* keyserver.c (parse_keyserver_uri): If there is a path present, set the
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <assert.h>
28 #ifdef HAVE_LIBCURL
29 #include <curl/curl.h>
30 #endif
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "iobuf.h"
38 #include "memory.h"
39 #include "ttyio.h"
40 #include "options.h"
41 #include "packet.h"
42 #include "trustdb.h"
43 #include "keyserver-internal.h"
44 #include "util.h"
45
46 #define GPGKEYS_PREFIX "gpgkeys_"
47
48 #if defined(HAVE_LIBCURL) || defined(FAKE_CURL)
49 #define GPGKEYS_CURL "gpgkeys_curl"
50 #endif
51
52 #ifdef GPGKEYS_CURL
53 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX)+strlen(GPGKEYS_CURL))
54 #else
55 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_PREFIX))
56 #endif
57
58 struct keyrec
59 {
60   KEYDB_SEARCH_DESC desc;
61   u32 createtime,expiretime;
62   int size,flags;
63   byte type;
64   IOBUF uidbuf;
65   unsigned int lines;
66 };
67
68 enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH};
69
70 /* Tell remote processes about these options */
71 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
72
73 static struct parse_options keyserver_opts[]=
74   {
75     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL,
76      N_("include revoked keys in search results")},
77     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL,
78      N_("include subkeys when searching by key ID")},
79     /* not a real option - just for the help message */
80     {"use-temp-files",0,NULL,
81      N_("use temporary files to pass data to keyserver helpers")},
82     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
83      N_("do not delete temporary files after using them")},
84     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
85      NULL},
86     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
87      N_("automatically retrieve keys when verifying signatures")},
88     {"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL,
89      N_("automatically retrieve keys from PKA records")},
90     {"auto-cert-retrieve",KEYSERVER_AUTO_CERT_RETRIEVE,NULL,
91      N_("automatically retrieve keys from DNS")},
92     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL,
93      NULL},
94     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
95      N_("honor the preferred keyserver URL set on the key")},
96     {NULL,0,NULL,NULL}
97   };
98
99 static int keyserver_work(enum ks_action action,STRLIST list,
100                           KEYDB_SEARCH_DESC *desc,int count,
101                           struct keyserver_spec *keyserver);
102
103 /* Reasonable guess */
104 #define DEFAULT_MAX_CERT_SIZE 16384
105
106 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
107
108 int
109 parse_keyserver_options(char *options)
110 {
111   int ret=1;
112   char *tok;
113   char *max_cert;
114
115   keyserver_opts[7].value=&max_cert;
116
117   while((tok=optsep(&options)))
118     {
119       if(tok[0]=='\0')
120         continue;
121
122       /* For backwards compatibility.  1.2.x used honor-http-proxy and
123          there are a good number of documents published that recommend
124          it. */
125       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
126         tok="http-proxy";
127       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
128         tok="no-http-proxy";
129
130       /* We accept quite a few possible options here - some options to
131          handle specially, the keyserver_options list, and import and
132          export options that pertain to keyserver operations.  Note
133          that you must use strncasecmp here as there might be an
134          =argument attached which will foil the use of strcasecmp. */
135
136 #ifdef EXEC_TEMPFILE_ONLY
137       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
138               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
139         log_info(_("WARNING: keyserver option `%s' is not used"
140                    " on this platform\n"),tok);
141 #else
142       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
143         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
144       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
145         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
146 #endif
147       else if(!parse_options(tok,&opt.keyserver_options.options,
148                              keyserver_opts,0)
149          && !parse_import_options(tok,
150                                   &opt.keyserver_options.import_options,0)
151          && !parse_export_options(tok,
152                                   &opt.keyserver_options.export_options,0))
153         {
154           /* All of the standard options have failed, so the option is
155              destined for a keyserver plugin. */
156           char *arg=argsplit(tok);
157
158           if(arg)
159             {
160               char *joined;
161
162               joined=xmalloc(strlen(tok)+1+strlen(arg)+1);
163               /* Make a canonical name=value form with no
164                  spaces */
165               strcpy(joined,tok);
166               strcat(joined,"=");
167               strcat(joined,arg);
168               add_to_strlist(&opt.keyserver_options.other,joined);
169               xfree(joined);
170             }
171           else
172             add_to_strlist(&opt.keyserver_options.other,tok);
173         }
174     }
175
176   if(opt.keyserver_options.options&KEYSERVER_AUTO_CERT_RETRIEVE)
177     {
178       if(max_cert)
179         max_cert_size=strtoul(max_cert,(char **)NULL,10);
180
181       if(max_cert_size==0)
182         max_cert_size=DEFAULT_MAX_CERT_SIZE;
183     }
184
185   return ret;
186 }
187
188 void
189 free_keyserver_spec(struct keyserver_spec *keyserver)
190 {
191   xfree(keyserver->uri);
192   xfree(keyserver->scheme);
193   xfree(keyserver->auth);
194   xfree(keyserver->host);
195   xfree(keyserver->port);
196   xfree(keyserver->path);
197   xfree(keyserver->opaque);
198   xfree(keyserver);
199 }
200
201 /* TODO: once we cut over to an all-curl world, we don't need this
202    parser any longer so it can be removed, or at least moved to
203    keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
204
205 struct keyserver_spec *
206 parse_keyserver_uri(const char *uri,int require_scheme,
207                     const char *configname,unsigned int configlineno)
208 {
209   int assume_hkp=0;
210   struct keyserver_spec *keyserver;
211   const char *idx;
212   int count;
213
214   assert(uri!=NULL);
215
216   keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
217
218   keyserver->uri=xstrdup(uri);
219
220   /* Get the scheme */
221
222   for(idx=uri,count=0;*idx && *idx!=':';idx++)
223     {
224       count++;
225
226       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
227          there clearly isn't a scheme so get out early. */
228       if(*idx=='[')
229         {
230           /* Was the '[' the first thing in the string?  If not, we
231              have a mangled scheme with a [ in it so fail. */
232           if(count==1)
233             break;
234           else
235             goto fail;
236         }
237     }
238
239   if(count==0)
240     goto fail;
241
242   if(*idx=='\0' || *idx=='[')
243     {
244       if(require_scheme)
245         return NULL;
246
247       /* Assume HKP if there is no scheme */
248       assume_hkp=1;
249       keyserver->scheme=xstrdup("hkp");
250     }
251   else
252     {
253       int i;
254
255       keyserver->scheme=xmalloc(count+1);
256
257       /* Force to lowercase */
258       for(i=0;i<count;i++)
259         keyserver->scheme[i]=ascii_tolower(uri[i]);
260
261       keyserver->scheme[i]='\0';
262
263       /* Skip past the scheme and colon */
264       uri+=count+1;
265     }
266
267   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
268     {
269       deprecated_warning(configname,configlineno,"x-broken-hkp",
270                          "--keyserver-options ","broken-http-proxy");
271       xfree(keyserver->scheme);
272       keyserver->scheme=xstrdup("hkp");
273       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
