* keyserver.c (curl_can_handle): New. Do a runtime check against libcurl
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
19  * USA.
20  */
21
22 #include <config.h>
23 #include <ctype.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <stdlib.h>
27 #include <assert.h>
28 #ifdef HAVE_LIBCURL
29 #include <curl/curl.h>
30 #endif
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "iobuf.h"
38 #include "memory.h"
39 #include "ttyio.h"
40 #include "options.h"
41 #include "packet.h"
42 #include "trustdb.h"
43 #include "keyserver-internal.h"
44 #include "util.h"
45
46 #define GET    0
47 #define SEND   1
48 #define SEARCH 2
49
50 #define GPGKEYS_PREFIX "gpgkeys_"
51
52 struct keyrec
53 {
54   KEYDB_SEARCH_DESC desc;
55   u32 createtime,expiretime;
56   int size,flags;
57   byte type;
58   IOBUF uidbuf;
59   unsigned int lines;
60 };
61
62 /* Tell remote processes about these options */
63 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
64
65 static struct parse_options keyserver_opts[]=
66   {
67     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL},      
68     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL},
69     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL},
70     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL},
71     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL},
72     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL},
73     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL},
74     {NULL,0,NULL}
75   };
76
77 static int keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
78                           int count,struct keyserver_spec *keyserver);
79
80 int
81 parse_keyserver_options(char *options)
82 {
83   int ret=1;
84   char *tok;
85
86   while((tok=optsep(&options)))
87     {
88       if(tok[0]=='\0')
89         continue;
90
91       /* For backwards compatibility.  1.2.x used honor-http-proxy and
92          there are a good number of documents published that recommend
93          it. */
94       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
95         tok="http-proxy";
96       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
97         tok="no-http-proxy";
98
99       /* We accept quite a few possible options here - some options to
100          handle specially, the keyserver_options list, and import and
101          export options that pertain to keyserver operations.  Note
102          that you must use strncasecmp here as there might be an
103          =argument attached which will foil the use of strcasecmp. */
104
105 #ifdef EXEC_TEMPFILE_ONLY
106       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
107               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
108         log_info(_("WARNING: keyserver option `%s' is not used"
109                    " on this platform\n"),tok);
110 #else
111       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
112         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
113       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
114         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
115 #endif
116       else if(!parse_options(tok,&opt.keyserver_options.options,
117                              keyserver_opts,0)
118          && !parse_import_options(tok,
119                                   &opt.keyserver_options.import_options,0)
120          && !parse_export_options(tok,
121                                   &opt.keyserver_options.export_options,0))
122         {
123           /* All of the standard options have failed, so the option is
124              destined for a keyserver plugin. */
125           char *arg=argsplit(tok);
126
127           if(arg)
128             {
129               char *joined;
130
131               joined=m_alloc(strlen(tok)+1+strlen(arg)+1);
132               /* Make a canonical name=value form with no
133                  spaces */
134               strcpy(joined,tok);
135               strcat(joined,"=");
136               strcat(joined,arg);
137               add_to_strlist(&opt.keyserver_options.other,joined);
138               m_free(joined);
139             }
140           else
141             add_to_strlist(&opt.keyserver_options.other,tok);
142         }
143     }
144
145   return ret;
146 }
147
148 void
149 free_keyserver_spec(struct keyserver_spec *keyserver)
150 {
151   m_free(keyserver->uri);
152   m_free(keyserver->scheme);
153   m_free(keyserver->auth);
154   m_free(keyserver->host);
155   m_free(keyserver->port);
156   m_free(keyserver->path);
157   m_free(keyserver->opaque);
158   m_free(keyserver);
159 }
160
161 /* TODO: once we cut over to an all-curl world, we don't need this
162    parser any longer so it can be removed, or at least moved to
163    keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
164
165 struct keyserver_spec *
166 parse_keyserver_uri(const char *uri,int require_scheme,
167                     const char *configname,unsigned int configlineno)
168 {
169   int assume_hkp=0;
170   struct keyserver_spec *keyserver;
171   const char *idx;
172   int count;
173
174   assert(uri!=NULL);
175
176   keyserver=m_alloc_clear(sizeof(struct keyserver_spec));
177
178   keyserver->uri=m_strdup(uri);
179
180   /* Get the scheme */
181
182   for(idx=uri,count=0;*idx && *idx!=':';idx++)
183     {
184       count++;
185
186       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
187          there clearly isn't a scheme so get out early. */
188       if(*idx=='[')
189         {
190           /* Was the '[' the first thing in the string?  If not, we
191              have a mangled scheme with a [ in it so fail. */
192           if(count==1)
193             break;
194           else
195             goto fail;
196         }
197     }
198
199   if(count==0)
200     goto fail;
201
202   if(*idx=='\0' || *idx=='[')
203     {
204       if(require_scheme)
205         return NULL;
206
207       /* Assume HKP if there is no scheme */
208       assume_hkp=1;
209       keyserver->scheme=m_strdup("hkp");
210     }
211   else
212     {
213       int i;
214
215       keyserver->scheme=m_alloc(count+1);
216
217       /* Force to lowercase */
218       for(i=0;i<count;i++)
219         keyserver->scheme[i]=ascii_tolower(uri[i]);
220
221       keyserver->scheme[i]='\0';
222
223       /* Skip past the scheme and colon */
224       uri+=count+1;
225     }
226
227   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
228     {
229       deprecated_warning(configname,configlineno,"x-broken-hkp",
230                          "--keyserver-options ","broken-http-proxy");
231       m_free(keyserver->scheme);
232       keyserver->scheme=m_strdup("hkp");
233       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
234     }
235   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
236     {
237       /* Canonicalize this to "hkp" so it works with both the internal
238          and external keyserver interface. */
