diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index d916cce5f..9f2157c0d 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -1,281 +1,282 @@
/* dirmngr.h - Common definitions for the dirmngr
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
* Copyright (C) 2004, 2015 g10 Code GmbH
* Copyright (C) 2014 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*
* SPDX-License-Identifier: GPL-3.0+
*/
#ifndef DIRMNGR_H
#define DIRMNGR_H
#include "./dirmngr-err.h"
#define map_assuan_err(a) \
map_assuan_err_with_source (GPG_ERR_SOURCE_DEFAULT, (a))
#include
#include
#include
#include "../common/util.h"
#include "../common/membuf.h"
#include "../common/sysutils.h" /* (gnupg_fd_t) */
#include "../common/asshelp.h" /* (assuan_context_t) */
#include "../common/i18n.h"
#include "dirmngr-status.h"
#include "http.h" /* (parsed_uri_t) */
/* This objects keeps information about a particular LDAP server and
is used as item of a single linked list of servers. */
struct ldap_server_s
{
struct ldap_server_s* next;
char *host;
int port;
char *user;
char *pass;
char *base;
unsigned int starttls:1; /* Use STARTTLS. */
unsigned int ldap_over_tls:1; /* Use LDAP over an TLS tunnel */
unsigned int ntds:1; /* Use Active Directory authentication. */
+ unsigned int areconly:1; /* Set LDAP_OPT_AREC_EXCLUSIVE. */
};
typedef struct ldap_server_s *ldap_server_t;
/* This objects is used to build a list of URI consisting of the
original and the parsed URI. */
struct uri_item_s
{
struct uri_item_s *next;
parsed_uri_t parsed_uri; /* The broken down URI. */
char uri[1]; /* The original URI. */
};
typedef struct uri_item_s *uri_item_t;
/* A list of fingerprints. */
struct fingerprint_list_s;
typedef struct fingerprint_list_s *fingerprint_list_t;
struct fingerprint_list_s
{
fingerprint_list_t next;
char binlen; /* If this is not 0 hexfpr actually carries a binary fpr. */
char hexfpr[20+20+1];
};
/* A large struct named "opt" to keep global flags. */
EXTERN_UNLESS_MAIN_MODULE
struct
{
unsigned int debug; /* debug flags (DBG_foo_VALUE) */
int verbose; /* verbosity level */
int quiet; /* be as quiet as possible */
int dry_run; /* don't change any persistent data */
int batch; /* batch mode */
const char *homedir_cache; /* Dir for cache files (/var/cache/dirmngr). */
char *config_filename; /* Name of a config file, which will be
reread on a HUP if it is not NULL. */
char *ldap_wrapper_program; /* Override value for the LDAP wrapper
program. */
char *http_wrapper_program; /* Override value for the HTTP wrapper
program. */
int running_detached; /* We are running in detached mode. */
int allow_version_check; /* --allow-version-check is active. */
int force; /* Force loading outdated CRLs. */
unsigned int connect_timeout; /* Timeout for connect. */
unsigned int connect_quick_timeout; /* Shorter timeout for connect. */
int disable_http; /* Do not use HTTP at all. */
int disable_ldap; /* Do not use LDAP at all. */
int disable_ipv4; /* Do not use legacy IP addresses. */
int disable_ipv6; /* Do not use standard IP addresses. */
int honor_http_proxy; /* Honor the http_proxy env variable. */
const char *http_proxy; /* The default HTTP proxy. */
const char *ldap_proxy; /* Use given LDAP proxy. */
int only_ldap_proxy; /* Only use the LDAP proxy; no fallback. */
int ignore_http_dp; /* Ignore HTTP CRL distribution points. */
int ignore_ldap_dp; /* Ignore LDAP CRL distribution points. */
int ignore_ocsp_service_url; /* Ignore OCSP service URLs as given in
the certificate. */
/* A list of fingerprints of certififcates we should completely
* ignore. These are all stored in binary format. */
fingerprint_list_t ignored_certs;
/* A list of certificate extension OIDs which are ignored so that
one can claim that a critical extension has been handled. One
OID per string. */
strlist_t ignored_cert_extensions;
/* Allow expired certificates in the cache. */
int debug_cache_expired_certs;
int allow_ocsp; /* Allow using OCSP. */
int max_replies;
unsigned int ldaptimeout;
ldap_server_t ldapservers;
int add_new_ldapservers;
const char *ocsp_responder; /* Standard OCSP responder's URL. */
fingerprint_list_t ocsp_signer; /* The list of fingerprints with allowed
standard OCSP signer certificates. */
unsigned int ocsp_max_clock_skew; /* Allowed seconds of clocks skew. */
unsigned int ocsp_max_period; /* Seconds a response is at maximum
considered valid after thisUpdate. */
unsigned int ocsp_current_period; /* Seconds a response is considered
current after nextUpdate. */
strlist_t keyserver; /* List of default keyservers. */
} opt;
#define DBG_X509_VALUE 1 /* debug x.509 parsing */
#define DBG_CRYPTO_VALUE 4 /* debug low level crypto */
#define DBG_DNS_VALUE 16 /* debug DNS calls. */
#define DBG_MEMORY_VALUE 32 /* debug memory allocation stuff */
#define DBG_CACHE_VALUE 64 /* debug the caching */
#define DBG_MEMSTAT_VALUE 128 /* show memory statistics */
#define DBG_HASHING_VALUE 512 /* debug hashing operations */
#define DBG_IPC_VALUE 1024 /* debug assuan communication */
#define DBG_NETWORK_VALUE 2048 /* debug network I/O. */
#define DBG_LOOKUP_VALUE 8192 /* debug lookup details */
#define DBG_EXTPROG_VALUE 16384 /* debug external program calls */
#define DBG_X509 (opt.debug & DBG_X509_VALUE)
#define DBG_CRYPTO (opt.debug & DBG_CRYPTO_VALUE)
#define DBG_DNS (opt.debug & DBG_DNS_VALUE)
#define DBG_MEMORY (opt.debug & DBG_MEMORY_VALUE)
#define DBG_CACHE (opt.debug & DBG_CACHE_VALUE)
#define DBG_HASHING (opt.debug & DBG_HASHING_VALUE)
#define DBG_IPC (opt.debug & DBG_IPC_VALUE)
#define DBG_NETWORK (opt.debug & DBG_NETWORK_VALUE)
#define DBG_LOOKUP (opt.debug & DBG_LOOKUP_VALUE)
#define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
/* A simple list of certificate references. FIXME: Better use
certlist_t also for references (Store NULL at .cert) */
struct cert_ref_s
{
struct cert_ref_s *next;
unsigned char fpr[20];
};
typedef struct cert_ref_s *cert_ref_t;
/* Forward references; access only through server.c. */
struct server_local_s;
#if SIZEOF_UNSIGNED_LONG == 8
# define SERVER_CONTROL_MAGIC 0x6469726d6e677220
#else
# define SERVER_CONTROL_MAGIC 0x6469726d
#endif
/* Connection control structure. */
struct server_control_s
{
unsigned long magic;/* Always has SERVER_CONTROL_MAGIC. */
int refcount; /* Count additional references to this object. */
int no_server; /* We are not running under server control. */
int status_fd; /* Only for non-server mode. */
struct server_local_s *server_local;
int force_crl_refresh; /* Always load a fresh CRL. */
int check_revocations_nest_level; /* Internal to check_revovations. */
cert_ref_t ocsp_certs; /* Certificates from the current OCSP
response. */
int audit_events; /* Send audit events to client. */
char *http_proxy; /* The used http_proxy or NULL. */
unsigned int timeout; /* Timeout for connect calls in ms. */
unsigned int http_no_crl:1; /* Do not check CRLs for https. */
};
/*-- dirmngr.c --*/
void dirmngr_exit( int ); /* Wrapper for exit() */
void dirmngr_init_default_ctrl (ctrl_t ctrl);
void dirmngr_deinit_default_ctrl (ctrl_t ctrl);
void dirmngr_sighup_action (void);
const char* dirmngr_get_current_socket_name (void);
int dirmngr_use_tor (void);
int dirmngr_never_use_tor_p (void);
/*-- Various housekeeping functions. --*/
void ks_hkp_housekeeping (time_t curtime);
void ks_hkp_reload (void);
void ks_hkp_init (void);
/*-- server.c --*/
ldap_server_t get_ldapservers_from_ctrl (ctrl_t ctrl);
ksba_cert_t get_cert_local (ctrl_t ctrl, const char *issuer);
ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *issuer);
ksba_cert_t get_cert_local_ski (ctrl_t ctrl,
const char *name, ksba_sexp_t keyid);
gpg_error_t get_istrusted_from_client (ctrl_t ctrl, const char *hexfpr);
int dirmngr_assuan_log_monitor (assuan_context_t ctx, unsigned int cat,
const char *msg);
void start_command_handler (gnupg_fd_t fd, unsigned int session_id);
gpg_error_t dirmngr_tick (ctrl_t ctrl);
/*-- http-ntbtls.c --*/
/* Note that we don't use a callback for gnutls. */
gpg_error_t gnupg_http_tls_verify_cb (void *opaque,
http_t http,
http_session_t session,
unsigned int flags,
void *tls_context);
/*-- loadswdb.c --*/
gpg_error_t dirmngr_load_swdb (ctrl_t ctrl, int force);
/*-- domaininfo.c --*/
void domaininfo_print_stats (void);
int domaininfo_is_wkd_not_supported (const char *domain);
void domaininfo_set_no_name (const char *domain);
void domaininfo_set_wkd_supported (const char *domain);
void domaininfo_set_wkd_not_supported (const char *domain);
void domaininfo_set_wkd_not_found (const char *domain);
/*-- workqueue.c --*/
typedef const char *(*wqtask_t)(ctrl_t ctrl, const char *args);
void workqueue_dump_queue (ctrl_t ctrl);
gpg_error_t workqueue_add_task (wqtask_t func, const char *args,
unsigned int session_id, int need_network);
void workqueue_run_global_tasks (ctrl_t ctrl, int with_network);
void workqueue_run_post_session_tasks (unsigned int session_id);
#endif /*DIRMNGR_H*/
diff --git a/dirmngr/dirmngr_ldap.c b/dirmngr/dirmngr_ldap.c
index 9c9fcc508..c6a4dd11f 100644
--- a/dirmngr/dirmngr_ldap.c
+++ b/dirmngr/dirmngr_ldap.c
@@ -1,838 +1,853 @@
/* dirmngr-ldap.c - The LDAP helper for dirmngr.
* Copyright (C) 2004, 2021 g10 Code GmbH
* Copyright (C) 2010 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
* SPDX-License-Identifier: GPL-3.0-or-later
*/
#include
#include
#include
#include
#include
#include
#ifdef HAVE_SIGNAL_H
# include
#endif
#include
#include
#include
#ifdef HAVE_W32_SYSTEM
# include
# include
# include
# include
# include "ldap-url.h"
#else
/* For OpenLDAP, to enable the API that we're using. */
# define LDAP_DEPRECATED 1
# include
#endif
#include
#include "../common/logging.h"
#include "../common/stringhelp.h"
#include "../common/mischelp.h"
#include "../common/strlist.h"
#include "../common/util.h"
#include "../common/init.h"
#include "ldap-misc.h"
/* There is no need for the npth_unprotect and leave functions here;
* thus we redefine them to nops. We keep them in the code just for
* the case we ever want to reuse parts of the code in npth programs. */
static void npth_unprotect (void) { }
static void npth_protect (void) { }
#ifdef HAVE_W32_SYSTEM
typedef LDAP_TIMEVAL my_ldap_timeval_t;
#else
typedef struct timeval my_ldap_timeval_t;
#endif
#define DEFAULT_LDAP_TIMEOUT 15 /* Arbitrary long timeout. */
/* Constants for the options. */
enum
{
oQuiet = 'q',
oVerbose = 'v',
oTimeout = 500,
oMulti,
oProxy,
oHost,
oPort,
oUser,
oPass,
oEnvPass,
oBase,
oAttr,
oStartTLS,
oLdapTLS,
oNtds,
+ oARecOnly,
oOnlySearchTimeout,
oLogWithPID
};
/* The list of options as used by the argparse.c code. */
static gpgrt_opt_t opts[] = {
{ oVerbose, "verbose", 0, "verbose" },
{ oQuiet, "quiet", 0, "be somewhat more quiet" },
{ oTimeout, "timeout", 1, "|N|set LDAP timeout to N seconds"},
{ oMulti, "multi", 0, "return all values in"
" a record oriented format"},
{ oProxy, "proxy", 2,
"|NAME|ignore host part and connect through NAME"},
{ oStartTLS, "starttls", 0, "use STARTLS for the conenction"},
{ oLdapTLS, "ldaptls", 0, "use a TLS for the connection"},
{ oNtds, "ntds", 0, "authenticate using AD"},
+ { oARecOnly, "areconly", 0, "do only an A record lookup"},
{ oHost, "host", 2, "|NAME|connect to host NAME"},
{ oPort, "port", 1, "|N|connect to port N"},
{ oUser, "user", 2, "|NAME|use NAME for authentication"},
{ oPass, "pass", 2, "|PASS|use password PASS"
" for authentication"},
{ oEnvPass, "env-pass", 0, "take password from $DIRMNGR_LDAP_PASS"},
{ oBase, "base", 2, "|DN|Start query at DN"},
{ oAttr, "attr", 2, "|STRING|return the attribute STRING"},
{ oOnlySearchTimeout, "only-search-timeout", 0, "@"},
{ oLogWithPID,"log-with-pid", 0, "@"},
ARGPARSE_end ()
};
/* A structure with module options. */
static struct
{
int quiet;
int verbose;
my_ldap_timeval_t timeout;/* Timeout for the LDAP search functions. */
unsigned int alarm_timeout; /* And for the alarm based timeout. */
int multi;
int starttls;
int ldaptls;
int ntds;
+ int areconly;
estream_t outstream; /* Send output to this stream. */
/* Note that we can't use const for the strings because ldap_* are
not defined that way. */
char *proxy; /* Host and Port override. */
char *user; /* Authentication user. */
char *pass; /* Authentication password. */
char *host; /* Override host. */
int port; /* Override port. */
char *base; /* Override DN. */
char *attr; /* Override attribute. */
} opt;
/* Prototypes. */
#ifndef HAVE_W32_SYSTEM
static void catch_alarm (int dummy);
#endif
static gpg_error_t connect_ldap (LDAP **r_ld);
static gpg_error_t process_filter (LDAP *ld, const char *string);
/* Function called by argparse.c to display information. */
static const char *
my_strusage (int level)
{
const char *p;
switch (level)
{
case 9: p = "GPL-3.0-or-later"; break;
case 11: p = "dirmngr_ldap (@GNUPG@)";
break;
case 13: p = VERSION; break;
case 14: p = GNUPG_DEF_COPYRIGHT_LINE; break;
case 17: p = PRINTABLE_OS_NAME; break;
case 19: p = "Please report bugs to <@EMAIL@>.\n"; break;
case 49: p = PACKAGE_BUGREPORT; break;
case 1:
case 40: p =
"Usage: dirmngr_ldap [options] filters (-h for help)\n";
break;
case 41: p =
("Syntax: dirmngr_ldap [options] filters\n"
"Internal LDAP helper for Dirmngr\n"
"Interface and options may change without notice\n");
break;
default: p = NULL;
}
return p;
}
int
main (int argc, char **argv)
{
gpgrt_argparse_t pargs;
int any_err = 0;
char *p;
int only_search_timeout = 0;
char *malloced_buffer1 = NULL;
LDAP *ld;
early_system_init ();
gpgrt_set_strusage (my_strusage);
log_set_prefix ("dirmngr_ldap", GPGRT_LOG_WITH_PREFIX);
init_common_subsystems (&argc, &argv);
es_set_binary (es_stdout);
opt.outstream = es_stdout;
/* LDAP defaults */
opt.timeout.tv_sec = DEFAULT_LDAP_TIMEOUT;
opt.timeout.tv_usec = 0;
opt.alarm_timeout = 0;
/* Parse the command line. */
pargs.argc = &argc;
pargs.argv = &argv;
pargs.flags= ARGPARSE_FLAG_KEEP;
while (gpgrt_argparse (NULL, &pargs, opts))
{
switch (pargs.r_opt)
{
case oVerbose: opt.verbose++; break;
case oQuiet: opt.quiet++; break;
case oTimeout:
opt.timeout.tv_sec = pargs.r.ret_int;
opt.timeout.tv_usec = 0;
opt.alarm_timeout = pargs.r.ret_int;
break;
case oOnlySearchTimeout: only_search_timeout = 1; break;
case oStartTLS: opt.starttls = 1; opt.ldaptls = 0; break;
case oLdapTLS: opt.starttls = 0; opt.ldaptls = 1; break;
case oNtds: opt.ntds = 1; break;
+ case oARecOnly: opt.areconly = 1; break;
case oMulti: opt.multi = 1; break;
case oUser: opt.user = pargs.r.ret_str; break;
case oPass: opt.pass = pargs.r.ret_str; break;
case oEnvPass:
opt.pass = getenv ("DIRMNGR_LDAP_PASS");
break;
case oProxy: opt.proxy = pargs.r.ret_str; break;
case oHost: opt.host = pargs.r.ret_str; break;
case oPort: opt.port = pargs.r.ret_int; break;
case oBase: opt.base = pargs.r.ret_str; break;
case oAttr: opt.attr = pargs.r.ret_str; break;
case oLogWithPID:
{
unsigned int oldflags;
log_get_prefix (&oldflags);
log_set_prefix (NULL, oldflags | GPGRT_LOG_WITH_PID);
}
break;
default :
pargs.err = ARGPARSE_PRINT_ERROR;
break;
}
}
gpgrt_argparse (NULL, &pargs, NULL);
if (only_search_timeout)
opt.alarm_timeout = 0;
if (opt.proxy)
{
malloced_buffer1 = xtrystrdup (opt.proxy);
if (!malloced_buffer1)
{
log_error ("error copying string: %s\n", strerror (errno));
return 1;
}
opt.host = malloced_buffer1;
p = strchr (opt.host, ':');
if (p)
{
*p++ = 0;
opt.port = atoi (p);
}
if (!opt.port)
opt.port = 389; /* make sure ports gets overridden. */
}
if (opt.port < 0 || opt.port > 65535)
log_error ("invalid port number %d\n", opt.port);
if (!opt.port)
opt.port = opt.ldaptls? 636 : 389;
#ifndef HAVE_W32_SYSTEM
if (!opt.host)
opt.host = "localhost";
#endif
if (log_get_errorcount (0))
exit (2);
if (opt.alarm_timeout)
{
#ifndef HAVE_W32_SYSTEM
# if defined(HAVE_SIGACTION) && defined(HAVE_STRUCT_SIGACTION)
struct sigaction act;
act.sa_handler = catch_alarm;
sigemptyset (&act.sa_mask);
act.sa_flags = 0;
if (sigaction (SIGALRM,&act,NULL))
# else
if (signal (SIGALRM, catch_alarm) == SIG_ERR)
# endif
log_fatal ("unable to register timeout handler\n");
#endif
}
if (connect_ldap (&ld))
any_err = 1;
else
{
if (!argc)
{
if (process_filter (ld, "(objectClass=*)"))
any_err = 1;
}
else
{
for (; argc; argc--, argv++)
if (process_filter (ld, *argv))
any_err = 1;
}
ldap_unbind (ld);
}
xfree (malloced_buffer1);
return any_err;
}
#ifndef HAVE_W32_SYSTEM
static void
catch_alarm (int dummy)
{
(void)dummy;
_exit (10);
}
#endif
#ifdef HAVE_W32_SYSTEM
static DWORD CALLBACK
alarm_thread (void *arg)
{
HANDLE timer = arg;
WaitForSingleObject (timer, INFINITE);
_exit (10);
return 0;
}
#endif
static void
set_timeout (void)
{
if (opt.alarm_timeout)
{
#ifdef HAVE_W32_SYSTEM
static HANDLE timer;
LARGE_INTEGER due_time;
/* A negative value is a relative time. */
due_time.QuadPart = (unsigned long long)-10000000 * opt.alarm_timeout;
if (!timer)
{
SECURITY_ATTRIBUTES sec_attr;
DWORD tid;
memset (&sec_attr, 0, sizeof sec_attr);
sec_attr.nLength = sizeof sec_attr;
sec_attr.bInheritHandle = FALSE;
/* Create a manual resettable timer. */
timer = CreateWaitableTimer (NULL, TRUE, NULL);
/* Initially set the timer. */
SetWaitableTimer (timer, &due_time, 0, NULL, NULL, 0);
if (CreateThread (&sec_attr, 0, alarm_thread, timer, 0, &tid))
