
dirmngr: Allow for non-URL specified ldap keyservers.

* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.

* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string.  Improve error messages for the non-file case.  Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls.  Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--

The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification.  The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
Thus we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls.  The code is nearly 100%
compatible to existing specification.  There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).

GnuPG-bug-id: 5405, 5452
Werner Koch 2021-05-26 14:48:27 +02:00
parent 9f586700ec
commit 2b4cddf908
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
6 changed files with 378 additions and 147 deletions


@ -55,6 +55,15 @@ ldapserver_list_free (ldap_server_t servers)
3. field: Username
4. field: Password
5. field: Base DN
6. field: Flags
Flags are:
starttls := Use STARTTLS with a default port of 389
ldaptls := Tunnel LDAP trough a TLS tunnel with default port 636
plain := Switch to plain unsecured LDAP.
(The last of these 3 flags is the effective one)
ntds := Use Active Directory authentication
FILENAME and LINENO are used for diagnostic purposes only.
*/
@ -69,7 +78,13 @@ ldapserver_parse_one (char *line,
int fail = 0;
/* Parse the colon separated fields. */
server = xcalloc (1, sizeof *server);
server = xtrycalloc (1, sizeof *server);
if (!server)
{
fail = 1;
goto leave;
}
for (fieldno = 1, p = line; p; p = endp, fieldno++ )
{
endp = strchr (p, ':');
@ -79,14 +94,9 @@ ldapserver_parse_one (char *line,
switch (fieldno)
{
case 1:
if (*p)
server->host = xstrdup (p);
else
{
log_error (_("%s:%u: no hostname given\n"),
filename, lineno);
fail = 1;
}
server->host = xtrystrdup (p);
if (!server->host)
fail = 1;
break;
case 2:
@ -95,35 +105,104 @@ ldapserver_parse_one (char *line,
break;
case 3:
if (*p)
server->user = xstrdup (p);
server->user = xtrystrdup (p);
if (!server->user)
fail = 1;
break;
case 4:
if (*p && !server->user)
{
log_error (_("%s:%u: password given without user\n"),
filename, lineno);
if (filename)
log_error (_("%s:%u: password given without user\n"),
filename, lineno);
else
log_error ("ldap: password given without user ('%s')\n", line);
fail = 1;
}
else if (*p)
server->pass = xstrdup (p);
{
server->pass = xtrystrdup (p);
if (!server->pass)
fail = 1;
}
break;
case 5:
if (*p)
server->base = xstrdup (p);
{
server->base = xtrystrdup (p);
if (!server->base)
fail = 1;;
}
break;
case 6:
{
char **flags = NULL;
int i;
const char *s;
flags = strtokenize (p, ",");
if (!flags)
{
log_error ("strtokenize failed: %s\n",
gpg_strerror (gpg_error_from_syserror ()));
fail = 1;
break;
}
for (i=0; (s = flags[i]); i++)
{
if (!*s)
;
else if (!ascii_strcasecmp (s, "starttls"))
{
server->starttls = 1;
server->ldap_over_tls = 0;
}
else if (!ascii_strcasecmp (s, "ldaptls"))
{
server->starttls = 0;
server->ldap_over_tls = 1;
}
else if (!ascii_strcasecmp (s, "plain"))
{
server->starttls = 0;
server->ldap_over_tls = 0;
}
else if (!ascii_strcasecmp (s, "ntds"))
{
server->ntds = 1;
}
else
{
if (filename)
log_info (_("%s:%u: ignoring unknown flag '%s'\n"),
filename, lineno, s);
else
log_info ("ldap: unknown flag '%s' ignored in (%s)\n",
s, line);
}
}
xfree (flags);
}
break;
default:
/* (We silently ignore extra fields.) */
break;
}
}
leave:
if (fail)
{
log_info (_("%s:%u: skipping this line\n"), filename, lineno);
if (filename)
log_info (_("%s:%u: skipping this line\n"), filename, lineno);
else
log_info ("ldap: error in server spec ('%s')\n", line);
ldapserver_list_free (server);
server = NULL;
}