* options.h, getkey.c (merge_selfsigs_subkey), gpg.c (main), sig-check.c
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <assert.h>
28 #ifdef HAVE_LIBCURL
29 #include <curl/curl.h>
30 #endif
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "iobuf.h"
38 #include "memory.h"
39 #include "ttyio.h"
40 #include "options.h"
41 #include "packet.h"
42 #include "trustdb.h"
43 #include "keyserver-internal.h"
44 #include "util.h"
45
46 #define GET    0
47 #define SEND   1
48 #define SEARCH 2
49
50 #define GPGKEYS_PREFIX "gpgkeys_"
51
52 #if defined(HAVE_LIBCURL) || defined(FAKE_CURL)
53 #define GPGKEYS_CURL "gpgkeys_curl"
54 #endif
55
56 #ifdef GPGKEYS_CURL
57 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX)+strlen(GPGKEYS_CURL))
58 #else
59 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX))
60 #endif
61
62 struct keyrec
63 {
64   KEYDB_SEARCH_DESC desc;
65   u32 createtime,expiretime;
66   int size,flags;
67   byte type;
68   IOBUF uidbuf;
69   unsigned int lines;
70 };
71
72 /* Tell remote processes about these options */
73 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
74
75 static struct parse_options keyserver_opts[]=
76   {
77     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL,
78      N_("include revoked keys in search results")},
79     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL,
80      N_("include subkeys when searching by key ID")},
81     /* not a real option - just for the help message */
82     {"use-temp-files",0,NULL,
83      N_("use temporary files to pass data to keyserver helpers")},
84     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
85      N_("do not delete temporary files after using them")},
86     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
87      NULL},
88     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
89      N_("automatically retrieve keys when verifying signatures")},
90     {"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL,
91      NULL},
92     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL,
93      NULL},
94     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
95      N_("honor the preferred keyserver URL set on the key")},
96     {NULL,0,NULL,NULL}
97   };
98
99 static int keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
100                           int count,struct keyserver_spec *keyserver);
101
102 int
103 parse_keyserver_options(char *options)
104 {
105   int ret=1;
106   char *tok;
107
108   while((tok=optsep(&options)))
109     {
110       if(tok[0]=='\0')
111         continue;
112
113       /* For backwards compatibility.  1.2.x used honor-http-proxy and
114          there are a good number of documents published that recommend
115          it. */
116       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
117         tok="http-proxy";
118       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
119         tok="no-http-proxy";
120
121       /* We accept quite a few possible options here - some options to
122          handle specially, the keyserver_options list, and import and
123          export options that pertain to keyserver operations.  Note
124          that you must use strncasecmp here as there might be an
125          =argument attached which will foil the use of strcasecmp. */
126
127 #ifdef EXEC_TEMPFILE_ONLY
128       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
129               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
130         log_info(_("WARNING: keyserver option `%s' is not used"
131                    " on this platform\n"),tok);
132 #else
133       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
134         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
135       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
136         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
137 #endif
138       else if(!parse_options(tok,&opt.keyserver_options.options,
139                              keyserver_opts,0)
140          && !parse_import_options(tok,
141                                   &opt.keyserver_options.import_options,0)
142          && !parse_export_options(tok,
143                                   &opt.keyserver_options.export_options,0))
144         {
145           /* All of the standard options have failed, so the option is
146              destined for a keyserver plugin. */
147           char *arg=argsplit(tok);
148
149           if(arg)
150             {
151               char *joined;
152
153               joined=xmalloc(strlen(tok)+1+strlen(arg)+1);
154               /* Make a canonical name=value form with no
155                  spaces */
156               strcpy(joined,tok);
157               strcat(joined,"=");
158               strcat(joined,arg);
159               add_to_strlist(&opt.keyserver_options.other,joined);
160               xfree(joined);
161             }
162           else
163             add_to_strlist(&opt.keyserver_options.other,tok);
164         }
165     }
166
167   return ret;
168 }
169
170 void
171 free_keyserver_spec(struct keyserver_spec *keyserver)
172 {
173   xfree(keyserver->uri);
174   xfree(keyserver->scheme);
175   xfree(keyserver->auth);
176   xfree(keyserver->host);
177   xfree(keyserver->port);
178   xfree(keyserver->path);
179   xfree(keyserver->opaque);
180   xfree(keyserver);
181 }
182
183 /* TODO: once we cut over to an all-curl world, we don't need this
184    parser any longer so it can be removed, or at least moved to
185    keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
186
187 struct keyserver_spec *
188 parse_keyserver_uri(const char *uri,int require_scheme,
189                     const char *configname,unsigned int configlineno)
190 {
191   int assume_hkp=0;
192   struct keyserver_spec *keyserver;
193   const char *idx;
194   int count;
195
196   assert(uri!=NULL);
197
198   keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
199
200   keyserver->uri=xstrdup(uri);
201
202   /* Get the scheme */
203
204   for(idx=uri,count=0;*idx && *idx!=':';idx++)
205     {
206       count++;
207
208       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
209          there clearly isn't a scheme so get out early. */
210       if(*idx=='[')
211         {
212           /* Was the '[' the first thing in the string?  If not, we
213              have a mangled scheme with a [ in it so fail. */
214           if(count==1)
215             break;
216           else
217             goto fail;
218         }
219     }
220
221   if(count==0)
222     goto fail;
223
224   if(*idx=='\0' || *idx=='[')
225     {
226       if(require_scheme)
227         return NULL;
228
229       /* Assume HKP if there is no scheme */