log_error ("failed to create alarm thread\n");
}
else /* Retrigger the timer. */
SetWaitableTimer (timer, &due_time, 0, NULL, NULL, 0);
#else
alarm (opt.alarm_timeout);
#endif
}
}
/* Connect to the ldap server. On success the connection handle is
* stored at R_LD. */
static gpg_error_t
connect_ldap (LDAP **r_ld)
{
gpg_error_t err = 0;
int lerr;
LDAP *ld = NULL;
#ifndef HAVE_W32_SYSTEM
char *tmpstr;
#endif
*r_ld = NULL;
if (opt.starttls || opt.ldaptls)
{
#ifndef HAVE_LDAP_START_TLS_S
log_error ("ldap: can't connect to the server: no TLS support.");
err = GPG_ERR_LDAP_NOT_SUPPORTED;
goto leave;
#endif
}
set_timeout ();
#ifdef HAVE_W32_SYSTEM
npth_unprotect ();
ld = ldap_sslinit (opt.host, opt.port, opt.ldaptls);
npth_protect ();
if (!ld)
{
lerr = LdapGetLastError ();
err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s:%d': %s\n",
opt.host, opt.port, ldap_err2string (lerr));
goto leave;
}
+ if (opt.areconly)
+ {
+ lerr = ldap_set_option (ld, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
+ if (lerr != LDAP_SUCCESS)
+ {
+ log_error ("ldap: unable to set AREC_EXLUSIVE: %s\n",
+ ldap_err2string (lerr));
+ err = ldap_err_to_gpg_err (lerr);
+ goto leave;
+ }
+ }
#else /* Unix */
tmpstr = xtryasprintf ("%s://%s:%d",
opt.ldaptls? "ldaps" : "ldap",
opt.host, opt.port);
if (!tmpstr)
{
err = gpg_error_from_syserror ();
goto leave;
}
npth_unprotect ();
lerr = ldap_initialize (&ld, tmpstr);
npth_protect ();
if (lerr || !ld)
{
err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s': %s\n",
tmpstr, ldap_err2string (lerr));
xfree (tmpstr);
goto leave;
}
xfree (tmpstr);
#endif /* Unix */
if (opt.verbose)
log_info ("LDAP connected to '%s:%d'%s\n",
opt.host, opt.port,
opt.starttls? " using STARTTLS" :
opt.ldaptls? " using LDAP-over-TLS" : "");
#ifdef HAVE_LDAP_SET_OPTION
{
int ver = LDAP_VERSION3;
lerr = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &ver);
if (lerr != LDAP_SUCCESS)
{
log_error ("unable to go to LDAP 3: %s\n", ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto leave;
}
}
#endif
#ifdef HAVE_LDAP_START_TLS_S
if (opt.starttls)
{
#ifndef HAVE_W32_SYSTEM
int check_cert = LDAP_OPT_X_TLS_HARD; /* LDAP_OPT_X_TLS_NEVER */
lerr = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
if (lerr)
{
log_error ("ldap: error setting an TLS option: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto leave;
}
#else
/* On Windows, the certificates are checked by default. If the
option to disable checking mentioned above is ever
implemented, the way to do that on Windows is to install a
callback routine using ldap_set_option (..,
LDAP_OPT_SERVER_CERTIFICATE, ..); */
#endif
npth_unprotect ();
lerr = ldap_start_tls_s (ld,
#ifdef HAVE_W32_SYSTEM
/* ServerReturnValue, result */
NULL, NULL,
#endif
/* ServerControls, ClientControls */
NULL, NULL);
npth_protect ();
if (lerr)
{
log_error ("ldap: error switching to STARTTLS mode: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto leave;
}
}
#endif
if (opt.ntds)
{
if (opt.verbose)
log_info ("binding to current user via AD\n");
#ifdef HAVE_W32_SYSTEM
npth_unprotect ();
lerr = ldap_bind_s (ld, NULL, NULL, LDAP_AUTH_NEGOTIATE);
npth_protect ();
if (lerr != LDAP_SUCCESS)
{
log_error ("error binding to LDAP via AD: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto leave;
}
#else /* Unix */
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
goto leave;
#endif /* Unix */
}
else if (opt.user)
{
if (opt.verbose)
log_info ("LDAP bind to '%s', password '%s'\n",
opt.user, opt.pass ? ">not_shown<" : ">none<");
npth_unprotect ();
lerr = ldap_simple_bind_s (ld, opt.user, opt.pass);
npth_protect ();
if (lerr != LDAP_SUCCESS)
{
log_error ("error binding to LDAP: %s\n", ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto leave;
}
}
else
{
/* By default we don't bind as there is usually no need to. */
}
leave:
if (err)
{
if (ld)
ldap_unbind (ld);
}
else
*r_ld = ld;
return err;
}
/* Helper for fetch_ldap(). */
static int
print_ldap_entries (LDAP *ld, LDAPMessage *msg, char *want_attr)
{
LDAPMessage *item;
int any = 0;
for (npth_unprotect (), item = ldap_first_entry (ld, msg), npth_protect ();
item;
npth_unprotect (), item = ldap_next_entry (ld, item), npth_protect ())
{
BerElement *berctx;
char *attr;
if (opt.verbose > 1)
log_info ("scanning result for attribute '%s'\n",
want_attr? want_attr : "[all]");
if (opt.multi)
{ /* Write item marker. */
if (es_fwrite ("I\0\0\0\0", 5, 1, opt.outstream) != 1)
{
log_error ("error writing to stdout: %s\n",
strerror (errno));
return -1;
}
}
for (npth_unprotect (), attr = ldap_first_attribute (ld, item, &berctx),
npth_protect ();
attr;
npth_unprotect (), attr = ldap_next_attribute (ld, item, berctx),
npth_protect ())
{
struct berval **values;
int idx;
if (opt.verbose > 1)
log_info (" available attribute '%s'\n", attr);
set_timeout ();
/* I case we want only one attribute we do a case
insensitive compare without the optional extension
(i.e. ";binary"). Case insensitive is not really correct
but the best we can do. */
if (want_attr)
{
char *cp1, *cp2;
int cmpres;
cp1 = strchr (want_attr, ';');
if (cp1)
*cp1 = 0;
cp2 = strchr (attr, ';');
if (cp2)
*cp2 = 0;
cmpres = ascii_strcasecmp (want_attr, attr);
if (cp1)
*cp1 = ';';
if (cp2)
*cp2 = ';';
if (cmpres)
{
ldap_memfree (attr);
continue; /* Not found: Try next attribute. */
}
}
npth_unprotect ();
values = ldap_get_values_len (ld, item, attr);
npth_protect ();
if (!values)
{
if (opt.verbose)
log_info ("attribute '%s' not found\n", attr);
ldap_memfree (attr);
continue;
}
if (opt.verbose)
{
log_info ("found attribute '%s'\n", attr);
if (opt.verbose > 1)
for (idx=0; values[idx]; idx++)
log_info (" length[%d]=%d\n",
idx, (int)values[0]->bv_len);
}
if (opt.multi)
{ /* Write attribute marker. */
unsigned char tmp[5];
size_t n = strlen (attr);
tmp[0] = 'A';
tmp[1] = (n >> 24);
tmp[2] = (n >> 16);
tmp[3] = (n >> 8);
tmp[4] = (n);
if (es_fwrite (tmp, 5, 1, opt.outstream) != 1
|| es_fwrite (attr, n, 1, opt.outstream) != 1)
{
log_error ("error writing to stdout: %s\n",
strerror (errno));
ldap_value_free_len (values);
ldap_memfree (attr);
ber_free (berctx, 0);
return -1;
}
}
for (idx=0; values[idx]; idx++)
{
if (opt.multi)
{ /* Write value marker. */
unsigned char tmp[5];
size_t n = values[0]->bv_len;
tmp[0] = 'V';
tmp[1] = (n >> 24);
tmp[2] = (n >> 16);
tmp[3] = (n >> 8);
tmp[4] = (n);
if (es_fwrite (tmp, 5, 1, opt.outstream) != 1)
{
log_error ("error writing to stdout: %s\n",
strerror (errno));
ldap_value_free_len (values);
ldap_memfree (attr);
ber_free (berctx, 0);
return -1;
}
}
if (es_fwrite (values[0]->bv_val, values[0]->bv_len,
1, opt.outstream) != 1)
{
log_error ("error writing to stdout: %s\n",
strerror (errno));
ldap_value_free_len (values);
ldap_memfree (attr);
ber_free (berctx, 0);
return -1;
}
any = 1;
if (!opt.multi)
break; /* Print only the first value. */
}
ldap_value_free_len (values);
ldap_memfree (attr);
if (want_attr || !opt.multi)
break; /* We only want to return the first attribute. */
}
ber_free (berctx, 0);
}
if (opt.verbose > 1 && any)
log_info ("result has been printed\n");
return any?0:-1;
}
/* Fetch data from the server at LD using FILTER. */
static int
fetch_ldap (LDAP *ld, const char *base, int scope, const char *filter)
{
gpg_error_t err;
int lerr;
LDAPMessage *msg;
char *attrs[2];
if (filter && !*filter)
filter = NULL;
if (opt.verbose)
{
log_info ("fetching using");
if (base)
log_printf (" base '%s'", base);
if (filter)
log_printf (" filter '%s'", filter);
log_printf ("\n");
}
attrs[0] = opt.attr;
attrs[1] = NULL;
set_timeout ();
npth_unprotect ();
lerr = ldap_search_st (ld, base, scope, filter,
attrs,
0,
&opt.timeout, &msg);
npth_protect ();
if (lerr == LDAP_SIZELIMIT_EXCEEDED && opt.multi)
{
if (es_fwrite ("E\0\0\0\x09truncated", 14, 1, opt.outstream) != 1)
{
log_error ("error writing to stdout: %s\n", strerror (errno));
return -1;
}
}
else if (lerr)
{
log_error ("searching '%s' failed: %s\n",
filter, ldap_err2string (lerr));
if (lerr != LDAP_NO_SUCH_OBJECT)
{
/* FIXME: Need deinit (ld)? */
/* Hmmm: Do we need to released MSG in case of an error? */
return -1;
}
}
err = print_ldap_entries (ld, msg, opt.multi? NULL:opt.attr);
ldap_msgfree (msg);
return err;
}
/* Main processing. Take the filter and run the LDAP query. The
* result is printed to stdout, errors are logged to the log stream.
* To allow searching with a different base it is possible to extend
* the filer. For example:
*
* ^CN=foo, OU=My Users&(objectClasses=*)
*
* Uses "CN=foo, OU=My Users" as base DN and "(objectClasses=*)" as
* filter. If the base prefix includes an ampersand, it needs to be
* doubled. The usual escaping rules for DNs (for the base) and
* filters apply. If no scope is given (see ldap_parse_extfilter for
* the syntax) subtree scope is used.
*/
static gpg_error_t
process_filter (LDAP *ld, const char *string)
{
gpg_error_t err;
char *base, *filter;
int scope = -1;
err = ldap_parse_extfilter (string, 0, &base, &scope, &filter);
if (!err)
err = fetch_ldap (ld,
base? base : opt.base,
scope == -1? LDAP_SCOPE_SUBTREE : scope,
filter);
xfree (base);
xfree (filter);
return err;
}
diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c
index b3f7f8ff5..8f6144994 100644
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@@ -1,2209 +1,2225 @@
/* ks-engine-ldap.c - talk to a LDAP keyserver
* Copyright (C) 2001, 2002, 2004, 2005, 2006
* 2007 Free Software Foundation, Inc.
* Copyright (C) 2015, 2020 g10 Code GmbH
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include
#include
#include "dirmngr.h"
#include "misc.h"
#include "../common/userids.h"
#include "../common/mbox-util.h"
#include "ks-engine.h"
#include "ldap-misc.h"
#include "ldap-parse-uri.h"
#include "ldapserver.h"
/* Flags with infos from the connected server. */
#define SERVERINFO_REALLDAP 1 /* This is not the PGP keyserver. */
#define SERVERINFO_PGPKEYV2 2 /* Needs "pgpeyV2" instead of "pgpKey" */
#define SERVERINFO_SCHEMAV2 4 /* Version 2 of the Schema. */
#define SERVERINFO_NTDS 8 /* Server is an Active Directory. */
#ifndef HAVE_TIMEGM
time_t timegm(struct tm *tm);
#endif
�
static time_t
ldap2epochtime (const char *timestr)
{
struct tm pgptime;
time_t answer;
memset (&pgptime, 0, sizeof(pgptime));
/* YYYYMMDDHHmmssZ */
sscanf (timestr, "%4d%2d%2d%2d%2d%2d",
&pgptime.tm_year,
&pgptime.tm_mon,
&pgptime.tm_mday,
&pgptime.tm_hour,
&pgptime.tm_min,
&pgptime.tm_sec);
pgptime.tm_year -= 1900;
pgptime.tm_isdst = -1;
pgptime.tm_mon--;
/* mktime() takes the timezone into account, so we use timegm() */
answer = timegm (&pgptime);
return answer;
}
/* Caller must free the result. */
static char *
tm2ldaptime (struct tm *tm)
{
struct tm tmp = *tm;
char buf[16];
/* YYYYMMDDHHmmssZ */
tmp.tm_year += 1900;
tmp.tm_mon ++;
snprintf (buf, sizeof buf, "%04d%02d%02d%02d%02d%02dZ",
tmp.tm_year,
tmp.tm_mon,
tmp.tm_mday,
tmp.tm_hour,
tmp.tm_min,
tmp.tm_sec);
return xstrdup (buf);
}
#if 0
/* Caller must free */
static char *
epoch2ldaptime (time_t stamp)
{
struct tm tm;
if (gmtime_r (&stamp, &tm))
return tm2ldaptime (&tm);
else
return xstrdup ("INVALID TIME");
}
#endif
static void
my_ldap_value_free (char **vals)
{
if (vals)
ldap_value_free (vals);
}
�
/* Print a help output for the schemata supported by this module. */
gpg_error_t
ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri)
{
const char data[] =
"Handler for LDAP URLs:\n"
" ldap://HOST:PORT/[BASEDN]????[bindname=BINDNAME,password=PASSWORD]\n"
"\n"
"Note: basedn, bindname and password need to be percent escaped. In\n"
"particular, spaces need to be replaced with %20 and commas with %2c.\n"
"Thus bindname will typically be of the form:\n"
"\n"
" uid=user%2cou=PGP%20Users%2cdc=EXAMPLE%2cdc=ORG\n"
"\n"
"The ldaps:// and ldapi:// schemes are also supported. If ldaps is used\n"
"then the server's certificate will be checked. If it is not valid, any\n"
"operation will be aborted. Note that ldaps means LDAP with STARTTLS\n"
"\n"
"As an alternative to an URL a string in this form may be used:\n"
"\n"
" HOST:PORT:BINDNAME:PASSWORD:BASEDN:FLAGS:\n"
"\n"
"The use of the percent sign or a colon in one of the string values is\n"
"currently not supported.\n"
"\n"
"Supported methods: search, get, put\n";
gpg_error_t err;
if(!uri)
err = ks_print_help (ctrl, " ldap");
else if (uri->is_ldap || uri->opaque)
err = ks_print_help (ctrl, data);
else
err = 0;
return err;
}
�
/* Convert a keyspec to a filter. Return an error if the keyspec is
bad or is not supported. The filter is escaped and returned in
*filter. It is the caller's responsibility to free *filter.
*filter is only set if this function returns success (i.e., 0). */
static gpg_error_t
keyspec_to_ldap_filter (const char *keyspec, char **filter, int only_exact,
unsigned int serverinfo)
{
/* Remove search type indicator and adjust PATTERN accordingly.
Note: don't include a preceding 0x when searching by keyid. */
/* XXX: Should we include disabled / revoke options? */
KEYDB_SEARCH_DESC desc;
char *f = NULL;
char *freeme = NULL;
char *p;
gpg_error_t err = classify_user_id (keyspec, &desc, 1);
if (err)
return err;
switch (desc.mode)
{
case KEYDB_SEARCH_MODE_EXACT:
f = xasprintf ("(pgpUserID=%s)",
(freeme = ldap_escape_filter (desc.u.name)));
break;
case KEYDB_SEARCH_MODE_SUBSTR:
if (! only_exact)
f = xasprintf ("(pgpUserID=*%s*)",
(freeme = ldap_escape_filter (desc.u.name)));
break;
case KEYDB_SEARCH_MODE_MAIL:
freeme = ldap_escape_filter (desc.u.name);
if (!freeme)
break;
if (*freeme == '<' && freeme[1] && freeme[2])
{
/* Strip angle brackets. Note that it is does not
* matter whether we work on the plan or LDAP escaped
* version of the mailbox. */
p = freeme + 1;
if (p[strlen(p)-1] == '>')
p[strlen(p)-1] = 0;
}
else
p = freeme;
if ((serverinfo & SERVERINFO_SCHEMAV2))
f = xasprintf ("(&(gpgMailbox=%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
p);
else if (!only_exact)
f = xasprintf ("(pgpUserID=*<%s>*)", p);
break;
case KEYDB_SEARCH_MODE_MAILSUB:
if ((serverinfo & SERVERINFO_SCHEMAV2))
f = xasprintf("(&(gpgMailbox=*%s*)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
(freeme = ldap_escape_filter (desc.u.name)));
else if (!only_exact)
f = xasprintf ("(pgpUserID=*<*%s*>*)",
(freeme = ldap_escape_filter (desc.u.name)));
break;
case KEYDB_SEARCH_MODE_MAILEND:
if ((serverinfo & SERVERINFO_SCHEMAV2))
f = xasprintf("(&(gpgMailbox=*%s)(!(|(pgpRevoked=1)(pgpDisabled=1))))",
(freeme = ldap_escape_filter (desc.u.name)));
else if (!only_exact)
f = xasprintf ("(pgpUserID=*<*%s>*)",
(freeme = ldap_escape_filter (desc.u.name)));
break;
case KEYDB_SEARCH_MODE_SHORT_KID:
f = xasprintf ("(pgpKeyID=%08lX)", (ulong) desc.u.kid[1]);
break;
case KEYDB_SEARCH_MODE_LONG_KID:
f = xasprintf ("(pgpCertID=%08lX%08lX)",
(ulong) desc.u.kid[0], (ulong) desc.u.kid[1]);
break;
case KEYDB_SEARCH_MODE_FPR:
if ((serverinfo & SERVERINFO_SCHEMAV2))
{
freeme = bin2hex (desc.u.fpr, desc.fprlen, NULL);
if (!freeme)
return gpg_error_from_syserror ();
f = xasprintf ("(|(gpgFingerprint=%s)(gpgSubFingerprint=%s))",
freeme, freeme);
/* FIXME: For an exact search and in case of a match on
* gpgSubFingerprint we need to check that there is only one
* matching value. */
}
break;
case KEYDB_SEARCH_MODE_ISSUER:
case KEYDB_SEARCH_MODE_ISSUER_SN:
case KEYDB_SEARCH_MODE_SN:
case KEYDB_SEARCH_MODE_SUBJECT:
case KEYDB_SEARCH_MODE_KEYGRIP:
case KEYDB_SEARCH_MODE_WORDS:
case KEYDB_SEARCH_MODE_FIRST:
case KEYDB_SEARCH_MODE_NEXT:
default:
break;
}
xfree (freeme);
if (! f)
{
log_error ("Unsupported search mode.\n");
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}
*filter = f;
return 0;
}
static int
interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
unsigned int *r_serverinfo, char **r_basedn)
{
int lerr;
char **vals;
LDAPMessage *si_res;
int is_gnupg = 0;
int result = 0;
char *basedn = NULL;
char *attr2[] = { "pgpBaseKeySpaceDN", "pgpVersion", "pgpSoftware", NULL };
char *object = xasprintf ("cn=pgpServerInfo,%s", basedn_search);
npth_unprotect ();
lerr = ldap_search_s (ldap_conn, object, LDAP_SCOPE_BASE,
"(objectClass=*)", attr2, 0, &si_res);
npth_protect ();
xfree (object);
if (lerr == LDAP_SUCCESS)
{
vals = ldap_get_values (ldap_conn, si_res, "pgpBaseKeySpaceDN");
if (vals && vals[0])
{
basedn = xtrystrdup (vals[0]);
}
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, si_res, "pgpSoftware");
if (vals && vals[0])
{
if (opt.debug)
log_debug ("Server: \t%s\n", vals[0]);
if (!ascii_strcasecmp (vals[0], "GnuPG"))
is_gnupg = 1;
}
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, si_res, "pgpVersion");
if (vals && vals[0])
{
if (opt.debug)
log_debug ("Version:\t%s\n", vals[0]);
if (is_gnupg)
{
const char *fields[2];
int nfields;
nfields = split_fields (vals[0], fields, DIM(fields));
if (nfields > 0 && atoi(fields[0]) > 1)
*r_serverinfo |= SERVERINFO_SCHEMAV2;
if (nfields > 1
&& !ascii_strcasecmp (fields[1], "ntds"))
*r_serverinfo |= SERVERINFO_NTDS;
}
}
my_ldap_value_free (vals);
}
/* From man ldap_search_s: "res parameter of
ldap_search_ext_s() and ldap_search_s() should be
freed with ldap_msgfree() regardless of return
value of these functions. */
ldap_msgfree (si_res);
if (r_basedn)
*r_basedn = basedn;
return result;
}
�
/* Connect to an LDAP server and interrogate it.
