* misc.c (openpgp_pk_algo_usage): Default to allowing CERT for signing
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <assert.h>
28 #ifdef HAVE_LIBCURL
29 #include <curl/curl.h>
30 #endif
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "iobuf.h"
38 #include "memory.h"
39 #include "ttyio.h"
40 #include "options.h"
41 #include "packet.h"
42 #include "trustdb.h"
43 #include "keyserver-internal.h"
44 #include "util.h"
45
46 #define GET    0
47 #define SEND   1
48 #define SEARCH 2
49
50 #define GPGKEYS_PREFIX "gpgkeys_"
51
52 #if defined(HAVE_LIBCURL) || defined(FAKE_CURL)
53 #define GPGKEYS_CURL "gpgkeys_curl"
54 #endif
55
56 #ifdef GPGKEYS_CURL
57 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX)+strlen(GPGKEYS_CURL))
58 #else
59 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX))
60 #endif
61
62 struct keyrec
63 {
64   KEYDB_SEARCH_DESC desc;
65   u32 createtime,expiretime;
66   int size,flags;
67   byte type;
68   IOBUF uidbuf;
69   unsigned int lines;
70 };
71
72 /* Tell remote processes about these options */
73 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
74
75 static struct parse_options keyserver_opts[]=
76   {
77     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL},      
78     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL},
79     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL},
80     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL},
81     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL},
82     {"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL},
83     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL},
84     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL},
85     {NULL,0,NULL}
86   };
87
88 static int keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
89                           int count,struct keyserver_spec *keyserver);
90
91 int
92 parse_keyserver_options(char *options)
93 {
94   int ret=1;
95   char *tok;
96
97   while((tok=optsep(&options)))
98     {
99       if(tok[0]=='\0')
100         continue;
101
102       /* For backwards compatibility.  1.2.x used honor-http-proxy and
103          there are a good number of documents published that recommend
104          it. */
105       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
106         tok="http-proxy";
107       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
108         tok="no-http-proxy";
109
110       /* We accept quite a few possible options here - some options to
111          handle specially, the keyserver_options list, and import and
112          export options that pertain to keyserver operations.  Note
113          that you must use strncasecmp here as there might be an
114          =argument attached which will foil the use of strcasecmp. */
115
116 #ifdef EXEC_TEMPFILE_ONLY
117       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
118               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
119         log_info(_("WARNING: keyserver option `%s' is not used"
120                    " on this platform\n"),tok);
121 #else
122       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
123         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
124       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
125         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
126 #endif
127       else if(!parse_options(tok,&opt.keyserver_options.options,
128                              keyserver_opts,0)
129          && !parse_import_options(tok,
130                                   &opt.keyserver_options.import_options,0)
131          && !parse_export_options(tok,
132                                   &opt.keyserver_options.export_options,0))
133         {
134           /* All of the standard options have failed, so the option is
135              destined for a keyserver plugin. */
136           char *arg=argsplit(tok);
137
138           if(arg)
139             {
140               char *joined;
141
142               joined=xmalloc(strlen(tok)+1+strlen(arg)+1);
143               /* Make a canonical name=value form with no
144                  spaces */
145               strcpy(joined,tok);
146               strcat(joined,"=");
147               strcat(joined,arg);
148               add_to_strlist(&opt.keyserver_options.other,joined);
149               xfree(joined);
150             }
151           else
152             add_to_strlist(&opt.keyserver_options.other,tok);
153         }
154     }
155
156   return ret;
157 }
158
159 void
160 free_keyserver_spec(struct keyserver_spec *keyserver)
161 {
162   xfree(keyserver->uri);
163   xfree(keyserver->scheme);
164   xfree(keyserver->auth);
165   xfree(keyserver->host);
166   xfree(keyserver->port);
167   xfree(keyserver->path);
168   xfree(keyserver->opaque);
169   xfree(keyserver);
170 }
171
172 /* TODO: once we cut over to an all-curl world, we don't need this
173    parser any longer so it can be removed, or at least moved to
174    keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
175
176 struct keyserver_spec *
177 parse_keyserver_uri(const char *uri,int require_scheme,
178                     const char *configname,unsigned int configlineno)
179 {
180   int assume_hkp=0;
181   struct keyserver_spec *keyserver;
182   const char *idx;
183   int count;
184
185   assert(uri!=NULL);
186
187   keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
188
189   keyserver->uri=xstrdup(uri);
190
191   /* Get the scheme */
192
193   for(idx=uri,count=0;*idx && *idx!=':';idx++)
194     {
195       count++;
196
197       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
198          there clearly isn't a scheme so get out early. */
199       if(*idx=='[')
200         {
201           /* Was the '[' the first thing in the string?  If not, we
202              have a mangled scheme with a [ in it so fail. */
203           if(count==1)
204             break;
205           else
206             goto fail;
207         }
208     }
209
210   if(count==0)
211     goto fail;
212
213   if(*idx=='\0' || *idx=='[')
214     {
215       if(require_scheme)
216         return NULL;
217
218       /* Assume HKP if there is no scheme */
219       assume_hkp=1;
220       keyserver->scheme=xstrdup("hkp");
221     }
222   else
223     {
224       int i;
225
226       keyserver->scheme=xmalloc(count+1);
227
228       /* Force to lowercase */
229       for(i=0;i<count;i++)
230         keyserver->scheme[i]=ascii_tolower(uri[i]);
231
232       keyserver->scheme[i]='\0';
233
234       /* Skip past the scheme and colon */
