security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

dirmngr: Fix default port for our redefinition of ldaps.

Browse Source 
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac83fa20cb52b847b643311841be4d6dc)
This commit is contained in:
Werner Koch 2021-05-28 15:20:57 +02:00
parent 3e05f99e8d
commit 58e4c82512
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 43 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
dirmngr/ks-engine-ldap.c
View File

@ -571,15 +571,14 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
} }
} }
if (opt.debug) if (opt.verbose)
log_debug ("my_ldap_connect(%s:%d/%s????%s%s%s%s%s)\n", log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
host, port, host, port,
basedn_arg ? basedn_arg : "", basedn_arg ? basedn_arg : "",
bindname ? "bindname=" : "", bindname ? bindname : "",
bindname ? bindname : "", password ? "*****" : "",
password ? "," : "", use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
password ? "password=>not_shown<" : "", use_ntds ? ",ntds":"");
use_ntds ? " auth=>current_user<":"");
/* If the uri specifies a secure connection and we don't support /* If the uri specifies a secure connection and we don't support
@ -596,6 +595,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
#ifdef HAVE_W32_SYSTEM #ifdef HAVE_W32_SYSTEM
/* Note that host==NULL uses the default domain controller. */
npth_unprotect (); npth_unprotect ();
ldap_conn = ldap_sslinit (host, port, (use_tls == 2)); ldap_conn = ldap_sslinit (host, port, (use_tls == 2));
npth_protect (); npth_protect ();
@ -619,7 +619,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
npth_unprotect (); npth_unprotect ();
lerr = ldap_initialize (&ldap_conn, tmpstr); lerr = ldap_initialize (&ldap_conn, tmpstr);
npth_protect (); npth_protect ();
if (lerr || !ldap_conn) if (lerr != LDAP_SUCCESS || !ldap_conn)
{ {
err = ldap_err_to_gpg_err (lerr); err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s': %s\n", log_error ("error initializing LDAP '%s': %s\n",
@ -655,7 +655,8 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
err = ldap_err_to_gpg_err (lerr); err = ldap_err_to_gpg_err (lerr);
goto out; goto out;
} }
if (opt.verbose)
log_info ("ldap timeout set to %us\n", opt.ldaptimeout);
} }
#endif #endif
@ -704,8 +705,6 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
if (use_ntds) if (use_ntds)
{ {
if (opt.debug)
log_debug ("ldap: binding to current user via AD\n");
#ifdef HAVE_W32_SYSTEM #ifdef HAVE_W32_SYSTEM
npth_unprotect (); npth_unprotect ();
lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE); lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
@ -718,16 +717,13 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
goto out; goto out;
} }
#else #else
log_error ("ldap: no Active Directory support but 'ntds' requested\n");
err = gpg_error (GPG_ERR_NOT_SUPPORTED); err = gpg_error (GPG_ERR_NOT_SUPPORTED);
goto out; goto out;
#endif #endif
} }
else if (bindname) else if (bindname)
{ {
if (opt.debug)
log_debug ("LDAP bind to '%s', password '%s'\n",
bindname, password ? ">not_shown<" : ">none<");
npth_unprotect (); npth_unprotect ();
lerr = ldap_simple_bind_s (ldap_conn, bindname, password); lerr = ldap_simple_bind_s (ldap_conn, bindname, password);
npth_protect (); npth_protect ();

44
dirmngr/server.c
View File

@ -1193,7 +1193,7 @@ cmd_ldapserver (assuan_context_t ctx, char *line)
server->host? server->host : "", server->host? server->host : "",
portstr, portstr,
server->user? server->user : "", server->user? server->user : "",
server->pass? "[not_shown]": "", server->pass? "*****": "",
server->base? server->base : "", server->base? server->base : "",
server->starttls ? "starttls" : server->starttls ? "starttls" :
server->ldap_over_tls ? "ldaptls" : "none", server->ldap_over_tls ? "ldaptls" : "none",
@ -2119,6 +2119,7 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
gpg_error_t err; gpg_error_t err;
uri_item_t item; uri_item_t item;
const char *s; const char *s;
char *tmpstr = NULL;
*r_item = NULL; *r_item = NULL;
@ -2164,7 +2165,6 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
#if USE_LDAP #if USE_LDAP
if (!strncmp (uri, "ldap:", 5) && !(uri[5] == '/' && uri[6] == '/')) if (!strncmp (uri, "ldap:", 5) && !(uri[5] == '/' && uri[6] == '/'))
{ {
char *tmpstr;
/* Special ldap scheme given. This differs from a valid ldap /* Special ldap scheme given. This differs from a valid ldap
* scheme in that no double slash follows.. Use http_parse_uri * scheme in that no double slash follows.. Use http_parse_uri
* to put it as opaque value into parsed_uri. */ * to put it as opaque value into parsed_uri. */
@ -2172,39 +2172,55 @@ make_keyserver_item (const char *uri, uri_item_t *r_item)
if (!tmpstr) if (!tmpstr)
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
else else
{ err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
log_debug ("tmpstr='%s'\n", tmpstr);
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
} }
else if ((s=strchr (uri, ':')) && !(s[1] == '/' && s[2] == '/')) else if ((s=strchr (uri, ':')) && !(s[1] == '/' && s[2] == '/'))
{ {
char *tmpstr;
/* No valid scheme given. Use http_parse_uri to put the string /* No valid scheme given. Use http_parse_uri to put the string
* as opaque value into parsed_uri. */ * as opaque value into parsed_uri. */
tmpstr = strconcat ("opaque:", uri, NULL); tmpstr = strconcat ("opaque:", uri, NULL);
if (!tmpstr) if (!tmpstr)
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
else else
{ err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
log_debug ("tmpstr2='%s'\n", tmpstr);
err = http_parse_uri (&item->parsed_uri, tmpstr, 0);
xfree (tmpstr);
}
} }
else if (ldap_uri_p (uri)) else if (ldap_uri_p (uri))
{ {
int fixup = 0;
/* Fixme: We should get rid of that parser and replace it with /* Fixme: We should get rid of that parser and replace it with
* our generic (http) URI parser. */ * our generic (http) URI parser. */
/* If no port has been specified and the scheme ist ldaps we use
* our idea of the default port because the standard LDAP URL
* parser would use 636 here. This is because we redefined
* ldaps to mean starttls. */
#ifdef HAVE_W32_SYSTEM
if (!strcmp (uri, "ldap:///"))
fixup = 1;
else
#endif
if (!http_parse_uri (&item->parsed_uri,uri,HTTP_PARSE_NO_SCHEME_CHECK))
{
if (!item->parsed_uri->port
&& !strcmp (item->parsed_uri->scheme, "ldaps"))
fixup = 2;
http_release_parsed_uri (item->parsed_uri);
item->parsed_uri = NULL;
}
err = ldap_parse_uri (&item->parsed_uri, uri); err = ldap_parse_uri (&item->parsed_uri, uri);
if (!err && fixup == 1)
item->parsed_uri->ad_current = 1;
else if (!err && fixup == 2)
item->parsed_uri->port = 389;
} }
else else
#endif #endif /* USE_LDAP */
{ {
err = http_parse_uri (&item->parsed_uri, uri, HTTP_PARSE_NO_SCHEME_CHECK); err = http_parse_uri (&item->parsed_uri, uri, HTTP_PARSE_NO_SCHEME_CHECK);
} }
xfree (tmpstr);
if (err) if (err)
xfree (item); xfree (item);
else else