* curl-shim.c (curl_easy_perform): Minor cleanup of proxy code.
[gnupg.git] / keyserver / gpgkeys_ldap.c
1 /* gpgkeys_ldap.c - talk to a LDAP keyserver
2  * Copyright (C) 2001, 2002, 2004, 2005, 2006 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <time.h>
26 #include <unistd.h>
27 #ifdef HAVE_GETOPT_H
28 #include <getopt.h>
29 #endif
30 #include <stdlib.h>
31 #include <errno.h>
32
33 #ifdef _WIN32
34 #include <winsock2.h>
35 #include <winldap.h>
36 #else
37 #ifdef NEED_LBER_H
38 #include <lber.h>
39 #endif
40 /* For OpenLDAP, to enable the API that we're using. */
41 #define LDAP_DEPRECATED 1
42 #include <ldap.h>
43 #endif
44
45 #include "util.h"
46 #include "keyserver.h"
47 #include "ksutil.h"
48
49 #ifdef __riscos__
50 #include "util.h"
51 #endif
52
53 extern char *optarg;
54 extern int optind;
55
56 static int real_ldap=0;
57 static char *basekeyspacedn=NULL;
58 static char *pgpkeystr="pgpKey";
59 static FILE *input=NULL,*output=NULL,*console=NULL;
60 static LDAP *ldap=NULL;
61 static struct ks_options *opt;
62
63 #ifndef HAVE_TIMEGM
64 time_t timegm(struct tm *tm);
65 #endif
66
67 static int
68 ldap_err_to_gpg_err(int err)
69 {
70   int ret;
71
72   switch(err)
73     {
74     case LDAP_ALREADY_EXISTS:
75       ret=KEYSERVER_KEY_EXISTS;
76       break;
77
78     case LDAP_SERVER_DOWN:
79       ret=KEYSERVER_UNREACHABLE;
80       break;
81
82     default:
83       ret=KEYSERVER_GENERAL_ERROR;
84       break;
85     }
86
87   return ret;
88 }
89
90 static int
91 ldap_to_gpg_err(LDAP *ld)
92 {
93 #if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
94
95   int err;
96
97   if(ldap_get_option(ld,LDAP_OPT_ERROR_NUMBER,&err)==0)
98     return ldap_err_to_gpg_err(err);
99   else
100     return KEYSERVER_GENERAL_ERROR;
101
102 #elif defined(HAVE_LDAP_LD_ERRNO)
103
104   return ldap_err_to_gpg_err(ld->ld_errno);
105
106 #else
107
108   /* We should never get here since the LDAP library should always
109      have either ldap_get_option or ld_errno, but just in case... */
110   return KEYSERVER_GENERAL_ERROR;
111
112 #endif
113 }
114
115 static int
116 key_in_keylist(const char *key,struct keylist *list)
117 {
118   struct keylist *keyptr=list;
119
120   while(keyptr!=NULL)
121     {
122       if(strcasecmp(key,keyptr->str)==0)
123         return 1;
124
125       keyptr=keyptr->next;
126     }
127
128   return 0;
129 }
130
131 static int
132 add_key_to_keylist(const char *key,struct keylist **list)
133 {
134   struct keylist *keyptr=malloc(sizeof(struct keylist));
135
136   if(keyptr==NULL)
137     {
138       fprintf(console,"gpgkeys: out of memory when deduping "
139               "key list\n");
140       return KEYSERVER_NO_MEMORY;
141     }
142
143   strncpy(keyptr->str,key,MAX_LINE);
144   keyptr->str[MAX_LINE-1]='\0';
145   keyptr->next=*list;
146   *list=keyptr;
147
148   return 0;
149 }
150
151 static void
152 free_keylist(struct keylist *list)
153 {
154   while(list!=NULL)
155     {
156       struct keylist *keyptr=list;
157
158       list=keyptr->next;
159       free(keyptr);
160     }
161 }
162
163 static time_t
164 ldap2epochtime(const char *timestr)
165 {
166   struct tm pgptime;
167   time_t answer;
168
169   memset(&pgptime,0,sizeof(pgptime));
170
171   /* YYYYMMDDHHmmssZ */
172
173   sscanf(timestr,"%4d%2d%2d%2d%2d%2d",
174          &pgptime.tm_year,
175          &pgptime.tm_mon,
176          &pgptime.tm_mday,
177          &pgptime.tm_hour,
178          &pgptime.tm_min,
179          &pgptime.tm_sec);
180
181   pgptime.tm_year-=1900;
182   pgptime.tm_isdst=-1;
183   pgptime.tm_mon--;
184
185   /* mktime() takes the timezone into account, so we use timegm() */
186
187   answer=timegm(&pgptime);
188
189   return answer;
190 }
191
192 /* Caller must free */
193 static char *
194 epoch2ldaptime(time_t stamp)
195 {
196   struct tm *ldaptime;
197   char buf[16];
198
199   ldaptime=gmtime(&stamp);
200
201   ldaptime->tm_year+=1900;
202   ldaptime->tm_mon++;
203
204   /* YYYYMMDDHHmmssZ */
205
206   sprintf(buf,"%04d%02d%02d%02d%02d%02dZ",
207           ldaptime->tm_year,
208           ldaptime->tm_mon,
209           ldaptime->tm_mday,
210           ldaptime->tm_hour,
211           ldaptime->tm_min,
212           ldaptime->tm_sec);
213
214   return strdup(buf);
215 }
216
217 /* Append two onto the end of one.  Two is not freed, but its pointers
218    are now part of one.  Make sure you don't free them both! */
219 static int
220 join_two_modlists(LDAPMod ***one,LDAPMod **two)
221 {
222   int i,one_count=0,two_count=0;
223   LDAPMod **grow;
224
225   for(grow=*one;*grow;grow++)
226     one_count++;
227
228   for(grow=two;*grow;grow++)
229     two_count++;
230
231   grow=realloc(*one,sizeof(LDAPMod *)*(one_count+two_count+1));
232   if(!grow)
233     return 0;
234
235   for(i=0;i<two_count;i++)
236     grow[one_count+i]=two[i];
237
238   grow[one_count+i]=NULL;
239
240   *one=grow;
241
242   return 1;
243 }
244
245 /* Passing a NULL for value effectively deletes that attribute.  This
246    doesn't mean "delete" in the sense of removing something from the
247    modlist, but "delete" in the LDAP sense of adding a modlist item
248    that specifies LDAP_MOD_REPLACE and a null attribute for the given
249    attribute.  LDAP_MOD_DELETE doesn't work here as we don't know if
250    the attribute in question exists or not. */
251
252 static int
253 make_one_attr(LDAPMod ***modlist,char *attr,const char *value)
254 {
255   LDAPMod **m;
256   int nummods=0;
257
258   /* Search modlist for the attribute we're playing with. */
259   for(m=*modlist;*m;m++)
260     {
261       if(strcasecmp((*m)->mod_type,attr)==0)
262         {
263           char **ptr=(*m)->mod_values;
264           int numvalues=0;
265
266           /* We have this attribute already, so when the REPLACE
267              happens, the server attributes will be replaced
268              anyway. */
269           if(!value)
270             return 1;
271
272           if(ptr)
273             for(ptr=(*m)->mod_values;*ptr;ptr++)
274               {
275                 /* Duplicate value */
276                 if(strcmp(*ptr,value)==0)
277                   return 1;
278                 numvalues++;
279               }
280
281           ptr=realloc((*m)->mod_values,sizeof(char *)*(numvalues+2));
282           if(!ptr)
283             return 0;
284
285           (*m)->mod_values=ptr;
286           ptr[numvalues]=strdup(value);
287           if(!ptr[numvalues])
288             return 0;
289
290           ptr[numvalues+1]=NULL;
291           break;
292         }
293
294       nummods++;
295     }
296
297   /* We didn't find the attr, so make one and add it to the end */
298   if(!*m)
299     {
300       LDAPMod **grow;
301
302       grow=realloc(*modlist,sizeof(LDAPMod *)*(nummods+2));
303       if(!grow)
304         return 0;
305
306       *modlist=grow;
307       grow[nummods]=malloc(sizeof(LDAPMod));
308       if(!grow[nummods])
309         return 0;
310       grow[nummods]->mod_op=LDAP_MOD_REPLACE;
311       grow[nummods]->mod_type=attr;
312       if(value)
313         {
314           grow[nummods]->mod_values=malloc(sizeof(char *)*2);
315           if(!grow[nummods]->mod_values)
316             {
317               grow[nummods]=NULL;
318               return 0;
319             }
320
321           /* Is this the right thing?  Can a UTF8-encoded user ID have
322              embedded nulls? */
323           grow[nummods]->mod_values[0]=strdup(value);
324           if(!grow[nummods]->mod_values[0])
325             {
326               free(grow[nummods]->mod_values);
327               grow[nummods]=NULL;
328               return 0;
329             }
330
331           grow[nummods]->mod_values[1]=NULL;
332         }
333       else
334         grow[nummods]->mod_values=NULL;
335
336       grow[nummods+1]=NULL;
337     }
338
339   return 1;
340 }
341
342 static void
343 build_attrs(LDAPMod ***modlist,char *line)
344 {
345   char *record;
346   int i;
347
348   /* Remove trailing whitespace */
349   for(i=strlen(line);i>0;i--)
350     if(ascii_isspace(line[i-1]))
351       line[i-1]='\0';
352     else
353       break;
354
355   if((record=strsep(&line,":"))==NULL)
356     return;
357
358   if(ascii_strcasecmp("pub",record)==0)
359     {
360       char *tok;
361       int disabled=0,revoked=0;
362
363       /* The long keyid */
364       if((tok=strsep(&line,":"))==NULL)
365         return;
366
367       if(strlen(tok)==16)
368         {
369           make_one_attr(modlist,"pgpCertID",tok);
