dirmngr: Allow building without LDAP support.

* configure.ac: Add option --disable-ldap. (USE_LDAP): New ac_define and am_conditional. * dirmngr/Makefile.am: Take care of USE_LDAP. * dirmngr/dirmngr.c (!USE_LDAP): Make all ldap options dummy options and do not call any ldap function. * dirmngr/server.c (!USE_LDAP): Do not call any ldap function. * dirmngr/crlfetch.c (!USE_LDAP): Ditto. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2014-10-17 15:59:45 +02:00 · 2014-10-17 15:59:45 +02:00 · 6d9491842d
commit 6d9491842d
parent a13705f4c1
6 changed files with 178 additions and 42 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 Noteworthy changes in version 2.1.0 (unreleased)
 ------------------------------------------------

+ * Dirmngr may now be build without support for LDAP.
+
 * For a complete list of changes see the lists of changes for the
   2.1.0 beta versions below.

--- a/configure.ac
+++ b/configure.ac
@ -716,11 +716,6 @@ if test "$run_tests" = yes; then
 fi
 AM_CONDITIONAL(RUN_TESTS, test "$run_tests" = yes)

-if test "$use_ldapwrapper" = yes; then
-   AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process])
-fi
-AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes)
-

 # (These need to go after AC_PROG_CC so that $EXEEXT is defined)
 AC_DEFINE_UNQUOTED(EXEEXT,"$EXEEXT",[The executable file extension, if any])
@ -1049,16 +1044,45 @@ AM_CONDITIONAL(USE_DNS_SRV, test x"$use_dns_srv" = xyes)
 #
 # Note that running the check changes the variable
 # gnupg_have_ldap from "n/a" to "no" or "yes".
-if test "$build_dirmngr" = "yes" ; then
-   GNUPG_CHECK_LDAP($NETLIBS)
-   AC_CHECK_LIB(lber, ber_free,
-                [ LBER_LIBS="$LBER_LIBS -llber"
-                  AC_DEFINE(HAVE_LBER,1,
-                           [defined if liblber is available])
-                  have_lber=yes
-               ])
+
+AC_ARG_ENABLE(ldap,
+    AC_HELP_STRING([--disable-ldap],[disable LDAP support]),
+    [if test "$enableval" = "no"; then gnupg_have_ldap=no; fi])
+
+if test "$gnupg_have_ldap" != "no" ; then
+  if test "$build_dirmngr" = "yes" ; then
+     GNUPG_CHECK_LDAP($NETLIBS)
+     AC_CHECK_LIB(lber, ber_free,
+                  [ LBER_LIBS="$LBER_LIBS -llber"
+                    AC_DEFINE(HAVE_LBER,1,
+                             [defined if liblber is available])
+                    have_lber=yes
+                 ])
+  fi
 fi
 AC_SUBST(LBER_LIBS)
+if test "$gnupg_have_ldap" = "no"; then
+    AC_MSG_WARN([[
+***
+*** Building without LDAP support.
+*** No CRL access or X.509 certificate search available.
+***]])
+fi
+
+AM_CONDITIONAL(USE_LDAP, [test "$gnupg_have_ldap" = yes])
+if test "$gnupg_have_ldap" = yes ; then
+  AC_DEFINE(USE_LDAP,1,[Defined if LDAP is support])
+else
+ use_ldapwrapper=no
+fi
+
+if test "$use_ldapwrapper" = yes; then
+   AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process])
+fi
+AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes)
+
+
+

 #
 # Check for sendmail
@ -1703,16 +1727,8 @@ if test "$have_ksba" = "no"; then
 *** (at least version $NEED_KSBA_VERSION using API $NEED_KSBA_API is required).
 ***]])
 fi
-if test "$gnupg_have_ldap" = "no"; then
-    die=yes
-    AC_MSG_NOTICE([[
-***
-*** The Dirmngr part requires an LDAP library
-*** Check out
-***    http://www.openldap.org
-*** for a suitable implementation.
-***]])
-   if test "$have_w32ce_system" = yes; then
+if test "$gnupg_have_ldap" = yes; then
+  if test "$have_w32ce_system" = yes; then
    AC_MSG_NOTICE([[
 *** Note that CeGCC might be broken, a package fixing this is:
 ***    http://files.kolab.org/local/windows-ce/
@ -1804,6 +1820,7 @@ echo "

        Dirmngr auto start:  $dirmngr_auto_start
        Readline support:    $gnupg_cv_have_readline
+        LDAP support:        $gnupg_have_ldap
        DNS SRV support:     $use_dns_srv
        TLS support:         $use_tls_library
 "
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@ -44,19 +44,27 @@ else
 ldap_url =
 endif

