auto retrieve keys from PKA. Thsi allows to specify an email address
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <assert.h>
28 #ifdef HAVE_LIBCURL
29 #include <curl/curl.h>
30 #endif
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "iobuf.h"
38 #include "memory.h"
39 #include "ttyio.h"
40 #include "options.h"
41 #include "packet.h"
42 #include "trustdb.h"
43 #include "keyserver-internal.h"
44 #include "util.h"
45
46 #define GET    0
47 #define SEND   1
48 #define SEARCH 2
49
50 #define GPGKEYS_PREFIX "gpgkeys_"
51
52 struct keyrec
53 {
54   KEYDB_SEARCH_DESC desc;
55   u32 createtime,expiretime;
56   int size,flags;
57   byte type;
58   IOBUF uidbuf;
59   unsigned int lines;
60 };
61
62 /* Tell remote processes about these options */
63 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
64
65 static struct parse_options keyserver_opts[]=
66   {
67     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL},      
68     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL},
69     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL},
70     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL},
71     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL},
72     {"auto-pka-retrieve",KEYSERVER_AUTO_PKA_RETRIEVE,NULL},
73     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL},
74     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL},
75     {NULL,0,NULL}
76   };
77
78 static int keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
79                           int count,struct keyserver_spec *keyserver);
80
81 int
82 parse_keyserver_options(char *options)
83 {
84   int ret=1;
85   char *tok;
86
87   while((tok=optsep(&options)))
88     {
89       if(tok[0]=='\0')
90         continue;
91
92       /* For backwards compatibility.  1.2.x used honor-http-proxy and
93          there are a good number of documents published that recommend
94          it. */
95       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
96         tok="http-proxy";
97       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
98         tok="no-http-proxy";
99
100       /* We accept quite a few possible options here - some options to
101          handle specially, the keyserver_options list, and import and
102          export options that pertain to keyserver operations.  Note
103          that you must use strncasecmp here as there might be an
104          =argument attached which will foil the use of strcasecmp. */
105
106 #ifdef EXEC_TEMPFILE_ONLY
107       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
108               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
109         log_info(_("WARNING: keyserver option `%s' is not used"
110                    " on this platform\n"),tok);
111 #else
112       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
113         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
114       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
115         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
116 #endif
117       else if(!parse_options(tok,&opt.keyserver_options.options,
118                              keyserver_opts,0)
119          && !parse_import_options(tok,
120                                   &opt.keyserver_options.import_options,0)
121          && !parse_export_options(tok,
122                                   &opt.keyserver_options.export_options,0))
123         {
124           /* All of the standard options have failed, so the option is
125              destined for a keyserver plugin. */
126           char *arg=argsplit(tok);
127
128           if(arg)
129             {
130               char *joined;
131
132               joined=xmalloc(strlen(tok)+1+strlen(arg)+1);
133               /* Make a canonical name=value form with no
134                  spaces */
135               strcpy(joined,tok);
136               strcat(joined,"=");
137               strcat(joined,arg);
138               add_to_strlist(&opt.keyserver_options.other,joined);
139               xfree(joined);
140             }
141           else
142             add_to_strlist(&opt.keyserver_options.other,tok);
143         }
144     }
145
146   return ret;
147 }
148
149 void
150 free_keyserver_spec(struct keyserver_spec *keyserver)
151 {
152   xfree(keyserver->uri);
153   xfree(keyserver->scheme);
154   xfree(keyserver->auth);
155   xfree(keyserver->host);
156   xfree(keyserver->port);
157   xfree(keyserver->path);
158   xfree(keyserver->opaque);
159   xfree(keyserver);
160 }
161
162 /* TODO: once we cut over to an all-curl world, we don't need this
163    parser any longer so it can be removed, or at least moved to
164    keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
165
166 struct keyserver_spec *
167 parse_keyserver_uri(const char *uri,int require_scheme,
168                     const char *configname,unsigned int configlineno)
169 {
170   int assume_hkp=0;
171   struct keyserver_spec *keyserver;
172   const char *idx;
173   int count;
174
175   assert(uri!=NULL);
176
177   keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
178
179   keyserver->uri=xstrdup(uri);
180
181   /* Get the scheme */
182
183   for(idx=uri,count=0;*idx && *idx!=':';idx++)
184     {
185       count++;
186
187       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
188          there clearly isn't a scheme so get out early. */
189       if(*idx=='[')
190         {
191           /* Was the '[' the first thing in the string?  If not, we
192              have a mangled scheme with a [ in it so fail. */
193           if(count==1)
194             break;
195           else
196             goto fail;
197         }
198     }
199
200   if(count==0)
201     goto fail;
202
203   if(*idx=='\0' || *idx=='[')
204     {
205       if(require_scheme)
206         return NULL;
207
208       /* Assume HKP if there is no scheme */
209       assume_hkp=1;
210       keyserver->scheme=xstrdup("hkp");
211     }
212   else
213     {
214       int i;
215
216       keyserver->scheme=xmalloc(count+1);
217
218       /* Force to lowercase */
219       for(i=0;i<count;i++)
220         keyserver->scheme[i]=ascii_tolower(uri[i]);
221
222       keyserver->scheme[i]='\0';
223
224       /* Skip past the scheme and colon */
225       uri+=count+1;
226     }
227
228   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
229     {
230       deprecated_warning(configname,configlineno,"x-broken-hkp",
231                          "--keyserver-options ","broken-http-proxy");
232       xfree(keyserver->scheme);