235       uri+=count+1;
236     }
237
238   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
239     {
240       deprecated_warning(configname,configlineno,"x-broken-hkp",
241                          "--keyserver-options ","broken-http-proxy");
242       xfree(keyserver->scheme);
243       keyserver->scheme=xstrdup("hkp");
244       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
245     }
246   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
247     {
248       /* Canonicalize this to "hkp" so it works with both the internal
249          and external keyserver interface. */
250       xfree(keyserver->scheme);
251       keyserver->scheme=xstrdup("hkp");
252     }
253
254   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
255     {
256       /* Two slashes means network path. */
257
258       /* Skip over the "//", if any */
259       if(!assume_hkp)
260         uri+=2;
261
262       /* Do we have userinfo auth data present? */
263       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
264         count++;
265
266       /* We found a @ before the slash, so that means everything
267          before the @ is auth data. */
268       if(*idx=='@')
269         {
270           if(count==0)
271             goto fail;
272
273           keyserver->auth=xmalloc(count+1);
274           strncpy(keyserver->auth,uri,count);
275           keyserver->auth[count]='\0';
276           uri+=count+1;
277         }
278
279       /* Is it an RFC-2732 ipv6 [literal address] ? */
280       if(*uri=='[')
281         {
282           for(idx=uri+1,count=1;*idx
283                 && ((isascii (*idx) && isxdigit(*idx))
284                     || *idx==':' || *idx=='.');idx++)
285             count++;
286
287           /* Is the ipv6 literal address terminated? */
288           if(*idx==']')
289             count++;
290           else
291             goto fail;
292         }
293       else
294         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
295           count++;
296
297       if(count==0)
298         goto fail;
299
300       keyserver->host=xmalloc(count+1);
301       strncpy(keyserver->host,uri,count);
302       keyserver->host[count]='\0';
303
304       /* Skip past the host */
305       uri+=count;
306
307       if(*uri==':')
308         {
309           /* It would seem to be reasonable to limit the range of the
310              ports to values between 1-65535, but RFC 1738 and 1808
311              imply there is no limit.  Of course, the real world has
312              limits. */
313
314           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
315             {
316               count++;
317
318               /* Ports are digits only */
319               if(!digitp(idx))
320                 goto fail;
321             }
322
323           keyserver->port=xmalloc(count+1);
324           strncpy(keyserver->port,uri+1,count);
325           keyserver->port[count]='\0';
326
327           /* Skip past the colon and port number */
328           uri+=1+count;
329         }
330
331       /* Everything else is the path */
332       if(*uri)
333         keyserver->path=xstrdup(uri);
334       else
335         keyserver->path=xstrdup("/");
336     }
337   else if(uri[0]!='/')
338     {
339       /* No slash means opaque.  Just record the opaque blob and get
340          out. */
341       keyserver->opaque=xstrdup(uri);
342     }
343   else
344     {
345       /* One slash means absolute path.  We don't need to support that
346          yet. */
347       goto fail;
348     }
349
350   return keyserver;
351
352  fail:
353   free_keyserver_spec(keyserver);
354
355   return NULL;
356 }
357
358 struct keyserver_spec *
359 parse_preferred_keyserver(PKT_signature *sig)
360 {
361   struct keyserver_spec *spec=NULL;
362   const byte *p;
363   size_t plen;
364
365   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
366   if(p && plen)
367     {
368       byte *dupe=xmalloc(plen+1);
369
370       memcpy(dupe,p,plen);
371       dupe[plen]='\0';
372       spec=parse_keyserver_uri(dupe,1,NULL,0);
373       xfree(dupe);
374     }
375
376   return spec;
377 }
378
379 static void
380 print_keyrec(int number,struct keyrec *keyrec)
381 {
382   int i;
383
384   iobuf_writebyte(keyrec->uidbuf,0);
385   iobuf_flush_temp(keyrec->uidbuf);
386   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
387
388   if(keyrec->size>0)
389     printf("%d bit ",keyrec->size);
390
391   if(keyrec->type)
392     {
393       const char *str=pubkey_algo_to_string(keyrec->type);
394
395       if(str)
396         printf("%s ",str);
397       else
398         printf("unknown ");
399     }
400
401   switch(keyrec->desc.mode)
402     {
403       /* If the keyserver helper gave us a short keyid, we have no
404          choice but to use it.  Do check --keyid-format to add a 0x if
405          needed. */
406     case KEYDB_SEARCH_MODE_SHORT_KID:
407       printf("key %s%08lX",
408              (opt.keyid_format==KF_0xSHORT
409               || opt.keyid_format==KF_0xLONG)?"0x":"",
410              (ulong)keyrec->desc.u.kid[1]);
411       break;
412
413       /* However, if it gave us a long keyid, we can honor
414          --keyid-format */
415     case KEYDB_SEARCH_MODE_LONG_KID:
416       printf("key %s",keystr(keyrec->desc.u.kid));
417       break;
418
419     case KEYDB_SEARCH_MODE_FPR16:
420       printf("key ");
421       for(i=0;i<16;i++)
422         printf("%02X",keyrec->desc.u.fpr[i]);
423       break;
424
425     case KEYDB_SEARCH_MODE_FPR20:
426       printf("key ");
427       for(i=0;i<20;i++)
428         printf("%02X",keyrec->desc.u.fpr[i]);
429       break;
430
431     default:
432       BUG();
433       break;
434     }
435
436   if(keyrec->createtime>0)
437     {
438       printf(", ");
439       printf(_("created: %s"),strtimestamp(keyrec->createtime));
440     }
441
442   if(keyrec->expiretime>0)
443     {
444       printf(", ");
445       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
446     }
447
448   if(keyrec->flags&1)
449     printf(" (%s)",_("revoked"));
450   if(keyrec->flags&2)
451     printf(" (%s)",_("disabled"));
452   if(keyrec->flags&4)
453     printf(" (%s)",_("expired"));
454
455   printf("\n");
456 }
457
458 /* Returns a keyrec (which must be freed) once a key is complete, and
459    NULL otherwise.  Call with a NULL keystring once key parsing is
460    complete to return any unfinished keys. */
461 static struct keyrec *
462 parse_keyrec(char *keystring)
463 {
464   static struct keyrec *work=NULL;