+if USE_LDAPWRAPPER
+extraldap_src = ldap-wrapper.c
+else
+extraldap_src = ldap-wrapper-ce.c  dirmngr_ldap.c
+endif
+
 noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h

 dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c	\
-	ldapserver.h ldapserver.c certcache.c certcache.h \
-	cdb.h cdblib.c ldap.c misc.c dirmngr-err.h w32-ldap-help.h \
-	ocsp.c ocsp.h validate.c validate.h ldap-wrapper.h $(ldap_url) \
+	certcache.c certcache.h \
+	cdb.h cdblib.c misc.c dirmngr-err.h  \
+	ocsp.c ocsp.h validate.c validate.h  \
 	ks-action.c ks-action.h ks-engine.h \
        ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c

-if USE_LDAPWRAPPER
-dirmngr_SOURCES += ldap-wrapper.c
+if USE_LDAP
+dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \
+                   ldap-wrapper.h $(ldap_url) $(extraldap_src)
+ldaplibs = $(LDAPLIBS)
 else
-dirmngr_SOURCES += ldap-wrapper-ce.c  dirmngr_ldap.c
+ldaplibs =
 endif


@ -65,7 +73,7 @@ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \
 	$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
 	$(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
 if !USE_LDAPWRAPPER
-dirmngr_LDADD += $(LDAPLIBS)
+dirmngr_LDADD += $(ldaplibs)
 endif
 dirmngr_LDFLAGS = $(extra_bin_ldflags)

--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@ -29,8 +29,9 @@
 #include "misc.h"
 #include "http.h"

-#include "ldap-wrapper.h"
-
+#if USE_LDAP
+# include "ldap-wrapper.h"
+#endif

 /* For detecting armored CRLs received via HTTP (yes, such CRLS really
   exits, e.g. http://grid.fzk.de/ca/gridka-crl.pem at least in June
@ -156,6 +157,10 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
  char *free_this = NULL;
  int redirects_left = 2; /* We allow for 2 redirect levels.  */

+#ifndef USE_LDAP
+  (void)ctrl;
+#endif
+
  *reader = NULL;

 once_more:
@ -286,7 +291,13 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
          err = gpg_error (GPG_ERR_NOT_SUPPORTED);
        }
      else
-        err = url_fetch_ldap (ctrl, url, NULL, 0, reader);
+        {
+#       if USE_LDAP
+          err = url_fetch_ldap (ctrl, url, NULL, 0, reader);
+#       else /*!USE_LDAP*/
+          err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#       endif /*!USE_LDAP*/
+        }
    }

  xfree (free_this);
@ -305,8 +316,15 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader)
                 "LDAP");
      return gpg_error (GPG_ERR_NOT_SUPPORTED);
    }
+#if USE_LDAP
  return attr_fetch_ldap (ctrl, issuer, "certificateRevocationList",
                          reader);
+#else
+  (void)ctrl;
+  (void)issuer;
+  (void)reader;
+  return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif
 }


@ -323,7 +341,14 @@ ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn)
                 "LDAP");
      return gpg_error (GPG_ERR_NOT_SUPPORTED);
    }
+#if USE_LDAP
  return start_default_fetch_ldap (ctrl, context, dn, "cACertificate");
+#else
+  (void)ctrl;
+  (void)context;
+  (void)dn;
+  return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif
 }


@ -337,7 +362,15 @@ start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context,
                 "LDAP");
      return gpg_error (GPG_ERR_NOT_SUPPORTED);
    }
+#if USE_LDAP
  return start_cert_fetch_ldap (ctrl, context, patterns, server);
+#else
+  (void)ctrl;
+  (void)context;
+  (void)patterns;
+  (void)server;
+  return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif
 }


@ -345,7 +378,14 @@ gpg_error_t
 fetch_next_cert (cert_fetch_context_t context,
                 unsigned char **value, size_t * valuelen)
 {
+#if USE_LDAP
  return fetch_next_cert_ldap (context, value, valuelen);
+#else
+  (void)context;
+  (void)value;
+  (void)valuelen;
+  return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif
 }


@ -361,9 +401,14 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert)

  *r_cert = NULL;

+#if USE_LDAP
  err = fetch_next_cert_ldap (context, &value, &valuelen);
  if (!err && !value)
    err = gpg_error (GPG_ERR_BUG);
+#else
+  (void)context;
+  err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif
  if (err)
    return err;

@ -389,7 +434,11 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert)
 void
 end_cert_fetch (cert_fetch_context_t context)
 {
-  return end_cert_fetch_ldap (context);
+#if USE_LDAP
+  end_cert_fetch_ldap (context);
+#else
+  (void)context;
+#endif
 }


@ -410,7 +459,13 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url,
  reader = NULL;
  cert = NULL;

