* gpgkeys_ldap.c (delete_one_attr): Removed. (make_one_attr): Delete
[gnupg.git] / keyserver / gpgkeys_ldap.c
1 /* gpgkeys_ldap.c - talk to a LDAP keyserver
2  * Copyright (C) 2001, 2002, 2004 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19  */
20
21 #include <config.h>
22 #include <stdio.h>
23 #include <string.h>
24 #include <time.h>
25 #include <unistd.h>
26 #ifdef HAVE_GETOPT_H
27 #include <getopt.h>
28 #endif
29 #include <stdlib.h>
30 #include <errno.h>
31 #include <ldap.h>
32 #include "util.h"
33 #include "keyserver.h"
34
35 #ifdef __riscos__
36 #include "util.h"
37 #endif
38
39 extern char *optarg;
40 extern int optind;
41
42 #define GET    0
43 #define SEND   1
44 #define SEARCH 2
45 #define MAX_LINE 256
46
47 static int verbose=0,include_disabled=0,include_revoked=0,include_subkeys=0;
48 static int real_ldap=0;
49 static char *basekeyspacedn=NULL;
50 static char host[80]={'\0'};
51 static char portstr[10]={'\0'};
52 static char *pgpkeystr="pgpKey";
53 static FILE *input=NULL,*output=NULL,*console=NULL;
54 static LDAP *ldap=NULL;
55
56 #if !HAVE_SETENV
57 int setenv(const char *name, const char *value, int overwrite);
58 #endif
59
60 #if !HAVE_UNSETENV
61 int unsetenv(const char *name);
62 #endif
63
64 struct keylist
65 {
66   char str[MAX_LINE];
67   struct keylist *next;
68 };
69
70 static int
71 ldap_err_to_gpg_err(int err)
72 {
73   int ret;
74
75   switch(err)
76     {
77     case LDAP_ALREADY_EXISTS:
78       ret=KEYSERVER_KEY_EXISTS;
79       break;
80
81     case LDAP_SERVER_DOWN:
82       ret=KEYSERVER_UNREACHABLE;
83       break;
84
85     default:
86       ret=KEYSERVER_GENERAL_ERROR;
87       break;
88     }
89
90   return ret;
91 }
92
93 static int
94 ldap_to_gpg_err(LDAP *ld)
95 {
96 #if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
97
98   int err;
99
100   if(ldap_get_option(ld,LDAP_OPT_ERROR_NUMBER,&err)==0)
101     return ldap_err_to_gpg_err(err);
102   else
103     return KEYSERVER_GENERAL_ERROR;
104
105 #elif defined(HAVE_LDAP_LD_ERRNO)
106
107   return ldap_err_to_gpg_err(ld->ld_errno);
108
109 #else
110
111   /* We should never get here since the LDAP library should always
112      have either ldap_get_option or ld_errno, but just in case... */
113   return KEYSERVER_GENERAL_ERROR;
114
115 #endif
116 }
117
118 static int
119 key_in_keylist(const char *key,struct keylist *list)
120 {
121   struct keylist *keyptr=list;
122
123   while(keyptr!=NULL)
124     {
125       if(strcasecmp(key,keyptr->str)==0)
126         return 1;
127
128       keyptr=keyptr->next;
129     }
130
131   return 0;
132 }
133
134 static int
135 add_key_to_keylist(const char *key,struct keylist **list)
136 {
137   struct keylist *keyptr=malloc(sizeof(struct keylist));
138
139   if(keyptr==NULL)
140     {
141       fprintf(console,"gpgkeys: out of memory when deduping "
142               "key list\n");
143       return KEYSERVER_NO_MEMORY;
144     }
145
146   strncpy(keyptr->str,key,MAX_LINE);
147   keyptr->str[MAX_LINE-1]='\0';
148   keyptr->next=*list;
149   *list=keyptr;
150
151   return 0;
152 }
153
154 static void
155 free_keylist(struct keylist *list)
156 {
157   while(list!=NULL)
158     {
159       struct keylist *keyptr=list;
160
161       list=keyptr->next;
162       free(keyptr);
163     }
164 }
165
166 static time_t
167 ldap2epochtime(const char *timestr)
168 {
169   struct tm pgptime;
170   time_t answer;
171
172   memset(&pgptime,0,sizeof(pgptime));
173
174   /* YYYYMMDDHHmmssZ */
175
176   sscanf(timestr,"%4d%2d%2d%2d%2d%2d",
177          &pgptime.tm_year,
178          &pgptime.tm_mon,
179          &pgptime.tm_mday,
180          &pgptime.tm_hour,
181          &pgptime.tm_min,
182          &pgptime.tm_sec);
183
184   pgptime.tm_year-=1900;
185   pgptime.tm_isdst=-1;
186   pgptime.tm_mon--;
187
188   /* mktime takes the timezone into account, and we can't have that.
189      I'd use timegm, but it's not portable. */
190
191 #ifdef HAVE_TIMEGM
192   answer=timegm(&pgptime);
193 #else
194   {
195     char *zone=getenv("TZ");
196     setenv("TZ","UTC",1);
197     tzset();
198     answer=mktime(&pgptime);
199     if(zone)
200       setenv("TZ",zone,1);
201     else
202       unsetenv("TZ");
203     tzset();
204   }
205 #endif
206
207   return answer;
208 }
209
210 /* Caller must free */
211 static char *
212 epoch2ldaptime(time_t stamp)
213 {
214   struct tm *ldaptime;
215   char buf[16];
216
217   ldaptime=gmtime(&stamp);
218
219   ldaptime->tm_year+=1900;
220   ldaptime->tm_mon++;
221
222   /* YYYYMMDDHHmmssZ */
223
224   sprintf(buf,"%04d%02d%02d%02d%02d%02dZ",
225           ldaptime->tm_year,
226           ldaptime->tm_mon,
227           ldaptime->tm_mday,
228           ldaptime->tm_hour,
229           ldaptime->tm_min,
230           ldaptime->tm_sec);
231
232   return strdup(buf);
233 }
234
235 /* Passing a NULL for value effectively deletes that attribute.  This
236    doesn't mean "delete" in the sense of removing something from the
237    modlist, but "delete" in the LDAP sense of adding a modlist item
238    that specifies LDAP_MOD_REPLACE and a null attribute for the given
239    attribute.  LDAP_MOD_DELETE doesn't work here as we don't know if
240    the attribute in question exists or not. */
241
242 static int
243 make_one_attr(LDAPMod ***modlist,int unique,char *attr,const char *value)
244 {
245   LDAPMod **m;
246   int nummods=0;
247
248   /* Search modlist for the attribute we're playing with. */
249   for(m=*modlist;*m;m++)
250     {
251       if(strcasecmp((*m)->mod_type,attr)==0)
252         {
253           char **ptr=(*m)->mod_values;
254           int numvalues=0;
255
256           /* We have this attribute already, so when the REPLACE
257              happens, the server attributes will be replaced
258              anyway. */
259           if(!value)
260             return 1;
261
262           if(ptr)
263             for(ptr=(*m)->mod_values;*ptr;ptr++)
264               {
265                 if(unique && strcmp(*ptr,value)==0)
266                   return 1;
267                 numvalues++;
268               }
269
270           ptr=realloc((*m)->mod_values,sizeof(char *)*(numvalues+2));
271           if(!ptr)
272             return 0;
273
274           (*m)->mod_values=ptr;
275           ptr[numvalues]=strdup(value);
276           if(!ptr[numvalues])
277             return 0;
278
279           ptr[numvalues+1]=NULL;
280           break;
281         }
282
283       nummods++;
284     }
285
286   /* We didn't find the attr, so make one and add it to the end */
287   if(!*m)
288     {
289       LDAPMod **grow;
290
291       grow=realloc(*modlist,sizeof(LDAPMod *)*(nummods+2));
292       if(!grow)
293         return 0;
294
295       *modlist=grow;
296       grow[nummods]=malloc(sizeof(LDAPMod));
297       if(!grow[nummods])
298         return 0;
299       grow[nummods]->mod_op=LDAP_MOD_REPLACE;
300       grow[nummods]->mod_type=attr;
301       if(value)
302         {
303           grow[nummods]->mod_values=malloc(sizeof(char *)*2);
304           if(!grow[nummods]->mod_values)
305             {
306               grow[nummods]=NULL;