- uri describes the server to connect to and various options
including whether to use TLS and the username and password (see
ldap_parse_uri for a description of the various fields).
This function returns:
- The ldap connection handle in *LDAP_CONNP.
- The base DN for the PGP key space by querying the
pgpBaseKeySpaceDN attribute (This is normally
'ou=PGP Keys,dc=EXAMPLE,dc=ORG').
- The attribute to lookup to find the pgp key. This is either
'pgpKey' or 'pgpKeyV2'.
- Whether this is a real ldap server. (It's unclear what this
exactly means.)
The values are returned in the passed variables. If you pass NULL,
then the value won't be returned. It is the caller's
responsibility to release *LDAP_CONNP with ldap_unbind and xfree
*BASEDNP.
If this function successfully interrogated the server, it returns
0. If there was an LDAP error, it returns the LDAP error code. If
an error occurred, *basednp, etc., are undefined (and don't need to
be freed.)
R_SERVERINFO receives information about the server.
If no LDAP error occurred, you still need to check that *basednp is
valid. If it is NULL, then the server does not appear to be an
OpenPGP Keyserver. */
static gpg_error_t
my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp,
char **r_basedn, char **r_host, int *r_use_tls,
unsigned int *r_serverinfo)
{
gpg_error_t err = 0;
int lerr;
ldap_server_t server = NULL;
LDAP *ldap_conn = NULL;
char *basedn = NULL;
char *host = NULL; /* Host to use. */
int port; /* Port to use. */
int use_tls; /* 1 = starttls, 2 = ldap-over-tls */
int use_ntds; /* Use Active Directory authentication. */
+ int use_areconly; /* Lookup only via A record (Windows). */
const char *bindname;
const char *password;
const char *basedn_arg;
#ifndef HAVE_W32_SYSTEM
char *tmpstr;
#endif
if (r_basedn)
*r_basedn = NULL;
if (r_host)
*r_host = NULL;
if (r_use_tls)
*r_use_tls = 0;
*r_serverinfo = 0;
if (uri->opaque)
{
server = ldapserver_parse_one (uri->path, NULL, 0);
if (!server)
return gpg_error (GPG_ERR_LDAP_OTHER);
host = server->host;
port = server->port;
bindname = server->user;
password = bindname? server->pass : NULL;
basedn_arg = server->base;
use_tls = server->starttls? 1 : server->ldap_over_tls? 2 : 0;
use_ntds = server->ntds;
+ use_areconly = server->areconly;
}
else
{
host = uri->host;
port = uri->port;
bindname = uri->auth;
password = bindname? uri_query_value (uri, "password") : NULL;
basedn_arg = uri->path;
use_tls = uri->use_tls ? 1 : 0;
use_ntds = uri->ad_current;
+ use_areconly = 0;
}
if (!port)
port = use_tls == 2? 636 : 389;
if (host)
{
host = xtrystrdup (host);
if (!host)
{
err = gpg_error_from_syserror ();
goto out;
}
}
if (opt.verbose)
- log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s'\n",
+ log_info ("ldap connect to '%s:%d:%s:%s:%s:%s%s%s'\n",
host, port,
basedn_arg ? basedn_arg : "",
bindname ? bindname : "",
password ? "*****" : "",
use_tls == 1? "starttls" : use_tls == 2? "ldaptls" : "plain",
- use_ntds ? ",ntds":"");
+ use_ntds ? ",ntds":"",
+ use_areconly? ",areconly":"");
/* If the uri specifies a secure connection and we don't support
TLS, then fail; don't silently revert to an insecure
connection. */
if (use_tls)
{
#ifndef HAVE_LDAP_START_TLS_S
log_error ("ldap: can't connect to the server: no TLS support.");
err = GPG_ERR_LDAP_NOT_SUPPORTED;
goto out;
#endif
}
#ifdef HAVE_W32_SYSTEM
/* Note that host==NULL uses the default domain controller. */
npth_unprotect ();
ldap_conn = ldap_sslinit (host, port, (use_tls == 2));
npth_protect ();
if (!ldap_conn)
{
lerr = LdapGetLastError ();
err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s:%d': %s\n",
host, port, ldap_err2string (lerr));
goto out;
}
+ if (use_areconly)
+ {
+ lerr = ldap_set_option (ldap_conn, LDAP_OPT_AREC_EXCLUSIVE, LDAP_OPT_ON);
+ if (lerr != LDAP_SUCCESS)
+ {
+ log_error ("ks-ldap: unable to set LDAP_OPT_AREC_EXLUSIVE: %s\n",
+ ldap_err2string (lerr));
+ err = ldap_err_to_gpg_err (lerr);
+ goto out;
+ }
+ }
+
#else /* Unix */
tmpstr = xtryasprintf ("%s://%s:%d",
use_tls == 2? "ldaps" : "ldap",
host, port);
if (!tmpstr)
{
err = gpg_error_from_syserror ();
goto out;
}
npth_unprotect ();
lerr = ldap_initialize (&ldap_conn, tmpstr);
npth_protect ();
if (lerr != LDAP_SUCCESS || !ldap_conn)
{
err = ldap_err_to_gpg_err (lerr);
log_error ("error initializing LDAP '%s': %s\n",
tmpstr, ldap_err2string (lerr));
xfree (tmpstr);
goto out;
}
xfree (tmpstr);
#endif /* Unix */
#ifdef HAVE_LDAP_SET_OPTION
{
int ver = LDAP_VERSION3;
lerr = ldap_set_option (ldap_conn, LDAP_OPT_PROTOCOL_VERSION, &ver);
if (lerr != LDAP_SUCCESS)
{
log_error ("ks-ldap: unable to go to LDAP 3: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
}
if (opt.ldaptimeout)
{
int ver = opt.ldaptimeout;
lerr = ldap_set_option (ldap_conn, LDAP_OPT_TIMELIMIT, &ver);
if (lerr != LDAP_SUCCESS)
{
log_error ("ks-ldap: unable to set LDAP timelimit to %us: %s\n",
opt.ldaptimeout, ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
if (opt.verbose)
log_info ("ldap timeout set to %us\n", opt.ldaptimeout);
}
#endif
#ifdef HAVE_LDAP_START_TLS_S
if (use_tls == 1)
{
#ifndef HAVE_W32_SYSTEM
int check_cert = LDAP_OPT_X_TLS_HARD; /* LDAP_OPT_X_TLS_NEVER */
lerr = ldap_set_option (ldap_conn,
LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert);
if (lerr)
{
log_error ("ldap: error setting an TLS option: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
#else
/* On Windows, the certificates are checked by default. If the
option to disable checking mentioned above is ever
implemented, the way to do that on Windows is to install a
callback routine using ldap_set_option (..,
LDAP_OPT_SERVER_CERTIFICATE, ..); */
#endif
npth_unprotect ();
lerr = ldap_start_tls_s (ldap_conn,
#ifdef HAVE_W32_SYSTEM
/* ServerReturnValue, result */
NULL, NULL,
#endif
/* ServerControls, ClientControls */
NULL, NULL);
npth_protect ();
if (lerr)
{
log_error ("ldap: error switching to STARTTLS mode: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
}
#endif
if (use_ntds)
{
#ifdef HAVE_W32_SYSTEM
npth_unprotect ();
lerr = ldap_bind_s (ldap_conn, NULL, NULL, LDAP_AUTH_NEGOTIATE);
npth_protect ();
if (lerr != LDAP_SUCCESS)
{
log_error ("error binding to LDAP via AD: %s\n",
ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
#else
log_error ("ldap: no Active Directory support but 'ntds' requested\n");
err = gpg_error (GPG_ERR_NOT_SUPPORTED);
goto out;
#endif
}
else if (bindname)
{
npth_unprotect ();
lerr = ldap_simple_bind_s (ldap_conn, bindname, password);
npth_protect ();
if (lerr != LDAP_SUCCESS)
{
log_error ("error binding to LDAP: %s\n", ldap_err2string (lerr));
err = ldap_err_to_gpg_err (lerr);
goto out;
}
}
else
{
/* By default we don't bind as there is usually no need to. */
}
if (basedn_arg && *basedn_arg)
{
/* User specified base DN. In this case we know the server is a
* real LDAP server. */
basedn = xtrystrdup (basedn_arg);
if (!basedn)
{
err = gpg_error_from_syserror ();
goto out;
}
*r_serverinfo |= SERVERINFO_REALLDAP;
}
else
{ /* Look for namingContexts. */
LDAPMessage *res = NULL;
char *attr[] = { "namingContexts", NULL };
npth_unprotect ();
lerr = ldap_search_s (ldap_conn, "", LDAP_SCOPE_BASE,
"(objectClass=*)", attr, 0, &res);
npth_protect ();
if (lerr == LDAP_SUCCESS)
{
char **context;
npth_unprotect ();
context = ldap_get_values (ldap_conn, res, "namingContexts");
npth_protect ();
if (context)
{
/* We found some, so try each namingContext as the
* search base and look for pgpBaseKeySpaceDN. Because
* we found this, we know we're talking to a regular-ish
* LDAP server and not an LDAP keyserver. */
int i;
*r_serverinfo |= SERVERINFO_REALLDAP;
for (i = 0; context[i] && !basedn; i++)
interrogate_ldap_dn (ldap_conn, context[i], r_serverinfo,
&basedn);
ldap_value_free (context);
}
}
else /* ldap_search failed. */
{
/* We don't have an answer yet, which means the server might
be a PGP.com keyserver. */
char **vals;
LDAPMessage *si_res = NULL;
char *attr2[] = { "pgpBaseKeySpaceDN", "version", "software", NULL };
npth_unprotect ();
lerr = ldap_search_s (ldap_conn, "cn=pgpServerInfo", LDAP_SCOPE_BASE,
"(objectClass=*)", attr2, 0, &si_res);
npth_protect ();
if (lerr == LDAP_SUCCESS)
{
/* For the PGP LDAP keyserver, this is always
* "OU=ACTIVE,O=PGP KEYSPACE,C=US", but it might not be
* in the future. */
vals = ldap_get_values (ldap_conn, si_res, "baseKeySpaceDN");
if (vals && vals[0])
{
basedn = xtrystrdup (vals[0]);
}
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, si_res, "software");
if (vals && vals[0])
{
if (opt.debug)
log_debug ("ks-ldap: PGP Server: \t%s\n", vals[0]);
}
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, si_res, "version");
if (vals && vals[0])
{
if (opt.debug)
log_debug ("ks-ldap: PGP Server Version:\t%s\n", vals[0]);
/* If the version is high enough, use the new
pgpKeyV2 attribute. This design is iffy at best,
but it matches how PGP does it. I figure the NAI
folks assumed that there would never be an LDAP
keyserver vendor with a different numbering
scheme. */
if (atoi (vals[0]) > 1)
*r_serverinfo |= SERVERINFO_PGPKEYV2;
}
my_ldap_value_free (vals);
}
ldap_msgfree (si_res);
}
/* From man ldap_search_s: "res parameter of ldap_search_ext_s()
and ldap_search_s() should be freed with ldap_msgfree()
regardless of return value of these functions. */
ldap_msgfree (res);
}
out:
if (!err && opt.debug)
{
log_debug ("ldap_conn: %p\n", ldap_conn);
log_debug ("server_type: %s\n", ((*r_serverinfo & SERVERINFO_REALLDAP)
? "LDAP" : "PGP.com keyserver") );
log_debug ("basedn: %s\n", basedn);
log_debug ("pgpkeyattr: %s\n",
(*r_serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey");
}
ldapserver_list_free (server);
if (err)
{
xfree (basedn);
if (ldap_conn)
ldap_unbind (ldap_conn);
}
else
{
if (r_basedn)
*r_basedn = basedn;
else
xfree (basedn);
if (r_host)
*r_host = host;
else
xfree (host);
*ldap_connp = ldap_conn;
}
return err;
}
/* Extract keys from an LDAP reply and write them out to the output
stream OUTPUT in a format GnuPG can import (either the OpenPGP
binary format or armored format). */
static void
extract_keys (estream_t output,
LDAP *ldap_conn, const char *certid, LDAPMessage *message)
{
char **vals;
es_fprintf (output, "INFO %s BEGIN\n", certid);
/* Note: ldap_get_values returns a NULL terminated array of
strings. */
vals = ldap_get_values (ldap_conn, message, "gpgfingerprint");
if (vals && vals[0] && vals[0][0])
es_fprintf (output, "pub:%s:", vals[0]);
else
es_fprintf (output, "pub:%s:", certid);
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, message, "pgpkeytype");
if (vals && vals[0])
{
if (strcmp (vals[0], "RSA") == 0)
es_fprintf (output, "1");
else if (strcmp (vals[0],"DSS/DH") == 0)
es_fprintf (output, "17");
}
my_ldap_value_free (vals);
es_fprintf (output, ":");
vals = ldap_get_values (ldap_conn, message, "pgpkeysize");
if (vals && vals[0])
{
int v = atoi (vals[0]);
if (v > 0)
es_fprintf (output, "%d", v);
}
my_ldap_value_free (vals);
es_fprintf (output, ":");
vals = ldap_get_values (ldap_conn, message, "pgpkeycreatetime");
if (vals && vals[0])
{
if (strlen (vals[0]) == 15)
es_fprintf (output, "%u", (unsigned int) ldap2epochtime (vals[0]));
}
my_ldap_value_free (vals);
es_fprintf (output, ":");
vals = ldap_get_values (ldap_conn, message, "pgpkeyexpiretime");
if (vals && vals[0])
{
if (strlen (vals[0]) == 15)
es_fprintf (output, "%u", (unsigned int) ldap2epochtime (vals[0]));
}
my_ldap_value_free (vals);
es_fprintf (output, ":");
vals = ldap_get_values (ldap_conn, message, "pgprevoked");
if (vals && vals[0])
{
if (atoi (vals[0]) == 1)
es_fprintf (output, "r");
}
my_ldap_value_free (vals);
es_fprintf (output, "\n");
vals = ldap_get_values (ldap_conn, message, "pgpuserid");
if (vals && vals[0])
{
int i;
for (i = 0; vals[i]; i++)
es_fprintf (output, "uid:%s\n", vals[i]);
}
my_ldap_value_free (vals);
es_fprintf (output, "INFO %s END\n", certid);
}
/* For now we do not support LDAP over Tor. */
static gpg_error_t
no_ldap_due_to_tor (ctrl_t ctrl)
{
gpg_error_t err = gpg_error (GPG_ERR_NOT_SUPPORTED);
const char *msg = _("LDAP access not possible due to Tor mode");
log_error ("%s", msg);
dirmngr_status_printf (ctrl, "NOTE", "no_ldap_due_to_tor %u %s", err, msg);
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}
/* Get the key described key the KEYSPEC string from the keyserver
identified by URI. On success R_FP has an open stream to read the
data. */
gpg_error_t
ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec,
estream_t *r_fp)
{
gpg_error_t err = 0;
int ldap_err;
unsigned int serverinfo;
char *host = NULL;
int use_tls;
char *filter = NULL;
LDAP *ldap_conn = NULL;
char *basedn = NULL;
estream_t fp = NULL;
LDAPMessage *message = NULL;
(void) ctrl;
if (dirmngr_use_tor ())
{
return no_ldap_due_to_tor (ctrl);
}
/* Make sure we are talking to an OpenPGP LDAP server. */
err = my_ldap_connect (uri, &ldap_conn,
&basedn, &host, &use_tls, &serverinfo);
if (err || !basedn)
{
if (!err)
err = gpg_error (GPG_ERR_GENERAL);
goto out;
}
/* Now that we have information about the server we can construct a
* query best suited for the capabilities of the server. */
err = keyspec_to_ldap_filter (keyspec, &filter, 1, serverinfo);
if (err)
goto out;
if (opt.debug)
log_debug ("ks-ldap: using filter: %s\n", filter);
{
/* The ordering is significant. Specifically, "pgpcertid" needs
to be the second item in the list, since everything after it
may be discarded if we aren't in verbose mode. */
char *attrs[] =
{
"dummy",
"pgpcertid", "pgpuserid", "pgpkeyid", "pgprevoked", "pgpdisabled",
"pgpkeycreatetime", "modifytimestamp", "pgpkeysize", "pgpkeytype",
"gpgfingerprint",
NULL
};
/* 1 if we want just attribute types; 0 if we want both attribute
* types and values. */
int attrsonly = 0;
int count;
/* Replace "dummy". */
attrs[0] = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2" : "pgpKey";
npth_unprotect ();
ldap_err = ldap_search_s (ldap_conn, basedn, LDAP_SCOPE_SUBTREE,
filter, attrs, attrsonly, &message);
npth_protect ();
if (ldap_err)
{
err = ldap_err_to_gpg_err (ldap_err);
log_error ("ks-ldap: LDAP search error: %s\n",
ldap_err2string (ldap_err));
goto out;
}
count = ldap_count_entries (ldap_conn, message);
if (count < 1)
{
log_info ("ks-ldap: key %s not found on keyserver\n", keyspec);
if (count == -1)
err = ldap_to_gpg_err (ldap_conn);
else
err = gpg_error (GPG_ERR_NO_DATA);
goto out;
}
{
/* There may be more than one unique result for a given keyID,
so we should fetch them all (test this by fetching short key
id 0xDEADBEEF). */
/* The set of entries that we've seen. */
strlist_t seen = NULL;
LDAPMessage *each;
int anykey = 0;
for (npth_unprotect (),
each = ldap_first_entry (ldap_conn, message),
npth_protect ();
each;
npth_unprotect (),
each = ldap_next_entry (ldap_conn, each),
npth_protect ())
{
char **vals;
char **certid;
/* Use the long keyid to remove duplicates. The LDAP
server returns the same keyid more than once if there
are multiple user IDs on the key. Note that this does
NOT mean that a keyid that exists multiple times on the
keyserver will not be fetched. It means that each KEY,
no matter how many user IDs share its keyid, will be
fetched only once. If a keyid that belongs to more
than one key is fetched, the server quite properly
responds with all matching keys. -ds */
certid = ldap_get_values (ldap_conn, each, "pgpcertid");
if (certid && certid[0])
{
if (! strlist_find (seen, certid[0]))
{
/* It's not a duplicate, add it */
add_to_strlist (&seen, certid[0]);
if (! fp)
fp = es_fopenmem(0, "rw");
extract_keys (fp, ldap_conn, certid[0], each);
vals = ldap_get_values (ldap_conn, each, attrs[0]);
if (! vals)
{
err = ldap_to_gpg_err (ldap_conn);
log_error("ks-ldap: unable to retrieve key %s "
"from keyserver\n", certid[0]);
goto out;
}
else
{
/* We should strip the new lines. */
es_fprintf (fp, "KEY 0x%s BEGIN\n", certid[0]);
es_fputs (vals[0], fp);
es_fprintf (fp, "\nKEY 0x%s END\n", certid[0]);
ldap_value_free (vals);
anykey = 1;
}
}
}
my_ldap_value_free (certid);
}
free_strlist (seen);
if (! fp)
err = gpg_error (GPG_ERR_NO_DATA);
if (!err && anykey)
err = dirmngr_status_printf (ctrl, "SOURCE", "%s://%s",
use_tls? "ldaps" : "ldap",
host? host:"");
}
}
out:
if (message)
ldap_msgfree (message);
if (err)
{
if (fp)
es_fclose (fp);
}
else
{
if (fp)
es_fseek (fp, 0, SEEK_SET);
*r_fp = fp;
}
xfree (basedn);
xfree (host);
if (ldap_conn)
ldap_unbind (ldap_conn);
xfree (filter);
return err;
}
/* Search the keyserver identified by URI for keys matching PATTERN.