+#if USE_LDAP
  err = url_fetch_ldap (ctrl, url, NULL, 0, &reader);
+#else
+  (void)ctrl;
+  (void)url;
+  err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+#endif /*USE_LDAP*/
  if (err)
    goto leave;

@ -442,7 +497,9 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url,
 leave:

  ksba_cert_release (cert);
+#if USE_LDAP
  ldap_wrapper_release_context (reader);
+#endif /*USE_LDAP*/

  return err;
 }
@ -472,7 +529,11 @@ crl_close_reader (ksba_reader_t reader)
      xfree (cb_ctx);
    }
  else /* This is an ldap wrapper context (Currently not used). */
-    ldap_wrapper_release_context (reader);
+    {
+#if USE_LDAP
+      ldap_wrapper_release_context (reader);
+#endif /*USE_LDAP*/
+    }

  /* Now get rid of the reader object. */
  ksba_reader_release (reader);
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@ -60,9 +60,13 @@
 #include "crlcache.h"
 #include "crlfetch.h"
 #include "misc.h"
-#include "ldapserver.h"
+#if USE_LDAP
+# include "ldapserver.h"
+#endif
 #include "asshelp.h"
-#include "ldap-wrapper.h"
+#if USE_LDAP
+# include "ldap-wrapper.h"
+#endif
 #include "../common/init.h"
 #include "gc-opt-flags.h"

@ -294,7 +298,9 @@ static int my_tlskey_current_fd;

 /* Prototypes. */
 static void cleanup (void);
+#if USE_LDAP
 static ldap_server_t parse_ldapserver_file (const char* filename);
+#endif /*USE_LDAP*/
 static fingerprint_list_t parse_ocsp_signer (const char *string);
 static void handle_connections (assuan_fd_t listen_fd);

@ -445,7 +451,9 @@ wrong_args (const char *text)
 static void
 shutdown_reaper (void)
 {
+#if USE_LDAP
  ldap_wrapper_wait_connections ();
+#endif
 }


@ -627,7 +635,9 @@ main (int argc, char **argv)
  int nodetach = 0;
  int csh_style = 0;
  char *logfile = NULL;
+#if USE_LDAP
  char *ldapfile = NULL;
+#endif /*USE_LDAP*/
  int debug_wait = 0;
  int rc;
  int homedir_seen = 0;
@ -869,7 +879,11 @@ main (int argc, char **argv)
        case oLogFile: logfile = pargs.r.ret_str; break;
        case oCsh: csh_style = 1; break;
        case oSh: csh_style = 0; break;
-	case oLDAPFile: ldapfile = pargs.r.ret_str; break;
+	case oLDAPFile:
+#        if USE_LDAP
+          ldapfile = pargs.r.ret_str;
+#        endif /*USE_LDAP*/
+          break;
 	case oLDAPAddServers: opt.add_new_ldapservers = 1; break;
 	case oLDAPTimeout:
 	  opt.ldaptimeout = pargs.r.ret_int;
@ -948,6 +962,7 @@ main (int argc, char **argv)
  set_debug ();

  /* Get LDAP server list from file. */
+#if USE_LDAP
  if (!ldapfile)
    {
      ldapfile = make_filename (opt.homedir,
@ -959,6 +974,7 @@ main (int argc, char **argv)
    }
  else
      opt.ldapservers = parse_ldapserver_file (ldapfile);
+#endif /*USE_LDAP*/

 #ifndef HAVE_W32_SYSTEM
  /* We need to ignore the PIPE signal because the we might log to a
@ -995,7 +1011,10 @@ main (int argc, char **argv)
          log_debug ("... okay\n");
        }

+#if USE_LDAP
      ldap_wrapper_launch_thread ();
+#endif /*USE_LDAP*/
+
      cert_cache_init ();
      crl_cache_init ();
      start_command_handler (ASSUAN_INVALID_FD);
@ -1170,7 +1189,10 @@ main (int argc, char **argv)
        }
 #endif

+#if USE_LDAP
      ldap_wrapper_launch_thread ();
+#endif /*USE_LDAP*/
+
      cert_cache_init ();
      crl_cache_init ();
 #ifdef USE_W32_SERVICE
@ -1196,7 +1218,9 @@ main (int argc, char **argv)
      /* Just list the CRL cache and exit. */
      if (argc)
        wrong_args ("--list-crls");
+#if USE_LDAP
      ldap_wrapper_launch_thread ();
+#endif /*USE_LDAP*/
      crl_cache_init ();
      crl_cache_list (es_stdout);
    }
@ -1207,7 +1231,9 @@ main (int argc, char **argv)
      memset (&ctrlbuf, 0, sizeof ctrlbuf);
      dirmngr_init_default_ctrl (&ctrlbuf);

