security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

Add support to talking to LDAP key servers. 

* g10/call-dirmngr.c (record_output): New function.
(ks_put_inq_cb): Use it here to generate a --with-colons like output
instead of a custom format.
* dirmngr/ks-action.c: Include "ldap-parse-uri.h".
(ks_action_help): If the provided URI is an LDAP URI, then use
ldap_parse_uri to parse.  Call ks_ldap_help.
(ks_action_search): If passed an LDAP URI, then call ks_ldap_search.
(ks_action_get): Likewise.
(ks_action_put): Likewise.  Also, change data from a 'const void *' to
a 'void *' and add info and infolen parameters.  Add note that
function may modify DATA.
* dirmngr/ks-action.h (ks_action_put): Update declaration accordingly.
* dirmngr/server.c: Include "ldap-parse-uri.h".
(cmd_keyserver): If ITEM->URI is an LDAP URI, parse it using
ldap_parse_uri.
(hlp_ks_put): Improve documentation.
(cmd_ks_put): Also pass info and infolen to ks_action_put.  Improve
documentation.
* dirmngr/ks-engine.h (ks_ldap_help): New declaration.
(ks_ldap_search): Likewise.
(ks_ldap_get): Likewise.
(ks_ldap_put): Likewise.
* dirmngr/ks-engine-ldap.c: New file.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add ks-engine-ldap.c,
ldap-parse-uri.c and ldap-parse-uri.h.
(dirmngr_LDADD) [USE_LDAP]: Add $(ldaplibs).

--
Signed-off-by: Neal H. Walfield <neal@g10code.de>
This commit is contained in:
Neal H. Walfield 2015-03-19 11:02:46 +01:00
parent 81e8306085
commit 51341badb6
8 changed files with 2322 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
dirmngr/Makefile.am
View File

@ -62,7 +62,9 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
cdb.h cdblib.c misc.c dirmngr-err.h \
ocsp.c ocsp.h validate.c validate.h \
ks-action.c ks-action.h ks-engine.h \
ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c \
ks-engine-ldap.c \
ldap-parse-uri.c ldap-parse-uri.h
if USE_LDAP
dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \
@ -77,6 +79,9 @@ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
$(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
if USE_LDAP
dirmngr_LDADD += $(ldaplibs)
endif
if !USE_LDAPWRAPPER
dirmngr_LDADD += $(ldaplibs)
endif
@ -104,7 +109,8 @@ no-libgcrypt.c : $(top_srcdir)/tools/no-libgcrypt.c
t_common_src = t-support.h
# We need libcommontls, because we use the http functions.
t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o $(GPG_ERROR_LIBS)
t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o \
$(GPG_ERROR_LIBS) $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS)
module_tests = t-ldap-parse-uri
t_ldap_parse_uri_SOURCES = \

58
dirmngr/ks-action.c
View File

@ -1,6 +1,7 @@
/* ks-action.c - OpenPGP keyserver actions
* Copyright (C) 2011 Free Software Foundation, Inc.
* Copyright (C) 2011, 2014 Werner Koch
* Copyright (C) 2015 g10 Code GmbH
*
* This file is part of GnuPG.
*
@ -29,7 +30,7 @@
#include "misc.h"
#include "ks-engine.h"
#include "ks-action.h"
#include "ldap-parse-uri.h"
/* Called by the engine's help functions to print the actual help. */
gpg_error_t
@ -72,7 +73,11 @@ ks_action_help (ctrl_t ctrl, const char *url)
}
else
{
err = http_parse_uri (&parsed_uri, url, 1);
if (ldap_uri_p (url))
err = ldap_parse_uri (&parsed_uri, url);
else
err = http_parse_uri (&parsed_uri, url, 1);
if (err)
return err;
}
@ -85,6 +90,8 @@ ks_action_help (ctrl_t ctrl, const char *url)
err = ks_finger_help (ctrl, parsed_uri);
if (!err)
err = ks_kdns_help (ctrl, parsed_uri);
if (!err)
err = ks_ldap_help (ctrl, parsed_uri);
if (!parsed_uri)
ks_print_help (ctrl,
@ -142,10 +149,18 @@ ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
stop at the first error. */
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
int is_http = uri->parsed_uri->is_http;
int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
if (is_http || is_ldap)
{
any_server = 1;
err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
if (is_http)
err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
else if (is_ldap)
err = ks_ldap_search (ctrl, uri->parsed_uri, patterns->d, &infp);
if (!err)
{
err = copy_stream (infp, outfp);
@ -185,12 +200,20 @@ ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
Need to think about a better strategy. */
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
int is_http = uri->parsed_uri->is_http;
int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
if (is_http || is_ldap)
{
any_server = 1;
for (sl = patterns; !err && sl; sl = sl->next)
{
err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
if (is_http)
err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
else
err = ks_ldap_get (ctrl, uri->parsed_uri, sl->d, &infp);
if (err)
{
/* It is possible that a server does not carry a
@ -282,9 +305,14 @@ ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp)
/* Send an OpenPGP key to all keyservers. The key in {DATA,DATALEN}
is expected in OpenPGP binary transport format. */
is expected to be in OpenPGP binary transport format. The metadata
in {INFO,INFOLEN} is in colon-separated format (concretely, it is
the output of 'for x in keys sigs; do gpg --list-$x --with-colons
KEYID; done'. This function may modify DATA and INFO. If this is
a problem, then the caller should create a copy. */
gpg_error_t
ks_action_put (ctrl_t ctrl, const void *data, size_t datalen)
ks_action_put (ctrl_t ctrl, void *data, size_t datalen,
void *info, size_t infolen)
{
gpg_error_t err = 0;
gpg_error_t first_err = 0;
@ -293,10 +321,20 @@ ks_action_put (ctrl_t ctrl, const void *data, size_t datalen)
for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
{
if (uri->parsed_uri->is_http)
int is_http = uri->parsed_uri->is_http;
int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
|| strcmp (uri->parsed_uri->scheme, "ldaps") == 0
|| strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
if (is_http || is_ldap)
{
any_server = 1;
err = ks_hkp_put (ctrl, uri->parsed_uri, data, datalen);
if (is_http)
err = ks_hkp_put (ctrl, uri->parsed_uri, data, datalen);
else
err = ks_ldap_put (ctrl, uri->parsed_uri, data, datalen,
info, infolen);
if (err)
{
first_err = err;

