security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Code Activity

gpg: Implement the LDAP AKL method.

Browse Source 
* g10/keyserver.c (keyserver_import_mbox): Add arg flags and change
callers.
(keyserver_import_ldap): Remove.  It has always returned a not
implemented error since 2.1.
* g10/getkey.c (get_pubkey_byname): Repurpose LDAP to do basically the
same as KEYSERVER.
--

The old LDAP mechanism to locate a server via SRV records has long
been gone (since 2014) due to the dropping of the keyserver helpers.
The new purpose better reflects reality and can be used in
environments where keys are provided by an in-house LDAP server.

(cherry picked from commit 068ebb6f1e)
This commit is contained in:
Werner Koch 2024-06-04 18:02:02 +02:00
parent 5746c944cd
commit 6551281ca3
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 34 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/gpg.texi
View File

@ -1981,15 +1981,15 @@ list. The default is "local,wkd".
Locate a key using the Web Key Directory protocol. Locate a key using the Web Key Directory protocol.
@item ldap @item ldap
Using DNS Service Discovery, check the domain in question for any LDAP Locate the key using the configured LDAP servers. This method is
keyservers to use. If this fails, attempt to locate the key using the similar to the @code{keyserver} mechanism but always uses only LDAP
PGP Universal method of checking @samp{ldap://keys.(thedomain)}. servers.
@item ntds @item ntds
Locate the key using the Active Directory (Windows only). This Locate the key using the Active Directory (Windows only). This
method also allows one to search by fingerprint using the command method also allows one to search by fingerprint using the command
@option{--locate-external-key}. Note that this mechanism is @option{--locate-external-key}. Note that this mechanism is
actually a shortcut for the mechanism @samp{keyserver} but using actually a shortcut for the mechanism @samp{ldap} using only
"ldap:///" as the keyserver. "ldap:///" as the keyserver.
@item keyserver @item keyserver

28
g10/getkey.c
View File

@ -1,7 +1,7 @@
/* getkey.c - Get a key from the database /* getkey.c - Get a key from the database
* Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
* 2007, 2008, 2010 Free Software Foundation, Inc. * 2007, 2008, 2010 Free Software Foundation, Inc.
* Copyright (C) 2015, 2016 g10 Code GmbH * Copyright (C) 2015, 2016, 2024 g10 Code GmbH
* *
* This file is part of GnuPG. * This file is part of GnuPG.
* *
@ -17,6 +17,7 @@
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses/>. * along with this program; if not, see <https://www.gnu.org/licenses/>.
* SPDX-License-Identifier: GPL-3.0-or-later
*/ */
#include <config.h> #include <config.h>
@ -1176,16 +1177,31 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
break; break;
case AKL_LDAP: case AKL_LDAP:
if (is_fpr) if (!keyserver_any_configured (ctrl))
{ {
mechanism_string = ""; mechanism_string = "";
rc = GPG_ERR_NO_PUBKEY; rc = GPG_ERR_NO_PUBKEY;
} }
else else
{ {
mechanism_string = "LDAP"; mechanism_string = is_fpr? "ldap/fpr":"ldap/mbox";
glo_ctrl.in_auto_key_retrieve++; glo_ctrl.in_auto_key_retrieve++;
rc = keyserver_import_ldap (ctrl, name, &fpr, &fpr_len); if (is_fpr)
rc = keyserver_import_fprint (ctrl,
fprbuf.u.fpr, fprbuf.fprlen,
opt.keyserver,
KEYSERVER_IMPORT_FLAG_LDAP);
else
rc = keyserver_import_mbox (ctrl, name, &fpr, &fpr_len,
opt.keyserver,
KEYSERVER_IMPORT_FLAG_LDAP);
/* Map error codes because Dirmngr returns NO DATA
* if the keyserver does not have the requested key.
* It returns NO KEYSERVER if no LDAP keyservers are
* configured. */
if (gpg_err_code (rc) == GPG_ERR_NO_DATA
|| gpg_err_code (rc) == GPG_ERR_NO_KEYSERVER)
rc = gpg_error (GPG_ERR_NO_PUBKEY);
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
} }
break; break;
@ -1227,7 +1243,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
else else
{ {
rc = keyserver_import_mbox (ctrl, name, &fpr, &fpr_len, rc = keyserver_import_mbox (ctrl, name, &fpr, &fpr_len,
opt.keyserver); opt.keyserver, 0);
} }
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
} }
@ -1258,7 +1274,7 @@ get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
else else
{ {
rc = keyserver_import_mbox (ctrl, name, rc = keyserver_import_mbox (ctrl, name,
&fpr, &fpr_len, keyserver); &fpr, &fpr_len, keyserver, 0);
} }
glo_ctrl.in_auto_key_retrieve--; glo_ctrl.in_auto_key_retrieve--;
} }

2
g10/gpg.c
View File

@ -4743,8 +4743,6 @@ main (int argc, char **argv)
parse_auto_key_locate (DEFAULT_AKL_LIST); parse_auto_key_locate (DEFAULT_AKL_LIST);
} }
public_key_list (ctrl, sl, 1, cmd == aLocateExtKeys); public_key_list (ctrl, sl, 1, cmd == aLocateExtKeys);
free_strlist (sl); free_strlist (sl);
break; break;