On success R_FP has an open stream to read the data. */
gpg_error_t
ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
estream_t *r_fp)
{
gpg_error_t err;
int ldap_err;
unsigned int serverinfo;
char *filter = NULL;
LDAP *ldap_conn = NULL;
char *basedn = NULL;
estream_t fp = NULL;
(void) ctrl;
if (dirmngr_use_tor ())
{
return no_ldap_due_to_tor (ctrl);
}
/* Make sure we are talking to an OpenPGP LDAP server. */
err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
if (err || !basedn)
{
if (!err)
err = GPG_ERR_GENERAL;
goto out;
}
/* Now that we have information about the server we can construct a
* query best suited for the capabilities of the server. */
err = keyspec_to_ldap_filter (pattern, &filter, 0, serverinfo);
if (err)
{
log_error ("Bad search pattern: '%s'\n", pattern);
goto out;
}
/* Even if we have no results, we want to return a stream. */
fp = es_fopenmem(0, "rw");
if (!fp)
{
err = gpg_error_from_syserror ();
goto out;
}
{
char **vals;
LDAPMessage *res, *each;
int count = 0;
strlist_t dupelist = NULL;
/* The maximum size of the search, including the optional stuff
and the trailing \0 */
char *attrs[] =
{
"pgpcertid", "pgpuserid", "pgprevoked", "pgpdisabled",
"pgpkeycreatetime", "pgpkeyexpiretime", "modifytimestamp",
"pgpkeysize", "pgpkeytype", "gpgfingerprint",
NULL
};
if (opt.debug)
log_debug ("SEARCH '%s' => '%s' BEGIN\n", pattern, filter);
npth_unprotect ();
ldap_err = ldap_search_s (ldap_conn, basedn,
LDAP_SCOPE_SUBTREE, filter, attrs, 0, &res);
npth_protect ();
xfree (filter);
filter = NULL;
if (ldap_err != LDAP_SUCCESS && ldap_err != LDAP_SIZELIMIT_EXCEEDED)
{
err = ldap_err_to_gpg_err (ldap_err);
log_error ("SEARCH %s FAILED %d\n", pattern, err);
log_error ("ks-ldap: LDAP search error: %s\n",
ldap_err2string (err));
goto out;
}
/* The LDAP server doesn't return a real count of unique keys, so we
can't use ldap_count_entries here. */
for (npth_unprotect (),
each = ldap_first_entry (ldap_conn, res),
npth_protect ();
each;
npth_unprotect (),
each = ldap_next_entry (ldap_conn, each),
npth_protect ())
{
char **certid = ldap_get_values (ldap_conn, each, "pgpcertid");
if (certid && certid[0] && ! strlist_find (dupelist, certid[0]))
{
add_to_strlist (&dupelist, certid[0]);
count++;
}
my_ldap_value_free (certid);
}
if (ldap_err == LDAP_SIZELIMIT_EXCEEDED)
{
if (count == 1)
log_error ("ks-ldap: search results exceeded server limit."
" First 1 result shown.\n");
else
log_error ("ks-ldap: search results exceeded server limit."
" First %d results shown.\n", count);
}
free_strlist (dupelist);
dupelist = NULL;
if (count < 1)
es_fputs ("info:1:0\n", fp);
else
{
es_fprintf (fp, "info:1:%d\n", count);
for (each = ldap_first_entry (ldap_conn, res);
each;
each = ldap_next_entry (ldap_conn, each))
{
char **certid;
LDAPMessage *uids;
certid = ldap_get_values (ldap_conn, each, "pgpcertid");
if (!certid || !certid[0])
{
my_ldap_value_free (certid);
continue;
}
/* Have we seen this certid before? */
if (! strlist_find (dupelist, certid[0]))
{
add_to_strlist (&dupelist, certid[0]);
vals = ldap_get_values (ldap_conn, each, "gpgfingerprint");
if (vals && vals[0] && vals[0][0])
es_fprintf (fp, "pub:%s:", vals[0]);
else
es_fprintf (fp, "pub:%s:", certid[0]);
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, each, "pgpkeytype");
if (vals && vals[0])
{
/* The LDAP server doesn't exactly handle this
well. */
if (strcasecmp (vals[0], "RSA") == 0)
es_fputs ("1", fp);
else if (strcasecmp (vals[0], "DSS/DH") == 0)
es_fputs ("17", fp);
}
my_ldap_value_free (vals);
es_fputc (':', fp);
vals = ldap_get_values (ldap_conn, each, "pgpkeysize");
if (vals && vals[0])
{
/* Not sure why, but some keys are listed with a
key size of 0. Treat that like an unknown. */
if (atoi (vals[0]) > 0)
es_fprintf (fp, "%d", atoi (vals[0]));
}
my_ldap_value_free (vals);
es_fputc (':', fp);
/* YYYYMMDDHHmmssZ */
vals = ldap_get_values (ldap_conn, each, "pgpkeycreatetime");
if(vals && vals[0] && strlen (vals[0]) == 15)
{
es_fprintf (fp, "%u",
(unsigned int) ldap2epochtime(vals[0]));
}
my_ldap_value_free (vals);
es_fputc (':', fp);
vals = ldap_get_values (ldap_conn, each, "pgpkeyexpiretime");
if (vals && vals[0] && strlen (vals[0]) == 15)
{
es_fprintf (fp, "%u",
(unsigned int) ldap2epochtime (vals[0]));
}
my_ldap_value_free (vals);
es_fputc (':', fp);
vals = ldap_get_values (ldap_conn, each, "pgprevoked");
if (vals && vals[0])
{
if (atoi (vals[0]) == 1)
es_fprintf (fp, "r");
}
my_ldap_value_free (vals);
vals = ldap_get_values (ldap_conn, each, "pgpdisabled");
if (vals && vals[0])
{
if (atoi (vals[0]) ==1)
es_fprintf (fp, "d");
}
my_ldap_value_free (vals);
#if 0
/* This is not yet specified in the keyserver
protocol, but may be someday. */
es_fputc (':', fp);
vals = ldap_get_values (ldap_conn, each, "modifytimestamp");
if(vals && vals[0] strlen (vals[0]) == 15)
{
es_fprintf (fp, "%u",
(unsigned int) ldap2epochtime (vals[0]));
}
my_ldap_value_free (vals);
#endif
es_fprintf (fp, "\n");
/* Now print all the uids that have this certid */
for (uids = ldap_first_entry (ldap_conn, res);
uids;
uids = ldap_next_entry (ldap_conn, uids))
{
vals = ldap_get_values (ldap_conn, uids, "pgpcertid");
if (!vals || !vals[0])
{
my_ldap_value_free (vals);
continue;
}
if (!ascii_strcasecmp (certid[0], vals[0]))
{
char **uidvals;
es_fprintf (fp, "uid:");
uidvals = ldap_get_values (ldap_conn,
uids, "pgpuserid");
if (uidvals)
{
/* Need to percent escape any colons */
char *quoted = try_percent_escape (uidvals[0],
NULL);
if (quoted)
es_fputs (quoted, fp);
xfree (quoted);
}
my_ldap_value_free (uidvals);
es_fprintf (fp, "\n");
}
ldap_value_free(vals);
}
}
my_ldap_value_free (certid);
}
}
ldap_msgfree (res);
free_strlist (dupelist);
}
if (opt.debug)
log_debug ("SEARCH %s END\n", pattern);
out:
if (err)
{
es_fclose (fp);
}
else
{
/* Return the read stream. */
if (fp)
es_fseek (fp, 0, SEEK_SET);
*r_fp = fp;
}
xfree (basedn);
if (ldap_conn)
ldap_unbind (ldap_conn);
xfree (filter);
return err;
}
�
/* A modlist describes a set of changes to an LDAP entry. (An entry
consists of 1 or more attributes. Attributes are
pairs. Note: an attribute may be multi-valued in which case
multiple values are associated with a single name.)
A modlist is a NULL terminated array of struct LDAPMod's.
Thus, if we have:
LDAPMod **modlist;
Then:
modlist[i]
Is the ith modification.
Each LDAPMod describes a change to a single attribute. Further,
there is one modification for each attribute that we want to
change. The attribute's new value is stored in LDAPMod.mod_values.
If the attribute is multi-valued, we still only use a single
LDAPMod structure: mod_values is a NULL-terminated array of
strings. To delete an attribute from an entry, we set mod_values
to NULL.
Thus, if:
modlist[i]->mod_values == NULL
then we remove the attribute.
(Using LDAP_MOD_DELETE doesn't work here as we don't know if the
attribute in question exists or not.)
Note: this function does NOT copy or free ATTR. It does copy
VALUE. */
static void
modlist_add (LDAPMod ***modlistp, char *attr, const char *value)
{
LDAPMod **modlist = *modlistp;
LDAPMod **m;
int nummods = 0;
/* Search modlist for the attribute we're playing with. If modlist
is NULL, then the list is empty. Recall: modlist is a NULL
terminated array. */
for (m = modlist; m && *m; m++, nummods ++)
{
/* The attribute is already on the list. */
char **ptr;
int numvalues = 0;
if (strcasecmp ((*m)->mod_type, attr) != 0)
continue;
/* We have this attribute already, so when the REPLACE happens,
the server attributes will be replaced anyway. */
if (! value)
return;
/* Attributes can be multi-valued. See if the value is already
present. mod_values is a NULL terminated array of pointers.
Note: mod_values can be NULL. */
for (ptr = (*m)->mod_values; ptr && *ptr; ptr++)
{
if (strcmp (*ptr, value) == 0)
/* Duplicate value, we're done. */
return;
numvalues ++;
}
/* Append the value. */
ptr = xrealloc ((*m)->mod_values, sizeof (char *) * (numvalues + 2));
(*m)->mod_values = ptr;
ptr[numvalues] = xstrdup (value);
ptr[numvalues + 1] = NULL;
return;
}
/* We didn't find the attr, so make one and add it to the end */
/* Like attribute values, the list of attributes is NULL terminated
array of pointers. */
modlist = xrealloc (modlist, sizeof (LDAPMod *) * (nummods + 2));
*modlistp = modlist;
modlist[nummods] = xmalloc (sizeof (LDAPMod));
modlist[nummods]->mod_op = LDAP_MOD_REPLACE;
modlist[nummods]->mod_type = attr;
if (value)
{
modlist[nummods]->mod_values = xmalloc (sizeof(char *) * 2);
modlist[nummods]->mod_values[0] = xstrdup (value);
modlist[nummods]->mod_values[1] = NULL;
}
else
modlist[nummods]->mod_values = NULL;
modlist[nummods + 1] = NULL;
return;
}
/* Look up the value of an attribute in the specified modlist. If the
attribute is not on the mod list, returns NULL. The result is a
NULL-terminated array of strings. Don't change it. */
static char **
modlist_lookup (LDAPMod **modlist, const char *attr)
{
LDAPMod **m;
for (m = modlist; m && *m; m++)
{
if (strcasecmp ((*m)->mod_type, attr) != 0)
continue;
return (*m)->mod_values;
}
return NULL;
}
/* Dump a modlist to a file. This is useful for debugging. */
static estream_t modlist_dump (LDAPMod **modlist, estream_t output)
GPGRT_ATTR_USED;
static estream_t
modlist_dump (LDAPMod **modlist, estream_t output)
{
LDAPMod **m;
int opened = 0;
if (! output)
{
output = es_fopenmem (0, "rw");
if (!output)
return NULL;
opened = 1;
}
for (m = modlist; m && *m; m++)
{
es_fprintf (output, " %s:", (*m)->mod_type);
if (! (*m)->mod_values)
es_fprintf(output, " delete.\n");
else
{
char **ptr;
int i;
int multi = 0;
if ((*m)->mod_values[0] && (*m)->mod_values[1])
/* Have at least 2. */
multi = 1;
if (multi)
es_fprintf (output, "\n");
for ((ptr = (*m)->mod_values), (i = 1); ptr && *ptr; ptr++, i ++)
{
/* Assuming terminals are about 80 characters wide,
display at most about 10 lines of debugging
output. If we do trim the buffer, append '...' to
the end. */
const int max_len = 10 * 70;
size_t value_len = strlen (*ptr);
int elide = value_len > max_len;
if (multi)
es_fprintf (output, " %d. ", i);
es_fprintf (output, "`%.*s", max_len, *ptr);
if (elide)
es_fprintf (output, "...' (%zd bytes elided)",
value_len - max_len);
else
es_fprintf (output, "'");
es_fprintf (output, "\n");
}
}
}
if (opened)
es_fseek (output, 0, SEEK_SET);
return output;
}
/* Free all of the memory allocated by the mod list. This assumes
that the attribute names don't have to be freed, but the attributes
values do. (Which is what modlist_add does.) */
static void
modlist_free (LDAPMod **modlist)
{
LDAPMod **ml;
if (! modlist)
return;
/* Unwind and free the whole modlist structure */
/* The modlist is a NULL terminated array of pointers. */
for (ml = modlist; *ml; ml++)
{
LDAPMod *mod = *ml;
char **ptr;
/* The list of values is a NULL termianted array of pointers.
If the list is NULL, there are no values. */
if (mod->mod_values)
{
for (ptr = mod->mod_values; *ptr; ptr++)
xfree (*ptr);
xfree (mod->mod_values);
}
xfree (mod);
}
xfree (modlist);
}
/* Append two onto the end of one. Two is not freed, but its pointers
are now part of one. Make sure you don't free them both!
As long as you don't add anything to ONE, TWO is still valid.
After that all bets are off. */
static void
modlists_join (LDAPMod ***one, LDAPMod **two)
{
int i, one_count = 0, two_count = 0;
LDAPMod **grow;
if (!*two)
/* two is empty. Nothing to do. */
return;
if (!*one)
/* one is empty. Just set it equal to *two. */
{
*one = two;
return;
}
for (grow = *one; *grow; grow++)
one_count ++;
for (grow = two; *grow; grow++)
two_count ++;
grow = xrealloc (*one, sizeof(LDAPMod *) * (one_count + two_count + 1));
for (i = 0; i < two_count; i++)
grow[one_count + i] = two[i];
grow[one_count + i] = NULL;
*one = grow;
}
/* Given a string, unescape C escapes. In particular, \xXX. This
modifies the string in place. */
static void
uncescape (char *str)
{
size_t r = 0;
size_t w = 0;
char *first = strchr (str, '\\');
if (! first)
/* No backslashes => no escaping. We're done. */
return;
/* Start at the first '\\'. */
r = w = (uintptr_t) first - (uintptr_t) str;
while (str[r])
{
/* XXX: What to do about bad escapes?
XXX: hextobyte already checks the string thus the hexdigitp
could be removed. */
if (str[r] == '\\' && str[r + 1] == 'x'
&& str[r+2] && str[r+3]
&& hexdigitp (str + r + 2)
&& hexdigitp (str + r + 3))
{
int x = hextobyte (&str[r + 2]);
log_assert (0 <= x && x <= 0xff);
str[w] = x;
/* We consumed 4 characters and wrote 1. */
r += 4;
w ++;
}
else
str[w ++] = str[r ++];
}
str[w] = '\0';
}
/* Given one line from an info block (`gpg --list-{keys,sigs}
--with-colons KEYID'), pull it apart and fill in the modlist with
the relevant (for the LDAP schema) attributes. EXTRACT_STATE
should initally be set to 0 by the caller. SCHEMAV2 is set if the
server supports the version 2 schema. */
static void
extract_attributes (LDAPMod ***modlist, int *extract_state,
char *line, int schemav2)
{
int field_count;
char **fields;
char *keyid;
int is_pub, is_sub, is_uid, is_sig;
/* Remove trailing whitespace */
trim_trailing_spaces (line);
fields = strsplit (line, ':', '\0', &field_count);
if (field_count == 1)
/* We only have a single field. There is definitely nothing to
do. */
goto out;
if (field_count < 7)
goto out;
is_pub = !ascii_strcasecmp ("pub", fields[0]);
is_sub = !ascii_strcasecmp ("sub", fields[0]);
is_uid = !ascii_strcasecmp ("uid", fields[0]);
is_sig = !ascii_strcasecmp ("sig", fields[0]);
if (!ascii_strcasecmp ("fpr", fields[0]))
{
/* Special treatment for a fingerprint. */
if (!(*extract_state & 1))
goto out; /* Stray fingerprint line - ignore. */
*extract_state &= ~1;
if (field_count >= 10 && schemav2)
{
if ((*extract_state & 2))
modlist_add (modlist, "gpgFingerprint", fields[9]);
else
modlist_add (modlist, "gpgSubFingerprint", fields[9]);
}
goto out;
}
*extract_state &= ~(1|2);
if (is_pub)
*extract_state |= (1|2);
else if (is_sub)
*extract_state |= 1;
if (!is_pub && !is_sub && !is_uid && !is_sig)
goto out; /* Not a relevant line. */
keyid = fields[4];
if (is_uid && strlen (keyid) == 0)
; /* The uid record type can have an empty keyid. */
else if (strlen (keyid) == 16
&& strspn (keyid, "0123456789aAbBcCdDeEfF") == 16)
; /* Otherwise, we expect exactly 16 hex characters. */
else
{
log_error ("malformed record!\n");
goto out;
}
if (is_pub)
{
int disabled = 0;
int revoked = 0;
char *flags;
for (flags = fields[1]; *flags; flags ++)
switch (*flags)
{
case 'r':
case 'R':
revoked = 1;
break;
case 'd':
case 'D':
disabled = 1;
break;
}
/* Note: we always create the pgpDisabled and pgpRevoked
attributes, regardless of whether the key is disabled/revoked
or not. This is because a very common search is like
"(&(pgpUserID=*isabella*)(pgpDisabled=0))" */
if (is_pub)
{
modlist_add (modlist,"pgpDisabled", disabled ? "1" : "0");
modlist_add (modlist,"pgpRevoked", revoked ? "1" : "0");
}
}
if (is_pub || is_sub)
{
char padded[6];
int val;
val = atoi (fields[2]);
if (val < 99999 && val > 0)
{
/* We zero pad this on the left to make PGP happy. */
snprintf (padded, sizeof padded, "%05u", val);
modlist_add (modlist, "pgpKeySize", padded);
}
}
if (is_pub)
{
char *algo = fields[3];
int val = atoi (algo);
switch (val)
{
case 1:
algo = "RSA";
break;
case 17:
algo = "DSS/DH";
break;
default:
algo = NULL;
break;
}
if (algo)
modlist_add (modlist, "pgpKeyType", algo);
}
if (is_pub || is_sub || is_sig)
{
if (is_pub)
{
modlist_add (modlist, "pgpCertID", keyid); /* Long keyid(!) */
modlist_add (modlist, "pgpKeyID", &keyid[8]); /* Short keyid */
}
if (is_sub)
modlist_add (modlist, "pgpSubKeyID", keyid); /* Long keyid(!) */
}
if (is_pub)
{
char *create_time = fields[5];
if (strlen (create_time) == 0)
create_time = NULL;
else
{
char *create_time_orig = create_time;
struct tm tm;
time_t t;
char *end;
memset (&tm, 0, sizeof (tm));
/* parse_timestamp handles both seconds fromt he epoch and
ISO 8601 format. We also need to handle YYYY-MM-DD
format (as generated by gpg1 --with-colons --list-key).