230       assume_hkp=1;
231       keyserver->scheme=xstrdup("hkp");
232     }
233   else
234     {
235       int i;
236
237       keyserver->scheme=xmalloc(count+1);
238
239       /* Force to lowercase */
240       for(i=0;i<count;i++)
241         keyserver->scheme[i]=ascii_tolower(uri[i]);
242
243       keyserver->scheme[i]='\0';
244
245       /* Skip past the scheme and colon */
246       uri+=count+1;
247     }
248
249   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
250     {
251       deprecated_warning(configname,configlineno,"x-broken-hkp",
252                          "--keyserver-options ","broken-http-proxy");
253       xfree(keyserver->scheme);
254       keyserver->scheme=xstrdup("hkp");
255       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
256     }
257   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
258     {
259       /* Canonicalize this to "hkp" so it works with both the internal
260          and external keyserver interface. */
261       xfree(keyserver->scheme);
262       keyserver->scheme=xstrdup("hkp");
263     }
264
265   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
266     {
267       /* Two slashes means network path. */
268
269       /* Skip over the "//", if any */
270       if(!assume_hkp)
271         uri+=2;
272
273       /* Do we have userinfo auth data present? */
274       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
275         count++;
276
277       /* We found a @ before the slash, so that means everything
278          before the @ is auth data. */
279       if(*idx=='@')
280         {
281           if(count==0)
282             goto fail;
283
284           keyserver->auth=xmalloc(count+1);
285           strncpy(keyserver->auth,uri,count);
286           keyserver->auth[count]='\0';
287           uri+=count+1;
288         }
289
290       /* Is it an RFC-2732 ipv6 [literal address] ? */
291       if(*uri=='[')
292         {
293           for(idx=uri+1,count=1;*idx
294                 && ((isascii (*idx) && isxdigit(*idx))
295                     || *idx==':' || *idx=='.');idx++)
296             count++;
297
298           /* Is the ipv6 literal address terminated? */
299           if(*idx==']')
300             count++;
301           else
302             goto fail;
303         }
304       else
305         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
306           count++;
307
308       if(count==0)
309         goto fail;
310
311       keyserver->host=xmalloc(count+1);
312       strncpy(keyserver->host,uri,count);
313       keyserver->host[count]='\0';
314
315       /* Skip past the host */
316       uri+=count;
317
318       if(*uri==':')
319         {
320           /* It would seem to be reasonable to limit the range of the
321              ports to values between 1-65535, but RFC 1738 and 1808
322              imply there is no limit.  Of course, the real world has
323              limits. */
324
325           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
326             {
327               count++;
328
329               /* Ports are digits only */
330               if(!digitp(idx))
331                 goto fail;
332             }
333
334           keyserver->port=xmalloc(count+1);
335           strncpy(keyserver->port,uri+1,count);
336           keyserver->port[count]='\0';
337
338           /* Skip past the colon and port number */
339           uri+=1+count;
340         }
341
342       /* Everything else is the path */
343       if(*uri)
344         keyserver->path=xstrdup(uri);
345       else
346         keyserver->path=xstrdup("/");
347     }
348   else if(uri[0]!='/')
349     {
350       /* No slash means opaque.  Just record the opaque blob and get
351          out. */
352       keyserver->opaque=xstrdup(uri);
353     }
354   else
355     {
356       /* One slash means absolute path.  We don't need to support that
357          yet. */
358       goto fail;
359     }
360
361   return keyserver;
362
363  fail:
364   free_keyserver_spec(keyserver);
365
366   return NULL;
367 }
368
369 struct keyserver_spec *
370 parse_preferred_keyserver(PKT_signature *sig)
371 {
372   struct keyserver_spec *spec=NULL;
373   const byte *p;
374   size_t plen;
375
376   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
377   if(p && plen)
378     {
379       byte *dupe=xmalloc(plen+1);
380
381       memcpy(dupe,p,plen);
382       dupe[plen]='\0';
383       spec=parse_keyserver_uri(dupe,1,NULL,0);
384       xfree(dupe);
385     }
386
387   return spec;
388 }
389
390 static void
391 print_keyrec(int number,struct keyrec *keyrec)
392 {
393   int i;
394
395   iobuf_writebyte(keyrec->uidbuf,0);
396   iobuf_flush_temp(keyrec->uidbuf);
397   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
398
399   if(keyrec->size>0)
400     printf("%d bit ",keyrec->size);
401
402   if(keyrec->type)
403     {
404       const char *str=pubkey_algo_to_string(keyrec->type);
405
406       if(str)
407         printf("%s ",str);
408       else
409         printf("unknown ");
410     }
411
412   switch(keyrec->desc.mode)
413     {
414       /* If the keyserver helper gave us a short keyid, we have no
415          choice but to use it.  Do check --keyid-format to add a 0x if
416          needed. */
417     case KEYDB_SEARCH_MODE_SHORT_KID:
418       printf("key %s%08lX",
419              (opt.keyid_format==KF_0xSHORT
420               || opt.keyid_format==KF_0xLONG)?"0x":"",
421              (ulong)keyrec->desc.u.kid[1]);
422       break;
423
424       /* However, if it gave us a long keyid, we can honor
425          --keyid-format */
426     case KEYDB_SEARCH_MODE_LONG_KID:
427       printf("key %s",keystr(keyrec->desc.u.kid));
428       break;
429
430     case KEYDB_SEARCH_MODE_FPR16:
431       printf("key ");
432       for(i=0;i<16;i++)
433         printf("%02X",keyrec->desc.u.fpr[i]);
434       break;
435
436     case KEYDB_SEARCH_MODE_FPR20:
437       printf("key ");
438       for(i=0;i<20;i++)
439         printf("%02X",keyrec->desc.u.fpr[i]);
440       break;
441
442     default:
443       BUG();
444       break;
445     }
446
447   if(keyrec->createtime>0)
448     {
449       printf(", ");
450       printf(_("created: %s"),strtimestamp(keyrec->createtime));
451     }
452
453   if(keyrec->expiretime>0)
454     {
455       printf(", ");
456       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
457     }
458
459   if(keyrec->flags&1)
460     printf(" (%s)",_("revoked"));
461   if(keyrec->flags&2)
462     printf(" (%s)",_("disabled"));
463   if(keyrec->flags&4)
464     printf(" (%s)",_("expired"));
465
466   printf("\n");
467 }
468