307               return 0;
308             }
309
310           /* Is this the right thing?  Can a UTF8-encoded user ID have
311              embedded nulls? */
312           grow[nummods]->mod_values[0]=strdup(value);
313           if(!grow[nummods]->mod_values[0])
314             {
315               free(grow[nummods]->mod_values);
316               grow[nummods]=NULL;
317               return 0;
318             }
319
320           grow[nummods]->mod_values[1]=NULL;
321         }
322       else
323         grow[nummods]->mod_values=NULL;
324
325       grow[nummods+1]=NULL;
326     }
327
328   return 1;
329 }
330
331 static void
332 build_attrs(LDAPMod ***modlist,char *line)
333 {
334   char *record;
335   int i;
336
337   /* Remove trailing whitespace */
338   for(i=strlen(line);i>0;i--)
339     if(ascii_isspace(line[i-1]))
340       line[i-1]='\0';
341     else
342       break;
343
344   if((record=strsep(&line,":"))==NULL)
345     return;
346
347   if(ascii_strcasecmp("pub",record)==0)
348     {
349       char *tok;
350       int disabled=0,revoked=0;
351
352       /* The long keyid */
353       if((tok=strsep(&line,":"))==NULL)
354         return;
355
356       if(strlen(tok)==16)
357         {
358           make_one_attr(modlist,0,"pgpCertID",tok);
359           make_one_attr(modlist,0,"pgpKeyID",&tok[8]);
360         }
361       else
362         return;
363
364       /* The primary pubkey algo */
365       if((tok=strsep(&line,":"))==NULL)
366         return;
367
368       switch(atoi(tok))
369         {
370         case 1:
371           make_one_attr(modlist,0,"pgpKeyType","RSA");
372           break;
373
374         case 17:
375           make_one_attr(modlist,0,"pgpKeyType","DSS/DH");
376           break;
377         }
378
379       /* Size of primary key */
380       if((tok=strsep(&line,":"))==NULL)
381         return;
382
383       if(atoi(tok)>0)
384         {
385           char padded[6];
386           int val=atoi(tok);
387
388           /* We zero pad this on the left to make PGP happy. */
389
390           if(val<99999 && val>0)
391             {
392               sprintf(padded,"%05u",atoi(tok));
393               make_one_attr(modlist,0,"pgpKeySize",padded);
394             }
395         }
396
397       /* pk timestamp */
398       if((tok=strsep(&line,":"))==NULL)
399         return;
400
401       if(atoi(tok)>0)
402         {
403           char *stamp=epoch2ldaptime(atoi(tok));
404           if(stamp)
405             {
406               make_one_attr(modlist,0,"pgpKeyCreateTime",stamp);
407               free(stamp);
408             }
409         }
410
411       /* pk expire */
412       if((tok=strsep(&line,":"))==NULL)
413         return;
414
415       if(atoi(tok)>0)
416         {
417           char *stamp=epoch2ldaptime(atoi(tok));
418           if(stamp)
419             {
420               make_one_attr(modlist,0,"pgpKeyExpireTime",stamp);
421               free(stamp);
422             }
423         }
424
425       /* flags */
426       if((tok=strsep(&line,":"))==NULL)
427         return;
428
429       while(*tok)
430         switch(*tok++)
431           {
432           case 'r':
433           case 'R':
434             revoked=1;
435             break;
436             
437           case 'd':
438           case 'D':
439             disabled=1;
440             break;
441           }
442
443       /*
444         Note that we always create the pgpDisabled and pgpRevoked
445         attributes, regardless of whether the key is disabled/revoked
446         or not.  This is because a very common search is like
447         "(&(pgpUserID=*isabella*)(pgpDisabled=0))"
448       */
449
450       make_one_attr(modlist,0,"pgpDisabled",disabled?"1":"0");
451       make_one_attr(modlist,0,"pgpRevoked",revoked?"1":"0");
452     }
453   else if(ascii_strcasecmp("uid",record)==0)
454     {
455       char *userid,*tok;
456
457       /* The user ID string */
458       if((tok=strsep(&line,":"))==NULL)
459         return;
460
461       if(strlen(tok)==0)
462         return;
463
464       userid=tok;
465
466       /* By definition, de-%-encoding is always smaller than the
467          original string so we can decode in place. */
468
469       i=0;
470
471       while(*tok)
472         if(tok[0]=='%' && tok[1] && tok[2])
473           {
474             if((userid[i]=hextobyte(&tok[1]))==-1)
475               userid[i]='?';
476
477             i++;
478             tok+=3;
479           }
480         else
481           userid[i++]=*tok++;
482
483       /* We don't care about the other info provided in the uid: line
484          since the LDAP schema doesn't need it. */
485
486       make_one_attr(modlist,0,"pgpUserID",userid);
487     }
488   else if(ascii_strcasecmp("sig",record)==0)
489     {
490       char *tok;
491
492       if((tok=strsep(&line,":"))==NULL)
493         return;
494
495       if(strlen(tok)==16)
496         make_one_attr(modlist,1,"pgpSignerID",tok);
497     }
498 }
499
500 static void
501 free_mod_values(LDAPMod *mod)
502 {
503   char **ptr;
504
505   if(!mod->mod_values)
506     return;
507
508   for(ptr=mod->mod_values;*ptr;ptr++)
509     free(*ptr);
510
511   free(mod->mod_values);
512 }
513
514 static int
515 send_key(int *eof)
516 {
517   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
518   char *dn=NULL,line[MAX_LINE],*key=NULL;
519   char keyid[17];
520   LDAPMod **modlist,**ml;
521
522   modlist=malloc(sizeof(LDAPMod *));
523   if(!modlist)
524     {
525       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
526       ret=KEYSERVER_NO_MEMORY;
527       goto fail;
528     }
529
530   *modlist=NULL;
531
532   /* Going on the assumption that modify operations are more frequent
533      than adds, I'm setting up the modify operations here first. */
534   make_one_attr(&modlist,0,"pgpDisabled",NULL);
535   make_one_attr(&modlist,0,"pgpKeyID",NULL);
536   make_one_attr(&modlist,0,"pgpKeyType",NULL);
537   make_one_attr(&modlist,0,"pgpUserID",NULL);
538   make_one_attr(&modlist,0,"pgpKeyCreateTime",NULL);
539   make_one_attr(&modlist,0,"pgpSignerID",NULL);
540   make_one_attr(&modlist,0,"pgpRevoked",NULL);
541   make_one_attr(&modlist,0,"pgpSubKeyID",NULL);
542   make_one_attr(&modlist,0,"pgpKeySize",NULL);
543   make_one_attr(&modlist,0,"pgpKeyExpireTime",NULL);
544
545   /* Assemble the INFO stuff into LDAP attributes */
546
547   while(fgets(line,MAX_LINE,input)!=NULL)
548     if(sscanf(line,"INFO %16s BEGIN\n",keyid)==1)
549       {
550         begin=1;
551         break;
552       }
553
554   if(!begin)
555     {
556       /* i.e. eof before the INFO BEGIN was found.  This isn't an
557          error. */
558       *eof=1;
559       ret=KEYSERVER_OK;
560       goto fail;
561     }
562
563   if(strlen(keyid)!=16)
564     {
565       *eof=1;
566       ret=KEYSERVER_KEY_INCOMPLETE;
567       goto fail;
568     }
569
570   dn=malloc(strlen("pgpCertID=")+16+1+strlen(basekeyspacedn)+1);
571   if(dn==NULL)
572     {
573       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
574       ret=KEYSERVER_NO_MEMORY;
