3fed8c59048d2c0b6cc4f20a326b3fb9069fc428
[gnupg.git] / keyserver / gpgkeys_ldap.c
1 /* gpgkeys_ldap.c - talk to a LDAP keyserver
2  * Copyright (C) 2001, 2002, 2004, 2005, 2006
3  *               2007  Free Software Foundation, Inc.
4  *
5  * This file is part of GnuPG.
6  *
7  * GnuPG is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License as published by
9  * the Free Software Foundation; either version 3 of the License, or
10  * (at your option) any later version.
11  *
12  * GnuPG is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, see <http://www.gnu.org/licenses/>.
19  *
20  * In addition, as a special exception, the Free Software Foundation
21  * gives permission to link the code of the keyserver helper tools:
22  * gpgkeys_ldap, gpgkeys_curl and gpgkeys_hkp with the OpenSSL
23  * project's "OpenSSL" library (or with modified versions of it that
24  * use the same license as the "OpenSSL" library), and distribute the
25  * linked executables.  You must obey the GNU General Public License
26  * in all respects for all of the code used other than "OpenSSL".  If
27  * you modify this file, you may extend this exception to your version
28  * of the file, but you are not obligated to do so.  If you do not
29  * wish to do so, delete this exception statement from your version.
30  */
31
32 #include <config.h>
33 #include <stdio.h>
34 #include <string.h>
35 #include <time.h>
36 #include <unistd.h>
37 #ifdef HAVE_GETOPT_H
38 #include <getopt.h>
39 #endif
40 #include <stdlib.h>
41 #include <errno.h>
42 #include <assert.h>
43
44 #ifdef _WIN32
45 #include <winsock2.h>
46 #include <winldap.h>
47 #else
48 #ifdef NEED_LBER_H
49 #include <lber.h>
50 #endif
51 /* For OpenLDAP, to enable the API that we're using. */
52 #define LDAP_DEPRECATED 1
53 #include <ldap.h>
54 #endif
55
56 #include "util.h"
57 #include "keyserver.h"
58 #include "ksutil.h"
59
60 #ifdef __riscos__
61 #include "util.h"
62 #endif
63
64 extern char *optarg;
65 extern int optind;
66
67 static int real_ldap=0;
68 static char *basekeyspacedn=NULL;
69 static char *pgpkeystr="pgpKey";
70 static FILE *input=NULL,*output=NULL,*console=NULL;
71 static LDAP *ldap=NULL;
72 static struct ks_options *opt;
73
74 #ifndef HAVE_TIMEGM
75 time_t timegm(struct tm *tm);
76 #endif
77
78 static int
79 ldap_err_to_gpg_err(int err)
80 {
81   int ret;
82
83   switch(err)
84     {
85     case LDAP_ALREADY_EXISTS:
86       ret=KEYSERVER_KEY_EXISTS;
87       break;
88
89     case LDAP_SERVER_DOWN:
90       ret=KEYSERVER_UNREACHABLE;
91       break;
92
93     default:
94       ret=KEYSERVER_GENERAL_ERROR;
95       break;
96     }
97
98   return ret;
99 }
100
101 static int
102 ldap_to_gpg_err(LDAP *ld)
103 {
104 #if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
105
106   int err;
107
108   if(ldap_get_option(ld,LDAP_OPT_ERROR_NUMBER,&err)==0)
109     return ldap_err_to_gpg_err(err);
110   else
111     return KEYSERVER_GENERAL_ERROR;
112
113 #elif defined(HAVE_LDAP_LD_ERRNO)
114
115   return ldap_err_to_gpg_err(ld->ld_errno);
116
117 #else
118
119   /* We should never get here since the LDAP library should always
120      have either ldap_get_option or ld_errno, but just in case... */
121   return KEYSERVER_GENERAL_ERROR;
122
123 #endif
124 }
125
126 static int
127 key_in_keylist(const char *key,struct keylist *list)
128 {
129   struct keylist *keyptr=list;
130
131   while(keyptr!=NULL)
132     {
133       if(strcasecmp(key,keyptr->str)==0)
134         return 1;
135
136       keyptr=keyptr->next;
137     }
138
139   return 0;
140 }
141
142 static int
143 add_key_to_keylist(const char *key,struct keylist **list)
144 {
145   struct keylist *keyptr=malloc(sizeof(struct keylist));
146
147   if(keyptr==NULL)
148     {
149       fprintf(console,"gpgkeys: out of memory when deduping "
150               "key list\n");
151       return KEYSERVER_NO_MEMORY;
152     }
153
154   strncpy(keyptr->str,key,MAX_LINE);
155   keyptr->str[MAX_LINE-1]='\0';
156   keyptr->next=*list;
157   *list=keyptr;
158
159   return 0;
160 }
161
162 static void
163 free_keylist(struct keylist *list)
164 {
165   while(list!=NULL)
166     {
167       struct keylist *keyptr=list;
168
169       list=keyptr->next;
170       free(keyptr);
171     }
172 }
173
174 static time_t
175 ldap2epochtime(const char *timestr)
176 {
177   struct tm pgptime;
178   time_t answer;
179
180   memset(&pgptime,0,sizeof(pgptime));
181
182   /* YYYYMMDDHHmmssZ */
183
184   sscanf(timestr,"%4d%2d%2d%2d%2d%2d",
185          &pgptime.tm_year,
186          &pgptime.tm_mon,
187          &pgptime.tm_mday,
188          &pgptime.tm_hour,
189          &pgptime.tm_min,
190          &pgptime.tm_sec);
191
192   pgptime.tm_year-=1900;
193   pgptime.tm_isdst=-1;
194   pgptime.tm_mon--;
195
196   /* mktime() takes the timezone into account, so we use timegm() */
197
198   answer=timegm(&pgptime);
199
200   return answer;
201 }
202
203 /* Caller must free */
204 static char *
205 epoch2ldaptime(time_t stamp)
206 {
207   struct tm *ldaptime;
208   char buf[16];
209
210   ldaptime=gmtime(&stamp);
211
212   ldaptime->tm_year+=1900;
213   ldaptime->tm_mon++;
214
215   /* YYYYMMDDHHmmssZ */
216
217   sprintf(buf,"%04d%02d%02d%02d%02d%02dZ",
218           ldaptime->tm_year,
219           ldaptime->tm_mon,
220           ldaptime->tm_mday,
221           ldaptime->tm_hour,
222           ldaptime->tm_min,
223           ldaptime->tm_sec);
224
225   return strdup(buf);
226 }
227
228 /* Append two onto the end of one.  Two is not freed, but its pointers
229    are now part of one.  Make sure you don't free them both! */
230 static int
231 join_two_modlists(LDAPMod ***one,LDAPMod **two)
232 {
233   int i,one_count=0,two_count=0;
234   LDAPMod **grow;
235
236   for(grow=*one;*grow;grow++)
237     one_count++;
238
239   for(grow=two;*grow;grow++)
240     two_count++;
241
242   grow=realloc(*one,sizeof(LDAPMod *)*(one_count+two_count+1));
243   if(!grow)
244     return 0;
245
246   for(i=0;i<two_count;i++)
247     grow[one_count+i]=two[i];
248
249   grow[one_count+i]=NULL;
250
251   *one=grow;
252
253   return 1;
254 }
255
256 /* Passing a NULL for value effectively deletes that attribute.  This
257    doesn't mean "delete" in the sense of removing something from the
258    modlist, but "delete" in the LDAP sense of adding a modlist item
259    that specifies LDAP_MOD_REPLACE and a null attribute for the given
260    attribute.  LDAP_MOD_DELETE doesn't work here as we don't know if
261    the attribute in question exists or not. */
262
263 static int
264 make_one_attr(LDAPMod ***modlist,char *attr,const char *value)
265 {
266   LDAPMod **m;
267   int nummods=0;
268
269   /* Search modlist for the attribute we're playing with. */
270   for(m=*modlist;*m;m++)
271     {
272       if(strcasecmp((*m)->mod_type,attr)==0)
273         {
274           char **ptr=(*m)->mod_values;
275           int numvalues=0;
276
277           /* We have this attribute already, so when the REPLACE
278              happens, the server attributes will be replaced
279              anyway. */
280           if(!value)
281             return 1;
282
283           if(ptr)
284             for(ptr=(*m)->mod_values;*ptr;ptr++)
285               {
286                 /* Duplicate value */
287                 if(strcmp(*ptr,value)==0)
288                   return 1;
289                 numvalues++;
290               }
291
292           ptr=realloc((*m)->mod_values,sizeof(char *)*(numvalues+2));
293           if(!ptr)
294             return 0;
295
296           (*m)->mod_values=ptr;
297           ptr[numvalues]=strdup(value);
298           if(!ptr[numvalues])
299             return 0;
300
301           ptr[numvalues+1]=NULL;
302           break;
303         }
304
305       nummods++;
306     }
307
308   /* We didn't find the attr, so make one and add it to the end */
309   if(!*m)
310     {
311       LDAPMod **grow;
312
313       grow=realloc(*modlist,sizeof(LDAPMod *)*(nummods+2));
314       if(!grow)
315         return 0;
316
317       *modlist=grow;
318       grow[nummods]=malloc(sizeof(LDAPMod));
319       if(!grow[nummods])
320         return 0;
321       grow[nummods]->mod_op=LDAP_MOD_REPLACE;
322       grow[nummods]->mod_type=attr;
323       if(value)
324         {
325           grow[nummods]->mod_values=malloc(sizeof(char *)*2);
326           if(!grow[nummods]->mod_values)
327             {
328               grow[nummods]=NULL;
329               return 0;
330             }
331
332           /* Is this the right thing?  Can a UTF8-encoded user ID have
333              embedded nulls? */
334           grow[nummods]->mod_values[0]=strdup(value);
335           if(!grow[nummods]->mod_values[0])
336             {