233       keyserver->scheme=xstrdup("hkp");
234       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
235     }
236   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
237     {
238       /* Canonicalize this to "hkp" so it works with both the internal
239          and external keyserver interface. */
240       xfree(keyserver->scheme);
241       keyserver->scheme=xstrdup("hkp");
242     }
243
244   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
245     {
246       /* Two slashes means network path. */
247
248       /* Skip over the "//", if any */
249       if(!assume_hkp)
250         uri+=2;
251
252       /* Do we have userinfo auth data present? */
253       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
254         count++;
255
256       /* We found a @ before the slash, so that means everything
257          before the @ is auth data. */
258       if(*idx=='@')
259         {
260           if(count==0)
261             goto fail;
262
263           keyserver->auth=xmalloc(count+1);
264           strncpy(keyserver->auth,uri,count);
265           keyserver->auth[count]='\0';
266           uri+=count+1;
267         }
268
269       /* Is it an RFC-2732 ipv6 [literal address] ? */
270       if(*uri=='[')
271         {
272           for(idx=uri+1,count=1;*idx
273                 && ((isascii (*idx) && isxdigit(*idx))
274                     || *idx==':' || *idx=='.');idx++)
275             count++;
276
277           /* Is the ipv6 literal address terminated? */
278           if(*idx==']')
279             count++;
280           else
281             goto fail;
282         }
283       else
284         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
285           count++;
286
287       if(count==0)
288         goto fail;
289
290       keyserver->host=xmalloc(count+1);
291       strncpy(keyserver->host,uri,count);
292       keyserver->host[count]='\0';
293
294       /* Skip past the host */
295       uri+=count;
296
297       if(*uri==':')
298         {
299           /* It would seem to be reasonable to limit the range of the
300              ports to values between 1-65535, but RFC 1738 and 1808
301              imply there is no limit.  Of course, the real world has
302              limits. */
303
304           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
305             {
306               count++;
307
308               /* Ports are digits only */
309               if(!digitp(idx))
310                 goto fail;
311             }
312
313           keyserver->port=xmalloc(count+1);
314           strncpy(keyserver->port,uri+1,count);
315           keyserver->port[count]='\0';
316
317           /* Skip past the colon and port number */
318           uri+=1+count;
319         }
320
321       /* Everything else is the path */
322       if(*uri)
323         keyserver->path=xstrdup(uri);
324       else
325         keyserver->path=xstrdup("/");
326     }
327   else if(uri[0]!='/')
328     {
329       /* No slash means opaque.  Just record the opaque blob and get
330          out. */
331       keyserver->opaque=xstrdup(uri);
332     }
333   else
334     {
335       /* One slash means absolute path.  We don't need to support that
336          yet. */
337       goto fail;
338     }
339
340   return keyserver;
341
342  fail:
343   free_keyserver_spec(keyserver);
344
345   return NULL;
346 }
347
348 struct keyserver_spec *
349 parse_preferred_keyserver(PKT_signature *sig)
350 {
351   struct keyserver_spec *spec=NULL;
352   const byte *p;
353   size_t plen;
354
355   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
356   if(p && plen)
357     {
358       byte *dupe=xmalloc(plen+1);
359
360       memcpy(dupe,p,plen);
361       dupe[plen]='\0';
362       spec=parse_keyserver_uri(dupe,1,NULL,0);
363       xfree(dupe);
364     }
365
366   return spec;
367 }
368
369 static void
370 print_keyrec(int number,struct keyrec *keyrec)
371 {
372   int i;
373
374   iobuf_writebyte(keyrec->uidbuf,0);
375   iobuf_flush_temp(keyrec->uidbuf);
376   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
377
378   if(keyrec->size>0)
379     printf("%d bit ",keyrec->size);
380
381   if(keyrec->type)
382     {
383       const char *str=pubkey_algo_to_string(keyrec->type);
384
385       if(str)
386         printf("%s ",str);
387       else
388         printf("unknown ");
389     }
390
391   switch(keyrec->desc.mode)
392     {
393       /* If the keyserver helper gave us a short keyid, we have no
394          choice but to use it.  Do check --keyid-format to add a 0x if
395          needed. */
396     case KEYDB_SEARCH_MODE_SHORT_KID:
397       printf("key %s%08lX",
398              (opt.keyid_format==KF_0xSHORT
399               || opt.keyid_format==KF_0xLONG)?"0x":"",
400              (ulong)keyrec->desc.u.kid[1]);
401       break;
402
403       /* However, if it gave us a long keyid, we can honor
404          --keyid-format */
405     case KEYDB_SEARCH_MODE_LONG_KID:
406       printf("key %s",keystr(keyrec->desc.u.kid));
407       break;
408
409     case KEYDB_SEARCH_MODE_FPR16:
410       printf("key ");
411       for(i=0;i<16;i++)
412         printf("%02X",keyrec->desc.u.fpr[i]);
413       break;
414
415     case KEYDB_SEARCH_MODE_FPR20:
416       printf("key ");
417       for(i=0;i<20;i++)
418         printf("%02X",keyrec->desc.u.fpr[i]);
419       break;
420
421     default:
422       BUG();
423       break;
424     }
425
426   if(keyrec->createtime>0)
427     {
428       printf(", ");
429       printf(_("created: %s"),strtimestamp(keyrec->createtime));
430     }
431
432   if(keyrec->expiretime>0)
433     {
434       printf(", ");
435       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
436     }
437
438   if(keyrec->flags&1)
439     printf(" (%s)",_("revoked"));
440   if(keyrec->flags&2)
441     printf(" (%s)",_("disabled"));
442   if(keyrec->flags&4)
443     printf(" (%s)",_("expired"));
444
445   printf("\n");
446 }
447
448 /* Returns a keyrec (which must be freed) once a key is complete, and
449    NULL otherwise.  Call with a NULL keystring once key parsing is
450    complete to return any unfinished keys. */
451 static struct keyrec *
452 parse_keyrec(char *keystring)
453 {
454   static struct keyrec *work=NULL;
455   struct keyrec *ret=NULL;
456   char *record;
457   int i;
458
459   if(keystring==NULL)
460     {
461       if(work==NULL)
462         return NULL;
463       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
464         {
465           xfree(work);
466           return NULL;
