Add support to talking to LDAP key servers.

* g10/call-dirmngr.c (record_output): New function. (ks_put_inq_cb): Use it here to generate a --with-colons like output instead of a custom format. * dirmngr/ks-action.c: Include "ldap-parse-uri.h". (ks_action_help): If the provided URI is an LDAP URI, then use ldap_parse_uri to parse. Call ks_ldap_help. (ks_action_search): If passed an LDAP URI, then call ks_ldap_search. (ks_action_get): Likewise. (ks_action_put): Likewise. Also, change data from a 'const void *' to a 'void *' and add info and infolen parameters. Add note that function may modify DATA. * dirmngr/ks-action.h (ks_action_put): Update declaration accordingly. * dirmngr/server.c: Include "ldap-parse-uri.h". (cmd_keyserver): If ITEM->URI is an LDAP URI, parse it using ldap_parse_uri. (hlp_ks_put): Improve documentation. (cmd_ks_put): Also pass info and infolen to ks_action_put. Improve documentation. * dirmngr/ks-engine.h (ks_ldap_help): New declaration. (ks_ldap_search): Likewise. (ks_ldap_get): Likewise. (ks_ldap_put): Likewise. * dirmngr/ks-engine-ldap.c: New file. * dirmngr/Makefile.am (dirmngr_SOURCES): Add ks-engine-ldap.c, ldap-parse-uri.c and ldap-parse-uri.h. (dirmngr_LDADD) [USE_LDAP]: Add $(ldaplibs). -- Signed-off-by: Neal H. Walfield <neal@g10code.de>
2025-07-02 22:46:30 +02:00 · 2015-03-19 11:02:46 +01:00 · 2015-03-19 11:02:46 +01:00 · 51341badb6
commit 51341badb6
parent 81e8306085
8 changed files with 2322 additions and 65 deletions
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@ -62,7 +62,9 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c	\
 	cdb.h cdblib.c misc.c dirmngr-err.h  \
 	ocsp.c ocsp.h validate.c validate.h  \
 	ks-action.c ks-action.h ks-engine.h \
-        ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
+        ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c \
+	ks-engine-ldap.c \
+	ldap-parse-uri.c ldap-parse-uri.h

 if USE_LDAP
 dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \
@ -77,6 +79,9 @@ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
        $(DNSLIBS) $(LIBASSUAN_LIBS) \
 	$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
 	$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
+if USE_LDAP
+dirmngr_LDADD += $(ldaplibs)
+endif
 if !USE_LDAPWRAPPER
 dirmngr_LDADD += $(ldaplibs)
 endif
@ -104,7 +109,8 @@ no-libgcrypt.c : $(top_srcdir)/tools/no-libgcrypt.c

 t_common_src = t-support.h
 # We need libcommontls, because we use the http functions.
-t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o $(GPG_ERROR_LIBS)
+t_common_ldadd = $(libcommontls) $(libcommon) no-libgcrypt.o \
+	$(GPG_ERROR_LIBS) $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS)

 module_tests = t-ldap-parse-uri
 t_ldap_parse_uri_SOURCES = \
--- a/dirmngr/ks-action.c
+++ b/dirmngr/ks-action.c
@ -1,6 +1,7 @@
 /* ks-action.c - OpenPGP keyserver actions
 * Copyright (C) 2011 Free Software Foundation, Inc.
 * Copyright (C) 2011, 2014 Werner Koch
+ * Copyright (C) 2015  g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -29,7 +30,7 @@
 #include "misc.h"
 #include "ks-engine.h"
 #include "ks-action.h"
-
+#include "ldap-parse-uri.h"

 /* Called by the engine's help functions to print the actual help.  */
 gpg_error_t
@ -72,7 +73,11 @@ ks_action_help (ctrl_t ctrl, const char *url)
    }
  else
    {
-      err = http_parse_uri (&parsed_uri, url, 1);
+      if (ldap_uri_p (url))
+	err = ldap_parse_uri (&parsed_uri, url);
+      else
+	err = http_parse_uri (&parsed_uri, url, 1);
+
      if (err)
        return err;
    }
@ -85,6 +90,8 @@ ks_action_help (ctrl_t ctrl, const char *url)
    err = ks_finger_help (ctrl, parsed_uri);
  if (!err)
    err = ks_kdns_help (ctrl, parsed_uri);
+  if (!err)
+    err = ks_ldap_help (ctrl, parsed_uri);

