {

/* does the ACL subject apply? */

if (!acl_ec_subjects[Acls[j]->subject]) continue;

/* does the ACL even apply to the wanted operation? */

if ((Acls[j]->may | Acls[j]->maynot) & operation) {

uint32 k;

if (acl_ec_subjects[filters+Acls[j]->object]==-1) continue;

if (acl_ec_subjects[filters+Acls[j]->object]==0) {

int match=0;

if (Filters[Acls[j]->object]==(struct Filter*)Any)

match=1;

else if (Filters[Acls[j]->object]==(struct Filter*)Self)

match=dn && !strcmp((char*)hn->dn,authenticated_as_str);

else if (dn)

match=ldap_matchfilter_hn(hn,Filters[Acls[j]->object]);

else

match=-1;

if (match)

acl_ec_subjects[filters+Acls[j]->object]=1;

else {

acl_ec_subjects[filters+Acls[j]->object]=-1;

continue;

}

}

for (k=0; k<Acls[j]->attrs; ++k) {

/* if (Acls[j]->Attrs[k]==any_ofs || !matchstring(&adl->a,map+Acls[j]->Attrs[k])) { */

if (Acls[j]->Attrs[k]==any_ofs || bstr_equal((char*)attr,map+Acls[j]->Attrs[k])) {

if (Acls[j]->may&operation)

return 1;

else

return -1;

break;

}

}

}

}

return 0;

}

static struct hashnode** dn_in_journal(unsigned char* dn);

static void answerwith_hn(struct hashnode* hn,struct SearchRequest* sr,long messageid,int out);

/* this routine is called for each record matched the query. It basically puts together

* an answer LDAP message from the record and the list of attributes the other side said

* it wanted to have. */

static void answerwith(uint32 ofs,struct SearchRequest* sr,long messageid,int out) {

struct SearchResultEntry sre;

struct PartialAttributeList** pal=&sre.attributes;

struct hashnode** hn;

if ((hn=dn_in_journal((unsigned char*)map+uint32_read(map+ofs+8))) && *hn) {

(*hn)->overwrite=1;

answerwith_hn(*hn,sr,messageid,out);

return;

}

#if (debug != 0)

if (debug) {

char* x=map+ofs;

uint32 j;

buffer_putulong(buffer_2,j=uint32_read(x));

buffer_puts(buffer_2," attributes:\n");

x+=8;

buffer_puts(buffer_2," dn: ");

buffer_puts(buffer_2,map+uint32_read(x));

buffer_puts(buffer_2,"\n objectClass: ");

x+=4;

buffer_puts(buffer_2,map+uint32_read(x));

buffer_puts(buffer_2,"\n");

x+=4;

for (; j>2; --j) {

buffer_puts(buffer_2," ");

buffer_puts(buffer_2,map+uint32_read(x));

buffer_puts(buffer_2,": ");

buffer_puts(buffer_2,map+uint32_read(x+4));

buffer_puts(buffer_2,"\n");

x+=8;

}

buffer_flush(buffer_2);

}

#endif

if (acls)

byte_zero(acl_ec_subjects+filters,filters);

if (acls && checkacl(ofs,dn_ofs,acl_read,0)!=1) return;

sre.objectName.l=bstrlen(sre.objectName.s=map+uint32_read(map+ofs+8));

sre.attributes=0;

/* now go through list of requested attributes */

{

struct AttributeDescriptionList* adl=sr->attributes;

if (!adl && attribute_count>2) {

/* did not ask for any attributes. send 'em all. */

/* to do that, construct a list of all attributes */

uint32 i;

char* x=map+5*4+size_of_string_table+4;

if (attribute_count>HUGE_SIZE_FOR_SANITY_CHECKS/sizeof(struct AttributeDescriptionList))

return;

adl=alloca((attribute_count)*sizeof(struct AttributeDescriptionList));

for (i=0; i<attribute_count-1; ++i) {

uint32 j;

uint32_unpack(x,&j);

x+=4;

adl[i].a.s=map+j;

adl[i].a.l=str_len(map+j);

adl[i].attrofs=j;

adl[i].next=adl+i+1;

}

adl[attribute_count-2].next=0;

}

while (adl) {

const char* val=0;

uint32 i=2,j;

if (!acls || checkacl(ofs,adl->attrofs,acl_read,0)==1) {

uint32_unpack(map+ofs,&j);

#if 0

buffer_puts(buffer_2,"looking for attribute \"");

buffer_put(buffer_2,adl->a.s,adl->a.l);

buffer_putsflush(buffer_2,"\"\n");

#endif

if (!matchstring(&adl->a,"dn")) val=sre.objectName.s; else

if (!matchstring(&adl->a,"objectClass"))

val=map+uint32_read(map+ofs+12);

else {

for (; i<j; ++i)

/* if (!matchstring(&adl->a,map+uint32_read(map+ofs+i*8))) { */

if (adl->attrofs == uint32_read(map+ofs+i*8)) {

val=map+uint32_read(map+ofs+i*8+4);

++i;

break;

}

}

if (val) {

*pal=malloc(sizeof(struct PartialAttributeList));

if (!*pal) {

nomem:

buffer_putsflush(buffer_2,"out of virtual memory!\n");

exit(1);

}

(*pal)->type=adl->a;

{

struct AttributeDescriptionList** a;

a=&(*pal)->values;

add_attribute:

*a=malloc(sizeof(struct AttributeDescriptionList));

if (!*a) goto nomem;

(*a)->a.s=bstrfirst(val);

(*a)->a.l=bstrlen(val);

for (;i<j; ++i)

/* if (!matchstring(&adl->a,map+uint32_read(map+ofs+i*8))) { */

if (adl->attrofs == uint32_read(map+ofs+i*8)) {

val=map+uint32_read(map+ofs+i*8+4);

++i;

a=&(*a)->next;

goto add_attribute;

}

(*a)->next=0;

}

(*pal)->next=0;

pal=&(*pal)->next;

}

}

adl=adl->next;

}

}

{

long l=fmt_ldapsearchresultentry(0,&sre);

char *buf;

long tmp;

if (l<=HUGE_SIZE_FOR_SANITY_CHECKS) {

buf=alloca(l+300); /* you never know ;) */

if (verbose) {

buffer_puts(buffer_2,"sre len ");

buffer_putulong(buffer_2,l);

buffer_putsflush(buffer_2,".\n");

}

tmp=fmt_ldapmessage(buf,messageid,SearchResultEntry,l);

fmt_ldapsearchresultentry(buf+tmp,&sre);

write(out,buf,l+tmp);

}

}

free_ldappal(sre.attributes);

}

/*

_ _ _ _ _ _ _

| |__ (_) __ _| |__ | | _____ _____| | | | __| | __ _ _ __

| '_ \| |/ _` | '_ \ | |/ _ \ \ / / _ \ | | |/ _` |/ _` | '_ \

| | | | | (_| | | | | | | __/\ V / __/ | | | (_| | (_| | |_) |

|_| |_|_|\__, |_| |_| |_|\___| \_/ \___|_| |_|\__,_|\__,_| .__/

|___/ |_|

*/

static int copystring(struct string* dest,struct string* src) {

dest->s=malloc(src->l+1);

if (!dest->s) return -1;

byte_copy((char*)dest->s,src->l,src->s);

dest->l=src->l;

return 0;

}

/* deep copy an attribute description list */

static int copyadl(struct AttributeDescriptionList** dest,struct AttributeDescriptionList* src) {

*dest=0;

while (src) {

if (!(*dest=malloc(sizeof(*src)))) return -1;

byte_zero(*dest,sizeof(*src));

if (copystring(&(*dest)->a,&src->a)) return -1;

(*dest)->attrofs=src->attrofs;

dest=&(*dest)->next;

src=src->next;

}

return 0;

}

/* semi-deep copy an attribute description list */

static int copyadl2(struct AttributeDescriptionList** dest,struct AttributeDescriptionList* src) {

*dest=0;

while (src) {

if (!(*dest=malloc(sizeof(*src)))) return -1;

byte_zero(*dest,sizeof(*src));

(*dest)->a=src->a;

(*dest)->attrofs=src->attrofs;

dest=&(*dest)->next;

src=src->next;

}

return 0;

}

#if 0

/* deep copy a partial attribute list */

static int copypal(struct PartialAttributeList** dest,struct PartialAttributeList* src) {

*dest=0;

while (src) {

if (!(*dest=malloc(sizeof(**dest)))) return -1;

byte_zero(*dest,sizeof(**dest));

if (copystring(&(*dest)->type,&src->type) ||

copyadl(&(*dest)->values,src->values)) return -1;

dest=&(*dest)->next;

src=src->next;

}

return 0;

}

#endif

/* small helper for addreq2sre */

static int ar2sreh1(struct PartialAttributeList** dest,struct Addition* src) {

*dest=0;

while (src) {

if (!(*dest=malloc(sizeof(**dest)))) return -1;

byte_zero(*dest,sizeof(**dest));

if (copystring(&(*dest)->type,&src->AttributeDescription) ||

copyadl(&(*dest)->values,&src->vals)) return -1;

dest=&(*dest)->next;

src=src->next;

}

return 0;

}

/* convert an AddRequest to a SearchResultEntry */

static int addreq2sre(struct SearchResultEntry* sre,struct AddRequest* ar) {

byte_zero(sre,sizeof(*sre));

if (copystring(&sre->objectName,&ar->entry) ||

!(sre->attributes=malloc(sizeof(*sre->attributes))) ||

ar2sreh1(&sre->attributes,&ar->a)) {

free_ldapsearchresultentry(sre);

return -1;

}

return 0;

}

/* small helper for modreq2sre */

static int mr2sreh1(struct PartialAttributeList** dest,struct Modification* src) {

*dest=0;

while (src) {

if (!(*dest=malloc(sizeof(**dest)))) return -1;

byte_zero(*dest,sizeof(**dest));

(*dest)->type=src->AttributeDescription;

if (copyadl2(&(*dest)->values,src->vals)) return -1;

dest=&(*dest)->next;

src=src->next;

}

return 0;

}

/* We need two versions for the modify request. The first one just creates a stupid

* SearchResultEntry out of just the changed attributes, which is then only used for ACL

* matching. The second version merges in the existing record to form the modified

* record. This is the first version for ACL checking. */

static int modreq2sre(struct SearchResultEntry* sre,struct ModifyRequest* mr) {

byte_zero(sre,sizeof(*sre));

sre->objectName=mr->object;

if (!(sre->attributes=malloc(sizeof(*sre->attributes))) ||

mr2sreh1(&sre->attributes,&mr->m)) {

free_ldapsearchresultentry(sre);

return -1;

}

return 0;

}

static int applymodreq(struct hashnode* hn,struct ModifyRequest* mr,struct SearchResultEntry* sre) {

struct PartialAttributeList** l;

struct Modification* m;

size_t i;

sre->objectName.l=strlen((char*)hn->dn);

sre->objectName.s=(char*)hn->dn;

sre->attributes=0;

l=&(sre->attributes);

/* go through all the attributes in the hash node and apply the modifications */

for (i=0; i<hn->n; ++i) {

enum { Keep, Drop } todo=Keep;

for (m=&mr->m; m; m=m->next) {

if (!matchstring(&m->AttributeDescription,(char*)hn->a[i].a)) {

/* same attribute */

if (m->operation==Add)

continue;

else if (m->operation==Delete) {

/* if it's delete, we need to check the value list */

struct AttributeDescriptionList* adl=m->vals;

if (!adl)

todo=Drop; /* if the list is empty, drop all */

else

for (adl=m->vals; adl; adl=adl->next) {

if (!matchstring(&adl->a,(char*)hn->a[i].v)) {

todo=Drop;

break;

}

}

} else

todo=Drop;

}

if (todo==Drop) break;

}

if (todo==Keep) {

*l=malloc(sizeof(**l));

if (!*l) return -1;

(*l)->next=0;

(*l)->type.s=bstrfirst((char*)hn->a[i].a);

(*l)->type.l=bstrlen((char*)hn->a[i].a);

if (!((*l)->values=malloc(sizeof(*(*l)->values)))) return -1;

(*l)->values->a.s=bstrfirst((char*)hn->a[i].v);

(*l)->values->a.l=bstrlen((char*)hn->a[i].v);

(*l)->values->attrofs=0;

(*l)->values->next=0;

l=&(*l)->next;

}

}

/* then add all the "replace" or "add" attributes */

for (m=&mr->m; m; m=m->next) {

if ((m->operation==Add || m->operation==Replace) && m->vals) {

*l=malloc(sizeof(**l));

if (!*l) return -1;

(*l)->next=0;

(*l)->type.s=m->AttributeDescription.s;

(*l)->type.l=m->AttributeDescription.l;

if (copyadl2(&(*l)->values,m->vals)==-1) return -1;

l=&(*l)->next;

}

}

return 0;

}

/* write a search result entry to a file */

static int writesretofd(int fd,struct SearchResultEntry* sre) {

/* we have no locking, but we open using O_APPEND, so the OS synchronizes for us as long

* as we write atomically. Therefore we have to buffer here. */

size_t i,l,nl;

char* c;

struct PartialAttributeList* pal=sre->attributes;

l=5+fmt_ldapescape(0,sre->objectName.s,sre->objectName.l); /* "\ndn: ...\n" */

if (l<=5) return -1;

while (pal) {

struct AttributeDescriptionList* adl=pal->values;

while (adl) {

nl=fmt_ldapescape(0,pal->type.s,pal->type.l);

if (nl>HUGE_SIZE_FOR_SANITY_CHECKS) return -1;

l+=nl;

nl=fmt_ldapescape(0,adl->a.s,adl->a.l);

if (nl>HUGE_SIZE_FOR_SANITY_CHECKS) return -1;

l+=nl;

if (l+3>HUGE_SIZE_FOR_SANITY_CHECKS) return -1;

l+=3;

adl=adl->next;

}

pal=pal->next;

}

c=alloca(l+1);

if (!c) return -1;

i=fmt_str(c,"dn: ");

i+=fmt_ldapescape(c+i,sre->objectName.s,sre->objectName.l);

i+=fmt_str(c+i,"\n");

pal=sre->attributes;

while (pal) {

struct AttributeDescriptionList* adl=pal->values;

while (adl) {

i+=fmt_ldapescape(c+i,pal->type.s,pal->type.l);

i+=fmt_str(c+i,": ");

i+=fmt_ldapescape(c+i,adl->a.s,adl->a.l);

i+=fmt_str(c+i,"\n");

adl=adl->next;

}

pal=pal->next;

}

i+=fmt_str(c+i,"\n");

return (write(fd,c,i)==(ssize_t)i)?0:-1;

}

/* This is the high level LDAP handling code. It reads queries from the socket at in, and

* then writes the answers to out. Normally in == out, but they are separate here so this

* can also be called with in=stdin and out=stdout. */

static void answerwithjournal(struct SearchRequest* sr,long messageid,int out);

static struct hashnode** dn_in_journal2(const char* dn,size_t dnlen);

static int lookupdn(struct string* dn,size_t* index, struct hashnode** hn) {

struct Filter f;

struct hashnode** tmphn;

if (dn->l<1 || !dn->s) {

buffer_putsflush(buffer_2,"lookupdn called for NULL dn!\n");

return -1;

}

if ((tmphn=dn_in_journal2(dn->s,dn->l)) && *tmphn) {

*hn=*tmphn;

*index=-1;

return (*hn)->n > 0;

}

*hn=0;

f.type=EQUAL;

f.ava.desc.l=2; f.ava.desc.s="dn";

f.ava.value=*dn;

f.next=f.x=0;

fixup(&f);

if (!indexable(&f)) {

buffer_putsflush(buffer_2,"no index for dn, lookup failed!\n");

return -1;

} else {

struct bitfield result;

size_t i;

result.bits=alloca(record_set_length*sizeof(unsigned long));

useindex(&f,&result);

if (result.first>result.last)

return 0;

// assert(result.last<=record_count);

for (i=result.first; i<=result.last; ) {

if (!result.bits[i/(8*sizeof(long))]) {

i+=8*sizeof(long);

continue;

}

for (; i<=result.last; ++i) {

if (isset(&result,i)) {

*index=i;

return 1;

}

}

}

}

return 0;

}

static void normalize_string_dn(struct string* s) {

/* OK this is a kludge. s->s is supposed to be read-only because it points into the

* buffer where we read it into from the network.

* Since normalize_dn ends up using less or equal space, and we are not interested in

* the non-normalized dn, we do the read-write cast and normalize in-place.

* Kids, don't do this at home. */

s->l=normalize_dn((char*)s->s,s->s,s->l);

}

static void update();

void reply_with_index(struct SearchRequest* sr,unsigned long* messageid,int out) {

size_t returned=0;

struct bitfield result;

size_t i;

#if (debug != 0)

if (debug) buffer_putsflush(buffer_2,"query can be answered with index!\n");

#endif

result.bits=alloca(record_set_length*sizeof(unsigned long));

/* Use the index to find matching data. Put the offsets

* of the matches in a table. Use findrec to locate

* the records that point to the data. */

useindex(sr->filter,&result);

// assert(result.last<=record_count);

for (i=result.first; i<=result.last; ) {

size_t ni=i+8*sizeof(long);

if (!result.bits[i/(8*sizeof(long))]) {

i=ni;

continue;

}

if (ni>record_count) ni=record_count;

for (; i<ni; ++i) {

if (isset(&result,i)) {

uint32 j;

uint32_unpack(map+indices_offset+4*i,&j);

if (ldap_match_mapped(j,sr)) {

if (sr->sizeLimit && sr->sizeLimit<++returned)

break;

answerwith(j,sr,*messageid,out);

}

}

}

}

}

/* a standard LDAP session looks like this:

* 1. connect to server

* 2. send a BindRequest

* get back a BindResponse

* 3. send a SearchRequest

* get back n SearchResultEntries

* get back a SearchResultDone

* 4. send an UnbindRequest

* 5. close

* tinyldap does not complain if you don't unbind before hanging up.