239       m_free(keyserver->scheme);
240       keyserver->scheme=m_strdup("hkp");
241     }
242
243   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
244     {
245       /* Two slashes means network path. */
246
247       /* Skip over the "//", if any */
248       if(!assume_hkp)
249         uri+=2;
250
251       /* Do we have userinfo auth data present? */
252       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
253         count++;
254
255       /* We found a @ before the slash, so that means everything
256          before the @ is auth data. */
257       if(*idx=='@')
258         {
259           if(count==0)
260             goto fail;
261
262           keyserver->auth=m_alloc(count+1);
263           strncpy(keyserver->auth,uri,count);
264           keyserver->auth[count]='\0';
265           uri+=count+1;
266         }
267
268       /* Is it an RFC-2732 ipv6 [literal address] ? */
269       if(*uri=='[')
270         {
271           for(idx=uri+1,count=1;*idx
272                 && ((isascii (*idx) && isxdigit(*idx))
273                     || *idx==':' || *idx=='.');idx++)
274             count++;
275
276           /* Is the ipv6 literal address terminated? */
277           if(*idx==']')
278             count++;
279           else
280             goto fail;
281         }
282       else
283         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
284           count++;
285
286       if(count==0)
287         goto fail;
288
289       keyserver->host=m_alloc(count+1);
290       strncpy(keyserver->host,uri,count);
291       keyserver->host[count]='\0';
292
293       /* Skip past the host */
294       uri+=count;
295
296       if(*uri==':')
297         {
298           /* It would seem to be reasonable to limit the range of the
299              ports to values between 1-65535, but RFC 1738 and 1808
300              imply there is no limit.  Of course, the real world has
301              limits. */
302
303           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
304             {
305               count++;
306
307               /* Ports are digits only */
308               if(!digitp(idx))
309                 goto fail;
310             }
311
312           keyserver->port=m_alloc(count+1);
313           strncpy(keyserver->port,uri+1,count);
314           keyserver->port[count]='\0';
315
316           /* Skip past the colon and port number */
317           uri+=1+count;
318         }
319
320       /* Everything else is the path */
321       if(*uri)
322         keyserver->path=m_strdup(uri);
323       else
324         keyserver->path=m_strdup("/");
325     }
326   else if(uri[0]!='/')
327     {
328       /* No slash means opaque.  Just record the opaque blob and get
329          out. */
330       keyserver->opaque=m_strdup(uri);
331     }
332   else
333     {
334       /* One slash means absolute path.  We don't need to support that
335          yet. */
336       goto fail;
337     }
338
339   return keyserver;
340
341  fail:
342   free_keyserver_spec(keyserver);
343
344   return NULL;
345 }
346
347 struct keyserver_spec *
348 parse_preferred_keyserver(PKT_signature *sig)
349 {
350   struct keyserver_spec *spec=NULL;
351   const byte *p;
352   size_t plen;
353
354   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
355   if(p && plen)
356     {
357       byte *dupe=m_alloc(plen+1);
358
359       memcpy(dupe,p,plen);
360       dupe[plen]='\0';
361       spec=parse_keyserver_uri(dupe,1,NULL,0);
362       m_free(dupe);
363     }
364
365   return spec;
366 }
367
368 static void
369 print_keyrec(int number,struct keyrec *keyrec)
370 {
371   int i;
372
373   iobuf_writebyte(keyrec->uidbuf,0);
374   iobuf_flush_temp(keyrec->uidbuf);
375   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
376
377   if(keyrec->size>0)
378     printf("%d bit ",keyrec->size);
379
380   if(keyrec->type)
381     {
382       const char *str=pubkey_algo_to_string(keyrec->type);
383
384       if(str)
385         printf("%s ",str);
386       else
387         printf("unknown ");
388     }
389
390   switch(keyrec->desc.mode)
391     {
392       /* If the keyserver helper gave us a short keyid, we have no
393          choice but to use it.  Do check --keyid-format to add a 0x if
394          needed. */
395     case KEYDB_SEARCH_MODE_SHORT_KID:
396       printf("key %s%08lX",
397              (opt.keyid_format==KF_0xSHORT
398               || opt.keyid_format==KF_0xLONG)?"0x":"",
399              (ulong)keyrec->desc.u.kid[1]);
400       break;
401
402       /* However, if it gave us a long keyid, we can honor
403          --keyid-format */
404     case KEYDB_SEARCH_MODE_LONG_KID:
405       printf("key %s",keystr(keyrec->desc.u.kid));
406       break;
407
408     case KEYDB_SEARCH_MODE_FPR16:
409       printf("key ");
410       for(i=0;i<16;i++)
411         printf("%02X",keyrec->desc.u.fpr[i]);
412       break;
413
414     case KEYDB_SEARCH_MODE_FPR20:
415       printf("key ");
416       for(i=0;i<20;i++)
417         printf("%02X",keyrec->desc.u.fpr[i]);
418       break;
419
420     default:
421       BUG();
422       break;
423     }
424
425   if(keyrec->createtime>0)
426     {
427       printf(", ");
428       printf(_("created: %s"),strtimestamp(keyrec->createtime));
429     }
430
431   if(keyrec->expiretime>0)
432     {
433       printf(", ");
434       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
435     }
436
437   if(keyrec->flags&1)
438     printf(" (%s)",_("revoked"));
439   if(keyrec->flags&2)
440     printf(" (%s)",_("disabled"));
441   if(keyrec->flags&4)
442     printf(" (%s)",_("expired"));
443
444   printf("\n");
445 }
446
447 /* Returns a keyrec (which must be freed) once a key is complete, and
448    NULL otherwise.  Call with a NULL keystring once key parsing is
449    complete to return any unfinished keys. */
450 static struct keyrec *
451 parse_keyrec(char *keystring)
452 {
453   static struct keyrec *work=NULL;
454   struct keyrec *ret=NULL;
455   char *record;
456   int i;
457
458   if(keystring==NULL)
459     {
460       if(work==NULL)
461         return NULL;
462       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
463         {
464           m_free(work);
465           return NULL;
466         }
467       else
468         {
469           ret=work;
470           work=NULL;
471           return ret;
472         }
473     }
474
475   if(work==NULL)
476     {
477       work=m_alloc_clear(sizeof(struct keyrec));
478       work->uidbuf=iobuf_temp();
479     }
480
481   /* Remove trailing whitespace */
482   for(i=strlen(keystring);i>0;i--)
483     if(ascii_isspace(keystring[i-1]))
484       keystring[i-1]='\0';
485     else
486       break;
487
488   if((record=strsep(&keystring,":"))==NULL)
489     return ret;
490
491   if(ascii_strcasecmp("pub",record)==0)
492     {
493       char *tok;
494
495       if(work->desc.mode)
496         {
497           ret=work;
498           work=m_alloc_clear(sizeof(struct keyrec));