467         }
468       else
469         {
470           ret=work;
471           work=NULL;
472           return ret;
473         }
474     }
475
476   if(work==NULL)
477     {
478       work=xmalloc_clear(sizeof(struct keyrec));
479       work->uidbuf=iobuf_temp();
480     }
481
482   /* Remove trailing whitespace */
483   for(i=strlen(keystring);i>0;i--)
484     if(ascii_isspace(keystring[i-1]))
485       keystring[i-1]='\0';
486     else
487       break;
488
489   if((record=strsep(&keystring,":"))==NULL)
490     return ret;
491
492   if(ascii_strcasecmp("pub",record)==0)
493     {
494       char *tok;
495
496       if(work->desc.mode)
497         {
498           ret=work;
499           work=xmalloc_clear(sizeof(struct keyrec));
500           work->uidbuf=iobuf_temp();
501         }
502
503       if((tok=strsep(&keystring,":"))==NULL)
504         return ret;
505
506       classify_user_id(tok,&work->desc);
507       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
508          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
509          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
510          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
511         {
512           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
513           return ret;
514         }
515
516       /* Note all items after this are optional.  This allows us to
517          have a pub line as simple as pub:keyid and nothing else. */
518
519       work->lines++;
520
521       if((tok=strsep(&keystring,":"))==NULL)
522         return ret;
523
524       work->type=atoi(tok);
525
526       if((tok=strsep(&keystring,":"))==NULL)
527         return ret;
528
529       work->size=atoi(tok);
530
531       if((tok=strsep(&keystring,":"))==NULL)
532         return ret;
533
534       if(atoi(tok)<=0)
535         work->createtime=0;
536       else
537         work->createtime=atoi(tok);
538
539       if((tok=strsep(&keystring,":"))==NULL)
540         return ret;
541
542       if(atoi(tok)<=0)
543         work->expiretime=0;
544       else
545         {
546           work->expiretime=atoi(tok);
547           /* Force the 'e' flag on if this key is expired. */
548           if(work->expiretime<=make_timestamp())
549             work->flags|=4;
550         }
551
552       if((tok=strsep(&keystring,":"))==NULL)
553         return ret;
554
555       while(*tok)
556         switch(*tok++)
557           {
558           case 'r':
559           case 'R':
560             work->flags|=1;
561             break;
562             
563           case 'd':
564           case 'D':
565             work->flags|=2;
566             break;
567
568           case 'e':
569           case 'E':
570             work->flags|=4;
571             break;
572           }
573     }
574   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
575     {
576       char *userid,*tok,*decoded;
577
578       if((tok=strsep(&keystring,":"))==NULL)
579         return ret;
580
581       if(strlen(tok)==0)
582         return ret;
583
584       userid=tok;
585
586       /* By definition, de-%-encoding is always smaller than the
587          original string so we can decode in place. */
588
589       i=0;
590
591       while(*tok)
592         if(tok[0]=='%' && tok[1] && tok[2])
593           {
594             if((userid[i]=hextobyte(&tok[1]))==-1)
595               userid[i]='?';
596
597             i++;
598             tok+=3;
599           }
600         else
601           userid[i++]=*tok++;
602
603       /* We don't care about the other info provided in the uid: line
604          since no keyserver supports marking userids with timestamps
605          or revoked/expired/disabled yet. */
606
607       /* No need to check for control characters, as utf8_to_native
608          does this for us. */
609
610       decoded=utf8_to_native(userid,i,0);
611       if(strlen(decoded)>opt.screen_columns-10)
612         decoded[opt.screen_columns-10]='\0';
613       iobuf_writestr(work->uidbuf,decoded);
614       xfree(decoded);
615       iobuf_writestr(work->uidbuf,"\n\t");
616       work->lines++;
617     }
618
619   /* Ignore any records other than "pri" and "uid" for easy future
620      growth. */
621
622   return ret;
623 }
624
625 /* TODO: do this as a list sent to keyserver_work rather than calling
626    it once for each key to get the correct counts after the import
627    (cosmetics, really) and to better take advantage of the keyservers
628    that can do multiple fetches in one go (LDAP). */
629 static int
630 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
631 {
632   char *answer;
633
634   if(count && opt.command_fd==-1)
635     {
636       static int from=1;
637       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
638       from=numdesc+1;
639     }
640
641   answer=cpr_get_no_help("keysearch.prompt",
642                          _("Enter number(s), N)ext, or Q)uit > "));
643   /* control-d */
644   if(answer[0]=='\x04')
645     {
646       printf("Q\n");
647       answer[0]='q';
648     }
649
650   if(answer[0]=='q' || answer[0]=='Q')
651     {
652       xfree(answer);
653       return 1;
654     }
655   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
656     {
657       char *split=answer,*num;
658
659       while((num=strsep(&split," ,"))!=NULL)
660         if(atoi(num)>=1 && atoi(num)<=numdesc)
661           keyserver_work(GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
662
663       xfree(answer);
664       return 1;
665     }
666
667   return 0;
668 }
669
670 /* Count and searchstr are just for cosmetics.  If the count is too
671    small, it will grow safely.  If negative it disables the "Key x-y
672    of z" messages.  searchstr should be UTF-8 (rather than native). */
673 static void
674 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
675 {
676   int i=0,validcount=0,started=0,header=0,count=1;
677   unsigned int maxlen,buflen,numlines=0;
678   KEYDB_SEARCH_DESC *desc;
679   byte *line=NULL;
680   char *localstr=NULL;
681
682   if(searchstr)
683     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
684
685   desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
686
687   for(;;)
688     {
689       struct keyrec *keyrec;
690       int rl;
691
692       maxlen=1024;
693       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
694
695       if(opt.with_colons)
696         {
697           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
698              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
699             {