337               free(grow[nummods]->mod_values);
338               grow[nummods]=NULL;
339               return 0;
340             }
341
342           grow[nummods]->mod_values[1]=NULL;
343         }
344       else
345         grow[nummods]->mod_values=NULL;
346
347       grow[nummods+1]=NULL;
348     }
349
350   return 1;
351 }
352
353 static void
354 build_attrs(LDAPMod ***modlist,char *line)
355 {
356   char *record;
357   int i;
358
359   /* Remove trailing whitespace */
360   for(i=strlen(line);i>0;i--)
361     if(ascii_isspace(line[i-1]))
362       line[i-1]='\0';
363     else
364       break;
365
366   if((record=strsep(&line,":"))==NULL)
367     return;
368
369   if(ks_strcasecmp("pub",record)==0)
370     {
371       char *tok;
372       int disabled=0,revoked=0;
373
374       /* The long keyid */
375       if((tok=strsep(&line,":"))==NULL)
376         return;
377
378       if(strlen(tok)==16)
379         {
380           make_one_attr(modlist,"pgpCertID",tok);
381           make_one_attr(modlist,"pgpKeyID",&tok[8]);
382         }
383       else
384         return;
385
386       /* The primary pubkey algo */
387       if((tok=strsep(&line,":"))==NULL)
388         return;
389
390       switch(atoi(tok))
391         {
392         case 1:
393           make_one_attr(modlist,"pgpKeyType","RSA");
394           break;
395
396         case 17:
397           make_one_attr(modlist,"pgpKeyType","DSS/DH");
398           break;
399         }
400
401       /* Size of primary key */
402       if((tok=strsep(&line,":"))==NULL)
403         return;
404
405       if(atoi(tok)>0)
406         {
407           char padded[6];
408           int val=atoi(tok);
409
410           /* We zero pad this on the left to make PGP happy. */
411
412           if(val<99999 && val>0)
413             {
414               sprintf(padded,"%05u",atoi(tok));
415               make_one_attr(modlist,"pgpKeySize",padded);
416             }
417         }
418
419       /* pk timestamp */
420       if((tok=strsep(&line,":"))==NULL)
421         return;
422
423       if(atoi(tok)>0)
424         {
425           char *stamp=epoch2ldaptime(atoi(tok));
426           if(stamp)
427             {
428               make_one_attr(modlist,"pgpKeyCreateTime",stamp);
429               free(stamp);
430             }
431         }
432
433       /* pk expire */
434       if((tok=strsep(&line,":"))==NULL)
435         return;
436
437       if(atoi(tok)>0)
438         {
439           char *stamp=epoch2ldaptime(atoi(tok));
440           if(stamp)
441             {
442               make_one_attr(modlist,"pgpKeyExpireTime",stamp);
443               free(stamp);
444             }
445         }
446
447       /* flags */
448       if((tok=strsep(&line,":"))==NULL)
449         return;
450
451       while(*tok)
452         switch(*tok++)
453           {
454           case 'r':
455           case 'R':
456             revoked=1;
457             break;
458             
459           case 'd':
460           case 'D':
461             disabled=1;
462             break;
463           }
464
465       /*
466         Note that we always create the pgpDisabled and pgpRevoked
467         attributes, regardless of whether the key is disabled/revoked
468         or not.  This is because a very common search is like
469         "(&(pgpUserID=*isabella*)(pgpDisabled=0))"
470       */
471
472       make_one_attr(modlist,"pgpDisabled",disabled?"1":"0");
473       make_one_attr(modlist,"pgpRevoked",revoked?"1":"0");
474     }
475   else if(ks_strcasecmp("sub",record)==0)
476     {
477       char *tok;
478
479       /* The long keyid */
480       if((tok=strsep(&line,":"))==NULL)
481         return;
482
483       if(strlen(tok)==16)
484         make_one_attr(modlist,"pgpSubKeyID",tok);
485       else
486         return;
487
488       /* The subkey algo */
489       if((tok=strsep(&line,":"))==NULL)
490         return;
491
492       /* Size of subkey */
493       if((tok=strsep(&line,":"))==NULL)
494         return;
495
496       if(atoi(tok)>0)
497         {
498           char padded[6];
499           int val=atoi(tok);
500
501           /* We zero pad this on the left to make PGP happy. */
502
503           if(val<99999 && val>0)
504             {
505               sprintf(padded,"%05u",atoi(tok));
506               make_one_attr(modlist,"pgpKeySize",padded);
507             }
508         }
509
510       /* Ignore the rest of the items for subkeys since the LDAP
511          schema doesn't store them. */
512     }
513   else if(ks_strcasecmp("uid",record)==0)
514     {
515       char *userid,*tok;
516
517       /* The user ID string */
518       if((tok=strsep(&line,":"))==NULL)
519         return;
520
521       if(strlen(tok)==0)
522         return;
523
524       userid=tok;
525
526       /* By definition, de-%-encoding is always smaller than the
527          original string so we can decode in place. */
528
529       i=0;
530
531       while(*tok)
532         if(tok[0]=='%' && tok[1] && tok[2])
533           {
534             int c;
535
536             userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c;
537             i++;
538             tok+=3;
539           }
540         else
541           userid[i++]=*tok++;
542
543       userid[i]='\0';
544
545       /* We don't care about the other info provided in the uid: line
546          since the LDAP schema doesn't need it. */
547
548       make_one_attr(modlist,"pgpUserID",userid);
549     }
550   else if(ks_strcasecmp("sig",record)==0)
551     {
552       char *tok;
553
554       if((tok=strsep(&line,":"))==NULL)
555         return;
556
557       if(strlen(tok)==16)
558         make_one_attr(modlist,"pgpSignerID",tok);
559     }
560 }
561
562 static void
563 free_mod_values(LDAPMod *mod)
564 {
565   char **ptr;
566
567   if(!mod->mod_values)
568     return;
569
570   for(ptr=mod->mod_values;*ptr;ptr++)
571     free(*ptr);
572
573   free(mod->mod_values);
574 }
575
576 static int
577 send_key(int *r_eof)
578 {
579   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
580   char *dn=NULL,line[MAX_LINE],*key=NULL;
581   char keyid[17],state[6];
582   LDAPMod **modlist,**addlist,**ml;
583
584   modlist=malloc(sizeof(LDAPMod *));
585   if(!modlist)
586     {
587       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
588       ret=KEYSERVER_NO_MEMORY;
589       goto fail;
590     }
591
592   *modlist=NULL;
593
594   addlist=malloc(sizeof(LDAPMod *));
595   if(!addlist)
596     {
597       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
598       ret=KEYSERVER_NO_MEMORY;
599       goto fail;
600     }
601
602   *addlist=NULL;
603
604   /* Start by nulling out all attributes.  We try and do a modify
605      operation first, so this ensures that we don't leave old
606      attributes lying around. */
607   make_one_attr(&modlist,"pgpDisabled",NULL);
608   make_one_attr(&modlist,"pgpKeyID",NULL);
609   make_one_attr(&modlist,"pgpKeyType",NULL);
610   make_one_attr(&modlist,"pgpUserID",NULL);
611   make_one_attr(&modlist,"pgpKeyCreateTime",NULL);
612   make_one_attr(&modlist,"pgpSignerID",NULL);
613   make_one_attr(&modlist,"pgpRevoked",NULL);
614   make_one_attr(&modlist,"pgpSubKeyID",NULL);
615   make_one_attr(&modlist,"pgpKeySize",NULL);
616   make_one_attr(&modlist,"pgpKeyExpireTime",NULL);
617   make_one_attr(&modlist,"pgpCertID",NULL);
618
619   /* Assemble the INFO stuff into LDAP attributes */
620
621   while(fgets(line,MAX_LINE,input)!=NULL)
622     if(sscanf(line,"INFO%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
623        && strcmp(state,"BEGIN")==0)
624       {
625         begin=1;
626         break;
627       }
628
629   if(!begin)
630     {
631       /* i.e. eof before the INFO BEGIN was found.  This isn't an
632          error. */
633       *r_eof=1;
634       ret=KEYSERVER_OK;
635       goto fail;
636     }
637
638   if(strlen(keyid)!=16)
639     {
640       *r_eof=1;
641       ret=KEYSERVER_KEY_INCOMPLETE;
642       goto fail;
643     }
644
645   dn=malloc(strlen("pgpCertID=")+16+1+strlen(basekeyspacedn)+1);
646   if(dn==NULL)
647     {
648       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
649       ret=KEYSERVER_NO_MEMORY;
650       goto fail;
651     }
652
653   sprintf(dn,"pgpCertID=%s,%s",keyid,basekeyspacedn);
654
655   key=malloc(1);
656   if(!key)
657     {
658       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
659       ret=KEYSERVER_NO_MEMORY;
660       goto fail;
661     }
662
663   key[0]='\0';
664
665   /* Now parse each line until we see the END */
666
667   while(fgets(line,MAX_LINE,input)!=NULL)
668     if(sscanf(line,"INFO%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
669        && strcmp(state,"END")==0)
670       {
671         end=1;