274     }
275   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
276     {
277       /* Canonicalize this to "hkp" so it works with both the internal
278          and external keyserver interface. */
279       xfree(keyserver->scheme);
280       keyserver->scheme=xstrdup("hkp");
281     }
282
283   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
284     {
285       /* Two slashes means network path. */
286
287       /* Skip over the "//", if any */
288       if(!assume_hkp)
289         uri+=2;
290
291       /* Do we have userinfo auth data present? */
292       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
293         count++;
294
295       /* We found a @ before the slash, so that means everything
296          before the @ is auth data. */
297       if(*idx=='@')
298         {
299           if(count==0)
300             goto fail;
301
302           keyserver->auth=xmalloc(count+1);
303           strncpy(keyserver->auth,uri,count);
304           keyserver->auth[count]='\0';
305           uri+=count+1;
306         }
307
308       /* Is it an RFC-2732 ipv6 [literal address] ? */
309       if(*uri=='[')
310         {
311           for(idx=uri+1,count=1;*idx
312                 && ((isascii (*idx) && isxdigit(*idx))
313                     || *idx==':' || *idx=='.');idx++)
314             count++;
315
316           /* Is the ipv6 literal address terminated? */
317           if(*idx==']')
318             count++;
319           else
320             goto fail;
321         }
322       else
323         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
324           count++;
325
326       if(count==0)
327         goto fail;
328
329       keyserver->host=xmalloc(count+1);
330       strncpy(keyserver->host,uri,count);
331       keyserver->host[count]='\0';
332
333       /* Skip past the host */
334       uri+=count;
335
336       if(*uri==':')
337         {
338           /* It would seem to be reasonable to limit the range of the
339              ports to values between 1-65535, but RFC 1738 and 1808
340              imply there is no limit.  Of course, the real world has
341              limits. */
342
343           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
344             {
345               count++;
346
347               /* Ports are digits only */
348               if(!digitp(idx))
349                 goto fail;
350             }
351
352           keyserver->port=xmalloc(count+1);
353           strncpy(keyserver->port,uri+1,count);
354           keyserver->port[count]='\0';
355
356           /* Skip past the colon and port number */
357           uri+=1+count;
358         }
359
360       /* Everything else is the path */
361       if(*uri)
362         keyserver->path=xstrdup(uri);
363       else
364         keyserver->path=xstrdup("/");
365
366       if(keyserver->path[1]!='\0')
367         keyserver->flags.direct_uri=1;
368     }
369   else if(uri[0]!='/')
370     {
371       /* No slash means opaque.  Just record the opaque blob and get
372          out. */
373       keyserver->opaque=xstrdup(uri);
374     }
375   else
376     {
377       /* One slash means absolute path.  We don't need to support that
378          yet. */
379       goto fail;
380     }
381
382   return keyserver;
383
384  fail:
385   free_keyserver_spec(keyserver);
386
387   return NULL;
388 }
389
390 struct keyserver_spec *
391 parse_preferred_keyserver(PKT_signature *sig)
392 {
393   struct keyserver_spec *spec=NULL;
394   const byte *p;
395   size_t plen;
396
397   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
398   if(p && plen)
399     {
400       byte *dupe=xmalloc(plen+1);
401
402       memcpy(dupe,p,plen);
403       dupe[plen]='\0';
404       spec=parse_keyserver_uri(dupe,1,NULL,0);
405       xfree(dupe);
406     }
407
408   return spec;
409 }
410
411 static void
412 print_keyrec(int number,struct keyrec *keyrec)
413 {
414   int i;
415
416   iobuf_writebyte(keyrec->uidbuf,0);
417   iobuf_flush_temp(keyrec->uidbuf);
418   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
419
420   if(keyrec->size>0)
421     printf("%d bit ",keyrec->size);
422
423   if(keyrec->type)
424     {
425       const char *str=pubkey_algo_to_string(keyrec->type);
426
427       if(str)
428         printf("%s ",str);
429       else
430         printf("unknown ");
431     }
432
433   switch(keyrec->desc.mode)
434     {
435       /* If the keyserver helper gave us a short keyid, we have no
436          choice but to use it.  Do check --keyid-format to add a 0x if
437          needed. */
438     case KEYDB_SEARCH_MODE_SHORT_KID:
439       printf("key %s%08lX",
440              (opt.keyid_format==KF_0xSHORT
441               || opt.keyid_format==KF_0xLONG)?"0x":"",
442              (ulong)keyrec->desc.u.kid[1]);
443       break;
444
445       /* However, if it gave us a long keyid, we can honor
446          --keyid-format */
447     case KEYDB_SEARCH_MODE_LONG_KID:
448       printf("key %s",keystr(keyrec->desc.u.kid));
449       break;
450
451     case KEYDB_SEARCH_MODE_FPR16:
452       printf("key ");
453       for(i=0;i<16;i++)
454         printf("%02X",keyrec->desc.u.fpr[i]);
455       break;
456
457     case KEYDB_SEARCH_MODE_FPR20:
458       printf("key ");
459       for(i=0;i<20;i++)
460         printf("%02X",keyrec->desc.u.fpr[i]);
461       break;
462
463     default:
464       BUG();
465       break;
466     }
467
468   if(keyrec->createtime>0)
469     {
470       printf(", ");
471       printf(_("created: %s"),strtimestamp(keyrec->createtime));
472     }
473
474   if(keyrec->expiretime>0)
475     {
476       printf(", ");
477       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
478     }
479
480   if(keyrec->flags&1)
481     printf(" (%s)",_("revoked"));
482   if(keyrec->flags&2)
483     printf(" (%s)",_("disabled"));
484   if(keyrec->flags&4)
485     printf(" (%s)",_("expired"));
486
487   printf("\n");
488 }
489
490 /* Returns a keyrec (which must be freed) once a key is complete, and
491    NULL otherwise.  Call with a NULL keystring once key parsing is
492    complete to return any unfinished keys. */
493 static struct keyrec *
494 parse_keyrec(char *keystring)
495 {
496   static struct keyrec *work=NULL;
497   struct keyrec *ret=NULL;
498   char *record;
499   int i;
500
501   if(keystring==NULL)
502     {
503       if(work==NULL)
504         return NULL;
505       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
506         {
507           xfree(work);
508           return NULL;
509         }
510       else
511         {
512           ret=work;
513           work=NULL;
514           return ret;
515         }
516     }
517
518   if(work==NULL)
519     {
520       work=xmalloc_clear(sizeof(struct keyrec));
521       work->uidbuf=iobuf_temp();
522     }
523
524   /* Remove trailing whitespace */
525   for(i=strlen(keystring);i>0;i--)
526     if(ascii_isspace(keystring[i-1]))
527       keystring[i-1]='\0';
528     else
529       break;
530
531   if((record=strsep(&keystring,":"))==NULL)
532     return ret;
533
534   if(ascii_strcasecmp("pub",record)==0)
535     {
536       char *tok;
537
538       if(work->desc.mode)
539         {
540           ret=work;
541           work=xmalloc_clear(sizeof(struct keyrec));
542           work->uidbuf=iobuf_temp();
543         }
544
545       if((tok=strsep(&keystring,":"))==NULL)
546         return ret;
547
548       classify_user_id(tok,&work->desc);
549       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
550          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
551          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
552          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
553         {
554           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
555           return ret;
556         }
557
558       /* Note all items after this are optional.  This allows us to
559          have a pub line as simple as pub:keyid and nothing else. */
560
561       work->lines++;
562
563       if((tok=strsep(&keystring,":"))==NULL)
564         return ret;
565
566       work->type=atoi(tok);
567
