* keyserver.c (keyserver_spawn): Free some memory.
[gnupg.git] / g10 / keyserver.c
1 /* keyserver.c - generic keyserver code
2  * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
3  *
4  * This file is part of GnuPG.
5  *
6  * GnuPG is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * GnuPG is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19  */
20
21 #include <config.h>
22 #include <ctype.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <assert.h>
27 #include "filter.h"
28 #include "keydb.h"
29 #include "status.h"
30 #include "exec.h"
31 #include "main.h"
32 #include "i18n.h"
33 #include "iobuf.h"
34 #include "memory.h"
35 #include "ttyio.h"
36 #include "options.h"
37 #include "packet.h"
38 #include "trustdb.h"
39 #include "keyserver-internal.h"
40 #include "util.h"
41
42 #define GET    0
43 #define SEND   1
44 #define SEARCH 2
45
46 #define GPGKEYS_PREFIX "gpgkeys_"
47
48 struct keyrec
49 {
50   KEYDB_SEARCH_DESC desc;
51   u32 createtime,expiretime;
52   int size,flags;
53   byte type;
54   IOBUF uidbuf;
55   unsigned int lines;
56 };
57
58 /* Tell remote processes about these options */
59 #define REMOTE_TELL (KEYSERVER_INCLUDE_REVOKED|KEYSERVER_INCLUDE_SUBKEYS|KEYSERVER_TRY_DNS_SRV)
60
61 static struct parse_options keyserver_opts[]=
62   {
63     {"include-revoked",KEYSERVER_INCLUDE_REVOKED,NULL},      
64     {"include-subkeys",KEYSERVER_INCLUDE_SUBKEYS,NULL},
65     {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL},
66     {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL},
67     {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL},
68     {"try-dns-srv",KEYSERVER_TRY_DNS_SRV,NULL},
69     {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL},
70     {NULL,0,NULL}
71   };
72
73 static int keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
74                           int count,struct keyserver_spec *keyserver);
75
76 int
77 parse_keyserver_options(char *options)
78 {
79   int ret=1;
80   char *tok;
81
82   while((tok=optsep(&options)))
83     {
84       if(tok[0]=='\0')
85         continue;
86
87       /* For backwards compatibility.  1.2.x used honor-http-proxy and
88          there are a good number of documents published that recommend
89          it. */
90       if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
91         tok="http-proxy";
92       else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
93         tok="no-http-proxy";
94
95       /* We accept quite a few possible options here - some options to
96          handle specially, the keyserver_options list, and import and
97          export options that pertain to keyserver operations.  Note
98          that you must use strncasecmp here as there might be an
99          =argument attached which will foil the use of strcasecmp. */
100
101 #ifdef EXEC_TEMPFILE_ONLY
102       if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
103               ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
104         log_info(_("WARNING: keyserver option `%s' is not used"
105                    " on this platform\n"),tok);
106 #else
107       if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
108         opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
109       else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
110         opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
111 #endif
112       else if(!parse_options(tok,&opt.keyserver_options.options,
113                              keyserver_opts,0)
114          && !parse_import_options(tok,
115                                   &opt.keyserver_options.import_options,0)
116          && !parse_export_options(tok,
117                                   &opt.keyserver_options.export_options,0))
118         {
119           /* All of the standard options have failed, so the option is
120              destined for a keyserver plugin. */
121           char *arg=argsplit(tok);
122
123           if(arg)
124             {
125               char *joined;
126
127               joined=m_alloc(strlen(tok)+1+strlen(arg)+1);
128               /* Make a canonical name=value form with no
129                  spaces */
130               strcpy(joined,tok);
131               strcat(joined,"=");
132               strcat(joined,arg);
133               add_to_strlist(&opt.keyserver_options.other,joined);
134               m_free(joined);
135             }
136           else
137             add_to_strlist(&opt.keyserver_options.other,tok);
138         }
139     }
140
141   return ret;
142 }
143
144 void
145 free_keyserver_spec(struct keyserver_spec *keyserver)
146 {
147   m_free(keyserver->uri);
148   m_free(keyserver->scheme);
149   m_free(keyserver->auth);
150   m_free(keyserver->host);
151   m_free(keyserver->port);
152   m_free(keyserver->path);
153   m_free(keyserver->opaque);
154   m_free(keyserver);
155 }
156
157 struct keyserver_spec *