700               header=1;
701               continue;
702             }
703           else if(ascii_strncasecmp("SEARCH ",line,7)==0
704                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
705             continue;
706
707           printf("%s",line);
708         }
709
710       /* Look for an info: line.  The only current info: values
711          defined are the version and key count. */
712       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
713         {
714           char *tok,*str=&line[5];
715
716           if((tok=strsep(&str,":"))!=NULL)
717             {
718               int version;
719
720               if(sscanf(tok,"%d",&version)!=1)
721                 version=1;
722
723               if(version!=1)
724                 {
725                   log_error(_("invalid keyserver protocol "
726                               "(us %d!=handler %d)\n"),1,version);
727                   break;
728                 }
729             }
730
731           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
732             {
733               if(count==0)
734                 goto notfound;
735               else if(count<0)
736                 count=10;
737               else
738                 validcount=1;
739
740               desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
741             }
742
743           started=1;
744           continue;
745         }
746
747       if(rl==0)
748         {
749           keyrec=parse_keyrec(NULL);
750
751           if(keyrec==NULL)
752             {
753               if(i==0)
754                 {
755                   count=0;
756                   break;
757                 }
758
759               if(i!=count)
760                 validcount=0;
761
762               for(;;)
763                 {
764                   if(show_prompt(desc,i,validcount?count:0,localstr))
765                     break;
766                   validcount=0;
767                 }
768
769               break;
770             }
771         }
772       else
773         keyrec=parse_keyrec(line);
774
775       if(i==count)
776         {
777           /* keyserver helper sent more keys than they claimed in the
778              info: line. */
779           count+=10;
780           desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
781           validcount=0;
782         }
783
784       if(keyrec)
785         {
786           desc[i]=keyrec->desc;
787
788           if(!opt.with_colons)
789             {
790               /* screen_lines - 1 for the prompt. */
791               if(numlines+keyrec->lines>opt.screen_lines-1)
792                 {
793                   if(show_prompt(desc,i,validcount?count:0,localstr))
794                     break;
795                   else
796                     numlines=0;
797                 }
798
799               print_keyrec(i+1,keyrec);
800             }
801
802           numlines+=keyrec->lines;
803           iobuf_close(keyrec->uidbuf);
804           xfree(keyrec);
805
806           started=1;
807           i++;
808         }
809     }
810
811  notfound:
812   /* Leave this commented out or now, and perhaps for a very long
813      time.  All HKPish servers return HTML error messages for
814      no-key-found. */
815   /* 
816      if(!started)
817      log_info(_("keyserver does not support searching\n"));
818      else
819   */
820   if(count==0)
821     {
822       if(localstr)
823         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
824       else
825         log_info(_("key not found on keyserver\n"));
826     }
827
828   xfree(localstr);
829   xfree(desc);
830   xfree(line);
831 }
832
833 static int
834 curl_can_handle(const char *scheme)
835 {
836 #if defined(HAVE_LIBCURL)
837
838   const char * const *proto;
839   curl_version_info_data *data=curl_version_info(CURLVERSION_NOW);
840
841   assert(data);
842
843   for(proto=data->protocols;*proto;proto++)
844     if(strcasecmp(*proto,scheme)==0)
845       return 1;
846
847 #elif defined(FAKE_CURL)
848
849   /* If we're faking curl, then we only support HTTP */
850   if(strcasecmp(scheme,"http")==0)
851     return 1;
852
853 #endif
854
855   return 0;
856 }
857
858 /* We sometimes want to use a different gpgkeys_xxx for a given
859    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
860    these here. */
861 static const char *
862 keyserver_typemap(const char *type)
863 {
864   if(strcmp(type,"ldap")==0)
865     return "ldap";
866   else if(strcmp(type,"ldaps")==0)
867     return "ldap";
868   else if(curl_can_handle(type))
869     return "curl";
870   else
871     return type;
872 }
873
874 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
875 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
876
877 static int 
878 keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
879                 int count,int *prog,struct keyserver_spec *keyserver)
880 {
881   int ret=0,i,gotversion=0,outofband=0;
882   STRLIST temp;
883   unsigned int maxlen,buflen;
884   char *command,*searchstr=NULL;
885   byte *line=NULL;
886   struct parse_options *kopts;
887   struct exec_info *spawn;
888   const char *scheme;
889   const char *libexecdir = get_libexecdir ();
890
891   assert(keyserver);
892
893 #ifdef EXEC_TEMPFILE_ONLY
894   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
895 #endif
896
897   /* Build the filename for the helper to execute */
898   scheme=keyserver_typemap(keyserver->scheme);
899
900 #ifdef DISABLE_KEYSERVER_PATH
901   /* Destroy any path we might have.  This is a little tricky,
902      portability-wise.  It's not correct to delete the PATH
903      environment variable, as that may fall back to a system built-in
904      PATH.  Similarly, it is not correct to set PATH to the null
905      string (PATH="") since this actually deletes the PATH environment
906      variable under MinGW.  The safest thing to do here is to force
907      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
908      Unix-like systems (since we're going to give a full path to
909      gpgkeys_foo), but on W32 it prevents loading any DLLs from
910      directories in %PATH%.
911
912      After some more thinking about this we came to the conclusion
913      that it is better to load the helpers from the directory where
914      the program of this process lives.  Fortunately Windows provides
915      a way to retrieve this and our get_libexecdir function has been
916      modified to return just this.  Setting the exec-path is not
917      anymore required.  