568       if((tok=strsep(&keystring,":"))==NULL)
569         return ret;
570
571       work->size=atoi(tok);
572
573       if((tok=strsep(&keystring,":"))==NULL)
574         return ret;
575
576       if(atoi(tok)<=0)
577         work->createtime=0;
578       else
579         work->createtime=atoi(tok);
580
581       if((tok=strsep(&keystring,":"))==NULL)
582         return ret;
583
584       if(atoi(tok)<=0)
585         work->expiretime=0;
586       else
587         {
588           work->expiretime=atoi(tok);
589           /* Force the 'e' flag on if this key is expired. */
590           if(work->expiretime<=make_timestamp())
591             work->flags|=4;
592         }
593
594       if((tok=strsep(&keystring,":"))==NULL)
595         return ret;
596
597       while(*tok)
598         switch(*tok++)
599           {
600           case 'r':
601           case 'R':
602             work->flags|=1;
603             break;
604             
605           case 'd':
606           case 'D':
607             work->flags|=2;
608             break;
609
610           case 'e':
611           case 'E':
612             work->flags|=4;
613             break;
614           }
615     }
616   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
617     {
618       char *userid,*tok,*decoded;
619
620       if((tok=strsep(&keystring,":"))==NULL)
621         return ret;
622
623       if(strlen(tok)==0)
624         return ret;
625
626       userid=tok;
627
628       /* By definition, de-%-encoding is always smaller than the
629          original string so we can decode in place. */
630
631       i=0;
632
633       while(*tok)
634         if(tok[0]=='%' && tok[1] && tok[2])
635           {
636             if((userid[i]=hextobyte(&tok[1]))==-1)
637               userid[i]='?';
638
639             i++;
640             tok+=3;
641           }
642         else
643           userid[i++]=*tok++;
644
645       /* We don't care about the other info provided in the uid: line
646          since no keyserver supports marking userids with timestamps
647          or revoked/expired/disabled yet. */
648
649       /* No need to check for control characters, as utf8_to_native
650          does this for us. */
651
652       decoded=utf8_to_native(userid,i,0);
653       if(strlen(decoded)>opt.screen_columns-10)
654         decoded[opt.screen_columns-10]='\0';
655       iobuf_writestr(work->uidbuf,decoded);
656       xfree(decoded);
657       iobuf_writestr(work->uidbuf,"\n\t");
658       work->lines++;
659     }
660
661   /* Ignore any records other than "pri" and "uid" for easy future
662      growth. */
663
664   return ret;
665 }
666
667 /* TODO: do this as a list sent to keyserver_work rather than calling
668    it once for each key to get the correct counts after the import
669    (cosmetics, really) and to better take advantage of the keyservers
670    that can do multiple fetches in one go (LDAP). */
671 static int
672 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
673 {
674   char *answer;
675
676   if(count && opt.command_fd==-1)
677     {
678       static int from=1;
679       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
680       from=numdesc+1;
681     }
682
683   answer=cpr_get_no_help("keysearch.prompt",
684                          _("Enter number(s), N)ext, or Q)uit > "));
685   /* control-d */
686   if(answer[0]=='\x04')
687     {
688       printf("Q\n");
689       answer[0]='q';
690     }
691
692   if(answer[0]=='q' || answer[0]=='Q')
693     {
694       xfree(answer);
695       return 1;
696     }
697   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
698     {
699       char *split=answer,*num;
700
701       while((num=strsep(&split," ,"))!=NULL)
702         if(atoi(num)>=1 && atoi(num)<=numdesc)
703           keyserver_work(KS_GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
704
705       xfree(answer);
706       return 1;
707     }
708
709   return 0;
710 }
711
712 /* Count and searchstr are just for cosmetics.  If the count is too
713    small, it will grow safely.  If negative it disables the "Key x-y
714    of z" messages.  searchstr should be UTF-8 (rather than native). */
715 static void
716 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
717 {
718   int i=0,validcount=0,started=0,header=0,count=1;
719   unsigned int maxlen,buflen,numlines=0;
720   KEYDB_SEARCH_DESC *desc;
721   byte *line=NULL;
722   char *localstr=NULL;
723
724   if(searchstr)
725     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
726
727   desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
728
729   for(;;)
730     {
731       struct keyrec *keyrec;
732       int rl;
733
734       maxlen=1024;
735       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
736
737       if(opt.with_colons)
738         {
739           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
740              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
741             {
742               header=1;
743               continue;
744             }
745           else if(ascii_strncasecmp("SEARCH ",line,7)==0
746                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
747             continue;
748
749           printf("%s",line);
750         }
751
752       /* Look for an info: line.  The only current info: values
753          defined are the version and key count. */
754       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
755         {
756           char *tok,*str=&line[5];
757
758           if((tok=strsep(&str,":"))!=NULL)
759             {
760               int version;
761
762               if(sscanf(tok,"%d",&version)!=1)
763                 version=1;
764
765               if(version!=1)
766                 {
767                   log_error(_("invalid keyserver protocol "
768                               "(us %d!=handler %d)\n"),1,version);
769                   break;
770                 }
771             }
772
773           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
774             {
775               if(count==0)
776                 goto notfound;
777               else if(count<0)
778                 count=10;
779               else
780                 validcount=1;
781
782               desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
783             }
784
785           started=1;
786           continue;
787         }
788
789       if(rl==0)
790         {
791           keyrec=parse_keyrec(NULL);
792
793           if(keyrec==NULL)
794             {
795               if(i==0)
796                 {
797                   count=0;
798                   break;
799                 }
800
801               if(i!=count)
802                 validcount=0;
803
804               for(;;)
805                 {
806                   if(show_prompt(desc,i,validcount?count:0,localstr))
807                     break;
808                   validcount=0;
809                 }
810
811               break;
812             }
813         }
814       else
815         keyrec=parse_keyrec(line);
816
817       if(i==count)
818         {
819           /* keyserver helper sent more keys than they claimed in the
820              info: line. */
821           count+=10;
822           desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
823           validcount=0;
824         }
825
826       if(keyrec)
827         {
828           desc[i]=keyrec->desc;
829
830           if(!opt.with_colons)
831             {
832               /* screen_lines - 1 for the prompt. */
833               if(numlines+keyrec->lines>opt.screen_lines-1)
834                 {
835                   if(show_prompt(desc,i,validcount?count:0,localstr))
836                     break;
837                   else
838                     numlines=0;
839                 }
840
841               print_keyrec(i+1,keyrec);
842             }
843
844           numlines+=keyrec->lines;
845           iobuf_close(keyrec->uidbuf);
846           xfree(keyrec);
847
848           started=1;
849           i++;
850         }
851     }
852
853  notfound:
854   /* Leave this commented out or now, and perhaps for a very long