370           make_one_attr(modlist,"pgpKeyID",&tok[8]);
371         }
372       else
373         return;
374
375       /* The primary pubkey algo */
376       if((tok=strsep(&line,":"))==NULL)
377         return;
378
379       switch(atoi(tok))
380         {
381         case 1:
382           make_one_attr(modlist,"pgpKeyType","RSA");
383           break;
384
385         case 17:
386           make_one_attr(modlist,"pgpKeyType","DSS/DH");
387           break;
388         }
389
390       /* Size of primary key */
391       if((tok=strsep(&line,":"))==NULL)
392         return;
393
394       if(atoi(tok)>0)
395         {
396           char padded[6];
397           int val=atoi(tok);
398
399           /* We zero pad this on the left to make PGP happy. */
400
401           if(val<99999 && val>0)
402             {
403               sprintf(padded,"%05u",atoi(tok));
404               make_one_attr(modlist,"pgpKeySize",padded);
405             }
406         }
407
408       /* pk timestamp */
409       if((tok=strsep(&line,":"))==NULL)
410         return;
411
412       if(atoi(tok)>0)
413         {
414           char *stamp=epoch2ldaptime(atoi(tok));
415           if(stamp)
416             {
417               make_one_attr(modlist,"pgpKeyCreateTime",stamp);
418               free(stamp);
419             }
420         }
421
422       /* pk expire */
423       if((tok=strsep(&line,":"))==NULL)
424         return;
425
426       if(atoi(tok)>0)
427         {
428           char *stamp=epoch2ldaptime(atoi(tok));
429           if(stamp)
430             {
431               make_one_attr(modlist,"pgpKeyExpireTime",stamp);
432               free(stamp);
433             }
434         }
435
436       /* flags */
437       if((tok=strsep(&line,":"))==NULL)
438         return;
439
440       while(*tok)
441         switch(*tok++)
442           {
443           case 'r':
444           case 'R':
445             revoked=1;
446             break;
447             
448           case 'd':
449           case 'D':
450             disabled=1;
451             break;
452           }
453
454       /*
455         Note that we always create the pgpDisabled and pgpRevoked
456         attributes, regardless of whether the key is disabled/revoked
457         or not.  This is because a very common search is like
458         "(&(pgpUserID=*isabella*)(pgpDisabled=0))"
459       */
460
461       make_one_attr(modlist,"pgpDisabled",disabled?"1":"0");
462       make_one_attr(modlist,"pgpRevoked",revoked?"1":"0");
463     }
464   else if(ascii_strcasecmp("sub",record)==0)
465     {
466       char *tok;
467
468       /* The long keyid */
469       if((tok=strsep(&line,":"))==NULL)
470         return;
471
472       if(strlen(tok)==16)
473         make_one_attr(modlist,"pgpSubKeyID",tok);
474       else
475         return;
476
477       /* The subkey algo */
478       if((tok=strsep(&line,":"))==NULL)
479         return;
480
481       /* Size of subkey */
482       if((tok=strsep(&line,":"))==NULL)
483         return;
484
485       if(atoi(tok)>0)
486         {
487           char padded[6];
488           int val=atoi(tok);
489
490           /* We zero pad this on the left to make PGP happy. */
491
492           if(val<99999 && val>0)
493             {
494               sprintf(padded,"%05u",atoi(tok));
495               make_one_attr(modlist,"pgpKeySize",padded);
496             }
497         }
498
499       /* Ignore the rest of the items for subkeys since the LDAP
500          schema doesn't store them. */
501     }
502   else if(ascii_strcasecmp("uid",record)==0)
503     {
504       char *userid,*tok;
505
506       /* The user ID string */
507       if((tok=strsep(&line,":"))==NULL)
508         return;
509
510       if(strlen(tok)==0)
511         return;
512
513       userid=tok;
514
515       /* By definition, de-%-encoding is always smaller than the
516          original string so we can decode in place. */
517
518       i=0;
519
520       while(*tok)
521         if(tok[0]=='%' && tok[1] && tok[2])
522           {
523             if((userid[i]=hextobyte(&tok[1]))==-1)
524               userid[i]='?';
525
526             i++;
527             tok+=3;
528           }
529         else
530           userid[i++]=*tok++;
531
532       userid[i]='\0';
533
534       /* We don't care about the other info provided in the uid: line
535          since the LDAP schema doesn't need it. */
536
537       make_one_attr(modlist,"pgpUserID",userid);
538     }
539   else if(ascii_strcasecmp("sig",record)==0)
540     {
541       char *tok;
542
543       if((tok=strsep(&line,":"))==NULL)
544         return;
545
546       if(strlen(tok)==16)
547         make_one_attr(modlist,"pgpSignerID",tok);
548     }
549 }
550
551 static void
552 free_mod_values(LDAPMod *mod)
553 {
554   char **ptr;
555
556   if(!mod->mod_values)
557     return;
558
559   for(ptr=mod->mod_values;*ptr;ptr++)
560     free(*ptr);
561
562   free(mod->mod_values);
563 }
564
565 static int
566 send_key(int *eof)
567 {
568   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
569   char *dn=NULL,line[MAX_LINE],*key=NULL;
570   char keyid[17],state[6];
571   LDAPMod **modlist,**addlist,**ml;
572
573   modlist=malloc(sizeof(LDAPMod *));
574   if(!modlist)
575     {
576       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
577       ret=KEYSERVER_NO_MEMORY;
578       goto fail;
579     }
580
581   *modlist=NULL;
582
583   addlist=malloc(sizeof(LDAPMod *));
584   if(!addlist)
585     {
586       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
587       ret=KEYSERVER_NO_MEMORY;
588       goto fail;
589     }
590
591   *addlist=NULL;
592
593   /* Start by nulling out all attributes.  We try and do a modify
594      operation first, so this ensures that we don't leave old
595      attributes lying around. */
596   make_one_attr(&modlist,"pgpDisabled",NULL);
597   make_one_attr(&modlist,"pgpKeyID",NULL);
598   make_one_attr(&modlist,"pgpKeyType",NULL);
599   make_one_attr(&modlist,"pgpUserID",NULL);
600   make_one_attr(&modlist,"pgpKeyCreateTime",NULL);
601   make_one_attr(&modlist,"pgpSignerID",NULL);
602   make_one_attr(&modlist,"pgpRevoked",NULL);
603   make_one_attr(&modlist,"pgpSubKeyID",NULL);
604   make_one_attr(&modlist,"pgpKeySize",NULL);
605   make_one_attr(&modlist,"pgpKeyExpireTime",NULL);
606   make_one_attr(&modlist,"pgpCertID",NULL);
607
608   /* Assemble the INFO stuff into LDAP attributes */
609
610   while(fgets(line,MAX_LINE,input)!=NULL)
611     if(sscanf(line,"INFO%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
612        && strcmp(state,"BEGIN")==0)
613       {
614         begin=1;
615         break;
616       }
617
618   if(!begin)
619     {
620       /* i.e. eof before the INFO BEGIN was found.  This isn't an
621          error. */
622       *eof=1;
623       ret=KEYSERVER_OK;
624       goto fail;
625     }
626
627   if(strlen(keyid)!=16)
628     {
629       *eof=1;
630       ret=KEYSERVER_KEY_INCOMPLETE;
631       goto fail;
632     }
633
634   dn=malloc(strlen("pgpCertID=")+16+1+strlen(basekeyspacedn)+1);
635   if(dn==NULL)
636     {
637       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
638       ret=KEYSERVER_NO_MEMORY;
639       goto fail;
640     }
641
642   sprintf(dn,"pgpCertID=%s,%s",keyid,basekeyspacedn);
643
644   key=malloc(1);
645   if(!key)
646     {
647       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
648       ret=KEYSERVER_NO_MEMORY;
649       goto fail;
650     }
651
652   key[0]='\0';
653
654   /* Now parse each line until we see the END */
655
656   while(fgets(line,MAX_LINE,input)!=NULL)
657     if(sscanf(line,"INFO%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
658        && strcmp(state,"END")==0)
659       {
660         end=1;
661         break;
662       }
663     else
664       build_attrs(&addlist,line);
665
666   if(!end)
667     {
668       fprintf(console,"gpgkeys: no INFO %s END found\n",keyid);
669       *eof=1;
670       ret=KEYSERVER_KEY_INCOMPLETE;
671       goto fail;
672     }
673
674   begin=end=0;
675
676   /* Read and throw away stdin until we see the BEGIN */
677
678   while(fgets(line,MAX_LINE,input)!=NULL)
679     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
680        && strcmp(state,"BEGIN")==0)
681       {
682         begin=1;
683         break;
684       }
685
686   if(!begin)
687     {
688       /* i.e. eof before the KEY BEGIN was found.  This isn't an
689          error. */
690       *eof=1;
691       ret=KEYSERVER_OK;
692       goto fail;
693     }