Check that first and then if it fails, then try
parse_timestamp. */
if (!isodate_human_to_tm (create_time, &tm))
create_time = tm2ldaptime (&tm);
else if ((t = parse_timestamp (create_time, &end)) != (time_t) -1
&& *end == '\0')
{
if (!gnupg_gmtime (&t, &tm))
create_time = NULL;
else
create_time = tm2ldaptime (&tm);
}
else
create_time = NULL;
if (! create_time)
/* Failed to parse string. */
log_error ("Failed to parse creation time ('%s')",
create_time_orig);
}
if (create_time)
{
modlist_add (modlist, "pgpKeyCreateTime", create_time);
xfree (create_time);
}
}
if (is_pub)
{
char *expire_time = fields[6];
if (strlen (expire_time) == 0)
expire_time = NULL;
else
{
char *expire_time_orig = expire_time;
struct tm tm;
time_t t;
char *end;
memset (&tm, 0, sizeof (tm));
/* parse_timestamp handles both seconds fromt he epoch and
ISO 8601 format. We also need to handle YYYY-MM-DD
format (as generated by gpg1 --with-colons --list-key).
Check that first and then if it fails, then try
parse_timestamp. */
if (!isodate_human_to_tm (expire_time, &tm))
expire_time = tm2ldaptime (&tm);
else if ((t = parse_timestamp (expire_time, &end)) != (time_t) -1
&& *end == '\0')
{
if (!gnupg_gmtime (&t, &tm))
expire_time = NULL;
else
expire_time = tm2ldaptime (&tm);
}
else
expire_time = NULL;
if (! expire_time)
/* Failed to parse string. */
log_error ("Failed to parse creation time ('%s')",
expire_time_orig);
}
if (expire_time)
{
modlist_add (modlist, "pgpKeyExpireTime", expire_time);
xfree (expire_time);
}
}
if (is_uid && field_count >= 10)
{
char *uid = fields[9];
char *mbox;
uncescape (uid);
modlist_add (modlist, "pgpUserID", uid);
if (schemav2 && (mbox = mailbox_from_userid (uid, 0)))
{
modlist_add (modlist, "gpgMailbox", mbox);
xfree (mbox);
}
}
out:
xfree (fields);
}
/* Send the key in {KEY,KEYLEN} with the metadata {INFO,INFOLEN} to
the keyserver identified by URI. See server.c:cmd_ks_put for the
format of the data and metadata. */
gpg_error_t
ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri,
void *data, size_t datalen,
void *info, size_t infolen)
{
gpg_error_t err = 0;
int ldap_err;
unsigned int serverinfo;
LDAP *ldap_conn = NULL;
char *basedn = NULL;
LDAPMod **modlist = NULL;
LDAPMod **addlist = NULL;
char *data_armored = NULL;
int extract_state;
/* The last byte of the info block. */
const char *infoend = (const char *) info + infolen - 1;
/* Enable this code to dump the modlist to /tmp/modlist.txt. */
#if 0
# warning Disable debug code before checking in.
const int dump_modlist = 1;
#else
const int dump_modlist = 0;
#endif
estream_t dump = NULL;
/* Elide a warning. */
(void) ctrl;
if (dirmngr_use_tor ())
{
return no_ldap_due_to_tor (ctrl);
}
err = my_ldap_connect (uri, &ldap_conn, &basedn, NULL, NULL, &serverinfo);
if (err || !basedn)
{
if (!err)
err = GPG_ERR_GENERAL;
goto out;
}
if (!(serverinfo & SERVERINFO_REALLDAP))
{
/* We appear to have a PGP.com Keyserver, which can unpack the
* key on its own (not just a dump LDAP server). This will
* rarely be the case these days. */
LDAPMod mod;
LDAPMod *attrs[2];
char *key[2];
char *dn;
key[0] = data;
key[1] = NULL;
memset (&mod, 0, sizeof (mod));
mod.mod_op = LDAP_MOD_ADD;
mod.mod_type = (serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey";
mod.mod_values = key;
attrs[0] = &mod;
attrs[1] = NULL;
dn = xtryasprintf ("pgpCertid=virtual,%s", basedn);
if (!dn)
{
err = gpg_error_from_syserror ();
goto out;
}
ldap_err = ldap_add_s (ldap_conn, dn, attrs);
xfree (dn);
if (ldap_err != LDAP_SUCCESS)
{
err = ldap_err_to_gpg_err (err);
goto out;
}
goto out;
}
modlist = xtrymalloc (sizeof (LDAPMod *));
if (!modlist)
{
err = gpg_error_from_syserror ();
goto out;
}
*modlist = NULL;
if (dump_modlist)
{
dump = es_fopen("/tmp/modlist.txt", "w");
if (! dump)
log_error ("failed to open /tmp/modlist.txt: %s\n",
gpg_strerror (gpg_error_from_syserror ()));
if (dump)
{
es_fprintf(dump, "data (%zd bytes)\n", datalen);
es_fprintf(dump, "info (%zd bytes): '\n", infolen);
es_fwrite(info, infolen, 1, dump);
es_fprintf(dump, "'\n");
}
}
/* Start by nulling out all attributes. We try and do a modify
operation first, so this ensures that we don't leave old
attributes lying around. */
modlist_add (&modlist, "pgpDisabled", NULL);
modlist_add (&modlist, "pgpKeyID", NULL);
modlist_add (&modlist, "pgpKeyType", NULL);
modlist_add (&modlist, "pgpUserID", NULL);
modlist_add (&modlist, "pgpKeyCreateTime", NULL);
modlist_add (&modlist, "pgpRevoked", NULL);
modlist_add (&modlist, "pgpSubKeyID", NULL);
modlist_add (&modlist, "pgpKeySize", NULL);
modlist_add (&modlist, "pgpKeyExpireTime", NULL);
modlist_add (&modlist, "pgpCertID", NULL);
if ((serverinfo & SERVERINFO_SCHEMAV2))
{
modlist_add (&modlist, "gpgFingerprint", NULL);
modlist_add (&modlist, "gpgSubFingerprint", NULL);
modlist_add (&modlist, "gpgMailbox", NULL);
}
/* Assemble the INFO stuff into LDAP attributes */
extract_state = 0;
while (infolen > 0)
{
char *temp = NULL;
char *newline = memchr (info, '\n', infolen);
if (! newline)
/* The last line is not \n terminated! Make a copy so we can
add a NUL terminator. */
{
temp = xmalloc (infolen + 1);
memcpy (temp, info, infolen);
info = temp;
newline = (char *) info + infolen;
}
*newline = '\0';
extract_attributes (&addlist, &extract_state, info,
(serverinfo & SERVERINFO_SCHEMAV2));
infolen = infolen - ((uintptr_t) newline - (uintptr_t) info + 1);
info = newline + 1;
/* Sanity check. */
if (! temp)
log_assert ((char *) info + infolen - 1 == infoend);
else
{
log_assert (infolen == -1);
xfree (temp);
}
}
modlist_add (&addlist, "objectClass", "pgpKeyInfo");
err = armor_data (&data_armored, data, datalen);
if (err)
goto out;
modlist_add (&addlist,
(serverinfo & SERVERINFO_PGPKEYV2)? "pgpKeyV2":"pgpKey",
data_armored);
/* Now append addlist onto modlist. */
modlists_join (&modlist, addlist);
if (dump)
{
estream_t input = modlist_dump (modlist, NULL);
if (input)
{
copy_stream (input, dump);
es_fclose (input);
}
}
/* Going on the assumption that modify operations are more frequent
than adds, we try a modify first. If it's not there, we just
turn around and send an add command for the same key. Otherwise,
the modify brings the server copy into compliance with our copy.
Note that unlike the LDAP keyserver (and really, any other
keyserver) this does NOT merge signatures, but replaces the whole
key. This should make some people very happy. */
{
char **attrval;
char *dn;
if ((serverinfo & SERVERINFO_NTDS))
{
/* The modern way using a CN RDN with the fingerprint. This
* has the advantage that we won't have duplicate 64 bit
* keyids in the store. In particular NTDS requires the
* DN to be unique. */
attrval = modlist_lookup (addlist, "gpgFingerprint");
/* We should have exactly one value. */
if (!attrval || !(attrval[0] && !attrval[1]))
{
log_error ("ks-ldap: bad gpgFingerprint provided\n");
err = GPG_ERR_GENERAL;
goto out;
}
dn = xtryasprintf ("CN=%s,%s", attrval[0], basedn);
}
else /* The old style way. */
{
attrval = modlist_lookup (addlist, "pgpCertID");
/* We should have exactly one value. */
if (!attrval || !(attrval[0] && !attrval[1]))
{
log_error ("ks-ldap: bad pgpCertID provided\n");
err = GPG_ERR_GENERAL;
goto out;
}
dn = xtryasprintf ("pgpCertID=%s,%s", attrval[0], basedn);
}
if (!dn)
{
err = gpg_error_from_syserror ();
goto out;
}
if (opt.debug)
log_debug ("ks-ldap: using DN: %s\n", dn);
npth_unprotect ();
err = ldap_modify_s (ldap_conn, dn, modlist);
if (err == LDAP_NO_SUCH_OBJECT)
err = ldap_add_s (ldap_conn, dn, addlist);
npth_protect ();
xfree (dn);
if (err != LDAP_SUCCESS)
{
log_error ("ks-ldap: error adding key to keyserver: %s\n",
ldap_err2string (err));
err = ldap_err_to_gpg_err (err);
}
}
out:
if (dump)
es_fclose (dump);
if (ldap_conn)
ldap_unbind (ldap_conn);
xfree (basedn);
modlist_free (modlist);
xfree (addlist);
xfree (data_armored);
return err;
}
diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c
index 174c6d93f..f9f6d5f1a 100644
--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@@ -1,1019 +1,1027 @@
/* ldap.c - LDAP access
* Copyright (C) 2002 Klarälvdalens Datakonsult AB
* Copyright (C) 2003, 2004, 2005, 2007, 2008, 2010, 2021 g10 Code GmbH
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* DirMngr is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
* SPDX-License-Identifier: GPL-3.0-or-later
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "dirmngr.h"
#include "../common/exechelp.h"
#include "crlfetch.h"
#include "ldapserver.h"
#include "misc.h"
#include "ldap-wrapper.h"
#include "ldap-url.h"
#include "../common/host2net.h"
#define UNENCODED_URL_CHARS "abcdefghijklmnopqrstuvwxyz" \
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
"01234567890" \
"$-_.+!*'(),"
#define USERCERTIFICATE "userCertificate"
#define CACERTIFICATE "caCertificate"
#define X509CACERT "x509caCert"
#define USERSMIMECERTIFICATE "userSMIMECertificate"
/* Definition for the context of the cert fetch functions. */
struct cert_fetch_context_s
{
ksba_reader_t reader; /* The reader used (shallow copy). */
unsigned char *tmpbuf; /* Helper buffer. */
size_t tmpbufsize; /* Allocated size of tmpbuf. */
int truncated; /* Flag to indicate a truncated output. */
};
�
/* Add HOST and PORT to our list of LDAP servers. Fixme: We should
better use an extra list of servers. */
static void
add_server_to_servers (const char *host, int port)
{
ldap_server_t server;
ldap_server_t last = NULL;
const char *s;
if (!port)
port = 389;
for (server=opt.ldapservers; server; server = server->next)
{
if (!strcmp (server->host, host) && server->port == port)
return; /* already in list... */
last = server;
}
/* We assume that the host names are all supplied by our
configuration files and thus are sane. To keep this assumption
we must reject all invalid host names. */
for (s=host; *s; s++)
if (!strchr ("abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"01234567890.-", *s))
{
log_error (_("invalid char 0x%02x in host name - not added\n"), *s);
return;
}
log_info (_("adding '%s:%d' to the ldap server list\n"), host, port);
server = xtrycalloc (1, sizeof *s);
if (!server)
log_error (_("malloc failed: %s\n"), strerror (errno));
else
{
server->host = xstrdup (host);
server->port = port;
if (last)
last->next = server;
else
opt.ldapservers = server;
}
}
/* Perform an LDAP query. Returns an gpg error code or 0 on success.
The function returns a new reader object at READER. */
static gpg_error_t
run_ldap_wrapper (ctrl_t ctrl,
int ignore_timeout,
int multi_mode,
int tls_mode,
int ntds,
+ int areconly,
const char *proxy,
const char *host, int port,
const char *user, const char *pass,
const char *base, const char *filter, const char *attr,
ksba_reader_t *reader)
{
- const char *argv[50];
+ const char *argv[51];
int argc;
char portbuf[30], timeoutbuf[30];
*reader = NULL;
argc = 0;
if (pass && *pass) /* Note, that the password must be the first item. */
{
argv[argc++] = "--pass";
argv[argc++] = pass;
}
if (DBG_LOOKUP)
argv[argc++] = "-vv";
else if (DBG_EXTPROG)
argv[argc++] = "-v";
argv[argc++] = "--log-with-pid";
if (multi_mode)
argv[argc++] = "--multi";
if (tls_mode == 1)
argv[argc++] = "--starttls";
else if (tls_mode)
argv[argc++] = "--ldaptls";
if (ntds)
argv[argc++] = "--ntds";
+ if (areconly)
+ argv[argc++] = "--areconly";
+
if (opt.ldaptimeout)
{
snprintf (timeoutbuf, sizeof timeoutbuf, "%u", opt.ldaptimeout);
argv[argc++] = "--timeout";
argv[argc++] = timeoutbuf;
if (ignore_timeout)
argv[argc++] = "--only-search-timeout";
}
if (proxy)
{
argv[argc++] = "--proxy";
argv[argc++] = proxy;
}
if (host && *host)
{
argv[argc++] = "--host";
argv[argc++] = host;
}
if (port)
{
sprintf (portbuf, "%d", port);
argv[argc++] = "--port";
argv[argc++] = portbuf;
}
if (user && *user)
{
argv[argc++] = "--user";
argv[argc++] = user;
}
if (base && *base)
{
argv[argc++] = "--base";
argv[argc++] = base;
}
if (attr)
{
argv[argc++] = "--attr";
argv[argc++] = attr;
}
if (filter)
argv[argc++] = filter;
argv[argc] = NULL;
return ldap_wrapper (ctrl, reader, argv);
}
/* Perform a LDAP query using a given URL. On success a new ksba
reader is returned. If HOST or PORT are not 0, they are used to
override the values from the URL. */
gpg_error_t
url_fetch_ldap (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
{
gpg_error_t err;
LDAPURLDesc *ludp = NULL;
int tls_mode;
if (!ldap_is_ldap_url (url))
{
log_error (_("'%s' is not an LDAP URL\n"), url);
return gpg_error (GPG_ERR_INV_URI);
}
if (ldap_url_parse (url, &ludp))
{
log_error (_("'%s' is an invalid LDAP URL\n"), url);
return gpg_error (GPG_ERR_INV_URI);
}
if (ludp->lud_filter && ludp->lud_filter[0] != '(')
{
if (!strcmp (ludp->lud_filter, "objectClass=cRLDistributionPoint"))
{
/* Hack for broken DPs in DGN certs. */
log_info ("fixing broken LDAP URL\n");
free (ludp->lud_filter);
ludp->lud_filter
= strdup ("(objectClass=cRLDistributionPoint)");
if (!ludp->lud_filter)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
else
{
log_error (_("'%s' is an invalid LDAP URL\n"), url);
err = gpg_error (GPG_ERR_BAD_URI);
goto leave;
}
}
if (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps"))
tls_mode = 2; /* LDAP-over-TLS here becuase we get it from certs. */
else
tls_mode = 0;
err = run_ldap_wrapper (ctrl,
1, /* Ignore explicit timeout because CRLs
might be very large. */
0, /* No Multi-mode. */
tls_mode,
0, /* No AD authentication. */
+ 0, /* No areconly. */
opt.ldap_proxy,
ludp->lud_host, ludp->lud_port,
NULL, NULL, /* user, password */
ludp->lud_dn, /* Base DN */
ludp->lud_filter,
ludp->lud_attrs? ludp->lud_attrs[0] : NULL,
reader);
/* FIXME: This option might be used for DoS attacks. Because it
will enlarge the list of servers to consult without a limit and
all LDAP queries w/o a host are will then try each host in
turn. */
if (!err && opt.add_new_ldapservers && !opt.ldap_proxy)
{
if (ludp->lud_host)
add_server_to_servers (ludp->lud_host, ludp->lud_port);
}
/* If the lookup failed and we are not only using the proxy, we try
again using our default list of servers. */
if (err && !(opt.ldap_proxy && opt.only_ldap_proxy))
{
struct ldapserver_iter iter;
if (DBG_LOOKUP)
log_debug ("no hostname in URL or query failed; "
"trying all default hostnames\n");
for (ldapserver_iter_begin (&iter, ctrl);
err && ! ldapserver_iter_end_p (&iter);
ldapserver_iter_next (&iter))
{
ldap_server_t server = iter.server;
if (server->starttls)
tls_mode = 1;
else if (server->ldap_over_tls)
tls_mode = 2;
else
tls_mode = 0;
err = run_ldap_wrapper (ctrl,
0,
0, /* No Multi-mode */
tls_mode,
server->ntds,
+ server->areconly,
NULL,
server->host, server->port,
server->user, server->pass,
server->base,
ludp->lud_filter,
ludp->lud_attrs? ludp->lud_attrs[0] : NULL,
reader);
if (!err)
break;
}
}
leave:
ldap_free_urldesc (ludp);
return err;
}
/* Perform an LDAP query on all configured servers. On error the
error code of the last try is returned. */
gpg_error_t
attr_fetch_ldap (ctrl_t ctrl,
const char *dn, const char *attr, ksba_reader_t *reader)
{
gpg_error_t err = gpg_error (GPG_ERR_CONFIGURATION);
struct ldapserver_iter iter;
*reader = NULL;
/* FIXME; we might want to look at the Base DN to try matching
servers first. */
for (ldapserver_iter_begin (&iter, ctrl); ! ldapserver_iter_end_p (&iter);
ldapserver_iter_next (&iter))
{
ldap_server_t server = iter.server;
int tls_mode;
if (server->starttls)
tls_mode = 1;
else if (server->ldap_over_tls)
tls_mode = 2;
else
tls_mode = 0;
err = run_ldap_wrapper (ctrl,
0,
0,
tls_mode,
server->ntds,
+ server->areconly,
opt.ldap_proxy,
server->host, server->port,
server->user, server->pass,
dn,
"(objectClass=*)",
attr,
reader);
if (!err)
break; /* Probably found a result. Ready. */
}
return err;
}
�
/* Return true if VALUE needs escaping. */
static int
rfc2254_need_escape (const char *value)
{
/* NUL needs to be escaped as well but we can represent that in
* VALUE, so no need for it. */
return !!strpbrk (value, "*()\\");
}
/* Escape VALUE using RFC-2254 rules. Returns NULL on error. */
static char *
rfc2254_escape (const char *value)
{
const char *s;
char *buffer, *p;
size_t length = 0;
for (s=value; *s; s++)
switch (*s)
{
case '*':
case '(':
case ')':
case '\\': length += 3; break;
default: length++; break;
}
buffer = xtrymalloc (length+1);
if (!buffer)
return NULL;
p = buffer;
for (s=value; *s; s++)
switch (*s)
{
case '*': p = stpcpy (p, "\\2a"); break;
case '(': p = stpcpy (p, "\\28"); break;
case ')': p = stpcpy (p, "\\29"); break;
case '\\': p = stpcpy (p, "\\5c"); break;
default: *p++ = *s; break;
}
*p = 0;
return buffer;
}
/* Return true if VALUE needs escaping. */
static int
extfilt_need_escape (const char *value)
{
/* NUL needs to be escaped as well but we can represent that in
* VALUE, so no need for it. */
return !!strchr (value, '&');
}
/* Escape VALUE using our extended filter rules from dirmngr_ldap.c.
* Returns NULL on error. */
static char *
extfilt_escape (const char *value)
{
const char *s;
char *buffer, *p;
size_t length = 0;
for (s=value; *s; s++)
{
length++;
if (*s == '&')
length++;
}
buffer = xtrymalloc (length+1);
if (!buffer)
return NULL;
p = buffer;
for (s=value; *s; s++)
{
*p++ = *s;
if (*s == '&')
*p++ = '&';
}
*p = 0;
return buffer;
}
/* Parse PATTERN and return a new filter expression for an LDAP query.