855      time.  All HKPish servers return HTML error messages for
856      no-key-found. */
857   /* 
858      if(!started)
859      log_info(_("keyserver does not support searching\n"));
860      else
861   */
862   if(count==0)
863     {
864       if(localstr)
865         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
866       else
867         log_info(_("key not found on keyserver\n"));
868     }
869
870   xfree(localstr);
871   xfree(desc);
872   xfree(line);
873 }
874
875 /* We sometimes want to use a different gpgkeys_xxx for a given
876    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
877    these here. */
878 static const char *
879 keyserver_typemap(const char *type)
880 {
881   if(strcmp(type,"ldaps")==0)
882     return "ldap";
883   else
884     return type;
885 }
886
887 #ifdef GPGKEYS_CURL
888 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
889    sufficiently different that we can't use curl to do LDAP. */
890 static int
891 curl_cant_handle(const char *scheme,unsigned int direct_uri)
892 {
893   if(!direct_uri && (strcmp(scheme,"ldap")==0 || strcmp(scheme,"ldaps")==0))
894     return 1;
895
896   return 0;
897 }
898 #endif
899
900 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
901 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
902
903 static int 
904 keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
905                 int count,int *prog,struct keyserver_spec *keyserver)
906 {
907   int ret=0,i,gotversion=0,outofband=0;
908   STRLIST temp;
909   unsigned int maxlen,buflen;
910   char *command,*end,*searchstr=NULL;
911   byte *line=NULL;
912   struct parse_options *kopts;
913   struct exec_info *spawn;
914   const char *scheme;
915   const char *libexecdir = get_libexecdir ();
916
917   assert(keyserver);
918
919 #ifdef EXEC_TEMPFILE_ONLY
920   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
921 #endif
922
923   /* Build the filename for the helper to execute */
924   scheme=keyserver_typemap(keyserver->scheme);
925
926 #ifdef DISABLE_KEYSERVER_PATH
927   /* Destroy any path we might have.  This is a little tricky,
928      portability-wise.  It's not correct to delete the PATH
929      environment variable, as that may fall back to a system built-in
930      PATH.  Similarly, it is not correct to set PATH to the null
931      string (PATH="") since this actually deletes the PATH environment
932      variable under MinGW.  The safest thing to do here is to force
933      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
934      Unix-like systems (since we're going to give a full path to
935      gpgkeys_foo), but on W32 it prevents loading any DLLs from
936      directories in %PATH%.
937
938      After some more thinking about this we came to the conclusion
939      that it is better to load the helpers from the directory where
940      the program of this process lives.  Fortunately Windows provides
941      a way to retrieve this and our get_libexecdir function has been
942      modified to return just this.  Setting the exec-path is not
943      anymore required.  
944        set_exec_path(libexecdir);
945  */
946 #else
947   if(opt.exec_path_set)
948     {
949       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
950          undefined, then don't specify a full path to gpgkeys_foo, so
951          that the PATH can work. */
952       command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
953       command[0]='\0';
954     }
955   else
956 #endif
957     {
958       /* Specify a full path to gpgkeys_foo. */
959       command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
960                       GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
961       strcpy(command,libexecdir);
962       strcat(command,DIRSEP_S);
963     }
964
965   end=command+strlen(command);
966
967   strcat(command,GPGKEYS_PREFIX); 
968   strcat(command,scheme);
969
970   if(keyserver->flags.direct_uri)
971     strcat(command,"uri");
972
973   strcat(command,EXEEXT);
974
975 #ifdef GPGKEYS_CURL
976   if(!curl_cant_handle(scheme,keyserver->flags.direct_uri)
977      && path_access(command,X_OK)!=0)
978     strcpy(end,GPGKEYS_CURL);
979 #endif
980
981   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
982     {
983       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
984         {
985           command=xrealloc(command,strlen(command)+
986                             strlen(KEYSERVER_ARGS_KEEP)+1);
987           strcat(command,KEYSERVER_ARGS_KEEP);
988         }
989       else
990         {
991           command=xrealloc(command,strlen(command)+
992                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
993           strcat(command,KEYSERVER_ARGS_NOKEEP);  
994         }
995
996       ret=exec_write(&spawn,NULL,command,NULL,0,0);
997     }
998   else
999     ret=exec_write(&spawn,command,NULL,NULL,0,0);
1000
1001   xfree(command);
1002
1003   if(ret)
1004     return ret;
1005
1006   fprintf(spawn->tochild,
1007           "# This is a GnuPG %s keyserver communications file\n",VERSION);
1008   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1009   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
1010   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
1011
1012   if(keyserver->opaque)
1013     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
1014   else
1015     {
1016       if(keyserver->auth)
1017         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
1018
1019       if(keyserver->host)
1020         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
1021
1022       if(keyserver->port)
1023         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
1024
1025       if(keyserver->path)
1026         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
1027     }
1028
1029   /* Write options */
1030
1031   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
1032     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
1033       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
1034
1035   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1036     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1037
1038   switch(action)
1039     {
1040     case KS_GET:
1041       {
1042         fprintf(spawn->tochild,"COMMAND GET\n\n");
1043
1044         /* Which keys do we want? */
1045
1046         for(i=0;i<count;i++)
1047           {
1048             int quiet=0;
1049
1050             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1051               {
1052                 int f;
1053
1054                 fprintf(spawn->tochild,"0x");
1055
1056                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1057                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1058
1059                 fprintf(spawn->tochild,"\n");
1060               }
1061             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1062               {
1063                 int f;
1064
1065                 fprintf(spawn->tochild,"0x");
1066
1067                 for(f=0;f<16;f++)
1068                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1069
1070                 fprintf(spawn->tochild,"\n");
1071               }
1072             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1073               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1074                       (ulong)desc[i].u.kid[0],
1075                       (ulong)desc[i].u.kid[1]);
1076             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1077               fprintf(spawn->tochild,"0x%08lX\n",
1078                       (ulong)desc[i].u.kid[1]);
1079             else if(desc[i].mode==KEYDB_SEARCH_MODE_EXACT)
1080               {
1081                 fprintf(spawn->tochild,"0x0000000000000000\n");
1082                 quiet=1;
1083               }
1084             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1085               continue;
1086             else
1087               BUG();
1088
1089             if(!quiet)
1090               {
1091                 if(keyserver->host)
1092                   log_info(_("requesting key %s from %s server %s\n"),
1093                            keystr_from_desc(&desc[i]),