158 parse_keyserver_uri(const char *uri,int require_scheme,
159                     const char *configname,unsigned int configlineno)
160 {
161   int assume_hkp=0;
162   struct keyserver_spec *keyserver;
163   const char *idx;
164   int count;
165
166   assert(uri!=NULL);
167
168   keyserver=m_alloc_clear(sizeof(struct keyserver_spec));
169
170   keyserver->uri=m_strdup(uri);
171
172   /* Get the scheme */
173
174   for(idx=uri,count=0;*idx && *idx!=':';idx++)
175     {
176       count++;
177
178       /* Do we see the start of an RFC-2732 ipv6 address here?  If so,
179          there clearly isn't a scheme so get out early. */
180       if(*idx=='[')
181         {
182           /* Was the '[' the first thing in the string?  If not, we
183              have a mangled scheme with a [ in it so fail. */
184           if(count==1)
185             break;
186           else
187             goto fail;
188         }
189     }
190
191   if(count==0)
192     goto fail;
193
194   if(*idx=='\0' || *idx=='[')
195     {
196       if(require_scheme)
197         return NULL;
198
199       /* Assume HKP if there is no scheme */
200       assume_hkp=1;
201       keyserver->scheme=m_strdup("hkp");
202     }
203   else
204     {
205       int i;
206
207       keyserver->scheme=m_alloc(count+1);
208
209       /* Force to lowercase */
210       for(i=0;i<count;i++)
211         keyserver->scheme[i]=ascii_tolower(uri[i]);
212
213       keyserver->scheme[i]='\0';
214
215       /* Skip past the scheme and colon */
216       uri+=count+1;
217     }
218
219   if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
220     {
221       deprecated_warning(configname,configlineno,"x-broken-hkp",
222                          "--keyserver-options ","broken-http-proxy");
223       m_free(keyserver->scheme);
224       keyserver->scheme=m_strdup("hkp");
225       add_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
226     }
227   else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
228     {
229       /* Canonicalize this to "hkp" so it works with both the internal
230          and external keyserver interface. */
231       m_free(keyserver->scheme);
232       keyserver->scheme=m_strdup("hkp");
233     }
234
235   if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
236     {
237       /* Two slashes means network path. */
238
239       /* Skip over the "//", if any */
240       if(!assume_hkp)
241         uri+=2;
242
243       /* Do we have userinfo auth data present? */
244       for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
245         count++;
246
247       /* We found a @ before the slash, so that means everything
248          before the @ is auth data. */
249       if(*idx=='@')
250         {
251           if(count==0)
252             goto fail;
253
254           keyserver->auth=m_alloc(count+1);
255           strncpy(keyserver->auth,uri,count);
256           keyserver->auth[count]='\0';
257           uri+=count+1;
258         }
259
260       /* Is it an RFC-2732 ipv6 [literal address] ? */
261       if(*uri=='[')
262         {
263           for(idx=uri+1,count=1;*idx
264                 && ((isascii (*idx) && isxdigit(*idx))
265                     || *idx==':' || *idx=='.');idx++)
266             count++;
267
268           /* Is the ipv6 literal address terminated? */
269           if(*idx==']')
270             count++;
271           else
272             goto fail;
273         }
274       else
275         for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
276           count++;
277
278       if(count==0)
279         goto fail;
280
281       keyserver->host=m_alloc(count+1);
282       strncpy(keyserver->host,uri,count);
283       keyserver->host[count]='\0';
284
285       /* Skip past the host */
286       uri+=count;
287
288       if(*uri==':')
289         {
290           /* It would seem to be reasonable to limit the range of the
291              ports to values between 1-65535, but RFC 1738 and 1808
292              imply there is no limit.  Of course, the real world has
293              limits. */
294
295           for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
296             {
297               count++;
298
299               /* Ports are digits only */
300               if(!digitp(idx))
301                 goto fail;
302             }
303
304           keyserver->port=m_alloc(count+1);
305           strncpy(keyserver->port,uri+1,count);
306           keyserver->port[count]='\0';
307
308           /* Skip past the colon and port number */
309           uri+=1+count;
310         }
311
312       /* Everything else is the path */
313       if(*uri)
314         keyserver->path=m_strdup(uri);
315       else
316         keyserver->path=m_strdup("/");
317     }
318   else if(uri[0]!='/')
319     {
320       /* No slash means opaque.  Just record the opaque blob and get
321          out. */
322       keyserver->opaque=m_strdup(uri);