*/

static int handle(int in,int out) {

size_t len;

char buf[BUFSIZE];

for (len=0;;) {

int tmp=read(in,buf+len,BUFSIZE-len);

int res;

unsigned long messageid,op;

size_t Len;

if (tmp==0) {

close(in);

if (in!=out) close(out);

return 0;

// if (BUFSIZE-len) { return 0; }

}

if (tmp<0) { write(2,"error!\n",7); return 1; }

len+=tmp;

res=scan_ldapmessage(buf,buf+len,&messageid,&op,&Len);

if (res>0) {

if (verbose) {

buffer_puts(buffer_2,"got message of length ");

buffer_putulong(buffer_2,Len);

buffer_puts(buffer_2," with id ");

buffer_putulong(buffer_2,messageid);

buffer_puts(buffer_2,": op ");

buffer_putulong(buffer_2,op);

buffer_putsflush(buffer_2,".\n");

}

update();

switch (op) {

case BindRequest:

{

unsigned long version,method;

struct string name;

size_t tmp;

tmp=scan_ldapbindrequest(buf+res,buf+len,&version,&name,&method);

if (tmp>0) {

if (verbose) {

buffer_puts(buffer_2,"bind request: version ");

buffer_putulong(buffer_2,version);

buffer_puts(buffer_2," for name \"");

buffer_put(buffer_2,name.s,name.l);

buffer_puts(buffer_2,"\" with method ");

buffer_putulong(buffer_2,method);

buffer_putsflush(buffer_2,".\n");

}

if (name.l) {

struct string password;

size_t idx;

struct hashnode* hn;

int err=success;

scan_ldapstring(buf+res+tmp,buf+len,&password);

normalize_string_dn(&name);

switch (lookupdn(&name,&idx,&hn)) {

case -1: err=operationsError; break;

case 1: break;

case 0: err=noSuchObject; break;

default: err=operationsError;

}

if (err!=success)

goto authfailure;

else {

char* c=0;

uint32 authdn=0;

char* authdn_str=0;

if (idx==(size_t)-1) { // found in journal

size_t i;

for (i=0; i<hn->n; ++i)

if (!strcmp((char*)hn->a[i].a,"userPassword")) {

c=(char*)hn->a[i].v;

authdn=0;

authdn_str=(char*)hn->dn;

break;

}

} else { // found in db

uint32 j;

uint32_unpack(map+indices_offset+4*idx,&j);

uint32_unpack(map+j+8,&authdn);

authdn_str=map+authdn;

authdn=j;

if (!(j=ldap_find_attr_value(j,userPassword_ofs))) {

buffer_putsflush(buffer_2,"no userPassword attribute found, bind failed!\n");

goto authfailure;

}

c=map+j;

}

if (check_password(c,&password)) {

authenticated_as=authdn;

authenticated_as_str=authdn_str;

if (acls) {

size_t i;

for (i=0; i<filters; ++i)

acl_ec_subjects[i]=(Filters[i]==(struct Filter*)Any);

for (i=0; i<acls; ++i) {

size_t j=Acls[i]->subject;

if (!acl_ec_subjects[j]) {

if (authdn==0) // authenticated against hashnode

acl_ec_subjects[j]=ldap_matchfilter_hn(hn,Filters[j]);

else // authenticated against mapped db

acl_ec_subjects[j]=ldap_matchfilter_mapped(authdn,Filters[j]);

}

}

}

} else

authfailure:

{

char outbuf[1024];

size_t s=100;

size_t len=fmt_ldapbindresponse(outbuf+s,inappropriateAuthentication,"","authentication failure","");

size_t hlen=fmt_ldapmessage(0,messageid,BindResponse,len);

fmt_ldapmessage(outbuf+s-hlen,messageid,BindResponse,len);

write(out,outbuf+s-hlen,len+hlen);

continue;

}

}

}

{

char outbuf[1024];

size_t s=100;

size_t len=fmt_ldapbindresponse(outbuf+s,0,"","go ahead","");

size_t hlen=fmt_ldapmessage(0,messageid,BindResponse,len);

fmt_ldapmessage(outbuf+s-hlen,messageid,BindResponse,len);

write(out,outbuf+s-hlen,len+hlen);

}

}

}

break;

case SearchRequest:

{

struct SearchRequest sr;

size_t tmp;

#if 0

{

int fd=open_write("request");

write(fd,buf,res+len);

close(fd);

}

#endif

if ((tmp=scan_ldapsearchrequest(buf+res,buf+len,&sr))) {

size_t returned=0;

#if (debug != 0)

if (debug) {

const char* scopes[]={"baseObject","singleLevel","wholeSubtree"};

const char* alias[]={"neverDerefAliases","derefInSearching","derefFindingBaseObj","derefAlways"};

buffer_puts(buffer_2,"search request: baseObject \"");

buffer_put(buffer_2,sr.baseObject.s,sr.baseObject.l);

buffer_puts(buffer_2,"\", scope ");

buffer_puts(buffer_2,scopes[sr.scope]);

buffer_puts(buffer_2,", ");

buffer_puts(buffer_2,alias[sr.derefAliases]);

buffer_puts(buffer_2,"\nsize limit ");

buffer_putulong(buffer_2,sr.sizeLimit);

buffer_puts(buffer_2,", time limit ");

buffer_putulong(buffer_2,sr.timeLimit);

buffer_puts(buffer_2,"\n");

printfilter(sr.filter);

buffer_puts(buffer_2,"attributes: ");

printal(sr.attributes);

buffer_putsflush(buffer_2,"\n\n");

}

#endif

fixup(sr.filter);

fixupadl(sr.attributes);

if (indexable(sr.filter)) {

reply_with_index(&sr,&messageid,out);

} else {

char* x=map+5*4+size_of_string_table+attribute_count*8;

size_t i;

#if (debug != 0)

if (debug) buffer_putsflush(buffer_2,"query can NOT be answered with index!\n");

#endif

for (i=0; i<record_count; ++i) {

uint32 j;

uint32_unpack(x,&j);

if (ldap_match_mapped(x-map,&sr)) {

if (sr.sizeLimit && sr.sizeLimit<++returned)

break;

answerwith(x-map,&sr,messageid,out);

}

x+=j*8;

}

}

/* now answer with the results from the journal */

answerwithjournal(&sr,messageid,out);

free_ldapsearchrequest(&sr);

} else {

buffer_putsflush(buffer_2,"couldn't parse search request!\n");

exit(1);

}

{

char buf[1000];

size_t l=fmt_ldapsearchresultdone(buf+100,0,"","","");

size_t hlen=fmt_ldapmessage(0,messageid,SearchResultDone,l);

fmt_ldapmessage(buf+100-hlen,messageid,SearchResultDone,l);

write(out,buf+100-hlen,l+hlen);

}

}

break;

case UnbindRequest:

close(out); if (in!=out) close(in);

return 0;

case ModifyRequest:

{

struct ModifyRequest mr;

size_t tmp,err=success;

buffer_putsflush(buffer_2,"modifyrequest!\n");

if ((tmp=scan_ldapmodifyrequest(buf+res,buf+len,&mr))) {

struct SearchResultEntry sre;

if (verbose) {

buffer_puts(buffer_1,"modify request: dn \"");

buffer_put(buffer_1,mr.object.s,mr.object.l);

buffer_putsflush(buffer_1,"\"\n");

switch (mr.m.operation) {

case 0: buffer_puts(buffer_1,"Add\n"); break;

case 1: buffer_puts(buffer_1,"Delete\n"); break;

case 2: buffer_puts(buffer_1,"Replace\n"); break;

}

buffer_put(buffer_1,mr.m.AttributeDescription.s,mr.m.AttributeDescription.l);

buffer_puts(buffer_1,"\n");

{

struct AttributeDescriptionList* x=mr.m.vals;

do {

buffer_puts(buffer_1," -> \"");

buffer_put(buffer_1,x->a.s,x->a.l);

buffer_putsflush(buffer_1,"\"\n");

x=x->next;

} while (x);

}

}

normalize_string_dn(&mr.object);

if (acls) {

/* convert modifyrequest to searchresultentry */

modreq2sre(&sre,&mr);

/* 1. check ACLs */

if (checkacl(0,0,acl_write,&sre)!=1)

err=insufficientAccessRights;

free_ldapsearchresultentry(&sre);

} else

err=insufficientAccessRights;

if (err==success) {

/* 2. check if there already is a record with this dn */

struct hashnode* hn;

size_t idx;

switch (lookupdn(&mr.object,&idx,&hn)) {

case -1: err=operationsError; break;

case 1: break;

case 0: err=noSuchObject; break;

default: err=operationsError;

}

if (err==success) {

#if 1

/* 3. apply modifications to record to get new record */

if (!applymodreq(hn,&mr,&sre)) {

/* 4. write record to journal */

int fd=open("journal",O_WRONLY|O_APPEND|O_CREAT,0600);

if (fd==-1)

err=operationsError;

else {

if (writesretofd(fd,&sre)==-1)

err=operationsError;

close(fd);

}

} else

err=operationsError;

free_ldapsearchresultentry(&sre);

#else

err=operationsError;

#endif

}

}

} else {

buffer_putsflush(buffer_2,"could not parse modifyRequest!\n");

err=protocolError;

}

{

char outbuf[1024];

int s=100;

int len=fmt_ldapresult(outbuf+s,err,"","","");

int hlen=fmt_ldapmessage(0,messageid,AddResponse,len);

fmt_ldapmessage(outbuf+s-hlen,messageid,AddResponse,len);

write(out,outbuf+s-hlen,len+hlen);

}

free_ldapmodifyrequest(&mr);

}

break;

case AbandonRequest:

if (verbose) buffer_putsflush(buffer_2,"AbandonRequest!\n");

/* do nothing */

break;

case AddRequest:

{

int err=success;

struct AddRequest ar;

// buffer_putsflush(buffer_2,"AddRequest!\n");

if ((tmp=scan_ldapaddrequest(buf+res,buf+len,&ar))) {

struct SearchResultEntry sre;

normalize_string_dn(&ar.entry);

/* convert addrequest to searchresultentry */

addreq2sre(&sre,&ar);

/* 1. check ACLs */

if (checkacl(0,0,acl_add,&sre)==1) {

/* 2. check if there already is a record with this dn */

struct hashnode* hn;

size_t idx;

switch (lookupdn(&sre.objectName,&idx,&hn)) {

case -1: err=operationsError; break;

case 1: err=entryAlreadyExists; break;

case 0: break;

default: err=operationsError;

}

if (err==success) {

/* 3. write record to journal */

int fd=open("journal",O_WRONLY|O_APPEND|O_CREAT,0600);

if (fd==-1)

err=operationsError;

else {

if (writesretofd(fd,&sre)==-1)

err=operationsError;

close(fd);

}

}

} else

err=insufficientAccessRights;

} else

err=protocolError;

buffer_put(buffer_1,ar.entry.s,ar.entry.l);

buffer_putsflush(buffer_1,"\n");

if (verbose) { /* iterate all attributes */

struct Addition * x;

struct AttributeDescriptionList * y;

for (x = &ar.a;x;x=x->next) {

for (y = &x->vals;y;y=y->next) {

buffer_put(buffer_1,x->AttributeDescription.s,x->AttributeDescription.l);

buffer_puts(buffer_1,": ");

buffer_put(buffer_1,y->a.s,y->a.l);

buffer_putsflush(buffer_1,"\n");

}

}

}

free_ldapaddrequest(&ar);

{

char outbuf[1024];

size_t s=100;

size_t len=fmt_ldapresult(outbuf+s,err,"","","");

size_t hlen=fmt_ldapmessage(0,messageid,AddResponse,len);

fmt_ldapmessage(outbuf+s-hlen,messageid,AddResponse,len);

write(out,outbuf+s-hlen,len+hlen);

}

}

break;

case DelRequest:

{

struct string s;

size_t l=scan_ldapdeleterequest(buf+res,buf+len,&s);

if (l>0) {

struct SearchResultEntry sre;

int err=success;

if (verbose) {

buffer_puts(buffer_2,"Delete Request for DN \"");

buffer_put(buffer_2,s.s,s.l);

buffer_putsflush(buffer_2,"\".\n");

}

normalize_string_dn(&s);

/* convert modifyrequest to searchresultentry */

sre.objectName=s;

sre.attributes=0;

/* 1. check ACLs */

if (checkacl(0,0,acl_delete,&sre)!=1)

err=insufficientAccessRights;

if (err==success) {

/* 2. check if there already is a record with this dn */

struct hashnode* hn;

size_t idx;

switch (lookupdn(&s,&idx,&hn)) {

case -1: err=operationsError; break;

case 1: break;

case 0: err=noSuchObject; break;

default: err=operationsError;

}

if (err==success) {

/* 3. write record to journal */

int fd=open("journal",O_WRONLY|O_APPEND|O_CREAT,0600);

if (fd==-1)

err=operationsError;

else {

if (writesretofd(fd,&sre)==-1)

err=operationsError;

close(fd);

}

}

}

{

char outbuf[1024];

size_t s=100;

size_t len=fmt_ldapresult(outbuf+s,err,"","","");

size_t hlen=fmt_ldapmessage(0,messageid,DelResponse,len);

fmt_ldapmessage(outbuf+s-hlen,messageid,DelResponse,len);

write(out,outbuf+s-hlen,len+hlen);

}

}

}

break;

case ModifyDNRequest:

/* TODO */

default:

buffer_puts(buffer_2,"unknown request type ");

buffer_putulong(buffer_2,op);

buffer_putsflush(buffer_2,"\n");

return 0;

// exit(1);

}

Len+=res;

#if 0

buffer_puts(buffer_2,"byte_copy(buf,");

buffer_putulong(buffer_2,len-Len);

buffer_puts(buffer_2,",buf+");

buffer_putulong(buffer_2,Len);

buffer_putsflush(buffer_2,");\n");

#endif

if (Len<len) {

byte_copy(buf,len-Len,buf+Len);

len-=Len;

} else len=0;

} else

exit(2);

}

}

/* journal reading code */

extern int (*ldif_parse_callback)(struct ldaprec* l);

extern mstorage_t stringtable;

extern mduptab_t attributes,classes;

static unsigned long hash2(const unsigned char* c) {

unsigned long h=0;

if (*c==0) {

uint32 len=uint32_read((char*)c+1);

return hash(c+5,len);

}

while (*c) {

/* from djb's cdb */

h += (h<<5);

h ^= *c;

++c;

}

return (uint32)h;

}

#define HASHTABSIZE 8191

static unsigned char* bstrdup(unsigned char* c) {

size_t len;

unsigned char* x;

if (*c)

len=str_len((char*)c)+1;

else {

len=5+uint32_read((char*)c+1);

if (len<5) return 0;

}

x=malloc(len);

if (x) byte_copy(x,len,c);

return x;

}

static unsigned char* bstrdup_attrib(unsigned char* c) {

char* x=map+5*4+size_of_string_table;

size_t i,l;

if (*c)

l=str_len((char*)c)+1;

else {

l=uint32_read((char*)c+1);

c+=5;

}

for (i=0; i<attribute_count; ++i) {

uint32 j=uint32_read(x);

if (case_equalb(c,l,map+j))

return (unsigned char*)map+j;

x+=4;

}

return bstrdup(c);

}

struct hashnode* hashtab[HASHTABSIZE];

static struct hashnode** dn_in_journal(unsigned char* dn) {

unsigned long hashval;

struct hashnode** hn;

hashval=hash2(dn);

hn=hashtab+(hashval%HASHTABSIZE);

while (*hn) {

if ((*hn)->hashval==hashval) {

if (!bstr_diff((char*)(*hn)->dn,(char*)dn))

break;

}

hn=&((*hn)->next);

}

return hn;

}

static struct hashnode** dn_in_journal2(const char* dn,size_t dnlen) {

unsigned long hashval;

struct hashnode** hn;

hashval=hash((const unsigned char*)dn,dnlen);

// printf("lookup: \"%.*s\" -> %lu\n",dnlen,dn,hashval);

hn=hashtab+(hashval%HASHTABSIZE);

while (*hn) {

if ((*hn)->hashval==hashval) {

if (!bstr_diff2((char*)(*hn)->dn,dn,dnlen))

break;

}

hn=&((*hn)->next);

}

return hn;

}

struct hashnode* root;

static int parse_callback(struct ldaprec* l) {

static struct hashnode** nextinlinearlist=&root;

size_t i;

unsigned long hashval;

struct hashnode** hn;

if (l->dn==(uint32)-1)

return -1;

hashval=hash2((unsigned char*)stringtable.root+l->dn);

// printf("journal: \"%s\" -> %lu\n",stringtable.root+l->dn,hashval);

hn=hashtab+(hashval%HASHTABSIZE);

while (*hn) {

if ((*hn)->hashval==hashval) {

if (!bstr_diff((char*)(*hn)->dn,stringtable.root+l->dn))

break;

}

hn=&((*hn)->next);

}

if (*hn) {

/* a record with this dn exists */

/* adjust it to the new reality */

for (i=0; i<(*hn)->n; ++i) {

free((*hn)->a[i].a);

free((*hn)->a[i].v);

}

*hn = realloc(*hn,sizeof(**hn)-sizeof(struct attribute2)+l->n*sizeof(struct attribute2));

if (!*hn) nomem: die(1,"out of memory!");

} else {

*hn = malloc(sizeof(**hn)-sizeof(struct attribute2)+l->n*sizeof(struct attribute2));

if (!*hn) goto nomem;

if (!((*hn)->dn=bstrdup((unsigned char*)stringtable.root+l->dn))) goto nomem;

(*hn)->hashval=hashval;

(*hn)->next=0;

(*hn)->overwrite=0;

/* put new entry in the linear list */

*nextinlinearlist=*hn;

(*hn)->linear=0;

nextinlinearlist=&(*hn)->linear;

}

(*hn)->n=l->n;

for (i=0; i<l->n; ++i) {

if (!((*hn)->a[i].a=bstrdup_attrib((unsigned char*)attributes.strings.root+l->a[i].name)) ||

!((*hn)->a[i].v=bstrdup((unsigned char*)((*hn)->a[i].a==(unsigned char*)map+objectClass_ofs?classes.strings.root:stringtable.root)+l->a[i].value))) goto nomem;

}

stringtable.used=0;

return 0;

}

static void readjournal() {

ldif_parse_callback=parse_callback;

mduptab_init(&attributes);

mduptab_init(&classes);

if (ldif_parse("journal",0,&ss_journal)) {

buffer_putsflush(buffer_2,"Failed to parse journal!\n");

exit(1);

}

}

static void update() {

struct stat new_data,new_journal;

if (stat(datafilename,&new_data)==-1) {

/* no data file?! There is no way to salvage the situation. */

buffer_putsflush(buffer_2,"ABEND: data file suddenly gone.\n");

exit(1);

}

/* now see if the data file changed. If it did, map it anew. */

if (new_data.st_size!=ss_data.st_size ||

new_data.st_mtime!=ss_data.st_mtime ||

new_data.st_ino!=ss_data.st_ino) {

buffer_putsflush(buffer_2,"Data file changed, reloading.\n");

mmap_unmap(map,filelen);

/* If the new data file is corrupt, map_datafile calls exit.