1094                            keyserver->scheme,keyserver->host);
1095                 else
1096                   log_info(_("requesting key %s from %s\n"),
1097                            keystr_from_desc(&desc[i]),keyserver->uri);
1098               }
1099           }
1100
1101         fprintf(spawn->tochild,"\n");
1102
1103         break;
1104       }
1105
1106     case KS_GETNAME:
1107       {
1108         STRLIST key;
1109
1110         fprintf(spawn->tochild,"COMMAND GETNAME\n\n");
1111
1112         /* Which names do we want? */
1113
1114         for(key=list;key!=NULL;key=key->next)
1115           fprintf(spawn->tochild,"%s\n",key->d);
1116
1117         fprintf(spawn->tochild,"\n");
1118
1119         if(keyserver->host)
1120           log_info(_("searching for names from %s server %s\n"),
1121                    keyserver->scheme,keyserver->host);
1122         else
1123           log_info(_("searching for names from %s\n"),keyserver->uri);
1124
1125         break;
1126       }
1127
1128     case KS_SEND:
1129       {
1130         STRLIST key;
1131
1132         /* Note the extra \n here to send an empty keylist block */
1133         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1134
1135         for(key=list;key!=NULL;key=key->next)
1136           {
1137             armor_filter_context_t afx;
1138             IOBUF buffer=iobuf_temp();
1139             KBNODE block;
1140
1141             temp=NULL;
1142             add_to_strlist(&temp,key->d);
1143
1144             memset(&afx,0,sizeof(afx));
1145             afx.what=1;
1146             /* Tell the armor filter to use Unix-style \n line
1147                endings, since we're going to fprintf this to a file
1148                that (on Win32) is open in text mode.  The win32 stdio
1149                will transform the \n to \r\n and we'll end up with the
1150                proper line endings on win32.  This is a no-op on
1151                Unix. */
1152             afx.eol[0]='\n';
1153             iobuf_push_filter(buffer,armor_filter,&afx);
1154
1155             /* TODO: Remove Comment: lines from keys exported this
1156                way? */
1157
1158             if(export_pubkeys_stream(buffer,temp,&block,
1159                                      opt.keyserver_options.export_options)==-1)
1160               iobuf_close(buffer);
1161             else
1162               {
1163                 KBNODE node;
1164
1165                 iobuf_flush_temp(buffer);
1166
1167                 merge_keys_and_selfsig(block);
1168
1169                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1170                         (ulong)block->pkt->pkt.public_key->keyid[0],
1171                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1172
1173                 for(node=block;node;node=node->next)
1174                   {
1175                     switch(node->pkt->pkttype)
1176                       {
1177                       default:
1178                         continue;
1179
1180                       case PKT_PUBLIC_KEY:
1181                       case PKT_PUBLIC_SUBKEY:
1182                         {
1183                           PKT_public_key *pk=node->pkt->pkt.public_key;
1184
1185                           keyid_from_pk(pk,NULL);
1186
1187                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1188                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1189                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1190                                   pk->pubkey_algo,
1191                                   nbits_from_pk(pk),
1192                                   pk->timestamp,
1193                                   pk->expiredate);
1194
1195                           if(pk->is_revoked)
1196                             fprintf(spawn->tochild,"r");
1197                           if(pk->has_expired)
1198                             fprintf(spawn->tochild,"e");
1199
1200                           fprintf(spawn->tochild,"\n");
1201                         }
1202                         break;
1203
1204                       case PKT_USER_ID:
1205                         {
1206                           PKT_user_id *uid=node->pkt->pkt.user_id;
1207                           int r;
1208
1209                           if(uid->attrib_data)
1210                             continue;
1211
1212                           fprintf(spawn->tochild,"uid:");
1213
1214                           /* Quote ':', '%', and any 8-bit
1215                              characters */
1216                           for(r=0;r<uid->len;r++)
1217                             {
1218                               if(uid->name[r]==':' || uid->name[r]=='%'
1219                                  || uid->name[r]&0x80)
1220                                 fprintf(spawn->tochild,"%%%02X",
1221                                         (byte)uid->name[r]);
1222                               else
1223                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1224                             }
1225
1226                           fprintf(spawn->tochild,":%u:%u:",
1227                                   uid->created,uid->expiredate);
1228
1229                           if(uid->is_revoked)
1230                             fprintf(spawn->tochild,"r");
1231                           if(uid->is_expired)
1232                             fprintf(spawn->tochild,"e");
1233
1234                           fprintf(spawn->tochild,"\n");
1235                         }
1236                         break;
1237
1238                         /* This bit is really for the benefit of
1239                            people who store their keys in LDAP
1240                            servers.  It makes it easy to do queries
1241                            for things like "all keys signed by
1242                            Isabella". */
1243                       case PKT_SIGNATURE:
1244                         {
1245                           PKT_signature *sig=node->pkt->pkt.signature;
1246
1247                           if(!IS_UID_SIG(sig))
1248                             continue;
1249
1250                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1251                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1252                                   sig->sig_class,sig->timestamp,
1253                                   sig->expiredate);
1254                         }
1255                         break;
1256                       }
1257                   }
1258
1259                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1260                         (ulong)block->pkt->pkt.public_key->keyid[0],
1261                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1262
1263                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1264                 fwrite(iobuf_get_temp_buffer(buffer),
1265                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1266                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1267
1268                 iobuf_close(buffer);
1269
1270                 if(keyserver->host)
1271                   log_info(_("sending key %s to %s server %s\n"),
1272                            keystr(block->pkt->pkt.public_key->keyid),
1273                            keyserver->scheme,keyserver->host);
1274                 else
1275                   log_info(_("sending key %s to %s\n"),
1276                            keystr(block->pkt->pkt.public_key->keyid),
1277                            keyserver->uri);
1278
1279                 release_kbnode(block);
1280               }
1281
1282             free_strlist(temp);
1283           }
1284
1285         break;
1286       }
1287
1288     case KS_SEARCH:
1289       {
1290         STRLIST key;
1291
1292         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1293
1294         /* Which keys do we want?  Remember that the gpgkeys_ program
1295            is going to lump these together into a search string. */
1296
1297         for(key=list;key!=NULL;key=key->next)
1298           {