4
dirmngr/ks-action.h
View File

@ -1,5 +1,6 @@
/* ks-action.h - OpenPGP keyserver actions definitions
* Copyright (C) 2011 Free Software Foundation, Inc.
* 2015 g10 Code GmbH
*
* This file is part of GnuPG.
*
@ -25,7 +26,8 @@ gpg_error_t ks_action_resolve (ctrl_t ctrl);
gpg_error_t ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
gpg_error_t ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
gpg_error_t ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp);
gpg_error_t ks_action_put (ctrl_t ctrl, const void *data, size_t datalen);
gpg_error_t ks_action_put (ctrl_t ctrl, void *data, size_t datalen,
void *info, size_t infolen);
#endif /*DIRMNGR_KS_ACTION_H*/

2055
dirmngr/ks-engine-ldap.c Normal file
View File

File diff suppressed because it is too large Load Diff

10
dirmngr/ks-engine.h
View File

@ -1,5 +1,6 @@
/* ks-engine.h - Keyserver engines definitions
* Copyright (C) 2011 Free Software Foundation, Inc.
* Copyright (C) 2015 g10 Code GmbH
*
* This file is part of GnuPG.
*
@ -52,6 +53,15 @@ gpg_error_t ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
/*-- ks-engine-ldap.c --*/
gpg_error_t ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri);
gpg_error_t ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
estream_t *r_fp);
gpg_error_t ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri,
const char *keyspec, estream_t *r_fp);
gpg_error_t ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
void *data, size_t datalen,
void *info, size_t infolen);
#endif /*DIRMNGR_KS_ENGINE_H*/

35
dirmngr/ldap-parse-uri.c
View File

@ -127,7 +127,7 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
len = 0;
#define add(s) ({ if (s) len += strlen (s) + 1; })
#define add(s) { if (s) len += strlen (s) + 1; }
add (scheme);
add (host);
@ -144,27 +144,30 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)
buffer = puri->buffer;
#define copy(s) \
({ \
char *copy_result = NULL; \
if (s) \
{ \
copy_result = buffer; \
buffer = stpcpy (buffer, s) + 1; \
} \
copy_result; \
})
#define copy(to, s) \
do \
{ \
if (s) \
{ \
to = buffer; \
buffer = stpcpy (buffer, s) + 1; \
} \
} \
while (0)
puri->scheme = ascii_strlwr (copy (scheme));
puri->host = copy (host);
puri->path = copy (dn);
puri->auth = copy (bindname);
copy (puri->scheme, scheme);
/* Make sure the scheme is lower case. */
ascii_strlwr (puri->scheme);
copy (puri->host, host);
copy (puri->path, dn);
copy (puri->auth, bindname);
if (password)
{
puri->query = calloc (sizeof (*puri->query), 1);
puri->query->name = "password";
puri->query->value = copy (password);
copy (puri->query->value, password);
puri->query->valuelen = strlen (password) + 1;
}

