security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

dirmngr: Allow for non-URL specified ldap keyservers.

Browse source 
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.

* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string.  Improve error messages for the non-file case.  Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls.  Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--

The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification.  The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls.  The code is nearly 100%
compatible to existing specification.  There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).

GnuPG-bug-id: 5405, 5452
This commit is contained in:
Werner Koch 2021-05-26 14:48:27 +02:00
parent 9f586700ec
commit 2b4cddf908
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
6 changed files with 378 additions and 147 deletions
Download patch file Download diff file Expand all files Collapse all files

52
dirmngr/ks-action.c
View file

@ -67,6 +67,8 @@ ks_action_help (ctrl_t ctrl, const char *url)
{
gpg_error_t err;
parsed_uri_t parsed_uri; /* The broken down URI. */
char *tmpstr;
const char *s;
if (!url || !*url)
{
@ -76,7 +78,34 @@ ks_action_help (ctrl_t ctrl, const char *url)
else
{
#if USE_LDAP
if (ldap_uri_p (url))
if (!strncmp (url, "ldap:", 5) && !(url[5] == '/' && url[6] == '/'))
{
/* Special ldap scheme given. This differs from a valid
* ldap scheme in that no double slash follows. Use
* http_parse_uri to put it as opaque value into parsed_uri. */
tmpstr = strconcat ("opaque:", url+5, NULL);
if (!tmpstr)
err = gpg_error_from_syserror ();
else
{
err = http_parse_uri (&parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
}
else if ((s=strchr (url, ':')) && !(s[1] == '/' && s[2] == '/'))
{
/* No scheme given. Use http_parse_uri to put the string as
* opaque value into parsed_uri. */
tmpstr = strconcat ("opaque:", url, NULL);
if (!tmpstr)
err = gpg_error_from_syserror ();
else
{
err = http_parse_uri (&parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
}
else if (ldap_uri_p (url))
err = ldap_parse_uri (&parsed_uri, url);
else
#endif
@ -164,9 +193,10 @@ ks_action_search (ctrl_t ctrl, uri_item_t keyservers,
int is_ldap = 0;
unsigned int http_status = 0;
#if USE_LDAP
is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
is_ldap = (!strcmp (uri->parsed_uri->scheme, "ldap")
|| !strcmp (uri->parsed_uri->scheme, "ldaps")
|| !strcmp (uri->parsed_uri->scheme, "ldapi")
|| uri->parsed_uri->opaque);
#endif
if (is_http || is_ldap)
{
@ -242,9 +272,10 @@ ks_action_get (ctrl_t ctrl, uri_item_t keyservers,
is_hkp_s = is_http_s = 0;
#if USE_LDAP
is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
is_ldap = (!strcmp (uri->parsed_uri->scheme, "ldap")
|| !strcmp (uri->parsed_uri->scheme, "ldaps")
|| !strcmp (uri->parsed_uri->scheme, "ldapi")
|| uri->parsed_uri->opaque);
#endif
if (is_hkp_s || is_http_s || is_ldap)
@ -382,9 +413,10 @@ ks_action_put (ctrl_t ctrl, uri_item_t keyservers,
int is_ldap = 0;
#if USE_LDAP
is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
is_ldap = (!strcmp (uri->parsed_uri->scheme, "ldap")
|| !strcmp (uri->parsed_uri->scheme, "ldaps")
|| !strcmp (uri->parsed_uri->scheme, "ldapi")
|| uri->parsed_uri->opaque);
#endif
if (is_http || is_ldap)