1299             fprintf(spawn->tochild,"%s\n",key->d);
1300             if(key!=list)
1301               {
1302                 searchstr=xrealloc(searchstr,
1303                                     strlen(searchstr)+strlen(key->d)+2);
1304                 strcat(searchstr," ");
1305               }
1306             else
1307               {
1308                 searchstr=xmalloc(strlen(key->d)+1);
1309                 searchstr[0]='\0';
1310               }
1311
1312             strcat(searchstr,key->d);
1313           }
1314
1315         fprintf(spawn->tochild,"\n");
1316
1317         if(keyserver->host)
1318           log_info(_("searching for \"%s\" from %s server %s\n"),
1319                    searchstr,keyserver->scheme,keyserver->host);
1320         else
1321           log_info(_("searching for \"%s\" from %s\n"),
1322                    searchstr,keyserver->uri);
1323
1324         break;
1325       }
1326
1327     default:
1328       log_fatal(_("no keyserver action!\n"));
1329       break;
1330     }
1331
1332   /* Done sending, so start reading. */
1333   ret=exec_read(spawn);
1334   if(ret)
1335     goto fail;
1336
1337   /* Now handle the response */
1338
1339   for(;;)
1340     {
1341       int plen;
1342       char *ptr;
1343
1344       maxlen=1024;
1345       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1346         {
1347           ret=G10ERR_READ_FILE;
1348           goto fail; /* i.e. EOF */
1349         }
1350
1351       ptr=line;
1352
1353       /* remove trailing whitespace */
1354       plen=strlen(ptr);
1355       while(plen>0 && ascii_isspace(ptr[plen-1]))
1356         plen--;
1357       plen[ptr]='\0';
1358
1359       if(*ptr=='\0')
1360         break;
1361
1362       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1363         {
1364           gotversion=1;
1365
1366           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1367             {
1368               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1369                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1370               goto fail;
1371             }
1372         }
1373       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1374         {
1375           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1376             log_info(_("WARNING: keyserver handler from a different"
1377                        " version of GnuPG (%s)\n"),&ptr[8]);
1378         }
1379       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1380         outofband=1; /* Currently the only OPTION */
1381     }
1382
1383   if(!gotversion)
1384     {
1385       log_error(_("keyserver did not send VERSION\n"));
1386       goto fail;
1387     }
1388
1389   if(!outofband)
1390     switch(action)
1391       {
1392       case KS_GET:
1393       case KS_GETNAME:
1394         {
1395           void *stats_handle;
1396
1397           stats_handle=import_new_stats_handle();
1398
1399           /* Slurp up all the key data.  In the future, it might be
1400              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1401              It's harmless to ignore them, but ignoring them does make
1402              gpg complain about "no valid OpenPGP data found".  One
1403              way to do this could be to continue parsing this
1404              line-by-line and make a temp iobuf for each key. */
1405
1406           import_keys_stream(spawn->fromchild,stats_handle,
1407                              opt.keyserver_options.import_options);
1408
1409           import_print_stats(stats_handle);
1410           import_release_stats_handle(stats_handle);
1411
1412           break;
1413         }
1414
1415         /* Nothing to do here */
1416       case KS_SEND:
1417         break;
1418
1419       case KS_SEARCH:
1420         keyserver_search_prompt(spawn->fromchild,searchstr);
1421         break;
1422
1423       default:
1424         log_fatal(_("no keyserver action!\n"));
1425         break;
1426       }
1427
1428  fail:
1429   xfree(line);
1430   xfree(searchstr);
1431
1432
1433   *prog=exec_finish(spawn);
1434
1435   return ret;
1436 }
1437
1438 static int 
1439 keyserver_work(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1440                int count,struct keyserver_spec *keyserver)
1441 {
1442   int rc=0,ret=0;
1443
1444   if(!keyserver)
1445     {
1446       log_error(_("no keyserver known (use option --keyserver)\n"));
1447       return G10ERR_BAD_URI;
1448     }
1449
1450 #ifdef DISABLE_KEYSERVER_HELPERS
1451
1452   log_error(_("external keyserver calls are not supported in this build\n"));
1453   return G10ERR_KEYSERVER;
1454
1455 #else
1456   /* Spawn a handler */
1457
1458   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1459   if(ret)
1460     {
1461       switch(ret)
1462         {
1463         case KEYSERVER_SCHEME_NOT_FOUND:
1464           log_error(_("no handler for keyserver scheme `%s'\n"),
1465                     keyserver->scheme);
1466           break;
1467
1468         case KEYSERVER_NOT_SUPPORTED:
1469           log_error(_("action `%s' not supported with keyserver "
1470                       "scheme `%s'\n"),
1471                     action==KS_GET?"get":action==KS_SEND?"send":
1472                     action==KS_SEARCH?"search":"unknown",
1473                     keyserver->scheme);
1474           break;
1475
1476         case KEYSERVER_VERSION_ERROR:
1477           log_error(_(GPGKEYS_PREFIX "%s does not support"
1478                       " handler version %d\n"),
1479                     keyserver_typemap(keyserver->scheme),
1480                     KEYSERVER_PROTO_VERSION);
1481           break;
1482
1483         case KEYSERVER_TIMEOUT:
1484           log_error(_("keyserver timed out\n"));
1485           break;
1486
1487         case KEYSERVER_INTERNAL_ERROR:
1488         default:
1489           log_error(_("keyserver internal error\n"));
1490           break;
1491         }
1492
1493       return G10ERR_KEYSERVER;
1494     }
1495
1496   if(rc)
1497     {
1498       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1499
1500       return rc;
1501     }
1502
1503   return 0;
1504 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1505 }
1506
1507 int 
1508 keyserver_export(STRLIST users)
1509 {
1510   STRLIST sl=NULL;
1511   KEYDB_SEARCH_DESC desc;
1512   int rc=0;
1513
1514   /* Weed out descriptors that we don't support sending */
1515   for(;users;users=users->next)
1516     {
1517       classify_user_id (users->d, &desc);
1518       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1519          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1520          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1521          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1522         {
1523           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1524           continue;
1525         }
1526       else
1527         append_to_strlist(&sl,users->d);
1528     }
1529
1530   if(sl)
1531     {
1532       rc=keyserver_work(KS_SEND,sl,NULL,0,opt.keyserver);
1533       free_strlist(sl);
1534     }
1535
1536   return rc;
1537 }
1538
1539 int 
1540 keyserver_import(STRLIST users)
1541 {
1542   KEYDB_SEARCH_DESC *desc;
1543   int num=100,count=0;
1544   int rc=0;
1545
1546   /* Build a list of key ids */
1547   desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1548
1549   for(;users;users=users->next)
1550     {
1551       classify_user_id (users->d, &desc[count]);
1552       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1553          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1554          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1555          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1556         {
1557           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1558           continue;
1559         }
1560
1561       count++;
1562       if(count==num)
1563         {
1564           num+=100;
1565           desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1566         }
1567     }
1568
1569   if(count>0)
1570     rc=keyserver_work(KS_GET,NULL,desc,count,opt.keyserver);
1571