* I don't believe in limping on. If something is broken on such a fundamental level,

* it's better to bail so that the problem does not go unnoticed and things get even

* worse. */

map_datafile(datafilename);

/* OK, now that we have the datafile reloaded, we need to clean our idea of a journal

* and reload the journal from scratch. */

resetjournal:

mduptab_reset(&attributes);

mduptab_reset(&classes);

readjournal();

return;

}

/* the data file did not change. Maybe the journal did. */

if (stat("journal",&new_journal)==-1) {

/* no journal; that means:

* a) there never was one, totaly read-only data

* b) there was one, but it has now been incorporated into the main database

* in this case: delete journal data

*/

mduptab_reset(&attributes);

mduptab_reset(&classes);

return;

}

if (new_journal.st_size!=ss_journal.st_size ||

new_journal.st_mtime!=ss_journal.st_mtime ||

new_journal.st_ino!=ss_journal.st_ino) {

/* Journal changed. Since all we ever do is append, we just read the part from how

* far we got last time, which happens to be ss_journal.st_size. */

/* On the other hand, we should make a valiant effort to not break if someone edits

* his journal manually. After all, that's why our journal is in text form.

* We look for two clues that someone edited his journal:

* 1. size is identical or smaller

* 2. journal does not end with "\n\n"

* If we detect meddling we just throw away our journal and read the new one. */

int notkosher=0;

if (new_journal.st_size>ss_journal.st_size && ss_journal.st_size>2) {

int fd;

fd=open("journal",O_RDONLY);

if (fd!=-1) {

char buf[2];

lseek(fd,ss_journal.st_size-2,SEEK_SET);

if (read(fd,buf,2)!=2)

if (buf[0]=='\n' && buf[1]=='\n')

notkosher=1;

close(fd);

}

}

if (notkosher) {

buffer_putsflush(buffer_2,"Unsanctioned journal editing detected! Re-reading journal.\n");

goto resetjournal;

}

if (ldif_parse("journal",ss_journal.st_size,&ss_journal)) {

buffer_putsflush(buffer_2,"Failed to parse journal!\n");

exit(1);

}

ss_data=new_data;

}

}

static int ldap_matchfilter_hn(struct hashnode* hn,struct Filter* f) {

struct Filter* y=f->x;

size_t i;

if (!hn->n) return 0;

if (!f) return 1;

switch (f->type) {

case AND:

while (y) {

if (!ldap_matchfilter_hn(hn,y)) return 0;

y=y->next;

}

return 1;

case OR:

while (y) {

if (ldap_matchfilter_hn(hn,y)) return 1;

y=y->next;

}

return 0;

case NOT:

return !ldap_matchfilter_hn(hn,y);

case PRESENT:

if (f->attrofs==dn_ofs)

return 1;

for (i=0; i<hn->n; ++i)

if (!matchstring(&f->ava.desc,(char*)hn->a[i].a))

return 1;

return 0;

case EQUAL:

case LESSEQUAL:

case GREATEQUAL:

if (f->attrofs==dn_ofs)

return matchint(f,(char*)hn->dn);

for (i=0; i<hn->n; ++i)

if (!matchstring(&f->ava.desc,(char*)hn->a[i].a) &&

matchint(f,(char*)hn->a[i].v)) return 1;

return 0;

case SUBSTRING:

if (f->attrofs==dn_ofs)

return substringmatch(f->substrings,(char*)hn->dn,f->attrflag&1);

for (i=0; i<hn->n; ++i)

if (!matchstring(&f->ava.desc,(char*)hn->a[i].a) &&

substringmatch(f->substrings,(char*)hn->a[i].v,f->attrflag&1)) return 1;

return 0;

default:

write(2,"unsupported query type\n",23);

return 0;

}

return 1;

}

/* return 0 if they didn't match, otherwise return length in b */

static int match(const char* a,int len,const char* b) {

const char* A=a+len;

const char* B=b+str_len(b);

while (len>0 && A>a && B>b) {

--A; --B; --len;

while (*A==' ' && A>a) { --A; --len; }

while (*B==' ' && B>b) --B;

if (tolower(*A) != tolower(*B))

return 0;

}

return str_len(B);

}

static int matchhashnode(struct hashnode* hn,struct SearchRequest* sr) {

size_t i,len=bstrlen((char*)hn->dn);

unsigned char* c;

if (sr->baseObject.l>len)

/* baseObject is longer than dn */

return 0;

if (sr->baseObject.l && !match(sr->baseObject.s,sr->baseObject.l,(char*)hn->dn))

/* baseObject is not a suffix of dn */

return 0;

switch (sr->scope) {

case wholeSubtree: break;

case baseObject: if (len==sr->baseObject.l) break; return 0;

default:

c=hn->dn+bstrstart((char*)hn->dn);

for (i=0; i<len; ++i)

if (c[i]==',')

break;

if (i+2>=len-sr->baseObject.l) break;

return 0;

}

return ldap_matchfilter_hn(hn,sr->filter);

}

static void answerwith_hn(struct hashnode* hn,struct SearchRequest* sr,long messageid,int out) {

struct SearchResultEntry sre;

struct PartialAttributeList** pal=&sre.attributes;

if (!hn->n) return;

if (acls)

byte_zero(acl_ec_subjects+filters,filters);

if (acls && checkacl_hn(hn,(unsigned char*)map+dn_ofs,acl_read)!=1) return;

sre.objectName.l=bstrlen(sre.objectName.s=(char*)hn->dn);

sre.attributes=0;

/* now go through list of requested attributes */

{

struct AttributeDescriptionList* adl=sr->attributes;

if (!adl && hn->n && hn->n<HUGE_SIZE_FOR_SANITY_CHECKS/sizeof(*adl)) {

/* did not ask for any attributes. send 'em all. */

/* to do that, construct a list of all attributes */

uint32 i,j,k;

adl=alloca(hn->n*sizeof(*adl));

for (i=k=0; i<hn->n; ++i) {

adl[k].a.s=(char*)hn->a[i].a;

adl[k].a.l=str_len((char*)hn->a[i].a);

adl[k].attrofs=0;

adl[k].next=adl+k+1;

for (j=0; j<i; ++j) {

if (!strcmp((char*)hn->a[i].a,(char*)hn->a[j].a)) {

--k;

break;

}

}

++k;

}

if (k) adl[k-1].next=0;

}

while (adl) {

const unsigned char* val=0;

uint32 i=0;

if (!acls || checkacl_hn(hn,(unsigned char*)adl->a.s,acl_read)==1) {

if (!matchstring(&adl->a,"dn"))

val=hn->dn;

else {

for (; i<hn->n; ++i)

if (!matchstring(&adl->a,(char*)hn->a[i].a)) {

val=hn->a[i].v;

++i;

break;

}

}

if (val) {

*pal=malloc(sizeof(struct PartialAttributeList));

if (!*pal) {

nomem:

buffer_putsflush(buffer_2,"out of virtual memory!\n");

exit(1);

}

(*pal)->type=adl->a;

{

struct AttributeDescriptionList** a;

a=&(*pal)->values;

add_attribute:

*a=malloc(sizeof(struct AttributeDescriptionList));

if (!*a) goto nomem;

(*a)->a.s=bstrfirst((char*)val);

(*a)->a.l=bstrlen((char*)val);

for (;i<hn->n; ++i)

if (!matchstring(&adl->a,(char*)hn->a[i].a)) {

val=hn->a[i].v;

++i;

a=&(*a)->next;

goto add_attribute;

}

(*a)->next=0;

}

(*pal)->next=0;

pal=&(*pal)->next;

}

}

adl=adl->next;

}

}

{

long l=fmt_ldapsearchresultentry(0,&sre);

char *buf;

long tmp;

if (l<HUGE_SIZE_FOR_SANITY_CHECKS) {

buf=alloca(l+300); /* you never know ;) */

if (verbose) {

buffer_puts(buffer_2,"sre len ");

buffer_putulong(buffer_2,l);

buffer_putsflush(buffer_2,".\n");

}

tmp=fmt_ldapmessage(buf,messageid,SearchResultEntry,l);

fmt_ldapsearchresultentry(buf+tmp,&sre);

write(out,buf,l+tmp);

}

}

free_ldappal(sre.attributes);

}

static void answerwithjournal(struct SearchRequest* sr,long messageid,int out) {

struct hashnode* hn=root;

while (hn) {

if (!hn->overwrite && matchhashnode(hn,sr))

answerwith_hn(hn,sr,messageid,out);

hn=hn->linear;

}

}

/*

_

_ __ ___ __ _(_)_ __

| '_ ` _ \ / _` | | '_ \

| | | | | | (_| | | | | |

|_| |_| |_|\__,_|_|_| |_|

*/

int main(int argc,char* argv[]) {

#ifdef STANDALONE

int sock;

#endif

errmsg_iam("tinyldap");

signal(SIGPIPE,SIG_IGN);

map_datafile(argc>1?argv[1]:"data");

readjournal();

#if 0

ldif_parse("exp.ldif");

if (!first) {

buffer_putsflush(buffer_2,"no data?!");

}

#endif

#ifdef STANDALONE

if ((sock=socket_tcp6b())==-1) {

buffer_putsflush(buffer_2,"socket failed!\n");

exit(1);

}

{

char ip[16];

char* IP=(char*)V6any;

char* x=getenv("IP");

if (x && !x[scan_ip6(x,ip)])

IP=ip;

if (socket_bind6_reuse(sock,IP,389,0)) {

buffer_putsflush(buffer_2,"bind failed!\n");

exit(1);

}

}

if (socket_listen(sock,32)) {

buffer_putsflush(buffer_2,"listen failed!\n");

exit(1);

}

for (;;) {

char ip[16];

uint16 port;

uint32 scope_id;

int asock;

{

int status;

while ((status=waitpid(-1,0,WNOHANG))!=0 && status!=(pid_t)-1); /* reap zombies */

}

#ifdef DEBUG

again:

#endif

asock=socket_accept6(sock,ip,&port,&scope_id);

if (asock==-1) {

buffer_putsflush(buffer_2,"accept failed!\n");

exit(1);

}

{

int one=1;

setsockopt(asock,IPPROTO_TCP,TCP_NODELAY,&one,sizeof(one));

}

update();

#ifdef DEBUG

{

struct pollfd p;

p.fd=0;

p.events=POLLIN;

if (poll(&p,1,1)==1) return 0;

}

handle(asock,asock);

goto again;

// exit(0);

#else

#endif

switch (fork()) {

case -1: buffer_putsflush(buffer_2,"fork failed!\n"); exit(1);

case 0: /* child */

handle(asock,asock);

exit(0); /* not reached */

default:

close(asock);

}

}

#else

{

int one=1;

setsockopt(1,IPPROTO_TCP,TCP_NODELAY,&one,sizeof(one));

}

handle(0,1);

#endif

return 0;

}

/* vim:tw=90:

*/

Author

Title

Language

Your paste - Paste your paste here

#define _FILE_OFFSET_BITS 64
#include &lt;unistd.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &quot;str.h&quot;
#include &quot;case.h&quot;
#include &quot;byte.h&quot;
#include &quot;buffer.h&quot;
#include &quot;ldap.h&quot;
#include &quot;mduptab.h&quot;
#include &quot;ldif.h&quot;
#include &quot;open.h&quot;
#include &quot;mmap.h&quot;
#include &quot;uint32.h&quot;
#include &quot;auth.h&quot;
#include &quot;bstr.h&quot;
#ifdef STANDALONE
#include &quot;socket.h&quot;
#include &quot;ip6.h&quot;
#ifdef __FreeBSD__
#include &lt;sys/types.h&gt;
#include &lt;sys/wait.h&gt;
#else
#include &lt;wait.h&gt;
#endif
#endif
#include &quot;case.h&quot;
#include &lt;signal.h&gt;
#include &quot;uint16.h&quot;
#include &quot;acl.h&quot;
#include &lt;ctype.h&gt;
#include &lt;assert.h&gt;
#include &lt;fcntl.h&gt;
#include &quot;errmsg.h&quot;
#include &quot;textcode.h&quot;
#include &quot;fmt.h&quot;
#include &lt;sys/socket.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;netinet/tcp.h&gt;

#ifdef DEBUG
#include &lt;sys/poll.h&gt;
#define verbose 1
#define debug 1
#else
#define verbose 0
#define debug 0
#endif

#define HUGE_SIZE_FOR_SANITY_CHECKS 1024*1024

/* basic operation: the whole data file is mmapped read-only at the beginning and stays there. */
char* map;	/* where the file is mapped */
size_t filelen;	/* how many bytes are mapped (the whole file) */
uint32 magic,attribute_count,record_count,indices_offset,size_of_string_table;
		/* these are the first values from the file, see the file &quot;FORMAT&quot;
		 * basic counts and offsets needed to calculate the positions of
		 * the data structures in the file. */

/* We do queries with indexes by evaluating all the filters (subexpressions) that can be
 * answered with an index, and then getting a bit vector, one bit for each record. */

/* how many longs are needed to have one bit for each record? */
uint32 record_set_length;

/* some pre-looked-up attribute offsets to speed up ldap_match_mapped */
uint32 dn_ofs,objectClass_ofs,userPassword_ofs,any_ofs;

/* journal hash structures */
struct attribute2 {
  unsigned char* a,* v;
};

/* we have chained hashing (that's what next is for), but we also have a linear list of
 * all the entries in the journal (that's what linear is for), so we can traverse the
 * entries in the same order they were put in the journal */
struct hashnode {
  struct hashnode* next,* linear;
  unsigned long hashval;
  unsigned char* dn;
  size_t n;
  int overwrite;
  struct attribute2 a[1];
};

/* to avoid string compares, we don't work with char* but with uint32 (offsets within
 * the mmapped file) whenever it's about values that will be mentioned in the file, such
 * as attribute names.  So, for each filter we get sent, we look up the attributes in the
 * file, so we have the offsets to save the strcmp later.
 * In the same step, we also get the attribute flags.  tinyldap does not have LDAP
 * schemas, so it does not know which attributes are case sensitive and which aren't.  So,
 * this is saved in a flag, which is currently set by addindex when a case insensitive
 * index is created. */

/* This routine is called when we got a Filter and now want to look up the offsets for
 * each attribute mentioned in it */

/* recursively fill in attrofs and attrflag */
static void fixup(struct Filter* f) {
  if (!f) return;
  switch (f-&gt;type) {
  case EQUAL:
  case SUBSTRING:
  case GREATEQUAL:
  case LESSEQUAL:
  case PRESENT:
  case APPROX:
    {
      char* x=map+5*4+size_of_string_table;
      size_t i;
      f-&gt;attrofs=f-&gt;attrflag=0;
      for (i=0; i&lt;attribute_count; ++i) {
	uint32 j=uint32_read(x);
	if (!matchcasestring(&amp;f-&gt;ava.desc,map+j)) {
	  f-&gt;attrofs=j;
	  uint32_unpack(x+attribute_count*4,&amp;f-&gt;attrflag);
	  break;
	}
	x+=4;
      }
      if (!f-&gt;attrofs) {
	buffer_puts(buffer_2,&quot;cannot find attribute \&quot;&quot;);
	buffer_put(buffer_2,f-&gt;ava.desc.s,f-&gt;ava.desc.l);
	buffer_putsflush(buffer_2,&quot;\&quot;!\n&quot;);
      }
    }
  case AND:
  case OR:
  case NOT:
    if (f-&gt;x) fixup(f-&gt;x);
  default:
    break;
  }
  if (f-&gt;next) fixup(f-&gt;next);
}

static void fixupadl(struct AttributeDescriptionList* a) {
  while (a) {
    char* x=map+5*4+size_of_string_table;
    size_t i;
    a-&gt;attrofs=0;
    for (i=0; i&lt;attribute_count; ++i) {
      uint32 j=uint32_read(x);
      if (!matchcasestring(&amp;a-&gt;a,map+j)) {
	a-&gt;attrofs=j;
	break;
      }
      x+=4;
    }
    if (!a-&gt;attrofs) {
      buffer_puts(buffer_2,&quot;cannot find attribute \&quot;&quot;);
      buffer_put(buffer_2,a-&gt;a.s,a-&gt;a.l);
      buffer_putsflush(buffer_2,&quot;\&quot;!\n&quot;);
    }
    a=a-&gt;next;
  }
}