672         break;
673       }
674     else
675       build_attrs(&addlist,line);
676
677   if(!end)
678     {
679       fprintf(console,"gpgkeys: no INFO %s END found\n",keyid);
680       *r_eof=1;
681       ret=KEYSERVER_KEY_INCOMPLETE;
682       goto fail;
683     }
684
685   begin=end=0;
686
687   /* Read and throw away stdin until we see the BEGIN */
688
689   while(fgets(line,MAX_LINE,input)!=NULL)
690     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
691        && strcmp(state,"BEGIN")==0)
692       {
693         begin=1;
694         break;
695       }
696
697   if(!begin)
698     {
699       /* i.e. eof before the KEY BEGIN was found.  This isn't an
700          error. */
701       *r_eof=1;
702       ret=KEYSERVER_OK;
703       goto fail;
704     }
705
706   /* Now slurp up everything until we see the END */
707
708   while(fgets(line,MAX_LINE,input)!=NULL)
709     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
710        && strcmp(state,"END")==0)
711       {
712         end=1;
713         break;
714       }
715     else
716       {
717         char *tempkey;
718         keysize+=strlen(line);
719         tempkey=realloc(key,keysize);
720         if(tempkey==NULL)
721           {
722             fprintf(console,"gpgkeys: unable to reallocate for key\n");
723             ret=KEYSERVER_NO_MEMORY;
724             goto fail;
725           }
726         else
727           key=tempkey;
728
729         strcat(key,line);
730       }
731
732   if(!end)
733     {
734       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
735       *r_eof=1;
736       ret=KEYSERVER_KEY_INCOMPLETE;
737       goto fail;
738     }
739
740   make_one_attr(&addlist,"objectClass","pgpKeyInfo");
741   make_one_attr(&addlist,"pgpKey",key);
742
743   /* Now append addlist onto modlist */
744   if(!join_two_modlists(&modlist,addlist))
745     {
746       fprintf(console,"gpgkeys: unable to merge LDAP modification lists\n");
747       ret=KEYSERVER_NO_MEMORY;
748       goto fail;
749     }
750
751   /* Going on the assumption that modify operations are more frequent
752      than adds, we try a modify first.  If it's not there, we just
753      turn around and send an add command for the same key.  Otherwise,
754      the modify brings the server copy into compliance with our copy.
755      Note that unlike the LDAP keyserver (and really, any other
756      keyserver) this does NOT merge signatures, but replaces the whole
757      key.  This should make some people very happy. */
758
759   err=ldap_modify_s(ldap,dn,modlist);
760   if(err==LDAP_NO_SUCH_OBJECT)
761     err=ldap_add_s(ldap,dn,addlist);
762
763   if(err!=LDAP_SUCCESS)
764     {
765       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
766               keyid,ldap_err2string(err));
767       ret=ldap_err_to_gpg_err(err);
768       goto fail;
769     }
770
771   ret=KEYSERVER_OK;
772
773  fail:
774   /* Unwind and free the whole modlist structure */
775   for(ml=modlist;*ml;ml++)
776     {
777       free_mod_values(*ml);
778       free(*ml);
779     }
780
781   free(modlist);
782   free(addlist);
783   free(dn);
784   free(key);
785
786   if(ret!=0 && begin)
787     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
788
789   return ret;
790 }
791
792 static int
793 send_key_keyserver(int *r_eof)
794 {
795   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
796   char *dn=NULL,line[MAX_LINE],*key[2]={NULL,NULL};
797   char keyid[17],state[6];
798   LDAPMod mod, *attrs[2];
799
800   memset(&mod,0,sizeof(mod));
801   mod.mod_op=LDAP_MOD_ADD;
802   mod.mod_type=pgpkeystr;
803   mod.mod_values=key;
804   attrs[0]=&mod;
805   attrs[1]=NULL;
806
807   dn=malloc(strlen("pgpCertid=virtual,")+strlen(basekeyspacedn)+1);
808   if(dn==NULL)
809     {
810       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
811       ret=KEYSERVER_NO_MEMORY;
812       goto fail;
813     }
814
815   strcpy(dn,"pgpCertid=virtual,");
816   strcat(dn,basekeyspacedn);
817
818   key[0]=malloc(1);
819   if(key[0]==NULL)
820     {
821       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
822       ret=KEYSERVER_NO_MEMORY;
823       goto fail;
824     }
825
826   key[0][0]='\0';
827
828   /* Read and throw away stdin until we see the BEGIN */
829
830   while(fgets(line,MAX_LINE,input)!=NULL)
831     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
832        && strcmp(state,"BEGIN")==0)
833       {
834         begin=1;
835         break;
836       }
837
838   if(!begin)
839     {
840       /* i.e. eof before the KEY BEGIN was found.  This isn't an
841          error. */
842       *r_eof=1;
843       ret=KEYSERVER_OK;
844       goto fail;
845     }
846
847   /* Now slurp up everything until we see the END */
848
849   while(fgets(line,MAX_LINE,input)!=NULL)
850     if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
851        && strcmp(state,"END")==0)
852       {
853         end=1;
854         break;
855       }
856     else
857       {
858         keysize+=strlen(line);
859         key[0]=realloc(key[0],keysize);
860         if(key[0]==NULL)
861           {
862             fprintf(console,"gpgkeys: unable to reallocate for key\n");
863             ret=KEYSERVER_NO_MEMORY;
864             goto fail;
865           }
866
867         strcat(key[0],line);
868       }
869
870   if(!end)
871     {
872       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
873       *r_eof=1;
874       ret=KEYSERVER_KEY_INCOMPLETE;
875       goto fail;
876     }
877
878   err=ldap_add_s(ldap,dn,attrs);
879   if(err!=LDAP_SUCCESS)
880     {
881       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
882               keyid,ldap_err2string(err));
883       ret=ldap_err_to_gpg_err(err);
884       goto fail;
885     }
886
887   ret=KEYSERVER_OK;
888
889  fail:
890
891   free(key[0]);
892   free(dn);
893
894   if(ret!=0 && begin)
895     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
896
897   /* Not a fatal error */
898   if(ret==KEYSERVER_KEY_EXISTS)
899     ret=KEYSERVER_OK;
900
901   return ret;
902 }
903
904 static void
905 build_info(const char *certid,LDAPMessage *each)
906 {
907   char **vals;
908
909   fprintf(output,"INFO %s BEGIN\n",certid);
910
911   fprintf(output,"pub:%s:",certid);
912
913   vals=ldap_get_values(ldap,each,"pgpkeytype");
914   if(vals!=NULL)
915     {
916       if(strcmp(vals[0],"RSA")==0)
917         fprintf(output,"1");
918       else if(strcmp(vals[0],"DSS/DH")==0)
919         fprintf(output,"17");
920       ldap_value_free(vals);
921     }
922
923   fprintf(output,":");
924
925   vals=ldap_get_values(ldap,each,"pgpkeysize");
926   if(vals!=NULL)
927     {
928       if(atoi(vals[0])>0)
929         fprintf(output,"%d",atoi(vals[0]));
930       ldap_value_free(vals);
931     }
932
933   fprintf(output,":");
934
935   vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
936   if(vals!=NULL)
937     {
938       if(strlen(vals[0])==15)
939         fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
940       ldap_value_free(vals);
941     }
942
943   fprintf(output,":");
944
945   vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
946   if(vals!=NULL)
947     {
948       if(strlen(vals[0])==15)
949         fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
950       ldap_value_free(vals);
951     }
952
953   fprintf(output,":");
954
955   vals=ldap_get_values(ldap,each,"pgprevoked");
956   if(vals!=NULL)
957     {
958       if(atoi(vals[0])==1)
959         fprintf(output,"r");
960       ldap_value_free(vals);
961     }
962
963   fprintf(output,"\n");
964
965   vals=ldap_get_values(ldap,each,"pgpuserid");
966   if(vals!=NULL)
967     {
968       int i;
969
970       for(i=0;vals[i];i++)
971         fprintf(output,"uid:%s\n",vals[i]);
972       ldap_value_free(vals);
973     }
974
975   fprintf(output,"INFO %s END\n",certid);
976 }
977
978 /* Note that key-not-found is not a fatal error */
979 static int
980 get_key(char *getkey)
981 {
982   LDAPMessage *res,*each;
983   int ret=KEYSERVER_INTERNAL_ERROR,err,count;
984   struct keylist *dupelist=NULL;
985   char search[62];
986   /* This ordering is significant - specifically, "pgpcertid" needs to
987      be the second item in the list, since everything after it may be
988      discarded if the user isn't in verbose mode. */
989   char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
990                  "pgpdisabled","pgpkeycreatetime","modifytimestamp",
991                  "pgpkeysize","pgpkeytype",NULL};
992   attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
993                          array initializers. */
994
995   /* Build the search string */
996
997   /* GPG can send us a v4 fingerprint, a v3 or v4 long key id, or a v3