499           work->uidbuf=iobuf_temp();
500         }
501
502       if((tok=strsep(&keystring,":"))==NULL)
503         return ret;
504
505       classify_user_id(tok,&work->desc);
506       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
507          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
508          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
509          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
510         {
511           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
512           return ret;
513         }
514
515       /* Note all items after this are optional.  This allows us to
516          have a pub line as simple as pub:keyid and nothing else. */
517
518       work->lines++;
519
520       if((tok=strsep(&keystring,":"))==NULL)
521         return ret;
522
523       work->type=atoi(tok);
524
525       if((tok=strsep(&keystring,":"))==NULL)
526         return ret;
527
528       work->size=atoi(tok);
529
530       if((tok=strsep(&keystring,":"))==NULL)
531         return ret;
532
533       if(atoi(tok)<=0)
534         work->createtime=0;
535       else
536         work->createtime=atoi(tok);
537
538       if((tok=strsep(&keystring,":"))==NULL)
539         return ret;
540
541       if(atoi(tok)<=0)
542         work->expiretime=0;
543       else
544         {
545           work->expiretime=atoi(tok);
546           /* Force the 'e' flag on if this key is expired. */
547           if(work->expiretime<=make_timestamp())
548             work->flags|=4;
549         }
550
551       if((tok=strsep(&keystring,":"))==NULL)
552         return ret;
553
554       while(*tok)
555         switch(*tok++)
556           {
557           case 'r':
558           case 'R':
559             work->flags|=1;
560             break;
561             
562           case 'd':
563           case 'D':
564             work->flags|=2;
565             break;
566
567           case 'e':
568           case 'E':
569             work->flags|=4;
570             break;
571           }
572     }
573   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
574     {
575       char *userid,*tok,*decoded;
576
577       if((tok=strsep(&keystring,":"))==NULL)
578         return ret;
579
580       if(strlen(tok)==0)
581         return ret;
582
583       userid=tok;
584
585       /* By definition, de-%-encoding is always smaller than the
586          original string so we can decode in place. */
587
588       i=0;
589
590       while(*tok)
591         if(tok[0]=='%' && tok[1] && tok[2])
592           {
593             if((userid[i]=hextobyte(&tok[1]))==-1)
594               userid[i]='?';
595
596             i++;
597             tok+=3;
598           }
599         else
600           userid[i++]=*tok++;
601
602       /* We don't care about the other info provided in the uid: line
603          since no keyserver supports marking userids with timestamps
604          or revoked/expired/disabled yet. */
605
606       /* No need to check for control characters, as utf8_to_native
607          does this for us. */
608
609       decoded=utf8_to_native(userid,i,0);
610       if(strlen(decoded)>opt.screen_columns-10)
611         decoded[opt.screen_columns-10]='\0';
612       iobuf_writestr(work->uidbuf,decoded);
613       m_free(decoded);
614       iobuf_writestr(work->uidbuf,"\n\t");
615       work->lines++;
616     }
617
618   /* Ignore any records other than "pri" and "uid" for easy future
619      growth. */
620
621   return ret;
622 }
623
624 /* TODO: do this as a list sent to keyserver_work rather than calling
625    it once for each key to get the correct counts after the import
626    (cosmetics, really) and to better take advantage of the keyservers
627    that can do multiple fetches in one go (LDAP). */
628 static int
629 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
630 {
631   char *answer;
632
633   if(count && opt.command_fd==-1)
634     {
635       static int from=1;
636       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
637       from=numdesc+1;
638     }
639
640   answer=cpr_get_no_help("keysearch.prompt",
641                          _("Enter number(s), N)ext, or Q)uit > "));
642   /* control-d */
643   if(answer[0]=='\x04')
644     {
645       printf("Q\n");
646       answer[0]='q';
647     }
648
649   if(answer[0]=='q' || answer[0]=='Q')
650     {
651       m_free(answer);
652       return 1;
653     }
654   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
655     {
656       char *split=answer,*num;
657
658       while((num=strsep(&split," ,"))!=NULL)
659         if(atoi(num)>=1 && atoi(num)<=numdesc)
660           keyserver_work(GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
661
662       m_free(answer);
663       return 1;
664     }
665
666   return 0;
667 }
668
669 /* Count and searchstr are just for cosmetics.  If the count is too
670    small, it will grow safely.  If negative it disables the "Key x-y
671    of z" messages.  searchstr should be UTF-8 (rather than native). */
672 static void
673 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
674 {
675   int i=0,validcount=0,started=0,header=0,count=1;
676   unsigned int maxlen,buflen,numlines=0;
677   KEYDB_SEARCH_DESC *desc;
678   byte *line=NULL;
679   char *localstr=NULL;
680
681   if(searchstr)
682     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
683
684   desc=m_alloc(count*sizeof(KEYDB_SEARCH_DESC));
685
686   for(;;)
687     {
688       struct keyrec *keyrec;
689       int rl;
690
691       maxlen=1024;
692       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
693
694       if(opt.with_colons)
695         {
696           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
697              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
698             {
699               header=1;
700               continue;
701             }
702           else if(ascii_strncasecmp("SEARCH ",line,7)==0
703                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
704             continue;
705
706           printf("%s",line);
707         }
708
709       /* Look for an info: line.  The only current info: values
710          defined are the version and key count. */
711       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
712         {
713           char *tok,*str=&line[5];
714
715           if((tok=strsep(&str,":"))!=NULL)
716             {
717               int version;
718
719               if(sscanf(tok,"%d",&version)!=1)
720                 version=1;
721
722               if(version!=1)
723                 {
724                   log_error(_("invalid keyserver protocol "
725                               "(us %d!=handler %d)\n"),1,version);
726                   break;
727                 }
728             }
729
730           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
731             {
732               if(count==0)
733                 goto notfound;
734               else if(count<0)