575       goto fail;
576     }
577
578   sprintf(dn,"pgpCertID=%s,%s",keyid,basekeyspacedn);
579
580   key=malloc(1);
581   if(!key)
582     {
583       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
584       ret=KEYSERVER_NO_MEMORY;
585       goto fail;
586     }
587
588   key[0]='\0';
589
590   /* Now parse each line until we see the END */
591
592   while(fgets(line,MAX_LINE,input)!=NULL)
593     if(sscanf(line,"INFO %16s END\n",keyid)==1)
594       {
595         end=1;
596         break;
597       }
598     else
599       build_attrs(&modlist,line);
600
601   if(!end)
602     {
603       fprintf(console,"gpgkeys: no INFO %s END found\n",keyid);
604       *eof=1;
605       ret=KEYSERVER_KEY_INCOMPLETE;
606       goto fail;
607     }
608
609   begin=end=0;
610
611   /* Read and throw away stdin until we see the BEGIN */
612
613   while(fgets(line,MAX_LINE,input)!=NULL)
614     if(sscanf(line,"KEY %16s BEGIN\n",keyid)==1)
615       {
616         begin=1;
617         break;
618       }
619
620   if(!begin)
621     {
622       /* i.e. eof before the KEY BEGIN was found.  This isn't an
623          error. */
624       *eof=1;
625       ret=KEYSERVER_OK;
626       goto fail;
627     }
628
629   /* Now slurp up everything until we see the END */
630
631   while(fgets(line,MAX_LINE,input)!=NULL)
632     if(sscanf(line,"KEY %16s END\n",keyid)==1)
633       {
634         end=1;
635         break;
636       }
637     else
638       {
639         char *tempkey;
640         keysize+=strlen(line);
641         tempkey=realloc(key,keysize);
642         if(tempkey==NULL)
643           {
644             fprintf(console,"gpgkeys: unable to reallocate for key\n");
645             ret=KEYSERVER_NO_MEMORY;
646             goto fail;
647           }
648         else
649           key=tempkey;
650
651         strcat(key,line);
652       }
653
654   if(!end)
655     {
656       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
657       *eof=1;
658       ret=KEYSERVER_KEY_INCOMPLETE;
659       goto fail;
660     }
661
662   make_one_attr(&modlist,0,"objectClass","pgpKeyInfo");
663   make_one_attr(&modlist,0,"pgpKey",key);
664
665   /* If it's not there, we just turn around and send an add command
666      for the same key.  Otherwise, the modify brings the server copy
667      into compliance with our copy.  Note that unlike the LDAP
668      keyserver (and really, any other keyserver) this does NOT merge
669      signatures, but replaces the whole key.  This should make some
670      people very happy. */
671
672   err=ldap_modify_s(ldap,dn,modlist);
673   if(err==LDAP_NO_SUCH_OBJECT)
674     {
675       LDAPMod **addlist=&modlist[10];
676       err=ldap_add_s(ldap,dn,addlist);
677     }
678
679   if(err!=LDAP_SUCCESS)
680     {
681       printf("err %d\n",err);
682       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
683               keyid,ldap_err2string(err));
684       ret=ldap_err_to_gpg_err(err);
685       goto fail;
686     }
687
688   ret=KEYSERVER_OK;
689
690  fail:
691   /* Unwind and free the whole modlist structure */
692   for(ml=modlist;*ml;ml++)
693     {
694       free_mod_values(*ml);
695       free(*ml);
696     }
697
698   free(modlist);
699   free(dn);
700
701   if(ret!=0 && begin)
702     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
703
704   return ret;
705 }
706
707 static int
708 send_key_keyserver(int *eof)
709 {
710   int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
711   char *dn=NULL,line[MAX_LINE],*key[2]={NULL,NULL};
712   char keyid[17];
713   LDAPMod mod, *attrs[2];
714
715   memset (&mod, 0, sizeof mod);
716   mod.mod_op      = LDAP_MOD_ADD;
717   mod.mod_type    = pgpkeystr;
718   mod.mod_values  = key;
719   attrs[0]    = &mod;
720   attrs[1]    = NULL;
721
722   dn=malloc(strlen("pgpCertid=virtual,")+strlen(basekeyspacedn)+1);
723   if(dn==NULL)
724     {
725       fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
726       ret=KEYSERVER_NO_MEMORY;
727       goto fail;
728     }
729
730   strcpy(dn,"pgpCertid=virtual,");
731   strcat(dn,basekeyspacedn);
732
733   key[0]=malloc(1);
734   if(key[0]==NULL)
735     {
736       fprintf(console,"gpgkeys: unable to allocate memory for key\n");
737       ret=KEYSERVER_NO_MEMORY;
738       goto fail;
739     }
740
741   key[0][0]='\0';
742
743   /* Read and throw away stdin until we see the BEGIN */
744
745   while(fgets(line,MAX_LINE,input)!=NULL)
746     if(sscanf(line,"KEY %16s BEGIN\n",keyid)==1)
747       {
748         begin=1;
749         break;
750       }
751
752   if(!begin)
753     {
754       /* i.e. eof before the KEY BEGIN was found.  This isn't an
755          error. */
756       *eof=1;
757       ret=KEYSERVER_OK;
758       goto fail;
759     }
760
761   /* Now slurp up everything until we see the END */
762
763   while(fgets(line,MAX_LINE,input)!=NULL)
764     if(sscanf(line,"KEY %16s END\n",keyid)==1)
765       {
766         end=1;
767         break;
768       }
769     else
770       {
771         keysize+=strlen(line);
772         key[0]=realloc(key[0],keysize);
773         if(key[0]==NULL)
774           {
775             fprintf(console,"gpgkeys: unable to reallocate for key\n");
776             ret=KEYSERVER_NO_MEMORY;
777             goto fail;
778           }
779
780         strcat(key[0],line);
781       }
782
783   if(!end)
784     {
785       fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
786       *eof=1;
787       ret=KEYSERVER_KEY_INCOMPLETE;
788       goto fail;
789     }
790
791   err=ldap_add_s(ldap,dn,attrs);
792   if(err!=LDAP_SUCCESS)
793     {
794       fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
795               keyid,ldap_err2string(err));
796       ret=ldap_err_to_gpg_err(err);
797       goto fail;
798     }
799
800   ret=KEYSERVER_OK;
801
802  fail:
803
804   free(key[0]);
805   free(dn);
806
807   if(ret!=0 && begin)
808     fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
809
810   /* Not a fatal error */
811   if(ret==KEYSERVER_KEY_EXISTS)
812     ret=KEYSERVER_OK;
813
814   return ret;
815 }
816
817 /* Note that key-not-found is not a fatal error */
818 static int
819 get_key(char *getkey)
820 {
821   LDAPMessage *res,*each;
822   int ret=KEYSERVER_INTERNAL_ERROR,err,count;
823   struct keylist *dupelist=NULL;
824   char search[62];
825   /* This ordering is significant - specifically, "pgpcertid" needs to
826      be the second item in the list, since everything after it may be
827      discarded if the user isn't in verbose mode. */
828   char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
829                  "pgpdisabled","pgpkeycreatetime","modifytimestamp",
830                  "pgpkeysize","pgpkeytype",NULL};
831   attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
832                          array initializers. */
833
834   /* Build the search string */
835
836   /* GPG can send us a v4 fingerprint, a v3 or v4 long key id, or a v3
837      or v4 short key id */
838
839   if(strncmp(getkey,"0x",2)==0)
840     getkey+=2;
841
842   if(strlen(getkey)==32)
843     {
844       fprintf(console,