998      or v4 short key id */
999
1000   if(strncmp(getkey,"0x",2)==0)
1001     getkey+=2;
1002
1003   if(strlen(getkey)==32)
1004     {
1005       fprintf(console,
1006               "gpgkeys: LDAP keyservers do not support v3 fingerprints\n");
1007       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1008       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED);
1009       return KEYSERVER_NOT_SUPPORTED;
1010     }
1011
1012   if(strlen(getkey)>16)
1013     {
1014       char *offset=&getkey[strlen(getkey)-16];
1015
1016       /* fingerprint.  Take the last 16 characters and treat it like a
1017          long key id */
1018
1019       if(opt->flags.include_subkeys)
1020         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1021                 offset,offset);
1022       else
1023         sprintf(search,"(pgpcertid=%.16s)",offset);
1024     }
1025   else if(strlen(getkey)>8)
1026     {
1027       /* long key id */
1028
1029       if(opt->flags.include_subkeys)
1030         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1031                 getkey,getkey);
1032       else
1033         sprintf(search,"(pgpcertid=%.16s)",getkey);
1034     }
1035   else
1036     {
1037       /* short key id */
1038     
1039       sprintf(search,"(pgpkeyid=%.8s)",getkey);
1040     }
1041
1042   if(opt->verbose>2)
1043     fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1044
1045   if(!opt->verbose)
1046     attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1047
1048   err=ldap_search_s(ldap,basekeyspacedn,
1049                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1050   if(err!=0)
1051     {
1052       int errtag=ldap_err_to_gpg_err(err);
1053
1054       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1055       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1056       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1057       return errtag;
1058     }
1059
1060   count=ldap_count_entries(ldap,res);
1061   if(count<1)
1062     {
1063       fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1064       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1065       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1066     }
1067   else
1068     {
1069       /* There may be more than one unique result for a given keyID,
1070          so we should fetch them all (test this by fetching short key
1071          id 0xDEADBEEF). */
1072
1073       each=ldap_first_entry(ldap,res);
1074       while(each!=NULL)
1075         {
1076           char **vals,**certid;
1077
1078           /* Use the long keyid to remove duplicates.  The LDAP server
1079              returns the same keyid more than once if there are
1080              multiple user IDs on the key.  Note that this does NOT
1081              mean that a keyid that exists multiple times on the
1082              keyserver will not be fetched.  It means that each KEY,
1083              no matter how many user IDs share its keyid, will be
1084              fetched only once.  If a keyid that belongs to more than
1085              one key is fetched, the server quite properly responds
1086              with all matching keys. -ds */
1087
1088           certid=ldap_get_values(ldap,each,"pgpcertid");
1089           if(certid!=NULL)
1090             {
1091               if(!key_in_keylist(certid[0],dupelist))
1092                 {
1093                   /* it's not a duplicate, so add it */
1094
1095                   int rc=add_key_to_keylist(certid[0],&dupelist);
1096                   if(rc)
1097                     {
1098                       ret=rc;
1099                       goto fail;
1100                     }
1101
1102                   build_info(certid[0],each);
1103
1104                   fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1105
1106                   vals=ldap_get_values(ldap,each,pgpkeystr);
1107                   if(vals==NULL)
1108                     {
1109                       int errtag=ldap_to_gpg_err(ldap);
1110
1111                       fprintf(console,"gpgkeys: unable to retrieve key %s "
1112                               "from keyserver\n",getkey);
1113                       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1114                     }
1115                   else
1116                     {
1117                       print_nocr(output,vals[0]);
1118                       fprintf(output,"\nKEY 0x%s END\n",getkey);
1119
1120                       ldap_value_free(vals);
1121                     }
1122                 }
1123
1124               ldap_value_free(certid);
1125             }
1126
1127           each=ldap_next_entry(ldap,each);
1128         }
1129     }
1130
1131   ret=KEYSERVER_OK;
1132
1133  fail:
1134   ldap_msgfree(res);
1135   free_keylist(dupelist);
1136
1137   return ret;
1138 }
1139
1140 #define LDAP_ESCAPE_CHARS "*()\\"
1141
1142 /* Append string to buffer in a LDAP-quoted way */
1143 static void
1144 ldap_quote(char *buffer,const char *string)
1145 {
1146   /* Find the end of buffer */
1147   buffer+=strlen(buffer);
1148
1149   for(;*string;string++)
1150     {
1151       if(strchr(LDAP_ESCAPE_CHARS,*string))
1152         {
1153           sprintf(buffer,"\\%02X",*string);
1154           buffer+=3;
1155         }
1156       else
1157         *buffer++=*string;
1158     }
1159
1160   *buffer='\0';
1161 }
1162
1163 /* Note that key-not-found is not a fatal error */
1164 static int
1165 get_name(char *getkey)
1166 {
1167   LDAPMessage *res,*each;
1168   int ret=KEYSERVER_INTERNAL_ERROR,err,count;
1169   /* The maximum size of the search, including the optional stuff and
1170      the trailing \0 */
1171   char search[2+12+(MAX_LINE*3)+2+15+14+1+1+20];
1172   /* This ordering is significant - specifically, "pgpcertid" needs to
1173      be the second item in the list, since everything after it may be
1174      discarded if the user isn't in verbose mode. */
1175   char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
1176                  "pgpdisabled","pgpkeycreatetime","modifytimestamp",
1177                  "pgpkeysize","pgpkeytype",NULL};
1178   attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
1179                          array initializers. */
1180
1181   /* Build the search string */
1182
1183   search[0]='\0';
1184
1185   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1186     strcat(search,"(&");
1187
1188   strcat(search,"(pgpUserID=*");
1189   ldap_quote(search,getkey);
1190   strcat(search,"*)");
1191
1192   if(!opt->flags.include_disabled)
1193     strcat(search,"(pgpDisabled=0)");
1194
1195   if(!opt->flags.include_revoked)
1196     strcat(search,"(pgpRevoked=0)");
1197
1198   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1199     strcat(search,")");
1200
1201   if(opt->verbose>2)
1202     fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1203
1204   if(!opt->verbose)
1205     attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1206
1207   err=ldap_search_s(ldap,basekeyspacedn,
1208                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1209   if(err!=0)
1210     {
1211       int errtag=ldap_err_to_gpg_err(err);
1212
1213       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1214       fprintf(output,"NAME %s BEGIN\n",getkey);
1215       fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1216       return errtag;
1217     }
1218
1219   count=ldap_count_entries(ldap,res);
1220   if(count<1)
1221     {
1222       fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1223       fprintf(output,"NAME %s BEGIN\n",getkey);
1224       fprintf(output,"NAME %s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1225     }
1226   else
1227     {
1228       /* There may be more than one result, but we return them all. */
1229
1230       each=ldap_first_entry(ldap,res);
1231       while(each!=NULL)
1232         {
1233           char **vals,**certid;
1234
1235           certid=ldap_get_values(ldap,each,"pgpcertid");
1236           if(certid!=NULL)
1237             {
1238               build_info(certid[0],each);
1239
1240               fprintf(output,"NAME %s BEGIN\n",getkey);
1241
1242               vals=ldap_get_values(ldap,each,pgpkeystr);
1243               if(vals==NULL)
1244                 {
1245                   int errtag=ldap_to_gpg_err(ldap);
1246
1247                   fprintf(console,"gpgkeys: unable to retrieve key %s "
1248                           "from keyserver\n",getkey);
1249                   fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1250                 }
1251               else
1252                 {
1253                   print_nocr(output,vals[0]);
1254                   fprintf(output,"\nNAME %s END\n",getkey);