469 /* Returns a keyrec (which must be freed) once a key is complete, and
470    NULL otherwise.  Call with a NULL keystring once key parsing is
471    complete to return any unfinished keys. */
472 static struct keyrec *
473 parse_keyrec(char *keystring)
474 {
475   static struct keyrec *work=NULL;
476   struct keyrec *ret=NULL;
477   char *record;
478   int i;
479
480   if(keystring==NULL)
481     {
482       if(work==NULL)
483         return NULL;
484       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
485         {
486           xfree(work);
487           return NULL;
488         }
489       else
490         {
491           ret=work;
492           work=NULL;
493           return ret;
494         }
495     }
496
497   if(work==NULL)
498     {
499       work=xmalloc_clear(sizeof(struct keyrec));
500       work->uidbuf=iobuf_temp();
501     }
502
503   /* Remove trailing whitespace */
504   for(i=strlen(keystring);i>0;i--)
505     if(ascii_isspace(keystring[i-1]))
506       keystring[i-1]='\0';
507     else
508       break;
509
510   if((record=strsep(&keystring,":"))==NULL)
511     return ret;
512
513   if(ascii_strcasecmp("pub",record)==0)
514     {
515       char *tok;
516
517       if(work->desc.mode)
518         {
519           ret=work;
520           work=xmalloc_clear(sizeof(struct keyrec));
521           work->uidbuf=iobuf_temp();
522         }
523
524       if((tok=strsep(&keystring,":"))==NULL)
525         return ret;
526
527       classify_user_id(tok,&work->desc);
528       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
529          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
530          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
531          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
532         {
533           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
534           return ret;
535         }
536
537       /* Note all items after this are optional.  This allows us to
538          have a pub line as simple as pub:keyid and nothing else. */
539
540       work->lines++;
541
542       if((tok=strsep(&keystring,":"))==NULL)
543         return ret;
544
545       work->type=atoi(tok);
546
547       if((tok=strsep(&keystring,":"))==NULL)
548         return ret;
549
550       work->size=atoi(tok);
551
552       if((tok=strsep(&keystring,":"))==NULL)
553         return ret;
554
555       if(atoi(tok)<=0)
556         work->createtime=0;
557       else
558         work->createtime=atoi(tok);
559
560       if((tok=strsep(&keystring,":"))==NULL)
561         return ret;
562
563       if(atoi(tok)<=0)
564         work->expiretime=0;
565       else
566         {
567           work->expiretime=atoi(tok);
568           /* Force the 'e' flag on if this key is expired. */
569           if(work->expiretime<=make_timestamp())
570             work->flags|=4;
571         }
572
573       if((tok=strsep(&keystring,":"))==NULL)
574         return ret;
575
576       while(*tok)
577         switch(*tok++)
578           {
579           case 'r':
580           case 'R':
581             work->flags|=1;
582             break;
583             
584           case 'd':
585           case 'D':
586             work->flags|=2;
587             break;
588
589           case 'e':
590           case 'E':
591             work->flags|=4;
592             break;
593           }
594     }
595   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
596     {
597       char *userid,*tok,*decoded;
598
599       if((tok=strsep(&keystring,":"))==NULL)
600         return ret;
601
602       if(strlen(tok)==0)
603         return ret;
604
605       userid=tok;
606
607       /* By definition, de-%-encoding is always smaller than the
608          original string so we can decode in place. */
609
610       i=0;
611
612       while(*tok)
613         if(tok[0]=='%' && tok[1] && tok[2])
614           {
615             if((userid[i]=hextobyte(&tok[1]))==-1)
616               userid[i]='?';
617
618             i++;
619             tok+=3;
620           }
621         else
622           userid[i++]=*tok++;
623
624       /* We don't care about the other info provided in the uid: line
625          since no keyserver supports marking userids with timestamps
626          or revoked/expired/disabled yet. */
627
628       /* No need to check for control characters, as utf8_to_native
629          does this for us. */
630
631       decoded=utf8_to_native(userid,i,0);
632       if(strlen(decoded)>opt.screen_columns-10)
633         decoded[opt.screen_columns-10]='\0';
634       iobuf_writestr(work->uidbuf,decoded);
635       xfree(decoded);
636       iobuf_writestr(work->uidbuf,"\n\t");
637       work->lines++;
638     }
639
640   /* Ignore any records other than "pri" and "uid" for easy future
641      growth. */
642
643   return ret;
644 }
645
646 /* TODO: do this as a list sent to keyserver_work rather than calling
647    it once for each key to get the correct counts after the import
648    (cosmetics, really) and to better take advantage of the keyservers
649    that can do multiple fetches in one go (LDAP). */
650 static int
651 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
652 {
653   char *answer;
654
655   if(count && opt.command_fd==-1)
656     {
657       static int from=1;
658       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
659       from=numdesc+1;
660     }
661
662   answer=cpr_get_no_help("keysearch.prompt",
663                          _("Enter number(s), N)ext, or Q)uit > "));
664   /* control-d */
665   if(answer[0]=='\x04')
666     {
667       printf("Q\n");
668       answer[0]='q';
669     }
670
671   if(answer[0]=='q' || answer[0]=='Q')
672     {
673       xfree(answer);
674       return 1;
675     }
676   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
677     {
678       char *split=answer,*num;
679
680       while((num=strsep(&split," ,"))!=NULL)
681         if(atoi(num)>=1 && atoi(num)<=numdesc)
682           keyserver_work(GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
683
684       xfree(answer);
685       return 1;
686     }
687
688   return 0;
689 }
690
691 /* Count and searchstr are just for cosmetics.  If the count is too
692    small, it will grow safely.  If negative it disables the "Key x-y
693    of z" messages.  searchstr should be UTF-8 (rather than native). */
694 static void
695 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
696 {
697   int i=0,validcount=0,started=0,header=0,count=1;
698   unsigned int maxlen,buflen,numlines=0;
699   KEYDB_SEARCH_DESC *desc;
700   byte *line=NULL;
701   char *localstr=NULL;
702
703   if(searchstr)
704     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