+#if USE_LDAP
      ldap_wrapper_launch_thread ();
+#endif /*USE_LDAP*/
      cert_cache_init ();
      crl_cache_init ();
      if (!argc)
@ -1229,7 +1255,9 @@ main (int argc, char **argv)
      memset (&ctrlbuf, 0, sizeof ctrlbuf);
      dirmngr_init_default_ctrl (&ctrlbuf);

+#if USE_LDAP
      ldap_wrapper_launch_thread ();
+#endif /*USE_LDAP*/
      cert_cache_init ();
      crl_cache_init ();
      rc = crl_fetch (&ctrlbuf, argv[0], &reader);
@ -1376,7 +1404,9 @@ cleanup (void)
  crl_cache_deinit ();
  cert_cache_deinit (1);

+#if USE_LDAP
  ldapserver_list_free (opt.ldapservers);
+#endif /*USE_LDAP*/
  opt.ldapservers = NULL;

  if (cleanup_socket)
@ -1419,6 +1449,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl)
   5. field: Base DN

 */
+#if USE_LDAP
 static ldap_server_t
 parse_ldapserver_file (const char* filename)
 {
@ -1475,7 +1506,7 @@ parse_ldapserver_file (const char* filename)

  return serverstart;
 }
-
+#endif /*USE_LDAP*/

 static fingerprint_list_t
 parse_ocsp_signer (const char *string)
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -36,12 +36,16 @@

 #include "crlcache.h"
 #include "crlfetch.h"
-#include "ldapserver.h"
+#if USE_LDAP
+# include "ldapserver.h"
+#endif
 #include "ocsp.h"
 #include "certcache.h"
 #include "validate.h"
 #include "misc.h"
-#include "ldap-wrapper.h"
+#if USE_LDAP
+# include "ldap-wrapper.h"
+#endif
 #include "ks-action.h"
 #include "ks-engine.h"  /* (ks_hkp_print_hosttable) */

@ -595,6 +599,7 @@ static const char hlp_ldapserver[] =
 static gpg_error_t
 cmd_ldapserver (assuan_context_t ctx, char *line)
 {
+#if USE_LDAP
  ctrl_t ctrl = assuan_get_pointer (ctx);
  ldap_server_t server;
  ldap_server_t *last_next_p;
@ -613,6 +618,10 @@ cmd_ldapserver (assuan_context_t ctx, char *line)
    last_next_p = &(*last_next_p)->next;
  *last_next_p = server;
  return leave_cmd (ctx, 0);
+#else
+  (void)line;
+  return leave_cmd (ctx, gpg_error (GPG_ERR_NOT_IMPLEMENTED));
+#endif
 }


@ -991,17 +1000,19 @@ static int
 lookup_cert_by_pattern (assuan_context_t ctx, char *line,
                        int single, int cache_only)
 {
-  ctrl_t ctrl = assuan_get_pointer (ctx);
  gpg_error_t err = 0;
  char *p;
  strlist_t sl, list = NULL;
  int truncated = 0, truncation_forced = 0;
  int count = 0;
  int local_count = 0;
+#if USE_LDAP
+  ctrl_t ctrl = assuan_get_pointer (ctx);
  unsigned char *value = NULL;
  size_t valuelen;
  struct ldapserver_iter ldapserver_iter;
  cert_fetch_context_t fetch_context;
+#endif /*USE_LDAP*/
  int any_no_data = 0;

  /* Break the line down into an STRLIST */
@ -1060,6 +1071,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line,

  /* Loop over all configured servers unless we want only the
     certificates from the cache.  */
+#if USE_LDAP
  for (ldapserver_iter_begin (&ldapserver_iter, ctrl);
       !cache_only && !ldapserver_iter_end_p (&ldapserver_iter)
 	 && ldapserver_iter.server->host && !truncation_forced;
@ -1152,6 +1164,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line,

      end_cert_fetch (fetch_context);
    }
+#endif /*USE_LDAP*/

 ready:
  if (truncated || truncation_forced)
@ -1916,7 +1929,9 @@ reset_notify (assuan_context_t ctx, char *line)
  ctrl_t ctrl = assuan_get_pointer (ctx);
  (void)line;

+#if USE_LDAP
  ldapserver_list_free (ctrl->server_local->ldapservers);
+#endif /*USE_LDAP*/
  ctrl->server_local->ldapservers = NULL;
  return 0;
 }
@ -2042,9 +2057,11 @@ start_command_handler (assuan_fd_t fd)
        }
    }

+#if USE_LDAP
  ldap_wrapper_connection_cleanup (ctrl);

  ldapserver_list_free (ctrl->server_local->ldapservers);
+#endif /*USE_LDAP*/
  ctrl->server_local->ldapservers = NULL;

  ctrl->server_local->assuan_ctx = NULL;