7
g10/keyserver-internal.h
View File

@ -55,10 +55,9 @@ gpg_error_t keyserver_import_wkd (ctrl_t ctrl, const char *name,
unsigned char **fpr, size_t *fpr_len); unsigned char **fpr, size_t *fpr_len);
int keyserver_import_ntds (ctrl_t ctrl, const char *name, int keyserver_import_ntds (ctrl_t ctrl, const char *name,
unsigned char **fpr,size_t *fpr_len); unsigned char **fpr,size_t *fpr_len);
int keyserver_import_mbox (ctrl_t ctrl, const char *mbox, gpg_error_t keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
unsigned char **fpr,size_t *fpr_len, unsigned char **fpr,size_t *fpr_len,
struct keyserver_spec *keyserver); struct keyserver_spec *keyserver,
int keyserver_import_ldap (ctrl_t ctrl, const char *name, unsigned int flags);
unsigned char **fpr,size_t *fpr_len);
#endif /* !_KEYSERVER_INTERNAL_H_ */ #endif /* !_KEYSERVER_INTERNAL_H_ */

88
g10/keyserver.c
View File

@ -946,17 +946,17 @@ keyserver_any_configured (ctrl_t ctrl)
/* Import all keys that exactly match MBOX */ /* Import all keys that exactly match MBOX */
int gpg_error_t
keyserver_import_mbox (ctrl_t ctrl, const char *mbox, keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
unsigned char **fpr, size_t *fprlen, unsigned char **fpr, size_t *fprlen,
struct keyserver_spec *keyserver) struct keyserver_spec *keyserver, unsigned int flags)
{ {
KEYDB_SEARCH_DESC desc = { 0 }; KEYDB_SEARCH_DESC desc = { 0 };
desc.mode = KEYDB_SEARCH_MODE_MAIL; desc.mode = KEYDB_SEARCH_MODE_MAIL;
desc.u.name = mbox; desc.u.name = mbox;
return keyserver_get (ctrl, &desc, 1, keyserver, 0, fpr, fprlen); return keyserver_get (ctrl, &desc, 1, keyserver, flags, fpr, fprlen);
} }
@ -1867,85 +1867,3 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
xfree (mbox); xfree (mbox);
return err; return err;
} }
/* Import a key by name using LDAP */
int
keyserver_import_ldap (ctrl_t ctrl,
const char *name, unsigned char **fpr, size_t *fprlen)
{
(void)ctrl;
(void)name;
(void)fpr;
(void)fprlen;
return gpg_error (GPG_ERR_NOT_IMPLEMENTED); /*FIXME*/
#if 0
char *domain;
struct keyserver_spec *keyserver;
strlist_t list=NULL;
int rc,hostlen=1;
struct srventry *srvlist=NULL;
int srvcount,i;
char srvname[MAXDNAME];
/* Parse out the domain */
domain=strrchr(name,'@');
if(!domain)
return GPG_ERR_GENERAL;
domain++;
keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
keyserver->scheme=xstrdup("ldap");
keyserver->host=xmalloc(1);
keyserver->host[0]='\0';
snprintf(srvname,MAXDNAME,"_pgpkey-ldap._tcp.%s",domain);
FIXME("network related - move to dirmngr or drop the code");
srvcount=getsrv(srvname,&srvlist);
for(i=0;i<srvcount;i++)
{
hostlen+=strlen(srvlist[i].target)+1;
keyserver->host=xrealloc(keyserver->host,hostlen);
strcat(keyserver->host,srvlist[i].target);
if(srvlist[i].port!=389)
{
char port[7];
hostlen+=6; /* a colon, plus 5 digits (unsigned 16-bit value) */
keyserver->host=xrealloc(keyserver->host,hostlen);
snprintf(port,7,":%u",srvlist[i].port);
strcat(keyserver->host,port);
}
strcat(keyserver->host," ");
}
free(srvlist);
/* If all else fails, do the PGP Universal trick of
ldap://keys.(domain) */
hostlen+=5+strlen(domain);
keyserver->host=xrealloc(keyserver->host,hostlen);
strcat(keyserver->host,"keys.");
strcat(keyserver->host,domain);
append_to_strlist(&list,name);
rc = gpg_error (GPG_ERR_NOT_IMPLEMENTED); /*FIXME*/
/* keyserver_work (ctrl, KS_GETNAME, list, NULL, */
/* 0, fpr, fpr_len, keyserver); */
free_strlist(list);
free_keyserver_spec(keyserver);
return rc;
#endif
}

1
g10/main.h
View File

@ -327,6 +327,7 @@ gpg_error_t make_backsig (ctrl_t ctrl,
PKT_signature *sig, PKT_public_key *pk, PKT_signature *sig, PKT_public_key *pk,
PKT_public_key *sub_pk, PKT_public_key *sub_psk, PKT_public_key *sub_pk, PKT_public_key *sub_psk,
u32 timestamp, const char *cache_nonce); u32 timestamp, const char *cache_nonce);
void keygen_prepare_new_key_adsks (void);
gpg_error_t generate_subkeypair (ctrl_t ctrl, kbnode_t keyblock, gpg_error_t generate_subkeypair (ctrl_t ctrl, kbnode_t keyblock,
const char *algostr, const char *algostr,
const char *usagestr, const char *usagestr,