705
706   desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
707
708   for(;;)
709     {
710       struct keyrec *keyrec;
711       int rl;
712
713       maxlen=1024;
714       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
715
716       if(opt.with_colons)
717         {
718           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
719              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
720             {
721               header=1;
722               continue;
723             }
724           else if(ascii_strncasecmp("SEARCH ",line,7)==0
725                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
726             continue;
727
728           printf("%s",line);
729         }
730
731       /* Look for an info: line.  The only current info: values
732          defined are the version and key count. */
733       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
734         {
735           char *tok,*str=&line[5];
736
737           if((tok=strsep(&str,":"))!=NULL)
738             {
739               int version;
740
741               if(sscanf(tok,"%d",&version)!=1)
742                 version=1;
743
744               if(version!=1)
745                 {
746                   log_error(_("invalid keyserver protocol "
747                               "(us %d!=handler %d)\n"),1,version);
748                   break;
749                 }
750             }
751
752           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
753             {
754               if(count==0)
755                 goto notfound;
756               else if(count<0)
757                 count=10;
758               else
759                 validcount=1;
760
761               desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
762             }
763
764           started=1;
765           continue;
766         }
767
768       if(rl==0)
769         {
770           keyrec=parse_keyrec(NULL);
771
772           if(keyrec==NULL)
773             {
774               if(i==0)
775                 {
776                   count=0;
777                   break;
778                 }
779
780               if(i!=count)
781                 validcount=0;
782
783               for(;;)
784                 {
785                   if(show_prompt(desc,i,validcount?count:0,localstr))
786                     break;
787                   validcount=0;
788                 }
789
790               break;
791             }
792         }
793       else
794         keyrec=parse_keyrec(line);
795
796       if(i==count)
797         {
798           /* keyserver helper sent more keys than they claimed in the
799              info: line. */
800           count+=10;
801           desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
802           validcount=0;
803         }
804
805       if(keyrec)
806         {
807           desc[i]=keyrec->desc;
808
809           if(!opt.with_colons)
810             {
811               /* screen_lines - 1 for the prompt. */
812               if(numlines+keyrec->lines>opt.screen_lines-1)
813                 {
814                   if(show_prompt(desc,i,validcount?count:0,localstr))
815                     break;
816                   else
817                     numlines=0;
818                 }
819
820               print_keyrec(i+1,keyrec);
821             }
822
823           numlines+=keyrec->lines;
824           iobuf_close(keyrec->uidbuf);
825           xfree(keyrec);
826
827           started=1;
828           i++;
829         }
830     }
831
832  notfound:
833   /* Leave this commented out or now, and perhaps for a very long
834      time.  All HKPish servers return HTML error messages for
835      no-key-found. */
836   /* 
837      if(!started)
838      log_info(_("keyserver does not support searching\n"));
839      else
840   */
841   if(count==0)
842     {
843       if(localstr)
844         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
845       else
846         log_info(_("key not found on keyserver\n"));
847     }
848
849   xfree(localstr);
850   xfree(desc);
851   xfree(line);
852 }
853
854 /* We sometimes want to use a different gpgkeys_xxx for a given
855    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
856    these here. */
857 static const char *
858 keyserver_typemap(const char *type)
859 {
860   if(strcmp(type,"ldaps")==0)
861     return "ldap";
862   else
863     return type;
864 }
865
866 #ifdef GPGKEYS_CURL
867 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
868    sufficiently different that we can't use curl to do LDAP. */
869 static int
870 curl_cant_handle(const char *scheme)
871 {
872   if(strcmp(scheme,"ldap")==0 || strcmp(scheme,"ldaps")==0)
873     return 1;
874
875   return 0;
876 }
877 #endif
878
879 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
880 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
881
882 static int 
883 keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
884                 int count,int *prog,struct keyserver_spec *keyserver)
885 {
886   int ret=0,i,gotversion=0,outofband=0;
887   STRLIST temp;
888   unsigned int maxlen,buflen;
889   char *command,*end,*searchstr=NULL;
890   byte *line=NULL;
891   struct parse_options *kopts;
892   struct exec_info *spawn;
893   const char *scheme;
894   const char *libexecdir = get_libexecdir ();
895
896   assert(keyserver);
897
898 #ifdef EXEC_TEMPFILE_ONLY
899   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
900 #endif
901
902   /* Build the filename for the helper to execute */
903   scheme=keyserver_typemap(keyserver->scheme);
904
905 #ifdef DISABLE_KEYSERVER_PATH
906   /* Destroy any path we might have.  This is a little tricky,
907      portability-wise.  It's not correct to delete the PATH
908      environment variable, as that may fall back to a system built-in
909      PATH.  Similarly, it is not correct to set PATH to the null
910      string (PATH="") since this actually deletes the PATH environment
911      variable under MinGW.  The safest thing to do here is to force
912      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
913      Unix-like systems (since we're going to give a full path to
914      gpgkeys_foo), but on W32 it prevents loading any DLLs from
915      directories in %PATH%.
916
917      After some more thinking about this we came to the conclusion
918      that it is better to load the helpers from the directory where
919      the program of this process lives.  Fortunately Windows provides
920      a way to retrieve this and our get_libexecdir function has been
921      modified to return just this.  Setting the exec-path is not
922      anymore required.  