694
695   /* Now slurp up everything until we see the END */
696
697   while(fgets(line,MAX_LINE,input)!=NULL)
698     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
699        && strcmp(state,"END")==0)
700       {
701         end=1;
702         break;
703       }
704     else
705       {
706         char *tempkey;
707         keysize+=strlen(line);
708         tempkey=realloc(key,keysize);
709         if(tempkey==NULL)
710           {
711             fprintf(console,"gpgkeys: unable to reallocate for key\n");
712             ret=KEYSERVER_NO_MEMORY;
713             goto fail;
714           }
715         else
716           key=tempkey;
717
718         strcat(key,line);
719       }
720
721   if(!end)
722     {
723       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
724       *eof=1;
725       ret=KEYSERVER_KEY_INCOMPLETE;
726       goto fail;
727     }
728
729   make_one_attr(&addlist,"objectClass","pgpKeyInfo");
730   make_one_attr(&addlist,"pgpKey",key);
731
732   /* Now append addlist onto modlist */
733   if(!join_two_modlists(&modlist,addlist))
734     {
735       fprintf(console,"gpgkeys: unable to merge LDAP modification lists\n");
736       ret=KEYSERVER_NO_MEMORY;
737       goto fail;
738     }
739
740   /* Going on the assumption that modify operations are more frequent
741      than adds, we try a modify first.  If it's not there, we just
742      turn around and send an add command for the same key.  Otherwise,
743      the modify brings the server copy into compliance with our copy.
744      Note that unlike the LDAP keyserver (and really, any other
745      keyserver) this does NOT merge signatures, but replaces the whole
746      key.  This should make some people very happy. */
747
748   err=ldap_modify_s(ldap,dn,modlist);
749   if(err==LDAP_NO_SUCH_OBJECT)
750     err=ldap_add_s(ldap,dn,addlist);
751
752   if(err!=LDAP_SUCCESS)
753     {
754       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
755               keyid,ldap_err2string(err));
756       ret=ldap_err_to_gpg_err(err);
757       goto fail;
758     }
759
760   ret=KEYSERVER_OK;
761
762  fail:
763   /* Unwind and free the whole modlist structure */
764   for(ml=modlist;*ml;ml++)
765     {
766       free_mod_values(*ml);
767       free(*ml);
768     }
769
770   free(modlist);
771   free(addlist);
772   free(dn);
773
774   if(ret!=0 && begin)
775     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
776
777   return ret;
778 }
779
780 static int
781 send_key_keyserver(int *eof)
782 {
783   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
784   char *dn=NULL,line[MAX_LINE],*key[2]={NULL,NULL};
785   char keyid[17],state[6];
786   LDAPMod mod, *attrs[2];
787
788   memset(&mod,0,sizeof(mod));
789   mod.mod_op=LDAP_MOD_ADD;
790   mod.mod_type=pgpkeystr;
791   mod.mod_values=key;
792   attrs[0]=&mod;
793   attrs[1]=NULL;
794
795   dn=malloc(strlen("pgpCertid=virtual,")+strlen(basekeyspacedn)+1);
796   if(dn==NULL)
797     {
798       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
799       ret=KEYSERVER_NO_MEMORY;
800       goto fail;
801     }
802
803   strcpy(dn,"pgpCertid=virtual,");
804   strcat(dn,basekeyspacedn);
805
806   key[0]=malloc(1);
807   if(key[0]==NULL)
808     {
809       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
810       ret=KEYSERVER_NO_MEMORY;
811       goto fail;
812     }
813
814   key[0][0]='\0';
815
816   /* Read and throw away stdin until we see the BEGIN */
817
818   while(fgets(line,MAX_LINE,input)!=NULL)
819     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
820        && strcmp(state,"BEGIN")==0)
821       {
822         begin=1;
823         break;
824       }
825
826   if(!begin)
827     {
828       /* i.e. eof before the KEY BEGIN was found.  This isn't an
829          error. */
830       *eof=1;
831       ret=KEYSERVER_OK;
832       goto fail;
833     }
834
835   /* Now slurp up everything until we see the END */
836
837   while(fgets(line,MAX_LINE,input)!=NULL)
838     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
839        && strcmp(state,"END")==0)
840       {
841         end=1;
842         break;
843       }
844     else
845       {
846         keysize+=strlen(line);
847         key[0]=realloc(key[0],keysize);
848         if(key[0]==NULL)
849           {
850             fprintf(console,"gpgkeys: unable to reallocate for key\n");
851             ret=KEYSERVER_NO_MEMORY;
852             goto fail;
853           }
854
855         strcat(key[0],line);
856       }
857
858   if(!end)
859     {
860       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
861       *eof=1;
862       ret=KEYSERVER_KEY_INCOMPLETE;
863       goto fail;
864     }
865
866   err=ldap_add_s(ldap,dn,attrs);
867   if(err!=LDAP_SUCCESS)
868     {
869       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
870               keyid,ldap_err2string(err));
871       ret=ldap_err_to_gpg_err(err);
872       goto fail;
873     }
874
875   ret=KEYSERVER_OK;
876
877  fail:
878
879   free(key[0]);
880   free(dn);
881
882   if(ret!=0 && begin)
883     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
884
885   /* Not a fatal error */
886   if(ret==KEYSERVER_KEY_EXISTS)
887     ret=KEYSERVER_OK;
888
889   return ret;
890 }
891
892 static void
893 build_info(const char *certid,LDAPMessage *each)
894 {
895   char **vals;
896
897   fprintf(output,"INFO %s BEGIN\n",certid);
898
899   fprintf(output,"pub:%s:",certid);
900
901   vals=ldap_get_values(ldap,each,"pgpkeytype");
902   if(vals!=NULL)
903     {
904       if(strcmp(vals[0],"RSA")==0)
905         fprintf(output,"1");
906       else if(strcmp(vals[0],"DSS/DH")==0)
907         fprintf(output,"17");
908       ldap_value_free(vals);
909     }
910
911   fprintf(output,":");
912
913   vals=ldap_get_values(ldap,each,"pgpkeysize");
914   if(vals!=NULL)
915     {
916       if(atoi(vals[0])>0)
917         fprintf(output,"%d",atoi(vals[0]));
918       ldap_value_free(vals);
919     }
920
921   fprintf(output,":");
922
923   vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
924   if(vals!=NULL)
925     {
926       if(strlen(vals[0])==15)
927         fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
928       ldap_value_free(vals);
929     }
930
931   fprintf(output,":");
932
933   vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
934   if(vals!=NULL)
935     {
936       if(strlen(vals[0])==15)
937         fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
938       ldap_value_free(vals);
939     }
940
941   fprintf(output,":");
942
943   vals=ldap_get_values(ldap,each,"pgprevoked");
944   if(vals!=NULL)
945     {
946       if(atoi(vals[0])==1)
947         fprintf(output,"r");
948       ldap_value_free(vals);
949     }
950
951   fprintf(output,"\n");
952
953   vals=ldap_get_values(ldap,each,"pgpuserid");
954   if(vals!=NULL)
955     {
956       int i;
957
958       for(i=0;vals[i];i++)
959         fprintf(output,"uid:%s\n",vals[i]);
960       ldap_value_free(vals);
961     }
962
963   fprintf(output,"INFO %s END\n",certid);
964 }
965
966 /* Note that key-not-found is not a fatal error */
967 static int
968 get_key(char *getkey)
969 {
970   LDAPMessage *res,*each;
971   int ret=KEYSERVER_INTERNAL_ERROR,err,count;
972   struct keylist *dupelist=NULL;
973   char search[62];
974   /* This ordering is significant - specifically, "pgpcertid" needs to
975      be the second item in the list, since everything after it may be
976      discarded if the user isn't in verbose mode. */
977   char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
978                  "pgpdisabled","pgpkeycreatetime","modifytimestamp",
979                  "pgpkeysize","pgpkeytype",NULL};
980   attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
981                          array initializers. */
982
983   /* Build the search string */
984
985   /* GPG can send us a v4 fingerprint, a v3 or v4 long key id, or a v3
986      or v4 short key id */
987
988   if(strncmp(getkey,"0x",2)==0)
989     getkey+=2;
990
991   if(strlen(getkey)==32)
992     {
993       fprintf(console,
994               "gpgkeys: LDAP keyservers do not support v3 fingerprints\n");
995       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
996       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED);
997       return KEYSERVER_NOT_SUPPORTED;
998     }
999
1000   if(strlen(getkey)>16)
1001     {
1002       char *offset=&getkey[strlen(getkey)-16];
1003
1004       /* fingerprint.  Take the last 16 characters and treat it like a