845               "gpgkeys: LDAP keyservers do not support v3 fingerprints\n");
846       fprintf(output,"KEY 0x%s BEGIN\n",getkey);
847       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED);
848       return KEYSERVER_NOT_SUPPORTED;
849     }
850
851   if(strlen(getkey)>16)
852     {
853       char *offset=&getkey[strlen(getkey)-16];
854
855       /* fingerprint.  Take the last 16 characters and treat it like a
856          long key id */
857
858       if(include_subkeys)
859         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
860                 offset,offset);
861       else
862         sprintf(search,"(pgpcertid=%.16s)",offset);
863     }
864   else if(strlen(getkey)>8)
865     {
866       /* long key id */
867
868       if(include_subkeys)
869         sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
870                 getkey,getkey);
871       else
872         sprintf(search,"(pgpcertid=%.16s)",getkey);
873     }
874   else
875     {
876       /* short key id */
877     
878       sprintf(search,"(pgpkeyid=%.8s)",getkey);
879     }
880
881   fprintf(output,"KEY 0x%s BEGIN\n",getkey);
882
883   if(verbose>2)
884     fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
885
886   if(!verbose)
887     attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
888
889   if(verbose)
890     fprintf(console,"gpgkeys: requesting key 0x%s from ldap://%s%s%s\n",
891             getkey,host,portstr[0]?":":"",portstr[0]?portstr:"");
892
893   err=ldap_search_s(ldap,basekeyspacedn,
894                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
895   if(err!=0)
896     {
897       int errtag=ldap_err_to_gpg_err(err);
898
899       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
900       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
901       return errtag;
902     }
903
904   count=ldap_count_entries(ldap,res);
905   if(count<1)
906     {
907       fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
908       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
909     }
910   else
911     {
912       /* There may be more than one unique result for a given keyID,
913          so we should fetch them all (test this by fetching short key
914          id 0xDEADBEEF). */
915
916       each=ldap_first_entry(ldap,res);
917       while(each!=NULL)
918         {
919           char **vals,**certid;
920
921           /* Use the long keyid to remove duplicates.  The LDAP server
922              returns the same keyid more than once if there are
923              multiple user IDs on the key.  Note that this does NOT
924              mean that a keyid that exists multiple times on the
925              keyserver will not be fetched.  It means that each KEY,
926              no matter how many user IDs share its keyid, will be
927              fetched only once.  If a keyid that belongs to more than
928              one key is fetched, the server quite properly responds
929              with all matching keys. -ds */
930
931           certid=ldap_get_values(ldap,each,"pgpcertid");
932           if(certid!=NULL)
933             {
934               if(!key_in_keylist(certid[0],dupelist))
935                 {
936                   /* it's not a duplicate, so add it */
937
938                   int rc=add_key_to_keylist(certid[0],&dupelist);
939                   if(rc)
940                     {
941                       ret=rc;
942                       goto fail;
943                     }
944
945                   if(verbose)
946                     {
947                       vals=ldap_get_values(ldap,each,"pgpuserid");
948                       if(vals!=NULL)
949                         {
950                           /* This is wrong, as the user ID is UTF8.  A
951                              better way to handle this would be to send it
952                              over to gpg and display it on that side of
953                              the pipe. */
954                           fprintf(console,"\nUser ID:\t%s\n",vals[0]);
955                           ldap_value_free(vals);
956                         }
957
958                       vals=ldap_get_values(ldap,each,"pgprevoked");
959                       if(vals!=NULL)
960                         {
961                           if(atoi(vals[0])==1)
962                             fprintf(console,"\t\t** KEY REVOKED **\n");
963                           ldap_value_free(vals);
964                         }
965
966                       vals=ldap_get_values(ldap,each,"pgpdisabled");
967                       if(vals!=NULL)
968                         {
969                           if(atoi(vals[0])==1)
970                             fprintf(console,"\t\t** KEY DISABLED **\n");
971                           ldap_value_free(vals);
972                         }
973
974                       vals=ldap_get_values(ldap,each,"pgpkeyid");
975                       if(vals!=NULL)
976                         {
977                           fprintf(console,"Short key ID:\t%s\n",vals[0]);
978                           ldap_value_free(vals);
979                         }
980
981                       fprintf(console,"Long key ID:\t%s\n",certid[0]);
982
983                       /* YYYYMMDDHHmmssZ */
984
985                       vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
986                       if(vals!=NULL)
987                         {
988                           if(strlen(vals[0])==15)
989                             fprintf(console,"Key created:\t%.2s/%.2s/%.4s\n",
990                                     &vals[0][4],&vals[0][6],vals[0]);
991                           ldap_value_free(vals);
992                         }
993
994                       vals=ldap_get_values(ldap,each,"modifytimestamp");
995                       if(vals!=NULL)
996                         {
997                           if(strlen(vals[0])==15)
998                             fprintf(console,"Key modified:\t%.2s/%.2s/%.4s\n",
999                                     &vals[0][4],&vals[0][6],vals[0]);
1000                           ldap_value_free(vals);
1001                         }
1002
1003                       vals=ldap_get_values(ldap,each,"pgpkeysize");
1004                       if(vals!=NULL)
1005                         {
1006                           if(atoi(vals[0])>0)
1007                             fprintf(console,"Key size:\t%d\n",atoi(vals[0]));
1008                           ldap_value_free(vals);
1009                         }
1010
1011                       vals=ldap_get_values(ldap,each,"pgpkeytype");
1012                       if(vals!=NULL)
1013                         {
1014                           fprintf(console,"Key type:\t%s\n",vals[0]);
1015                           ldap_value_free(vals);
1016                         }
1017                     }
1018
1019                   vals=ldap_get_values(ldap,each,pgpkeystr);
1020                   if(vals==NULL)
1021                     {
1022                       int errtag=ldap_to_gpg_err(ldap);
1023