  if (!parsed_uri)
    ks_print_help (ctrl,
@ -142,10 +149,18 @@ ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
     stop at the first error. */
  for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
    {
-      if (uri->parsed_uri->is_http)
+      int is_http = uri->parsed_uri->is_http;
+      int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldaps") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
+      if (is_http || is_ldap)
        {
          any_server = 1;
-          err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
+	  if (is_http)
+	    err = ks_hkp_search (ctrl, uri->parsed_uri, patterns->d, &infp);
+	  else if (is_ldap)
+	    err = ks_ldap_search (ctrl, uri->parsed_uri, patterns->d, &infp);
+
          if (!err)
            {
              err = copy_stream (infp, outfp);
@ -185,12 +200,20 @@ ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp)
     Need to think about a better strategy.  */
  for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
    {
-      if (uri->parsed_uri->is_http)
+      int is_http = uri->parsed_uri->is_http;
+      int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldaps") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
+      if (is_http || is_ldap)
        {
          any_server = 1;
          for (sl = patterns; !err && sl; sl = sl->next)
            {
-              err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
+	      if (is_http)
+		err = ks_hkp_get (ctrl, uri->parsed_uri, sl->d, &infp);
+	      else
+		err = ks_ldap_get (ctrl, uri->parsed_uri, sl->d, &infp);
+
              if (err)
                {
                  /* It is possible that a server does not carry a
@ -282,9 +305,14 @@ ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp)


 /* Send an OpenPGP key to all keyservers.  The key in {DATA,DATALEN}
-   is expected in OpenPGP binary transport format.  */
+   is expected to be in OpenPGP binary transport format.  The metadata
+   in {INFO,INFOLEN} is in colon-separated format (concretely, it is
+   the output of 'for x in keys sigs; do gpg --list-$x --with-colons
+   KEYID; done'.  This function may modify DATA and INFO.  If this is
+   a problem, then the caller should create a copy.  */
 gpg_error_t
-ks_action_put (ctrl_t ctrl, const void *data, size_t datalen)
+ks_action_put (ctrl_t ctrl, void *data, size_t datalen,
+	       void *info, size_t infolen)
 {
  gpg_error_t err = 0;
  gpg_error_t first_err = 0;
@ -293,10 +321,20 @@ ks_action_put (ctrl_t ctrl, const void *data, size_t datalen)

  for (uri = ctrl->keyservers; !err && uri; uri = uri->next)
    {
-      if (uri->parsed_uri->is_http)
+      int is_http = uri->parsed_uri->is_http;
+      int is_ldap = (strcmp (uri->parsed_uri->scheme, "ldap") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldaps") == 0
+		     || strcmp (uri->parsed_uri->scheme, "ldapi") == 0);
+
+      if (is_http || is_ldap)
        {
          any_server = 1;
-          err = ks_hkp_put (ctrl, uri->parsed_uri, data, datalen);
+	  if (is_http)
+	    err = ks_hkp_put (ctrl, uri->parsed_uri, data, datalen);
+	  else
+	    err = ks_ldap_put (ctrl, uri->parsed_uri, data, datalen,
+			       info, infolen);
+
          if (err)
            {
              first_err = err;
--- a/dirmngr/ks-action.h
+++ b/dirmngr/ks-action.h
@ -1,5 +1,6 @@
 /* ks-action.h - OpenPGP keyserver actions definitions
 * Copyright (C) 2011 Free Software Foundation, Inc.
+ *               2015 g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -25,7 +26,8 @@ gpg_error_t ks_action_resolve (ctrl_t ctrl);
 gpg_error_t ks_action_search (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
 gpg_error_t ks_action_get (ctrl_t ctrl, strlist_t patterns, estream_t outfp);
 gpg_error_t ks_action_fetch (ctrl_t ctrl, const char *url, estream_t outfp);
-gpg_error_t ks_action_put (ctrl_t ctrl, const void *data, size_t datalen);
+gpg_error_t ks_action_put (ctrl_t ctrl, void *data, size_t datalen,
+			   void *info, size_t infolen);


 #endif /*DIRMNGR_KS_ACTION_H*/
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
--- a/dirmngr/ks-engine.h
+++ b/dirmngr/ks-engine.h
@ -1,5 +1,6 @@
 /* ks-engine.h - Keyserver engines definitions
 * Copyright (C) 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2015  g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -52,6 +53,15 @@ gpg_error_t ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
 gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri);
 gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);

