security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-09-24 15:31:41 +02:00
Code Activity

* Makefile.am: Add automake conditionals to symlink gpgkeys_ldaps to

Browse Source 
gpgkeys_ldap when needed.

* gpgkeys_ldap.c (main): Add support for LDAPS and TLS connections.
These are only useful and usable when talking to real LDAP keyservers.
Add new "tls" option to tune TLS use from off, to try quietly, to try
loudly, or to require TLS.
This commit is contained in:
David Shaw 2004-02-19 20:09:12 +00:00
parent ce1e817dce
commit 21301028c4
3 changed files with 144 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
keyserver/ChangeLog
View File

@ -1,5 +1,13 @@
2004-02-19 David Shaw <dshaw@jabberwocky.com>
* Makefile.am: Add automake conditionals to symlink gpgkeys_ldaps
to gpgkeys_ldap when needed.
* gpgkeys_ldap.c (main): Add support for LDAPS and TLS
connections. These are only useful and usable when talking to
real LDAP keyservers. Add new "tls" option to tune TLS use from
off, to try quietly, to try loudly, or to require TLS.
* gpgkeys_ldap.c (find_basekeyspacedn): New function to figure out
what kind of LDAP server we're talking to (either real LDAP or the
LDAP keyserver), and return the baseKeySpaceDN to find keys under.

12
keyserver/Makefile.am
View File

@ -1,4 +1,4 @@
# Copyright (C) 2001, 2002 Free Software Foundation, Inc.
# Copyright (C) 2001, 2002, 2004 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
@ -30,3 +30,13 @@ noinst_SCRIPTS = gpgkeys_test
gpgkeys_ldap_LDADD = @LDAPLIBS@ @NETLIBS@ @GETOPT@ @W32LIBS@
gpgkeys_hkp_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ @LIBINTL@ \
@CAPLIBS@ @GETOPT@ @W32LIBS@
install-exec-hook:
if GPGKEYS_LDAP
-(cd $(libexecdir) && $(LN_S) gpgkeys_ldap$(EXEEXT) gpgkeys_ldaps$(EXEEXT))
endif
uninstall-hook:
if GPGKEYS_LDAP
rm -f $(libexecdir)/gpgkeys_ldaps$(EXEEXT)
endif

136
keyserver/gpgkeys_ldap.c
View File

@ -28,9 +28,6 @@
#endif
#include <stdlib.h>
#include <errno.h>
#ifdef NEED_LBER_H
#include <lber.h>
#endif
#include <ldap.h>
#include "keyserver.h"
@ -46,13 +43,14 @@ extern int optind;
#define SEARCH 2
#define MAX_LINE 80
int verbose=0,include_disabled=0,include_revoked=0,include_subkeys=0;
char *basekeyspacedn=NULL;
char host[80]={'\0'};
char portstr[10]={'\0'};
char *pgpkeystr="pgpKey";
FILE *input=NULL,*output=NULL,*console=NULL;
LDAP *ldap=NULL;
static int verbose=0,include_disabled=0,include_revoked=0,include_subkeys=0;
static int real_ldap=0;
static char *basekeyspacedn=NULL;
static char host[80]={'\0'};
static char portstr[10]={'\0'};
static char *pgpkeystr="pgpKey";
static FILE *input=NULL,*output=NULL,*console=NULL;
static LDAP *ldap=NULL;
struct keylist
{
@ -811,6 +809,8 @@ find_basekeyspacedn(void)
attr[1]="pgpVersion";
attr[2]="pgpSoftware";
real_ldap=1;
/* We found some, so try each namingContext as the search base
and look for pgpBaseKeySpaceDN. Because we found this, we
know we're talking to a regular-ish LDAP server and not a
@ -919,7 +919,7 @@ main(int argc,char *argv[])
{
int port=0,arg,err,action=-1,ret=KEYSERVER_INTERNAL_ERROR;
char line[MAX_LINE];
int version,failed=0;
int version,failed=0,use_ssl=0,use_tls=0;
struct keylist *keylist=NULL,*keyptr=NULL;
console=stderr;
@ -973,6 +973,7 @@ main(int argc,char *argv[])
{
char commandstr[7];
char optionstr[30];
char schemestr[80];
char hash;
if(line[0]=='\n')
@ -1008,6 +1009,17 @@ main(int argc,char *argv[])
continue;
}
if(sscanf(line,"SCHEME %79s\n",schemestr)==1)
{
schemestr[79]='\0';
if(strcasecmp(schemestr,"ldaps")==0)
{
port=636;
use_ssl=1;
}
continue;
}
if(sscanf(line,"VERSION %d\n",&version)==1)
{
if(version!=KEYSERVER_PROTO_VERSION)
@ -1060,6 +1072,26 @@ main(int argc,char *argv[])
else
include_subkeys=1;
}
else if(strncasecmp(start,"tls",3)==0)
{
if(no)
use_tls=0;
else if(start[3]=='=')
{
if(strcasecmp(&start[4],"no")==0)
use_tls=0;
else if(strcasecmp(&start[4],"try")==0)
use_tls=1;
else if(strcasecmp(&start[4],"warn")==0)
use_tls=2;
else if(strcasecmp(&start[4],"require")==0)
use_tls=3;
else
use_tls=1;
}
else if(start[3]=='\0')
use_tls=1;
}
continue;
}
@ -1141,6 +1173,88 @@ main(int argc,char *argv[])
goto fail;
}
if(use_ssl)
{
if(!real_ldap)
{
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
"not supported by the NAI LDAP keyserver");
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
goto fail;
}
else
{
#if defined(LDAP_OPT_X_TLS_HARD) && defined(HAVE_LDAP_SET_OPTION)
int ssl=LDAP_OPT_X_TLS_HARD;
err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
if(err!=LDAP_SUCCESS)
{
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
ldap_err2string(err));
fail_all(keylist,action,ldap_err_to_gpg_err(err));
goto fail;
}
#else
fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
"not built with LDAPS support");
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
goto fail;
#endif
}
}
/* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
3=force use. */
if(use_tls)
{
if(!real_ldap && use_tls)
{
if(use_tls>=2)
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
"not supported by the NAI LDAP keyserver");
if(use_tls==3)
{
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
goto fail;
}
}
else
{
#if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
int ver=LDAP_VERSION3;
err=LDAP_SUCCESS;
err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
if(err==LDAP_SUCCESS)
err=ldap_start_tls_s(ldap,NULL,NULL);
if(err!=LDAP_SUCCESS && use_tls>=2)
{
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
ldap_err2string(err));
/* Are we forcing it? */
if(use_tls==3)
{
fail_all(keylist,action,ldap_err_to_gpg_err(err));
goto fail;
}
}
else if(verbose>1)
fprintf(console,"gpgkeys: TLS started successfully.\n");
#else
if(use_tls>=2)
fprintf(console,"gpgkeys: unable to start TLS: %s\n",
"not built with TLS support");
if(use_tls==3)
{
fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
goto fail;
}
#endif
}
}
err=ldap_simple_bind_s(ldap,NULL,NULL);
if(err!=0)
{