323     }
324   else
325     {
326       /* One slash means absolute path.  We don't need to support that
327          yet. */
328       goto fail;
329     }
330
331   return keyserver;
332
333  fail:
334   free_keyserver_spec(keyserver);
335
336   return NULL;
337 }
338
339 struct keyserver_spec *
340 parse_preferred_keyserver(PKT_signature *sig)
341 {
342   struct keyserver_spec *spec=NULL;
343   const byte *p;
344   size_t plen;
345
346   p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
347   if(p && plen)
348     {
349       byte *dupe=m_alloc(plen+1);
350
351       memcpy(dupe,p,plen);
352       dupe[plen]='\0';
353       spec=parse_keyserver_uri(dupe,1,NULL,0);
354       m_free(dupe);
355     }
356
357   return spec;
358 }
359
360 static void
361 print_keyrec(int number,struct keyrec *keyrec)
362 {
363   int i;
364
365   iobuf_writebyte(keyrec->uidbuf,0);
366   iobuf_flush_temp(keyrec->uidbuf);
367   printf("(%d)\t%s  ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
368
369   if(keyrec->size>0)
370     printf("%d bit ",keyrec->size);
371
372   if(keyrec->type)
373     {
374       const char *str=pubkey_algo_to_string(keyrec->type);
375
376       if(str)
377         printf("%s ",str);
378       else
379         printf("unknown ");
380     }
381
382   switch(keyrec->desc.mode)
383     {
384       /* If the keyserver helper gave us a short keyid, we have no
385          choice but to use it.  Do check --keyid-format to add a 0x if
386          needed. */
387     case KEYDB_SEARCH_MODE_SHORT_KID:
388       printf("key %s%08lX",
389              (opt.keyid_format==KF_0xSHORT
390               || opt.keyid_format==KF_0xLONG)?"0x":"",
391              (ulong)keyrec->desc.u.kid[1]);
392       break;
393
394       /* However, if it gave us a long keyid, we can honor
395          --keyid-format */
396     case KEYDB_SEARCH_MODE_LONG_KID:
397       printf("key %s",keystr(keyrec->desc.u.kid));
398       break;
399
400     case KEYDB_SEARCH_MODE_FPR16:
401       printf("key ");
402       for(i=0;i<16;i++)
403         printf("%02X",keyrec->desc.u.fpr[i]);
404       break;
405
406     case KEYDB_SEARCH_MODE_FPR20:
407       printf("key ");
408       for(i=0;i<20;i++)
409         printf("%02X",keyrec->desc.u.fpr[i]);
410       break;
411
412     default:
413       BUG();
414       break;
415     }
416
417   if(keyrec->createtime>0)
418     {
419       printf(", ");
420       printf(_("created: %s"),strtimestamp(keyrec->createtime));
421     }
422
423   if(keyrec->expiretime>0)
424     {
425       printf(", ");
426       printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
427     }
428
429   if(keyrec->flags&1)
430     printf(" (%s)",_("revoked"));
431   if(keyrec->flags&2)
432     printf(" (%s)",_("disabled"));
433   if(keyrec->flags&4)
434     printf(" (%s)",_("expired"));
435
436   printf("\n");
437 }
438
439 /* Returns a keyrec (which must be freed) once a key is complete, and
440    NULL otherwise.  Call with a NULL keystring once key parsing is
441    complete to return any unfinished keys. */
442 static struct keyrec *
443 parse_keyrec(char *keystring)
444 {
445   static struct keyrec *work=NULL;
446   struct keyrec *ret=NULL;
447   char *record;
448   int i;
449
450   if(keystring==NULL)
451     {
452       if(work==NULL)
453         return NULL;
454       else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
455         {
456           m_free(work);
457           return NULL;
458         }
459       else
460         {
461           ret=work;
462           work=NULL;
463           return ret;
464         }
465     }
466
467   if(work==NULL)
468     {
469       work=m_alloc_clear(sizeof(struct keyrec));
470       work->uidbuf=iobuf_temp();
471     }
472
473   /* Remove trailing whitespace */
474   for(i=strlen(keystring);i>0;i--)
475     if(ascii_isspace(keystring[i-1]))
476       keystring[i-1]='\0';
477     else
478       break;
479
480   if((record=strsep(&keystring,":"))==NULL)
481     return ret;
482
483   if(ascii_strcasecmp("pub",record)==0)
484     {
485       char *tok;
486
487       if(work->desc.mode)
488         {
489           ret=work;
490           work=m_alloc_clear(sizeof(struct keyrec));
491           work->uidbuf=iobuf_temp();
492         }
493
494       if((tok=strsep(&keystring,":"))==NULL)
495         return ret;
496
497       classify_user_id(tok,&work->desc);
498       if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
499          && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
500          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
501          && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
502         {
503           work->desc.mode=KEYDB_SEARCH_MODE_NONE;
504           return ret;
505         }
506
507       /* Note all items after this are optional.  This allows us to
508          have a pub line as simple as pub:keyid and nothing else. */