* The extended filter syntax as known by dirmngr_ldap.c is used.
* Caller must release the returned value. R_RESULT is set to NULL on
* error.
*
* Supported patterns:
*
* | Ok | gpg style user id type |
* |-----+------------------------------------------------------|
* | no | KeyID |
* | no | Fingerprint |
* | no | OpenPGP userid |
* | yes | Email address Indicated by a left angle bracket. |
* | no | Exact word match in user id or subj. name |
* | yes | Subj. DN indicated by a leading slash |
* | no | Issuer DN |
* | no | Serial number + subj. DN |
* | yes | Substring match indicated by a leading '*; (default) |
*/
static gpg_error_t
make_one_filter (const char *pattern, char **r_result)
{
gpg_error_t err = 0;
char *pattern_buffer = NULL;
char *result = NULL;
size_t n;
*r_result = NULL;
switch (*pattern)
{
case '<': /* Email. */
{
pattern++;
if (rfc2254_need_escape (pattern)
&& !(pattern = pattern_buffer = rfc2254_escape (pattern)))
{
err = gpg_error_from_syserror ();
goto leave;
}
result = strconcat ("(mail=", pattern, ")", NULL);
if (!result)
{
err = gpg_error_from_syserror ();
goto leave;
}
n = strlen (result);
if (result[n-2] == '>') /* Strip trailing '>' */
{
result[n-2] = ')';
result[n-1] = 0;
}
break;
}
case '/': /* Subject DN. */
pattern++;
if (*pattern)
{
/* We need just the BaseDN. This assumes that the Subject
* is correcly stored in the DT. This is however not always
* the case and the actual DN is different ffrom the
* subject. In this case we won't find anything. */
if (extfilt_need_escape (pattern)
&& !(pattern = pattern_buffer = extfilt_escape (pattern)))
{
err = gpg_error_from_syserror ();
goto leave;
}
result = strconcat ("^", pattern, "&base&", NULL);
if (!result)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
break;
case '#': /* Issuer DN - Not yet working. */
pattern++;
if (*pattern == '/') /* Just issuer DN. */
{
pattern++;
if (extfilt_need_escape (pattern)
&& !(pattern = pattern_buffer = extfilt_escape (pattern)))
{
err = gpg_error_from_syserror ();
goto leave;
}
result = strconcat ("^", pattern, "&base&", NULL);
if (!result)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
else /* Serial number + issuer DN */
{
}
break;
case '*':
pattern++;
/* fall through */
default: /* Take as substring match. */
if (*pattern)
{
if (rfc2254_need_escape (pattern)
&& !(pattern = pattern_buffer = rfc2254_escape (pattern)))
{
err = gpg_error_from_syserror ();
goto leave;
}
result = strconcat ("(|(sn=*", pattern,
"*)(|(cn=*", pattern,
"*)(mail=*", pattern,
"*)))", NULL);
if (!result)
{
err = gpg_error_from_syserror ();
goto leave;
}
}
break;
}
if (!result)
err = gpg_error (GPG_ERR_INV_USER_ID);
leave:
xfree (pattern_buffer);
if (err)
xfree (result);
else
*r_result = result;
return err;
}
/* Prepare an LDAP query to return the cACertificate attribute for DN.
* All configured default servers are queried until one responds.
* This function returns an error code or 0 and stored a newly
* allocated contect object at CONTEXT on success. */
gpg_error_t
start_cacert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context,
const char *dn)
{
gpg_error_t err;
struct ldapserver_iter iter;
*r_context = xtrycalloc (1, sizeof **r_context);
if (!*r_context)
return gpg_error_from_errno (errno);
/* FIXME; we might want to look at the Base DN to try matching
servers first. */
err = gpg_error (GPG_ERR_CONFIGURATION);
for (ldapserver_iter_begin (&iter, ctrl); ! ldapserver_iter_end_p (&iter);
ldapserver_iter_next (&iter))
{
ldap_server_t server = iter.server;
err = run_ldap_wrapper (ctrl,
0,
1, /* --multi (record format) */
0, /* No TLS */
0, /* No AD authentication. */
+ server->areconly,
opt.ldap_proxy,
server->host, server->port,
server->user, server->pass,
dn, "objectClass=*", "cACertificate",
&(*r_context)->reader);
if (!err)
break; /* Probably found a result. */
}
if (err)
{
xfree (*r_context);
*r_context = NULL;
}
return err;
}
/* Prepare an LDAP query to return certificates matching PATTERNS
* using the SERVER. This function returns an error code or 0 and
* stores a newly allocated object at R_CONTEXT on success. */
gpg_error_t
start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context,
strlist_t patterns, const ldap_server_t server)
{
gpg_error_t err;
char *proxy = NULL;
char *host = NULL;
int port;
char *user = NULL;
char *pass = NULL;
char *base = NULL;
char *argv[50];
int argc = 0;
int argc_malloced = 0;
char portbuf[30], timeoutbuf[30];
int starttls, ldaptls, ntds;
*r_context = NULL;
if (opt.ldap_proxy && !(proxy = xtrystrdup (opt.ldap_proxy)))
{
err = gpg_error_from_syserror ();
goto leave;
}
if (server)
{
if (server->host && !(host = xtrystrdup (server->host)))
{
err = gpg_error_from_syserror ();
goto leave;
}
port = server->port;
if (server->user && !(user = xtrystrdup (server->user)))
{
err = gpg_error_from_syserror ();
goto leave;
}
if (server->pass && !(pass = xtrystrdup (server->pass)))
{
err = gpg_error_from_syserror ();
goto leave;
}
if (server->base && !(base = xtrystrdup (server->base)))
{
err = gpg_error_from_syserror ();
goto leave;
}
starttls = server->starttls;
ldaptls = server->ldap_over_tls;
ntds = server->ntds;
}
else /* Use a default server. */
{
err = gpg_error (GPG_ERR_NOT_IMPLEMENTED);
goto leave;
}
if (pass && *pass) /* Note: Must be the first item. */
{
argv[argc++] = "--pass";
argv[argc++] = pass;
}
if (DBG_LOOKUP)
argv[argc++] = "-vv";
else if (DBG_EXTPROG)
argv[argc++] = "-v";
argv[argc++] = "--log-with-pid";
argv[argc++] = "--multi";
if (starttls)
argv[argc++] = "--starttls";
else if (ldaptls)
argv[argc++] = "--ldaptls";
if (ntds)
argv[argc++] = "--ntds";
if (opt.ldaptimeout)
{
snprintf (timeoutbuf, sizeof timeoutbuf, "%u", opt.ldaptimeout);
argv[argc++] = "--timeout";
argv[argc++] = timeoutbuf;
}
if (proxy && *proxy)
{
argv[argc++] = "--proxy";
argv[argc++] = proxy;
}
if (host && *host)
{
argv[argc++] = "--host";
argv[argc++] = host;
}
if (port)
{
snprintf (portbuf, sizeof portbuf, "%d", port);
argv[argc++] = "--port";
argv[argc++] = portbuf;
}
if (user && *user)
{
argv[argc++] = "--user";
argv[argc++] = user;
}
if (base && *base)
{
argv[argc++] = "--base";
argv[argc++] = base;
}
/* All entries in argv from this index on are malloc'ed. */
argc_malloced = argc;
for (; patterns; patterns = patterns->next)
{
if (argc >= DIM (argv) - 1)
{
/* Too many patterns. It does not make sense to allow an
arbitrary number of patters because the length of the
command line is limited anyway. */
err = gpg_error (GPG_ERR_RESOURCE_LIMIT);
goto leave;
}
if (*patterns->d)
{
err = make_one_filter (patterns->d, &argv[argc]);
if (err)
goto leave;
argc++;
}
}
argv[argc] = NULL;
*r_context = xtrycalloc (1, sizeof **r_context);
if (!*r_context)
{
err = gpg_error_from_syserror ();
goto leave;
}
err = ldap_wrapper (ctrl, &(*r_context)->reader, (const char**)argv);
if (err)
{
xfree (*r_context);
*r_context = NULL;
}
leave:
for (; argc_malloced < argc; argc_malloced++)
xfree (argv[argc_malloced]);
xfree (proxy);
xfree (host);
xfree (base);
xfree (user);
xfree (pass);
return err;
}
/* Read a fixed amount of data from READER into BUFFER. */
static gpg_error_t
read_buffer (ksba_reader_t reader, unsigned char *buffer, size_t count)
{
gpg_error_t err;
size_t nread;
while (count)
{
err = ksba_reader_read (reader, buffer, count, &nread);
if (err)
return err;
buffer += nread;
count -= nread;
}
return 0;
}
/* Fetch the next certificate. Return 0 on success, GPG_ERR_EOF if no
(more) certificates are available or any other error
code. GPG_ERR_TRUNCATED may be returned to indicate that the result
has been truncated. */
gpg_error_t
fetch_next_cert_ldap (cert_fetch_context_t context,
unsigned char **value, size_t *valuelen)
{
gpg_error_t err;
unsigned char hdr[5];
char *p, *pend;
unsigned long n;
int okay = 0;
/* int is_cms = 0; */
*value = NULL;
*valuelen = 0;
err = 0;
while (!err)
{
err = read_buffer (context->reader, hdr, 5);
if (err)
break;
n = buf32_to_ulong (hdr+1);
if (*hdr == 'V' && okay)
{
#if 0 /* That code to extra a cert from a CMS object is not yet ready. */
if (is_cms)
{
/* The certificate needs to be parsed from CMS data. */
ksba_cms_t cms;
ksba_stop_reason_t stopreason;
int i;
err = ksba_cms_new (&cms);
if (err)
goto leave;
err = ksba_cms_set_reader_writer (cms, context->reader, NULL);
if (err)
{
log_error ("ksba_cms_set_reader_writer failed: %s\n",
gpg_strerror (err));
goto leave;
}
do
{
err = ksba_cms_parse (cms, &stopreason);
if (err)
{
log_error ("ksba_cms_parse failed: %s\n",
gpg_strerror (err));
goto leave;
}
if (stopreason == KSBA_SR_BEGIN_DATA)
log_error ("userSMIMECertificate is not "
"a certs-only message\n");
}
while (stopreason != KSBA_SR_READY);
for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++)
{
check_and_store (ctrl, stats, cert, 0);
ksba_cert_release (cert);
cert = NULL;
}
if (!i)
log_error ("no certificate found\n");
else
any = 1;
}
else
#endif /* End unfinished code to extract from a CMS object. */
{
*value = xtrymalloc (n);
if (!*value)
return gpg_error_from_errno (errno);
*valuelen = n;
err = read_buffer (context->reader, *value, n);
break; /* Ready or error. */
}
}
else if (!n && *hdr == 'A')
okay = 0;
else if (n)
{
if (n > context->tmpbufsize)
{
xfree (context->tmpbuf);
context->tmpbufsize = 0;
context->tmpbuf = xtrymalloc (n+1);
if (!context->tmpbuf)
return gpg_error_from_errno (errno);
context->tmpbufsize = n;
}
err = read_buffer (context->reader, context->tmpbuf, n);
if (err)
break;
if (*hdr == 'A')
{
p = context->tmpbuf;
p[n] = 0; /*(we allocated one extra byte for this.)*/
/* fixme: is_cms = 0; */
if ( (pend = strchr (p, ';')) )
*pend = 0; /* Strip off the extension. */
if (!ascii_strcasecmp (p, USERCERTIFICATE))
{
if (DBG_LOOKUP)
log_debug ("fetch_next_cert_ldap: got attribute '%s'\n",
USERCERTIFICATE);
okay = 1;
}
else if (!ascii_strcasecmp (p, CACERTIFICATE))
{
if (DBG_LOOKUP)
log_debug ("fetch_next_cert_ldap: got attribute '%s'\n",
CACERTIFICATE);
okay = 1;
}
else if (!ascii_strcasecmp (p, X509CACERT))
{
if (DBG_LOOKUP)
log_debug ("fetch_next_cert_ldap: got attribute '%s'\n",
CACERTIFICATE);
okay = 1;
}
/* else if (!ascii_strcasecmp (p, USERSMIMECERTIFICATE)) */
/* { */
/* if (DBG_LOOKUP) */
/* log_debug ("fetch_next_cert_ldap: got attribute '%s'\n", */
/* USERSMIMECERTIFICATE); */
/* okay = 1; */
/* is_cms = 1; */
/* } */
else
{
if (DBG_LOOKUP)
log_debug ("fetch_next_cert_ldap: got attribute '%s'"
" - ignored\n", p);
okay = 0;
}
}
else if (*hdr == 'E')
{
p = context->tmpbuf;
p[n] = 0; /*(we allocated one extra byte for this.)*/
if (!strcmp (p, "truncated"))
{
context->truncated = 1;
log_info (_("ldap_search hit the size limit of"
" the server\n"));
}
}
}
}
if (err)
{
xfree (*value);
*value = NULL;
*valuelen = 0;
if (gpg_err_code (err) == GPG_ERR_EOF && context->truncated)
{
context->truncated = 0; /* So that the next call would return EOF. */
err = gpg_error (GPG_ERR_TRUNCATED);
}
}
return err;
}
void
end_cert_fetch_ldap (cert_fetch_context_t context)
{
if (context)
{
ksba_reader_t reader = context->reader;
xfree (context->tmpbuf);
xfree (context);
ldap_wrapper_release_context (reader);
ksba_reader_release (reader);
}
}
diff --git a/dirmngr/ldapserver.c b/dirmngr/ldapserver.c
index 4ef28431c..14f87efb1 100644
--- a/dirmngr/ldapserver.c
+++ b/dirmngr/ldapserver.c
@@ -1,211 +1,216 @@
/* dirmngr.c - LDAP access
Copyright (C) 2008 g10 Code GmbH
This file is part of DirMngr.
DirMngr is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
DirMngr is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA. */
#ifdef HAVE_CONFIG_H
# include
#endif
#include "dirmngr.h"
#include "ldapserver.h"
�
/* Release the list of SERVERS. As usual it is okay to call this
function with SERVERS passed as NULL. */
void
ldapserver_list_free (ldap_server_t servers)
{
while (servers)
{
ldap_server_t tmp = servers->next;
xfree (servers->host);
xfree (servers->user);
if (servers->pass)
memset (servers->pass, 0, strlen (servers->pass));
xfree (servers->pass);
xfree (servers->base);
xfree (servers);
servers = tmp;
}
}
/* Parse a single LDAP server configuration line. Returns the server
* or NULL in case of errors. The configuration line is assumed to be
* colon separated with these fields:
*
* 1. field: Hostname
* 2. field: Portnumber
* 3. field: Username
* 4. field: Password
* 5. field: Base DN
* 6. field: Flags
*
* Flags are:
*
* starttls := Use STARTTLS with a default port of 389
* ldaptls := Tunnel LDAP trough a TLS tunnel with default port 636
* plain := Switch to plain unsecured LDAP.
* (The last of these 3 flags is the effective one)
* ntds := Use Active Directory authentication
+ * areconly := Use option LDAP_OPT_AREC_EXCLUSIVE
*
* FILENAME and LINENO are used for diagnostic purposes only.
*/
ldap_server_t
ldapserver_parse_one (char *line,
const char *filename, unsigned int lineno)
{
char *p;
char *endp;
const char *s;
ldap_server_t server;
int fieldno;
int fail = 0;
int i;
/* Parse the colon separated fields. */
server = xtrycalloc (1, sizeof *server);
if (!server)
{
fail = 1;
goto leave;
}
for (fieldno = 1, p = line; p; p = endp, fieldno++ )
{
endp = strchr (p, ':');
if (endp)
*endp++ = '\0';
trim_spaces (p);
switch (fieldno)
{
case 1:
server->host = xtrystrdup (p);
if (!server->host)
fail = 1;
break;
case 2:
if (*p)
server->port = atoi (p);
break;
case 3:
server->user = xtrystrdup (p);
if (!server->user)
fail = 1;
break;
case 4:
if (*p && !server->user)
{
if (filename)
log_error (_("%s:%u: password given without user\n"),
filename, lineno);
else
log_error ("ldap: password given without user ('%s')\n", line);
fail = 1;
}
else if (*p)
{
server->pass = xtrystrdup (p);
if (!server->pass)
fail = 1;
}
break;
case 5:
if (*p)
{
server->base = xtrystrdup (p);
if (!server->base)
fail = 1;;
}
break;
case 6:
{
char **flags = NULL;
flags = strtokenize (p, ",");
if (!flags)
{
log_error ("strtokenize failed: %s\n",
gpg_strerror (gpg_error_from_syserror ()));
fail = 1;
break;
}
for (i=0; (s = flags[i]); i++)
{
if (!*s)
;
else if (!ascii_strcasecmp (s, "starttls"))
{
server->starttls = 1;
server->ldap_over_tls = 0;
}
else if (!ascii_strcasecmp (s, "ldaptls"))
{
server->starttls = 0;
server->ldap_over_tls = 1;
}
else if (!ascii_strcasecmp (s, "plain"))
{
server->starttls = 0;
server->ldap_over_tls = 0;
}
else if (!ascii_strcasecmp (s, "ntds"))
{
server->ntds = 1;
}
+ else if (!ascii_strcasecmp (s, "areconly"))
+ {
+ server->areconly = 1;
+ }
else
{
if (filename)
log_info (_("%s:%u: ignoring unknown flag '%s'\n"),
filename, lineno, s);
else
log_info ("ldap: unknown flag '%s' ignored in (%s)\n",
s, line);
}
}
xfree (flags);
}
break;
default:
/* (We silently ignore extra fields.) */
break;
}
}
leave:
if (fail)
{
if (filename)
log_info (_("%s:%u: skipping this line\n"), filename, lineno);
else
log_info ("ldap: error in server spec ('%s')\n", line);
ldapserver_list_free (server);
server = NULL;
}
return server;
}
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 6c1c59b82..aaa30ec50 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -1,1335 +1,1338 @@
@c Copyright (C) 2002 Klar"alvdalens Datakonsult AB
@c Copyright (C) 2004, 2005, 2006, 2007 g10 Code GmbH
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.
@include defs.inc
@node Invoking DIRMNGR
@chapter Invoking DIRMNGR
@cindex DIRMNGR command options
@cindex command options
@cindex options, DIRMNGR command
@manpage dirmngr.8
@ifset manverb
.B dirmngr
\- GnuPG's network access daemon
@end ifset
@mansect synopsis
@ifset manverb
.B dirmngr
.RI [ options ]
.I command
.RI [ args ]
@end ifset
@mansect description
Since version 2.1 of GnuPG, @command{dirmngr} takes care of accessing
the OpenPGP keyservers. As with previous versions it is also used as
a server for managing and downloading certificate revocation lists
(CRLs) for X.509 certificates, downloading X.509 certificates, and
providing access to OCSP providers. Dirmngr is invoked internally by
@command{gpg}, @command{gpgsm}, or via the @command{gpg-connect-agent}
tool.
@manpause
@noindent
@xref{Option Index},for an index to @command{DIRMNGR}'s commands and
options.
@mancont
@menu
* Dirmngr Commands:: List of all commands.
* Dirmngr Options:: List of all options.
* Dirmngr Configuration:: Configuration files.
* Dirmngr Signals:: Use of signals.
* Dirmngr Examples:: Some usage examples.
* Dirmngr Protocol:: The protocol dirmngr uses.
@end menu
@node Dirmngr Commands
@section Commands
@mansect commands
Commands are not distinguished from options except for the fact that
only one command is allowed.
@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information. Note that you cannot
abbreviate this command.
@item --help, -h
@opindex help
Print a usage message summarizing the most useful command-line options.
Note that you cannot abbreviate this command.
@item --dump-options
@opindex dump-options
Print a list of all available options and commands. Note that you cannot
abbreviate this command.
@item --server
@opindex server
Run in server mode and wait for commands on the @code{stdin}. The
default mode is to create a socket and listen for commands there.
This is only used for testing.
@item --daemon
@opindex daemon
Run in background daemon mode and listen for commands on a socket.