1005          long key id */
1006
1007       if(opt->flags.include_subkeys)
1008         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1009                 offset,offset);
1010       else
1011         sprintf(search,"(pgpcertid=%.16s)",offset);
1012     }
1013   else if(strlen(getkey)>8)
1014     {
1015       /* long key id */
1016
1017       if(opt->flags.include_subkeys)
1018         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1019                 getkey,getkey);
1020       else
1021         sprintf(search,"(pgpcertid=%.16s)",getkey);
1022     }
1023   else
1024     {
1025       /* short key id */
1026     
1027       sprintf(search,"(pgpkeyid=%.8s)",getkey);
1028     }
1029
1030   if(opt->verbose>2)
1031     fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1032
1033   if(!opt->verbose)
1034     attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1035
1036   err=ldap_search_s(ldap,basekeyspacedn,
1037                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1038   if(err!=0)
1039     {
1040       int errtag=ldap_err_to_gpg_err(err);
1041
1042       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1043       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1044       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1045       return errtag;
1046     }
1047
1048   count=ldap_count_entries(ldap,res);
1049   if(count<1)
1050     {
1051       fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1052       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1053       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1054     }
1055   else
1056     {
1057       /* There may be more than one unique result for a given keyID,
1058          so we should fetch them all (test this by fetching short key
1059          id 0xDEADBEEF). */
1060
1061       each=ldap_first_entry(ldap,res);
1062       while(each!=NULL)
1063         {
1064           char **vals,**certid;
1065
1066           /* Use the long keyid to remove duplicates.  The LDAP server
1067              returns the same keyid more than once if there are
1068              multiple user IDs on the key.  Note that this does NOT
1069              mean that a keyid that exists multiple times on the
1070              keyserver will not be fetched.  It means that each KEY,
1071              no matter how many user IDs share its keyid, will be
1072              fetched only once.  If a keyid that belongs to more than
1073              one key is fetched, the server quite properly responds
1074              with all matching keys. -ds */
1075
1076           certid=ldap_get_values(ldap,each,"pgpcertid");
1077           if(certid!=NULL)
1078             {
1079               if(!key_in_keylist(certid[0],dupelist))
1080                 {
1081                   /* it's not a duplicate, so add it */
1082
1083                   int rc=add_key_to_keylist(certid[0],&dupelist);
1084                   if(rc)
1085                     {
1086                       ret=rc;
1087                       goto fail;
1088                     }
1089
1090                   build_info(certid[0],each);
1091
1092                   fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1093
1094                   vals=ldap_get_values(ldap,each,pgpkeystr);
1095                   if(vals==NULL)
1096                     {
1097                       int errtag=ldap_to_gpg_err(ldap);
1098
1099                       fprintf(console,"gpgkeys: unable to retrieve key %s "
1100                               "from keyserver\n",getkey);
1101                       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1102                     }
1103                   else
1104                     {
1105                       print_nocr(output,vals[0]);
1106                       fprintf(output,"\nKEY 0x%s END\n",getkey);
1107
1108                       ldap_value_free(vals);
1109                     }
1110                 }
1111
1112               ldap_value_free(certid);
1113             }
1114
1115           each=ldap_next_entry(ldap,each);
1116         }
1117     }
1118
1119   ret=KEYSERVER_OK;
1120
1121  fail:
1122   ldap_msgfree(res);
1123   free_keylist(dupelist);
1124
1125   return ret;
1126 }
1127
1128 #define LDAP_ESCAPE_CHARS "*()\\"
1129
1130 /* Append string to buffer in a LDAP-quoted way */
1131 static void
1132 ldap_quote(char *buffer,const char *string)
1133 {
1134   /* Find the end of buffer */
1135   buffer+=strlen(buffer);
1136
1137   for(;*string;string++)
1138     {
1139       if(strchr(LDAP_ESCAPE_CHARS,*string))
1140         {
1141           sprintf(buffer,"\\%02X",*string);
1142           buffer+=3;
1143         }
1144       else
1145         *buffer++=*string;
1146     }
1147
1148   *buffer='\0';
1149 }
1150
1151 /* Note that key-not-found is not a fatal error */
1152 static int
1153 get_name(char *getkey)
1154 {
1155   LDAPMessage *res,*each;
1156   int ret=KEYSERVER_INTERNAL_ERROR,err,count;
1157   /* The maximum size of the search, including the optional stuff and
1158      the trailing \0 */
1159   char search[2+12+(MAX_LINE*3)+2+15+14+1+1+20];
1160   /* This ordering is significant - specifically, "pgpcertid" needs to
1161      be the second item in the list, since everything after it may be
1162      discarded if the user isn't in verbose mode. */
1163   char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
1164                  "pgpdisabled","pgpkeycreatetime","modifytimestamp",
1165                  "pgpkeysize","pgpkeytype",NULL};
1166   attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
1167                          array initializers. */
1168
1169   /* Build the search string */
1170
1171   search[0]='\0';
1172
1173   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1174     strcat(search,"(&");
1175
1176   strcat(search,"(pgpUserID=*");
1177   ldap_quote(search,getkey);
1178   strcat(search,"*)");
1179
1180   if(!opt->flags.include_disabled)
1181     strcat(search,"(pgpDisabled=0)");
1182
1183   if(!opt->flags.include_revoked)
1184     strcat(search,"(pgpRevoked=0)");
1185
1186   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1187     strcat(search,")");
1188
1189   if(opt->verbose>2)
1190     fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1191
1192   if(!opt->verbose)
1193     attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1194
1195   err=ldap_search_s(ldap,basekeyspacedn,
1196                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1197   if(err!=0)
1198     {
1199       int errtag=ldap_err_to_gpg_err(err);
1200
1201       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1202       fprintf(output,"NAME %s BEGIN\n",getkey);
1203       fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1204       return errtag;
1205     }
1206
1207   count=ldap_count_entries(ldap,res);
1208   if(count<1)
1209     {
1210       fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1211       fprintf(output,"NAME %s BEGIN\n",getkey);
1212       fprintf(output,"NAME %s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1213     }
1214   else
1215     {
1216       /* There may be more than one result, but we return them all. */
1217
1218       each=ldap_first_entry(ldap,res);
1219       while(each!=NULL)
1220         {
1221           char **vals,**certid;
1222
1223           certid=ldap_get_values(ldap,each,"pgpcertid");
1224           if(certid!=NULL)
1225             {
1226               build_info(certid[0],each);
1227
1228               fprintf(output,"NAME %s BEGIN\n",getkey);
1229
1230               vals=ldap_get_values(ldap,each,pgpkeystr);
1231               if(vals==NULL)
1232                 {
1233                   int errtag=ldap_to_gpg_err(ldap);
1234
1235                   fprintf(console,"gpgkeys: unable to retrieve key %s "
1236                           "from keyserver\n",getkey);
1237                   fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1238                 }
1239               else
1240                 {
1241                   print_nocr(output,vals[0]);
1242                   fprintf(output,"\nNAME %s END\n",getkey);
1243
1244                   ldap_value_free(vals);
1245                 }
1246
1247               ldap_value_free(certid);
1248             }
1249
1250           each=ldap_next_entry(ldap,each);
1251         }
1252     }
1253
1254   ret=KEYSERVER_OK;
1255
1256   ldap_msgfree(res);
1257
1258   return ret;
1259 }
1260
1261 static void
1262 printquoted(FILE *stream,char *string,char delim)