735                 count=10;
736               else
737                 validcount=1;
738
739               desc=m_realloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
740             }
741
742           started=1;
743           continue;
744         }
745
746       if(rl==0)
747         {
748           keyrec=parse_keyrec(NULL);
749
750           if(keyrec==NULL)
751             {
752               if(i==0)
753                 {
754                   count=0;
755                   break;
756                 }
757
758               if(i!=count)
759                 validcount=0;
760
761               for(;;)
762                 {
763                   if(show_prompt(desc,i,validcount?count:0,localstr))
764                     break;
765                   validcount=0;
766                 }
767
768               break;
769             }
770         }
771       else
772         keyrec=parse_keyrec(line);
773
774       if(i==count)
775         {
776           /* keyserver helper sent more keys than they claimed in the
777              info: line. */
778           count+=10;
779           desc=m_realloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
780           validcount=0;
781         }
782
783       if(keyrec)
784         {
785           desc[i]=keyrec->desc;
786
787           if(!opt.with_colons)
788             {
789               /* screen_lines - 1 for the prompt. */
790               if(numlines+keyrec->lines>opt.screen_lines-1)
791                 {
792                   if(show_prompt(desc,i,validcount?count:0,localstr))
793                     break;
794                   else
795                     numlines=0;
796                 }
797
798               print_keyrec(i+1,keyrec);
799             }
800
801           numlines+=keyrec->lines;
802           iobuf_close(keyrec->uidbuf);
803           m_free(keyrec);
804
805           started=1;
806           i++;
807         }
808     }
809
810  notfound:
811   /* Leave this commented out or now, and perhaps for a very long
812      time.  All HKPish servers return HTML error messages for
813      no-key-found. */
814   /* 
815      if(!started)
816      log_info(_("keyserver does not support searching\n"));
817      else
818   */
819   if(count==0)
820     {
821       if(localstr)
822         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
823       else
824         log_info(_("key not found on keyserver\n"));
825     }
826
827   m_free(localstr);
828   m_free(desc);
829   m_free(line);
830 }
831
832 static int
833 curl_can_handle(const char *scheme)
834 {
835 #if defined(HAVE_LIBCURL)
836
837   const char * const *proto;
838   curl_version_info_data *data=curl_version_info(CURLVERSION_NOW);
839
840   assert(data);
841
842   for(proto=data->protocols;*proto;proto++)
843     if(strcasecmp(*proto,scheme)==0)
844       return 1;
845
846 #elif defined(FAKE_CURL)
847
848   /* If we're faking curl, then we only support HTTP */
849   if(strcasecmp(scheme,"http")==0)
850     return 1;
851
852 #endif
853
854   return 0;
855 }
856
857 /* We sometimes want to use a different gpgkeys_xxx for a given
858    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
859    these here. */
860 static const char *
861 keyserver_typemap(const char *type)
862 {
863   if(strcmp(type,"ldaps")==0)
864     return "ldap";
865   else if(curl_can_handle(type))
866     return "curl";
867   else
868     return type;
869 }
870
871 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
872 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
873
874 static int 
875 keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
876                 int count,int *prog,struct keyserver_spec *keyserver)
877 {
878   int ret=0,i,gotversion=0,outofband=0;
879   STRLIST temp;
880   unsigned int maxlen,buflen;
881   char *command,*searchstr=NULL;
882   byte *line=NULL;
883   struct parse_options *kopts;
884   struct exec_info *spawn;
885   const char *scheme;
886   const char *libexecdir = get_libexecdir ();
887
888   assert(keyserver);
889
890 #ifdef EXEC_TEMPFILE_ONLY
891   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
892 #endif
893
894   /* Build the filename for the helper to execute */
895   scheme=keyserver_typemap(keyserver->scheme);
896
897 #ifdef DISABLE_KEYSERVER_PATH
898   /* Destroy any path we might have.  This is a little tricky,
899      portability-wise.  It's not correct to delete the PATH
900      environment variable, as that may fall back to a system built-in
901      PATH.  Similarly, it is not correct to set PATH to the null
902      string (PATH="") since this actually deletes the PATH environment
903      variable under MinGW.  The safest thing to do here is to force
904      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
905      Unix-like systems (since we're going to give a full path to
906      gpgkeys_foo), but on W32 it prevents loading any DLLs from
907      directories in %PATH%. */
908   set_exec_path(libexecdir);
909 #else
910   if(opt.exec_path_set)
911     {
912       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
913          undefined, then don't specify a full path to gpgkeys_foo, so
914          that the PATH can work. */
915       command=m_alloc(strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
916       command[0]='\0';
917     }
918   else
919 #endif
920     {
921       /* Specify a full path to gpgkeys_foo. */
922       command=m_alloc(strlen(libexecdir)+strlen(DIRSEP_S)+
923                       strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
924       strcpy(command,libexecdir);
925       strcat(command,DIRSEP_S);
926     }
927
928   strcat(command,GPGKEYS_PREFIX); 
929   strcat(command,scheme);
930
931   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
932     {
933       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
934         {
935           command=m_realloc(command,strlen(command)+
936                             strlen(KEYSERVER_ARGS_KEEP)+1);
937           strcat(command,KEYSERVER_ARGS_KEEP);
938         }
939       else
940         {
941           command=m_realloc(command,strlen(command)+
942                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
943           strcat(command,KEYSERVER_ARGS_NOKEEP);  
944         }
945
946       ret=exec_write(&spawn,NULL,command,NULL,0,0);
947     }
948   else
949     ret=exec_write(&spawn,command,NULL,NULL,0,0);
950
951   m_free(command);
952
953   if(ret)
954     return ret;
955
956   fprintf(spawn->tochild,
957           "# This is a GnuPG %s keyserver communications file\n",VERSION);
958   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
959   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
960   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
961
962   if(keyserver->opaque)
963     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
964   else
965     {
966       if(keyserver->auth)
967         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
