diff --git a/NEWS b/NEWS index fe80aabcf..ffe77337e 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ Noteworthy changes in version 2.1.0 (unreleased) ------------------------------------------------ + * Dirmngr may now be build without support for LDAP. + * For a complete list of changes see the lists of changes for the 2.1.0 beta versions below. diff --git a/configure.ac b/configure.ac index 7ce8c097b..ce328e654 100644 --- a/configure.ac +++ b/configure.ac @@ -716,11 +716,6 @@ if test "$run_tests" = yes; then fi AM_CONDITIONAL(RUN_TESTS, test "$run_tests" = yes) -if test "$use_ldapwrapper" = yes; then - AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process]) -fi -AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes) - # (These need to go after AC_PROG_CC so that $EXEEXT is defined) AC_DEFINE_UNQUOTED(EXEEXT,"$EXEEXT",[The executable file extension, if any]) 
@@ -1049,16 +1044,45 @@ AM_CONDITIONAL(USE_DNS_SRV, test x"$use_dns_srv" = xyes) # # Note that running the check changes the variable # gnupg_have_ldap from "n/a" to "no" or "yes". -if test "$build_dirmngr" = "yes" ; then - GNUPG_CHECK_LDAP($NETLIBS) - AC_CHECK_LIB(lber, ber_free, - [ LBER_LIBS="$LBER_LIBS -llber" - AC_DEFINE(HAVE_LBER,1, - [defined if liblber is available]) - have_lber=yes - ]) + +AC_ARG_ENABLE(ldap, + AC_HELP_STRING([--disable-ldap],[disable LDAP support]), + [if test "$enableval" = "no"; then gnupg_have_ldap=no; fi]) + +if test "$gnupg_have_ldap" != "no" ; then + if test "$build_dirmngr" = "yes" ; then + GNUPG_CHECK_LDAP($NETLIBS) + AC_CHECK_LIB(lber, ber_free, + [ LBER_LIBS="$LBER_LIBS -llber" + AC_DEFINE(HAVE_LBER,1, + [defined if liblber is available]) + have_lber=yes + ]) + fi fi AC_SUBST(LBER_LIBS) +if test "$gnupg_have_ldap" = "no"; then + AC_MSG_WARN([[ +*** +*** Building without LDAP support. +*** No CRL access or X.509 certificate search available. +***]]) +fi + +AM_CONDITIONAL(USE_LDAP, [test "$gnupg_have_ldap" = yes]) +if test "$gnupg_have_ldap" = yes ; then + AC_DEFINE(USE_LDAP,1,[Defined if LDAP is support]) +else + use_ldapwrapper=no +fi + +if test "$use_ldapwrapper" = yes; then + AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process]) +fi +AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes) + + + # # Check for sendmail 
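Review bot: With `--enable-ldap` left at its default, a missing libldap now silently yields a dirmngr without LDAP-based CRL and certificate fetching (the `die=yes` path goes away in the next configure.ac hunk), so a packager whose build host lacks the library ships a binary with reduced revocation coverage and only a configure warning to show for it. The usual guard is to distinguish an explicit request from auto-detection and fail hard when LDAP was asked for but not found; the rewritten `AC_ARG_ENABLE` and the check below do that while keeping `--disable-ldap` behaving as in this hunk. The warning text also overstates the impact — the `crlfetch.c` hunks in this commit keep the HTTP path and leave OCSP untouched — so `*** No LDAP-based CRL access or X.509 certificate search available.` would be more accurate. Minor: `[Defined if LDAP is support]` should read `[Defined if LDAP is supported]`.
```m4
AC_ARG_ENABLE(ldap,
              AC_HELP_STRING([--disable-ldap],[disable LDAP support]),
              [enable_ldap=$enableval], [enable_ldap=auto])
if test "$enable_ldap" = "no"; then gnupg_have_ldap=no; fi
dnl … unchanged: GNUPG_CHECK_LDAP and liblber probe under build_dirmngr …
if test "$build_dirmngr" = "yes" && test "$enable_ldap" = "yes" \
   && test "$gnupg_have_ldap" != "yes"; then
  AC_MSG_ERROR([LDAP support was requested but no usable LDAP library was found])
fi
```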
@@ -1703,16 +1727,8 @@ if test "$have_ksba" = "no"; then *** (at least version $NEED_KSBA_VERSION using API $NEED_KSBA_API is required). ***]]) fi -if test "$gnupg_have_ldap" = "no"; then - die=yes - AC_MSG_NOTICE([[ -*** -*** The Dirmngr part requires an LDAP library -*** Check out -*** http://www.openldap.org -*** for a suitable implementation. -***]]) - if test "$have_w32ce_system" = yes; then +if test "$gnupg_have_ldap" = yes; then + if test "$have_w32ce_system" = yes; then AC_MSG_NOTICE([[ *** Note that CeGCC might be broken, a package fixing this is: *** http://files.kolab.org/local/windows-ce/ @@ -1804,6 +1820,7 @@ echo " Dirmngr auto start: $dirmngr_auto_start Readline support: $gnupg_cv_have_readline + LDAP support: $gnupg_have_ldap DNS SRV support: $use_dns_srv TLS support: $use_tls_library " diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 632e52582..0e9a7c757 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -44,19 +44,27 @@ else ldap_url = endif +if USE_LDAPWRAPPER +extraldap_src = ldap-wrapper.c +else +extraldap_src = ldap-wrapper-ce.c dirmngr_ldap.c +endif + noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \ - ldapserver.h ldapserver.c certcache.c certcache.h \ - cdb.h cdblib.c ldap.c misc.c dirmngr-err.h w32-ldap-help.h \ - ocsp.c ocsp.h validate.c validate.h ldap-wrapper.h $(ldap_url) \ + certcache.c certcache.h \ + cdb.h cdblib.c misc.c dirmngr-err.h \ + ocsp.c ocsp.h validate.c validate.h \ ks-action.c ks-action.h ks-engine.h \ ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c -if USE_LDAPWRAPPER -dirmngr_SOURCES += ldap-wrapper.c +if USE_LDAP +dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \ + ldap-wrapper.h $(ldap_url) $(extraldap_src) +ldaplibs = $(LDAPLIBS) else -dirmngr_SOURCES += ldap-wrapper-ce.c dirmngr_ldap.c +ldaplibs = endif 
@@ -65,7 +73,7 @@ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) if !USE_LDAPWRAPPER -dirmngr_LDADD += $(LDAPLIBS) +dirmngr_LDADD += $(ldaplibs) endif dirmngr_LDFLAGS = $(extra_bin_ldflags) diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index f335de8c7..2471ca2f0 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -29,8 +29,9 @@ #include "misc.h" #include "http.h" -#include "ldap-wrapper.h" - +#if USE_LDAP +# include "ldap-wrapper.h" +#endif /* For detecting armored CRLs received via HTTP (yes, such CRLS really exits, e.g. http://grid.fzk.de/ca/gridka-crl.pem at least in June @@ -156,6 +157,10 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) char *free_this = NULL; int redirects_left = 2; /* We allow for 2 redirect levels. */ +#ifndef USE_LDAP + (void)ctrl; +#endif + *reader = NULL; once_more: @@ -286,7 +291,13 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) err = gpg_error (GPG_ERR_NOT_SUPPORTED); } else - err = url_fetch_ldap (ctrl, url, NULL, 0, reader); + { +# if USE_LDAP + err = url_fetch_ldap (ctrl, url, NULL, 0, reader); +# else /*!USE_LDAP*/ + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +# endif /*!USE_LDAP*/ + } } xfree (free_this); @@ -305,8 +316,15 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader) "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return attr_fetch_ldap (ctrl, issuer, "certificateRevocationList", reader); +#else + (void)ctrl; + (void)issuer; + (void)reader; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } 
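Review bot: In `crl_fetch` and `crl_fetch_default` the compiled-out LDAP branches return `GPG_ERR_NOT_IMPLEMENTED` with no log line, while the adjacent runtime-disabled path (the one that passes `"LDAP"` to a log call just above and returns `GPG_ERR_NOT_SUPPORTED`) does report why; a CRL reachable only through an `ldap://` distribution point therefore fails revocation lookup with a different code and no diagnostic depending on how the binary was built. Either return the same error in both cases or log once, e.g. `log_info ("LDAP support not compiled in; cannot fetch CRL from '%s'\n", url);` before the `GPG_ERR_NOT_IMPLEMENTED` return in `crl_fetch` (a `log_info` from the same logging family as the `log_debug` used in dirmngr.c, if it is in scope here), so an operator can tell a build without LDAP from a network failure. A smaller style point: the file now mixes `#if USE_LDAP` with `#ifndef USE_LDAP`; configure only ever defines the macro to 1 or leaves it undefined, so `#ifdef USE_LDAP` throughout would be uniform and keep `-Wundef` quiet. Both functions begin outside the hunk.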
@@ -323,7 +341,14 @@ ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn) "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return start_default_fetch_ldap (ctrl, context, dn, "cACertificate"); +#else + (void)ctrl; + (void)context; + (void)dn; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -337,7 +362,15 @@ start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return start_cert_fetch_ldap (ctrl, context, patterns, server); +#else + (void)ctrl; + (void)context; + (void)patterns; + (void)server; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -345,7 +378,14 @@ gpg_error_t fetch_next_cert (cert_fetch_context_t context, unsigned char **value, size_t * valuelen) { +#if USE_LDAP return fetch_next_cert_ldap (context, value, valuelen); +#else + (void)context; + (void)value; + (void)valuelen; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -361,9 +401,14 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert) *r_cert = NULL; +#if USE_LDAP err = fetch_next_cert_ldap (context, &value, &valuelen); if (!err && !value) err = gpg_error (GPG_ERR_BUG); +#else + (void)context; + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif if (err) return err; @@ -389,7 +434,11 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert) void end_cert_fetch (cert_fetch_context_t context) { - return end_cert_fetch_ldap (context); +#if USE_LDAP + end_cert_fetch_ldap (context); +#else + (void)context; +#endif } @@ -410,7 +459,13 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url, reader = NULL; cert = NULL; +#if USE_LDAP err = url_fetch_ldap (ctrl, url, NULL, 0, &reader); +#else + (void)ctrl; + (void)url; + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif /*USE_LDAP*/ if (err) goto leave; 
@@ -442,7 +497,9 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url, leave: ksba_cert_release (cert); +#if USE_LDAP ldap_wrapper_release_context (reader); +#endif /*USE_LDAP*/ return err; } @@ -472,7 +529,11 @@ crl_close_reader (ksba_reader_t reader) xfree (cb_ctx); } else /* This is an ldap wrapper context (Currently not used). */ - ldap_wrapper_release_context (reader); + { +#if USE_LDAP + ldap_wrapper_release_context (reader); +#endif /*USE_LDAP*/ + } /* Now get rid of the reader object. */ ksba_reader_release (reader); diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index f629cfdea..95f90584e 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -60,9 +60,13 @@ #include "crlcache.h" #include "crlfetch.h" #include "misc.h" -#include "ldapserver.h" +#if USE_LDAP +# include "ldapserver.h" +#endif #include "asshelp.h" -#include "ldap-wrapper.h" +#if USE_LDAP +# include "ldap-wrapper.h" +#endif #include "../common/init.h" #include "gc-opt-flags.h" @@ -294,7 +298,9 @@ static int my_tlskey_current_fd; /* Prototypes. */ static void cleanup (void); +#if USE_LDAP static ldap_server_t parse_ldapserver_file (const char* filename); +#endif /*USE_LDAP*/ static fingerprint_list_t parse_ocsp_signer (const char *string); static void handle_connections (assuan_fd_t listen_fd); @@ -445,7 +451,9 @@ wrong_args (const char *text) static void shutdown_reaper (void) { +#if USE_LDAP ldap_wrapper_wait_connections (); +#endif } @@ -627,7 +635,9 @@ main (int argc, char **argv) int nodetach = 0; int csh_style = 0; char *logfile = NULL; +#if USE_LDAP char *ldapfile = NULL; +#endif /*USE_LDAP*/ int debug_wait = 0; int rc; int homedir_seen = 0; 
@@ -869,7 +879,11 @@ main (int argc, char **argv) case oLogFile: logfile = pargs.r.ret_str; break; case oCsh: csh_style = 1; break; case oSh: csh_style = 0; break; - case oLDAPFile: ldapfile = pargs.r.ret_str; break; + case oLDAPFile: +# if USE_LDAP + ldapfile = pargs.r.ret_str; +# endif /*USE_LDAP*/ + break; case oLDAPAddServers: opt.add_new_ldapservers = 1; break; case oLDAPTimeout: opt.ldaptimeout = pargs.r.ret_int; @@ -948,6 +962,7 @@ main (int argc, char **argv) set_debug (); /* Get LDAP server list from file. */ +#if USE_LDAP if (!ldapfile) { ldapfile = make_filename (opt.homedir, @@ -959,6 +974,7 @@ main (int argc, char **argv) } else opt.ldapservers = parse_ldapserver_file (ldapfile); +#endif /*USE_LDAP*/ #ifndef HAVE_W32_SYSTEM /* We need to ignore the PIPE signal because the we might log to a @@ -995,7 +1011,10 @@ main (int argc, char **argv) log_debug ("... okay\n"); } +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ + cert_cache_init (); crl_cache_init (); start_command_handler (ASSUAN_INVALID_FD); @@ -1170,7 +1189,10 @@ main (int argc, char **argv) } #endif +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ + cert_cache_init (); crl_cache_init (); #ifdef USE_W32_SERVICE @@ -1196,7 +1218,9 @@ main (int argc, char **argv) /* Just list the CRL cache and exit. */ if (argc) wrong_args ("--list-crls"); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ crl_cache_init (); crl_cache_list (es_stdout); } @@ -1207,7 +1231,9 @@ main (int argc, char **argv) memset (&ctrlbuf, 0, sizeof ctrlbuf); dirmngr_init_default_ctrl (&ctrlbuf); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ cert_cache_init (); crl_cache_init (); if (!argc) @@ -1229,7 +1255,9 @@ main (int argc, char **argv) memset (&ctrlbuf, 0, sizeof ctrlbuf); dirmngr_init_default_ctrl (&ctrlbuf); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ cert_cache_init (); crl_cache_init (); rc = crl_fetch (&ctrlbuf, argv[0], &reader); 
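Review bot: The `oLDAPFile` option is now accepted and silently discarded when `USE_LDAP` is unset (the `case` keeps the option but drops the assignment), and the `oLDAPAddServers` and `oLDAPTimeout` cases on the following lines are still parsed into `opt`, so an administrator who configures an LDAP server list to obtain CRLs gets no indication that those sources are inactive in this build. A warning in the `#else` branch, e.g. `log_info ("LDAP server file ignored: this dirmngr was built without LDAP support\n");`, makes the reduced revocation coverage visible in the log without changing behaviour. The default server file is likewise only read under `#if USE_LDAP`, which is consistent, but `opt.add_new_ldapservers` and `opt.ldaptimeout` then have no consumer in such a build. `main` begins before and continues past this hunk.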
@@ -1376,7 +1404,9 @@ cleanup (void) crl_cache_deinit (); cert_cache_deinit (1); +#if USE_LDAP ldapserver_list_free (opt.ldapservers); +#endif /*USE_LDAP*/ opt.ldapservers = NULL; if (cleanup_socket) @@ -1419,6 +1449,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl) 5. field: Base DN */ +#if USE_LDAP static ldap_server_t parse_ldapserver_file (const char* filename) { @@ -1475,7 +1506,7 @@ parse_ldapserver_file (const char* filename) return serverstart; } - +#endif /*USE_LDAP*/ static fingerprint_list_t parse_ocsp_signer (const char *string) diff --git a/dirmngr/server.c b/dirmngr/server.c index 6cf4dd668..9b4cdb243 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -36,12 +36,16 @@ #include "crlcache.h" #include "crlfetch.h" -#include "ldapserver.h" +#if USE_LDAP +# include "ldapserver.h" +#endif #include "ocsp.h" #include "certcache.h" #include "validate.h" #include "misc.h" -#include "ldap-wrapper.h" +#if USE_LDAP +# include "ldap-wrapper.h" +#endif #include "ks-action.h" #include "ks-engine.h" /* (ks_hkp_print_hosttable) */ @@ -595,6 +599,7 @@ static const char hlp_ldapserver[] = static gpg_error_t cmd_ldapserver (assuan_context_t ctx, char *line) { +#if USE_LDAP ctrl_t ctrl = assuan_get_pointer (ctx); ldap_server_t server; ldap_server_t *last_next_p; @@ -613,6 +618,10 @@ cmd_ldapserver (assuan_context_t ctx, char *line) last_next_p = &(*last_next_p)->next; *last_next_p = server; return leave_cmd (ctx, 0); +#else + (void)line; + return leave_cmd (ctx, gpg_error (GPG_ERR_NOT_IMPLEMENTED)); +#endif } 
@@ -991,17 +1000,19 @@ static int lookup_cert_by_pattern (assuan_context_t ctx, char *line, int single, int cache_only) { - ctrl_t ctrl = assuan_get_pointer (ctx); gpg_error_t err = 0; char *p; strlist_t sl, list = NULL; int truncated = 0, truncation_forced = 0; int count = 0; int local_count = 0; +#if USE_LDAP + ctrl_t ctrl = assuan_get_pointer (ctx); unsigned char *value = NULL; size_t valuelen; struct ldapserver_iter ldapserver_iter; cert_fetch_context_t fetch_context; +#endif /*USE_LDAP*/ int any_no_data = 0; /* Break the line down into an STRLIST */ @@ -1060,6 +1071,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line, /* Loop over all configured servers unless we want only the certificates from the cache. */ +#if USE_LDAP for (ldapserver_iter_begin (&ldapserver_iter, ctrl); !cache_only && !ldapserver_iter_end_p (&ldapserver_iter) && ldapserver_iter.server->host && !truncation_forced; @@ -1152,6 +1164,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line, end_cert_fetch (fetch_context); } +#endif /*USE_LDAP*/ ready: if (truncated || truncation_forced) @@ -1916,7 +1929,9 @@ reset_notify (assuan_context_t ctx, char *line) ctrl_t ctrl = assuan_get_pointer (ctx); (void)line; +#if USE_LDAP ldapserver_list_free (ctrl->server_local->ldapservers); +#endif /*USE_LDAP*/ ctrl->server_local->ldapservers = NULL; return 0; } @@ -2042,9 +2057,11 @@ start_command_handler (assuan_fd_t fd) } } +#if USE_LDAP ldap_wrapper_connection_cleanup (ctrl); ldapserver_list_free (ctrl->server_local->ldapservers); +#endif /*USE_LDAP*/ ctrl->server_local->ldapservers = NULL; ctrl->server_local->assuan_ctx = NULL;
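Review bot: Without `USE_LDAP`, `lookup_cert_by_pattern` skips from the cache lookup straight to `ready:` even when `cache_only` is false, so a lookup for an uncached certificate returns only what the cache holds with no signal that no remote source was consulted; `ctrl` is also moved under `#if USE_LDAP`, which only compiles if nothing in the cache path between the two hunks still uses it — worth checking in a `--disable-ldap` build. An `#else` after the server loop, `if (!cache_only) log_info ("LDAP support not compiled in; remote certificate lookup skipped\n");`, keeps the behaviour but makes the shortened result diagnosable. `cmd_ldapserver` returning `GPG_ERR_NOT_IMPLEMENTED` is reasonable, though the `hlp_ldapserver` help text above it still advertises the command unconditionally. The function bodies continue outside the hunk.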