465   struct keyrec *ret=NULL;
466   char *record;
467   int i;
468
469   if(keystring==NULL)
470     {
471       if(work==NULL)
472         return NULL;
473       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
474         {
475           xfree(work);
476           return NULL;
477         }
478       else
479         {
480           ret=work;
481           work=NULL;
482           return ret;
483         }
484     }
485
486   if(work==NULL)
487     {
488       work=xmalloc_clear(sizeof(struct keyrec));
489       work->uidbuf=iobuf_temp();
490     }
491
492   /* Remove trailing whitespace */
493   for(i=strlen(keystring);i>0;i--)
494     if(ascii_isspace(keystring[i-1]))
495       keystring[i-1]='\0';
496     else
497       break;
498
499   if((record=strsep(&keystring,":"))==NULL)
500     return ret;
501
502   if(ascii_strcasecmp("pub",record)==0)
503     {
504       char *tok;
505
506       if(work->desc.mode)
507         {
508           ret=work;
509           work=xmalloc_clear(sizeof(struct keyrec));
510           work->uidbuf=iobuf_temp();
511         }
512
513       if((tok=strsep(&keystring,":"))==NULL)
514         return ret;
515
516       classify_user_id(tok,&work->desc);
517       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
518          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
519          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
520          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
521         {
522           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
523           return ret;
524         }
525
526       /* Note all items after this are optional.  This allows us to
527          have a pub line as simple as pub:keyid and nothing else. */
528
529       work->lines++;
530
531       if((tok=strsep(&keystring,":"))==NULL)
532         return ret;
533
534       work->type=atoi(tok);
535
536       if((tok=strsep(&keystring,":"))==NULL)
537         return ret;
538
539       work->size=atoi(tok);
540
541       if((tok=strsep(&keystring,":"))==NULL)
542         return ret;
543
544       if(atoi(tok)<=0)
545         work->createtime=0;
546       else
547         work->createtime=atoi(tok);
548
549       if((tok=strsep(&keystring,":"))==NULL)
550         return ret;
551
552       if(atoi(tok)<=0)
553         work->expiretime=0;
554       else
555         {
556           work->expiretime=atoi(tok);
557           /* Force the 'e' flag on if this key is expired. */
558           if(work->expiretime<=make_timestamp())
559             work->flags|=4;
560         }
561
562       if((tok=strsep(&keystring,":"))==NULL)
563         return ret;
564
565       while(*tok)
566         switch(*tok++)
567           {
568           case 'r':
569           case 'R':
570             work->flags|=1;
571             break;
572             
573           case 'd':
574           case 'D':
575             work->flags|=2;
576             break;
577
578           case 'e':
579           case 'E':
580             work->flags|=4;
581             break;
582           }
583     }
584   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
585     {
586       char *userid,*tok,*decoded;
587
588       if((tok=strsep(&keystring,":"))==NULL)
589         return ret;
590
591       if(strlen(tok)==0)
592         return ret;
593
594       userid=tok;
595
596       /* By definition, de-%-encoding is always smaller than the
597          original string so we can decode in place. */
598
599       i=0;
600
601       while(*tok)
602         if(tok[0]=='%' && tok[1] && tok[2])
603           {
604             if((userid[i]=hextobyte(&tok[1]))==-1)
605               userid[i]='?';
606
607             i++;
608             tok+=3;
609           }
610         else
611           userid[i++]=*tok++;
612
613       /* We don't care about the other info provided in the uid: line
614          since no keyserver supports marking userids with timestamps
615          or revoked/expired/disabled yet. */
616
617       /* No need to check for control characters, as utf8_to_native
618          does this for us. */
619
620       decoded=utf8_to_native(userid,i,0);
621       if(strlen(decoded)>opt.screen_columns-10)
622         decoded[opt.screen_columns-10]='\0';
623       iobuf_writestr(work->uidbuf,decoded);
624       xfree(decoded);
625       iobuf_writestr(work->uidbuf,"\n\t");
626       work->lines++;
627     }
628
629   /* Ignore any records other than "pri" and "uid" for easy future
630      growth. */
631
632   return ret;
633 }
634
635 /* TODO: do this as a list sent to keyserver_work rather than calling
636    it once for each key to get the correct counts after the import
637    (cosmetics, really) and to better take advantage of the keyservers
638    that can do multiple fetches in one go (LDAP). */
639 static int
640 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
641 {
642   char *answer;
643
644   if(count && opt.command_fd==-1)
645     {
646       static int from=1;
647       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
648       from=numdesc+1;
649     }
650
651   answer=cpr_get_no_help("keysearch.prompt",
652                          _("Enter number(s), N)ext, or Q)uit > "));
653   /* control-d */
654   if(answer[0]=='\x04')
655     {
656       printf("Q\n");
657       answer[0]='q';
658     }
659
660   if(answer[0]=='q' || answer[0]=='Q')
661     {
662       xfree(answer);
663       return 1;
664     }
665   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
666     {
667       char *split=answer,*num;
668
669       while((num=strsep(&split," ,"))!=NULL)
670         if(atoi(num)>=1 && atoi(num)<=numdesc)
671           keyserver_work(GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
672
673       xfree(answer);
674       return 1;
675     }
676
677   return 0;
678 }
679
680 /* Count and searchstr are just for cosmetics.  If the count is too
681    small, it will grow safely.  If negative it disables the "Key x-y
682    of z" messages.  searchstr should be UTF-8 (rather than native). */
683 static void
684 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
685 {
686   int i=0,validcount=0,started=0,header=0,count=1;
687   unsigned int maxlen,buflen,numlines=0;
688   KEYDB_SEARCH_DESC *desc;
689   byte *line=NULL;
690   char *localstr=NULL;
691
692   if(searchstr)
693     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
694
695   desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
696
697   for(;;)
698     {
699       struct keyrec *keyrec;