968
969       if(keyserver->host)
970         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
971
972       if(keyserver->port)
973         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
974
975       if(keyserver->path)
976         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
977     }
978
979   /* Write options */
980
981   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
982     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
983       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
984
985   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
986     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
987
988   switch(action)
989     {
990     case GET:
991       {
992         fprintf(spawn->tochild,"COMMAND GET\n\n");
993
994         /* Which keys do we want? */
995
996         for(i=0;i<count;i++)
997           {
998             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
999               {
1000                 int f;
1001
1002                 fprintf(spawn->tochild,"0x");
1003
1004                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1005                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1006
1007                 fprintf(spawn->tochild,"\n");
1008               }
1009             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1010               {
1011                 int f;
1012
1013                 fprintf(spawn->tochild,"0x");
1014
1015                 for(f=0;f<16;f++)
1016                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1017
1018                 fprintf(spawn->tochild,"\n");
1019               }
1020             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1021               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1022                       (ulong)desc[i].u.kid[0],
1023                       (ulong)desc[i].u.kid[1]);
1024             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1025               fprintf(spawn->tochild,"0x%08lX\n",
1026                       (ulong)desc[i].u.kid[1]);
1027             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1028               continue;
1029             else
1030               BUG();
1031
1032             if(keyserver->host)
1033               log_info(_("requesting key %s from %s server %s\n"),
1034                        keystr_from_desc(&desc[i]),
1035                        keyserver->scheme,keyserver->host);
1036             else
1037               log_info(_("requesting key %s from %s\n"),
1038                        keystr_from_desc(&desc[i]),keyserver->uri);
1039           }
1040
1041         fprintf(spawn->tochild,"\n");
1042
1043         break;
1044       }
1045
1046     case SEND:
1047       {
1048         STRLIST key;
1049
1050         /* Note the extra \n here to send an empty keylist block */
1051         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1052
1053         for(key=list;key!=NULL;key=key->next)
1054           {
1055             armor_filter_context_t afx;
1056             IOBUF buffer=iobuf_temp();
1057             KBNODE block;
1058
1059             temp=NULL;
1060             add_to_strlist(&temp,key->d);
1061
1062             memset(&afx,0,sizeof(afx));
1063             afx.what=1;
1064             /* Tell the armor filter to use Unix-style \n line
1065                endings, since we're going to fprintf this to a file
1066                that (on Win32) is open in text mode.  The win32 stdio
1067                will transform the \n to \r\n and we'll end up with the
1068                proper line endings on win32.  This is a no-op on
1069                Unix. */
1070             afx.eol[0]='\n';
1071             iobuf_push_filter(buffer,armor_filter,&afx);
1072
1073             /* TODO: Remove Comment: lines from keys exported this
1074                way? */
1075
1076             if(export_pubkeys_stream(buffer,temp,&block,
1077                                      opt.keyserver_options.export_options)==-1)
1078               iobuf_close(buffer);
1079             else
1080               {
1081                 KBNODE node;
1082
1083                 iobuf_flush_temp(buffer);
1084
1085                 merge_keys_and_selfsig(block);
1086
1087                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1088                         (ulong)block->pkt->pkt.public_key->keyid[0],
1089                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1090
1091                 for(node=block;node;node=node->next)
1092                   {
1093                     switch(node->pkt->pkttype)
1094                       {
1095                       default:
1096                         continue;
1097
1098                       case PKT_PUBLIC_KEY:
1099                       case PKT_PUBLIC_SUBKEY:
1100                         {
1101                           PKT_public_key *pk=node->pkt->pkt.public_key;
1102
1103                           keyid_from_pk(pk,NULL);
1104
1105                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1106                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1107                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1108                                   pk->pubkey_algo,
1109                                   nbits_from_pk(pk),
1110                                   pk->timestamp,
1111                                   pk->expiredate);
1112
1113                           if(pk->is_revoked)
1114                             fprintf(spawn->tochild,"r");
1115                           if(pk->has_expired)
1116                             fprintf(spawn->tochild,"e");
1117
1118                           fprintf(spawn->tochild,"\n");
1119                         }
1120                         break;
1121
1122                       case PKT_USER_ID:
1123                         {
1124                           PKT_user_id *uid=node->pkt->pkt.user_id;
1125                           int r;
1126
1127                           if(uid->attrib_data)
1128                             continue;
1129
1130                           fprintf(spawn->tochild,"uid:");
1131
1132                           /* Quote ':', '%', and any 8-bit
1133                              characters */
1134                           for(r=0;r<uid->len;r++)
1135                             {
1136                               if(uid->name[r]==':' || uid->name[r]=='%'
1137                                  || uid->name[r]&0x80)
1138                                 fprintf(spawn->tochild,"%%%02X",
1139                                         (byte)uid->name[r]);
1140                               else
1141                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1142                             }
1143
1144                           fprintf(spawn->tochild,":%u:%u:",
1145                                   uid->created,uid->expiredate);
1146