1255
1256                   ldap_value_free(vals);
1257                 }
1258
1259               ldap_value_free(certid);
1260             }
1261
1262           each=ldap_next_entry(ldap,each);
1263         }
1264     }
1265
1266   ret=KEYSERVER_OK;
1267
1268   ldap_msgfree(res);
1269
1270   return ret;
1271 }
1272
1273 static void
1274 printquoted(FILE *stream,char *string,char delim)
1275 {
1276   while(*string)
1277     {
1278       if(*string==delim || *string=='%')
1279         fprintf(stream,"%%%02x",*string);
1280       else
1281         fputc(*string,stream);
1282
1283       string++;
1284     }
1285 }
1286
1287 /* Returns 0 on success and -1 on error.  Note that key-not-found is
1288    not an error! */
1289 static int
1290 search_key(const char *searchkey)
1291 {
1292   char **vals,*search;
1293   LDAPMessage *res,*each;
1294   int err,count=0;
1295   struct keylist *dupelist=NULL;
1296   /* The maximum size of the search, including the optional stuff and
1297      the trailing \0 */
1298   char *attrs[]={"pgpcertid","pgpuserid","pgprevoked","pgpdisabled",
1299                  "pgpkeycreatetime","pgpkeyexpiretime","modifytimestamp",
1300                  "pgpkeysize","pgpkeytype",NULL};
1301   enum ks_search_type search_type;
1302
1303   search=malloc(2+1+9+1+3+strlen(searchkey)+3+1+15+14+1+1+20);
1304   if(!search)
1305     {
1306       fprintf(console,"gpgkeys: out of memory when building search list\n");
1307       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,KEYSERVER_NO_MEMORY);
1308       return KEYSERVER_NO_MEMORY;
1309     }
1310
1311   fprintf(output,"SEARCH %s BEGIN\n",searchkey);
1312
1313   search_type=classify_ks_search(&searchkey);
1314
1315   if(opt->debug)
1316     fprintf(console,"search type is %d, and key is \"%s\"\n",
1317             search_type,searchkey);
1318
1319   /* Build the search string */
1320
1321   search[0]='\0';
1322
1323   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1324     strcat(search,"(&");
1325
1326   strcat(search,"(");
1327
1328   switch(search_type)
1329     {
1330     case KS_SEARCH_KEYID_SHORT:
1331       strcat(search,"pgpKeyID");
1332       break;
1333
1334     case KS_SEARCH_KEYID_LONG:
1335       strcat(search,"pgpCertID");
1336       break;
1337
1338     default:
1339       strcat(search,"pgpUserID");
1340       break;
1341     }
1342
1343   strcat(search,"=");
1344
1345   switch(search_type)
1346     {
1347     case KS_SEARCH_SUBSTR:
1348       strcat(search,"*");
1349       break;
1350
1351     case KS_SEARCH_MAIL:
1352       strcat(search,"*<");
1353       break;
1354
1355     case KS_SEARCH_MAILSUB:
1356       strcat(search,"*<*");
1357       break;
1358
1359     case KS_SEARCH_EXACT:
1360     case KS_SEARCH_KEYID_LONG:
1361     case KS_SEARCH_KEYID_SHORT:
1362       break;
1363     }
1364
1365   strcat(search,searchkey);
1366
1367   switch(search_type)
1368     {
1369     case KS_SEARCH_SUBSTR:
1370       strcat(search,"*");
1371       break;
1372
1373     case KS_SEARCH_MAIL:
1374       strcat(search,">*");
1375       break;
1376
1377     case KS_SEARCH_MAILSUB:
1378       strcat(search,"*>*");
1379       break;
1380
1381     case KS_SEARCH_EXACT:
1382     case KS_SEARCH_KEYID_LONG:
1383     case KS_SEARCH_KEYID_SHORT:
1384       break;
1385     }
1386
1387   strcat(search,")");
1388
1389   if(!opt->flags.include_disabled)
1390     strcat(search,"(pgpDisabled=0)");
1391
1392   if(!opt->flags.include_revoked)
1393     strcat(search,"(pgpRevoked=0)");
1394
1395   if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1396     strcat(search,")");
1397
1398   if(opt->verbose>2)
1399     fprintf(console,"gpgkeys: LDAP search for: %s\n",search);
1400
1401   err=ldap_search_s(ldap,basekeyspacedn,
1402                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1403   free(search);
1404   if(err!=LDAP_SUCCESS && err!=LDAP_SIZELIMIT_EXCEEDED)
1405     {
1406       int errtag=ldap_err_to_gpg_err(err);
1407
1408       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,errtag);
1409       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1410       return errtag;
1411     }
1412
1413   /* The LDAP server doesn't return a real count of unique keys, so we
1414      can't use ldap_count_entries here. */
1415   each=ldap_first_entry(ldap,res);
1416   while(each!=NULL)
1417     {
1418       char **certid=ldap_get_values(ldap,each,"pgpcertid");
1419
1420       if(certid!=NULL)
1421         {
1422           if(!key_in_keylist(certid[0],dupelist))
1423             {
1424               int rc=add_key_to_keylist(certid[0],&dupelist);
1425               if(rc!=0)
1426                 {
1427                   fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1428                   free_keylist(dupelist);
1429                   return rc;
1430                 }
1431
1432               count++;
1433             }
1434         }
1435
1436       each=ldap_next_entry(ldap,each);
1437     }
1438
1439   if(err==LDAP_SIZELIMIT_EXCEEDED)
1440     {
1441       if(count==1)
1442         fprintf(console,"gpgkeys: search results exceeded server limit."
1443                 "  First %d result shown.\n",count);
1444       else
1445         fprintf(console,"gpgkeys: search results exceeded server limit."
1446                 "  First %d results shown.\n",count);
1447     }
1448
1449   free_keylist(dupelist);
1450   dupelist=NULL;
1451
1452   if(count<1)
1453     fprintf(output,"info:1:0\n");
1454   else
1455     {
1456       fprintf(output,"info:1:%d\n",count);
1457
1458       each=ldap_first_entry(ldap,res);
1459       while(each!=NULL)
1460         {
1461           char **certid;
1462
1463           certid=ldap_get_values(ldap,each,"pgpcertid");
1464           if(certid!=NULL)
1465             {
1466               LDAPMessage *uids;
1467
1468               /* Have we seen this certid before? */
1469               if(!key_in_keylist(certid[0],dupelist))
1470                 {
1471                   int rc=add_key_to_keylist(certid[0],&dupelist);
1472                   if(rc)
1473                     {
1474                       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1475                       free_keylist(dupelist);
1476                       ldap_value_free(certid);
1477                       ldap_msgfree(res);
1478                       return rc;
1479                     }
1480
1481                   fprintf(output,"pub:%s:",certid[0]);
1482
1483                   vals=ldap_get_values(ldap,each,"pgpkeytype");
1484                   if(vals!=NULL)
1485                     {
1486                       /* The LDAP server doesn't exactly handle this
1487                          well. */
1488                       if(strcasecmp(vals[0],"RSA")==0)
1489                         fprintf(output,"1");
1490                       else if(strcasecmp(vals[0],"DSS/DH")==0)
1491                         fprintf(output,"17");
1492                       ldap_value_free(vals);
1493                     }
1494
1495                   fputc(':',output);
1496
1497                   vals=ldap_get_values(ldap,each,"pgpkeysize");
1498                   if(vals!=NULL)
1499                     {
1500                       /* Not sure why, but some keys are listed with a
1501                          key size of 0.  Treat that like an
1502                          unknown. */
1503                       if(atoi(vals[0])>0)
1504                         fprintf(output,"%d",atoi(vals[0]));
1505                       ldap_value_free(vals);
1506                     }
1507
1508                   fputc(':',output);
1509
1510                   /* YYYYMMDDHHmmssZ */
1511
1512                   vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
1513                   if(vals!=NULL && strlen(vals[0])==15)
1514                     {
1515                       fprintf(output,"%u",
1516                               (unsigned int)ldap2epochtime(vals[0]));
1517                       ldap_value_free(vals);
1518                     }
1519
1520                   fputc(':',output);
1521
1522                   vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
1523                   if(vals!=NULL && strlen(vals[0])==15)
1524                     {
1525                       fprintf(output,"%u",
1526                               (unsigned int)ldap2epochtime(vals[0]));
1527                       ldap_value_free(vals);
1528                     }
1529
1530                   fputc(':',output);
1531
1532                   vals=ldap_get_values(ldap,each,"pgprevoked");
1533                   if(vals!=NULL)
1534                     {
1535                       if(atoi(vals[0])==1)