/*
            _                                    _
  __ _  ___| |  ___ _   _ _ __  _ __   ___  _ __| |_
 / _` |/ __| | / __| | | | '_ \| '_ \ / _ \| '__| __|
| (_| | (__| | \__ \ |_| | |_) | |_) | (_) | |  | |_
 \__,_|\___|_| |___/\__,_| .__/| .__/ \___/|_|   \__|
                         |_|   |_|
*/

uint32 filters,acls;		/* number of filters and acls in the ACL section of the data file */
uint32 filtertab,acltab;	/* offsets of the filter and acl table in the data file */
char* acl_ec_subjects;		/* if the n'th byte here is nonzero, then the current subject
				   (the dn the user is logged in as) matches the n'th filter, i.e.
				   the ACLs with this subject need to be applied. */
struct Filter** Filters;
char Self[]=&quot;self&quot;;
char Any[]=&quot;*&quot;;
uint32 authenticated_as;
char* authenticated_as_str;

struct acl {
  uint32 subject,object;	/* index of filter for subject,object */
  uint16 may,maynot;
  uint32 attrs;
  uint32 Attrs[1];
};

struct acl** Acls;

static void load_acls() {
  struct acl** oldAcls=Acls;
  size_t oldacls=acls;
  uint32 ofs;
  uint32 acl_ofs;
  acl_ofs=0;
  for (ofs=indices_offset+record_count*4; ofs&lt;filelen;) {
    uint32 index_type,next;
    uint32_unpack(map+ofs,&amp;index_type);
    uint32_unpack(map+ofs+4,&amp;next);
    if (index_type==2) { acl_ofs=ofs; break; }
    if (next&lt;ofs || next&gt;filelen) {
kaputt:
      buffer_putsflush(buffer_1,&quot;broken data file!\n&quot;);
      exit(1);
    }
    ofs=next;
  }
  filters=acls=0; acl_ec_subjects=0;
  if (acl_ofs) {
    uint32 i;
    ofs=acl_ofs+8;
    filters=uint32_read(map+ofs);
    acl_ec_subjects=malloc(2*filters);
    filtertab=ofs+4;
    ofs=filtertab+filters*4;
    if (ofs&lt;filtertab) goto kaputt;
    Filters=malloc(sizeof(Filters[0])*filters);
    if (!Filters) goto kaputt;
    for (i=0; i&lt;filters; ++i) {
      struct Filter* f;
      ofs=uint32_read(map+filtertab+i*4);
      if (ofs&lt;filtertab || ofs&gt;filelen) goto kaputt;
      if (byte_equal(map+ofs,4,&quot;self&quot;))
	f=(struct Filter*)Self;
      else if (byte_equal(map+ofs,2,&quot;*&quot;))
	f=(struct Filter*)Any;
      else if (scan_ldapsearchfilter(map+ofs,map+filelen,&amp;f)!=0) {
	fixup(f);
	if (debug) {
	  size_t l=fmt_ldapsearchfilterstring(0,f);
	  char* buf=malloc(l+23);
	  if (!buf) goto kaputt;
	  buf[fmt_ldapsearchfilterstring(buf,f)]=0;
	  free(buf);
	}
      } else goto kaputt;
      Filters[i]=f;
    }
    ofs=uint32_read(map+filtertab+filters*4);
    if (ofs&lt;filtertab || ofs&gt;filelen-4) goto kaputt;
    acls=uint32_read(map+ofs);
    acltab=ofs+4;
    Acls=malloc(sizeof(Acls[0])*acls);
    if (!Acls) goto kaputt;
    for (i=0; i&lt;acls; ++i) {
      uint32 j;
      uint32 tmp,cnt;
      ofs=uint32_read(map+acltab+i*4);
      if (ofs&gt;filelen-16) goto kaputt;
      cnt=0;
      for (tmp=ofs+12; tmp&lt;filelen; tmp+=4) {
	uint32 j=uint32_read(map+tmp);
	if (j&gt;tmp) goto kaputt;
	if (!j) break;
	++cnt;
      }
      Acls[i]=malloc(sizeof(struct acl)+cnt*sizeof(uint32));
      if (!Acls[i]) goto kaputt;
      Acls[i]-&gt;subject=uint32_read(map+ofs);
      Acls[i]-&gt;object=uint32_read(map+ofs+4);
      Acls[i]-&gt;may=uint16_read(map+ofs+8);
      Acls[i]-&gt;maynot=uint16_read(map+ofs+10);
      Acls[i]-&gt;attrs=cnt;

tmp=ofs+12;
      for (j=0; j&lt;cnt; ++j) {
	uint32 x;
	Acls[i]-&gt;Attrs[j]=x=uint32_read(map+tmp+4*j);
	if (any_ofs==0 &amp;&amp; map[x]=='*' &amp;&amp; map[x+1]==0) any_ofs=x;
      }
    }
  }
  if (acls) {
    uint32 i;
    for (i=0; i&lt;filters; ++i)
      acl_ec_subjects[i]=(Filters[i]==(struct Filter*)Any);
  }
  if (oldAcls) {
    size_t i;
    for (i=0; i&lt;oldacls; ++i)
      free(oldAcls[i]);
    free(oldAcls);
  }
}

/* End of ACL code */

static const char* datafilename;
static struct stat ss_data;
static struct stat ss_journal;

void map_datafile(const char* filename) {
  map=mmap_read(datafilename=filename,&amp;filelen);
  stat(datafilename,&amp;ss_data);
  if (!map) {
    buffer_putsflush(buffer_2,&quot;could not open data!\n&quot;);
    exit(1);
  }
  uint32_unpack(map,&amp;magic);
  uint32_unpack(map+4,&amp;attribute_count);
  uint32_unpack(map+2*4,&amp;record_count);
  uint32_unpack(map+3*4,&amp;indices_offset);
  uint32_unpack(map+4*4,&amp;size_of_string_table);
  record_set_length=(record_count+sizeof(unsigned long)*8-1) / (sizeof(long)*8);

/* look up &quot;dn&quot; and &quot;objectClass&quot; */
  {
    char* x=map+5*4+size_of_string_table;
    size_t i;
    dn_ofs=objectClass_ofs=userPassword_ofs=any_ofs=0;
    for (i=0; i&lt;attribute_count; ++i) {
      uint32 j;
      j=uint32_read(x);
      if (case_equals(&quot;dn&quot;,map+j))
	dn_ofs=j;
      else if (case_equals(&quot;objectClass&quot;,map+j))
	objectClass_ofs=j;
      else if (case_equals(&quot;userPassword&quot;,map+j))
	userPassword_ofs=j;
      x+=4;
    }
    if (!dn_ofs || !objectClass_ofs) {
      buffer_putsflush(buffer_2,&quot;can't happen error: dn or objectClass not there?!\n&quot;);
      exit(0);
    }
  }
  load_acls();
}

/*
     _      _                                 _
  __| | ___| |__  _   _  __ _    ___ ___   __| | ___
 / _` |/ _ \ '_ \| | | |/ _` |  / __/ _ \ / _` |/ _ \
| (_| |  __/ |_) | |_| | (_| | | (_| (_) | (_| |  __/
 \__,_|\___|_.__/ \__,_|\__, |  \___\___/ \__,_|\___|
                        |___/
*/

#define BUFSIZE 8192

#if (debug != 0)
/* debugging support functions, adapted from t2.c */
static void printava(struct AttributeValueAssertion* a,const char* rel) {
  buffer_puts(buffer_2,&quot;[&quot;);
  buffer_put(buffer_2,a-&gt;desc.s,a-&gt;desc.l);
  buffer_puts(buffer_2,&quot; &quot;);
  buffer_puts(buffer_2,rel);
  buffer_puts(buffer_2,&quot; &quot;);
  buffer_put(buffer_2,a-&gt;value.s,a-&gt;value.l);
  buffer_puts(buffer_2,&quot;]&quot;);
}

static void printal(struct AttributeDescriptionList* a) {
  while (a) {
    buffer_put(buffer_2,a-&gt;a.s,a-&gt;a.l);
    a=a-&gt;next;
    if (a) buffer_puts(buffer_2,&quot;,&quot;);
  }
  if (a) buffer_puts(buffer_2,&quot;\n&quot;);
}

static void printfilter(struct Filter* f) {
  switch (f-&gt;type) {
  case AND:
    buffer_puts(buffer_2,&quot;&amp;(&quot;);
mergesub:
    printfilter(f-&gt;x);
    buffer_puts(buffer_2,&quot;)\n&quot;);
    break;
  case OR:
    buffer_puts(buffer_2,&quot;|(&quot;);
    goto mergesub;
    break;
  case NOT:
    buffer_puts(buffer_2,&quot;!(&quot;);
    goto mergesub;
  case EQUAL:
    printava(&amp;f-&gt;ava,&quot;==&quot;);
    break;
  case SUBSTRING:
    {
      struct Substring* s=f-&gt;substrings;
      int first=1;
      buffer_put(buffer_2,f-&gt;ava.desc.s,f-&gt;ava.desc.l);
      buffer_puts(buffer_2,&quot; has &quot;);
      while (s) {
	if (!first) buffer_puts(buffer_2,&quot; and &quot;); first=0;
	switch(s-&gt;substrtype) {
	case prefix: buffer_puts(buffer_2,&quot;prefix \&quot;&quot;); break;
	case any: buffer_puts(buffer_2,&quot;substr \&quot;&quot;); break;
	case suffix: buffer_puts(buffer_2,&quot;suffix \&quot;&quot;); break;
	}
	buffer_put(buffer_2,s-&gt;s.s,s-&gt;s.l);
	buffer_puts(buffer_2,&quot;\&quot;&quot;);
	s=s-&gt;next;
      }
    }
    break;
  case GREATEQUAL:
    printava(&amp;f-&gt;ava,&quot;&gt;=&quot;);
    break;
  case LESSEQUAL:
    printava(&amp;f-&gt;ava,&quot;&lt;=&quot;);
    break;
  case PRESENT:
    printava(&amp;f-&gt;ava,&quot;\\exist&quot;);
    break;
  case APPROX:
    printava(&amp;f-&gt;ava,&quot;\\approx&quot;);
    break;
  case EXTENSIBLE:
    buffer_puts(buffer_2,&quot;[extensible]&quot;);
    break;
  }
  if (f-&gt;next) {
    buffer_puts(buffer_2,&quot;,&quot;);
    printfilter(f-&gt;next);
  }
  buffer_flush(buffer_2);
}
#endif

/*
 _           _                           _
(_)_ __   __| | _____  __   ___ ___   __| | ___
| | '_ \ / _` |/ _ \ \/ /  / __/ _ \ / _` |/ _ \
| | | | | (_| |  __/&gt;  &lt;  | (_| (_) | (_| |  __/
|_|_| |_|\__,_|\___/_/\_\  \___\___/ \__,_|\___|
*/

/* find out whether this filter can be accelerated with the indices */
static int indexable(struct Filter* f) {
  struct Filter* y=f-&gt;x;
  if (!f) return 0;
  switch (f-&gt;type) {
  case AND:
    while (y) {
      if (indexable(y)) return 1;
      y=y-&gt;next;
    }
    return 0;
  case OR:
    while (y) {
      if (!indexable(y)) return 0;
      y=y-&gt;next;
    }
    /* fall through */
  case PRESENT:
    return 1;
#if 0
  /* doesn't make much sense to try to speed up negated queries */
  case NOT:
    return indexable(y);
#endif
  case SUBSTRING:
    if (f-&gt;substrings-&gt;substrtype!=prefix) return 0;
    /* fall through */
  case EQUAL:
  case LESSEQUAL:
  case GREATEQUAL:
    {
      uint32 ofs;
      for (ofs=indices_offset+record_count*4; ofs&lt;filelen;) {
	uint32 index_type,next,indexed_attribute;
	index_type=uint32_read(map+ofs);
	next=uint32_read(map+ofs+4);
	indexed_attribute=uint32_read(map+ofs+8);
	if (index_type&lt;=1 || (index_type==3 &amp;&amp; f-&gt;type==EQUAL))
	  if (!matchstring(&amp;f-&gt;ava.desc,map+indexed_attribute))
	    return 1;
	ofs=next;
      }
    }
    /* fall through */
  default:
    return 0;
  }
}

/* each record can have more than one attribute with the same name, i.e.  two email
 * addresses.  Thus, the index can't just be a sorted list of pointers the records
 * (because a record with two email addresses needs to be in the index twice, once for
 * each email address).  So our index is a sorted list of pointers to the attributes.
 * Thus, a look-up in the index does not yield the record but the attribute.  We need to
 * be able to find the record for a given attribute.  To do that, we exploit the fact that
 * the strings in the string table are in the same order as the records, so we can do a
 * binary search over the record table to find the record with the attribute.  This does
 * not work for objectClass, because the classes are stored in a different string table to
 * remove duplicates. */

/* Yes, this is an evil kludge to keep index size small.  However, it turned out that it
 * also dominated lookup time for a relatively minor index size reduction.  So index type
 * 1 was added (flag f to addindex), which does not need this.  The benefit is so big that
 * tinyldap will drop support for type 0 indices sooner or later.  Type 1 indexes are
 * twice as large, and save the record number besides each index entry. */

/* find record given a data pointer */
static long findrec(uint32 dat) {
  uint32* records=(uint32*)(map+indices_offset);
  uint32 bottom=0;
  uint32 top=record_count-1;

while ((top&gt;=bottom)) {
    uint32 mid=(top+bottom)/2;
    uint32 l;

l=uint32_read(map+uint32_read((char*)(&amp;records[mid]))+8);
    if (l&lt;=dat) {
      if (mid&gt;=record_count-1)
	l=uint32_read(map+uint32_read((char*)(&amp;records[0]))+12);
      else
	l=uint32_read(map+uint32_read((char*)(&amp;records[mid+1]))+8);
      if (l&gt;dat) {
	return mid;	/* found! */
      }
      bottom=mid+1;
    } else
      if (mid)
	top=mid-1;
      else
	break;
  }
  buffer_putsflush(buffer_2,&quot;findrec failed!\n&quot;);
  return -1;
}

#define RANGECHECK 1

struct bitfield {
  unsigned long* bits;
#ifdef RANGECHECK
  size_t n;
#endif
  size_t first,last;
};

/* basic bit-set support: set all bits to 0 */
static inline void emptyset(struct bitfield* b) {
  size_t i;
#ifdef RANGECHECK
  b-&gt;n=
#endif
    b-&gt;first=record_count;
  b-&gt;last=0;
  for (i=0; i&lt;record_set_length; ++i) b-&gt;bits[i]=0;
}

/* basic bit-set support: set all bits to 1 */
static inline void fillset(struct bitfield* b) {
  size_t i;
  b-&gt;first=0;
#ifdef RANGECHECK
  b-&gt;n=
#endif
  b-&gt;last=record_count;
  for (i=0; i&lt;record_set_length; ++i) b-&gt;bits[i]=(unsigned long)-1;
}

/* basic bit-set support: set one bit to 1 */
static inline void setbit(struct bitfield* b,size_t bit) {
#ifdef RANGECHECK
  if (bit&lt;=b-&gt;n) {
#endif
    if (bit&lt;b-&gt;first) b-&gt;first=bit;
    if (bit&gt;b-&gt;last) b-&gt;last=bit;
    b-&gt;bits[bit/(8*sizeof(long))] |= (1&lt;&lt;(bit&amp;(8*sizeof(long)-1)));
#ifdef RANGECHECK
  }
#endif
}

/* basic bit-set support: see if given bit is set */
static inline int isset(struct bitfield* b,size_t bit) {
#ifdef RANGECHECK
  if (bit&gt;b-&gt;n) return 0;
#endif
  return b-&gt;bits[bit/(8*sizeof(long))] &amp; (1&lt;&lt;(bit&amp;(8*sizeof(long)-1)));
}