1147                           if(uid->is_revoked)
1148                             fprintf(spawn->tochild,"r");
1149                           if(uid->is_expired)
1150                             fprintf(spawn->tochild,"e");
1151
1152                           fprintf(spawn->tochild,"\n");
1153                         }
1154                         break;
1155
1156                         /* This bit is really for the benefit of
1157                            people who store their keys in LDAP
1158                            servers.  It makes it easy to do queries
1159                            for things like "all keys signed by
1160                            Isabella". */
1161                       case PKT_SIGNATURE:
1162                         {
1163                           PKT_signature *sig=node->pkt->pkt.signature;
1164
1165                           if(!IS_UID_SIG(sig))
1166                             continue;
1167
1168                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1169                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1170                                   sig->sig_class,sig->timestamp,
1171                                   sig->expiredate);
1172                         }
1173                         break;
1174                       }
1175                   }
1176
1177                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1178                         (ulong)block->pkt->pkt.public_key->keyid[0],
1179                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1180
1181                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1182                 fwrite(iobuf_get_temp_buffer(buffer),
1183                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1184                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1185
1186                 iobuf_close(buffer);
1187
1188                 if(keyserver->host)
1189                   log_info(_("sending key %s to %s server %s\n"),
1190                            keystr(block->pkt->pkt.public_key->keyid),
1191                            keyserver->scheme,keyserver->host);
1192                 else
1193                   log_info(_("sending key %s to %s\n"),
1194                            keystr(block->pkt->pkt.public_key->keyid),
1195                            keyserver->uri);
1196
1197                 release_kbnode(block);
1198               }
1199
1200             free_strlist(temp);
1201           }
1202
1203         break;
1204       }
1205
1206     case SEARCH:
1207       {
1208         STRLIST key;
1209
1210         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1211
1212         /* Which keys do we want?  Remember that the gpgkeys_ program
1213            is going to lump these together into a search string. */
1214
1215         for(key=list;key!=NULL;key=key->next)
1216           {
1217             fprintf(spawn->tochild,"%s\n",key->d);
1218             if(key!=list)
1219               {
1220                 searchstr=m_realloc(searchstr,
1221                                     strlen(searchstr)+strlen(key->d)+2);
1222                 strcat(searchstr," ");
1223               }
1224             else
1225               {
1226                 searchstr=m_alloc(strlen(key->d)+1);
1227                 searchstr[0]='\0';
1228               }
1229
1230             strcat(searchstr,key->d);
1231           }
1232
1233         fprintf(spawn->tochild,"\n");
1234
1235         if(keyserver->host)
1236           log_info(_("searching for \"%s\" from %s server %s\n"),
1237                    searchstr,keyserver->scheme,keyserver->host);
1238         else
1239           log_info(_("searching for \"%s\" from %s\n"),
1240                    searchstr,keyserver->uri);
1241
1242         break;
1243       }
1244
1245     default:
1246       log_fatal(_("no keyserver action!\n"));
1247       break;
1248     }
1249
1250   /* Done sending, so start reading. */
1251   ret=exec_read(spawn);
1252   if(ret)
1253     goto fail;
1254
1255   /* Now handle the response */
1256
1257   for(;;)
1258     {
1259       int plen;
1260       char *ptr;
1261
1262       maxlen=1024;
1263       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1264         {
1265           ret=G10ERR_READ_FILE;
1266           goto fail; /* i.e. EOF */
1267         }
1268
1269       ptr=line;
1270
1271       /* remove trailing whitespace */
1272       plen=strlen(ptr);
1273       while(plen>0 && ascii_isspace(ptr[plen-1]))
1274         plen--;
1275       plen[ptr]='\0';
1276
1277       if(*ptr=='\0')
1278         break;
1279
1280       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1281         {
1282           gotversion=1;
1283
1284           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1285             {
1286               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1287                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1288               goto fail;
1289             }
1290         }
1291       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1292         {
1293           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1294             log_info(_("WARNING: keyserver handler from a different"
1295                        " version of GnuPG (%s)\n"),&ptr[8]);
1296         }
1297       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1298         outofband=1; /* Currently the only OPTION */
1299     }
1300
1301   if(!gotversion)
1302     {
1303       log_error(_("keyserver did not send VERSION\n"));
1304       goto fail;
1305     }
1306
1307   if(!outofband)
1308     switch(action)
1309       {
1310       case GET:
1311         {
1312           void *stats_handle;
1313
1314           stats_handle=import_new_stats_handle();
1315
1316           /* Slurp up all the key data.  In the future, it might be
1317              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1318              It's harmless to ignore them, but ignoring them does make
1319              gpg complain about "no valid OpenPGP data found".  One
1320              way to do this could be to continue parsing this
1321              line-by-line and make a temp iobuf for each key. */
1322
1323           import_keys_stream(spawn->fromchild,stats_handle,
1324                              opt.keyserver_options.import_options);
1325
1326           import_print_stats(stats_handle);
1327           import_release_stats_handle(stats_handle);
1328
1329           break;
1330         }
1331
1332         /* Nothing to do here */
1333       case SEND:
1334         break;
1335
1336       case SEARCH:
1337         keyserver_search_prompt(spawn->fromchild,searchstr);
1338         break;
1339
1340       default:
1341         log_fatal(_("no keyserver action!\n"));
1342         break;
1343       }
1344
1345  fail:
1346   xfree(line);
1347   xfree(searchstr);
1348
1349
1350   *prog=exec_finish(spawn);
1351
1352   return ret;
1353 }