1263 {
1264   while(*string)
1265     {
1266       if(*string==delim || *string=='%')
1267         fprintf(stream,"%%%02x",(unsigned char)*string);
1268       else
1269         fputc(*string,stream);
1270
1271       string++;
1272     }
1273 }
1274
1275 /* Returns 0 on success and -1 on error.  Note that key-not-found is
1276    not an error! */
1277 static int
1278 search_key(const char *searchkey)
1279 {
1280   char **vals;
1281   LDAPMessage *res,*each;
1282   int err,count=0;
1283   struct keylist *dupelist=NULL;
1284   /* The maximum size of the search, including the optional stuff and
1285      the trailing \0 */
1286   char search[2+1+9+1+3+(MAX_LINE*3)+3+1+15+14+1+1+20];
1287   char *attrs[]={"pgpcertid","pgpuserid","pgprevoked","pgpdisabled",
1288                  "pgpkeycreatetime","pgpkeyexpiretime","modifytimestamp",
1289                  "pgpkeysize","pgpkeytype",NULL};
1290   enum ks_search_type search_type;
1291
1292   fprintf(output,"SEARCH %s BEGIN\n",searchkey);
1293
1294   search_type=classify_ks_search(&searchkey);
1295
1296   if(opt->debug)
1297     fprintf(console,"search type is %d, and key is \"%s\"\n",
1298             search_type,searchkey);
1299
1300   /* Build the search string */
1301
1302   search[0]='\0';
1303
1304   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1305     strcat(search,"(&");
1306
1307   strcat(search,"(");
1308
1309   switch(search_type)
1310     {
1311     case KS_SEARCH_KEYID_SHORT:
1312       strcat(search,"pgpKeyID");
1313       break;
1314
1315     case KS_SEARCH_KEYID_LONG:
1316       strcat(search,"pgpCertID");
1317       break;
1318
1319     default:
1320       strcat(search,"pgpUserID");
1321       break;
1322     }
1323
1324   strcat(search,"=");
1325
1326   switch(search_type)
1327     {
1328     case KS_SEARCH_SUBSTR:
1329       strcat(search,"*");
1330       break;
1331
1332     case KS_SEARCH_MAIL:
1333       strcat(search,"*<");
1334       break;
1335
1336     case KS_SEARCH_MAILSUB:
1337       strcat(search,"*<*");
1338       break;
1339
1340     case KS_SEARCH_EXACT:
1341     case KS_SEARCH_KEYID_LONG:
1342     case KS_SEARCH_KEYID_SHORT:
1343       break;
1344     }
1345
1346   ldap_quote(search,searchkey);
1347
1348   switch(search_type)
1349     {
1350     case KS_SEARCH_SUBSTR:
1351       strcat(search,"*");
1352       break;
1353
1354     case KS_SEARCH_MAIL:
1355       strcat(search,">*");
1356       break;
1357
1358     case KS_SEARCH_MAILSUB:
1359       strcat(search,"*>*");
1360       break;
1361
1362     case KS_SEARCH_EXACT:
1363     case KS_SEARCH_KEYID_LONG:
1364     case KS_SEARCH_KEYID_SHORT:
1365       break;
1366     }
1367
1368   strcat(search,")");
1369
1370   if(!opt->flags.include_disabled)
1371     strcat(search,"(pgpDisabled=0)");
1372
1373   if(!opt->flags.include_revoked)
1374     strcat(search,"(pgpRevoked=0)");
1375
1376   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1377     strcat(search,")");
1378
1379   if(opt->verbose>2)
1380     fprintf(console,"gpgkeys: LDAP search for: %s\n",search);
1381
1382   err=ldap_search_s(ldap,basekeyspacedn,
1383                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1384   if(err!=LDAP_SUCCESS && err!=LDAP_SIZELIMIT_EXCEEDED)
1385     {
1386       int errtag=ldap_err_to_gpg_err(err);
1387
1388       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,errtag);
1389       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1390       return errtag;
1391     }
1392
1393   /* The LDAP server doesn't return a real count of unique keys, so we
1394      can't use ldap_count_entries here. */
1395   each=ldap_first_entry(ldap,res);
1396   while(each!=NULL)
1397     {
1398       char **certid=ldap_get_values(ldap,each,"pgpcertid");
1399
1400       if(certid!=NULL)
1401         {
1402           if(!key_in_keylist(certid[0],dupelist))
1403             {
1404               int rc=add_key_to_keylist(certid[0],&dupelist);
1405               if(rc!=0)
1406                 {
1407                   fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1408                   free_keylist(dupelist);
1409                   return rc;
1410                 }
1411
1412               count++;
1413             }
1414         }
1415
1416       each=ldap_next_entry(ldap,each);
1417     }
1418
1419   if(err==LDAP_SIZELIMIT_EXCEEDED)
1420     {
1421       if(count==1)
1422         fprintf(console,"gpgkeys: search results exceeded server limit."
1423                 "  First %d result shown.\n",count);
1424       else
1425         fprintf(console,"gpgkeys: search results exceeded server limit."
1426                 "  First %d results shown.\n",count);
1427     }
1428
1429   free_keylist(dupelist);
1430   dupelist=NULL;
1431
1432   if(count<1)
1433     fprintf(output,"info:1:0\n");
1434   else
1435     {
1436       fprintf(output,"info:1:%d\n",count);
1437
1438       each=ldap_first_entry(ldap,res);
1439       while(each!=NULL)
1440         {
1441           char **certid;
1442
1443           certid=ldap_get_values(ldap,each,"pgpcertid");
1444           if(certid!=NULL)
1445             {
1446               LDAPMessage *uids;
1447
1448               /* Have we seen this certid before? */
1449               if(!key_in_keylist(certid[0],dupelist))
1450                 {
1451                   int rc=add_key_to_keylist(certid[0],&dupelist);
1452                   if(rc)
1453                     {
1454                       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1455                       free_keylist(dupelist);
1456                       ldap_value_free(certid);
1457                       ldap_msgfree(res);
1458                       return rc;
1459                     }
1460
1461                   fprintf(output,"pub:%s:",certid[0]);
1462
1463                   vals=ldap_get_values(ldap,each,"pgpkeytype");
1464                   if(vals!=NULL)
1465                     {
1466                       /* The LDAP server doesn't exactly handle this
1467                          well. */
1468                       if(strcasecmp(vals[0],"RSA")==0)
1469                         fprintf(output,"1");
1470                       else if(strcasecmp(vals[0],"DSS/DH")==0)
1471                         fprintf(output,"17");
1472                       ldap_value_free(vals);
1473                     }
1474
1475                   fputc(':',output);
1476
1477                   vals=ldap_get_values(ldap,each,"pgpkeysize");
1478                   if(vals!=NULL)
1479                     {
1480                       /* Not sure why, but some keys are listed with a
1481                          key size of 0.  Treat that like an
1482                          unknown. */
1483                       if(atoi(vals[0])>0)
1484                         fprintf(output,"%d",atoi(vals[0]));
1485                       ldap_value_free(vals);
1486                     }
1487
1488                   fputc(':',output);
1489
1490                   /* YYYYMMDDHHmmssZ */
1491
1492                   vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
1493                   if(vals!=NULL && strlen(vals[0])==15)
1494                     {
1495                       fprintf(output,"%u",
1496                               (unsigned int)ldap2epochtime(vals[0]));
1497                       ldap_value_free(vals);
1498                     }
1499
1500                   fputc(':',output);
1501
1502                   vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
1503                   if(vals!=NULL && strlen(vals[0])==15)
1504                     {
1505                       fprintf(output,"%u",
1506                               (unsigned int)ldap2epochtime(vals[0]));
1507                       ldap_value_free(vals);
1508                     }
1509
1510                   fputc(':',output);
1511
1512                   vals=ldap_get_values(ldap,each,"pgprevoked");
1513                   if(vals!=NULL)
1514                     {
1515                       if(atoi(vals[0])==1)
1516                         fprintf(output,"r");
1517                       ldap_value_free(vals);
1518                     }
1519
1520                   vals=ldap_get_values(ldap,each,"pgpdisabled");
1521                   if(vals!=NULL)
1522                     {
1523                       if(atoi(vals[0])==1)
1524                         fprintf(output,"d");
1525                       ldap_value_free(vals);
1526                     }
1527
1528 #if 0