509
510       work->lines++;
511
512       if((tok=strsep(&keystring,":"))==NULL)
513         return ret;
514
515       work->type=atoi(tok);
516
517       if((tok=strsep(&keystring,":"))==NULL)
518         return ret;
519
520       work->size=atoi(tok);
521
522       if((tok=strsep(&keystring,":"))==NULL)
523         return ret;
524
525       if(atoi(tok)<=0)
526         work->createtime=0;
527       else
528         work->createtime=atoi(tok);
529
530       if((tok=strsep(&keystring,":"))==NULL)
531         return ret;
532
533       if(atoi(tok)<=0)
534         work->expiretime=0;
535       else
536         {
537           work->expiretime=atoi(tok);
538           /* Force the 'e' flag on if this key is expired. */
539           if(work->expiretime<=make_timestamp())
540             work->flags|=4;
541         }
542
543       if((tok=strsep(&keystring,":"))==NULL)
544         return ret;
545
546       while(*tok)
547         switch(*tok++)
548           {
549           case 'r':
550           case 'R':
551             work->flags|=1;
552             break;
553             
554           case 'd':
555           case 'D':
556             work->flags|=2;
557             break;
558
559           case 'e':
560           case 'E':
561             work->flags|=4;
562             break;
563           }
564     }
565   else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
566     {
567       char *userid,*tok,*decoded;
568
569       if((tok=strsep(&keystring,":"))==NULL)
570         return ret;
571
572       if(strlen(tok)==0)
573         return ret;
574
575       userid=tok;
576
577       /* By definition, de-%-encoding is always smaller than the
578          original string so we can decode in place. */
579
580       i=0;
581
582       while(*tok)
583         if(tok[0]=='%' && tok[1] && tok[2])
584           {
585             if((userid[i]=hextobyte(&tok[1]))==-1)
586               userid[i]='?';
587
588             i++;
589             tok+=3;
590           }
591         else
592           userid[i++]=*tok++;
593
594       /* We don't care about the other info provided in the uid: line
595          since no keyserver supports marking userids with timestamps
596          or revoked/expired/disabled yet. */
597
598       /* No need to check for control characters, as utf8_to_native
599          does this for us. */
600
601       decoded=utf8_to_native(userid,i,0);
602       if(strlen(decoded)>opt.screen_columns-10)
603         decoded[opt.screen_columns-10]='\0';
604       iobuf_writestr(work->uidbuf,decoded);
605       m_free(decoded);
606       iobuf_writestr(work->uidbuf,"\n\t");
607       work->lines++;
608     }
609
610   /* Ignore any records other than "pri" and "uid" for easy future
611      growth. */
612
613   return ret;
614 }
615
616 /* TODO: do this as a list sent to keyserver_work rather than calling
617    it once for each key to get the correct counts after the import
618    (cosmetics, really) and to better take advantage of the keyservers
619    that can do multiple fetches in one go (LDAP). */
620 static int
621 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
622 {
623   char *answer;
624
625   if(count && opt.command_fd==-1)
626     {
627       static int from=1;
628       tty_printf("Keys %d-%d of %d for \"%s\".  ",from,numdesc,count,search);
629       from=numdesc+1;
630     }
631
632   answer=cpr_get_no_help("keysearch.prompt",
633                          _("Enter number(s), N)ext, or Q)uit > "));
634   /* control-d */
635   if(answer[0]=='\x04')
636     {
637       printf("Q\n");
638       answer[0]='q';
639     }
640
641   if(answer[0]=='q' || answer[0]=='Q')
642     {
643       m_free(answer);
644       return 1;
645     }
646   else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
647     {
648       char *split=answer,*num;
649
650       while((num=strsep(&split," ,"))!=NULL)
651         if(atoi(num)>=1 && atoi(num)<=numdesc)
652           keyserver_work(GET,NULL,&desc[atoi(num)-1],1,opt.keyserver);
653
654       m_free(answer);
655       return 1;
656     }
657
658   return 0;
659 }
660
661 /* Count and searchstr are just for cosmetics.  If the count is too
662    small, it will grow safely.  If negative it disables the "Key x-y
663    of z" messages.  searchstr should be UTF-8 (rather than native). */
664 static void
665 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
666 {
667   int i=0,validcount=0,started=0,header=0,count=1;
668   unsigned int maxlen,buflen,numlines=0;
669   KEYDB_SEARCH_DESC *desc;
670   byte *line=NULL;
671   char *localstr=NULL;
672
673   if(searchstr)
674     localstr=utf8_to_native(searchstr,strlen(searchstr),0);
675
676   desc=m_alloc(count*sizeof(KEYDB_SEARCH_DESC));
677
678   for(;;)
679     {
680       struct keyrec *keyrec;
681       int rl;
682
683       maxlen=1024;
684       rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
685