1354
1355 static int 
1356 keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1357                int count,struct keyserver_spec *keyserver)
1358 {
1359   int rc=0,ret=0;
1360
1361   if(!keyserver)
1362     {
1363       log_error(_("no keyserver known (use option --keyserver)\n"));
1364       return G10ERR_BAD_URI;
1365     }
1366
1367 #ifdef DISABLE_KEYSERVER_HELPERS
1368
1369   log_error(_("external keyserver calls are not supported in this build\n"));
1370   return G10ERR_KEYSERVER;
1371
1372 #else
1373   /* Spawn a handler */
1374
1375   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1376   if(ret)
1377     {
1378       switch(ret)
1379         {
1380         case KEYSERVER_SCHEME_NOT_FOUND:
1381           log_error(_("no handler for keyserver scheme `%s'\n"),
1382                     keyserver->scheme);
1383           break;
1384
1385         case KEYSERVER_NOT_SUPPORTED:
1386           log_error(_("action `%s' not supported with keyserver "
1387                       "scheme `%s'\n"),
1388                     action==GET?"get":action==SEND?"send":
1389                     action==SEARCH?"search":"unknown",
1390                     keyserver->scheme);
1391           break;
1392
1393         case KEYSERVER_VERSION_ERROR:
1394           log_error(_(GPGKEYS_PREFIX "%s does not support"
1395                       " handler version %d\n"),
1396                     keyserver_typemap(keyserver->scheme),
1397                     KEYSERVER_PROTO_VERSION);
1398           break;
1399
1400         case KEYSERVER_TIMEOUT:
1401           log_error(_("keyserver timed out\n"));
1402           break;
1403
1404         case KEYSERVER_INTERNAL_ERROR:
1405         default:
1406           log_error(_("keyserver internal error\n"));
1407           break;
1408         }
1409
1410       return G10ERR_KEYSERVER;
1411     }
1412
1413   if(rc)
1414     {
1415       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1416
1417       return rc;
1418     }
1419
1420   return 0;
1421 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1422 }
1423
1424 int 
1425 keyserver_export(STRLIST users)
1426 {
1427   STRLIST sl=NULL;
1428   KEYDB_SEARCH_DESC desc;
1429   int rc=0;
1430
1431   /* Weed out descriptors that we don't support sending */
1432   for(;users;users=users->next)
1433     {
1434       classify_user_id (users->d, &desc);
1435       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1436          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1437          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1438          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1439         {
1440           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1441           continue;
1442         }
1443       else
1444         append_to_strlist(&sl,users->d);
1445     }
1446
1447   if(sl)
1448     {
1449       rc=keyserver_work(SEND,sl,NULL,0,opt.keyserver);
1450       free_strlist(sl);
1451     }
1452
1453   return rc;
1454 }
1455
1456 int 
1457 keyserver_import(STRLIST users)
1458 {
1459   KEYDB_SEARCH_DESC *desc;
1460   int num=100,count=0;
1461   int rc=0;
1462
1463   /* Build a list of key ids */
1464   desc=m_alloc(sizeof(KEYDB_SEARCH_DESC)*num);
1465
1466   for(;users;users=users->next)
1467     {
1468       classify_user_id (users->d, &desc[count]);
1469       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1470          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1471          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1472          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1473         {
1474           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1475           continue;
1476         }
1477
1478       count++;
1479       if(count==num)
1480         {
1481           num+=100;
1482           desc=m_realloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1483         }
1484     }
1485
1486   if(count>0)
1487     rc=keyserver_work(GET,NULL,desc,count,opt.keyserver);
1488
1489   m_free(desc);
1490
1491   return rc;
1492 }
1493
1494 int
1495 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1496                         struct keyserver_spec *keyserver)
1497 {
1498   KEYDB_SEARCH_DESC desc;
1499
1500   memset(&desc,0,sizeof(desc));
1501
1502   if(fprint_len==16)
1503     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1504   else if(fprint_len==20)
1505     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1506   else
1507     return -1;
1508
1509   memcpy(desc.u.fpr,fprint,fprint_len);
1510
1511   return keyserver_work(GET,NULL,&desc,1,keyserver);
1512 }
1513
1514 int 
1515 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1516 {
1517   KEYDB_SEARCH_DESC desc;
1518
1519   memset(&desc,0,sizeof(desc));
1520
1521   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1522   desc.u.kid[0]=keyid[0];
1523   desc.u.kid[1]=keyid[1];
1524
1525   return keyserver_work(GET,NULL,&desc,1,keyserver);
1526 }
1527
1528 /* code mostly stolen from do_export_stream */
1529 static int 
1530 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1531 {
1532   int rc=0,ndesc,num=100;
1533   KBNODE keyblock=NULL,node;
1534   KEYDB_HANDLE kdbhd;
1535   KEYDB_SEARCH_DESC *desc;
1536   STRLIST sl;
1537
1538   *count=0;
1539
1540   *klist=m_alloc(sizeof(KEYDB_SEARCH_DESC)*num);
1541
1542   kdbhd=keydb_new(0);
1543
1544   if(!users)
1545     {
1546       ndesc = 1;
1547       desc = m_alloc_clear ( ndesc * sizeof *desc);
1548       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1549     }
1550   else
1551     {
1552       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1553         ;
1554       desc = m_alloc ( ndesc * sizeof *desc);
1555         
1556       for (ndesc=0, sl=users; sl; sl = sl->next)
1557         {
1558           if(classify_user_id (sl->d, desc+ndesc))
1559             ndesc++;
1560           else
1561             log_error (_("key \"%s\" not found: %s\n"),
1562                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1563         }
1564     }
1565
1566   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1567     {
1568       if (!users) 
1569         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1570
1571       /* read the keyblock */
1572       rc = keydb_get_keyblock (kdbhd, &keyblock );
1573       if( rc )
1574         {
1575           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1576           goto leave;
1577         }
1578
1579       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1580         {
1581           /* This is to work around a bug in some keyservers (pksd and
1582              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1583              The answer is to refresh both the correct v4 keyid
1584              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1585              This only happens for key refresh using the HKP scheme
1586              and if the refresh-add-fake-v3-keyids keyserver option is