923        set_exec_path(libexecdir);
924  */
925 #else
926   if(opt.exec_path_set)
927     {
928       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
929          undefined, then don't specify a full path to gpgkeys_foo, so
930          that the PATH can work. */
931       command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+1);
932       command[0]='\0';
933     }
934   else
935 #endif
936     {
937       /* Specify a full path to gpgkeys_foo. */
938       command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
939                       GPGKEYS_PREFIX_LEN+strlen(scheme)+1);
940       strcpy(command,libexecdir);
941       strcat(command,DIRSEP_S);
942     }
943
944   end=command+strlen(command);
945
946   strcat(command,GPGKEYS_PREFIX); 
947   strcat(command,scheme);
948
949 #ifdef GPGKEYS_CURL
950   if(!curl_cant_handle(scheme) && path_access(command,X_OK)!=0)
951     strcpy(end,GPGKEYS_CURL);
952 #endif
953
954   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
955     {
956       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
957         {
958           command=xrealloc(command,strlen(command)+
959                             strlen(KEYSERVER_ARGS_KEEP)+1);
960           strcat(command,KEYSERVER_ARGS_KEEP);
961         }
962       else
963         {
964           command=xrealloc(command,strlen(command)+
965                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
966           strcat(command,KEYSERVER_ARGS_NOKEEP);  
967         }
968
969       ret=exec_write(&spawn,NULL,command,NULL,0,0);
970     }
971   else
972     ret=exec_write(&spawn,command,NULL,NULL,0,0);
973
974   xfree(command);
975
976   if(ret)
977     return ret;
978
979   fprintf(spawn->tochild,
980           "# This is a GnuPG %s keyserver communications file\n",VERSION);
981   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
982   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
983   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
984
985   if(keyserver->opaque)
986     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
987   else
988     {
989       if(keyserver->auth)
990         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
991
992       if(keyserver->host)
993         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
994
995       if(keyserver->port)
996         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
997
998       if(keyserver->path)
999         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
1000     }
1001
1002   /* Write options */
1003
1004   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
1005     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
1006       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
1007
1008   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1009     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1010
1011   switch(action)
1012     {
1013     case GET:
1014       {
1015         fprintf(spawn->tochild,"COMMAND GET\n\n");
1016
1017         /* Which keys do we want? */
1018
1019         for(i=0;i<count;i++)
1020           {
1021             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1022               {
1023                 int f;
1024
1025                 fprintf(spawn->tochild,"0x");
1026
1027                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1028                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1029
1030                 fprintf(spawn->tochild,"\n");
1031               }
1032             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1033               {
1034                 int f;
1035
1036                 fprintf(spawn->tochild,"0x");
1037
1038                 for(f=0;f<16;f++)
1039                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1040
1041                 fprintf(spawn->tochild,"\n");
1042               }
1043             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1044               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1045                       (ulong)desc[i].u.kid[0],
1046                       (ulong)desc[i].u.kid[1]);
1047             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1048               fprintf(spawn->tochild,"0x%08lX\n",
1049                       (ulong)desc[i].u.kid[1]);
1050             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1051               continue;
1052             else
1053               BUG();
1054
1055             if(keyserver->host)
1056               log_info(_("requesting key %s from %s server %s\n"),
1057                        keystr_from_desc(&desc[i]),
1058                        keyserver->scheme,keyserver->host);
1059             else
1060               log_info(_("requesting key %s from %s\n"),
1061                        keystr_from_desc(&desc[i]),keyserver->uri);
1062           }
1063
1064         fprintf(spawn->tochild,"\n");
1065
1066         break;
1067       }
1068
1069     case SEND:
1070       {
1071         STRLIST key;
1072
1073         /* Note the extra \n here to send an empty keylist block */
1074         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1075
1076         for(key=list;key!=NULL;key=key->next)
1077           {
1078             armor_filter_context_t afx;
1079             IOBUF buffer=iobuf_temp();
1080             KBNODE block;
1081
1082             temp=NULL;
1083             add_to_strlist(&temp,key->d);
1084
1085             memset(&afx,0,sizeof(afx));
1086             afx.what=1;
1087             /* Tell the armor filter to use Unix-style \n line
1088                endings, since we're going to fprintf this to a file
1089                that (on Win32) is open in text mode.  The win32 stdio
1090                will transform the \n to \r\n and we'll end up with the
1091                proper line endings on win32.  This is a no-op on
1092                Unix. */
1093             afx.eol[0]='\n';
1094             iobuf_push_filter(buffer,armor_filter,&afx);
1095
1096             /* TODO: Remove Comment: lines from keys exported this
1097                way? */
1098
1099             if(export_pubkeys_stream(buffer,temp,&block,
1100                                      opt.keyserver_options.export_options)==-1)
1101               iobuf_close(buffer);
1102             else
1103               {
1104                 KBNODE node;
1105
1106                 iobuf_flush_temp(buffer);
1107
1108                 merge_keys_and_selfsig(block);
1109
1110                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1111                         (ulong)block->pkt->pkt.public_key->keyid[0],
1112                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1113
1114                 for(node=block;node;node=node->next)
1115                   {
1116                     switch(node->pkt->pkttype)
1117                       {
1118                       default:
1119                         continue;
1120
1121                       case PKT_PUBLIC_KEY:
1122                       case PKT_PUBLIC_SUBKEY:
1123                         {
1124                           PKT_public_key *pk=node->pkt->pkt.public_key;
1125
1126                           keyid_from_pk(pk,NULL);
1127
1128                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1129                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1130                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1131                                   pk->pubkey_algo,