918        set_exec_path(libexecdir);
919  */
920 #else
921   if(opt.exec_path_set)
922     {
923       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
924          undefined, then don't specify a full path to gpgkeys_foo, so
925          that the PATH can work. */
926       command=xmalloc(strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
927       command[0]='\0';
928     }
929   else
930 #endif
931     {
932       /* Specify a full path to gpgkeys_foo. */
933       command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
934                       strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
935       strcpy(command,libexecdir);
936       strcat(command,DIRSEP_S);
937     }
938
939   strcat(command,GPGKEYS_PREFIX); 
940   strcat(command,scheme);
941
942   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
943     {
944       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
945         {
946           command=xrealloc(command,strlen(command)+
947                             strlen(KEYSERVER_ARGS_KEEP)+1);
948           strcat(command,KEYSERVER_ARGS_KEEP);
949         }
950       else
951         {
952           command=xrealloc(command,strlen(command)+
953                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
954           strcat(command,KEYSERVER_ARGS_NOKEEP);  
955         }
956
957       ret=exec_write(&spawn,NULL,command,NULL,0,0);
958     }
959   else
960     ret=exec_write(&spawn,command,NULL,NULL,0,0);
961
962   xfree(command);
963
964   if(ret)
965     return ret;
966
967   fprintf(spawn->tochild,
968           "# This is a GnuPG %s keyserver communications file\n",VERSION);
969   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
970   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
971   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
972
973   if(keyserver->opaque)
974     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
975   else
976     {
977       if(keyserver->auth)
978         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
979
980       if(keyserver->host)
981         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
982
983       if(keyserver->port)
984         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
985
986       if(keyserver->path)
987         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
988     }
989
990   /* Write options */
991
992   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
993     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
994       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
995
996   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
997     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
998
999   switch(action)
1000     {
1001     case GET:
1002       {
1003         fprintf(spawn->tochild,"COMMAND GET\n\n");
1004
1005         /* Which keys do we want? */
1006
1007         for(i=0;i<count;i++)
1008           {
1009             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1010               {
1011                 int f;
1012
1013                 fprintf(spawn->tochild,"0x");
1014
1015                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1016                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1017
1018                 fprintf(spawn->tochild,"\n");
1019               }
1020             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1021               {
1022                 int f;
1023
1024                 fprintf(spawn->tochild,"0x");
1025
1026                 for(f=0;f<16;f++)
1027                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1028
1029                 fprintf(spawn->tochild,"\n");
1030               }
1031             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1032               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1033                       (ulong)desc[i].u.kid[0],
1034                       (ulong)desc[i].u.kid[1]);
1035             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1036               fprintf(spawn->tochild,"0x%08lX\n",
1037                       (ulong)desc[i].u.kid[1]);
1038             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1039               continue;
1040             else
1041               BUG();
1042
1043             if(keyserver->host)
1044               log_info(_("requesting key %s from %s server %s\n"),
1045                        keystr_from_desc(&desc[i]),
1046                        keyserver->scheme,keyserver->host);
1047             else
1048               log_info(_("requesting key %s from %s\n"),
1049                        keystr_from_desc(&desc[i]),keyserver->uri);
1050           }
1051
1052         fprintf(spawn->tochild,"\n");
1053
1054         break;
1055       }
1056
1057     case SEND:
1058       {
1059         STRLIST key;
1060
1061         /* Note the extra \n here to send an empty keylist block */
1062         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1063
1064         for(key=list;key!=NULL;key=key->next)
1065           {
1066             armor_filter_context_t afx;
1067             IOBUF buffer=iobuf_temp();
1068             KBNODE block;
1069
1070             temp=NULL;
1071             add_to_strlist(&temp,key->d);
1072
1073             memset(&afx,0,sizeof(afx));
1074             afx.what=1;
1075             /* Tell the armor filter to use Unix-style \n line
1076                endings, since we're going to fprintf this to a file
1077                that (on Win32) is open in text mode.  The win32 stdio
1078                will transform the \n to \r\n and we'll end up with the
1079                proper line endings on win32.  This is a no-op on
1080                Unix. */
1081             afx.eol[0]='\n';
1082             iobuf_push_filter(buffer,armor_filter,&afx);
1083
1084             /* TODO: Remove Comment: lines from keys exported this
1085                way? */
1086
1087             if(export_pubkeys_stream(buffer,temp,&block,
1088                                      opt.keyserver_options.export_options)==-1)
1089               iobuf_close(buffer);
1090             else
1091               {
1092                 KBNODE node;
1093
1094                 iobuf_flush_temp(buffer);
1095
1096                 merge_keys_and_selfsig(block);
1097
1098                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1099                         (ulong)block->pkt->pkt.public_key->keyid[0],
1100                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1101
1102                 for(node=block;node;node=node->next)
1103                   {
1104                     switch(node->pkt->pkttype)
1105                       {
1106                       default:
1107                         continue;
1108
1109                       case PKT_PUBLIC_KEY:
1110                       case PKT_PUBLIC_SUBKEY:
1111                         {
1112                           PKT_public_key *pk=node->pkt->pkt.public_key;
1113
1114                           keyid_from_pk(pk,NULL);
1115
1116                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1117                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1118                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1119                                   pk->pubkey_algo,
1120                                   nbits_from_pk(pk),
1121                                   pk->timestamp,