1024                       fprintf(console,"gpgkeys: unable to retrieve key %s "
1025                               "from keyserver\n",getkey);
1026                       fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1027                     }
1028                   else
1029                     {
1030                       fprintf(output,"%sKEY 0x%s END\n",vals[0],getkey);
1031
1032                       ldap_value_free(vals);
1033                     }
1034                 }
1035
1036               ldap_value_free(certid);
1037             }
1038
1039           each=ldap_next_entry(ldap,each);
1040         }
1041     }
1042
1043   ret=KEYSERVER_OK;
1044
1045  fail:
1046   ldap_msgfree(res);
1047   free_keylist(dupelist);
1048
1049   return ret;
1050 }
1051
1052 static void
1053 printquoted(FILE *stream,char *string,char delim)
1054 {
1055   while(*string)
1056     {
1057       if(*string==delim || *string=='%')
1058         fprintf(stream,"%%%02x",*string);
1059       else
1060         fputc(*string,stream);
1061
1062       string++;
1063     }
1064 }
1065
1066 /* Returns 0 on success and -1 on error.  Note that key-not-found is
1067    not an error! */
1068 static int
1069 search_key(char *searchkey)
1070 {
1071   char **vals;
1072   LDAPMessage *res,*each;
1073   int err,count=0;
1074   struct keylist *dupelist=NULL;
1075   /* The maximum size of the search, including the optional stuff and
1076      the trailing \0 */
1077   char search[2+12+MAX_LINE+2+15+14+1+1];
1078   char *attrs[]={"pgpcertid","pgpuserid","pgprevoked","pgpdisabled",
1079                  "pgpkeycreatetime","pgpkeyexpiretime","modifytimestamp",
1080                  "pgpkeysize","pgpkeytype",NULL};
1081
1082   fprintf(output,"SEARCH %s BEGIN\n",searchkey);
1083
1084   /* Build the search string */
1085
1086   sprintf(search,"%s(pgpuserid=*%s*)%s%s%s",
1087           (!(include_disabled&&include_revoked))?"(&":"",
1088           searchkey,
1089           include_disabled?"":"(pgpdisabled=0)",
1090           include_revoked?"":"(pgprevoked=0)",
1091           !(include_disabled&&include_revoked)?")":"");
1092
1093   if(verbose>2)
1094     fprintf(console,"gpgkeys: LDAP search for: %s\n",search);
1095
1096   fprintf(console,("gpgkeys: searching for \"%s\" from LDAP server %s\n"),
1097           searchkey,host);
1098
1099   err=ldap_search_s(ldap,basekeyspacedn,
1100                     LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1101   if(err!=LDAP_SUCCESS && err!=LDAP_SIZELIMIT_EXCEEDED)
1102     {
1103       int errtag=ldap_err_to_gpg_err(err);
1104
1105       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,errtag);
1106       fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1107       return errtag;
1108     }
1109
1110   /* The LDAP server doesn't return a real count of unique keys, so we
1111      can't use ldap_count_entries here. */
1112   each=ldap_first_entry(ldap,res);
1113   while(each!=NULL)
1114     {
1115       char **certid=ldap_get_values(ldap,each,"pgpcertid");
1116
1117       if(certid!=NULL)
1118         {
1119           if(!key_in_keylist(certid[0],dupelist))
1120             {
1121               int rc=add_key_to_keylist(certid[0],&dupelist);
1122               if(rc!=0)
1123                 {
1124                   fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1125                   free_keylist(dupelist);
1126                   return rc;
1127                 }
1128
1129               count++;
1130             }
1131         }
1132
1133       each=ldap_next_entry(ldap,each);
1134     }
1135
1136   if(err==LDAP_SIZELIMIT_EXCEEDED)
1137     fprintf(console,"gpgkeys: search results exceeded server limit.  First %d results shown.\n",count);
1138
1139   free_keylist(dupelist);
1140   dupelist=NULL;
1141
1142   if(count<1)
1143     fprintf(output,"info:1:0\n");
1144   else
1145     {
1146       fprintf(output,"info:1:%d\n",count);
1147
1148       each=ldap_first_entry(ldap,res);
1149       while(each!=NULL)
1150         {
1151           char **certid;
1152
1153           certid=ldap_get_values(ldap,each,"pgpcertid");
1154           if(certid!=NULL)
1155             {
1156               LDAPMessage *uids;
1157
1158               /* Have we seen this certid before? */
1159               if(!key_in_keylist(certid[0],dupelist))
1160                 {
1161                   int rc=add_key_to_keylist(certid[0],&dupelist);
1162                   if(rc)
1163                     {
1164                       fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1165                       free_keylist(dupelist);
1166                       ldap_value_free(certid);
1167                       ldap_msgfree(res);
1168                       return rc;
1169                     }
1170
1171                   fprintf(output,"pub:%s:",certid[0]);
1172
1173                   vals=ldap_get_values(ldap,each,"pgpkeytype");
1174                   if(vals!=NULL)
1175                     {
1176                       /* The LDAP server doesn't exactly handle this
1177                          well. */
1178                       if(strcasecmp(vals[0],"RSA")==0)
1179                         fprintf(output,"1");
1180                       else if(strcasecmp(vals[0],"DSS/DH")==0)
1181                         fprintf(output,"17");
1182                       ldap_value_free(vals);
1183                     }
1184
1185                   fputc(':',output);
1186
1187                   vals=ldap_get_values(ldap,each,"pgpkeysize");
1188                   if(vals!=NULL)
1189                     {
1190                       /* Not sure why, but some keys are listed with a
1191                          key size of 0.  Treat that like an
1192                          unknown. */
1193                       if(atoi(vals[0])>0)
1194                         fprintf(output,"%d",atoi(vals[0]));
1195                       ldap_value_free(vals);
1196                     }
1197
1198                   fputc(':',output);
1199
1200                   /* YYYYMMDDHHmmssZ */
1201
1202                   vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
1203                   if(vals!=NULL && strlen(vals[0])==15)
1204                     {
1205                       fprintf(output,"%u",
1206                               (unsigned int)ldap2epochtime(vals[0]));
1207                       ldap_value_free(vals);
1208                     }
1209
1210                   fputc(':',output);
1211
1212                   vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
1213                   if(vals!=NULL && strlen(vals[0])==15)
1214                     {
1215                       fprintf(output,"%u",
1216                               (unsigned int)ldap2epochtime(vals[0]));
1217                       ldap_value_free(vals);
1218                     }
1219
1220                   fputc(':',output);
1221
1222                   vals=ldap_get_values(ldap,each,"pgprevoked");
1223                   if(vals!=NULL)
1224                     {
1225                       if(atoi(vals[0])==1)
1226                         fprintf(output,"r");