15
dirmngr/server.c
View File

@ -2,6 +2,7 @@
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
* Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009, 2011 g10 Code GmbH
* Copyright (C) 2014 Werner Koch
* Copyright (C) 2015 g10 Code GmbH
*
* This file is part of GnuPG.
*
@ -48,6 +49,7 @@
#endif
#include "ks-action.h"
#include "ks-engine.h" /* (ks_hkp_print_hosttable) */
#include "ldap-parse-uri.h"
/* To avoid DoS attacks we limit the size of a certificate to
something reasonable. */
@ -1524,7 +1526,10 @@ cmd_keyserver (assuan_context_t ctx, char *line)
item->parsed_uri = NULL;
strcpy (item->uri, line);
err = http_parse_uri (&item->parsed_uri, line, 1);
if (ldap_uri_p (item->uri))
err = ldap_parse_uri (&item->parsed_uri, line);
else
err = http_parse_uri (&item->parsed_uri, line, 1);
if (err)
{
xfree (item);
@ -1709,13 +1714,15 @@ static const char hlp_ks_put[] =
"\n"
" INQUIRE KEYBLOCK\n"
"\n"
"The client shall respond with a binary version of the keyblock. For LDAP\n"
"The client shall respond with a binary version of the keyblock (e.g.,\n"
"the output of `gpg --export KEYID'). For LDAP\n"
"keyservers Dirmngr may ask for meta information of the provided keyblock\n"
"using:\n"
"\n"
" INQUIRE KEYBLOCK_INFO\n"
"\n"
"The client shall respond with a colon delimited info lines";
"The client shall respond with a colon delimited info lines (the output\n"
"of 'for x in keys sigs; do gpg --list-$x --with-colons KEYID; done').\n";
static gpg_error_t
cmd_ks_put (assuan_context_t ctx, char *line)
{
@ -1755,7 +1762,7 @@ cmd_ks_put (assuan_context_t ctx, char *line)
}
/* Send the key. */
err = ks_action_put (ctrl, value, valuelen);
err = ks_action_put (ctrl, value, valuelen, info, infolen);
leave:
xfree (info);