This is the way @command{dirmngr} is started on demand by the other
GnuPG components. To force starting @command{dirmngr} it is in
general best to use @code{gpgconf --launch dirmngr}.
@item --supervised
@opindex supervised
Run in the foreground, sending logs to stderr, and listening on file
descriptor 3, which must already be bound to a listening socket. This
option is deprecated and not supported on Windows.
@item --list-crls
@opindex list-crls
List the contents of the CRL cache on @code{stdout}. This is probably
only useful for debugging purposes.
@item --load-crl @var{file}
@opindex load-crl
This command requires a filename as additional argument, and it will
make Dirmngr try to import the CRL in @var{file} into it's cache.
Note, that this is only possible if Dirmngr is able to retrieve the
CA's certificate directly by its own means. In general it is better
to use @code{gpgsm}'s @code{--call-dirmngr loadcrl filename} command
so that @code{gpgsm} can help dirmngr.
@item --fetch-crl @var{url}
@opindex fetch-crl
This command requires an URL as additional argument, and it will make
dirmngr try to retrieve and import the CRL from that @var{url} into
it's cache. This is mainly useful for debugging purposes. The
@command{dirmngr-client} provides the same feature for a running dirmngr.
@item --shutdown
@opindex shutdown
This commands shuts down an running instance of Dirmngr. This command
has currently no effect.
@item --flush
@opindex flush
This command removes all CRLs from Dirmngr's cache. Client requests
will thus trigger reading of fresh CRLs.
@end table
@mansect options
@node Dirmngr Options
@section Option Summary
Note that all long options with the exception of @option{--options}
and @option{--homedir} may also be given in the configuration file
after stripping off the two leading dashes.
@table @gnupgtabopt
@item --options @var{file}
@opindex options
Reads configuration from @var{file} instead of from the default
per-user configuration file. The default configuration file is named
@file{dirmngr.conf} and expected in the home directory.
@item --homedir @var{dir}
@opindex options
Set the name of the home directory to @var{dir}. This option is only
effective when used on the command line. The default is
the directory named @file{.gnupg} directly below the home directory
of the user unless the environment variable @code{GNUPGHOME} has been set
in which case its value will be used. Many kinds of data are stored within
this directory.
@item -v
@item --verbose
@opindex v
@opindex verbose
Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to @sc{dirmngr}, such as @option{-vv}.
@item --log-file @var{file}
@opindex log-file
Append all logging output to @var{file}. This is very helpful in
seeing what the agent actually does. Use @file{socket://} to log to
socket.
@item --debug-level @var{level}
@opindex debug-level
Select the debug level for investigating problems. @var{level} may be a
numeric value or by a keyword:
@table @code
@item none
No debugging at all. A value of less than 1 may be used instead of
the keyword.
@item basic
Some basic debug messages. A value between 1 and 2 may be used
instead of the keyword.
@item advanced
More verbose debug messages. A value between 3 and 5 may be used
instead of the keyword.
@item expert
Even more detailed messages. A value between 6 and 8 may be used
instead of the keyword.
@item guru
All of the debug messages you can get. A value greater than 8 may be
used instead of the keyword. The creation of hash tracing files is
only enabled if the keyword is used.
@end table
How these messages are mapped to the actual debugging flags is not
specified and may change with newer releases of this program. They are
however carefully selected to best aid in debugging.
@item --debug @var{flags}
@opindex debug
Set debug flags. All flags are or-ed and @var{flags} may be given in
C syntax (e.g. 0x0042) or as a comma separated list of flag names. To
get a list of all supported flags the single word "help" can be used.
This option is only useful for debugging and the behavior may change
at any time without notice.
@item --debug-all
@opindex debug-all
Same as @code{--debug=0xffffffff}
@item --tls-debug @var{level}
@opindex tls-debug
Enable debugging of the TLS layer at @var{level}. The details of the
debug level depend on the used TLS library and are not set in stone.
@item --debug-wait @var{n}
@opindex debug-wait
When running in server mode, wait @var{n} seconds before entering the
actual processing loop and print the pid. This gives time to attach a
debugger.
@item --disable-check-own-socket
@opindex disable-check-own-socket
On some platforms @command{dirmngr} is able to detect the removal of
its socket file and shutdown itself. This option disable this
self-test for debugging purposes.
@item -s
@itemx --sh
@itemx -c
@itemx --csh
@opindex s
@opindex sh
@opindex c
@opindex csh
Format the info output in daemon mode for use with the standard Bourne
shell respective the C-shell. The default is to guess it based on the
environment variable @code{SHELL} which is in almost all cases
sufficient.
@item --force
@opindex force
Enabling this option forces loading of expired CRLs; this is only
useful for debugging.
@item --use-tor
@itemx --no-use-tor
@opindex use-tor
@opindex no-use-tor
The option @option{--use-tor} switches Dirmngr and thus GnuPG into
``Tor mode'' to route all network access via Tor (an anonymity
network). Certain other features are disabled in this mode. The
effect of @option{--use-tor} cannot be overridden by any other command
or even by reloading dirmngr. The use of @option{--no-use-tor}
disables the use of Tor. The default is to use Tor if it is available
on startup or after reloading dirmngr. The test on the availability of
Tor is done by trying to connect to a SOCKS proxy at either port 9050
or 9150; if another type of proxy is listening on one of these ports,
you should use @option{--no-use-tor}.
@item --standard-resolver
@opindex standard-resolver
This option forces the use of the system's standard DNS resolver code.
This is mainly used for debugging. Note that on Windows a standard
resolver is not used and all DNS access will return the error ``Not
Implemented'' if this option is used. Using this together with enabled
Tor mode returns the error ``Not Enabled''.
@item --recursive-resolver
@opindex recursive-resolver
When possible use a recursive resolver instead of a stub resolver.
@item --resolver-timeout @var{n}
@opindex resolver-timeout
Set the timeout for the DNS resolver to N seconds. The default are 30
seconds.
@item --connect-timeout @var{n}
@item --connect-quick-timeout @var{n}
@opindex connect-timeout
@opindex connect-quick-timeout
Set the timeout for HTTP and generic TCP connection attempts to N
seconds. The value set with the quick variant is used when the
--quick option has been given to certain Assuan commands. The quick
value is capped at the value of the regular connect timeout. The
default values are 15 and 2 seconds. Note that the timeout values are
for each connection attempt; the connection code will attempt to
connect all addresses listed for a server.
@item --listen-backlog @var{n}
@opindex listen-backlog
Set the size of the queue for pending connections. The default is 64.
@item --allow-version-check
@opindex allow-version-check
Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get
the list of current software versions. If this option is enabled
the list is retrieved in case the local
copy does not exist or is older than 5 to 7 days. See the option
@option{--query-swdb} of the command @command{gpgconf} for more
details. Note, that regardless of this option a version check can
always be triggered using this command:
@example
gpg-connect-agent --dirmngr 'loadswdb --force' /bye
@end example
@item --keyserver @var{name}
@opindex keyserver
Use @var{name} as your keyserver. This is the server that @command{gpg}
communicates with to receive keys, send keys, and search for
keys. The format of the @var{name} is a URI:
`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
keyservers, or "mailto" for the Graff email keyserver. Note that your
particular installation of GnuPG may have other keyserver types
available as well. Keyserver schemes are case-insensitive. After the
keyserver name, optional keyserver configuration options may be
provided. These are the same as the @option{--keyserver-options} of
@command{gpg}, but apply only to this particular keyserver.
Most keyservers synchronize with each other, so there is generally no
need to send keys to more than one server. Somes keyservers use round
robin DNS to give a different keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor hidden
service (.onion), Dirmngr selects the keyserver to use depending on
whether Tor is locally running or not. The check for a running Tor is
done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the
built-in default of @code{https://keyserver.ubuntu.com}.
Windows users with a keyserver running on their Active Directory
may use the short form @code{ldap:///} for @var{name} to access this directory.
For accessing anonymous LDAP keyservers @var{name} is in general just
a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be
specified. If authentication is required things are more complicated
and two methods are available:
The modern method (since version 2.2.28) is to use the very same syntax
as used with the option @option{--ldapserver}. Please see over
there for details; here is an example:
@example
keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
dc=example,dc=com:PASSWORD::starttls
@end example
The other method is to use a full URL for @var{name}; for example:
@example
keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
%2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
@end example
Put this all on one line without any spaces and keep the '%2C'
as given. Replace USERNAME, PASSWORD, and the 'dc' parts
according to the instructions received from your LDAP
administrator. Note that only simple authentication
(i.e. cleartext passwords) is supported and thus using ldaps is
strongly suggested (since 2.2.28 "ldaps" defaults to port 389
and uses STARTTLS). On Windows authentication via AD can be
requested by adding @code{gpgNtds=1} after the fourth question
mark instead of the bindname and password parameter.
@item --nameserver @var{ipaddr}
@opindex nameserver
In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS
names. If the default public resolver, which is @code{8.8.8.8}, shall
not be used a different one can be given using this option. Note that
a numerical IP address must be given (IPv6 or IPv4) and that no error
checking is done for @var{ipaddr}.
@item --disable-ipv4
@item --disable-ipv6
@opindex disable-ipv4
@opindex disable-ipv6
Disable the use of all IPv4 or IPv6 addresses.
@item --disable-ldap
@opindex disable-ldap
Entirely disables the use of LDAP.
@item --disable-http
@opindex disable-http
Entirely disables the use of HTTP.
@item --ignore-http-dp
@opindex ignore-http-dp
When looking for the location of a CRL, the to be tested certificate
usually contains so called @dfn{CRL Distribution Point} (DP) entries
which are URLs describing the way to access the CRL. The first found DP
entry is used. With this option all entries using the @acronym{HTTP}
scheme are ignored when looking for a suitable DP.
@item --ignore-ldap-dp
@opindex ignore-ldap-dp
This is similar to @option{--ignore-http-dp} but ignores entries using
the @acronym{LDAP} scheme. Both options may be combined resulting in
ignoring DPs entirely.
@item --ignore-ocsp-service-url
@opindex ignore-ocsp-service-url
Ignore all OCSP URLs contained in the certificate. The effect is to
force the use of the default responder.
@item --honor-http-proxy
@opindex honor-http-proxy
If the environment variable @env{http_proxy} has been set, use its
value to access HTTP servers.
@item --http-proxy @var{host}[:@var{port}]
@opindex http-proxy
@efindex http_proxy
Use @var{host} and @var{port} to access HTTP servers. The use of this
option overrides the environment variable @env{http_proxy} regardless
whether @option{--honor-http-proxy} has been set.
@item --ldap-proxy @var{host}[:@var{port}]
@opindex ldap-proxy
Use @var{host} and @var{port} to connect to LDAP servers. If @var{port}
is omitted, port 389 (standard LDAP port) is used. This overrides any
specified host and port part in a LDAP URL and will also be used if host
and port have been omitted from the URL.
@item --only-ldap-proxy
@opindex only-ldap-proxy
Never use anything else but the LDAP "proxy" as configured with
@option{--ldap-proxy}. Usually @command{dirmngr} tries to use other
configured LDAP server if the connection using the "proxy" failed.
@item --ldapserverlist-file @var{file}
@opindex ldapserverlist-file
Read the list of LDAP servers to consult for CRLs and X.509 certificates from
file instead of the default per-user ldap server list file. The default
value for @var{file} is @file{dirmngr_ldapservers.conf}.
This server list file contains one LDAP server per line in the format
@sc{hostname:port:username:password:base_dn:flags}
Lines starting with a @samp{#} are comments.
Note that as usual all strings entered are expected to be UTF-8 encoded.
Obviously this will lead to problems if the password has originally been
encoded as Latin-1. There is no other solution here than to put such a
password in the binary encoding into the file (i.e. non-ascii characters
won't show up readable).@footnote{The @command{gpgconf} tool might be
helpful for frontends as it enables editing this configuration file using
percent-escaped strings.}
@item --ldapserver @var{spec}
@opindex ldapserver
This is an alternative way to specify LDAP servers for CRL and X.509
certificate retrieval. If this option is used the servers configured
in @file{dirmngr_ldapservers.conf} (or the file given by
@option{--ldapserverlist-file}) are cleared. Note that
@file{dirmngr_ldapservers.conf} is not read again by a reload
signal. However, @option{--ldapserver} options are read again.
@var{spec} is either a proper LDAP URL or a colon delimited list of
the form
@sc{hostname:port:username:password:base_dn:flags:}
with an optional prefix of @code{ldap:} (but without the two slashes
which would turn this into a proper LDAP URL). @sc{flags} is a list
of one or more comma delimited keywords:
@table @code
@item plain
The default: Do not use a TLS secured connection at all; the default
port is 389.
@item starttls
Use STARTTLS to secure the connection; the default port is 389.
@item ldaptls
Tunnel LDAP through a TLS connection; the default port is 636.
@item ntds
On Windows authenticate the LDAP connection using the Active Directory
with the current user.
+@item areconly
+On Windows use only the A or AAAA record when resolving the LDAP
+server name.
@end table
Note that in an URL style specification the scheme @code{ldaps://}
refers to STARTTLS and _not_ to LDAP-over-TLS.
@item --ldaptimeout @var{secs}
@opindex ldaptimeout
Specify the number of seconds to wait for an LDAP query before timing
out. The default are 15 seconds. 0 will never timeout.
@item --add-servers
@opindex add-servers
This option makes dirmngr add any servers it discovers when validating
certificates against CRLs to the internal list of servers to consult for
certificates and CRLs. This option should in general not be used.
This option might be useful when trying to validate a certificate that
has a CRL distribution point that points to a server that is not
already listed in the ldapserverlist. Dirmngr will always go to this
server and try to download the CRL, but chances are high that the
certificate used to sign the CRL is located on the same server. So if
dirmngr doesn't add that new server to list, it will often not be able
to verify the signature of the CRL unless the @code{--add-servers}
option is used.
Caveat emptor: Using this option may enable denial-of-service attacks
and leak search requests to unknown third parties. This is because
arbitrary servers are added to the internal list of LDAP servers which
in turn is used for all unspecific LDAP queries as well as a fallback
for queries which did not return a result.
@item --allow-ocsp
@opindex allow-ocsp
This option enables OCSP support if requested by the client.
OCSP requests are rejected by default because they may violate the
privacy of the user; for example it is possible to track the time when
a user is reading a mail.
@item --ocsp-responder @var{url}
@opindex ocsp-responder
Use @var{url} as the default OCSP Responder if the certificate does
not contain information about an assigned responder. Note, that
@code{--ocsp-signer} must also be set to a valid certificate.
@item --ocsp-signer @var{fpr}|@var{file}
@opindex ocsp-signer
Use the certificate with the fingerprint @var{fpr} to check the
responses of the default OCSP Responder. Alternatively a filename can be
given in which case the response is expected to be signed by one of the
certificates described in that file. Any argument which contains a
slash, dot or tilde is considered a filename. Usual filename expansion
takes place: A tilde at the start followed by a slash is replaced by the
content of @env{HOME}, no slash at start describes a relative filename
which will be searched at the home directory. To make sure that the
@var{file} is searched in the home directory, either prepend the name
with "./" or use a name which contains a dot.
If a response has been signed by a certificate described by these
fingerprints no further check upon the validity of this certificate is
done.
The format of the @var{FILE} is a list of SHA-1 fingerprint, one per
line with optional colons between the bytes. Empty lines and lines
prefix with a hash mark are ignored.
@item --ocsp-max-clock-skew @var{n}
@opindex ocsp-max-clock-skew
The number of seconds a skew between the OCSP responder and them local
clock is accepted. Default is 600 (10 minutes).
@item --ocsp-max-period @var{n}
@opindex ocsp-max-period
Seconds a response is at maximum considered valid after the time given
in the thisUpdate field. Default is 7776000 (90 days).
@item --ocsp-current-period @var{n}
@opindex ocsp-current-period
The number of seconds an OCSP response is considered valid after the
time given in the NEXT_UPDATE datum. Default is 10800 (3 hours).
@item --max-replies @var{n}
@opindex max-replies
Do not return more that @var{n} items in one query. The default is
10.
@item --ignore-cert-extension @var{oid}
@opindex ignore-cert-extension
Add @var{oid} to the list of ignored certificate extensions. The
@var{oid} is expected to be in dotted decimal form, like
@code{2.5.29.3}. This option may be used more than once. Critical
flagged certificate extensions matching one of the OIDs in the list
are treated as if they are actually handled and thus the certificate
won't be rejected due to an unknown critical extension. Use this
option with care because extensions are usually flagged as critical
for a reason.
@item --ignore-cert @var{fpr}|@var{file}
@opindex ignore-cert
Entirely ignore certificates with the fingerprint @var{fpr}. As an
alternative to the fingerprint a filename can be given in which case
all certificates described in that file are ignored. Any argument
which contains a slash, dot or tilde is considered a filename. Usual
filename expansion takes place: A tilde at the start followed by a
slash is replaced by the content of @env{HOME}, no slash at start
describes a relative filename which will be searched at the home
directory. To make sure that the @var{file} is searched in the home
directory, either prepend the name with "./" or use a name which
contains a dot. The format of such a file is a list of SHA-1
fingerprint, one per line with optional colons between the bytes.
Empty lines and lines prefixed with a hash mark are ignored.
This option is useful as a quick workaround to exclude certain
certificates from the system store.
@item --hkp-cacert @var{file}
Use the root certificates in @var{file} for verification of the TLS
certificates used with @code{hkps} (keyserver access over TLS). If
the file is in PEM format a suffix of @code{.pem} is expected for
@var{file}. This option may be given multiple times to add more
root certificates. Tilde expansion is supported.
If no @code{hkp-cacert} directive is present, dirmngr will use the
system CAs.
@end table
@c
@c Dirmngr Configuration
@c
@mansect files
@node Dirmngr Configuration
@section Configuration
Dirmngr makes use of several directories when running in daemon mode:
There are a few configuration files to control the operation of
dirmngr. By default they may all be found in the current home
directory (@pxref{option --homedir}).
@table @file
@item dirmngr.conf
@efindex dirmngr.conf
This is the standard configuration file read by @command{dirmngr} on
startup. It may contain any valid long option; the leading two dashes
may not be entered and the option may not be abbreviated. This file
is also read after a @code{SIGHUP} however not all options will
actually have an effect. This default name may be changed on the
command line (@pxref{option --options}). You should backup this file.
@item /etc/gnupg/trusted-certs
This directory should be filled with certificates of Root CAs you
are trusting in checking the CRLs and signing OCSP Responses.
Usually these are the same certificates you use with the applications
making use of dirmngr. It is expected that each of these certificate
files contain exactly one @acronym{DER} encoded certificate in a file
with the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads
those certificates on startup and when given a SIGHUP. Certificates
which are not readable or do not make up a proper X.509 certificate
are ignored; see the log file for details.
Applications using dirmngr (e.g. gpgsm) can request these
certificates to complete a trust chain in the same way as with the
extra-certs directory (see below).
Note that for OCSP responses the certificate specified using the option
@option{--ocsp-signer} is always considered valid to sign OCSP requests.
@item /etc/gnupg/extra-certs
This directory may contain extra certificates which are preloaded
into the internal cache on startup. Applications using dirmngr (e.g. gpgsm)
can request cached certificates to complete a trust chain.
This is convenient in cases you have a couple intermediate CA certificates
or certificates usually used to sign OCSP responses.
These certificates are first tried before going
out to the net to look for them. These certificates must also be
@acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}.
@item ~/.gnupg/crls.d
This directory is used to store cached CRLs. The @file{crls.d}
part will be created by dirmngr if it does not exists but you need to
make sure that the upper directory exists.
@end table
Several options control the use of trusted certificates for TLS and
CRLs. Here is an Overview on the use and origin of those Root CA
certificates:
@table @asis
@item System
These System root certificates are used by: FIXME
The origin of the system provided certificates depends on the
platform. On Windows all certificates from the Windows System Stores
@code{ROOT} and @code{CA} are used.
On other platforms the certificates are read from the first file found
form this list: @file{/etc/ssl/ca-bundle.pem},
@file{/etc/ssl/certs/ca-certificates.crt},
@file{/etc/pki/tls/cert.pem},
@file{/usr/local/share/certs/ca-root-nss.crt},
@file{/etc/ssl/cert.pem}.