1132                                   nbits_from_pk(pk),
1133                                   pk->timestamp,
1134                                   pk->expiredate);
1135
1136                           if(pk->is_revoked)
1137                             fprintf(spawn->tochild,"r");
1138                           if(pk->has_expired)
1139                             fprintf(spawn->tochild,"e");
1140
1141                           fprintf(spawn->tochild,"\n");
1142                         }
1143                         break;
1144
1145                       case PKT_USER_ID:
1146                         {
1147                           PKT_user_id *uid=node->pkt->pkt.user_id;
1148                           int r;
1149
1150                           if(uid->attrib_data)
1151                             continue;
1152
1153                           fprintf(spawn->tochild,"uid:");
1154
1155                           /* Quote ':', '%', and any 8-bit
1156                              characters */
1157                           for(r=0;r<uid->len;r++)
1158                             {
1159                               if(uid->name[r]==':' || uid->name[r]=='%'
1160                                  || uid->name[r]&0x80)
1161                                 fprintf(spawn->tochild,"%%%02X",
1162                                         (byte)uid->name[r]);
1163                               else
1164                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1165                             }
1166
1167                           fprintf(spawn->tochild,":%u:%u:",
1168                                   uid->created,uid->expiredate);
1169
1170                           if(uid->is_revoked)
1171                             fprintf(spawn->tochild,"r");
1172                           if(uid->is_expired)
1173                             fprintf(spawn->tochild,"e");
1174
1175                           fprintf(spawn->tochild,"\n");
1176                         }
1177                         break;
1178
1179                         /* This bit is really for the benefit of
1180                            people who store their keys in LDAP
1181                            servers.  It makes it easy to do queries
1182                            for things like "all keys signed by
1183                            Isabella". */
1184                       case PKT_SIGNATURE:
1185                         {
1186                           PKT_signature *sig=node->pkt->pkt.signature;
1187
1188                           if(!IS_UID_SIG(sig))
1189                             continue;
1190
1191                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1192                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1193                                   sig->sig_class,sig->timestamp,
1194                                   sig->expiredate);
1195                         }
1196                         break;
1197                       }
1198                   }
1199
1200                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1201                         (ulong)block->pkt->pkt.public_key->keyid[0],
1202                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1203
1204                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1205                 fwrite(iobuf_get_temp_buffer(buffer),
1206                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1207                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1208
1209                 iobuf_close(buffer);
1210
1211                 if(keyserver->host)
1212                   log_info(_("sending key %s to %s server %s\n"),
1213                            keystr(block->pkt->pkt.public_key->keyid),
1214                            keyserver->scheme,keyserver->host);
1215                 else
1216                   log_info(_("sending key %s to %s\n"),
1217                            keystr(block->pkt->pkt.public_key->keyid),
1218                            keyserver->uri);
1219
1220                 release_kbnode(block);
1221               }
1222
1223             free_strlist(temp);
1224           }
1225
1226         break;
1227       }
1228
1229     case SEARCH:
1230       {
1231         STRLIST key;
1232
1233         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1234
1235         /* Which keys do we want?  Remember that the gpgkeys_ program
1236            is going to lump these together into a search string. */
1237
1238         for(key=list;key!=NULL;key=key->next)
1239           {
1240             fprintf(spawn->tochild,"%s\n",key->d);
1241             if(key!=list)
1242               {
1243                 searchstr=xrealloc(searchstr,
1244                                     strlen(searchstr)+strlen(key->d)+2);
1245                 strcat(searchstr," ");
1246               }
1247             else
1248               {
1249                 searchstr=xmalloc(strlen(key->d)+1);
1250                 searchstr[0]='\0';
1251               }
1252
1253             strcat(searchstr,key->d);
1254           }
1255
1256         fprintf(spawn->tochild,"\n");
1257
1258         if(keyserver->host)
1259           log_info(_("searching for \"%s\" from %s server %s\n"),
1260                    searchstr,keyserver->scheme,keyserver->host);
1261         else
1262           log_info(_("searching for \"%s\" from %s\n"),
1263                    searchstr,keyserver->uri);
1264
1265         break;
1266       }
1267
1268     default:
1269       log_fatal(_("no keyserver action!\n"));
1270       break;
1271     }
1272
1273   /* Done sending, so start reading. */
1274   ret=exec_read(spawn);
1275   if(ret)
1276     goto fail;
1277
1278   /* Now handle the response */
1279
1280   for(;;)
1281     {
1282       int plen;
1283       char *ptr;
1284
1285       maxlen=1024;
1286       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1287         {
1288           ret=G10ERR_READ_FILE;
1289           goto fail; /* i.e. EOF */
1290         }
1291
1292       ptr=line;
1293
1294       /* remove trailing whitespace */
1295       plen=strlen(ptr);
1296       while(plen>0 && ascii_isspace(ptr[plen-1]))
1297         plen--;
1298       plen[ptr]='\0';
1299
1300       if(*ptr=='\0')
1301         break;
1302
1303       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1304         {
1305           gotversion=1;
1306
1307           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1308             {
1309               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1310                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1311               goto fail;
1312             }
1313         }
1314       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1315         {
1316           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1317             log_info(_("WARNING: keyserver handler from a different"
1318                        " version of GnuPG (%s)\n"),&ptr[8]);
1319         }
1320       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1321         outofband=1; /* Currently the only OPTION */
1322     }
1323
1324   if(!gotversion)
1325     {
1326       log_error(_("keyserver did not send VERSION\n"));
1327       goto fail;
1328     }
1329
1330   if(!outofband)
1331     switch(action)
1332       {
1333       case GET:
1334         {
1335           void *stats_handle;
1336
1337           stats_handle=import_new_stats_handle();
1338
1339           /* Slurp up all the key data.  In the future, it might be