1227                       ldap_value_free(vals);
1228                     }
1229
1230                   vals=ldap_get_values(ldap,each,"pgpdisabled");
1231                   if(vals!=NULL)
1232                     {
1233                       if(atoi(vals[0])==1)
1234                         fprintf(output,"d");
1235                       ldap_value_free(vals);
1236                     }
1237
1238 #if 0
1239                   /* This is not yet specified in the keyserver
1240                      protocol, but may be someday. */
1241                   fputc(':',output);
1242
1243                   vals=ldap_get_values(ldap,each,"modifytimestamp");
1244                   if(vals!=NULL && strlen(vals[0])==15)
1245                     {
1246                       fprintf(output,"%u",
1247                               (unsigned int)ldap2epochtime(vals[0]));
1248                       ldap_value_free(vals);
1249                     }
1250 #endif
1251
1252                   fprintf(output,"\n");
1253
1254                   /* Now print all the uids that have this certid */
1255                   uids=ldap_first_entry(ldap,res);
1256                   while(uids!=NULL)
1257                     {
1258                       vals=ldap_get_values(ldap,uids,"pgpcertid");
1259                       if(vals!=NULL)
1260                         {
1261                           if(strcasecmp(certid[0],vals[0])==0)
1262                             {
1263                               char **uidvals;
1264
1265                               fprintf(output,"uid:");
1266
1267                               uidvals=ldap_get_values(ldap,uids,"pgpuserid");
1268                               if(uidvals!=NULL)
1269                                 {
1270                                   /* Need to escape any colons */
1271                                   printquoted(output,uidvals[0],':');
1272                                   ldap_value_free(uidvals);
1273                                 }
1274
1275                               fprintf(output,"\n");
1276                             }
1277
1278                           ldap_value_free(vals);
1279                         }
1280
1281                       uids=ldap_next_entry(ldap,uids);
1282                     }
1283                 }
1284
1285               ldap_value_free(certid);
1286             }
1287
1288           each=ldap_next_entry(ldap,each);
1289         }
1290     }
1291
1292   ldap_msgfree(res);
1293   free_keylist(dupelist);
1294
1295   fprintf(output,"SEARCH %s END\n",searchkey);
1296
1297   return KEYSERVER_OK;
1298 }
1299
1300 static void
1301 fail_all(struct keylist *keylist,int action,int err)
1302 {
1303   if(!keylist)
1304     return;
1305
1306   if(action==SEARCH)
1307     {
1308       fprintf(output,"SEARCH ");
1309       while(keylist)
1310         {
1311           fprintf(output,"%s ",keylist->str);
1312           keylist=keylist->next;
1313         }
1314       fprintf(output,"FAILED %d\n",err);
1315     }
1316   else
1317     while(keylist)
1318       {
1319         fprintf(output,"KEY %s FAILED %d\n",keylist->str,err);
1320         keylist=keylist->next;
1321       }
1322 }
1323
1324 static int
1325 find_basekeyspacedn(void)
1326 {
1327   int err,i;
1328   char *attr[]={"namingContexts",NULL,NULL,NULL};
1329   LDAPMessage *res;
1330   char **context;
1331
1332   /* Look for namingContexts */
1333   err=ldap_search_s(ldap,"",LDAP_SCOPE_BASE,"(objectClass=*)",attr,0,&res);
1334   if(err==LDAP_SUCCESS)
1335     {
1336       context=ldap_get_values(ldap,res,"namingContexts");
1337       if(context)
1338         {
1339           attr[0]="pgpBaseKeySpaceDN";
1340           attr[1]="pgpVersion";
1341           attr[2]="pgpSoftware";
1342
1343           real_ldap=1;
1344
1345           /* We found some, so try each namingContext as the search base
1346              and look for pgpBaseKeySpaceDN.  Because we found this, we
1347              know we're talking to a regular-ish LDAP server and not a
1348              LDAP keyserver. */
1349
1350           for(i=0;context[i] && !basekeyspacedn;i++)
1351             {
1352               char **vals;
1353               LDAPMessage *si_res;
1354               err=ldap_search_s(ldap,context[i],LDAP_SCOPE_ONELEVEL,
1355                                 "(cn=pgpServerInfo)",attr,0,&si_res);
1356               if(err!=LDAP_SUCCESS)
1357                 return err;
1358
1359               vals=ldap_get_values(ldap,si_res,"pgpBaseKeySpaceDN");
1360               if(vals)
1361                 {
1362                   /* This is always "OU=ACTIVE,O=PGP KEYSPACE,C=US", but
1363                      it might not be in the future. */
1364
1365                   basekeyspacedn=strdup(vals[0]);
1366                   ldap_value_free(vals);
1367                 }
1368
1369               if(verbose>1)
1370                 {
1371                   vals=ldap_get_values(ldap,si_res,"pgpSoftware");
1372                   if(vals)
1373                     {
1374                       fprintf(console,"Server: \t%s\n",vals[0]);
1375                       ldap_value_free(vals);
1376                     }
1377
1378                   vals=ldap_get_values(ldap,si_res,"pgpVersion");
1379                   if(vals)
1380                     {
1381                       fprintf(console,"Version:\t%s\n",vals[0]);
1382                       ldap_value_free(vals);
1383                     }
1384                 }
1385
1386               ldap_msgfree(si_res);
1387             }
1388
1389           ldap_value_free(context);
1390         }
1391
1392       ldap_msgfree(res);
1393     }
1394   else
1395     {
1396       /* We don't have an answer yet, which means the server might be
1397          a LDAP keyserver. */
1398       char **vals;
1399       LDAPMessage *si_res;
1400
1401       attr[0]="pgpBaseKeySpaceDN";
1402       attr[1]="version";
1403       attr[2]="software";
1404
1405       err=ldap_search_s(ldap,"cn=pgpServerInfo",LDAP_SCOPE_BASE,
1406                         "(objectClass=*)",attr,0,&si_res);
1407       if(err!=LDAP_SUCCESS)
1408         return err;
1409
1410       vals=ldap_get_values(ldap,si_res,"baseKeySpaceDN");
1411       if(vals)
1412         {
1413           basekeyspacedn=strdup(vals[0]);
1414           ldap_value_free(vals);
1415         }
1416
1417       if(verbose>1)
1418         {
1419           vals=ldap_get_values(ldap,si_res,"software");
1420           if(vals)
1421             {
1422               fprintf(console,"Server: \t%s\n",vals[0]);
1423               ldap_value_free(vals);
1424             }
1425         }
1426
1427       vals=ldap_get_values(ldap,si_res,"version");
1428       if(vals)
1429         {
1430           if(verbose>1)
1431             fprintf(console,"Version:\t%s\n",vals[0]);
1432
1433           /* If the version is high enough, use the new pgpKeyV2
1434              attribute.  This design if iffy at best, but it matches how
1435              PGP does it.  I figure the NAI folks assumed that there would