700       int rl;
701
702       maxlen=1024;
703       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
704
705       if(opt.with_colons)
706         {
707           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
708              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
709             {
710               header=1;
711               continue;
712             }
713           else if(ascii_strncasecmp("SEARCH ",line,7)==0
714                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
715             continue;
716
717           printf("%s",line);
718         }
719
720       /* Look for an info: line.  The only current info: values
721          defined are the version and key count. */
722       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
723         {
724           char *tok,*str=&line[5];
725
726           if((tok=strsep(&str,":"))!=NULL)
727             {
728               int version;
729
730               if(sscanf(tok,"%d",&version)!=1)
731                 version=1;
732
733               if(version!=1)
734                 {
735                   log_error(_("invalid keyserver protocol "
736                               "(us %d!=handler %d)\n"),1,version);
737                   break;
738                 }
739             }
740
741           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
742             {
743               if(count==0)
744                 goto notfound;
745               else if(count<0)
746                 count=10;
747               else
748                 validcount=1;
749
750               desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
751             }
752
753           started=1;
754           continue;
755         }
756
757       if(rl==0)
758         {
759           keyrec=parse_keyrec(NULL);
760
761           if(keyrec==NULL)
762             {
763               if(i==0)
764                 {
765                   count=0;
766                   break;
767                 }
768
769               if(i!=count)
770                 validcount=0;
771
772               for(;;)
773                 {
774                   if(show_prompt(desc,i,validcount?count:0,localstr))
775                     break;
776                   validcount=0;
777                 }
778
779               break;
780             }
781         }
782       else
783         keyrec=parse_keyrec(line);
784
785       if(i==count)
786         {
787           /* keyserver helper sent more keys than they claimed in the
788              info: line. */
789           count+=10;
790           desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
791           validcount=0;
792         }
793
794       if(keyrec)
795         {
796           desc[i]=keyrec->desc;
797
798           if(!opt.with_colons)
799             {
800               /* screen_lines - 1 for the prompt. */
801               if(numlines+keyrec->lines>opt.screen_lines-1)
802                 {
803                   if(show_prompt(desc,i,validcount?count:0,localstr))
804                     break;
805                   else
806                     numlines=0;
807                 }
808
809               print_keyrec(i+1,keyrec);
810             }
811
812           numlines+=keyrec->lines;
813           iobuf_close(keyrec->uidbuf);
814           xfree(keyrec);
815
816           started=1;
817           i++;
818         }
819     }
820
821  notfound:
822   /* Leave this commented out or now, and perhaps for a very long
823      time.  All HKPish servers return HTML error messages for
824      no-key-found. */
825   /* 
826      if(!started)
827      log_info(_("keyserver does not support searching\n"));
828      else
829   */
830   if(count==0)
831     {
832       if(localstr)
833         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
834       else
835         log_info(_("key not found on keyserver\n"));
836     }
837
838   xfree(localstr);
839   xfree(desc);
840   xfree(line);
841 }
842
843 /* We sometimes want to use a different gpgkeys_xxx for a given
844    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
845    these here. */
846 static const char *
847 keyserver_typemap(const char *type)
848 {
849   if(strcmp(type,"ldaps")==0)
850     return "ldap";
851   else
852     return type;
853 }
854
855 #ifdef GPGKEYS_CURL
856 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
857    sufficiently different that we can't use curl to do LDAP. */
858 static int
859 curl_cant_handle(const char *scheme)
860 {
861   if(strcmp(scheme,"ldap")==0 || strcmp(scheme,"ldaps")==0)
862     return 1;
863
864   return 0;
865 }
866 #endif
867
868 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
869 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
870
871 static int 
872 keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
873                 int count,int *prog,struct keyserver_spec *keyserver)
874 {
875   int ret=0,i,gotversion=0,outofband=0;
876   STRLIST temp;
877   unsigned int maxlen,buflen;
878   char *command,*end,*searchstr=NULL;
879   byte *line=NULL;
880   struct parse_options *kopts;
881   struct exec_info *spawn;
882   const char *scheme;
883   const char *libexecdir = get_libexecdir ();
884
885   assert(keyserver);
886
887 #ifdef EXEC_TEMPFILE_ONLY
888   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
889 #endif
890
891   /* Build the filename for the helper to execute */
892   scheme=keyserver_typemap(keyserver->scheme);
893
894 #ifdef DISABLE_KEYSERVER_PATH
895   /* Destroy any path we might have.  This is a little tricky,
896      portability-wise.  It's not correct to delete the PATH
897      environment variable, as that may fall back to a system built-in
898      PATH.  Similarly, it is not correct to set PATH to the null
899      string (PATH="") since this actually deletes the PATH environment
900      variable under MinGW.  The safest thing to do here is to force
901      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
902      Unix-like systems (since we're going to give a full path to
903      gpgkeys_foo), but on W32 it prevents loading any DLLs from
904      directories in %PATH%.
905
906      After some more thinking about this we came to the conclusion
907      that it is better to load the helpers from the directory where
908      the program of this process lives.  Fortunately Windows provides
909      a way to retrieve this and our get_libexecdir function has been
910      modified to return just this.  Setting the exec-path is not
911      anymore required.  