1340              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1341              It's harmless to ignore them, but ignoring them does make
1342              gpg complain about "no valid OpenPGP data found".  One
1343              way to do this could be to continue parsing this
1344              line-by-line and make a temp iobuf for each key. */
1345
1346           import_keys_stream(spawn->fromchild,stats_handle,
1347                              opt.keyserver_options.import_options);
1348
1349           import_print_stats(stats_handle);
1350           import_release_stats_handle(stats_handle);
1351
1352           break;
1353         }
1354
1355         /* Nothing to do here */
1356       case SEND:
1357         break;
1358
1359       case SEARCH:
1360         keyserver_search_prompt(spawn->fromchild,searchstr);
1361         break;
1362
1363       default:
1364         log_fatal(_("no keyserver action!\n"));
1365         break;
1366       }
1367
1368  fail:
1369   xfree(line);
1370   xfree(searchstr);
1371
1372
1373   *prog=exec_finish(spawn);
1374
1375   return ret;
1376 }
1377
1378 static int 
1379 keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1380                int count,struct keyserver_spec *keyserver)
1381 {
1382   int rc=0,ret=0;
1383
1384   if(!keyserver)
1385     {
1386       log_error(_("no keyserver known (use option --keyserver)\n"));
1387       return G10ERR_BAD_URI;
1388     }
1389
1390 #ifdef DISABLE_KEYSERVER_HELPERS
1391
1392   log_error(_("external keyserver calls are not supported in this build\n"));
1393   return G10ERR_KEYSERVER;
1394
1395 #else
1396   /* Spawn a handler */
1397
1398   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1399   if(ret)
1400     {
1401       switch(ret)
1402         {
1403         case KEYSERVER_SCHEME_NOT_FOUND:
1404           log_error(_("no handler for keyserver scheme `%s'\n"),
1405                     keyserver->scheme);
1406           break;
1407
1408         case KEYSERVER_NOT_SUPPORTED:
1409           log_error(_("action `%s' not supported with keyserver "
1410                       "scheme `%s'\n"),
1411                     action==GET?"get":action==SEND?"send":
1412                     action==SEARCH?"search":"unknown",
1413                     keyserver->scheme);
1414           break;
1415
1416         case KEYSERVER_VERSION_ERROR:
1417           log_error(_(GPGKEYS_PREFIX "%s does not support"
1418                       " handler version %d\n"),
1419                     keyserver_typemap(keyserver->scheme),
1420                     KEYSERVER_PROTO_VERSION);
1421           break;
1422
1423         case KEYSERVER_TIMEOUT:
1424           log_error(_("keyserver timed out\n"));
1425           break;
1426
1427         case KEYSERVER_INTERNAL_ERROR:
1428         default:
1429           log_error(_("keyserver internal error\n"));
1430           break;
1431         }
1432
1433       return G10ERR_KEYSERVER;
1434     }
1435
1436   if(rc)
1437     {
1438       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1439
1440       return rc;
1441     }
1442
1443   return 0;
1444 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1445 }
1446
1447 int 
1448 keyserver_export(STRLIST users)
1449 {
1450   STRLIST sl=NULL;
1451   KEYDB_SEARCH_DESC desc;
1452   int rc=0;
1453
1454   /* Weed out descriptors that we don't support sending */
1455   for(;users;users=users->next)
1456     {
1457       classify_user_id (users->d, &desc);
1458       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1459          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1460          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1461          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1462         {
1463           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1464           continue;
1465         }
1466       else
1467         append_to_strlist(&sl,users->d);
1468     }
1469
1470   if(sl)
1471     {
1472       rc=keyserver_work(SEND,sl,NULL,0,opt.keyserver);
1473       free_strlist(sl);
1474     }
1475
1476   return rc;
1477 }
1478
1479 int 
1480 keyserver_import(STRLIST users)
1481 {
1482   KEYDB_SEARCH_DESC *desc;
1483   int num=100,count=0;
1484   int rc=0;
1485
1486   /* Build a list of key ids */
1487   desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1488
1489   for(;users;users=users->next)
1490     {
1491       classify_user_id (users->d, &desc[count]);
1492       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1493          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1494          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1495          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1496         {
1497           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1498           continue;
1499         }
1500
1501       count++;
1502       if(count==num)
1503         {
1504           num+=100;
1505           desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1506         }
1507     }
1508
1509   if(count>0)
1510     rc=keyserver_work(GET,NULL,desc,count,opt.keyserver);
1511
1512   xfree(desc);
1513
1514   return rc;
1515 }
1516
1517 int
1518 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1519                         struct keyserver_spec *keyserver)
1520 {
1521   KEYDB_SEARCH_DESC desc;
1522
1523   memset(&desc,0,sizeof(desc));
1524
1525   if(fprint_len==16)
1526     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1527   else if(fprint_len==20)
1528     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1529   else
1530     return -1;
1531
1532   memcpy(desc.u.fpr,fprint,fprint_len);
1533
1534   return keyserver_work(GET,NULL,&desc,1,keyserver);
1535 }
1536
1537 int 
1538 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1539 {
1540   KEYDB_SEARCH_DESC desc;
1541
1542   memset(&desc,0,sizeof(desc));
1543
1544   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1545   desc.u.kid[0]=keyid[0];
1546   desc.u.kid[1]=keyid[1];
1547
1548   return keyserver_work(GET,NULL,&desc,1,keyserver);
1549 }
1550
1551 /* code mostly stolen from do_export_stream */
1552 static int 
1553 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1554 {
1555   int rc=0,ndesc,num=100;
1556   KBNODE keyblock=NULL,node;
1557   KEYDB_HANDLE kdbhd;
1558   KEYDB_SEARCH_DESC *desc;
1559   STRLIST sl;
1560
1561   *count=0;
1562
1563   *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1564
1565   kdbhd=keydb_new(0);
1566
1567   if(!users)
1568     {
1569       ndesc = 1;
1570       desc = xmalloc_clear ( ndesc * sizeof *desc);
1571       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1572     }
1573   else
1574     {
1575       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1576         ;
1577       desc = xmalloc ( ndesc * sizeof *desc);
1578         
1579       for (ndesc=0, sl=users; sl; sl = sl->next)
1580         {
1581           if(classify_user_id (sl->d, desc+ndesc))
1582             ndesc++;
1583           else
1584             log_error (_("key \"%s\" not found: %s\n"),
1585                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1586         }
1587     }
1588
1589   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1590     {
1591       if (!users) 
1592         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1593
1594       /* read the keyblock */
1595       rc = keydb_get_keyblock (kdbhd, &keyblock );
1596       if( rc )
1597         {
1598           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1599           goto leave;