/* use index (sorted table of offsets to records) to do a binary search
 * for all records that match the value in s.  Set the corresponding
 * bits to 1 in bitfield. */
static void tagmatches(uint32* index,size_t elements,struct string* s,
		       struct bitfield* b,int (*match)(struct string* s,const char* c),
		       uint32 index_type,enum FilterType ft) {
  uint32 bottom=0;
  uint32 top=elements;
  uint32 mid,k,m;
  long rec;
  rec=0;
  emptyset(b);

while ((top&gt;=bottom)) {
    int l;

mid=(top+bottom)/2;
    k=uint32_read((char*)(&amp;index[mid]));
#ifdef DEBUG
    buffer_puts(buffer_2,&quot;match[&quot;);
    buffer_putulong(buffer_2,bottom);
    buffer_puts(buffer_2,&quot;..&quot;);
    buffer_putulong(buffer_2,top);
    buffer_puts(buffer_2,&quot;]: &quot;);
    buffer_put(buffer_2,s-&gt;s,s-&gt;l);
    buffer_puts(buffer_2,&quot; &lt;-&gt; &quot;);
    buffer_puts(buffer_2,map+k);
    buffer_putsflush(buffer_2,&quot;: &quot;);
#endif
    if ((l=match(s,map+k))==0) {
      /* match! */
#ifdef DEBUG
      buffer_putsflush(buffer_2,&quot;MATCH!\n&quot;);
#endif
      if (index_type==0)
	rec=findrec(k);
      else if (index_type==1)
	rec=uint32_read((char*)(&amp;index[mid+elements]));
      else {
	buffer_puts(buffer_2,&quot;unsupported index type &quot;);
	buffer_putulong(buffer_2,index_type);
	buffer_puts(buffer_2,&quot; in tagmatches!\n&quot;);
	return;
      }
      if (rec&gt;=0)
	setbit(b,rec);
      /* there may be multiple matches.
	* Look before and after mid, too */
      if (mid)	/* thx Andreas Stührk */
	for (k=mid-1; k&gt;0; --k) {
	  m=uint32_read((char*)(&amp;index[k]));
	  if ((ft==LESSEQUAL) || (l=match(s,map+m))==0) {
	    if (index_type==0)
	      rec=findrec(m);
	    else if (index_type==1)
	      rec=uint32_read((char*)(&amp;index[k+elements]));
	    if (rec&gt;=0)
	      setbit(b,rec);
	  } else break;
	}
      for (k=mid+1; k&lt;elements; ++k) {
	m=uint32_read((char*)(&amp;index[k]));
	if ((ft==GREATEQUAL) || (l=match(s,map+m))==0) {
	  if (index_type==0)
	    rec=findrec(m);
	  else if (index_type==1)
	    rec=uint32_read((char*)(&amp;index[k+elements]));
	  if (rec&gt;=0)
	    setbit(b,rec);
	} else break;
      }
      return;
    }

if (l&lt;0) {
#ifdef DEBUG
      buffer_putsflush(buffer_2,&quot;smaller!\n&quot;);
#endif
      if (mid)
	top=mid-1;
      else
	break;	/* since our offsets are unsigned, we need to avoid the -1 case */
    } else
#ifdef DEBUG
      buffer_putsflush(buffer_2,&quot;larger!\n&quot;),
#endif
      bottom=mid+1;
  }
  /* not found; we can still have matches if type==LESSEQUAL or
   * type==GREATEQUAL */
  if (ft==GREATEQUAL) {
    for (k=mid; k&lt;elements; ++k) {
      m=uint32_read((char*)(&amp;index[k]));
      if (index_type==0)
	rec=findrec(m);
      else if (index_type==1)
	rec=uint32_read((char*)(&amp;index[k+elements]));
      if (rec&gt;=0)
	setbit(b,rec);
    }
  } else if (ft==LESSEQUAL) {
    for (k=0; k&lt;=mid; ++k) {
      m=uint32_read((char*)(&amp;index[k]));
      if (index_type==0)
	rec=findrec(m);
      else if (index_type==1)
	rec=uint32_read((char*)(&amp;index[k+elements]));
      if (rec&gt;=0)
	setbit(b,rec);
    }
  }
}

static uint32 hash(const unsigned char* c,size_t keylen) {
  size_t h=0,i;
  for (i=0; i&lt;keylen; ++i) {
    /* from djb's cdb */
    h += (h&lt;&lt;5);
    h ^= c[i];
  }
  return (uint32)h;
}

static uint32 hash_tolower(const unsigned char* c,size_t keylen) {
  size_t h=0,i;
  for (i=0; i&lt;keylen; ++i) {
    /* from djb's cdb */
    h += (h&lt;&lt;5);
    h ^= tolower(c[i]);
  }
  return (uint32)h;
}

/* Use the indices to answer a query with the given filter.
 * For all matching records, set the corresponding bit to 1 in bitfield.
 * Note that this match can be approximate.  Before answering, the
 * matches are verified with ldap_match_mapped, so the index can also
 * be used if it only helps eliminate some of the possible matches (for
 * example an AND query where only one of the involved attributes has an
 * index). */
static int useindex(struct Filter* f,struct bitfield* b) {
  struct Filter* y=f-&gt;x;
  if (!f) return 1;

if (f-&gt;type==EQUAL) {		/* prefer a hash index if there is one */
    uint32 ofs;
    for (ofs=indices_offset+record_count*4; ofs&lt;filelen;) {
      uint32 index_type,next,indexed_attribute;
      index_type=uint32_read(map+ofs);
      next=uint32_read(map+ofs+4);
      indexed_attribute=uint32_read(map+ofs+8);
      if (index_type==3)
	if (!matchstring(&amp;f-&gt;ava.desc,map+indexed_attribute)) {
	  uint32 hashtabsize=uint32_read(map+ofs+12);
	  uint32 hashtab=ofs+16;
	  uint32 hashval=f-&gt;attrflag&amp;1?hash_tolower((unsigned char*)f-&gt;ava.value.s,f-&gt;ava.value.l):hash((unsigned char*)f-&gt;ava.value.s,f-&gt;ava.value.l);
	  uint32 hashofs=uint32_read(map+hashtab+(hashval%hashtabsize)*4);
	  if (hashofs==0) return 1;
	  if (hashofs&lt;ofs)
	    /* direct hit */
	    setbit(b,hashofs);
	  else {
	    uint32 n=uint32_read(map+hashofs);
	    hashofs+=4;
	    while (n) {
	      setbit(b,uint32_read(map+hashofs));
	      hashofs+=4;
	      --n;
	    }
	  }
	  return 1;
	}
      ofs=next;
    }
  }

switch (f-&gt;type) {
  case AND:
    {
      struct bitfield tmp;
      int ok=0;
      tmp.bits=alloca(record_set_length*sizeof(unsigned long));
      if (y) {
	useindex(y,b);
	y=y-&gt;next;
      } else
	fillset(b);
      while (y) {
	if (useindex(y,&amp;tmp)) {
	  size_t i;
	  for (i=0; i&lt;record_set_length; ++i)
	    b-&gt;bits[i] &amp;= tmp.bits[i];
	  if (tmp.first&gt;b-&gt;first) b-&gt;first=tmp.first;
	  if (tmp.last&lt;b-&gt;last) b-&gt;last=tmp.last;
	  ok=1;
	}
	y=y-&gt;next;
      }
      return ok;
    }
  case OR:
    {
      struct bitfield tmp;
      int ok=1;
      tmp.bits=alloca(record_set_length*sizeof(unsigned long));
      if (y) {
	useindex(y,b);
	y=y-&gt;next;
      } else
	emptyset(b);
      while (y) {
	if (useindex(y,&amp;tmp)) {
	  size_t i;
	  for (i=0; i&lt;record_set_length; ++i)
	    b-&gt;bits[i] |= tmp.bits[i];
	  if (tmp.first&lt;b-&gt;first) b-&gt;first=tmp.first;
	  if (tmp.last&gt;b-&gt;last) b-&gt;last=tmp.last;
	} else
	  ok=0;
	y=y-&gt;next;
      }
      return ok;
    }
#if 0
  /* doesn't make much sense to try to speed up negated queries */
  case NOT:
    return indexable(y);
#endif
  case SUBSTRING:
    if (f-&gt;substrings-&gt;substrtype!=prefix) return 0;
    {
      uint32 ofs;
      for (ofs=indices_offset+record_count*4; ofs&lt;filelen;) {
	uint32 index_type,next,indexed_attribute;
	index_type=uint32_read(map+ofs);
	next=uint32_read(map+ofs+4);
	indexed_attribute=uint32_read(map+ofs+8);
	if (index_type&lt;=1)
	  if (!matchstring(&amp;f-&gt;ava.desc,map+indexed_attribute)) {
	    tagmatches((uint32*)(map+ofs+12),(next-ofs-12)/(4&lt;&lt;index_type),&amp;f-&gt;substrings-&gt;s,b,
		       f-&gt;attrflag&amp;1?matchcaseprefix:matchprefix,index_type,f-&gt;type);
	    return 1;
	  }
	ofs=next;
      }
    }
    return 0;
  case PRESENT:
    {
      /* now this is not exactly using an index, but a linear search
       * through the record table, but since each check is very cheap,
       * we pretend it's indexed */
      char* x=map+5*4+size_of_string_table+attribute_count*8;
      size_t i;
      emptyset(b);
      for (i=0; i&lt;record_count; ++i) {
	if (ldap_match_present(x-map,f-&gt;attrofs))
	  setbit(b,i);
	x+=uint32_read(x)*8;
      }
      return 1;
    }
  case LESSEQUAL:
  case GREATEQUAL:
  case EQUAL:
    {
      uint32 ofs;
      for (ofs=indices_offset+record_count*4; ofs&lt;filelen;) {
	uint32 index_type,next,indexed_attribute;
	index_type=uint32_read(map+ofs);
	next=uint32_read(map+ofs+4);
	indexed_attribute=uint32_read(map+ofs+8);
	if (index_type&lt;=1)
	  if (!matchstring(&amp;f-&gt;ava.desc,map+indexed_attribute)) {
	    tagmatches((uint32*)(map+ofs+12),(next-ofs-12)/(4&lt;&lt;index_type),&amp;f-&gt;ava.value,b,
		       f-&gt;attrflag&amp;1?matchcasestring:matchstring,index_type,f-&gt;type);
	    return 1;
	  }
	ofs=next;
      }
    }
    /* fall through */
  default:
    return 0;
  }
}

/*
                                                                 _
  __ _ _   _  ___ _ __ _   _    __ _ _ __  _____      _____ _ __(_)_ __   __ _
 / _` | | | |/ _ \ '__| | | |  / _` | '_ \/ __\ \ /\ / / _ \ '__| | '_ \ / _` |
| (_| | |_| |  __/ |  | |_| | | (_| | | | \__ \\ V  V /  __/ |  | | | | | (_| |
 \__, |\__,_|\___|_|   \__, |  \__,_|_| |_|___/ \_/\_/ \___|_|  |_|_| |_|\__, |
    |_|                |___/                                             |___/
*/

static int checkacl(uint32 recofs,uint32 attrofs,unsigned long operation,struct SearchResultEntry* sre) {
  uint32 j;
  for (j=0; j&lt;acls; ++j) {
    /* does the ACL subject apply? */
    if (!acl_ec_subjects[Acls[j]-&gt;subject]) continue;
    /* does the ACL even apply to the wanted operation? */
    if ((Acls[j]-&gt;may | Acls[j]-&gt;maynot) &amp; operation) {
      uint32 k;
      if (acl_ec_subjects[filters+Acls[j]-&gt;object]==-1) continue;
      if (acl_ec_subjects[filters+Acls[j]-&gt;object]==0) {
	int match=0;
	if (Filters[Acls[j]-&gt;object]==(struct Filter*)Any)
	  match=1;
	else if (Filters[Acls[j]-&gt;object]==(struct Filter*)Self) {
	  if (authenticated_as==0 &amp;&amp; authenticated_as_str)
	    match=!strcmp(map+uint32_read(map+recofs+8),authenticated_as_str);
	  else
	    match=(recofs==authenticated_as);
	} else if (recofs)
	  match=ldap_matchfilter_mapped(recofs,Filters[Acls[j]-&gt;object]);
	else if (sre)
	  match=ldap_matchfilter_sre(sre,Filters[Acls[j]-&gt;object]);
	else
	  match=-1;
	if (match)
	  acl_ec_subjects[filters+Acls[j]-&gt;object]=1;
	else {
	  acl_ec_subjects[filters+Acls[j]-&gt;object]=-1;
	  continue;
	}
      }
      for (k=0; k&lt;Acls[j]-&gt;attrs; ++k) {
	if (Acls[j]-&gt;Attrs[k]==any_ofs || attrofs==Acls[j]-&gt;Attrs[k]) {
	  if (Acls[j]-&gt;may&amp;operation)
	    return 1;
	  else
	    return -1;
	  break;
	}
      }
    }
  }
  return 0;
}

static int ldap_matchfilter_hn(struct hashnode* hn,struct Filter* f);

static int checkacl_hn(struct hashnode* hn,const unsigned char* attr,unsigned long operation) {
  uint32 j;
  for (j=0; j&lt;acls; ++j) {
    /* does the ACL subject apply? */
    if (!acl_ec_subjects[Acls[j]-&gt;subject]) continue;
    /* does the ACL even apply to the wanted operation? */
    if ((Acls[j]-&gt;may | Acls[j]-&gt;maynot) &amp; operation) {
      uint32 k;
      if (acl_ec_subjects[filters+Acls[j]-&gt;object]==-1) continue;
      if (acl_ec_subjects[filters+Acls[j]-&gt;object]==0) {
	int match=0;
	if (Filters[Acls[j]-&gt;object]==(struct Filter*)Any)
	  match=1;
	else if (Filters[Acls[j]-&gt;object]==(struct Filter*)Self)
	  match=dn &amp;&amp; !strcmp((char*)hn-&gt;dn,authenticated_as_str);
	else if (dn)
	  match=ldap_matchfilter_hn(hn,Filters[Acls[j]-&gt;object]);
	else
	  match=-1;
	if (match)
	  acl_ec_subjects[filters+Acls[j]-&gt;object]=1;
	else {
	  acl_ec_subjects[filters+Acls[j]-&gt;object]=-1;
	  continue;
	}
      }
      for (k=0; k&lt;Acls[j]-&gt;attrs; ++k) {
/*	    if (Acls[j]-&gt;Attrs[k]==any_ofs || !matchstring(&amp;adl-&gt;a,map+Acls[j]-&gt;Attrs[k])) { */
	if (Acls[j]-&gt;Attrs[k]==any_ofs || bstr_equal((char*)attr,map+Acls[j]-&gt;Attrs[k])) {
	  if (Acls[j]-&gt;may&amp;operation)
	    return 1;
	  else
	    return -1;
	  break;
	}
      }
    }
  }
  return 0;
}

static struct hashnode** dn_in_journal(unsigned char* dn);

static void answerwith_hn(struct hashnode* hn,struct SearchRequest* sr,long messageid,int out);

/* this routine is called for each record matched the query.  It basically puts together
 * an answer LDAP message from the record and the list of attributes the other side said
 * it wanted to have. */
static void answerwith(uint32 ofs,struct SearchRequest* sr,long messageid,int out) {
  struct SearchResultEntry sre;
  struct PartialAttributeList** pal=&amp;sre.attributes;
  struct hashnode** hn;

if ((hn=dn_in_journal((unsigned char*)map+uint32_read(map+ofs+8))) &amp;&amp; *hn) {
    (*hn)-&gt;overwrite=1;
    answerwith_hn(*hn,sr,messageid,out);
    return;
  }

#if (debug != 0)
  if (debug) {
    char* x=map+ofs;
    uint32 j;
    buffer_putulong(buffer_2,j=uint32_read(x));
    buffer_puts(buffer_2,&quot; attributes:\n&quot;);
    x+=8;
    buffer_puts(buffer_2,&quot;  dn: &quot;);
    buffer_puts(buffer_2,map+uint32_read(x));
    buffer_puts(buffer_2,&quot;\n  objectClass: &quot;);
    x+=4;
    buffer_puts(buffer_2,map+uint32_read(x));
    buffer_puts(buffer_2,&quot;\n&quot;);
    x+=4;
    for (; j&gt;2; --j) {
      buffer_puts(buffer_2,&quot;  &quot;);
      buffer_puts(buffer_2,map+uint32_read(x));
      buffer_puts(buffer_2,&quot;: &quot;);
      buffer_puts(buffer_2,map+uint32_read(x+4));
      buffer_puts(buffer_2,&quot;\n&quot;);
      x+=8;
    }
    buffer_flush(buffer_2);
  }
#endif

if (acls)
    byte_zero(acl_ec_subjects+filters,filters);

if (acls &amp;&amp; checkacl(ofs,dn_ofs,acl_read,0)!=1) return;

sre.objectName.l=bstrlen(sre.objectName.s=map+uint32_read(map+ofs+8));
  sre.attributes=0;

/* now go through list of requested attributes */
  {
    struct AttributeDescriptionList* adl=sr-&gt;attributes;
    if (!adl &amp;&amp; attribute_count&gt;2) {
      /* did not ask for any attributes.  send 'em all. */
      /* to do that, construct a list of all attributes */

uint32 i;
      char* x=map+5*4+size_of_string_table+4;
      if (attribute_count&gt;HUGE_SIZE_FOR_SANITY_CHECKS/sizeof(struct AttributeDescriptionList))
	return;
      adl=alloca((attribute_count)*sizeof(struct AttributeDescriptionList));
      for (i=0; i&lt;attribute_count-1; ++i) {
	uint32 j;
	uint32_unpack(x,&amp;j);
	x+=4;
	adl[i].a.s=map+j;
	adl[i].a.l=str_len(map+j);
	adl[i].attrofs=j;
	adl[i].next=adl+i+1;
      }
      adl[attribute_count-2].next=0;
    }
    while (adl) {
      const char* val=0;
      uint32 i=2,j;

if (!acls || checkacl(ofs,adl-&gt;attrofs,acl_read,0)==1) {
	uint32_unpack(map+ofs,&amp;j);
#if 0
	buffer_puts(buffer_2,&quot;looking for attribute \&quot;&quot;);
	buffer_put(buffer_2,adl-&gt;a.s,adl-&gt;a.l);
	buffer_putsflush(buffer_2,&quot;\&quot;\n&quot;);
#endif
	if (!matchstring(&amp;adl-&gt;a,&quot;dn&quot;)) val=sre.objectName.s; else
	if (!matchstring(&amp;adl-&gt;a,&quot;objectClass&quot;))
	  val=map+uint32_read(map+ofs+12);
	else {
	  for (; i&lt;j; ++i)
/*	    if (!matchstring(&amp;adl-&gt;a,map+uint32_read(map+ofs+i*8))) { */
	    if (adl-&gt;attrofs == uint32_read(map+ofs+i*8)) {
	      val=map+uint32_read(map+ofs+i*8+4);
	      ++i;
	      break;
	    }
	}
	if (val) {
	  *pal=malloc(sizeof(struct PartialAttributeList));
	  if (!*pal) {
nomem:
	    buffer_putsflush(buffer_2,&quot;out of virtual memory!\n&quot;);
	    exit(1);
	  }
	  (*pal)-&gt;type=adl-&gt;a;
	  {
	    struct AttributeDescriptionList** a;
	    a=&amp;(*pal)-&gt;values;
add_attribute:
	    *a=malloc(sizeof(struct AttributeDescriptionList));
	    if (!*a) goto nomem;
	    (*a)-&gt;a.s=bstrfirst(val);
	    (*a)-&gt;a.l=bstrlen(val);
	    for (;i&lt;j; ++i)
/*	      if (!matchstring(&amp;adl-&gt;a,map+uint32_read(map+ofs+i*8))) { */
	      if (adl-&gt;attrofs == uint32_read(map+ofs+i*8)) {
		val=map+uint32_read(map+ofs+i*8+4);
		++i;
		a=&amp;(*a)-&gt;next;
		goto add_attribute;
	      }
	    (*a)-&gt;next=0;
	  }
	  (*pal)-&gt;next=0;
	  pal=&amp;(*pal)-&gt;next;
	}
      }
      adl=adl-&gt;next;
    }
  }
  {
    long l=fmt_ldapsearchresultentry(0,&amp;sre);
    char *buf;
    long tmp;
    if (l&lt;=HUGE_SIZE_FOR_SANITY_CHECKS) {
      buf=alloca(l+300); /* you never know ;) */
      if (verbose) {
	buffer_puts(buffer_2,&quot;sre len &quot;);
	buffer_putulong(buffer_2,l);
	buffer_putsflush(buffer_2,&quot;.\n&quot;);
      }
      tmp=fmt_ldapmessage(buf,messageid,SearchResultEntry,l);
      fmt_ldapsearchresultentry(buf+tmp,&amp;sre);
      write(out,buf,l+tmp);
    }
  }
  free_ldappal(sre.attributes);
}