912        set_exec_path(libexecdir);
913  */
914 #else
915   if(opt.exec_path_set)
916     {
917       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
918          undefined, then don't specify a full path to gpgkeys_foo, so
919          that the PATH can work. */
920       command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+1);
921       command[0]='\0';
922     }
923   else
924 #endif
925     {
926       /* Specify a full path to gpgkeys_foo. */
927       command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
928                       GPGKEYS_PREFIX_LEN+strlen(scheme)+1);
929       strcpy(command,libexecdir);
930       strcat(command,DIRSEP_S);
931     }
932
933   end=command+strlen(command);
934
935   strcat(command,GPGKEYS_PREFIX); 
936   strcat(command,scheme);
937
938 #ifdef GPGKEYS_CURL
939   if(!curl_cant_handle(scheme) && path_access(command,X_OK)!=0)
940     strcpy(end,GPGKEYS_CURL);
941 #endif
942
943   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
944     {
945       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
946         {
947           command=xrealloc(command,strlen(command)+
948                             strlen(KEYSERVER_ARGS_KEEP)+1);
949           strcat(command,KEYSERVER_ARGS_KEEP);
950         }
951       else
952         {
953           command=xrealloc(command,strlen(command)+
954                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
955           strcat(command,KEYSERVER_ARGS_NOKEEP);  
956         }
957
958       ret=exec_write(&spawn,NULL,command,NULL,0,0);
959     }
960   else
961     ret=exec_write(&spawn,command,NULL,NULL,0,0);
962
963   xfree(command);
964
965   if(ret)
966     return ret;
967
968   fprintf(spawn->tochild,
969           "# This is a GnuPG %s keyserver communications file\n",VERSION);
970   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
971   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
972   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
973
974   if(keyserver->opaque)
975     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
976   else
977     {
978       if(keyserver->auth)
979         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
980
981       if(keyserver->host)
982         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
983
984       if(keyserver->port)
985         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
986
987       if(keyserver->path)
988         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
989     }
990
991   /* Write options */
992
993   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
994     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
995       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
996
997   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
998     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
999
1000   switch(action)
1001     {
1002     case GET:
1003       {
1004         fprintf(spawn->tochild,"COMMAND GET\n\n");
1005
1006         /* Which keys do we want? */
1007
1008         for(i=0;i<count;i++)
1009           {
1010             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1011               {
1012                 int f;
1013
1014                 fprintf(spawn->tochild,"0x");
1015
1016                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1017                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1018
1019                 fprintf(spawn->tochild,"\n");
1020               }
1021             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1022               {
1023                 int f;
1024
1025                 fprintf(spawn->tochild,"0x");
1026
1027                 for(f=0;f<16;f++)
1028                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1029
1030                 fprintf(spawn->tochild,"\n");
1031               }
1032             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1033               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1034                       (ulong)desc[i].u.kid[0],
1035                       (ulong)desc[i].u.kid[1]);
1036             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1037               fprintf(spawn->tochild,"0x%08lX\n",
1038                       (ulong)desc[i].u.kid[1]);
1039             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1040               continue;
1041             else
1042               BUG();
1043
1044             if(keyserver->host)
1045               log_info(_("requesting key %s from %s server %s\n"),
1046                        keystr_from_desc(&desc[i]),
1047                        keyserver->scheme,keyserver->host);
1048             else
1049               log_info(_("requesting key %s from %s\n"),
1050                        keystr_from_desc(&desc[i]),keyserver->uri);
1051           }
1052
1053         fprintf(spawn->tochild,"\n");
1054
1055         break;
1056       }
1057
1058     case SEND:
1059       {
1060         STRLIST key;
1061
1062         /* Note the extra \n here to send an empty keylist block */
1063         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1064
1065         for(key=list;key!=NULL;key=key->next)
1066           {
1067             armor_filter_context_t afx;
1068             IOBUF buffer=iobuf_temp();
1069             KBNODE block;
1070
1071             temp=NULL;
1072             add_to_strlist(&temp,key->d);
1073
1074             memset(&afx,0,sizeof(afx));
1075             afx.what=1;
1076             /* Tell the armor filter to use Unix-style \n line
1077                endings, since we're going to fprintf this to a file
1078                that (on Win32) is open in text mode.  The win32 stdio
1079                will transform the \n to \r\n and we'll end up with the
1080                proper line endings on win32.  This is a no-op on
1081                Unix. */
1082             afx.eol[0]='\n';
1083             iobuf_push_filter(buffer,armor_filter,&afx);
1084
1085             /* TODO: Remove Comment: lines from keys exported this
1086                way? */
1087
1088             if(export_pubkeys_stream(buffer,temp,&block,
1089                                      opt.keyserver_options.export_options)==-1)
1090               iobuf_close(buffer);
1091             else
1092               {
1093                 KBNODE node;
1094
1095                 iobuf_flush_temp(buffer);
1096
1097                 merge_keys_and_selfsig(block);
1098
1099                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1100                         (ulong)block->pkt->pkt.public_key->keyid[0],
1101                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1102
1103                 for(node=block;node;node=node->next)
1104                   {
1105                     switch(node->pkt->pkttype)
1106                       {
1107                       default:
1108                         continue;
1109
1110                       case PKT_PUBLIC_KEY:
1111                       case PKT_PUBLIC_SUBKEY:
1112                         {
1113                           PKT_public_key *pk=node->pkt->pkt.public_key;
1114
1115                           keyid_from_pk(pk,NULL);
1116
1117                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1118                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1119                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1120                                   pk->pubkey_algo,