1122                                   pk->expiredate);
1123
1124                           if(pk->is_revoked)
1125                             fprintf(spawn->tochild,"r");
1126                           if(pk->has_expired)
1127                             fprintf(spawn->tochild,"e");
1128
1129                           fprintf(spawn->tochild,"\n");
1130                         }
1131                         break;
1132
1133                       case PKT_USER_ID:
1134                         {
1135                           PKT_user_id *uid=node->pkt->pkt.user_id;
1136                           int r;
1137
1138                           if(uid->attrib_data)
1139                             continue;
1140
1141                           fprintf(spawn->tochild,"uid:");
1142
1143                           /* Quote ':', '%', and any 8-bit
1144                              characters */
1145                           for(r=0;r<uid->len;r++)
1146                             {
1147                               if(uid->name[r]==':' || uid->name[r]=='%'
1148                                  || uid->name[r]&0x80)
1149                                 fprintf(spawn->tochild,"%%%02X",
1150                                         (byte)uid->name[r]);
1151                               else
1152                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1153                             }
1154
1155                           fprintf(spawn->tochild,":%u:%u:",
1156                                   uid->created,uid->expiredate);
1157
1158                           if(uid->is_revoked)
1159                             fprintf(spawn->tochild,"r");
1160                           if(uid->is_expired)
1161                             fprintf(spawn->tochild,"e");
1162
1163                           fprintf(spawn->tochild,"\n");
1164                         }
1165                         break;
1166
1167                         /* This bit is really for the benefit of
1168                            people who store their keys in LDAP
1169                            servers.  It makes it easy to do queries
1170                            for things like "all keys signed by
1171                            Isabella". */
1172                       case PKT_SIGNATURE:
1173                         {
1174                           PKT_signature *sig=node->pkt->pkt.signature;
1175
1176                           if(!IS_UID_SIG(sig))
1177                             continue;
1178
1179                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1180                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1181                                   sig->sig_class,sig->timestamp,
1182                                   sig->expiredate);
1183                         }
1184                         break;
1185                       }
1186                   }
1187
1188                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1189                         (ulong)block->pkt->pkt.public_key->keyid[0],
1190                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1191
1192                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1193                 fwrite(iobuf_get_temp_buffer(buffer),
1194                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1195                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1196
1197                 iobuf_close(buffer);
1198
1199                 if(keyserver->host)
1200                   log_info(_("sending key %s to %s server %s\n"),
1201                            keystr(block->pkt->pkt.public_key->keyid),
1202                            keyserver->scheme,keyserver->host);
1203                 else
1204                   log_info(_("sending key %s to %s\n"),
1205                            keystr(block->pkt->pkt.public_key->keyid),
1206                            keyserver->uri);
1207
1208                 release_kbnode(block);
1209               }
1210
1211             free_strlist(temp);
1212           }
1213
1214         break;
1215       }
1216
1217     case SEARCH:
1218       {
1219         STRLIST key;
1220
1221         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1222
1223         /* Which keys do we want?  Remember that the gpgkeys_ program
1224            is going to lump these together into a search string. */
1225
1226         for(key=list;key!=NULL;key=key->next)
1227           {
1228             fprintf(spawn->tochild,"%s\n",key->d);
1229             if(key!=list)
1230               {
1231                 searchstr=xrealloc(searchstr,
1232                                     strlen(searchstr)+strlen(key->d)+2);
1233                 strcat(searchstr," ");
1234               }
1235             else
1236               {
1237                 searchstr=xmalloc(strlen(key->d)+1);
1238                 searchstr[0]='\0';
1239               }
1240
1241             strcat(searchstr,key->d);
1242           }
1243
1244         fprintf(spawn->tochild,"\n");
1245
1246         if(keyserver->host)
1247           log_info(_("searching for \"%s\" from %s server %s\n"),
1248                    searchstr,keyserver->scheme,keyserver->host);
1249         else
1250           log_info(_("searching for \"%s\" from %s\n"),
1251                    searchstr,keyserver->uri);
1252
1253         break;
1254       }
1255
1256     default:
1257       log_fatal(_("no keyserver action!\n"));
1258       break;
1259     }
1260
1261   /* Done sending, so start reading. */
1262   ret=exec_read(spawn);
1263   if(ret)
1264     goto fail;
1265
1266   /* Now handle the response */
1267
1268   for(;;)
1269     {
1270       int plen;
1271       char *ptr;
1272
1273       maxlen=1024;
1274       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1275         {
1276           ret=G10ERR_READ_FILE;
1277           goto fail; /* i.e. EOF */
1278         }
1279
1280       ptr=line;
1281
1282       /* remove trailing whitespace */
1283       plen=strlen(ptr);
1284       while(plen>0 && ascii_isspace(ptr[plen-1]))
1285         plen--;
1286       plen[ptr]='\0';
1287
1288       if(*ptr=='\0')
1289         break;
1290
1291       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1292         {
1293           gotversion=1;
1294
1295           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1296             {
1297               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1298                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1299               goto fail;
1300             }
1301         }
1302       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1303         {
1304           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1305             log_info(_("WARNING: keyserver handler from a different"
1306                        " version of GnuPG (%s)\n"),&ptr[8]);
1307         }
1308       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1309         outofband=1; /* Currently the only OPTION */
1310     }
1311
1312   if(!gotversion)
1313     {
1314       log_error(_("keyserver did not send VERSION\n"));
1315       goto fail;
1316     }
1317
1318   if(!outofband)
1319     switch(action)
1320       {
1321       case GET:
1322         {
1323           void *stats_handle;
1324
1325           stats_handle=import_new_stats_handle();
1326
1327           /* Slurp up all the key data.  In the future, it might be