1536                         fprintf(output,"r");
1537                       ldap_value_free(vals);
1538                     }
1539
1540                   vals=ldap_get_values(ldap,each,"pgpdisabled");
1541                   if(vals!=NULL)
1542                     {
1543                       if(atoi(vals[0])==1)
1544                         fprintf(output,"d");
1545                       ldap_value_free(vals);
1546                     }
1547
1548 #if 0
1549                   /* This is not yet specified in the keyserver
1550                      protocol, but may be someday. */
1551                   fputc(':',output);
1552
1553                   vals=ldap_get_values(ldap,each,"modifytimestamp");
1554                   if(vals!=NULL && strlen(vals[0])==15)
1555                     {
1556                       fprintf(output,"%u",
1557                               (unsigned int)ldap2epochtime(vals[0]));
1558                       ldap_value_free(vals);
1559                     }
1560 #endif
1561
1562                   fprintf(output,"\n");
1563
1564                   /* Now print all the uids that have this certid */
1565                   uids=ldap_first_entry(ldap,res);
1566                   while(uids!=NULL)
1567                     {
1568                       vals=ldap_get_values(ldap,uids,"pgpcertid");
1569                       if(vals!=NULL)
1570                         {
1571                           if(strcasecmp(certid[0],vals[0])==0)
1572                             {
1573                               char **uidvals;
1574
1575                               fprintf(output,"uid:");
1576
1577                               uidvals=ldap_get_values(ldap,uids,"pgpuserid");
1578                               if(uidvals!=NULL)
1579                                 {
1580                                   /* Need to escape any colons */
1581                                   printquoted(output,uidvals[0],':');
1582                                   ldap_value_free(uidvals);
1583                                 }
1584
1585                               fprintf(output,"\n");
1586                             }
1587
1588                           ldap_value_free(vals);
1589                         }
1590
1591                       uids=ldap_next_entry(ldap,uids);
1592                     }
1593                 }
1594
1595               ldap_value_free(certid);
1596             }
1597
1598           each=ldap_next_entry(ldap,each);
1599         }
1600     }
1601
1602   ldap_msgfree(res);
1603   free_keylist(dupelist);
1604
1605   fprintf(output,"SEARCH %s END\n",searchkey);
1606
1607   return KEYSERVER_OK;
1608 }
1609
1610 static void
1611 fail_all(struct keylist *keylist,int err)
1612 {
1613   if(!keylist)
1614     return;
1615
1616   if(opt->action==KS_SEARCH)
1617     {
1618       fprintf(output,"SEARCH ");
1619       while(keylist)
1620         {
1621           fprintf(output,"%s ",keylist->str);
1622           keylist=keylist->next;
1623         }
1624       fprintf(output,"FAILED %d\n",err);
1625     }
1626   else
1627     while(keylist)
1628       {
1629         fprintf(output,"KEY %s FAILED %d\n",keylist->str,err);
1630         keylist=keylist->next;
1631       }
1632 }
1633
1634 static int
1635 find_basekeyspacedn(void)
1636 {
1637   int err,i;
1638   char *attr[]={"namingContexts",NULL,NULL,NULL};
1639   LDAPMessage *res;
1640   char **context;
1641
1642   /* Look for namingContexts */
1643   err=ldap_search_s(ldap,"",LDAP_SCOPE_BASE,"(objectClass=*)",attr,0,&res);
1644   if(err==LDAP_SUCCESS)
1645     {
1646       context=ldap_get_values(ldap,res,"namingContexts");
1647       if(context)
1648         {
1649           attr[0]="pgpBaseKeySpaceDN";
1650           attr[1]="pgpVersion";
1651           attr[2]="pgpSoftware";
1652
1653           real_ldap=1;
1654
1655           /* We found some, so try each namingContext as the search base
1656              and look for pgpBaseKeySpaceDN.  Because we found this, we
1657              know we're talking to a regular-ish LDAP server and not a
1658              LDAP keyserver. */
1659
1660           for(i=0;context[i] && !basekeyspacedn;i++)
1661             {
1662               char **vals;
1663               LDAPMessage *si_res;
1664               char *object;
1665
1666               object=malloc(17+strlen(context[i])+1);
1667               if(!object)
1668                 return -1;
1669
1670               strcpy(object,"cn=pgpServerInfo,");
1671               strcat(object,context[i]);
1672
1673               err=ldap_search_s(ldap,object,LDAP_SCOPE_BASE,
1674                                 "(objectClass=*)",attr,0,&si_res);
1675               free(object);
1676
1677               if(err==LDAP_NO_SUCH_OBJECT)
1678                 continue;
1679               else if(err!=LDAP_SUCCESS)
1680                 return err;
1681
1682               vals=ldap_get_values(ldap,si_res,"pgpBaseKeySpaceDN");
1683               if(vals)
1684                 {
1685                   basekeyspacedn=strdup(vals[0]);
1686                   ldap_value_free(vals);
1687                 }
1688
1689               if(opt->verbose>1)
1690                 {
1691                   vals=ldap_get_values(ldap,si_res,"pgpSoftware");
1692                   if(vals)
1693                     {
1694                       fprintf(console,"Server: \t%s\n",vals[0]);
1695                       ldap_value_free(vals);
1696                     }
1697
1698                   vals=ldap_get_values(ldap,si_res,"pgpVersion");
1699                   if(vals)
1700                     {
1701                       fprintf(console,"Version:\t%s\n",vals[0]);
1702                       ldap_value_free(vals);
1703                     }
1704                 }
1705
1706               ldap_msgfree(si_res);
1707             }
1708
1709           ldap_value_free(context);
1710         }
1711
1712       ldap_msgfree(res);
1713     }
1714   else
1715     {
1716       /* We don't have an answer yet, which means the server might be
1717          a LDAP keyserver. */
1718       char **vals;
1719       LDAPMessage *si_res;
1720
1721       attr[0]="pgpBaseKeySpaceDN";
1722       attr[1]="version";
1723       attr[2]="software";
1724
1725       err=ldap_search_s(ldap,"cn=pgpServerInfo",LDAP_SCOPE_BASE,
1726                         "(objectClass=*)",attr,0,&si_res);
1727       if(err!=LDAP_SUCCESS)
1728         return err;
1729
1730       /* For the LDAP keyserver, this is always "OU=ACTIVE,O=PGP
1731          KEYSPACE,C=US", but it might not be in the future. */
1732
1733       vals=ldap_get_values(ldap,si_res,"baseKeySpaceDN");
1734       if(vals)
1735         {
1736           basekeyspacedn=strdup(vals[0]);
1737           ldap_value_free(vals);
1738         }
1739
1740       if(opt->verbose>1)
1741         {
1742           vals=ldap_get_values(ldap,si_res,"software");
1743           if(vals)
1744             {
1745               fprintf(console,"Server: \t%s\n",vals[0]);
1746               ldap_value_free(vals);
1747             }
1748         }
1749
1750       vals=ldap_get_values(ldap,si_res,"version");
1751       if(vals)
1752         {
1753           if(opt->verbose>1)
1754             fprintf(console,"Version:\t%s\n",vals[0]);
1755
1756           /* If the version is high enough, use the new pgpKeyV2
1757              attribute.  This design if iffy at best, but it matches how
1758              PGP does it.  I figure the NAI folks assumed that there would
1759              never be a LDAP keyserver vendor with a different numbering
1760              scheme. */
1761           if(atoi(vals[0])>1)
1762             pgpkeystr="pgpKeyV2";
1763
1764           ldap_value_free(vals);
1765         }
1766
1767       ldap_msgfree(si_res);
1768     }   
1769
1770   return LDAP_SUCCESS;
1771 }
1772
1773 static void 
1774 show_help (FILE *fp)
1775 {
1776   fprintf (fp,"-h, --help\thelp\n");
1777   fprintf (fp,"-V\t\tmachine readable version\n");
1778   fprintf (fp,"--version\thuman readable version\n");
1779   fprintf (fp,"-o\t\toutput to this file\n");
1780 }
1781
1782 int
1783 main(int argc,char *argv[])
1784 {
1785   int port=0,arg,err,ret=KEYSERVER_INTERNAL_ERROR;
1786   char line[MAX_LINE],*binddn=NULL,*bindpw=NULL;
1787   int failed=0,use_ssl=0,use_tls=0,bound=0;
1788   struct keylist *keylist=NULL,*keyptr=NULL;
1789
1790   console=stderr;
1791
1792   /* Kludge to implement standard GNU options.  */
1793   if (argc > 1 && !strcmp (argv[1], "--version"))
1794     {
1795       fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout);
1796       return 0;
1797     }
1798   else if (argc > 1 && !strcmp (argv[1], "--help"))
1799     {
1800       show_help (stdout);
1801       return 0;