1121                                   nbits_from_pk(pk),
1122                                   pk->timestamp,
1123                                   pk->expiredate);
1124
1125                           if(pk->is_revoked)
1126                             fprintf(spawn->tochild,"r");
1127                           if(pk->has_expired)
1128                             fprintf(spawn->tochild,"e");
1129
1130                           fprintf(spawn->tochild,"\n");
1131                         }
1132                         break;
1133
1134                       case PKT_USER_ID:
1135                         {
1136                           PKT_user_id *uid=node->pkt->pkt.user_id;
1137                           int r;
1138
1139                           if(uid->attrib_data)
1140                             continue;
1141
1142                           fprintf(spawn->tochild,"uid:");
1143
1144                           /* Quote ':', '%', and any 8-bit
1145                              characters */
1146                           for(r=0;r<uid->len;r++)
1147                             {
1148                               if(uid->name[r]==':' || uid->name[r]=='%'
1149                                  || uid->name[r]&0x80)
1150                                 fprintf(spawn->tochild,"%%%02X",
1151                                         (byte)uid->name[r]);
1152                               else
1153                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1154                             }
1155
1156                           fprintf(spawn->tochild,":%u:%u:",
1157                                   uid->created,uid->expiredate);
1158
1159                           if(uid->is_revoked)
1160                             fprintf(spawn->tochild,"r");
1161                           if(uid->is_expired)
1162                             fprintf(spawn->tochild,"e");
1163
1164                           fprintf(spawn->tochild,"\n");
1165                         }
1166                         break;
1167
1168                         /* This bit is really for the benefit of
1169                            people who store their keys in LDAP
1170                            servers.  It makes it easy to do queries
1171                            for things like "all keys signed by
1172                            Isabella". */
1173                       case PKT_SIGNATURE:
1174                         {
1175                           PKT_signature *sig=node->pkt->pkt.signature;
1176
1177                           if(!IS_UID_SIG(sig))
1178                             continue;
1179
1180                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1181                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1182                                   sig->sig_class,sig->timestamp,
1183                                   sig->expiredate);
1184                         }
1185                         break;
1186                       }
1187                   }
1188
1189                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1190                         (ulong)block->pkt->pkt.public_key->keyid[0],
1191                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1192
1193                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1194                 fwrite(iobuf_get_temp_buffer(buffer),
1195                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1196                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1197
1198                 iobuf_close(buffer);
1199
1200                 if(keyserver->host)
1201                   log_info(_("sending key %s to %s server %s\n"),
1202                            keystr(block->pkt->pkt.public_key->keyid),
1203                            keyserver->scheme,keyserver->host);
1204                 else
1205                   log_info(_("sending key %s to %s\n"),
1206                            keystr(block->pkt->pkt.public_key->keyid),
1207                            keyserver->uri);
1208
1209                 release_kbnode(block);
1210               }
1211
1212             free_strlist(temp);
1213           }
1214
1215         break;
1216       }
1217
1218     case SEARCH:
1219       {
1220         STRLIST key;
1221
1222         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1223
1224         /* Which keys do we want?  Remember that the gpgkeys_ program
1225            is going to lump these together into a search string. */
1226
1227         for(key=list;key!=NULL;key=key->next)
1228           {
1229             fprintf(spawn->tochild,"%s\n",key->d);
1230             if(key!=list)
1231               {
1232                 searchstr=xrealloc(searchstr,
1233                                     strlen(searchstr)+strlen(key->d)+2);
1234                 strcat(searchstr," ");
1235               }
1236             else
1237               {
1238                 searchstr=xmalloc(strlen(key->d)+1);
1239                 searchstr[0]='\0';
1240               }
1241
1242             strcat(searchstr,key->d);
1243           }
1244
1245         fprintf(spawn->tochild,"\n");
1246
1247         if(keyserver->host)
1248           log_info(_("searching for \"%s\" from %s server %s\n"),
1249                    searchstr,keyserver->scheme,keyserver->host);
1250         else
1251           log_info(_("searching for \"%s\" from %s\n"),
1252                    searchstr,keyserver->uri);
1253
1254         break;
1255       }
1256
1257     default:
1258       log_fatal(_("no keyserver action!\n"));
1259       break;
1260     }
1261
1262   /* Done sending, so start reading. */
1263   ret=exec_read(spawn);
1264   if(ret)
1265     goto fail;
1266
1267   /* Now handle the response */
1268
1269   for(;;)
1270     {
1271       int plen;
1272       char *ptr;
1273
1274       maxlen=1024;
1275       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1276         {
1277           ret=G10ERR_READ_FILE;
1278           goto fail; /* i.e. EOF */
1279         }
1280
1281       ptr=line;
1282
1283       /* remove trailing whitespace */
1284       plen=strlen(ptr);
1285       while(plen>0 && ascii_isspace(ptr[plen-1]))
1286         plen--;
1287       plen[ptr]='\0';
1288
1289       if(*ptr=='\0')
1290         break;
1291
1292       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1293         {
1294           gotversion=1;
1295
1296           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1297             {
1298               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1299                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1300               goto fail;
1301             }
1302         }
1303       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1304         {
1305           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1306             log_info(_("WARNING: keyserver handler from a different"
1307                        " version of GnuPG (%s)\n"),&ptr[8]);
1308         }
1309       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1310         outofband=1; /* Currently the only OPTION */
1311     }
1312
1313   if(!gotversion)
1314     {
1315       log_error(_("keyserver did not send VERSION\n"));
1316       goto fail;
1317     }
1318
1319   if(!outofband)
1320     switch(action)
1321       {
1322       case GET:
1323         {
1324           void *stats_handle;
1325
1326           stats_handle=import_new_stats_handle();
1327
1328           /* Slurp up all the key data.  In the future, it might be