1572   xfree(desc);
1573
1574   return rc;
1575 }
1576
1577 int
1578 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1579                         struct keyserver_spec *keyserver)
1580 {
1581   KEYDB_SEARCH_DESC desc;
1582
1583   memset(&desc,0,sizeof(desc));
1584
1585   if(fprint_len==16)
1586     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1587   else if(fprint_len==20)
1588     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1589   else
1590     return -1;
1591
1592   memcpy(desc.u.fpr,fprint,fprint_len);
1593
1594   return keyserver_work(KS_GET,NULL,&desc,1,keyserver);
1595 }
1596
1597 int 
1598 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1599 {
1600   KEYDB_SEARCH_DESC desc;
1601
1602   memset(&desc,0,sizeof(desc));
1603
1604   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1605   desc.u.kid[0]=keyid[0];
1606   desc.u.kid[1]=keyid[1];
1607
1608   return keyserver_work(KS_GET,NULL,&desc,1,keyserver);
1609 }
1610
1611 /* code mostly stolen from do_export_stream */
1612 static int 
1613 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1614 {
1615   int rc=0,ndesc,num=100;
1616   KBNODE keyblock=NULL,node;
1617   KEYDB_HANDLE kdbhd;
1618   KEYDB_SEARCH_DESC *desc;
1619   STRLIST sl;
1620
1621   *count=0;
1622
1623   *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1624
1625   kdbhd=keydb_new(0);
1626
1627   if(!users)
1628     {
1629       ndesc = 1;
1630       desc = xmalloc_clear ( ndesc * sizeof *desc);
1631       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1632     }
1633   else
1634     {
1635       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1636         ;
1637       desc = xmalloc ( ndesc * sizeof *desc);
1638         
1639       for (ndesc=0, sl=users; sl; sl = sl->next)
1640         {
1641           if(classify_user_id (sl->d, desc+ndesc))
1642             ndesc++;
1643           else
1644             log_error (_("key \"%s\" not found: %s\n"),
1645                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1646         }
1647     }
1648
1649   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1650     {
1651       if (!users) 
1652         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1653
1654       /* read the keyblock */
1655       rc = keydb_get_keyblock (kdbhd, &keyblock );
1656       if( rc )
1657         {
1658           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1659           goto leave;
1660         }
1661
1662       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1663         {
1664           /* This is to work around a bug in some keyservers (pksd and
1665              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1666              The answer is to refresh both the correct v4 keyid
1667              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1668              This only happens for key refresh using the HKP scheme
1669              and if the refresh-add-fake-v3-keyids keyserver option is
1670              set. */
1671           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1672              node->pkt->pkt.public_key->version>=4)
1673             {
1674               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1675               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1676                             (*klist)[*count].u.kid);
1677               (*count)++;
1678
1679               if(*count==num)
1680                 {
1681                   num+=100;
1682                   *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1683                 }
1684             }
1685
1686           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1687              This is because it's easy to calculate any sort of keyid
1688              from a v4 fingerprint, but not a v3 fingerprint. */
1689
1690           if(node->pkt->pkt.public_key->version<4)
1691             {
1692               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1693               keyid_from_pk(node->pkt->pkt.public_key,
1694                             (*klist)[*count].u.kid);
1695             }
1696           else
1697             {
1698               size_t dummy;
1699
1700               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1701               fingerprint_from_pk(node->pkt->pkt.public_key,
1702                                   (*klist)[*count].u.fpr,&dummy);
1703             }
1704
1705           /* This is a little hackish, using the skipfncvalue as a
1706              void* pointer to the keyserver spec, but we don't need
1707              the skipfnc here, and it saves having an additional field
1708              for this (which would be wasted space most of the
1709              time). */
1710
1711           (*klist)[*count].skipfncvalue=NULL;
1712
1713           /* Are we honoring preferred keyservers? */
1714           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1715             {
1716               PKT_user_id *uid=NULL;
1717               PKT_signature *sig=NULL;
1718
1719               merge_keys_and_selfsig(keyblock);
1720
1721               for(node=node->next;node;node=node->next)
1722                 {
1723                   if(node->pkt->pkttype==PKT_USER_ID
1724                      && node->pkt->pkt.user_id->is_primary)
1725                     uid=node->pkt->pkt.user_id;
1726                   else if(node->pkt->pkttype==PKT_SIGNATURE
1727                           && node->pkt->pkt.signature->
1728                           flags.chosen_selfsig && uid)
1729                     {
1730                       sig=node->pkt->pkt.signature;
1731                       break;
1732                     }
1733                 }
1734
1735               /* Try and parse the keyserver URL.  If it doesn't work,
1736                  then we end up writing NULL which indicates we are
1737                  the same as any other key. */
1738               if(uid && sig)
1739                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1740             }
1741
1742           (*count)++;
1743
1744           if(*count==num)
1745             {
1746               num+=100;
1747               *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1748             }
1749         }
1750     }
1751
1752   if(rc==-1)
1753     rc=0;
1754   
1755  leave:
1756   if(rc)
1757     xfree(*klist);
1758   xfree(desc);
1759   keydb_release(kdbhd);
1760   release_kbnode(keyblock);
1761
1762   return rc;
1763 }
1764
1765 /* Note this is different than the original HKP refresh.  It allows
1766    usernames to refresh only part of the keyring. */
1767
1768 int
1769 keyserver_refresh(STRLIST users)
1770 {
1771   int rc,count,numdesc,fakev3=0;
1772   KEYDB_SEARCH_DESC *desc;
1773   unsigned int options=opt.keyserver_options.import_options;
1774
1775   /* We switch merge-only on during a refresh, as 'refresh' should
1776      never import new keys, even if their keyids match. */
1777   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1778
1779   /* Similarly, we switch on fast-import, since refresh may make
1780      multiple import sets (due to preferred keyserver URLs).  We don't
1781      want each set to rebuild the trustdb.  Instead we do it once at
1782      the end here. */
1783   opt.keyserver_options.import_options|=IMPORT_FAST;
1784
1785   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1786      scheme, then enable fake v3 keyid generation. */
1787   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1788      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1789          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1790     fakev3=1;
1791
1792   rc=keyidlist(users,&desc,&numdesc,fakev3);
1793   if(rc)
1794     return rc;
1795
1796   count=numdesc;
1797   if(count>0)
1798     {
1799       int i;
1800
1801       /* Try to handle preferred keyserver keys first */
1802       for(i=0;i<numdesc;i++)
1803         {
1804           if(desc[i].skipfncvalue)
1805             {
1806               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1807
1808               /* We use the keyserver structure we parsed out before.