1529                   /* This is not yet specified in the keyserver
1530                      protocol, but may be someday. */
1531                   fputc(':',output);
1532
1533                   vals=ldap_get_values(ldap,each,"modifytimestamp");
1534                   if(vals!=NULL && strlen(vals[0])==15)
1535                     {
1536                       fprintf(output,"%u",
1537                               (unsigned int)ldap2epochtime(vals[0]));
1538                       ldap_value_free(vals);
1539                     }
1540 #endif
1541
1542                   fprintf(output,"\n");
1543
1544                   /* Now print all the uids that have this certid */
1545                   uids=ldap_first_entry(ldap,res);
1546                   while(uids!=NULL)
1547                     {
1548                       vals=ldap_get_values(ldap,uids,"pgpcertid");
1549                       if(vals!=NULL)
1550                         {
1551                           if(strcasecmp(certid[0],vals[0])==0)
1552                             {
1553                               char **uidvals;
1554
1555                               fprintf(output,"uid:");
1556
1557                               uidvals=ldap_get_values(ldap,uids,"pgpuserid");
1558                               if(uidvals!=NULL)
1559                                 {
1560                                   /* Need to escape any colons */
1561                                   printquoted(output,uidvals[0],':');
1562                                   ldap_value_free(uidvals);
1563                                 }
1564
1565                               fprintf(output,"\n");
1566                             }
1567
1568                           ldap_value_free(vals);
1569                         }
1570
1571                       uids=ldap_next_entry(ldap,uids);
1572                     }
1573                 }
1574
1575               ldap_value_free(certid);
1576             }
1577
1578           each=ldap_next_entry(ldap,each);
1579         }
1580     }
1581
1582   ldap_msgfree(res);
1583   free_keylist(dupelist);
1584
1585   fprintf(output,"SEARCH %s END\n",searchkey);
1586
1587   return KEYSERVER_OK;
1588 }
1589
1590 static void
1591 fail_all(struct keylist *keylist,int err)
1592 {
1593   if(!keylist)
1594     return;
1595
1596   if(opt->action==KS_SEARCH)
1597     {
1598       fprintf(output,"SEARCH ");
1599       while(keylist)
1600         {
1601           fprintf(output,"%s ",keylist->str);
1602           keylist=keylist->next;
1603         }
1604       fprintf(output,"FAILED %d\n",err);
1605     }
1606   else
1607     while(keylist)
1608       {
1609         fprintf(output,"KEY %s FAILED %d\n",keylist->str,err);
1610         keylist=keylist->next;
1611       }
1612 }
1613
1614 static int
1615 find_basekeyspacedn(void)
1616 {
1617   int err,i;
1618   char *attr[]={"namingContexts",NULL,NULL,NULL};
1619   LDAPMessage *res;
1620   char **context;
1621
1622   /* Look for namingContexts */
1623   err=ldap_search_s(ldap,"",LDAP_SCOPE_BASE,"(objectClass=*)",attr,0,&res);
1624   if(err==LDAP_SUCCESS)
1625     {
1626       context=ldap_get_values(ldap,res,"namingContexts");
1627       if(context)
1628         {
1629           attr[0]="pgpBaseKeySpaceDN";
1630           attr[1]="pgpVersion";
1631           attr[2]="pgpSoftware";
1632
1633           real_ldap=1;
1634
1635           /* We found some, so try each namingContext as the search base
1636              and look for pgpBaseKeySpaceDN.  Because we found this, we
1637              know we're talking to a regular-ish LDAP server and not a
1638              LDAP keyserver. */
1639
1640           for(i=0;context[i] && !basekeyspacedn;i++)
1641             {
1642               char **vals;
1643               LDAPMessage *si_res;
1644               char *object;
1645
1646               object=malloc(17+strlen(context[i])+1);
1647               if(!object)
1648                 return -1;
1649
1650               strcpy(object,"cn=pgpServerInfo,");
1651               strcat(object,context[i]);
1652
1653               err=ldap_search_s(ldap,object,LDAP_SCOPE_BASE,
1654                                 "(objectClass=*)",attr,0,&si_res);
1655               free(object);
1656
1657               if(err==LDAP_NO_SUCH_OBJECT)
1658                 continue;
1659               else if(err!=LDAP_SUCCESS)
1660                 return err;
1661
1662               vals=ldap_get_values(ldap,si_res,"pgpBaseKeySpaceDN");
1663               if(vals)
1664                 {
1665                   basekeyspacedn=strdup(vals[0]);
1666                   ldap_value_free(vals);
1667                 }
1668
1669               if(opt->verbose>1)
1670                 {
1671                   vals=ldap_get_values(ldap,si_res,"pgpSoftware");
1672                   if(vals)
1673                     {
1674                       fprintf(console,"Server: \t%s\n",vals[0]);
1675                       ldap_value_free(vals);
1676                     }
1677
1678                   vals=ldap_get_values(ldap,si_res,"pgpVersion");
1679                   if(vals)
1680                     {
1681                       fprintf(console,"Version:\t%s\n",vals[0]);
1682                       ldap_value_free(vals);
1683                     }
1684                 }
1685
1686               ldap_msgfree(si_res);
1687             }
1688
1689           ldap_value_free(context);
1690         }
1691
1692       ldap_msgfree(res);
1693     }
1694   else
1695     {
1696       /* We don't have an answer yet, which means the server might be
1697          a LDAP keyserver. */
1698       char **vals;
1699       LDAPMessage *si_res;
1700
1701       attr[0]="pgpBaseKeySpaceDN";
1702       attr[1]="version";
1703       attr[2]="software";
1704
1705       err=ldap_search_s(ldap,"cn=pgpServerInfo",LDAP_SCOPE_BASE,
1706                         "(objectClass=*)",attr,0,&si_res);
1707       if(err!=LDAP_SUCCESS)
1708         return err;
1709
1710       /* For the LDAP keyserver, this is always "OU=ACTIVE,O=PGP
1711          KEYSPACE,C=US", but it might not be in the future. */
1712
1713       vals=ldap_get_values(ldap,si_res,"baseKeySpaceDN");
1714       if(vals)
1715         {
1716           basekeyspacedn=strdup(vals[0]);
1717           ldap_value_free(vals);
1718         }
1719
1720       if(opt->verbose>1)
1721         {
1722           vals=ldap_get_values(ldap,si_res,"software");
1723           if(vals)
1724             {
1725               fprintf(console,"Server: \t%s\n",vals[0]);
1726               ldap_value_free(vals);
1727             }
1728         }
1729
1730       vals=ldap_get_values(ldap,si_res,"version");
1731       if(vals)
1732         {
1733           if(opt->verbose>1)
1734             fprintf(console,"Version:\t%s\n",vals[0]);
1735
1736           /* If the version is high enough, use the new pgpKeyV2
1737              attribute.  This design if iffy at best, but it matches how
1738              PGP does it.  I figure the NAI folks assumed that there would
1739              never be a LDAP keyserver vendor with a different numbering
1740              scheme. */
1741           if(atoi(vals[0])>1)
1742             pgpkeystr="pgpKeyV2";
1743
1744           ldap_value_free(vals);
1745         }
1746
1747       ldap_msgfree(si_res);
1748     }   
1749
1750   return LDAP_SUCCESS;
1751 }
1752
1753 static void 
1754 show_help (FILE *fp)
1755 {
1756   fprintf (fp,"-h\thelp\n");
1757   fprintf (fp,"-V\tversion\n");
1758   fprintf (fp,"-o\toutput to this file\n");
1759 }
1760
1761 int
1762 main(int argc,char *argv[])
1763 {
1764   int port=0,arg,err,ret=KEYSERVER_INTERNAL_ERROR;
1765   char line[MAX_LINE],*binddn=NULL,*bindpw=NULL;
1766   int failed=0,use_ssl=0,use_tls=0,bound=0;
1767   struct keylist *keylist=NULL,*keyptr=NULL;
1768
1769   console=stderr;
1770
1771   /* Kludge to implement standard GNU options.  */
1772   if (argc > 1 && !strcmp (argv[1], "--version"))
1773     {
1774       fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout);
1775       return 0;
1776     }
1777   else if (argc > 1 && !strcmp (argv[1], "--help"))
1778     {
1779       show_help (stdout);
1780       return 0;
1781     }
1782
1783   while((arg=getopt(argc,argv,"hVo:"))!=-1)
1784     switch(arg)
1785       {
1786       default:
1787       case 'h':
1788         show_help (console);
1789         return KEYSERVER_OK;
1790
1791       case 'V':
1792         fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION);
1793         return KEYSERVER_OK;
1794