1436              never be a LDAP keyserver vendor with a different numbering
1437              scheme. */
1438           if(atoi(vals[0])>1)
1439             pgpkeystr="pgpKeyV2";
1440
1441           ldap_value_free(vals);
1442         }
1443
1444       ldap_msgfree(si_res);
1445     }   
1446
1447   return LDAP_SUCCESS;
1448 }
1449
1450 int
1451 main(int argc,char *argv[])
1452 {
1453   int port=0,arg,err,action=-1,ret=KEYSERVER_INTERNAL_ERROR;
1454   char line[MAX_LINE];
1455   int version,failed=0,use_ssl=0,use_tls=0;
1456   struct keylist *keylist=NULL,*keyptr=NULL;
1457
1458   console=stderr;
1459
1460   while((arg=getopt(argc,argv,"hVo:"))!=-1)
1461     switch(arg)
1462       {
1463       default:
1464       case 'h':
1465         fprintf(console,"-h\thelp\n");
1466         fprintf(console,"-V\tversion\n");
1467         fprintf(console,"-o\toutput to this file\n");
1468         return KEYSERVER_OK;
1469
1470       case 'V':
1471         fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION);
1472         return KEYSERVER_OK;
1473
1474       case 'o':
1475         output=fopen(optarg,"w");
1476         if(output==NULL)
1477           {
1478             fprintf(console,"gpgkeys: Cannot open output file \"%s\": %s\n",
1479                     optarg,strerror(errno));
1480             return KEYSERVER_INTERNAL_ERROR;
1481           }
1482
1483         break;
1484       }
1485
1486   if(argc>optind)
1487     {
1488       input=fopen(argv[optind],"r");
1489       if(input==NULL)
1490         {
1491           fprintf(console,"gpgkeys: Cannot open input file \"%s\": %s\n",
1492                   argv[optind],strerror(errno));
1493           return KEYSERVER_INTERNAL_ERROR;
1494         }
1495     }
1496
1497   if(input==NULL)
1498     input=stdin;
1499
1500   if(output==NULL)
1501     output=stdout;
1502
1503   /* Get the command and info block */
1504
1505   while(fgets(line,MAX_LINE,input)!=NULL)
1506     {
1507       char commandstr[7];
1508       char optionstr[30];
1509       char schemestr[80];
1510       char hash;
1511
1512       if(line[0]=='\n')
1513         break;
1514
1515       if(sscanf(line,"%c",&hash)==1 && hash=='#')
1516         continue;
1517
1518       if(sscanf(line,"COMMAND %6s\n",commandstr)==1)
1519         {
1520           commandstr[6]='\0';
1521
1522           if(strcasecmp(commandstr,"get")==0)
1523             action=GET;
1524           else if(strcasecmp(commandstr,"send")==0)
1525             action=SEND;
1526           else if(strcasecmp(commandstr,"search")==0)
1527             action=SEARCH;
1528
1529           continue;
1530         }
1531
1532       if(sscanf(line,"HOST %79s\n",host)==1)
1533         {
1534           host[79]='\0';
1535           continue;
1536         }
1537
1538       if(sscanf(line,"PORT %9s\n",portstr)==1)
1539         {
1540           portstr[9]='\0';
1541           port=atoi(portstr);
1542           continue;
1543         }
1544
1545       if(sscanf(line,"SCHEME %79s\n",schemestr)==1)
1546         {
1547           schemestr[79]='\0';
1548           if(strcasecmp(schemestr,"ldaps")==0)
1549             {
1550               port=636;
1551               use_ssl=1;
1552             }
1553           continue;
1554         }
1555
1556       if(sscanf(line,"VERSION %d\n",&version)==1)
1557         {
1558           if(version!=KEYSERVER_PROTO_VERSION)
1559             {
1560               ret=KEYSERVER_VERSION_ERROR;
1561               goto fail;
1562             }
1563
1564           continue;
1565         }
1566
1567       if(sscanf(line,"OPTION %29s\n",optionstr)==1)
1568         {
1569           int no=0;
1570           char *start=&optionstr[0];
1571
1572           optionstr[29]='\0';
1573
1574           if(strncasecmp(optionstr,"no-",3)==0)
1575             {
1576               no=1;
1577               start=&optionstr[3];
1578             }
1579
1580           if(strcasecmp(start,"verbose")==0)
1581             {
1582               if(no)
1583                 verbose--;
1584               else
1585                 verbose++;
1586             }
1587           else if(strcasecmp(start,"include-disabled")==0)
1588             {
1589               if(no)
1590                 include_disabled=0;
1591               else
1592                 include_disabled=1;
1593             }
1594           else if(strcasecmp(start,"include-revoked")==0)
1595             {
1596               if(no)
1597                 include_revoked=0;
1598               else
1599                 include_revoked=1;
1600             }
1601           else if(strcasecmp(start,"include-subkeys")==0)
1602             {
1603               if(no)
1604                 include_subkeys=0;
1605               else
1606                 include_subkeys=1;
1607             }
1608           else if(strncasecmp(start,"tls",3)==0)
1609             {
1610               if(no)
1611                 use_tls=0;
1612               else if(start[3]=='=')
1613                 {
1614                   if(strcasecmp(&start[4],"no")==0)
1615                     use_tls=0;
1616                   else if(strcasecmp(&start[4],"try")==0)
1617                     use_tls=1;
1618                   else if(strcasecmp(&start[4],"warn")==0)
1619                     use_tls=2;
1620                   else if(strcasecmp(&start[4],"require")==0)
1621                     use_tls=3;
1622                   else
1623                     use_tls=1;
1624                 }
1625               else if(start[3]=='\0')
1626                 use_tls=1;
1627             }
1628
1629           continue;
1630         }
1631     }
1632
1633   /* If it's a GET or a SEARCH, the next thing to come in is the
1634      keyids.  If it's a SEND, then there are no keyids. */
1635
1636   if(action==SEND)
1637     while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n');
1638   else if(action==GET || action==SEARCH)
1639     {
1640       for(;;)
1641         {
1642           struct keylist *work;
1643
1644           if(fgets(line,MAX_LINE,input)==NULL)
1645             break;
1646           else
1647             {
1648               if(line[0]=='\n' || line[0]=='\0')
1649                 break;
1650
1651               work=malloc(sizeof(struct keylist));
1652               if(work==NULL)
1653                 {
1654                   fprintf(console,"gpgkeys: out of memory while "
1655                           "building key list\n");
1656                   ret=KEYSERVER_NO_MEMORY;
1657                   goto fail;
1658                 }
1659
1660               strcpy(work->str,line);
1661
1662               /* Trim the trailing \n */
1663               work->str[strlen(line)-1]='\0';
1664
1665               work->next=NULL;
1666
1667               /* Always attach at the end to keep the list in proper
1668                  order for searching */
1669               if(keylist==NULL)
1670                 keylist=work;
1671               else
1672                 keyptr->next=work;
1673
1674               keyptr=work;
1675             }
1676         }
1677     }
1678   else
1679     {
1680       fprintf(console,"gpgkeys: no keyserver command specified\n");