1600         }
1601
1602       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1603         {
1604           /* This is to work around a bug in some keyservers (pksd and
1605              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1606              The answer is to refresh both the correct v4 keyid
1607              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1608              This only happens for key refresh using the HKP scheme
1609              and if the refresh-add-fake-v3-keyids keyserver option is
1610              set. */
1611           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1612              node->pkt->pkt.public_key->version>=4)
1613             {
1614               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1615               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1616                             (*klist)[*count].u.kid);
1617               (*count)++;
1618
1619               if(*count==num)
1620                 {
1621                   num+=100;
1622                   *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1623                 }
1624             }
1625
1626           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1627              This is because it's easy to calculate any sort of keyid
1628              from a v4 fingerprint, but not a v3 fingerprint. */
1629
1630           if(node->pkt->pkt.public_key->version<4)
1631             {
1632               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1633               keyid_from_pk(node->pkt->pkt.public_key,
1634                             (*klist)[*count].u.kid);
1635             }
1636           else
1637             {
1638               size_t dummy;
1639
1640               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1641               fingerprint_from_pk(node->pkt->pkt.public_key,
1642                                   (*klist)[*count].u.fpr,&dummy);
1643             }
1644
1645           /* This is a little hackish, using the skipfncvalue as a
1646              void* pointer to the keyserver spec, but we don't need
1647              the skipfnc here, and it saves having an additional field
1648              for this (which would be wasted space most of the
1649              time). */
1650
1651           (*klist)[*count].skipfncvalue=NULL;
1652
1653           /* Are we honoring preferred keyservers? */
1654           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1655             {
1656               PKT_user_id *uid=NULL;
1657               PKT_signature *sig=NULL;
1658
1659               merge_keys_and_selfsig(keyblock);
1660
1661               for(node=node->next;node;node=node->next)
1662                 {
1663                   if(node->pkt->pkttype==PKT_USER_ID
1664                      && node->pkt->pkt.user_id->is_primary)
1665                     uid=node->pkt->pkt.user_id;
1666                   else if(node->pkt->pkttype==PKT_SIGNATURE
1667                           && node->pkt->pkt.signature->
1668                           flags.chosen_selfsig && uid)
1669                     {
1670                       sig=node->pkt->pkt.signature;
1671                       break;
1672                     }
1673                 }
1674
1675               /* Try and parse the keyserver URL.  If it doesn't work,
1676                  then we end up writing NULL which indicates we are
1677                  the same as any other key. */
1678               if(uid && sig)
1679                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1680             }
1681
1682           (*count)++;
1683
1684           if(*count==num)
1685             {
1686               num+=100;
1687               *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1688             }
1689         }
1690     }
1691
1692   if(rc==-1)
1693     rc=0;
1694   
1695  leave:
1696   if(rc)
1697     xfree(*klist);
1698   xfree(desc);
1699   keydb_release(kdbhd);
1700   release_kbnode(keyblock);
1701
1702   return rc;
1703 }
1704
1705 /* Note this is different than the original HKP refresh.  It allows
1706    usernames to refresh only part of the keyring. */
1707
1708 int 
1709 keyserver_refresh(STRLIST users)
1710 {
1711   int rc,count,numdesc,fakev3=0;
1712   KEYDB_SEARCH_DESC *desc;
1713   unsigned int options=opt.keyserver_options.import_options;
1714
1715   /* We switch merge-only on during a refresh, as 'refresh' should
1716      never import new keys, even if their keyids match. */
1717   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1718
1719   /* Similarly, we switch on fast-import, since refresh may make
1720      multiple import sets (due to preferred keyserver URLs).  We don't
1721      want each set to rebuild the trustdb.  Instead we do it once at
1722      the end here. */
1723   opt.keyserver_options.import_options|=IMPORT_FAST;
1724
1725   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1726      scheme, then enable fake v3 keyid generation. */
1727   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1728      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1729          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1730     fakev3=1;
1731
1732   rc=keyidlist(users,&desc,&numdesc,fakev3);
1733   if(rc)
1734     return rc;
1735
1736   count=numdesc;
1737   if(count>0)
1738     {
1739       int i;
1740
1741       /* Try to handle preferred keyserver keys first */
1742       for(i=0;i<count;i++)
1743         {
1744           if(desc[i].skipfncvalue)
1745             {
1746               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1747
1748               /* We use the keyserver structure we parsed out before.
1749                  Note that a preferred keyserver without a scheme://
1750                  will be interpreted as hkp:// */
1751
1752               rc=keyserver_work(GET,NULL,&desc[i],1,keyserver);
1753               if(rc)
1754                 log_info(_("WARNING: unable to refresh key %s"
1755                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1756                          keyserver->uri,g10_errstr(rc));
1757               else
1758                 {
1759                   /* We got it, so mark it as NONE so we don't try and
1760                      get it again from the regular keyserver. */
1761
1762                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1763                   count--;
1764                 }
1765
1766               free_keyserver_spec(keyserver);
1767             }
1768         }
1769     }
1770
1771   if(count>0)
1772     {
1773       if(opt.keyserver)
1774         {
1775           if(count==1)
1776             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1777           else
1778             log_info(_("refreshing %d keys from %s\n"),
1779                      count,opt.keyserver->uri);
1780         }
1781
1782       rc=keyserver_work(GET,NULL,desc,numdesc,opt.keyserver);
1783     }
1784
1785   xfree(desc);
1786
1787   opt.keyserver_options.import_options=options;
1788
1789   /* If the original options didn't have fast import, and the trustdb
1790      is dirty, rebuild. */
1791   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1792     trustdb_check_or_update();
1793
1794   return rc;
1795 }
1796
1797 int
1798 keyserver_search(STRLIST tokens)
1799 {
1800   if(tokens)
1801     return keyserver_work(SEARCH,tokens,NULL,0,opt.keyserver);
1802   else
1803     return 0;
1804 }