1795       case 'o':
1796         output=fopen(optarg,"w");
1797         if(output==NULL)
1798           {
1799             fprintf(console,"gpgkeys: Cannot open output file `%s': %s\n",
1800                     optarg,strerror(errno));
1801             return KEYSERVER_INTERNAL_ERROR;
1802           }
1803
1804         break;
1805       }
1806
1807   if(argc>optind)
1808     {
1809       input=fopen(argv[optind],"r");
1810       if(input==NULL)
1811         {
1812           fprintf(console,"gpgkeys: Cannot open input file `%s': %s\n",
1813                   argv[optind],strerror(errno));
1814           return KEYSERVER_INTERNAL_ERROR;
1815         }
1816     }
1817
1818   if(input==NULL)
1819     input=stdin;
1820
1821   if(output==NULL)
1822     output=stdout;
1823
1824   opt=init_ks_options();
1825   if(!opt)
1826     return KEYSERVER_NO_MEMORY;
1827
1828   /* Get the command and info block */
1829
1830   while(fgets(line,MAX_LINE,input)!=NULL)
1831     {
1832       char optionstr[MAX_OPTION+1];
1833
1834       if(line[0]=='\n')
1835         break;
1836
1837       err=parse_ks_options(line,opt);
1838       if(err>0)
1839         {
1840           ret=err;
1841           goto fail;
1842         }
1843       else if(err==0)
1844         continue;
1845
1846       if(sscanf(line,"OPTION %" MKSTRING(MAX_OPTION) "[^\n]\n",optionstr)==1)
1847         {
1848           int no=0;
1849           char *start=&optionstr[0];
1850
1851           optionstr[MAX_OPTION]='\0';
1852
1853           if(strncasecmp(optionstr,"no-",3)==0)
1854             {
1855               no=1;
1856               start=&optionstr[3];
1857             }
1858
1859           if(strncasecmp(start,"tls",3)==0)
1860             {
1861               if(no)
1862                 use_tls=0;
1863               else if(start[3]=='=')
1864                 {
1865                   if(strcasecmp(&start[4],"no")==0)
1866                     use_tls=0;
1867                   else if(strcasecmp(&start[4],"try")==0)
1868                     use_tls=1;
1869                   else if(strcasecmp(&start[4],"warn")==0)
1870                     use_tls=2;
1871                   else if(strcasecmp(&start[4],"require")==0)
1872                     use_tls=3;
1873                   else
1874                     use_tls=1;
1875                 }
1876               else if(start[3]=='\0')
1877                 use_tls=1;
1878             }
1879           else if(strncasecmp(start,"basedn",6)==0)
1880             {
1881               if(no)
1882                 {
1883                   free(basekeyspacedn);
1884                   basekeyspacedn=NULL;
1885                 }
1886               else if(start[6]=='=')
1887                 {
1888                   free(basekeyspacedn);
1889                   basekeyspacedn=strdup(&start[7]);
1890                   if(!basekeyspacedn)
1891                     {
1892                       fprintf(console,"gpgkeys: out of memory while creating "
1893                               "base DN\n");
1894                       ret=KEYSERVER_NO_MEMORY;
1895                       goto fail;
1896                     }
1897
1898                   real_ldap=1;
1899                 }
1900             }
1901           else if(strncasecmp(start,"binddn",6)==0)
1902             {
1903               if(no)
1904                 {
1905                   free(binddn);
1906                   binddn=NULL;
1907                 }
1908               else if(start[6]=='=')
1909                 {
1910                   free(binddn);
1911                   binddn=strdup(&start[7]);
1912                   if(!binddn)
1913                     {
1914                       fprintf(console,"gpgkeys: out of memory while creating "
1915                               "bind DN\n");
1916                       ret=KEYSERVER_NO_MEMORY;
1917                       goto fail;
1918                     }
1919
1920                   real_ldap=1;
1921                 }
1922             }
1923           else if(strncasecmp(start,"bindpw",6)==0)
1924             {
1925               if(no)
1926                 {
1927                   free(bindpw);
1928                   bindpw=NULL;
1929                 }
1930               else if(start[6]=='=')
1931                 {
1932                   free(bindpw);
1933                   bindpw=strdup(&start[7]);
1934                   if(!bindpw)
1935                     {
1936                       fprintf(console,"gpgkeys: out of memory while creating "
1937                               "bind password\n");
1938                       ret=KEYSERVER_NO_MEMORY;
1939                       goto fail;
1940                     }
1941
1942                   real_ldap=1;
1943                 }
1944             }
1945
1946           continue;
1947         }
1948     }
1949
1950   if(!opt->scheme)
1951     {
1952       fprintf(console,"gpgkeys: no scheme supplied!\n");
1953       ret=KEYSERVER_SCHEME_NOT_FOUND;
1954       goto fail;
1955     }
1956
1957   if(strcasecmp(opt->scheme,"ldaps")==0)
1958     {
1959       port=636;
1960       use_ssl=1;
1961     }
1962
1963   if(opt->port)
1964     port=atoi(opt->port);
1965
1966   if(!opt->host)
1967     {
1968       fprintf(console,"gpgkeys: no keyserver host provided\n");
1969       goto fail;
1970     }
1971
1972   if(opt->timeout && register_timeout()==-1)
1973     {
1974       fprintf(console,"gpgkeys: unable to register timeout handler\n");
1975       return KEYSERVER_INTERNAL_ERROR;
1976     }
1977
1978 #if defined(LDAP_OPT_X_TLS_CACERTFILE) && defined(HAVE_LDAP_SET_OPTION)
1979
1980   if(opt->ca_cert_file)
1981     {
1982       err=ldap_set_option(NULL,LDAP_OPT_X_TLS_CACERTFILE,opt->ca_cert_file);
1983       if(err!=LDAP_SUCCESS)
1984         {
1985           fprintf(console,"gpgkeys: unable to set ca-cert-file: %s\n",
1986                   ldap_err2string(err));
1987           ret=KEYSERVER_INTERNAL_ERROR;
1988           goto fail;
1989         }
1990     }
1991 #endif /* LDAP_OPT_X_TLS_CACERTFILE && HAVE_LDAP_SET_OPTION */
1992
1993   /* SSL trumps TLS */
1994   if(use_ssl)
1995     use_tls=0;
1996
1997   /* If it's a GET or a SEARCH, the next thing to come in is the
1998      keyids.  If it's a SEND, then there are no keyids. */
1999
2000   if(opt->action==KS_SEND)
2001     while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n');
2002   else if(opt->action==KS_GET
2003           || opt->action==KS_GETNAME || opt->action==KS_SEARCH)
2004     {
2005       for(;;)
2006         {
2007           struct keylist *work;
2008
2009           if(fgets(line,MAX_LINE,input)==NULL)
2010             break;
2011           else
2012             {
2013               if(line[0]=='\n' || line[0]=='\0')
2014                 break;
2015
2016               work=malloc(sizeof(struct keylist));
2017               if(work==NULL)
2018                 {
2019                   fprintf(console,"gpgkeys: out of memory while "
2020                           "building key list\n");
2021                   ret=KEYSERVER_NO_MEMORY;
2022                   goto fail;
2023                 }
2024
2025               strcpy(work->str,line);
2026
2027               /* Trim the trailing \n */
2028               work->str[strlen(line)-1]='\0';
2029
2030               work->next=NULL;
2031
2032               /* Always attach at the end to keep the list in proper
2033                  order for searching */
2034               if(keylist==NULL)
2035                 keylist=work;
2036               else
2037                 keyptr->next=work;
2038
2039               keyptr=work;
2040             }
2041         }
2042     }
2043   else
2044     {
2045       fprintf(console,"gpgkeys: no keyserver command specified\n");
2046       goto fail;
2047     }
2048
2049   /* Send the response */
2050
2051   fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
2052   fprintf(output,"PROGRAM %s\n\n",VERSION);
2053
2054   if(opt->verbose>1)
2055     {
2056       fprintf(console,"Host:\t\t%s\n",opt->host);
2057       if(port)
2058         fprintf(console,"Port:\t\t%d\n",port);
2059       fprintf(console,"Command:\t%s\n",ks_action_to_string(opt->action));
2060     }
2061
2062   if(opt->debug)
2063     {
2064 #if defined(LDAP_OPT_DEBUG_LEVEL) && defined(HAVE_LDAP_SET_OPTION)
2065       err=ldap_set_option(NULL,LDAP_OPT_DEBUG_LEVEL,&opt->debug);
2066       if(err!=LDAP_SUCCESS)
2067         fprintf(console,"gpgkeys: unable to set debug mode: %s\n",
2068                 ldap_err2string(err));
2069       else