1681       goto fail;
1682     }
1683
1684   /* Send the response */
1685
1686   fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1687   fprintf(output,"PROGRAM %s\n\n",VERSION);
1688
1689   if(verbose>1)
1690     {
1691       fprintf(console,"Host:\t\t%s\n",host);
1692       if(port)
1693         fprintf(console,"Port:\t\t%d\n",port);
1694       fprintf(console,"Command:\t%s\n",action==GET?"GET":
1695               action==SEND?"SEND":"SEARCH");
1696     }
1697
1698   /* Note that this tries all A records on a given host (or at least,
1699      OpenLDAP does). */
1700   ldap=ldap_init(host,port);
1701   if(ldap==NULL)
1702     {
1703       fprintf(console,"gpgkeys: internal LDAP init error: %s\n",
1704               strerror(errno));
1705       fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1706       goto fail;
1707     }
1708
1709   if(use_ssl)
1710     {
1711       if(!real_ldap)
1712         {
1713           fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
1714                   "not supported by the NAI LDAP keyserver");
1715           fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1716           goto fail;
1717         }
1718       else
1719         {
1720 #if defined(LDAP_OPT_X_TLS_HARD) && defined(HAVE_LDAP_SET_OPTION)
1721           int ssl=LDAP_OPT_X_TLS_HARD;
1722           err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
1723           if(err!=LDAP_SUCCESS)
1724             {
1725               fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
1726                       ldap_err2string(err));
1727               fail_all(keylist,action,ldap_err_to_gpg_err(err));
1728               goto fail;
1729             }
1730 #else
1731           fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
1732                   "not built with LDAPS support");
1733           fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1734           goto fail;
1735 #endif
1736         }
1737     }
1738
1739   if((err=find_basekeyspacedn()))
1740     {
1741       fprintf(console,"gpgkeys: unable to retrieve LDAP base: %s\n",
1742               ldap_err2string(err));
1743       fail_all(keylist,action,ldap_err_to_gpg_err(err));
1744       goto fail;
1745     }
1746
1747   /* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
1748      3=force use. */
1749   if(use_tls)
1750     {
1751       if(!real_ldap)
1752         {
1753           if(use_tls>=2)
1754             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1755                     "not supported by the NAI LDAP keyserver");
1756           if(use_tls==3)
1757             {
1758               fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1759               goto fail;
1760             }
1761         }
1762       else
1763         {
1764 #if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
1765           int ver=LDAP_VERSION3;
1766
1767           err=LDAP_SUCCESS;
1768
1769           err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
1770           if(err==LDAP_SUCCESS)
1771             err=ldap_start_tls_s(ldap,NULL,NULL);
1772
1773           if(err!=LDAP_SUCCESS && use_tls>=2)
1774             {
1775               fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1776                       ldap_err2string(err));
1777               /* Are we forcing it? */
1778               if(use_tls==3)
1779                 {
1780                   fail_all(keylist,action,ldap_err_to_gpg_err(err));
1781                   goto fail;
1782                 }
1783             }
1784           else if(verbose>1)
1785             fprintf(console,"gpgkeys: TLS started successfully.\n");
1786 #else
1787           if(use_tls>=2)
1788             fprintf(console,"gpgkeys: unable to start TLS: %s\n",
1789                     "not built with TLS support");
1790           if(use_tls==3)
1791             {
1792               fail_all(keylist,action,KEYSERVER_INTERNAL_ERROR);
1793               goto fail;
1794             }
1795 #endif
1796         }
1797     }
1798
1799   /* The LDAP keyserver doesn't require this, but it might be useful
1800      if someone stores keys on a V2 LDAP server somewhere.  (V3
1801      doesn't require a bind). */
1802
1803   err=ldap_simple_bind_s(ldap,NULL,NULL);
1804   if(err!=0)
1805     {
1806       fprintf(console,"gpgkeys: internal LDAP bind error: %s\n",
1807               ldap_err2string(err));
1808       fail_all(keylist,action,ldap_err_to_gpg_err(err));
1809       goto fail;
1810     }
1811
1812   switch(action)
1813     {
1814     case GET:
1815       keyptr=keylist;
1816
1817       while(keyptr!=NULL)
1818         {
1819           if(get_key(keyptr->str)!=KEYSERVER_OK)
1820             failed++;
1821
1822           keyptr=keyptr->next;
1823         }
1824       break;
1825
1826     case SEND:
1827       {
1828         int eof=0;
1829
1830         do
1831           {
1832             if(real_ldap)
1833               {
1834                 if(send_key(&eof)!=KEYSERVER_OK)
1835                   failed++;
1836               }
1837             else
1838               {
1839                 if(send_key_keyserver(&eof)!=KEYSERVER_OK)
1840                   failed++;
1841               }
1842           }
1843         while(!eof);
1844       }
1845       break;
1846
1847     case SEARCH:
1848       {
1849         char *searchkey=NULL;
1850         int len=0;
1851
1852         /* To search, we stick a * in between each key to search for.
1853            This means that if the user enters words, they'll get
1854            "enters*words".  If the user "enters words", they'll get
1855            "enters words" */
1856
1857         keyptr=keylist;
1858         while(keyptr!=NULL)
1859           {
1860             len+=strlen(keyptr->str)+1;
1861             keyptr=keyptr->next;
1862           }
1863
1864         searchkey=malloc(len+1);
1865         if(searchkey==NULL)
1866           {
1867             ret=KEYSERVER_NO_MEMORY;
1868             fail_all(keylist,action,KEYSERVER_NO_MEMORY);
1869             goto fail;
1870           }
1871
1872         searchkey[0]='\0';
1873
1874         keyptr=keylist;
1875         while(keyptr!=NULL)
1876           {
1877             strcat(searchkey,keyptr->str);
1878             strcat(searchkey,"*");
1879             keyptr=keyptr->next;
1880           }
1881
1882         /* Nail that last "*" */
1883         if(*searchkey)
1884           searchkey[strlen(searchkey)-1]='\0';
1885
1886         if(search_key(searchkey)!=KEYSERVER_OK)
1887           failed++;
1888
1889         free(searchkey);
1890       }
1891
1892       break;
1893     }
1894
1895   if(!failed)
1896     ret=KEYSERVER_OK;
1897
1898  fail:
1899
1900   while(keylist!=NULL)
1901     {
1902       struct keylist *current=keylist;
1903       keylist=keylist->next;
1904       free(current);
1905     }
1906
1907   if(input!=stdin)
1908     fclose(input);
1909
1910   if(output!=stdout)
1911     fclose(output);
1912
1913   if(ldap!=NULL)
1914     ldap_unbind_s(ldap);
1915
1916   free(basekeyspacedn);
1917
1918   return ret;
1919 }