1587              set. */
1588           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1589              node->pkt->pkt.public_key->version>=4)
1590             {
1591               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1592               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1593                             (*klist)[*count].u.kid);
1594               (*count)++;
1595
1596               if(*count==num)
1597                 {
1598                   num+=100;
1599                   *klist=m_realloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1600                 }
1601             }
1602
1603           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1604              This is because it's easy to calculate any sort of keyid
1605              from a v4 fingerprint, but not a v3 fingerprint. */
1606
1607           if(node->pkt->pkt.public_key->version<4)
1608             {
1609               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1610               keyid_from_pk(node->pkt->pkt.public_key,
1611                             (*klist)[*count].u.kid);
1612             }
1613           else
1614             {
1615               size_t dummy;
1616
1617               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1618               fingerprint_from_pk(node->pkt->pkt.public_key,
1619                                   (*klist)[*count].u.fpr,&dummy);
1620             }
1621
1622           /* This is a little hackish, using the skipfncvalue as a
1623              void* pointer to the keyserver spec, but we don't need
1624              the skipfnc here, and it saves having an additional field
1625              for this (which would be wasted space most of the
1626              time). */
1627
1628           (*klist)[*count].skipfncvalue=NULL;
1629
1630           /* Are we honoring preferred keyservers? */
1631           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1632             {
1633               PKT_user_id *uid=NULL;
1634               PKT_signature *sig=NULL;
1635
1636               merge_keys_and_selfsig(keyblock);
1637
1638               for(node=node->next;node;node=node->next)
1639                 {
1640                   if(node->pkt->pkttype==PKT_USER_ID
1641                      && node->pkt->pkt.user_id->is_primary)
1642                     uid=node->pkt->pkt.user_id;
1643                   else if(node->pkt->pkttype==PKT_SIGNATURE
1644                           && node->pkt->pkt.signature->
1645                           flags.chosen_selfsig && uid)
1646                     {
1647                       sig=node->pkt->pkt.signature;
1648                       break;
1649                     }
1650                 }
1651
1652               /* Try and parse the keyserver URL.  If it doesn't work,
1653                  then we end up writing NULL which indicates we are
1654                  the same as any other key. */
1655               if(uid && sig)
1656                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1657             }
1658
1659           (*count)++;
1660
1661           if(*count==num)
1662             {
1663               num+=100;
1664               *klist=m_realloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1665             }
1666         }
1667     }
1668
1669   if(rc==-1)
1670     rc=0;
1671   
1672  leave:
1673   if(rc)
1674     m_free(*klist);
1675   m_free(desc);
1676   keydb_release(kdbhd);
1677   release_kbnode(keyblock);
1678
1679   return rc;
1680 }
1681
1682 /* Note this is different than the original HKP refresh.  It allows
1683    usernames to refresh only part of the keyring. */
1684
1685 int 
1686 keyserver_refresh(STRLIST users)
1687 {
1688   int rc,count,numdesc,fakev3=0;
1689   KEYDB_SEARCH_DESC *desc;
1690   unsigned int options=opt.keyserver_options.import_options;
1691
1692   /* We switch merge-only on during a refresh, as 'refresh' should
1693      never import new keys, even if their keyids match. */
1694   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1695
1696   /* Similarly, we switch on fast-import, since refresh may make
1697      multiple import sets (due to preferred keyserver URLs).  We don't
1698      want each set to rebuild the trustdb.  Instead we do it once at
1699      the end here. */
1700   opt.keyserver_options.import_options|=IMPORT_FAST;
1701
1702   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1703      scheme, then enable fake v3 keyid generation. */
1704   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1705      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1706          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1707     fakev3=1;
1708
1709   rc=keyidlist(users,&desc,&numdesc,fakev3);
1710   if(rc)
1711     return rc;
1712
1713   count=numdesc;
1714   if(count>0)
1715     {
1716       int i;
1717
1718       /* Try to handle preferred keyserver keys first */
1719       for(i=0;i<count;i++)
1720         {
1721           if(desc[i].skipfncvalue)
1722             {
1723               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1724
1725               /* We use the keyserver structure we parsed out before.
1726                  Note that a preferred keyserver without a scheme://
1727                  will be interpreted as hkp:// */
1728
1729               rc=keyserver_work(GET,NULL,&desc[i],1,keyserver);
1730               if(rc)
1731                 log_info(_("WARNING: unable to refresh key %s"
1732                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1733                          keyserver->uri,g10_errstr(rc));
1734               else
1735                 {
1736                   /* We got it, so mark it as NONE so we don't try and
1737                      get it again from the regular keyserver. */
1738
1739                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1740                   count--;
1741                 }
1742
1743               free_keyserver_spec(keyserver);
1744             }
1745         }
1746     }
1747
1748   if(count>0)
1749     {
1750       if(opt.keyserver)
1751         {
1752           if(count==1)
1753             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1754           else
1755             log_info(_("refreshing %d keys from %s\n"),
1756                      count,opt.keyserver->uri);
1757         }
1758
1759       rc=keyserver_work(GET,NULL,desc,numdesc,opt.keyserver);
1760     }
1761
1762   m_free(desc);
1763
1764   opt.keyserver_options.import_options=options;
1765
1766   /* If the original options didn't have fast import, and the trustdb
1767      is dirty, rebuild. */
1768   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1769     trustdb_check_or_update();
1770
1771   return rc;
1772 }
1773
1774 int
1775 keyserver_search(STRLIST tokens)
1776 {
1777   if(tokens)
1778     return keyserver_work(SEARCH,tokens,NULL,0,opt.keyserver);
1779   else
1780     return 0;
1781 }