1802     }
1803
1804   while((arg=getopt(argc,argv,"hVo:"))!=-1)
1805     switch(arg)
1806       {
1807       default:
1808       case 'h':
1809         show_help (console);
1810         return KEYSERVER_OK;
1811
1812       case 'V':
1813         fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION);
1814         return KEYSERVER_OK;
1815
1816       case 'o':
1817         output=fopen(optarg,"w");
1818         if(output==NULL)
1819           {
1820             fprintf(console,"gpgkeys: Cannot open output file `%s': %s\n",
1821                     optarg,strerror(errno));
1822             return KEYSERVER_INTERNAL_ERROR;
1823           }
1824
1825         break;
1826       }
1827
1828   if(argc>optind)
1829     {
1830       input=fopen(argv[optind],"r");
1831       if(input==NULL)
1832         {
1833           fprintf(console,"gpgkeys: Cannot open input file `%s': %s\n",
1834                   argv[optind],strerror(errno));
1835           return KEYSERVER_INTERNAL_ERROR;
1836         }
1837     }
1838
1839   if(input==NULL)
1840     input=stdin;
1841
1842   if(output==NULL)
1843     output=stdout;
1844
1845   opt=init_ks_options();
1846   if(!opt)
1847     return KEYSERVER_NO_MEMORY;
1848
1849   /* Get the command and info block */
1850
1851   while(fgets(line,MAX_LINE,input)!=NULL)
1852     {
1853       char optionstr[MAX_OPTION+1];
1854
1855       if(line[0]=='\n')
1856         break;
1857
1858       err=parse_ks_options(line,opt);
1859       if(err>0)
1860         {
1861           ret=err;
1862           goto fail;
1863         }
1864       else if(err==0)
1865         continue;
1866
1867       if(sscanf(line,"OPTION %" MKSTRING(MAX_OPTION) "[^\n]\n",optionstr)==1)
1868         {
1869           int no=0;
1870           char *start=&optionstr[0];
1871
1872           optionstr[MAX_OPTION]='\0';
1873
1874           if(strncasecmp(optionstr,"no-",3)==0)
1875             {
1876               no=1;
1877               start=&optionstr[3];
1878             }
1879
1880           if(strncasecmp(start,"tls",3)==0)
1881             {
1882               if(no)
1883                 use_tls=0;
1884               else if(start[3]=='=')
1885                 {
1886                   if(strcasecmp(&start[4],"no")==0)
1887                     use_tls=0;
1888                   else if(strcasecmp(&start[4],"try")==0)
1889                     use_tls=1;
1890                   else if(strcasecmp(&start[4],"warn")==0)
1891                     use_tls=2;
1892                   else if(strcasecmp(&start[4],"require")==0)
1893                     use_tls=3;
1894                   else
1895                     use_tls=1;
1896                 }
1897               else if(start[3]=='\0')
1898                 use_tls=1;
1899             }
1900           else if(strncasecmp(start,"basedn",6)==0)
1901             {
1902               if(no)
1903                 {
1904                   free(basekeyspacedn);
1905                   basekeyspacedn=NULL;
1906                 }
1907               else if(start[6]=='=')
1908                 {
1909                   free(basekeyspacedn);
1910                   basekeyspacedn=strdup(&start[7]);
1911                   if(!basekeyspacedn)
1912                     {
1913                       fprintf(console,"gpgkeys: out of memory while creating "
1914                               "base DN\n");
1915                       ret=KEYSERVER_NO_MEMORY;
1916                       goto fail;
1917                     }
1918
1919                   real_ldap=1;
1920                 }
1921             }
1922           else if(strncasecmp(start,"binddn",6)==0)
1923             {
1924               if(no)
1925                 {
1926                   free(binddn);
1927                   binddn=NULL;
1928                 }
1929               else if(start[6]=='=')
1930                 {
1931                   free(binddn);
1932                   binddn=strdup(&start[7]);
1933                   if(!binddn)
1934                     {
1935                       fprintf(console,"gpgkeys: out of memory while creating "
1936                               "bind DN\n");
1937                       ret=KEYSERVER_NO_MEMORY;
1938                       goto fail;
1939                     }
1940
1941                   real_ldap=1;
1942                 }
1943             }
1944           else if(strncasecmp(start,"bindpw",6)==0)
1945             {
1946               if(no)
1947                 {
1948                   free(bindpw);
1949                   bindpw=NULL;
1950                 }
1951               else if(start[6]=='=')
1952                 {
1953                   free(bindpw);
1954                   bindpw=strdup(&start[7]);
1955                   if(!bindpw)
1956                     {
1957                       fprintf(console,"gpgkeys: out of memory while creating "
1958                               "bind password\n");
1959                       ret=KEYSERVER_NO_MEMORY;
1960                       goto fail;
1961                     }
1962
1963                   real_ldap=1;
1964                 }
1965             }
1966
1967           continue;
1968         }
1969     }
1970
1971   if(!opt->scheme)
1972     {
1973       fprintf(console,"gpgkeys: no scheme supplied!\n");
1974       ret=KEYSERVER_SCHEME_NOT_FOUND;
1975       goto fail;
1976     }
1977
1978   if(strcasecmp(opt->scheme,"ldaps")==0)
1979     {
1980       port=636;
1981       use_ssl=1;
1982     }
1983
1984   if(opt->port)
1985     port=atoi(opt->port);
1986
1987   if(!opt->host)
1988     {
1989       fprintf(console,"gpgkeys: no keyserver host provided\n");
1990       goto fail;
1991     }
1992
1993   if(opt->timeout && register_timeout()==-1)
1994     {
1995       fprintf(console,"gpgkeys: unable to register timeout handler\n");
1996       return KEYSERVER_INTERNAL_ERROR;
1997     }
1998
1999 #if defined(LDAP_OPT_X_TLS_CACERTFILE) && defined(HAVE_LDAP_SET_OPTION)
2000
2001   if(opt->ca_cert_file)
2002     {
2003       err=ldap_set_option(NULL,LDAP_OPT_X_TLS_CACERTFILE,opt->ca_cert_file);
2004       if(err!=LDAP_SUCCESS)
2005         {
2006           fprintf(console,"gpgkeys: unable to set ca-cert-file: %s\n",
2007                   ldap_err2string(err));
2008           ret=KEYSERVER_INTERNAL_ERROR;
2009           goto fail;
2010         }
2011     }
2012 #endif /* LDAP_OPT_X_TLS_CACERTFILE && HAVE_LDAP_SET_OPTION */
2013
2014   /* SSL trumps TLS */
2015   if(use_ssl)
2016     use_tls=0;
2017
2018   /* If it's a GET or a SEARCH, the next thing to come in is the
2019      keyids.  If it's a SEND, then there are no keyids. */
2020
2021   if(opt->action==KS_SEND)
2022     while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n');
2023   else if(opt->action==KS_GET
2024           || opt->action==KS_GETNAME || opt->action==KS_SEARCH)
2025     {
2026       for(;;)
2027         {
2028           struct keylist *work;
2029
2030           if(fgets(line,MAX_LINE,input)==NULL)
2031             break;
2032           else
2033             {
2034               if(line[0]=='\n' || line[0]=='\0')
2035                 break;
2036
2037               work=malloc(sizeof(struct keylist));
2038               if(work==NULL)
2039                 {
2040                   fprintf(console,"gpgkeys: out of memory while "
2041                           "building key list\n");
2042                   ret=KEYSERVER_NO_MEMORY;
2043                   goto fail;
2044                 }
2045
2046               strcpy(work->str,line);
2047
2048               /* Trim the trailing \n */
2049               work->str[strlen(line)-1]='\0';
2050
2051               work->next=NULL;
2052
2053               /* Always attach at the end to keep the list in proper
2054                  order for searching */
2055               if(keylist==NULL)
2056                 keylist=work;
2057               else
2058                 keyptr->next=work;
2059
2060               keyptr=work;
2061             }
2062         }
2063     }
2064   else
2065     {
2066       fprintf(console,"gpgkeys: no keyserver command specified\n");
2067       goto fail;
2068     }
2069
2070   /* Send the response */
2071
2072   fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
2073   fprintf(output,"PROGRAM %s\n\n",VERSION);
2074
2075   if(opt->verbose>1)
2076     {
2077       fprintf(console,"Host:\t\t%s\n",opt->host);
2078       if(port)
2079         fprintf(console,"Port:\t\t%d\n",port);
2080       fprintf(console,"Command:\t%s\n",ks_action_to_string(opt->action));
2081     }
2082
2083   if(opt->debug)
2084     {
2085 #if defined(LDAP_OPT_DEBUG_LEVEL) && defined(HAVE_LDAP_SET_OPTION)
2086       err=ldap_set_option(NULL,LDAP_OPT_DEBUG_LEVEL,&opt->debug);