1328              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1329              It's harmless to ignore them, but ignoring them does make
1330              gpg complain about "no valid OpenPGP data found".  One
1331              way to do this could be to continue parsing this
1332              line-by-line and make a temp iobuf for each key. */
1333
1334           import_keys_stream(spawn->fromchild,stats_handle,
1335                              opt.keyserver_options.import_options);
1336
1337           import_print_stats(stats_handle);
1338           import_release_stats_handle(stats_handle);
1339
1340           break;
1341         }
1342
1343         /* Nothing to do here */
1344       case SEND:
1345         break;
1346
1347       case SEARCH:
1348         keyserver_search_prompt(spawn->fromchild,searchstr);
1349         break;
1350
1351       default:
1352         log_fatal(_("no keyserver action!\n"));
1353         break;
1354       }
1355
1356  fail:
1357   xfree(line);
1358   xfree(searchstr);
1359
1360
1361   *prog=exec_finish(spawn);
1362
1363   return ret;
1364 }
1365
1366 static int 
1367 keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1368                int count,struct keyserver_spec *keyserver)
1369 {
1370   int rc=0,ret=0;
1371
1372   if(!keyserver)
1373     {
1374       log_error(_("no keyserver known (use option --keyserver)\n"));
1375       return G10ERR_BAD_URI;
1376     }
1377
1378 #ifdef DISABLE_KEYSERVER_HELPERS
1379
1380   log_error(_("external keyserver calls are not supported in this build\n"));
1381   return G10ERR_KEYSERVER;
1382
1383 #else
1384   /* Spawn a handler */
1385
1386   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1387   if(ret)
1388     {
1389       switch(ret)
1390         {
1391         case KEYSERVER_SCHEME_NOT_FOUND:
1392           log_error(_("no handler for keyserver scheme `%s'\n"),
1393                     keyserver->scheme);
1394           break;
1395
1396         case KEYSERVER_NOT_SUPPORTED:
1397           log_error(_("action `%s' not supported with keyserver "
1398                       "scheme `%s'\n"),
1399                     action==GET?"get":action==SEND?"send":
1400                     action==SEARCH?"search":"unknown",
1401                     keyserver->scheme);
1402           break;
1403
1404         case KEYSERVER_VERSION_ERROR:
1405           log_error(_(GPGKEYS_PREFIX "%s does not support"
1406                       " handler version %d\n"),
1407                     keyserver_typemap(keyserver->scheme),
1408                     KEYSERVER_PROTO_VERSION);
1409           break;
1410
1411         case KEYSERVER_TIMEOUT:
1412           log_error(_("keyserver timed out\n"));
1413           break;
1414
1415         case KEYSERVER_INTERNAL_ERROR:
1416         default:
1417           log_error(_("keyserver internal error\n"));
1418           break;
1419         }
1420
1421       return G10ERR_KEYSERVER;
1422     }
1423
1424   if(rc)
1425     {
1426       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1427
1428       return rc;
1429     }
1430
1431   return 0;
1432 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1433 }
1434
1435 int 
1436 keyserver_export(STRLIST users)
1437 {
1438   STRLIST sl=NULL;
1439   KEYDB_SEARCH_DESC desc;
1440   int rc=0;
1441
1442   /* Weed out descriptors that we don't support sending */
1443   for(;users;users=users->next)
1444     {
1445       classify_user_id (users->d, &desc);
1446       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1447          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1448          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1449          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1450         {
1451           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1452           continue;
1453         }
1454       else
1455         append_to_strlist(&sl,users->d);
1456     }
1457
1458   if(sl)
1459     {
1460       rc=keyserver_work(SEND,sl,NULL,0,opt.keyserver);
1461       free_strlist(sl);
1462     }
1463
1464   return rc;
1465 }
1466
1467 int 
1468 keyserver_import(STRLIST users)
1469 {
1470   KEYDB_SEARCH_DESC *desc;
1471   int num=100,count=0;
1472   int rc=0;
1473
1474   /* Build a list of key ids */
1475   desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1476
1477   for(;users;users=users->next)
1478     {
1479       classify_user_id (users->d, &desc[count]);
1480       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1481          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1482          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1483          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1484         {
1485           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1486           continue;
1487         }
1488
1489       count++;
1490       if(count==num)
1491         {
1492           num+=100;
1493           desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1494         }
1495     }
1496
1497   if(count>0)
1498     rc=keyserver_work(GET,NULL,desc,count,opt.keyserver);
1499
1500   xfree(desc);
1501
1502   return rc;
1503 }
1504
1505 int
1506 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1507                         struct keyserver_spec *keyserver)
1508 {
1509   KEYDB_SEARCH_DESC desc;
1510
1511   memset(&desc,0,sizeof(desc));
1512
1513   if(fprint_len==16)
1514     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1515   else if(fprint_len==20)
1516     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1517   else
1518     return -1;
1519
1520   memcpy(desc.u.fpr,fprint,fprint_len);
1521
1522   return keyserver_work(GET,NULL,&desc,1,keyserver);
1523 }
1524
1525 int 
1526 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1527 {
1528   KEYDB_SEARCH_DESC desc;
1529
1530   memset(&desc,0,sizeof(desc));
1531
1532   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1533   desc.u.kid[0]=keyid[0];
1534   desc.u.kid[1]=keyid[1];
1535
1536   return keyserver_work(GET,NULL,&desc,1,keyserver);
1537 }
1538
1539 /* code mostly stolen from do_export_stream */
1540 static int 
1541 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1542 {
1543   int rc=0,ndesc,num=100;
1544   KBNODE keyblock=NULL,node;
1545   KEYDB_HANDLE kdbhd;
1546   KEYDB_SEARCH_DESC *desc;
1547   STRLIST sl;
1548
1549   *count=0;
1550
1551   *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1552
1553   kdbhd=keydb_new(0);
1554
1555   if(!users)
1556     {
1557       ndesc = 1;
1558       desc = xmalloc_clear ( ndesc * sizeof *desc);
1559       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1560     }
1561   else
1562     {
1563       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1564         ;
1565       desc = xmalloc ( ndesc * sizeof *desc);
1566         
1567       for (ndesc=0, sl=users; sl; sl = sl->next)
1568         {
1569           if(classify_user_id (sl->d, desc+ndesc))
1570             ndesc++;
1571           else
1572             log_error (_("key \"%s\" not found: %s\n"),
1573                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1574         }
1575     }
1576
1577   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1578     {
1579       if (!users) 
1580         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1581
1582       /* read the keyblock */
1583       rc = keydb_get_keyblock (kdbhd, &keyblock );
1584       if( rc )
1585         {
1586           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1587           goto leave;