/*
 _     _       _       _                _   _     _
| |__ (_) __ _| |__   | | _____   _____| | | | __| | __ _ _ __
| '_ \| |/ _` | '_ \  | |/ _ \ \ / / _ \ | | |/ _` |/ _` | '_ \
| | | | | (_| | | | | | |  __/\ V /  __/ | | | (_| | (_| | |_) |
|_| |_|_|\__, |_| |_| |_|\___| \_/ \___|_| |_|\__,_|\__,_| .__/
         |___/                                           |_|
*/

static int copystring(struct string* dest,struct string* src) {
  dest-&gt;s=malloc(src-&gt;l+1);
  if (!dest-&gt;s) return -1;
  byte_copy((char*)dest-&gt;s,src-&gt;l,src-&gt;s);
  dest-&gt;l=src-&gt;l;
  return 0;
}

/* deep copy an attribute description list */
static int copyadl(struct AttributeDescriptionList** dest,struct AttributeDescriptionList* src) {
  *dest=0;
  while (src) {
    if (!(*dest=malloc(sizeof(*src)))) return -1;
    byte_zero(*dest,sizeof(*src));
    if (copystring(&amp;(*dest)-&gt;a,&amp;src-&gt;a)) return -1;
    (*dest)-&gt;attrofs=src-&gt;attrofs;
    dest=&amp;(*dest)-&gt;next;
    src=src-&gt;next;
  }
  return 0;
}

/* semi-deep copy an attribute description list */
static int copyadl2(struct AttributeDescriptionList** dest,struct AttributeDescriptionList* src) {
  *dest=0;
  while (src) {
    if (!(*dest=malloc(sizeof(*src)))) return -1;
    byte_zero(*dest,sizeof(*src));
    (*dest)-&gt;a=src-&gt;a;
    (*dest)-&gt;attrofs=src-&gt;attrofs;
    dest=&amp;(*dest)-&gt;next;
    src=src-&gt;next;
  }
  return 0;
}

#if 0
/* deep copy a partial attribute list */
static int copypal(struct PartialAttributeList** dest,struct PartialAttributeList* src) {
  *dest=0;
  while (src) {
    if (!(*dest=malloc(sizeof(**dest)))) return -1;
    byte_zero(*dest,sizeof(**dest));
    if (copystring(&amp;(*dest)-&gt;type,&amp;src-&gt;type) ||
	copyadl(&amp;(*dest)-&gt;values,src-&gt;values)) return -1;
    dest=&amp;(*dest)-&gt;next;
    src=src-&gt;next;
  }
  return 0;
}
#endif

/* small helper for addreq2sre */
static int ar2sreh1(struct PartialAttributeList** dest,struct Addition* src) {
  *dest=0;
  while (src) {
    if (!(*dest=malloc(sizeof(**dest)))) return -1;
    byte_zero(*dest,sizeof(**dest));
    if (copystring(&amp;(*dest)-&gt;type,&amp;src-&gt;AttributeDescription) ||
	copyadl(&amp;(*dest)-&gt;values,&amp;src-&gt;vals)) return -1;
    dest=&amp;(*dest)-&gt;next;
    src=src-&gt;next;
  }
  return 0;
}

/* convert an AddRequest to a SearchResultEntry */
static int addreq2sre(struct SearchResultEntry* sre,struct AddRequest* ar) {
  byte_zero(sre,sizeof(*sre));
  if (copystring(&amp;sre-&gt;objectName,&amp;ar-&gt;entry) ||
      !(sre-&gt;attributes=malloc(sizeof(*sre-&gt;attributes))) ||
      ar2sreh1(&amp;sre-&gt;attributes,&amp;ar-&gt;a)) {
    free_ldapsearchresultentry(sre);
    return -1;
  }
  return 0;
}

/* small helper for modreq2sre */
static int mr2sreh1(struct PartialAttributeList** dest,struct Modification* src) {
  *dest=0;
  while (src) {
    if (!(*dest=malloc(sizeof(**dest)))) return -1;
    byte_zero(*dest,sizeof(**dest));
    (*dest)-&gt;type=src-&gt;AttributeDescription;
    if (copyadl2(&amp;(*dest)-&gt;values,src-&gt;vals)) return -1;
    dest=&amp;(*dest)-&gt;next;
    src=src-&gt;next;
  }
  return 0;
}

/* We need two versions for the modify request.  The first one just creates a stupid
 * SearchResultEntry out of just the changed attributes, which is then only used for ACL
 * matching.  The second version merges in the existing record to form the modified
 * record.  This is the first version for ACL checking. */
static int modreq2sre(struct SearchResultEntry* sre,struct ModifyRequest* mr) {
  byte_zero(sre,sizeof(*sre));
  sre-&gt;objectName=mr-&gt;object;
  if (!(sre-&gt;attributes=malloc(sizeof(*sre-&gt;attributes))) ||
      mr2sreh1(&amp;sre-&gt;attributes,&amp;mr-&gt;m)) {
    free_ldapsearchresultentry(sre);
    return -1;
  }
  return 0;
}

static int applymodreq(struct hashnode* hn,struct ModifyRequest* mr,struct SearchResultEntry* sre) {
  struct PartialAttributeList** l;
  struct Modification* m;
  size_t i;
  sre-&gt;objectName.l=strlen((char*)hn-&gt;dn);
  sre-&gt;objectName.s=(char*)hn-&gt;dn;
  sre-&gt;attributes=0;
  l=&amp;(sre-&gt;attributes);
  /* go through all the attributes in the hash node and apply the modifications */
  for (i=0; i&lt;hn-&gt;n; ++i) {
    enum { Keep, Drop } todo=Keep;
    for (m=&amp;mr-&gt;m; m; m=m-&gt;next) {
      if (!matchstring(&amp;m-&gt;AttributeDescription,(char*)hn-&gt;a[i].a)) {
	/* same attribute */
	if (m-&gt;operation==Add)
	  continue;
	else if (m-&gt;operation==Delete) {
	  /* if it's delete, we need to check the value list */
	  struct AttributeDescriptionList* adl=m-&gt;vals;
	  if (!adl)
	    todo=Drop;	/* if the list is empty, drop all */
	  else
	    for (adl=m-&gt;vals; adl; adl=adl-&gt;next) {
	      if (!matchstring(&amp;adl-&gt;a,(char*)hn-&gt;a[i].v)) {
		todo=Drop;
		break;
	      }
	    }
	} else
	  todo=Drop;
      }
      if (todo==Drop) break;
    }
    if (todo==Keep) {
      *l=malloc(sizeof(**l));
      if (!*l) return -1;
      (*l)-&gt;next=0;
      (*l)-&gt;type.s=bstrfirst((char*)hn-&gt;a[i].a);
      (*l)-&gt;type.l=bstrlen((char*)hn-&gt;a[i].a);
      if (!((*l)-&gt;values=malloc(sizeof(*(*l)-&gt;values)))) return -1;
      (*l)-&gt;values-&gt;a.s=bstrfirst((char*)hn-&gt;a[i].v);
      (*l)-&gt;values-&gt;a.l=bstrlen((char*)hn-&gt;a[i].v);
      (*l)-&gt;values-&gt;attrofs=0;
      (*l)-&gt;values-&gt;next=0;
      l=&amp;(*l)-&gt;next;
    }
  }
  /* then add all the &quot;replace&quot; or &quot;add&quot; attributes */
  for (m=&amp;mr-&gt;m; m; m=m-&gt;next) {
    if ((m-&gt;operation==Add || m-&gt;operation==Replace) &amp;&amp; m-&gt;vals) {
      *l=malloc(sizeof(**l));
      if (!*l) return -1;
      (*l)-&gt;next=0;
      (*l)-&gt;type.s=m-&gt;AttributeDescription.s;
      (*l)-&gt;type.l=m-&gt;AttributeDescription.l;
      if (copyadl2(&amp;(*l)-&gt;values,m-&gt;vals)==-1) return -1;
      l=&amp;(*l)-&gt;next;
    }
  }
  return 0;
}

/* write a search result entry to a file */
static int writesretofd(int fd,struct SearchResultEntry* sre) {
  /* we have no locking, but we open using O_APPEND, so the OS synchronizes for us as long
   * as we write atomically.  Therefore we have to buffer here. */
  size_t i,l,nl;
  char* c;
  struct PartialAttributeList* pal=sre-&gt;attributes;
  l=5+fmt_ldapescape(0,sre-&gt;objectName.s,sre-&gt;objectName.l);	/* &quot;\ndn: ...\n&quot; */
  if (l&lt;=5) return -1;
  while (pal) {
    struct AttributeDescriptionList* adl=pal-&gt;values;
    while (adl) {
      nl=fmt_ldapescape(0,pal-&gt;type.s,pal-&gt;type.l);
      if (nl&gt;HUGE_SIZE_FOR_SANITY_CHECKS) return -1;
      l+=nl;
      nl=fmt_ldapescape(0,adl-&gt;a.s,adl-&gt;a.l);
      if (nl&gt;HUGE_SIZE_FOR_SANITY_CHECKS) return -1;
      l+=nl;
      if (l+3&gt;HUGE_SIZE_FOR_SANITY_CHECKS) return -1;
      l+=3;
      adl=adl-&gt;next;
    }
    pal=pal-&gt;next;
  }
  c=alloca(l+1);
  if (!c) return -1;
  i=fmt_str(c,&quot;dn: &quot;);
  i+=fmt_ldapescape(c+i,sre-&gt;objectName.s,sre-&gt;objectName.l);
  i+=fmt_str(c+i,&quot;\n&quot;);
  pal=sre-&gt;attributes;
  while (pal) {
    struct AttributeDescriptionList* adl=pal-&gt;values;
    while (adl) {
      i+=fmt_ldapescape(c+i,pal-&gt;type.s,pal-&gt;type.l);
      i+=fmt_str(c+i,&quot;: &quot;);
      i+=fmt_ldapescape(c+i,adl-&gt;a.s,adl-&gt;a.l);
      i+=fmt_str(c+i,&quot;\n&quot;);
      adl=adl-&gt;next;
    }
    pal=pal-&gt;next;
  }
  i+=fmt_str(c+i,&quot;\n&quot;);

return (write(fd,c,i)==(ssize_t)i)?0:-1;
}

/* This is the high level LDAP handling code.  It reads queries from the socket at in, and
 * then writes the answers to out.  Normally in == out, but they are separate here so this
 * can also be called with in=stdin and out=stdout. */

static void answerwithjournal(struct SearchRequest* sr,long messageid,int out);
static struct hashnode** dn_in_journal2(const char* dn,size_t dnlen);

static int lookupdn(struct string* dn,size_t* index, struct hashnode** hn) {
  struct Filter f;
  struct hashnode** tmphn;
  if (dn-&gt;l&lt;1 || !dn-&gt;s) {
    buffer_putsflush(buffer_2,&quot;lookupdn called for NULL dn!\n&quot;);
    return -1;
  }
  if ((tmphn=dn_in_journal2(dn-&gt;s,dn-&gt;l)) &amp;&amp; *tmphn) {
    *hn=*tmphn;
    *index=-1;
    return (*hn)-&gt;n &gt; 0;
  }
  *hn=0;
  f.type=EQUAL;
  f.ava.desc.l=2; f.ava.desc.s=&quot;dn&quot;;
  f.ava.value=*dn;
  f.next=f.x=0;
  fixup(&amp;f);
  if (!indexable(&amp;f)) {
    buffer_putsflush(buffer_2,&quot;no index for dn, lookup failed!\n&quot;);
    return -1;
  } else {
    struct bitfield result;
    size_t i;
    result.bits=alloca(record_set_length*sizeof(unsigned long));
    useindex(&amp;f,&amp;result);
    if (result.first&gt;result.last)
      return 0;
//    assert(result.last&lt;=record_count);
    for (i=result.first; i&lt;=result.last; ) {
      if (!result.bits[i/(8*sizeof(long))]) {
	i+=8*sizeof(long);
	continue;
      }
      for (; i&lt;=result.last; ++i) {
	if (isset(&amp;result,i)) {
	  *index=i;
	  return 1;
	}
      }
    }
  }
  return 0;
}

static void normalize_string_dn(struct string* s) {
  /* OK this is a kludge.  s-&gt;s is supposed to be read-only because it points into the
   * buffer where we read it into from the network.
   * Since normalize_dn ends up using less or equal space, and we are not interested in
   * the non-normalized dn, we do the read-write cast and normalize in-place.
   * Kids, don't do this at home. */
  s-&gt;l=normalize_dn((char*)s-&gt;s,s-&gt;s,s-&gt;l);
}

static void update();

void reply_with_index(struct SearchRequest* sr,unsigned long* messageid,int out) {
  size_t returned=0;
  struct bitfield result;
  size_t i;
#if (debug != 0)
  if (debug) buffer_putsflush(buffer_2,&quot;query can be answered with index!\n&quot;);
#endif
  result.bits=alloca(record_set_length*sizeof(unsigned long));
  /* Use the index to find matching data.  Put the offsets
    * of the matches in a table.  Use findrec to locate
    * the records that point to the data. */
  useindex(sr-&gt;filter,&amp;result);
//	      assert(result.last&lt;=record_count);
  for (i=result.first; i&lt;=result.last; ) {
    size_t ni=i+8*sizeof(long);
    if (!result.bits[i/(8*sizeof(long))]) {
      i=ni;
      continue;
    }
    if (ni&gt;record_count) ni=record_count;
    for (; i&lt;ni; ++i) {
      if (isset(&amp;result,i)) {
	uint32 j;
	uint32_unpack(map+indices_offset+4*i,&amp;j);
	if (ldap_match_mapped(j,sr)) {
	  if (sr-&gt;sizeLimit &amp;&amp; sr-&gt;sizeLimit&lt;++returned)
	    break;
	  answerwith(j,sr,*messageid,out);
	}
      }
    }
  }
}