2087       if(err!=LDAP_SUCCESS)
2088         fprintf(console,"gpgkeys: unable to set debug mode: %s\n",
2089                 ldap_err2string(err));
2090       else
2091         fprintf(console,"gpgkeys: debug level %d\n",opt->debug);
2092 #else
2093       fprintf(console,"gpgkeys: not built with debugging support\n");
2094 #endif
2095     }
2096
2097   /* We have a timeout set for the setup stuff since it could time out
2098      as well. */
2099   set_timeout(opt->timeout);
2100
2101   /* Note that this tries all A records on a given host (or at least,
2102      OpenLDAP does). */
2103   ldap=ldap_init(opt->host,port);
2104   if(ldap==NULL)
2105     {
2106       fprintf(console,"gpgkeys: internal LDAP init error: %s\n",
2107               strerror(errno));
2108       fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2109       goto fail;
2110     }
2111
2112   if(use_ssl)
2113     {
2114 #if defined(LDAP_OPT_X_TLS) && defined(HAVE_LDAP_SET_OPTION)
2115       int ssl=LDAP_OPT_X_TLS_HARD;
2116
2117       err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
2118       if(err!=LDAP_SUCCESS)
2119         {
2120           fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2121                   ldap_err2string(err));
2122           fail_all(keylist,ldap_err_to_gpg_err(err));
2123           goto fail;
2124         }
2125
2126       if(!opt->flags.check_cert)
2127         ssl=LDAP_OPT_X_TLS_NEVER;
2128
2129       err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl);
2130       if(err!=LDAP_SUCCESS)
2131         {
2132           fprintf(console,
2133                   "gpgkeys: unable to set certificate validation: %s\n",
2134                   ldap_err2string(err));
2135           fail_all(keylist,ldap_err_to_gpg_err(err));
2136           goto fail;
2137         }
2138 #else
2139       fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2140               "not built with LDAPS support");
2141       fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2142       goto fail;
2143 #endif
2144     }
2145
2146   if(!basekeyspacedn)
2147     if((err=find_basekeyspacedn()) || !basekeyspacedn)
2148       {
2149         fprintf(console,"gpgkeys: unable to retrieve LDAP base: %s\n",
2150                 err?ldap_err2string(err):"not found");
2151         fail_all(keylist,ldap_err_to_gpg_err(err));
2152         goto fail;
2153       }
2154
2155   /* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
2156      3=force use. */
2157   if(use_tls)
2158     {
2159       if(!real_ldap)
2160         {
2161           if(use_tls>=2)
2162             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2163                     "not supported by the NAI LDAP keyserver");
2164           if(use_tls==3)
2165             {
2166               fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2167               goto fail;
2168             }
2169         }
2170       else
2171         {
2172 #if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
2173           int ver=LDAP_VERSION3;
2174
2175           err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2176
2177 #ifdef LDAP_OPT_X_TLS
2178           if(err==LDAP_SUCCESS)
2179             {
2180               if(opt->flags.check_cert)
2181                 ver=LDAP_OPT_X_TLS_HARD;
2182               else
2183                 ver=LDAP_OPT_X_TLS_NEVER;
2184
2185               err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ver);
2186             }
2187 #endif
2188
2189           if(err==LDAP_SUCCESS)
2190             err=ldap_start_tls_s(ldap,NULL,NULL);
2191
2192           if(err!=LDAP_SUCCESS)
2193             {
2194               if(use_tls>=2 || opt->verbose>2)
2195                 fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2196                         ldap_err2string(err));
2197               /* Are we forcing it? */
2198               if(use_tls==3)
2199                 {
2200                   fail_all(keylist,ldap_err_to_gpg_err(err));
2201                   goto fail;
2202                 }
2203             }
2204           else if(opt->verbose>1)
2205             fprintf(console,"gpgkeys: TLS started successfully.\n");
2206 #else
2207           if(use_tls>=2)
2208             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2209                     "not built with TLS support");
2210           if(use_tls==3)
2211             {
2212               fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2213               goto fail;
2214             }
2215 #endif
2216         }
2217     }
2218
2219   /* By default we don't bind as there is usually no need to.  For
2220      cases where the server needs some authentication, the user can
2221      use binddn and bindpw for auth. */
2222
2223   if(binddn)
2224     {
2225 #ifdef HAVE_LDAP_SET_OPTION
2226       int ver=LDAP_VERSION3;
2227
2228       err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2229       if(err!=LDAP_SUCCESS)
2230         {
2231           fprintf(console,"gpgkeys: unable to go to LDAP 3: %s\n",
2232                   ldap_err2string(err));
2233           fail_all(keylist,ldap_err_to_gpg_err(err));
2234           goto fail;
2235         }
2236 #endif
2237
2238       if(opt->verbose>2)
2239         fprintf(console,"gpgkeys: LDAP bind to %s, pw %s\n",binddn,
2240                 bindpw?">not shown<":">none<");
2241       err=ldap_simple_bind_s(ldap,binddn,bindpw);
2242       if(err!=LDAP_SUCCESS)
2243         {
2244           fprintf(console,"gpgkeys: internal LDAP bind error: %s\n",
2245                   ldap_err2string(err));
2246           fail_all(keylist,ldap_err_to_gpg_err(err));
2247           goto fail;
2248         }
2249       else
2250         bound=1;
2251     }
2252
2253   if(opt->action==KS_GET)
2254     {
2255       keyptr=keylist;
2256
2257       while(keyptr!=NULL)
2258         {
2259           set_timeout(opt->timeout);
2260
2261           if(get_key(keyptr->str)!=KEYSERVER_OK)
2262             failed++;
2263
2264           keyptr=keyptr->next;
2265         }
2266     }
2267   else if(opt->action==KS_GETNAME)
2268     {
2269       keyptr=keylist;
2270
2271       while(keyptr!=NULL)
2272         {
2273           set_timeout(opt->timeout);
2274
2275           if(get_name(keyptr->str)!=KEYSERVER_OK)
2276             failed++;
2277
2278           keyptr=keyptr->next;
2279         }
2280     }
2281   else if(opt->action==KS_SEND)
2282     {
2283       int eof_seen = 0;
2284
2285       do
2286         {
2287           set_timeout(opt->timeout);
2288
2289           if(real_ldap)
2290             {
2291               if (send_key(&eof_seen) != KEYSERVER_OK)
2292                 failed++;
2293             }
2294           else
2295             {
2296               if (send_key_keyserver(&eof_seen) != KEYSERVER_OK)
2297                 failed++;
2298             }
2299         }
2300       while (!eof_seen);
2301     }
2302   else if(opt->action==KS_SEARCH)
2303     {
2304       char *searchkey=NULL;
2305       int len=0;
2306
2307       set_timeout(opt->timeout);
2308
2309       /* To search, we stick a * in between each key to search for.
2310          This means that if the user enters words, they'll get
2311          "enters*words".  If the user "enters words", they'll get
2312          "enters words" */
2313
2314       keyptr=keylist;
2315       while(keyptr!=NULL)
2316         {
2317           len+=strlen(keyptr->str)+1;
2318           keyptr=keyptr->next;
2319         }
2320
2321       searchkey=malloc((len*3)+1);
2322       if(searchkey==NULL)
2323         {
2324           ret=KEYSERVER_NO_MEMORY;
2325           fail_all(keylist,KEYSERVER_NO_MEMORY);
2326           goto fail;
2327         }
2328
2329       searchkey[0]='\0';
2330
2331       keyptr=keylist;
2332       while(keyptr!=NULL)
2333         {
2334           ldap_quote(searchkey,keyptr->str);
2335           strcat(searchkey,"*");
2336           keyptr=keyptr->next;
2337         }
2338
2339       /* Nail that last "*" */
2340       if(*searchkey)
2341         searchkey[strlen(searchkey)-1]='\0';
2342
2343       if(search_key(searchkey)!=KEYSERVER_OK)
2344         failed++;
2345
2346       free(searchkey);
2347     }
2348   else
2349     assert (!"bad action");
2350
2351   if(!failed)
2352     ret=KEYSERVER_OK;
2353
2354  fail:
2355
2356   while(keylist!=NULL)
2357     {
2358       struct keylist *current=keylist;
2359       keylist=keylist->next;
2360       free(current);
2361     }
2362
2363   if(input!=stdin)
2364     fclose(input);
2365
2366   if(output!=stdout)
2367     fclose(output);
2368
2369   free_ks_options(opt);
2370
2371   if(ldap!=NULL && bound)
2372     ldap_unbind_s(ldap);
2373
2374   free(basekeyspacedn);
2375
2376   return ret;
2377 }