1329              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1330              It's harmless to ignore them, but ignoring them does make
1331              gpg complain about "no valid OpenPGP data found".  One
1332              way to do this could be to continue parsing this
1333              line-by-line and make a temp iobuf for each key. */
1334
1335           import_keys_stream(spawn->fromchild,stats_handle,
1336                              opt.keyserver_options.import_options);
1337
1338           import_print_stats(stats_handle);
1339           import_release_stats_handle(stats_handle);
1340
1341           break;
1342         }
1343
1344         /* Nothing to do here */
1345       case SEND:
1346         break;
1347
1348       case SEARCH:
1349         keyserver_search_prompt(spawn->fromchild,searchstr);
1350         break;
1351
1352       default:
1353         log_fatal(_("no keyserver action!\n"));
1354         break;
1355       }
1356
1357  fail:
1358   xfree(line);
1359   xfree(searchstr);
1360
1361
1362   *prog=exec_finish(spawn);
1363
1364   return ret;
1365 }
1366
1367 static int 
1368 keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1369                int count,struct keyserver_spec *keyserver)
1370 {
1371   int rc=0,ret=0;
1372
1373   if(!keyserver)
1374     {
1375       log_error(_("no keyserver known (use option --keyserver)\n"));
1376       return G10ERR_BAD_URI;
1377     }
1378
1379 #ifdef DISABLE_KEYSERVER_HELPERS
1380
1381   log_error(_("external keyserver calls are not supported in this build\n"));
1382   return G10ERR_KEYSERVER;
1383
1384 #else
1385   /* Spawn a handler */
1386
1387   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1388   if(ret)
1389     {
1390       switch(ret)
1391         {
1392         case KEYSERVER_SCHEME_NOT_FOUND:
1393           log_error(_("no handler for keyserver scheme `%s'\n"),
1394                     keyserver->scheme);
1395           break;
1396
1397         case KEYSERVER_NOT_SUPPORTED:
1398           log_error(_("action `%s' not supported with keyserver "
1399                       "scheme `%s'\n"),
1400                     action==GET?"get":action==SEND?"send":
1401                     action==SEARCH?"search":"unknown",
1402                     keyserver->scheme);
1403           break;
1404
1405         case KEYSERVER_VERSION_ERROR:
1406           log_error(_(GPGKEYS_PREFIX "%s does not support"
1407                       " handler version %d\n"),
1408                     keyserver_typemap(keyserver->scheme),
1409                     KEYSERVER_PROTO_VERSION);
1410           break;
1411
1412         case KEYSERVER_TIMEOUT:
1413           log_error(_("keyserver timed out\n"));
1414           break;
1415
1416         case KEYSERVER_INTERNAL_ERROR:
1417         default:
1418           log_error(_("keyserver internal error\n"));
1419           break;
1420         }
1421
1422       return G10ERR_KEYSERVER;
1423     }
1424
1425   if(rc)
1426     {
1427       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1428
1429       return rc;
1430     }
1431
1432   return 0;
1433 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1434 }
1435
1436 int 
1437 keyserver_export(STRLIST users)
1438 {
1439   STRLIST sl=NULL;
1440   KEYDB_SEARCH_DESC desc;
1441   int rc=0;
1442
1443   /* Weed out descriptors that we don't support sending */
1444   for(;users;users=users->next)
1445     {
1446       classify_user_id (users->d, &desc);
1447       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1448          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1449          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1450          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1451         {
1452           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1453           continue;
1454         }
1455       else
1456         append_to_strlist(&sl,users->d);
1457     }
1458
1459   if(sl)
1460     {
1461       rc=keyserver_work(SEND,sl,NULL,0,opt.keyserver);
1462       free_strlist(sl);
1463     }
1464
1465   return rc;
1466 }
1467
1468 int 
1469 keyserver_import(STRLIST users)
1470 {
1471   KEYDB_SEARCH_DESC *desc;
1472   int num=100,count=0;
1473   int rc=0;
1474
1475   /* Build a list of key ids */
1476   desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1477
1478   for(;users;users=users->next)
1479     {
1480       classify_user_id (users->d, &desc[count]);
1481       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1482          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1483          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1484          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1485         {
1486           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1487           continue;
1488         }
1489
1490       count++;
1491       if(count==num)
1492         {
1493           num+=100;
1494           desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1495         }
1496     }
1497
1498   if(count>0)
1499     rc=keyserver_work(GET,NULL,desc,count,opt.keyserver);
1500
1501   xfree(desc);
1502
1503   return rc;
1504 }
1505
1506 int
1507 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1508                         struct keyserver_spec *keyserver)
1509 {
1510   KEYDB_SEARCH_DESC desc;
1511
1512   memset(&desc,0,sizeof(desc));
1513
1514   if(fprint_len==16)
1515     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1516   else if(fprint_len==20)
1517     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1518   else
1519     return -1;
1520
1521   memcpy(desc.u.fpr,fprint,fprint_len);
1522
1523   return keyserver_work(GET,NULL,&desc,1,keyserver);
1524 }
1525
1526 int 
1527 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1528 {
1529   KEYDB_SEARCH_DESC desc;
1530
1531   memset(&desc,0,sizeof(desc));
1532
1533   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1534   desc.u.kid[0]=keyid[0];
1535   desc.u.kid[1]=keyid[1];
1536
1537   return keyserver_work(GET,NULL,&desc,1,keyserver);
1538 }
1539
1540 /* code mostly stolen from do_export_stream */
1541 static int 
1542 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1543 {
1544   int rc=0,ndesc,num=100;
1545   KBNODE keyblock=NULL,node;
1546   KEYDB_HANDLE kdbhd;
1547   KEYDB_SEARCH_DESC *desc;
1548   STRLIST sl;
1549
1550   *count=0;
1551
1552   *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1553
1554   kdbhd=keydb_new(0);
1555
1556   if(!users)
1557     {
1558       ndesc = 1;
1559       desc = xmalloc_clear ( ndesc * sizeof *desc);
1560       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1561     }
1562   else
1563     {
1564       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1565         ;
1566       desc = xmalloc ( ndesc * sizeof *desc);
1567         
1568       for (ndesc=0, sl=users; sl; sl = sl->next)
1569         {
1570           if(classify_user_id (sl->d, desc+ndesc))
1571             ndesc++;
1572           else
1573             log_error (_("key \"%s\" not found: %s\n"),
1574                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1575         }
1576     }
1577
1578   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1579     {
1580       if (!users) 
1581         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1582
1583       /* read the keyblock */
1584       rc = keydb_get_keyblock (kdbhd, &keyblock );
1585       if( rc )
1586         {
1587           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1588           goto leave;