/* a standard LDAP session looks like this:
 *   1. connect to server
 *   2. send a BindRequest
 *      get back a BindResponse
 *   3. send a SearchRequest
 *      get back n SearchResultEntries
 *      get back a SearchResultDone
 *   4. send an UnbindRequest
 *   5. close
 * tinyldap does not complain if you don't unbind before hanging up.
 */
static int handle(int in,int out) {
  size_t len;
  char buf[BUFSIZE];
  for (len=0;;) {
    int tmp=read(in,buf+len,BUFSIZE-len);
    int res;
    unsigned long messageid,op;
    size_t Len;
    if (tmp==0) {
      close(in);
      if (in!=out) close(out); 
      return 0;
//      if (BUFSIZE-len) { return 0; }
    }
    if (tmp&lt;0) { write(2,&quot;error!\n&quot;,7); return 1; }
    len+=tmp;
    res=scan_ldapmessage(buf,buf+len,&amp;messageid,&amp;op,&amp;Len);
    if (res&gt;0) {
      if (verbose) {
	buffer_puts(buffer_2,&quot;got message of length &quot;);
	buffer_putulong(buffer_2,Len);
	buffer_puts(buffer_2,&quot; with id &quot;);
	buffer_putulong(buffer_2,messageid);
	buffer_puts(buffer_2,&quot;: op &quot;);
	buffer_putulong(buffer_2,op);
	buffer_putsflush(buffer_2,&quot;.\n&quot;);
      }
      update();
      switch (op) {
      case BindRequest:
	{
	  unsigned long version,method;
	  struct string name;
	  size_t tmp;
	  tmp=scan_ldapbindrequest(buf+res,buf+len,&amp;version,&amp;name,&amp;method);
	  if (tmp&gt;0) {
	    if (verbose) {
	      buffer_puts(buffer_2,&quot;bind request: version &quot;);
	      buffer_putulong(buffer_2,version);
	      buffer_puts(buffer_2,&quot; for name \&quot;&quot;);
	      buffer_put(buffer_2,name.s,name.l);
	      buffer_puts(buffer_2,&quot;\&quot; with method &quot;);
	      buffer_putulong(buffer_2,method);
	      buffer_putsflush(buffer_2,&quot;.\n&quot;);
	    }
	    if (name.l) {
	      struct string password;
	      size_t idx;
	      struct hashnode* hn;
	      int err=success;

scan_ldapstring(buf+res+tmp,buf+len,&amp;password);

normalize_string_dn(&amp;name);
	      switch (lookupdn(&amp;name,&amp;idx,&amp;hn)) {
	      case -1: err=operationsError; break;
	      case 1: break;
	      case 0: err=noSuchObject; break;
	      default: err=operationsError;
	      }
	      if (err!=success)
		goto authfailure;
	      else {
		char* c=0;
		uint32 authdn=0;
		char* authdn_str=0;
		if (idx==(size_t)-1) {	// found in journal
		  size_t i;
		  for (i=0; i&lt;hn-&gt;n; ++i)
		    if (!strcmp((char*)hn-&gt;a[i].a,&quot;userPassword&quot;)) {
		      c=(char*)hn-&gt;a[i].v;
		      authdn=0;
		      authdn_str=(char*)hn-&gt;dn;
		      break;
		    }
		} else {	// found in db
		  uint32 j;
		  uint32_unpack(map+indices_offset+4*idx,&amp;j);
		  uint32_unpack(map+j+8,&amp;authdn);
		  authdn_str=map+authdn;
		  authdn=j;
		  if (!(j=ldap_find_attr_value(j,userPassword_ofs))) {
		    buffer_putsflush(buffer_2,&quot;no userPassword attribute found, bind failed!\n&quot;);
		    goto authfailure;
		  }
		  c=map+j;
		}

if (check_password(c,&amp;password)) {
		  authenticated_as=authdn;
		  authenticated_as_str=authdn_str;
		  if (acls) {
		    size_t i;
		    for (i=0; i&lt;filters; ++i)
		      acl_ec_subjects[i]=(Filters[i]==(struct Filter*)Any);
		    for (i=0; i&lt;acls; ++i) {
		      size_t j=Acls[i]-&gt;subject;
		      if (!acl_ec_subjects[j]) {
			if (authdn==0)	// authenticated against hashnode
			  acl_ec_subjects[j]=ldap_matchfilter_hn(hn,Filters[j]);
			else	// authenticated against mapped db
			  acl_ec_subjects[j]=ldap_matchfilter_mapped(authdn,Filters[j]);
		      }
		    }
		  }
		} else
authfailure:
		{
		  char outbuf[1024];
		  size_t s=100;
		  size_t len=fmt_ldapbindresponse(outbuf+s,inappropriateAuthentication,&quot;&quot;,&quot;authentication failure&quot;,&quot;&quot;);
		  size_t hlen=fmt_ldapmessage(0,messageid,BindResponse,len);
		  fmt_ldapmessage(outbuf+s-hlen,messageid,BindResponse,len);
		  write(out,outbuf+s-hlen,len+hlen);
		  continue;
		}
	      }
	    }
	    {
	      char outbuf[1024];
	      size_t s=100;
	      size_t len=fmt_ldapbindresponse(outbuf+s,0,&quot;&quot;,&quot;go ahead&quot;,&quot;&quot;);
	      size_t hlen=fmt_ldapmessage(0,messageid,BindResponse,len);
	      fmt_ldapmessage(outbuf+s-hlen,messageid,BindResponse,len);
	      write(out,outbuf+s-hlen,len+hlen);
	    }
	  }
	}
	break;
      case SearchRequest:
	{
	  struct SearchRequest sr;
	  size_t tmp;
#if 0
	  {
	    int fd=open_write(&quot;request&quot;);
	    write(fd,buf,res+len);
	    close(fd);
	  }
#endif
	  if ((tmp=scan_ldapsearchrequest(buf+res,buf+len,&amp;sr))) {
	    size_t returned=0;

#if (debug != 0)
	    if (debug) {
	      const char* scopes[]={&quot;baseObject&quot;,&quot;singleLevel&quot;,&quot;wholeSubtree&quot;};
	      const char* alias[]={&quot;neverDerefAliases&quot;,&quot;derefInSearching&quot;,&quot;derefFindingBaseObj&quot;,&quot;derefAlways&quot;};
	      buffer_puts(buffer_2,&quot;search request: baseObject \&quot;&quot;);
	      buffer_put(buffer_2,sr.baseObject.s,sr.baseObject.l);
	      buffer_puts(buffer_2,&quot;\&quot;, scope &quot;);
	      buffer_puts(buffer_2,scopes[sr.scope]);
	      buffer_puts(buffer_2,&quot;, &quot;);
	      buffer_puts(buffer_2,alias[sr.derefAliases]);
	      buffer_puts(buffer_2,&quot;\nsize limit &quot;);
	      buffer_putulong(buffer_2,sr.sizeLimit);
	      buffer_puts(buffer_2,&quot;, time limit &quot;);
	      buffer_putulong(buffer_2,sr.timeLimit);
	      buffer_puts(buffer_2,&quot;\n&quot;);
	      printfilter(sr.filter);
	      buffer_puts(buffer_2,&quot;attributes: &quot;);
	      printal(sr.attributes);
	      buffer_putsflush(buffer_2,&quot;\n\n&quot;);
	    }
#endif
	    fixup(sr.filter);
	    fixupadl(sr.attributes);
	    if (indexable(sr.filter)) {
	      reply_with_index(&amp;sr,&amp;messageid,out);
	    } else {
	      char* x=map+5*4+size_of_string_table+attribute_count*8;
	      size_t i;
#if (debug != 0)
	      if (debug) buffer_putsflush(buffer_2,&quot;query can NOT be answered with index!\n&quot;);
#endif
	      for (i=0; i&lt;record_count; ++i) {
		uint32 j;
		uint32_unpack(x,&amp;j);
		if (ldap_match_mapped(x-map,&amp;sr)) {
		  if (sr.sizeLimit &amp;&amp; sr.sizeLimit&lt;++returned)
		    break;
		  answerwith(x-map,&amp;sr,messageid,out);
		}
		x+=j*8;
	      }
	    }

/* now answer with the results from the journal */
	    answerwithjournal(&amp;sr,messageid,out);
	    free_ldapsearchrequest(&amp;sr);
	  } else {
	    buffer_putsflush(buffer_2,&quot;couldn't parse search request!\n&quot;);
	    exit(1);
	  }
	  {
	    char buf[1000];
	    size_t l=fmt_ldapsearchresultdone(buf+100,0,&quot;&quot;,&quot;&quot;,&quot;&quot;);
	    size_t hlen=fmt_ldapmessage(0,messageid,SearchResultDone,l);
	    fmt_ldapmessage(buf+100-hlen,messageid,SearchResultDone,l);
	    write(out,buf+100-hlen,l+hlen);
	  }
	}
	break;
      case UnbindRequest:
	close(out); if (in!=out) close(in);
	return 0;
      case ModifyRequest:
	{
	  struct ModifyRequest mr;
	  size_t tmp,err=success;
	  buffer_putsflush(buffer_2,&quot;modifyrequest!\n&quot;);
	  if ((tmp=scan_ldapmodifyrequest(buf+res,buf+len,&amp;mr))) {
	    struct SearchResultEntry sre;
	    if (verbose) {
	      buffer_puts(buffer_1,&quot;modify request: dn \&quot;&quot;);
	      buffer_put(buffer_1,mr.object.s,mr.object.l);
	      buffer_putsflush(buffer_1,&quot;\&quot;\n&quot;);
	      switch (mr.m.operation) {
	      case 0: buffer_puts(buffer_1,&quot;Add\n&quot;); break;
	      case 1: buffer_puts(buffer_1,&quot;Delete\n&quot;); break;
	      case 2: buffer_puts(buffer_1,&quot;Replace\n&quot;); break;
	      }
	      buffer_put(buffer_1,mr.m.AttributeDescription.s,mr.m.AttributeDescription.l);
	      buffer_puts(buffer_1,&quot;\n&quot;);
	      {
		struct AttributeDescriptionList* x=mr.m.vals;
		do {
		  buffer_puts(buffer_1,&quot; -&gt; \&quot;&quot;);
		  buffer_put(buffer_1,x-&gt;a.s,x-&gt;a.l);
		  buffer_putsflush(buffer_1,&quot;\&quot;\n&quot;);
		  x=x-&gt;next;
		} while (x);
	      }
	    }

normalize_string_dn(&amp;mr.object);

if (acls) {
	      /* convert modifyrequest to searchresultentry */
	      modreq2sre(&amp;sre,&amp;mr);
	      /* 1. check ACLs */
	      if (checkacl(0,0,acl_write,&amp;sre)!=1)
		err=insufficientAccessRights;
	      free_ldapsearchresultentry(&amp;sre);
	    } else
	      err=insufficientAccessRights;
	    if (err==success) {
	      /* 2. check if there already is a record with this dn */
	      struct hashnode* hn;
	      size_t idx;
	      switch (lookupdn(&amp;mr.object,&amp;idx,&amp;hn)) {
	      case -1: err=operationsError; break;
	      case 1: break;
	      case 0: err=noSuchObject; break;
	      default: err=operationsError;
	      }
	      if (err==success) {
#if 1
		/* 3. apply modifications to record to get new record */
		if (!applymodreq(hn,&amp;mr,&amp;sre)) {
		  /* 4. write record to journal */
		  int fd=open(&quot;journal&quot;,O_WRONLY|O_APPEND|O_CREAT,0600);
		  if (fd==-1)
		    err=operationsError;
		  else {
		    if (writesretofd(fd,&amp;sre)==-1)
		      err=operationsError;
		    close(fd);
		  }
		} else
		  err=operationsError;
		free_ldapsearchresultentry(&amp;sre);
#else
		err=operationsError;
#endif
	      }
	    }
	  } else {
	    buffer_putsflush(buffer_2,&quot;could not parse modifyRequest!\n&quot;);
	    err=protocolError;
	  }

{
	    char outbuf[1024];
	    int s=100;
	    int len=fmt_ldapresult(outbuf+s,err,&quot;&quot;,&quot;&quot;,&quot;&quot;);
	    int hlen=fmt_ldapmessage(0,messageid,AddResponse,len);
	    fmt_ldapmessage(outbuf+s-hlen,messageid,AddResponse,len);
	    write(out,outbuf+s-hlen,len+hlen);
	  }

free_ldapmodifyrequest(&amp;mr);
	}
	break;
      case AbandonRequest:
	if (verbose) buffer_putsflush(buffer_2,&quot;AbandonRequest!\n&quot;);
	/* do nothing */
	break;
      case AddRequest:
        {
	  int err=success;
	  struct AddRequest ar;
//          buffer_putsflush(buffer_2,&quot;AddRequest!\n&quot;);
          if ((tmp=scan_ldapaddrequest(buf+res,buf+len,&amp;ar))) {
	    struct SearchResultEntry sre;
	    normalize_string_dn(&amp;ar.entry);
	    /* convert addrequest to searchresultentry */
	    addreq2sre(&amp;sre,&amp;ar);

/* 1. check ACLs */
	    if (checkacl(0,0,acl_add,&amp;sre)==1) {
	      /* 2. check if there already is a record with this dn */
	      struct hashnode* hn;
	      size_t idx;
	      switch (lookupdn(&amp;sre.objectName,&amp;idx,&amp;hn)) {
	      case -1: err=operationsError; break;
	      case 1: err=entryAlreadyExists; break;
	      case 0: break;
	      default: err=operationsError;
	      }
	      if (err==success) {
		/* 3. write record to journal */
		int fd=open(&quot;journal&quot;,O_WRONLY|O_APPEND|O_CREAT,0600);
		if (fd==-1)
		  err=operationsError;
		else {
		  if (writesretofd(fd,&amp;sre)==-1)
		    err=operationsError;
		  close(fd);
		}
	      }
	    } else
	      err=insufficientAccessRights;
	  } else
	    err=protocolError;

buffer_put(buffer_1,ar.entry.s,ar.entry.l);
	  buffer_putsflush(buffer_1,&quot;\n&quot;);
	  if (verbose) { /* iterate all attributes */
	    struct Addition * x;
	    struct AttributeDescriptionList * y;
	    for (x = &amp;ar.a;x;x=x-&gt;next) {
	      for (y = &amp;x-&gt;vals;y;y=y-&gt;next) {
		buffer_put(buffer_1,x-&gt;AttributeDescription.s,x-&gt;AttributeDescription.l);
		buffer_puts(buffer_1,&quot;: &quot;);
		buffer_put(buffer_1,y-&gt;a.s,y-&gt;a.l);
		buffer_putsflush(buffer_1,&quot;\n&quot;);
	      }
	    }
	  }

free_ldapaddrequest(&amp;ar);

{
	    char outbuf[1024];
	    size_t s=100;
	    size_t len=fmt_ldapresult(outbuf+s,err,&quot;&quot;,&quot;&quot;,&quot;&quot;);
	    size_t hlen=fmt_ldapmessage(0,messageid,AddResponse,len);
	    fmt_ldapmessage(outbuf+s-hlen,messageid,AddResponse,len);
	    write(out,outbuf+s-hlen,len+hlen);
	  }
	}
	break;
      case DelRequest:
	{
	  struct string s;
	  size_t l=scan_ldapdeleterequest(buf+res,buf+len,&amp;s);
	  if (l&gt;0) {
	    struct SearchResultEntry sre;
	    int err=success;
	    if (verbose) {
	      buffer_puts(buffer_2,&quot;Delete Request for DN \&quot;&quot;);
	      buffer_put(buffer_2,s.s,s.l);
	      buffer_putsflush(buffer_2,&quot;\&quot;.\n&quot;);
	    }
	    normalize_string_dn(&amp;s);
	    /* convert modifyrequest to searchresultentry */
	    sre.objectName=s;
	    sre.attributes=0;
	    /* 1. check ACLs */
	    if (checkacl(0,0,acl_delete,&amp;sre)!=1)
	      err=insufficientAccessRights;
	    if (err==success) {
	      /* 2. check if there already is a record with this dn */
	      struct hashnode* hn;
	      size_t idx;
	      switch (lookupdn(&amp;s,&amp;idx,&amp;hn)) {
	      case -1: err=operationsError; break;
	      case 1: break;
	      case 0: err=noSuchObject; break;
	      default: err=operationsError;
	      }
	      if (err==success) {
		/* 3. write record to journal */
		int fd=open(&quot;journal&quot;,O_WRONLY|O_APPEND|O_CREAT,0600);
		if (fd==-1)
		  err=operationsError;
		else {
		  if (writesretofd(fd,&amp;sre)==-1)
		    err=operationsError;
		  close(fd);
		}
	      }
	    }
	    {
	      char outbuf[1024];
	      size_t s=100;
	      size_t len=fmt_ldapresult(outbuf+s,err,&quot;&quot;,&quot;&quot;,&quot;&quot;);
	      size_t hlen=fmt_ldapmessage(0,messageid,DelResponse,len);
	      fmt_ldapmessage(outbuf+s-hlen,messageid,DelResponse,len);
	      write(out,outbuf+s-hlen,len+hlen);
	    }
	  }
	}
	break;
      case ModifyDNRequest:
	/* TODO */
      default:
	buffer_puts(buffer_2,&quot;unknown request type &quot;);
	buffer_putulong(buffer_2,op);
	buffer_putsflush(buffer_2,&quot;\n&quot;);
	return 0;
//	exit(1);
      }
      Len+=res;
#if 0
      buffer_puts(buffer_2,&quot;byte_copy(buf,&quot;);
      buffer_putulong(buffer_2,len-Len);
      buffer_puts(buffer_2,&quot;,buf+&quot;);
      buffer_putulong(buffer_2,Len);
      buffer_putsflush(buffer_2,&quot;);\n&quot;);
#endif
      if (Len&lt;len) {
	byte_copy(buf,len-Len,buf+Len);
	len-=Len;
      } else len=0;
    } else
      exit(2);
  }
}

/* journal reading code */

extern int (*ldif_parse_callback)(struct ldaprec* l);

extern mstorage_t stringtable;
extern mduptab_t attributes,classes;

static unsigned long hash2(const unsigned char* c) {
  unsigned long h=0;
  if (*c==0) {
    uint32 len=uint32_read((char*)c+1);
    return hash(c+5,len);
  }
  while (*c) {
    /* from djb's cdb */
    h += (h&lt;&lt;5);
    h ^= *c;
    ++c;
  }
  return (uint32)h;
}