1588         }
1589
1590       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1591         {
1592           /* This is to work around a bug in some keyservers (pksd and
1593              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1594              The answer is to refresh both the correct v4 keyid
1595              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1596              This only happens for key refresh using the HKP scheme
1597              and if the refresh-add-fake-v3-keyids keyserver option is
1598              set. */
1599           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1600              node->pkt->pkt.public_key->version>=4)
1601             {
1602               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1603               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1604                             (*klist)[*count].u.kid);
1605               (*count)++;
1606
1607               if(*count==num)
1608                 {
1609                   num+=100;
1610                   *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1611                 }
1612             }
1613
1614           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1615              This is because it's easy to calculate any sort of keyid
1616              from a v4 fingerprint, but not a v3 fingerprint. */
1617
1618           if(node->pkt->pkt.public_key->version<4)
1619             {
1620               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1621               keyid_from_pk(node->pkt->pkt.public_key,
1622                             (*klist)[*count].u.kid);
1623             }
1624           else
1625             {
1626               size_t dummy;
1627
1628               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1629               fingerprint_from_pk(node->pkt->pkt.public_key,
1630                                   (*klist)[*count].u.fpr,&dummy);
1631             }
1632
1633           /* This is a little hackish, using the skipfncvalue as a
1634              void* pointer to the keyserver spec, but we don't need
1635              the skipfnc here, and it saves having an additional field
1636              for this (which would be wasted space most of the
1637              time). */
1638
1639           (*klist)[*count].skipfncvalue=NULL;
1640
1641           /* Are we honoring preferred keyservers? */
1642           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1643             {
1644               PKT_user_id *uid=NULL;
1645               PKT_signature *sig=NULL;
1646
1647               merge_keys_and_selfsig(keyblock);
1648
1649               for(node=node->next;node;node=node->next)
1650                 {
1651                   if(node->pkt->pkttype==PKT_USER_ID
1652                      && node->pkt->pkt.user_id->is_primary)
1653                     uid=node->pkt->pkt.user_id;
1654                   else if(node->pkt->pkttype==PKT_SIGNATURE
1655                           && node->pkt->pkt.signature->
1656                           flags.chosen_selfsig && uid)
1657                     {
1658                       sig=node->pkt->pkt.signature;
1659                       break;
1660                     }
1661                 }
1662
1663               /* Try and parse the keyserver URL.  If it doesn't work,
1664                  then we end up writing NULL which indicates we are
1665                  the same as any other key. */
1666               if(uid && sig)
1667                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1668             }
1669
1670           (*count)++;
1671
1672           if(*count==num)
1673             {
1674               num+=100;
1675               *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1676             }
1677         }
1678     }
1679
1680   if(rc==-1)
1681     rc=0;
1682   
1683  leave:
1684   if(rc)
1685     xfree(*klist);
1686   xfree(desc);
1687   keydb_release(kdbhd);
1688   release_kbnode(keyblock);
1689
1690   return rc;
1691 }
1692
1693 /* Note this is different than the original HKP refresh.  It allows
1694    usernames to refresh only part of the keyring. */
1695
1696 int 
1697 keyserver_refresh(STRLIST users)
1698 {
1699   int rc,count,numdesc,fakev3=0;
1700   KEYDB_SEARCH_DESC *desc;
1701   unsigned int options=opt.keyserver_options.import_options;
1702
1703   /* We switch merge-only on during a refresh, as 'refresh' should
1704      never import new keys, even if their keyids match. */
1705   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1706
1707   /* Similarly, we switch on fast-import, since refresh may make
1708      multiple import sets (due to preferred keyserver URLs).  We don't
1709      want each set to rebuild the trustdb.  Instead we do it once at
1710      the end here. */
1711   opt.keyserver_options.import_options|=IMPORT_FAST;
1712
1713   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1714      scheme, then enable fake v3 keyid generation. */
1715   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1716      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1717          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1718     fakev3=1;
1719
1720   rc=keyidlist(users,&desc,&numdesc,fakev3);
1721   if(rc)
1722     return rc;
1723
1724   count=numdesc;
1725   if(count>0)
1726     {
1727       int i;
1728
1729       /* Try to handle preferred keyserver keys first */
1730       for(i=0;i<count;i++)
1731         {
1732           if(desc[i].skipfncvalue)
1733             {
1734               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1735
1736               /* We use the keyserver structure we parsed out before.
1737                  Note that a preferred keyserver without a scheme://
1738                  will be interpreted as hkp:// */
1739
1740               rc=keyserver_work(GET,NULL,&desc[i],1,keyserver);
1741               if(rc)
1742                 log_info(_("WARNING: unable to refresh key %s"
1743                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1744                          keyserver->uri,g10_errstr(rc));
1745               else
1746                 {
1747                   /* We got it, so mark it as NONE so we don't try and
1748                      get it again from the regular keyserver. */
1749
1750                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1751                   count--;
1752                 }
1753
1754               free_keyserver_spec(keyserver);
1755             }
1756         }
1757     }
1758
1759   if(count>0)
1760     {
1761       if(opt.keyserver)
1762         {
1763           if(count==1)
1764             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1765           else
1766             log_info(_("refreshing %d keys from %s\n"),
1767                      count,opt.keyserver->uri);
1768         }
1769
1770       rc=keyserver_work(GET,NULL,desc,numdesc,opt.keyserver);
1771     }
1772
1773   xfree(desc);
1774
1775   opt.keyserver_options.import_options=options;
1776
1777   /* If the original options didn't have fast import, and the trustdb
1778      is dirty, rebuild. */
1779   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1780     trustdb_check_or_update();
1781
1782   return rc;
1783 }
1784
1785 int
1786 keyserver_search(STRLIST tokens)
1787 {
1788   if(tokens)
1789     return keyserver_work(SEARCH,tokens,NULL,0,opt.keyserver);
1790   else
1791     return 0;
1792 }