1589         }
1590
1591       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1592         {
1593           /* This is to work around a bug in some keyservers (pksd and
1594              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1595              The answer is to refresh both the correct v4 keyid
1596              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1597              This only happens for key refresh using the HKP scheme
1598              and if the refresh-add-fake-v3-keyids keyserver option is
1599              set. */
1600           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1601              node->pkt->pkt.public_key->version>=4)
1602             {
1603               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1604               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1605                             (*klist)[*count].u.kid);
1606               (*count)++;
1607
1608               if(*count==num)
1609                 {
1610                   num+=100;
1611                   *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1612                 }
1613             }
1614
1615           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1616              This is because it's easy to calculate any sort of keyid
1617              from a v4 fingerprint, but not a v3 fingerprint. */
1618
1619           if(node->pkt->pkt.public_key->version<4)
1620             {
1621               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1622               keyid_from_pk(node->pkt->pkt.public_key,
1623                             (*klist)[*count].u.kid);
1624             }
1625           else
1626             {
1627               size_t dummy;
1628
1629               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1630               fingerprint_from_pk(node->pkt->pkt.public_key,
1631                                   (*klist)[*count].u.fpr,&dummy);
1632             }
1633
1634           /* This is a little hackish, using the skipfncvalue as a
1635              void* pointer to the keyserver spec, but we don't need
1636              the skipfnc here, and it saves having an additional field
1637              for this (which would be wasted space most of the
1638              time). */
1639
1640           (*klist)[*count].skipfncvalue=NULL;
1641
1642           /* Are we honoring preferred keyservers? */
1643           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1644             {
1645               PKT_user_id *uid=NULL;
1646               PKT_signature *sig=NULL;
1647
1648               merge_keys_and_selfsig(keyblock);
1649
1650               for(node=node->next;node;node=node->next)
1651                 {
1652                   if(node->pkt->pkttype==PKT_USER_ID
1653                      && node->pkt->pkt.user_id->is_primary)
1654                     uid=node->pkt->pkt.user_id;
1655                   else if(node->pkt->pkttype==PKT_SIGNATURE
1656                           && node->pkt->pkt.signature->
1657                           flags.chosen_selfsig && uid)
1658                     {
1659                       sig=node->pkt->pkt.signature;
1660                       break;
1661                     }
1662                 }
1663
1664               /* Try and parse the keyserver URL.  If it doesn't work,
1665                  then we end up writing NULL which indicates we are
1666                  the same as any other key. */
1667               if(uid && sig)
1668                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1669             }
1670
1671           (*count)++;
1672
1673           if(*count==num)
1674             {
1675               num+=100;
1676               *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1677             }
1678         }
1679     }
1680
1681   if(rc==-1)
1682     rc=0;
1683   
1684  leave:
1685   if(rc)
1686     xfree(*klist);
1687   xfree(desc);
1688   keydb_release(kdbhd);
1689   release_kbnode(keyblock);
1690
1691   return rc;
1692 }
1693
1694 /* Note this is different than the original HKP refresh.  It allows
1695    usernames to refresh only part of the keyring. */
1696
1697 int 
1698 keyserver_refresh(STRLIST users)
1699 {
1700   int rc,count,numdesc,fakev3=0;
1701   KEYDB_SEARCH_DESC *desc;
1702   unsigned int options=opt.keyserver_options.import_options;
1703
1704   /* We switch merge-only on during a refresh, as 'refresh' should
1705      never import new keys, even if their keyids match. */
1706   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1707
1708   /* Similarly, we switch on fast-import, since refresh may make
1709      multiple import sets (due to preferred keyserver URLs).  We don't
1710      want each set to rebuild the trustdb.  Instead we do it once at
1711      the end here. */
1712   opt.keyserver_options.import_options|=IMPORT_FAST;
1713
1714   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1715      scheme, then enable fake v3 keyid generation. */
1716   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1717      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1718          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1719     fakev3=1;
1720
1721   rc=keyidlist(users,&desc,&numdesc,fakev3);
1722   if(rc)
1723     return rc;
1724
1725   count=numdesc;
1726   if(count>0)
1727     {
1728       int i;
1729
1730       /* Try to handle preferred keyserver keys first */
1731       for(i=0;i<count;i++)
1732         {
1733           if(desc[i].skipfncvalue)
1734             {
1735               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1736
1737               /* We use the keyserver structure we parsed out before.
1738                  Note that a preferred keyserver without a scheme://
1739                  will be interpreted as hkp:// */
1740
1741               rc=keyserver_work(GET,NULL,&desc[i],1,keyserver);
1742               if(rc)
1743                 log_info(_("WARNING: unable to refresh key %s"
1744                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1745                          keyserver->uri,g10_errstr(rc));
1746               else
1747                 {
1748                   /* We got it, so mark it as NONE so we don't try and
1749                      get it again from the regular keyserver. */
1750
1751                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1752                   count--;
1753                 }
1754
1755               free_keyserver_spec(keyserver);
1756             }
1757         }
1758     }
1759
1760   if(count>0)
1761     {
1762       if(opt.keyserver)
1763         {
1764           if(count==1)
1765             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1766           else
1767             log_info(_("refreshing %d keys from %s\n"),
1768                      count,opt.keyserver->uri);
1769         }
1770
1771       rc=keyserver_work(GET,NULL,desc,numdesc,opt.keyserver);
1772     }
1773
1774   xfree(desc);
1775
1776   opt.keyserver_options.import_options=options;
1777
1778   /* If the original options didn't have fast import, and the trustdb
1779      is dirty, rebuild. */
1780   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1781     trustdb_check_or_update();
1782
1783   return rc;
1784 }
1785
1786 int
1787 keyserver_search(STRLIST tokens)
1788 {
1789   if(tokens)
1790     return keyserver_work(SEARCH,tokens,NULL,0,opt.keyserver);
1791   else
1792     return 0;
1793 }