1809                  Note that a preferred keyserver without a scheme://
1810                  will be interpreted as hkp:// */
1811
1812               rc=keyserver_work(KS_GET,NULL,&desc[i],1,keyserver);
1813               if(rc)
1814                 log_info(_("WARNING: unable to refresh key %s"
1815                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1816                          keyserver->uri,g10_errstr(rc));
1817               else
1818                 {
1819                   /* We got it, so mark it as NONE so we don't try and
1820                      get it again from the regular keyserver. */
1821
1822                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1823                   count--;
1824                 }
1825
1826               free_keyserver_spec(keyserver);
1827             }
1828         }
1829     }
1830
1831   if(count>0)
1832     {
1833       if(opt.keyserver)
1834         {
1835           if(count==1)
1836             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1837           else
1838             log_info(_("refreshing %d keys from %s\n"),
1839                      count,opt.keyserver->uri);
1840         }
1841
1842       rc=keyserver_work(KS_GET,NULL,desc,numdesc,opt.keyserver);
1843     }
1844
1845   xfree(desc);
1846
1847   opt.keyserver_options.import_options=options;
1848
1849   /* If the original options didn't have fast import, and the trustdb
1850      is dirty, rebuild. */
1851   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1852     trustdb_check_or_update();
1853
1854   return rc;
1855 }
1856
1857 int
1858 keyserver_search(STRLIST tokens)
1859 {
1860   if(tokens)
1861     return keyserver_work(KS_SEARCH,tokens,NULL,0,opt.keyserver);
1862   else
1863     return 0;
1864 }
1865
1866 int
1867 keyserver_fetch(STRLIST urilist)
1868 {
1869   KEYDB_SEARCH_DESC desc;
1870   STRLIST sl;
1871   unsigned int options=opt.keyserver_options.import_options;
1872
1873   /* Switch on fast-import, since fetch can handle more than one
1874      import and we don't want each set to rebuild the trustdb.
1875      Instead we do it once at the end. */
1876   opt.keyserver_options.import_options|=IMPORT_FAST;
1877
1878   /* A dummy desc since we're not actually fetching a particular key
1879      ID */
1880   memset(&desc,0,sizeof(desc));
1881   desc.mode=KEYDB_SEARCH_MODE_EXACT;
1882
1883   for(sl=urilist;sl;sl=sl->next)
1884     {
1885       struct keyserver_spec *spec;
1886
1887       spec=parse_keyserver_uri(sl->d,1,NULL,0);
1888       if(spec)
1889         {
1890           int rc;
1891
1892           /*
1893             Set the direct_uri flag so we know later to call a direct
1894             handler instead of the keyserver style.  This lets us use
1895             gpgkeys_curl or gpgkeys_ldapuri instead of gpgkeys_ldap to
1896             fetch things like
1897             ldap://keyserver.pgp.com/o=PGP%20keys?pgpkey?sub?pgpkeyid=99242560
1898           */
1899           spec->flags.direct_uri=1;
1900
1901           rc=keyserver_work(KS_GET,NULL,&desc,1,spec);
1902           if(rc)
1903             log_info (_("WARNING: unable to fetch URI %s: %s\n"),
1904                      sl->d,g10_errstr(rc));
1905
1906           free_keyserver_spec(spec);
1907         }
1908       else
1909         log_info (_("WARNING: unable to parse URI %s\n"),sl->d);
1910     }
1911
1912   opt.keyserver_options.import_options=options;
1913
1914   /* If the original options didn't have fast import, and the trustdb
1915      is dirty, rebuild. */
1916   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1917     trustdb_check_or_update();
1918
1919   return 0;
1920 }
1921
1922 /* Import key in a CERT or pointed to by a CERT */
1923 int
1924 keyserver_import_cert(const char *name)
1925 {
1926   char *domain,*look,*url;
1927   IOBUF key;
1928   int type,rc=-1;
1929
1930   look=xstrdup(name);
1931
1932   domain=strrchr(look,'@');
1933   if(domain)
1934     *domain='.';
1935
1936   type=get_cert(look,max_cert_size,&key,&url);
1937   if(type==1)
1938     {
1939       int armor_status=opt.no_armor;
1940
1941       /* CERTs are always in binary format */
1942       opt.no_armor=1;
1943
1944       rc=import_keys_stream(key,NULL,opt.keyserver_options.import_options);
1945
1946       opt.no_armor=armor_status;
1947
1948       iobuf_close(key);
1949     }
1950   else if(type==2)
1951     {
1952       struct keyserver_spec *spec;
1953
1954       spec=parse_keyserver_uri(url,1,NULL,0);
1955       if(spec)
1956         {
1957           STRLIST list=NULL;
1958
1959           add_to_strlist(&list,url);
1960
1961           rc=keyserver_fetch(list);
1962
1963           free_strlist(list);
1964           free_keyserver_spec(spec);
1965         }
1966
1967       xfree(url);
1968     }
1969
1970   xfree(look);
1971
1972   return rc;
1973 }
1974
1975 /* Import key pointed to by a PKA record */
1976 int
1977 keyserver_import_pka(const char *name)
1978 {
1979   unsigned char fpr[MAX_FINGERPRINT_LEN];
1980   char *uri;
1981   int rc=-1;
1982       
1983   uri = get_pka_info (name, fpr);
1984   if (uri)
1985     {
1986       struct keyserver_spec *spec;
1987       spec = parse_keyserver_uri (uri, 1, NULL, 0);
1988       if (spec)
1989         {
1990           rc=keyserver_import_fprint (fpr, 20, spec);
1991           free_keyserver_spec (spec);
1992         }
1993       xfree (uri);
1994     }
1995
1996   return rc;
1997 }
1998
1999 /* Import all keys that match name */
2000 int
2001 keyserver_import_name(const char *name)
2002 {
2003   STRLIST list=NULL;
2004   int rc;
2005
2006   append_to_strlist(&list,name);
2007
2008   rc=keyserver_work(KS_GETNAME,list,NULL,0,opt.keyserver);
2009
2010   free_strlist(list);
2011
2012   return rc;
2013 }