#define HASHTABSIZE 8191

static unsigned char* bstrdup(unsigned char* c) {
  size_t len;
  unsigned char* x;
  if (*c)
    len=str_len((char*)c)+1;
  else {
    len=5+uint32_read((char*)c+1);
    if (len&lt;5) return 0;
  }
  x=malloc(len);
  if (x) byte_copy(x,len,c);
  return x;
}

static unsigned char* bstrdup_attrib(unsigned char* c) {
  char* x=map+5*4+size_of_string_table;
  size_t i,l;
  if (*c)
    l=str_len((char*)c)+1;
  else {
    l=uint32_read((char*)c+1);
    c+=5;
  }
  for (i=0; i&lt;attribute_count; ++i) {
    uint32 j=uint32_read(x);
    if (case_equalb(c,l,map+j))
      return (unsigned char*)map+j;
    x+=4;
  }
  return bstrdup(c);
}

struct hashnode* hashtab[HASHTABSIZE];

static struct hashnode** dn_in_journal(unsigned char* dn) {
  unsigned long hashval;
  struct hashnode** hn;
  hashval=hash2(dn);
  hn=hashtab+(hashval%HASHTABSIZE);
  while (*hn) {
    if ((*hn)-&gt;hashval==hashval) {
      if (!bstr_diff((char*)(*hn)-&gt;dn,(char*)dn))
	break;
    }
    hn=&amp;((*hn)-&gt;next);
  }
  return hn;
}

static struct hashnode** dn_in_journal2(const char* dn,size_t dnlen) {
  unsigned long hashval;
  struct hashnode** hn;
  hashval=hash((const unsigned char*)dn,dnlen);
//  printf(&quot;lookup: \&quot;%.*s\&quot; -&gt; %lu\n&quot;,dnlen,dn,hashval);
  hn=hashtab+(hashval%HASHTABSIZE);
  while (*hn) {
    if ((*hn)-&gt;hashval==hashval) {
      if (!bstr_diff2((char*)(*hn)-&gt;dn,dn,dnlen))
	break;
    }
    hn=&amp;((*hn)-&gt;next);
  }
  return hn;
}

struct hashnode* root;

static int parse_callback(struct ldaprec* l) {
  static struct hashnode** nextinlinearlist=&amp;root;
  size_t i;
  unsigned long hashval;
  struct hashnode** hn;
  if (l-&gt;dn==(uint32)-1)
    return -1;
  hashval=hash2((unsigned char*)stringtable.root+l-&gt;dn);
//  printf(&quot;journal: \&quot;%s\&quot; -&gt; %lu\n&quot;,stringtable.root+l-&gt;dn,hashval);
  hn=hashtab+(hashval%HASHTABSIZE);
  while (*hn) {
    if ((*hn)-&gt;hashval==hashval) {
      if (!bstr_diff((char*)(*hn)-&gt;dn,stringtable.root+l-&gt;dn))
	break;
    }
    hn=&amp;((*hn)-&gt;next);
  }
  if (*hn) {
    /* a record with this dn exists */
    /* adjust it to the new reality */
    for (i=0; i&lt;(*hn)-&gt;n; ++i) {
      free((*hn)-&gt;a[i].a);
      free((*hn)-&gt;a[i].v);
    }
    *hn = realloc(*hn,sizeof(**hn)-sizeof(struct attribute2)+l-&gt;n*sizeof(struct attribute2));
    if (!*hn) nomem: die(1,&quot;out of memory!&quot;);
  } else {
    *hn = malloc(sizeof(**hn)-sizeof(struct attribute2)+l-&gt;n*sizeof(struct attribute2));
    if (!*hn) goto nomem;
    if (!((*hn)-&gt;dn=bstrdup((unsigned char*)stringtable.root+l-&gt;dn))) goto nomem;
    (*hn)-&gt;hashval=hashval;
    (*hn)-&gt;next=0;

(*hn)-&gt;overwrite=0;
    /* put new entry in the linear list */
    *nextinlinearlist=*hn;
    (*hn)-&gt;linear=0;
    nextinlinearlist=&amp;(*hn)-&gt;linear;
  }
  (*hn)-&gt;n=l-&gt;n;
  for (i=0; i&lt;l-&gt;n; ++i) {
    if (!((*hn)-&gt;a[i].a=bstrdup_attrib((unsigned char*)attributes.strings.root+l-&gt;a[i].name)) ||
	!((*hn)-&gt;a[i].v=bstrdup((unsigned char*)((*hn)-&gt;a[i].a==(unsigned char*)map+objectClass_ofs?classes.strings.root:stringtable.root)+l-&gt;a[i].value))) goto nomem;
  }
  stringtable.used=0;
  return 0;
}

static void readjournal() {
  ldif_parse_callback=parse_callback;
  mduptab_init(&amp;attributes);
  mduptab_init(&amp;classes);
  if (ldif_parse(&quot;journal&quot;,0,&amp;ss_journal)) {
    buffer_putsflush(buffer_2,&quot;Failed to parse journal!\n&quot;);
    exit(1);
  }
}

static void update() {
  struct stat new_data,new_journal;
  if (stat(datafilename,&amp;new_data)==-1) {
    /* no data file?!  There is no way to salvage the situation. */
    buffer_putsflush(buffer_2,&quot;ABEND: data file suddenly gone.\n&quot;);
    exit(1);
  }
  /* now see if the data file changed.  If it did, map it anew. */
  if (new_data.st_size!=ss_data.st_size ||
      new_data.st_mtime!=ss_data.st_mtime ||
      new_data.st_ino!=ss_data.st_ino) {
    buffer_putsflush(buffer_2,&quot;Data file changed, reloading.\n&quot;);
    mmap_unmap(map,filelen);
    /* If the new data file is corrupt, map_datafile calls exit.
     * I don't believe in limping on.  If something is broken on such a fundamental level,
     * it's better to bail so that the problem does not go unnoticed and things get even
     * worse. */
    map_datafile(datafilename);
    /* OK, now that we have the datafile reloaded, we need to clean our idea of a journal
     * and reload the journal from scratch. */
resetjournal:
    mduptab_reset(&amp;attributes);
    mduptab_reset(&amp;classes);
    readjournal();
    return;
  }
  /* the data file did not change.  Maybe the journal did. */
  if (stat(&quot;journal&quot;,&amp;new_journal)==-1) {
    /* no journal; that means:
     * a) there never was one, totaly read-only data
     * b) there was one, but it has now been incorporated into the main database
     *    in this case: delete journal data
     */
    mduptab_reset(&amp;attributes);
    mduptab_reset(&amp;classes);
    return;
  }
  if (new_journal.st_size!=ss_journal.st_size ||
      new_journal.st_mtime!=ss_journal.st_mtime ||
      new_journal.st_ino!=ss_journal.st_ino) {
    /* Journal changed.  Since all we ever do is append, we just read the part from how
     * far we got last time, which happens to be ss_journal.st_size. */

/* On the other hand, we should make a valiant effort to not break if someone edits
     * his journal manually. After all, that's why our journal is in text form.
     * We look for two clues that someone edited his journal:
     *   1. size is identical or smaller
     *   2. journal does not end with &quot;\n\n&quot;
     * If we detect meddling we just throw away our journal and read the new one. */
    int notkosher=0;
    if (new_journal.st_size&gt;ss_journal.st_size &amp;&amp; ss_journal.st_size&gt;2) {
      int fd;
      fd=open(&quot;journal&quot;,O_RDONLY);
      if (fd!=-1) {
	char buf[2];
	lseek(fd,ss_journal.st_size-2,SEEK_SET);
	if (read(fd,buf,2)!=2) 
	  if (buf[0]=='\n' &amp;&amp; buf[1]=='\n')
	    notkosher=1;
	close(fd);
      }
    }
    if (notkosher) {
      buffer_putsflush(buffer_2,&quot;Unsanctioned journal editing detected!  Re-reading journal.\n&quot;);
      goto resetjournal;
    }
    if (ldif_parse(&quot;journal&quot;,ss_journal.st_size,&amp;ss_journal)) {
      buffer_putsflush(buffer_2,&quot;Failed to parse journal!\n&quot;);
      exit(1);
    }
    ss_data=new_data;
  }
}

static int ldap_matchfilter_hn(struct hashnode* hn,struct Filter* f) {
  struct Filter* y=f-&gt;x;
  size_t i;
  if (!hn-&gt;n) return 0;
  if (!f) return 1;
  switch (f-&gt;type) {
  case AND:
    while (y) {
      if (!ldap_matchfilter_hn(hn,y)) return 0;
      y=y-&gt;next;
    }
    return 1;
  case OR:
    while (y) {
      if (ldap_matchfilter_hn(hn,y)) return 1;
      y=y-&gt;next;
    }
    return 0;
  case NOT:
    return !ldap_matchfilter_hn(hn,y);
  case PRESENT:
    if (f-&gt;attrofs==dn_ofs)
      return 1;
    for (i=0; i&lt;hn-&gt;n; ++i)
      if (!matchstring(&amp;f-&gt;ava.desc,(char*)hn-&gt;a[i].a))
	return 1;
    return 0;
  case EQUAL:
  case LESSEQUAL:
  case GREATEQUAL:
    if (f-&gt;attrofs==dn_ofs)
      return matchint(f,(char*)hn-&gt;dn);
    for (i=0; i&lt;hn-&gt;n; ++i)
      if (!matchstring(&amp;f-&gt;ava.desc,(char*)hn-&gt;a[i].a) &amp;&amp;
	  matchint(f,(char*)hn-&gt;a[i].v)) return 1;
    return 0;
  case SUBSTRING:
    if (f-&gt;attrofs==dn_ofs)
      return substringmatch(f-&gt;substrings,(char*)hn-&gt;dn,f-&gt;attrflag&amp;1);
    for (i=0; i&lt;hn-&gt;n; ++i)
      if (!matchstring(&amp;f-&gt;ava.desc,(char*)hn-&gt;a[i].a) &amp;&amp;
	  substringmatch(f-&gt;substrings,(char*)hn-&gt;a[i].v,f-&gt;attrflag&amp;1)) return 1;
    return 0;
  default:
    write(2,&quot;unsupported query type\n&quot;,23);
    return 0;
  }
  return 1;
}

/* return 0 if they didn't match, otherwise return length in b */
static int match(const char* a,int len,const char* b) {
  const char* A=a+len;
  const char* B=b+str_len(b);
  while (len&gt;0 &amp;&amp; A&gt;a &amp;&amp; B&gt;b) {
    --A; --B; --len;
    while (*A==' ' &amp;&amp; A&gt;a) { --A; --len; }
    while (*B==' ' &amp;&amp; B&gt;b) --B;
    if (tolower(*A) != tolower(*B))
      return 0;
  }
  return str_len(B);
}

static int matchhashnode(struct hashnode* hn,struct SearchRequest* sr) {
  size_t i,len=bstrlen((char*)hn-&gt;dn);
  unsigned char* c;
  if (sr-&gt;baseObject.l&gt;len)
    /* baseObject is longer than dn */
    return 0;
  if (sr-&gt;baseObject.l &amp;&amp; !match(sr-&gt;baseObject.s,sr-&gt;baseObject.l,(char*)hn-&gt;dn))
    /* baseObject is not a suffix of dn */
    return 0;
  switch (sr-&gt;scope) {
  case wholeSubtree: break;
  case baseObject: if (len==sr-&gt;baseObject.l) break; return 0;
  default:
    c=hn-&gt;dn+bstrstart((char*)hn-&gt;dn);
    for (i=0; i&lt;len; ++i)
      if (c[i]==',')
	break;
    if (i+2&gt;=len-sr-&gt;baseObject.l) break;
    return 0;
  }
  return ldap_matchfilter_hn(hn,sr-&gt;filter);
}

static void answerwith_hn(struct hashnode* hn,struct SearchRequest* sr,long messageid,int out) {
  struct SearchResultEntry sre;
  struct PartialAttributeList** pal=&amp;sre.attributes;

if (!hn-&gt;n) return;
  if (acls)
    byte_zero(acl_ec_subjects+filters,filters);

if (acls &amp;&amp; checkacl_hn(hn,(unsigned char*)map+dn_ofs,acl_read)!=1) return;

sre.objectName.l=bstrlen(sre.objectName.s=(char*)hn-&gt;dn);
  sre.attributes=0;

/* now go through list of requested attributes */
  {
    struct AttributeDescriptionList* adl=sr-&gt;attributes;
    if (!adl &amp;&amp; hn-&gt;n &amp;&amp; hn-&gt;n&lt;HUGE_SIZE_FOR_SANITY_CHECKS/sizeof(*adl)) {
      /* did not ask for any attributes.  send 'em all. */
      /* to do that, construct a list of all attributes */

uint32 i,j,k;
      adl=alloca(hn-&gt;n*sizeof(*adl));
      for (i=k=0; i&lt;hn-&gt;n; ++i) {
	adl[k].a.s=(char*)hn-&gt;a[i].a;
	adl[k].a.l=str_len((char*)hn-&gt;a[i].a);
	adl[k].attrofs=0;
	adl[k].next=adl+k+1;
	for (j=0; j&lt;i; ++j) {
	  if (!strcmp((char*)hn-&gt;a[i].a,(char*)hn-&gt;a[j].a)) {
	    --k;
	    break;
	  }
	}
	++k;
      }
      if (k) adl[k-1].next=0;
    }
    while (adl) {
      const unsigned char* val=0;
      uint32 i=0;

if (!acls || checkacl_hn(hn,(unsigned char*)adl-&gt;a.s,acl_read)==1) {
	if (!matchstring(&amp;adl-&gt;a,&quot;dn&quot;))
	  val=hn-&gt;dn;
	else {
	  for (; i&lt;hn-&gt;n; ++i)
	    if (!matchstring(&amp;adl-&gt;a,(char*)hn-&gt;a[i].a)) {
	      val=hn-&gt;a[i].v;
	      ++i;
	      break;
	    }
	}
	if (val) {
	  *pal=malloc(sizeof(struct PartialAttributeList));
	  if (!*pal) {
nomem:
	    buffer_putsflush(buffer_2,&quot;out of virtual memory!\n&quot;);
	    exit(1);
	  }
	  (*pal)-&gt;type=adl-&gt;a;
	  {
	    struct AttributeDescriptionList** a;
	    a=&amp;(*pal)-&gt;values;
add_attribute:
	    *a=malloc(sizeof(struct AttributeDescriptionList));
	    if (!*a) goto nomem;
	    (*a)-&gt;a.s=bstrfirst((char*)val);
	    (*a)-&gt;a.l=bstrlen((char*)val);
	    for (;i&lt;hn-&gt;n; ++i)
	      if (!matchstring(&amp;adl-&gt;a,(char*)hn-&gt;a[i].a)) {
		val=hn-&gt;a[i].v;
		++i;
		a=&amp;(*a)-&gt;next;
		goto add_attribute;
	      }
	    (*a)-&gt;next=0;
	  }
	  (*pal)-&gt;next=0;
	  pal=&amp;(*pal)-&gt;next;
	}
      }
      adl=adl-&gt;next;
    }
  }
  {
    long l=fmt_ldapsearchresultentry(0,&amp;sre);
    char *buf;
    long tmp;
    if (l&lt;HUGE_SIZE_FOR_SANITY_CHECKS) {
      buf=alloca(l+300); /* you never know ;) */
      if (verbose) {
	buffer_puts(buffer_2,&quot;sre len &quot;);
	buffer_putulong(buffer_2,l);
	buffer_putsflush(buffer_2,&quot;.\n&quot;);
      }
      tmp=fmt_ldapmessage(buf,messageid,SearchResultEntry,l);
      fmt_ldapsearchresultentry(buf+tmp,&amp;sre);
      write(out,buf,l+tmp);
    }
  }
  free_ldappal(sre.attributes);
}

static void answerwithjournal(struct SearchRequest* sr,long messageid,int out) {
  struct hashnode* hn=root;
  while (hn) {
    if (!hn-&gt;overwrite &amp;&amp; matchhashnode(hn,sr))
      answerwith_hn(hn,sr,messageid,out);
    hn=hn-&gt;linear;
  }
}

/*
                 _
 _ __ ___   __ _(_)_ __
| '_ ` _ \ / _` | | '_ \
| | | | | | (_| | | | | |
|_| |_| |_|\__,_|_|_| |_|
*/

int main(int argc,char* argv[]) {
#ifdef STANDALONE
  int sock;
#endif

errmsg_iam(&quot;tinyldap&quot;);

signal(SIGPIPE,SIG_IGN);

map_datafile(argc&gt;1?argv[1]:&quot;data&quot;);

readjournal();

#if 0
  ldif_parse(&quot;exp.ldif&quot;);
  if (!first) {
    buffer_putsflush(buffer_2,&quot;no data?!&quot;);
  }
#endif

#ifdef STANDALONE
  if ((sock=socket_tcp6b())==-1) {
    buffer_putsflush(buffer_2,&quot;socket failed!\n&quot;);
    exit(1);
  }
  {
    char ip[16];
    char* IP=(char*)V6any;
    char* x=getenv(&quot;IP&quot;);
    if (x &amp;&amp; !x[scan_ip6(x,ip)])
      IP=ip;
    if (socket_bind6_reuse(sock,IP,389,0)) {
      buffer_putsflush(buffer_2,&quot;bind failed!\n&quot;);
      exit(1);
    }
  }
  if (socket_listen(sock,32)) {
    buffer_putsflush(buffer_2,&quot;listen failed!\n&quot;);
    exit(1);
  }
  for (;;) {
    char ip[16];
    uint16 port;
    uint32 scope_id;
    int asock;
    {
      int status;
      while ((status=waitpid(-1,0,WNOHANG))!=0 &amp;&amp; status!=(pid_t)-1); /* reap zombies */
    }
#ifdef DEBUG
again:
#endif
    asock=socket_accept6(sock,ip,&amp;port,&amp;scope_id);
    if (asock==-1) {
      buffer_putsflush(buffer_2,&quot;accept failed!\n&quot;);
      exit(1);
    }
    {
      int one=1;
      setsockopt(asock,IPPROTO_TCP,TCP_NODELAY,&amp;one,sizeof(one));
    }
    update();
#ifdef DEBUG
    {
      struct pollfd p;
      p.fd=0;
      p.events=POLLIN;
      if (poll(&amp;p,1,1)==1) return 0;
    }
    handle(asock,asock);
    goto again;
//    exit(0);
#else
#endif
    switch (fork()) {
    case -1: buffer_putsflush(buffer_2,&quot;fork failed!\n&quot;); exit(1);
    case 0: /* child */
      handle(asock,asock);
      exit(0); /* not reached */
    default:
      close(asock);
    }
  }
#else
  {
    int one=1;
    setsockopt(1,IPPROTO_TCP,TCP_NODELAY,&amp;one,sizeof(one));
  }
  handle(0,1);
#endif
  return 0;
}

/* vim:tw=90:
 */

Create Shorturl - Create a shorter url that redirects to your paste?

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

A PHP Error was encountered

Reply to "tinyldap.c"