@item GnuPG
The GnuPG specific certificates stored in the directory
@file{/etc/gnupg/trusted-certs} are only used to validate CRLs.
@c Note that dirmngr's VALIDATE command also uses them but that
@c command is anyway only intended for debugging.
@item OpenPGP keyserver
For accessing the OpenPGP keyservers the only certificates used are
those set with the configuration option @option{hkp-cacert}.
@item OpenPGP keyserver pool
This is usually only one certificate read from the file
@file{@value{DATADIR}/gnupg/sks-keyservers.netCA.pem}. If this
certificate exists it is used to access the special keyservers
@code{hkps.pool.sks-keyservers.net} (or @file{hkps://keys.gnupg.net}).
@end table
Please note that @command{gpgsm} accepts Root CA certificates for its
own purposes only if they are listed in its file @file{trustlist.txt}.
@command{dirmngr} does not make use of this list - except FIXME.
@mansect notes
To be able to see diagnostics it is often useful to put at least the
following lines into the configuration file
@file{~/gnupg/dirmngr.conf}:
@example
log-file ~/dirmngr.log
verbose
@end example
You may want to check the log file to see whether all desired root CA
certificates are correctly loaded.
To be able to perform OCSP requests you probably want to add the line:
@example
allow-ocsp
@end example
To make sure that new options are read or that after the installation
of a new GnuPG versions the right dirmngr version is running, you
should kill an existing dirmngr so that a new instance is started as
needed by the otehr components:
@example
gpgconf --kill dirmngr
@end example
Direct interfaction with the dirmngr is possible by using the command
@example
gpg-connect-agent --dirmngr
@end example
Enter @code{HELP} at the prompt to see a list of commands and enter
@code{HELP} followed by a command name to get help on that command.
@c
@c Dirmngr Signals
@c
@mansect signals
@node Dirmngr Signals
@section Use of signals
A running @command{dirmngr} may be controlled by signals, i.e. using
the @command{kill} command to send a signal to the process.
Here is a list of supported signals:
@table @gnupgtabopt
@item SIGHUP
@cpindex SIGHUP
This signal flushes all internally cached CRLs as well as any cached
certificates. Then the certificate cache is reinitialized as on
startup. Options are re-read from the configuration file. Instead of
sending this signal it is better to use
@example
gpgconf --reload dirmngr
@end example
@item SIGTERM
@cpindex SIGTERM
Shuts down the process but waits until all current requests are
fulfilled. If the process has received 3 of these signals and requests
are still pending, a shutdown is forced. You may also use
@example
gpgconf --kill dirmngr
@end example
instead of this signal
@item SIGINT
@cpindex SIGINT
Shuts down the process immediately.
@item SIGUSR1
@cpindex SIGUSR1
This prints some caching statistics to the log file.
@end table
@c
@c Examples
@c
@mansect examples
@node Dirmngr Examples
@section Examples
Here is an example on how to show dirmngr's internal table of OpenPGP
keyserver addresses. The output is intended for debugging purposes
and not part of a defined API.
@example
gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
@end example
To inhibit the use of a particular host you have noticed in one of the
keyserver pools, you may use
@example
gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
@end example
The description of the @code{keyserver} command can be printed using
@example
gpg-connect-agent --dirmngr 'help keyserver' /bye
@end example
@c
@c Assuan Protocol
@c
@manpause
@node Dirmngr Protocol
@section Dirmngr's Assuan Protocol
Assuan is the IPC protocol used to access dirmngr. This is a
description of the commands implemented by dirmngr.
@menu
* Dirmngr LOOKUP:: Look up a certificate via LDAP
* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP.
* Dirmngr CHECKCRL:: Validate a certificate using a CRL.
* Dirmngr CHECKOCSP:: Validate a certificate using OCSP.
* Dirmngr CACHECERT:: Put a certificate into the internal cache.
* Dirmngr VALIDATE:: Validate a certificate for debugging.
@end menu
@node Dirmngr LOOKUP
@subsection Return the certificate(s) found
Lookup certificate. To allow multiple patterns (which are ORed)
quoting is required: Spaces are to be translated into "+" or into
"%20"; obviously this requires that the usual escape quoting rules
are applied. The server responds with:
@example
S: D
S: END
S: D
S: END
S: OK
@end example
In this example 2 certificates are returned. The server may return
any number of certificates; OK will also be returned when no
certificates were found. The dirmngr might return a status line
@example
S: S TRUNCATED
@end example
To indicate that the output was truncated to N items due to a
limitation of the server or by an arbitrary set limit.
The option @option{--url} may be used if instead of a search pattern a
complete URL to the certificate is known:
@example
C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate
@end example
If the option @option{--cache-only} is given, no external lookup is done
so that only certificates from the cache are returned.
With the option @option{--single}, the first and only the first match
will be returned. Unless option @option{--cache-only} is also used, no
local lookup will be done in this case.
@node Dirmngr ISVALID
@subsection Validate a certificate using a CRL or OCSP
@example
ISVALID [--only-ocsp] [--force-default-responder] @var{certid}|@var{certfpr}
@end example
Check whether the certificate described by the @var{certid} has been
revoked. Due to caching, the Dirmngr is able to answer immediately in
most cases.
The @var{certid} is a hex encoded string consisting of two parts,
delimited by a single dot. The first part is the SHA-1 hash of the
issuer name and the second part the serial number.
Alternatively the certificate's SHA-1 fingerprint @var{certfpr} may be
given in which case an OCSP request is done before consulting the CRL.
If the option @option{--only-ocsp} is given, no fallback to a CRL check
will be used. If the option @option{--force-default-responder} is
given, only the default OCSP responder will be used and any other
methods of obtaining an OCSP responder URL won't be used.
@noindent
Common return values are:
@table @code
@item GPG_ERR_NO_ERROR (0)
This is the positive answer: The certificate is not revoked and we have
an up-to-date revocation list for that certificate. If OCSP was used
the responder confirmed that the certificate has not been revoked.
@item GPG_ERR_CERT_REVOKED
This is the negative answer: The certificate has been revoked. Either
it is in a CRL and that list is up to date or an OCSP responder informed
us that it has been revoked.
@item GPG_ERR_NO_CRL_KNOWN
No CRL is known for this certificate or the CRL is not valid or out of
date.
@item GPG_ERR_NO_DATA
The OCSP responder returned an ``unknown'' status. This means that it
is not aware of the certificate's status.
@item GPG_ERR_NOT_SUPPORTED
This is commonly seen if OCSP support has not been enabled in the
configuration.
@end table
If DirMngr has not enough information about the given certificate (which
is the case for not yet cached certificates), it will inquire the
missing data:
@example
S: INQUIRE SENDCERT
C: D
C: END
@end example
A client should be aware that DirMngr may ask for more than one
certificate.
If Dirmngr has a certificate but the signature of the certificate
could not been validated because the root certificate is not known to
dirmngr as trusted, it may ask back to see whether the client trusts
this the root certificate:
@example
S: INQUIRE ISTRUSTED
C: D 1
C: END
@end example
Only this answer will let Dirmngr consider the certificate as valid.
@node Dirmngr CHECKCRL
@subsection Validate a certificate using a CRL
Check whether the certificate with FINGERPRINT (SHA-1 hash of the
entire X.509 certificate blob) is valid or not by consulting the CRL
responsible for this certificate. If the fingerprint has not been
given or the certificate is not known, the function inquires the
certificate using:
@example
S: INQUIRE TARGETCERT
C: D
C: END
@end example
Thus the caller is expected to return the certificate for the request
(which should match FINGERPRINT) as a binary blob. Processing then
takes place without further interaction; in particular dirmngr tries
to locate other required certificate by its own mechanism which
includes a local certificate store as well as a list of trusted root
certificates.
@noindent
The return code is 0 for success; i.e. the certificate has not been
revoked or one of the usual error codes from libgpg-error.
@node Dirmngr CHECKOCSP
@subsection Validate a certificate using OCSP
@example
CHECKOCSP [--force-default-responder] [@var{fingerprint}]
@end example
Check whether the certificate with @var{fingerprint} (the SHA-1 hash of
the entire X.509 certificate blob) is valid by consulting the appropriate
OCSP responder. If the fingerprint has not been given or the
certificate is not known by Dirmngr, the function inquires the
certificate using:
@example
S: INQUIRE TARGETCERT
C: D
C: END
@end example
Thus the caller is expected to return the certificate for the request
(which should match @var{fingerprint}) as a binary blob. Processing
then takes place without further interaction; in particular dirmngr
tries to locate other required certificates by its own mechanism which
includes a local certificate store as well as a list of trusted root
certificates.
If the option @option{--force-default-responder} is given, only the
default OCSP responder is used. This option is the per-command variant
of the global option @option{--ignore-ocsp-service-url}.
@noindent
The return code is 0 for success; i.e. the certificate has not been
revoked or one of the usual error codes from libgpg-error.
@node Dirmngr CACHECERT
@subsection Put a certificate into the internal cache
Put a certificate into the internal cache. This command might be
useful if a client knows in advance certificates required for a test and
wants to make sure they get added to the internal cache. It is also
helpful for debugging. To get the actual certificate, this command
immediately inquires it using
@example
S: INQUIRE TARGETCERT
C: D
C: END
@end example
Thus the caller is expected to return the certificate for the request
as a binary blob.
@noindent
The return code is 0 for success; i.e. the certificate has not been
successfully cached or one of the usual error codes from libgpg-error.
@node Dirmngr VALIDATE
@subsection Validate a certificate for debugging
Validate a certificate using the certificate validation function used
internally by dirmngr. This command is only useful for debugging. To
get the actual certificate, this command immediately inquires it using
@example
S: INQUIRE TARGETCERT
C: D
C: END
@end example
Thus the caller is expected to return the certificate for the request
as a binary blob.
@mansect see also
@ifset isman
@command{gpgsm}(1),
@command{dirmngr-client}(1)
@end ifset
@include see-also-note.texi
@c
@c !!! UNDER CONSTRUCTION !!!
@c
@c
@c @section Verifying a Certificate
@c
@c There are several ways to request services from Dirmngr. Almost all of
@c them are done using the Assuan protocol. What we describe here is the
@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if
@c invoked as
@c
@c @example
@c dirmngr-client foo.crt
@c @end example
@c
@c This command will send an Assuan request to an already running Dirmngr
@c instance. foo.crt is expected to be a standard X.509 certificate and
@c dirmngr will receive the Assuan command
@c
@c @example
@c CHECKCRL @var [{fingerprint}]
@c @end example
@c
@c @var{fingerprint} is optional and expected to be the SHA-1 has of the
@c DER encoding of the certificate under question. It is to be HEX
@c encoded. The rationale for sending the fingerprint is that it allows
@c dirmngr to reply immediately if it has already cached such a request. If
@c this is not the case and no certificate has been found in dirmngr's
@c internal certificate storage, dirmngr will request the certificate using
@c the Assuan inquiry
@c
@c @example
@c INQUIRE TARGETCERT
@c @end example
@c
@c The caller (in our example dirmngr-client) is then expected to return
@c the certificate for the request (which should match @var{fingerprint})
@c as a binary blob.
@c
@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This
@c function checks whether a CRL item exists for target certificate. These
@c CRL items are kept in a database of already loaded and verified CRLs.
@c This mechanism is called the CRL cache. Obviously timestamps are kept
@c there with each item to cope with the expiration date of the CRL. The
@c possible return values are: @code{0} to indicate that a valid CRL is
@c available for the certificate and the certificate itself is not listed
@c in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is
@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
@c information is available. The first two codes are immediately returned to
@c the caller and the processing of this request has been done.
@c
@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
@c calls @code{clr_cache_reload_crl} and if this succeeds calls
@c @code{crl_cache_cert_isvald) once more. All further errors are
@c immediately returned to the caller.
@c
@c @code{crl_cache_reload_crl} is the actual heart of the CRL management.
@c It locates the corresponding CRL for the target certificate, reads and
@c verifies this CRL and stores it in the CRL cache. It works like this:
@c
@c * Loop over all crlDPs in the target certificate.
@c * If the crlDP is invalid immediately terminate the loop.
@c * Loop over all names in the current crlDP.
@c * If the URL scheme is unknown or not enabled
@c (--ignore-http-dp, --ignore-ldap-dp) continues with
@c the next name.
@c * @code{crl_fetch} is called to actually retrieve the CRL.
@c In case of problems this name is ignore and we continue with
@c the next name. Note that @code{crl_fetch} does only return
@c a descriptor for the CRL for further reading so does the CRL
@c does not yet end up in memory.
@c * @code{crl_cache_insert} is called with that descriptor to
@c actually read the CRL into the cache. See below for a
@c description of this function. If there is any error (e.g. read
@c problem, CRL not correctly signed or verification of signature
@c not possible), this descriptor is rejected and we continue
@c with the next name. If the CRL has been successfully loaded,
@c the loop is terminated.
@c * If no crlDP has been found in the previous loop use a default CRL.
@c Note, that if any crlDP has been found but loading of the CRL failed,
@c this condition is not true.
@c * Try to load a CRL from all configured servers (ldapservers.conf)
@c in turn. The first server returning a CRL is used.
@c * @code(crl_cache_insert) is then used to actually insert the CRL
@c into the cache. If this failed we give up immediately without
@c checking the rest of the servers from the first step.
@c * Ready.
@c
@c
@c The @code{crl_cache_insert} function takes care of reading the bulk of
@c the CRL, parsing it and checking the signature. It works like this: A
@c new database file is created using a temporary file name. The CRL
@c parsing machinery is started and all items of the CRL are put into
@c this database file. At the end the issuer certificate of the CRL
@c needs to be retrieved. Three cases are to be distinguished:
@c
@c a) An authorityKeyIdentifier with an issuer and serialno exits: The
@c certificate is retrieved using @code{find_cert_bysn}. If
@c the certificate is in the certificate cache, it is directly
@c returned. Then the requester (i.e. the client who requested the
@c CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether
@c he can provide this certificate. If this succeed the returned
@c certificate gets cached and returned. Note, that dirmngr does not
@c verify in any way whether the expected certificate is returned.
@c It is in the interest of the client to return a useful certificate
@c as otherwise the service request will fail due to a bad signature.
@c The last way to get the certificate is by looking it up at
@c external resources. This is done using the @code{ca_cert_fetch}
@c and @code{fetch_next_ksba_cert} and comparing the returned
@c certificate to match the requested issuer and seriano (This is
@c needed because the LDAP layer may return several certificates as
@c LDAP as no standard way to retrieve by serial number).
@c
@c b) An authorityKeyIdentifier with a key ID exists: The certificate is
@c retrieved using @code{find_cert_bysubject}. If the certificate is
@c in the certificate cache, it is directly returned. Then the
@c requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether
@c he can provide this certificate. If this succeed the returned
@c certificate gets cached and returned. Note, that dirmngr does not
@c verify in any way whether the expected certificate is returned.
@c It is in the interest of the client to return a useful certificate
@c as otherwise the service request will fail due to a bad signature.
@c The last way to get the certificate is by looking it up at
@c external resources. This is done using the @code{ca_cert_fetch}
@c and @code{fetch_next_ksba_cert} and comparing the returned
@c certificate to match the requested subject and key ID.
@c
@c c) No authorityKeyIdentifier exits: The certificate is retrieved
@c using @code{find_cert_bysubject} without the key ID argument. If
@c the certificate is in the certificate cache the first one with a
@c matching subject is directly returned. Then the requester is
@c asked via the Assuan inquiry ``SENDCERT'' and an exact
@c specification of the subject whether he can
@c provide this certificate. If this succeed the returned
@c certificate gets cached and returned. Note, that dirmngr does not
@c verify in any way whether the expected certificate is returned.
@c It is in the interest of the client to return a useful certificate
@c as otherwise the service request will fail due to a bad signature.
@c The last way to get the certificate is by looking it up at
@c external resources. This is done using the @code{ca_cert_fetch}
@c and @code{fetch_next_ksba_cert} and comparing the returned
@c certificate to match the requested subject; the first certificate
@c with a matching subject is then returned.
@c
@c If no certificate was found, the function returns with the error
@c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails,
@c the error is returned. On success the @code{validate_cert_chain} is
@c used to verify that the certificate is actually valid.
@c
@c Here we may encounter a recursive situation:
@c @code{validate_cert_chain} needs to look at other certificates and
@c also at CRLs to check whether these other certificates and well, the
@c CRL issuer certificate itself are not revoked. FIXME: We need to make
@c sure that @code{validate_cert_chain} does not try to lookup the CRL we
@c are currently processing. This would be a catch-22 and may indicate a
@c broken PKI. However, due to overlapping expiring times and imprecise
@c clocks this may actually happen.
@c
@c For historical reasons the Assuan command ISVALID is a bit different
@c to CHECKCRL but this is mainly due to different calling conventions.
@c In the end the same fucntionality is used, albeit hidden by a couple
@c of indirection and argument and result code mangling. It furthere
@c ingetrages OCSP checking depending on options are the way it is
@c called. GPGSM still uses this command but might eventually switch over
@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
@c
@c
@c @section Validating a certificate
@c
@c We describe here how the internal function @code{validate_cert_chain}
@c works. Note that mainly testing purposes this functionality may be
@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
@c
@c The function takes the target certificate and a mode argument as
@c parameters and returns an error code and optionally the closes
@c expiration time of all certificates in the chain.
@c
@c We first check that the certificate may be used for the requested
@c purpose (i.e. OCSP or CRL signing). If this is not the case
@c GPG_ERR_WRONG_KEY_USAGE is returned.
@c
@c The next step is to find the trust anchor (root certificate) and to
@c assemble the chain in memory: Starting with the target certificate,
@c the expiration time is checked against the current date, unknown
@c critical extensions are detected and certificate policies are matched
@c (We only allow 2.289.9.9 but I have no clue about that OID and from
@c where I got it - it does not even seem to be assigned - debug cruft?).
@c
@c Now if this certificate is a self-signed one, we have reached the
@c trust anchor. In this case we check that the signature is good, the
@c certificate is allowed to act as a CA, that it is a trusted one (by
@c checking whether it is has been put into the trusted-certs
@c configuration directory) and finally prepend into to our list
@c representing the certificate chain. This steps ends then.
@c
@c If it is not a self-signed certificate, we check that the chain won't
@c get too long (current limit is 100), if this is the case we terminate
@c with the error GPG_ERR_BAD_CERT_CHAIN.
@c
@c Now the issuer's certificate is looked up: If an
@c authorityKeyIdentifier is available, this one is used to locate the
@c certificate either using issuer and serialnumber or subject DN
@c (i.e. the issuer's DN) and the keyID. The functions
@c @code{find_cert_bysn) and @code{find_cert_bysubject} are used
@c respectively. The have already been described above under the
@c description of @code{crl_cache_insert}. If no certificate was found
@c or with no authorityKeyIdentifier, only the cache is consulted using
@c @code{get_cert_bysubject}. The latter is done under the assumption
@c that a matching certificate has explicitly been put into the
@c certificate cache. If the issuer's certificate could not be found,
@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
@c
@c If the issuer's certificate has been found, the signature of the
@c actual certificate is checked and in case this fails the error
@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the
@c maximum chain length of the issuing certificate is checked as well as
@c the capability of the certificate (i.e. whether he may be used for
@c certificate signing). Then the certificate is prepended to our list
@c representing the certificate chain. Finally the loop is continued now
@c with the issuer's certificate as the current certificate.
@c
@c After the end of the loop and if no error as been encountered
@c (i.e. the certificate chain has been assempled correctly), a check is
@c done whether any certificate expired or a critical policy has not been
@c met. In any of these cases the validation terminates with an
@c appropriate error.
@c
@c Finally the function @code{check_revocations} is called to verify no
@c certificate in the assempled chain has been revoked: This is an
@c recursive process because a CRL has to be checked for each certificate
@c in the chain except for the root certificate, of which we already know
@c that it is trusted and we avoid checking a CRL here due to common
@c setup problems and the assumption that a revoked root certificate has
@c been removed from the list of trusted certificates.
@c
@c
@c
@c
@c @section Looking up certificates through LDAP.
@c
@c This describes the LDAP layer to retrieve certificates.
@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
@c used for this. The first one starts a search and the second one is
@c used to retrieve certificate after certificate.
@c