+/*-- ks-engine-ldap.c --*/
+gpg_error_t ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri);
+gpg_error_t ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
+			    estream_t *r_fp);
+gpg_error_t ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri,
+			 const char *keyspec, estream_t *r_fp);
+gpg_error_t ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
+			 void *data, size_t datalen,
+			 void *info, size_t infolen);


 #endif /*DIRMNGR_KS_ENGINE_H*/
--- a/dirmngr/ldap-parse-uri.c
+++ b/dirmngr/ldap-parse-uri.c
@ -127,7 +127,7 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)

  len = 0;

-#define add(s) ({ if (s) len += strlen (s) + 1; })
+#define add(s) { if (s) len += strlen (s) + 1; }

  add (scheme);
  add (host);
@ -144,27 +144,30 @@ ldap_parse_uri (parsed_uri_t *purip, const char *uri)

  buffer = puri->buffer;

-#define copy(s)					\
-  ({						\
-    char *copy_result = NULL;			\
-    if (s)					\
-      {						\
-	copy_result = buffer;			\
-	buffer = stpcpy (buffer, s) + 1;	\
-      }						\
-    copy_result;				\
-  })
+#define copy(to, s)				\
+  do						\
+    {						\
+      if (s)					\
+	{					\
+	  to = buffer;				\
+	  buffer = stpcpy (buffer, s) + 1;	\
+	}					\
+    }						\
+  while (0)

-  puri->scheme = ascii_strlwr (copy (scheme));
-  puri->host = copy (host);
-  puri->path = copy (dn);
-  puri->auth = copy (bindname);
+  copy (puri->scheme, scheme);
+  /* Make sure the scheme is lower case.  */
+  ascii_strlwr (puri->scheme);
+
+  copy (puri->host, host);
+  copy (puri->path, dn);
+  copy (puri->auth, bindname);

  if (password)
    {
      puri->query = calloc (sizeof (*puri->query), 1);
      puri->query->name = "password";
-      puri->query->value = copy (password);
+      copy (puri->query->value, password);
      puri->query->valuelen = strlen (password) + 1;
    }

--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -2,6 +2,7 @@
 * Copyright (C) 2002 Klarälvdalens Datakonsult AB
 * Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009, 2011 g10 Code GmbH
 * Copyright (C) 2014 Werner Koch
+ * Copyright (C) 2015  g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -48,6 +49,7 @@
 #endif
 #include "ks-action.h"
 #include "ks-engine.h"  /* (ks_hkp_print_hosttable) */
+#include "ldap-parse-uri.h"

 /* To avoid DoS attacks we limit the size of a certificate to
   something reasonable. */
@ -1524,7 +1526,10 @@ cmd_keyserver (assuan_context_t ctx, char *line)
      item->parsed_uri = NULL;
      strcpy (item->uri, line);

-      err = http_parse_uri (&item->parsed_uri, line, 1);
+      if (ldap_uri_p (item->uri))
+	err = ldap_parse_uri (&item->parsed_uri, line);
+      else
+	err = http_parse_uri (&item->parsed_uri, line, 1);
      if (err)
        {
          xfree (item);
@ -1709,13 +1714,15 @@ static const char hlp_ks_put[] =
  "\n"
  "  INQUIRE KEYBLOCK\n"
  "\n"
-  "The client shall respond with a binary version of the keyblock.  For LDAP\n"
+  "The client shall respond with a binary version of the keyblock (e.g.,\n"
+  "the output of `gpg --export KEYID').  For LDAP\n"
  "keyservers Dirmngr may ask for meta information of the provided keyblock\n"
  "using:\n"
  "\n"
  "  INQUIRE KEYBLOCK_INFO\n"
  "\n"
-  "The client shall respond with a colon delimited info lines";
+  "The client shall respond with a colon delimited info lines (the output\n"
+  "of 'for x in keys sigs; do gpg --list-$x --with-colons KEYID; done').\n";
 static gpg_error_t
 cmd_ks_put (assuan_context_t ctx, char *line)
 {
@ -1755,7 +1762,7 @@ cmd_ks_put (assuan_context_t ctx, char *line)
    }

  /* Send the key.  */
-  err = ks_action_put (ctrl, value, valuelen);
+  err = ks_action_put (ctrl, value, valuelen, info, infolen);

 leave:
  xfree (info);