200
g10/call-dirmngr.c
View File

@ -1,5 +1,6 @@
/* call-dirmngr.c - GPG operations to the Dirmngr.
* Copyright (C) 2011 Free Software Foundation, Inc.
* Copyright (C) 2015 g10 Code GmbH
*
* This file is part of GnuPG.
*
@ -585,6 +586,117 @@ gpg_dirmngr_ks_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
static void
record_output (estream_t output,
pkttype_t type,
const char *validity,
/* The public key length or -1. */
int pub_key_length,
/* The public key algo or -1. */
int pub_key_algo,
/* 2 ulongs or NULL. */
const u32 *keyid,
/* The creation / expiration date or 0. */
u32 creation_date,
u32 expiration_date,
const char *userid)
{
const char *type_str = NULL;
char *pub_key_length_str = NULL;
char *pub_key_algo_str = NULL;
char *keyid_str = NULL;
char *creation_date_str = NULL;
char *expiration_date_str = NULL;
char *userid_escaped = NULL;
switch (type)
{
case PKT_PUBLIC_KEY:
type_str = "pub";
break;
case PKT_PUBLIC_SUBKEY:
type_str = "sub";
break;
case PKT_USER_ID:
type_str = "uid";
break;
case PKT_SIGNATURE:
type_str = "sig";
break;
default:
assert (! "Unhandled type.");
}
if (pub_key_length > 0)
pub_key_length_str = xasprintf ("%d", pub_key_length);
if (pub_key_algo != -1)
pub_key_algo_str = xasprintf ("%d", pub_key_algo);
if (keyid)
keyid_str = xasprintf ("%08lX%08lX", (ulong) keyid[0], (ulong) keyid[1]);
if (creation_date)
creation_date_str = xstrdup (colon_strtime (creation_date));
if (expiration_date)
expiration_date_str = xstrdup (colon_strtime (expiration_date));
/* Quote ':', '%', and any 8-bit characters. */
if (userid)
{
int r;
int w = 0;
int len = strlen (userid);
/* A 100k character limit on the uid should be way more than
enough. */
if (len > 100 * 1024)
len = 100 * 1024;
/* The minimum amount of space that we need. */
userid_escaped = xmalloc (len * 3 + 1);
for (r = 0; r < len; r++)
{
if (userid[r] == ':' || userid[r]== '%' || (userid[r] & 0x80))
{
sprintf (&userid_escaped[w], "%%%02X", (byte) userid[r]);
w += 3;
}
else
userid_escaped[w ++] = userid[r];
}
userid_escaped[w] = '\0';
}
es_fprintf (output, "%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s\n",
type_str,
validity ?: "",
pub_key_length_str ?: "",
pub_key_algo_str ?: "",
keyid_str ?: "",
creation_date_str ?: "",
expiration_date_str ?: "",
"" /* Certificate S/N */,
"" /* Ownertrust. */,
userid_escaped ?: "",
"" /* Signature class. */,
"" /* Key capabilities. */,
"" /* Issuer certificate fingerprint. */,
"" /* Flag field. */,
"" /* S/N of a token. */,
"" /* Hash algo. */,
"" /* Curve name. */);
xfree (userid_escaped);
xfree (expiration_date_str);
xfree (creation_date_str);
xfree (keyid_str);
xfree (pub_key_algo_str);
xfree (pub_key_length_str);
}
/* Handle the KS_PUT inquiries. */
static gpg_error_t
ks_put_inq_cb (void *opaque, const char *line)
@ -607,53 +719,80 @@ ks_put_inq_cb (void *opaque, const char *line)
if (!fp)
err = gpg_error_from_syserror ();
/* Note: the output format for the INFO block follows the colon
format as described in doc/DETAILS. We don't actually reuse
the functionality from g10/keylist.c to produce the output,
because we don't need all of it and some of it is quite
expensive to generate.
The fields are (the starred fields are the ones we need):
* Field 1 - Type of record
* Field 2 - Validity
* Field 3 - Key length
* Field 4 - Public key algorithm
* Field 5 - KeyID
* Field 6 - Creation date
* Field 7 - Expiration date
Field 8 - Certificate S/N, UID hash, trust signature info
Field 9 - Ownertrust
* Field 10 - User-ID
Field 11 - Signature class
Field 12 - Key capabilities
Field 13 - Issuer certificate fingerprint or other info
Field 14 - Flag field
Field 15 - S/N of a token
Field 16 - Hash algorithm
Field 17 - Curve name
*/
for (node = parm->keyblock; !err && node; node=node->next)
{
switch(node->pkt->pkttype)
switch (node->pkt->pkttype)
{
case PKT_PUBLIC_KEY:
case PKT_PUBLIC_SUBKEY:
{
PKT_public_key *pk = node->pkt->pkt.public_key;
char validity[3];
int i;
i = 0;
if (pk->flags.revoked)
validity[i ++] = 'r';
if (pk->has_expired)
validity[i ++] = 'e';
validity[i] = '\0';
keyid_from_pk (pk, NULL);
es_fprintf (fp, "%s:%08lX%08lX:%u:%u:%u:%u:%s%s:\n",
node->pkt->pkttype==PKT_PUBLIC_KEY? "pub" : "sub",
(ulong)pk->keyid[0], (ulong)pk->keyid[1],
pk->pubkey_algo,
nbits_from_pk (pk),
pk->timestamp,
pk->expiredate,
pk->flags.revoked? "r":"",
pk->has_expired? "e":"");
record_output (fp, node->pkt->pkttype, validity,
nbits_from_pk (pk), pk->pubkey_algo,
pk->keyid, pk->timestamp, pk->expiredate,
NULL);
}
break;
case PKT_USER_ID:
{
PKT_user_id *uid = node->pkt->pkt.user_id;
int r;
if (!uid->attrib_data)
{
es_fprintf (fp, "uid:");
char validity[3];
int i;
/* Quote ':', '%', and any 8-bit characters. */
for (r=0; r < uid->len; r++)
{
if (uid->name[r] == ':'
|| uid->name[r]== '%'
|| (uid->name[r]&0x80))
es_fprintf (fp, "%%%02X", (byte)uid->name[r]);
else
es_putc (uid->name[r], fp);
}
i = 0;
if (uid->is_revoked)
validity[i ++] = 'r';
if (uid->is_expired)
validity[i ++] = 'e';
validity[i] = '\0';
es_fprintf (fp, ":%u:%u:%s%s:\n",
uid->created,uid->expiredate,
uid->is_revoked? "r":"",
uid->is_expired? "e":"");
record_output (fp, node->pkt->pkttype, validity,
-1, -1, NULL,
uid->created, uid->expiredate,
uid->name);
}
}
break;
@ -667,12 +806,9 @@ ks_put_inq_cb (void *opaque, const char *line)
PKT_signature *sig = node->pkt->pkt.signature;
if (IS_UID_SIG (sig))
{
es_fprintf (fp, "sig:%08lX%08lX:%X:%u:%u:\n",
(ulong)sig->keyid[0],(ulong)sig->keyid[1],
sig->sig_class, sig->timestamp,
sig->expiredate);
}
record_output (fp, node->pkt->pkttype, NULL,
-1, -1, sig->keyid,
sig->timestamp, sig->expiredate, NULL);
}
break;