2070         fprintf(console,"gpgkeys: debug level %d\n",opt->debug);
2071 #else
2072       fprintf(console,"gpgkeys: not built with debugging support\n");
2073 #endif
2074     }
2075
2076   /* We have a timeout set for the setup stuff since it could time out
2077      as well. */
2078   set_timeout(opt->timeout);
2079
2080   /* Note that this tries all A records on a given host (or at least,
2081      OpenLDAP does). */
2082   ldap=ldap_init(opt->host,port);
2083   if(ldap==NULL)
2084     {
2085       fprintf(console,"gpgkeys: internal LDAP init error: %s\n",
2086               strerror(errno));
2087       fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2088       goto fail;
2089     }
2090
2091   if(use_ssl)
2092     {
2093 #if defined(LDAP_OPT_X_TLS) && defined(HAVE_LDAP_SET_OPTION)
2094       int ssl=LDAP_OPT_X_TLS_HARD;
2095
2096       err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
2097       if(err!=LDAP_SUCCESS)
2098         {
2099           fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2100                   ldap_err2string(err));
2101           fail_all(keylist,ldap_err_to_gpg_err(err));
2102           goto fail;
2103         }
2104
2105       if(!opt->flags.check_cert)
2106         ssl=LDAP_OPT_X_TLS_NEVER;
2107
2108       err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl);
2109       if(err!=LDAP_SUCCESS)
2110         {
2111           fprintf(console,
2112                   "gpgkeys: unable to set certificate validation: %s\n",
2113                   ldap_err2string(err));
2114           fail_all(keylist,ldap_err_to_gpg_err(err));
2115           goto fail;
2116         }
2117 #else
2118       fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2119               "not built with LDAPS support");
2120       fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2121       goto fail;
2122 #endif
2123     }
2124
2125   if(!basekeyspacedn)
2126     if((err=find_basekeyspacedn()) || !basekeyspacedn)
2127       {
2128         fprintf(console,"gpgkeys: unable to retrieve LDAP base: %s\n",
2129                 err?ldap_err2string(err):"not found");
2130         fail_all(keylist,ldap_err_to_gpg_err(err));
2131         goto fail;
2132       }
2133
2134   /* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
2135      3=force use. */
2136   if(use_tls)
2137     {
2138       if(!real_ldap)
2139         {
2140           if(use_tls>=2)
2141             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2142                     "not supported by the NAI LDAP keyserver");
2143           if(use_tls==3)
2144             {
2145               fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2146               goto fail;
2147             }
2148         }
2149       else
2150         {
2151 #if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
2152           int ver=LDAP_VERSION3;
2153
2154           err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2155
2156 #ifdef LDAP_OPT_X_TLS
2157           if(err==LDAP_SUCCESS)
2158             {
2159               if(opt->flags.check_cert)
2160                 ver=LDAP_OPT_X_TLS_HARD;
2161               else
2162                 ver=LDAP_OPT_X_TLS_NEVER;
2163
2164               err=ldap_set_option(ldap,LDAP_OPT_X_TLS_REQUIRE_CERT,&ver);
2165             }
2166 #endif
2167
2168           if(err==LDAP_SUCCESS)
2169             err=ldap_start_tls_s(ldap,NULL,NULL);
2170
2171           if(err!=LDAP_SUCCESS)
2172             {
2173               if(use_tls>=2 || opt->verbose>2)
2174                 fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2175                         ldap_err2string(err));
2176               /* Are we forcing it? */
2177               if(use_tls==3)
2178                 {
2179                   fail_all(keylist,ldap_err_to_gpg_err(err));
2180                   goto fail;
2181                 }
2182             }
2183           else if(opt->verbose>1)
2184             fprintf(console,"gpgkeys: TLS started successfully.\n");
2185 #else
2186           if(use_tls>=2)
2187             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2188                     "not built with TLS support");
2189           if(use_tls==3)
2190             {
2191               fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2192               goto fail;
2193             }
2194 #endif
2195         }
2196     }
2197
2198   /* By default we don't bind as there is usually no need to.  For
2199      cases where the server needs some authentication, the user can
2200      use binddn and bindpw for auth. */
2201
2202   if(binddn)
2203     {
2204 #ifdef HAVE_LDAP_SET_OPTION
2205       int ver=LDAP_VERSION3;
2206
2207       err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2208       if(err!=LDAP_SUCCESS)
2209         {
2210           fprintf(console,"gpgkeys: unable to go to LDAP 3: %s\n",
2211                   ldap_err2string(err));
2212           fail_all(keylist,ldap_err_to_gpg_err(err));
2213           goto fail;
2214         }
2215 #endif
2216
2217       if(opt->verbose>2)
2218         fprintf(console,"gpgkeys: LDAP bind to %s, pw %s\n",binddn,
2219                 bindpw?">not shown<":">none<");
2220       err=ldap_simple_bind_s(ldap,binddn,bindpw);
2221       if(err!=LDAP_SUCCESS)
2222         {
2223           fprintf(console,"gpgkeys: internal LDAP bind error: %s\n",
2224                   ldap_err2string(err));
2225           fail_all(keylist,ldap_err_to_gpg_err(err));
2226           goto fail;
2227         }
2228       else
2229         bound=1;
2230     }
2231
2232   if(opt->action==KS_GET)
2233     {
2234       keyptr=keylist;
2235
2236       while(keyptr!=NULL)
2237         {
2238           set_timeout(opt->timeout);
2239
2240           if(get_key(keyptr->str)!=KEYSERVER_OK)
2241             failed++;
2242
2243           keyptr=keyptr->next;
2244         }
2245     }
2246   else if(opt->action==KS_GETNAME)
2247     {
2248       keyptr=keylist;
2249
2250       while(keyptr!=NULL)
2251         {
2252           set_timeout(opt->timeout);
2253
2254           if(get_name(keyptr->str)!=KEYSERVER_OK)
2255             failed++;
2256
2257           keyptr=keyptr->next;
2258         }
2259     }
2260   else if(opt->action==KS_SEND)
2261     {
2262       int eof=0;
2263
2264       do
2265         {
2266           set_timeout(opt->timeout);
2267
2268           if(real_ldap)
2269             {
2270               if(send_key(&eof)!=KEYSERVER_OK)
2271                 failed++;
2272             }
2273           else
2274             {
2275               if(send_key_keyserver(&eof)!=KEYSERVER_OK)
2276                 failed++;
2277             }
2278         }
2279       while(!eof);
2280     }
2281   else if(opt->action==KS_SEARCH)
2282     {
2283       char *searchkey=NULL;
2284       int len=0;
2285
2286       set_timeout(opt->timeout);
2287
2288       /* To search, we stick a * in between each key to search for.
2289          This means that if the user enters words, they'll get
2290          "enters*words".  If the user "enters words", they'll get
2291          "enters words" */
2292
2293       keyptr=keylist;
2294       while(keyptr!=NULL)
2295         {
2296           len+=strlen(keyptr->str)+1;
2297           keyptr=keyptr->next;
2298         }
2299
2300       searchkey=malloc(len+1);
2301       if(searchkey==NULL)
2302         {
2303           ret=KEYSERVER_NO_MEMORY;
2304           fail_all(keylist,KEYSERVER_NO_MEMORY);
2305           goto fail;
2306         }
2307
2308       searchkey[0]='\0';
2309
2310       keyptr=keylist;
2311       while(keyptr!=NULL)
2312         {
2313           strcat(searchkey,keyptr->str);
2314           strcat(searchkey,"*");
2315           keyptr=keyptr->next;
2316         }
2317
2318       /* Nail that last "*" */
2319       if(*searchkey)
2320         searchkey[strlen(searchkey)-1]='\0';
2321
2322       if(search_key(searchkey)!=KEYSERVER_OK)
2323         failed++;
2324
2325       free(searchkey);
2326     }
2327   else
2328     BUG();
2329
2330   if(!failed)
2331     ret=KEYSERVER_OK;
2332
2333  fail:
2334
2335   while(keylist!=NULL)
2336     {
2337       struct keylist *current=keylist;
2338       keylist=keylist->next;
2339       free(current);
2340     }
2341
2342   if(input!=stdin)
2343     fclose(input);
2344
2345   if(output!=stdout)
2346     fclose(output);
2347
2348   free_ks_options(opt);
2349
2350   if(ldap!=NULL && bound)
2351     ldap_unbind_s(ldap);
2352
2353   free(basekeyspacedn);
2354
2355   return ret;
2356 }