686       if(opt.with_colons)
687         {
688           if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
689              && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
690             {
691               header=1;
692               continue;
693             }
694           else if(ascii_strncasecmp("SEARCH ",line,7)==0
695                   && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
696             continue;
697
698           printf("%s",line);
699         }
700
701       /* Look for an info: line.  The only current info: values
702          defined are the version and key count. */
703       if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
704         {
705           char *tok,*str=&line[5];
706
707           if((tok=strsep(&str,":"))!=NULL)
708             {
709               int version;
710
711               if(sscanf(tok,"%d",&version)!=1)
712                 version=1;
713
714               if(version!=1)
715                 {
716                   log_error(_("invalid keyserver protocol "
717                               "(us %d!=handler %d)\n"),1,version);
718                   break;
719                 }
720             }
721
722           if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
723             {
724               if(count==0)
725                 goto notfound;
726               else if(count<0)
727                 count=10;
728               else
729                 validcount=1;
730
731               desc=m_realloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
732             }
733
734           started=1;
735           continue;
736         }
737
738       if(rl==0)
739         {
740           keyrec=parse_keyrec(NULL);
741
742           if(keyrec==NULL)
743             {
744               if(i==0)
745                 {
746                   count=0;
747                   break;
748                 }
749
750               if(i!=count)
751                 validcount=0;
752
753               for(;;)
754                 {
755                   if(show_prompt(desc,i,validcount?count:0,localstr))
756                     break;
757                   validcount=0;
758                 }
759
760               break;
761             }
762         }
763       else
764         keyrec=parse_keyrec(line);
765
766       if(i==count)
767         {
768           /* keyserver helper sent more keys than they claimed in the
769              info: line. */
770           count+=10;
771           desc=m_realloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
772           validcount=0;
773         }
774
775       if(keyrec)
776         {
777           desc[i]=keyrec->desc;
778
779           if(!opt.with_colons)
780             {
781               /* screen_lines - 1 for the prompt. */
782               if(numlines+keyrec->lines>opt.screen_lines-1)
783                 {
784                   if(show_prompt(desc,i,validcount?count:0,localstr))
785                     break;
786                   else
787                     numlines=0;
788                 }
789
790               print_keyrec(i+1,keyrec);
791             }
792
793           numlines+=keyrec->lines;
794           iobuf_close(keyrec->uidbuf);
795           m_free(keyrec);
796
797           started=1;
798           i++;
799         }
800     }
801
802  notfound:
803   /* Leave this commented out or now, and perhaps for a very long
804      time.  All HKPish servers return HTML error messages for
805      no-key-found. */
806   /* 
807      if(!started)
808      log_info(_("keyserver does not support searching\n"));
809      else
810   */
811   if(count==0)
812     {
813       if(localstr)
814         log_info(_("key \"%s\" not found on keyserver\n"),localstr);
815       else
816         log_info(_("key not found on keyserver\n"));
817     }
818
819   m_free(localstr);
820   m_free(desc);
821   m_free(line);
822 }
823
824 /* We sometimes want to use a different gpgkeys_xxx for a given
825    protocol (for example, ldaps is handled by gpgkeys_ldap).  Map
826    these here. */
827 static const char *
828 keyserver_typemap(const char *type)
829 {
830   if(strcmp(type,"ldaps")==0)
831     return "ldap";
832 #ifdef FTP_VIA_LIBCURL
833   else if(strcmp(type,"ftp")==0)
834     return "curl";
835 #endif
836 #ifdef FTPS_VIA_LIBCURL
837   else if(strcmp(type,"ftps")==0)
838     return "curl";
839 #endif
840 #ifdef HTTP_VIA_LIBCURL
841   else if(strcmp(type,"http")==0)
842     return "curl";
843 #endif
844 #ifdef HTTPS_VIA_LIBCURL
845   else if(strcmp(type,"https")==0)
846     return "curl";
847 #endif
848   else
849     return type;
850 }
851
852 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
853 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
854
855 static int 
856 keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
857                 int count,int *prog,struct keyserver_spec *keyserver)
858 {
859   int ret=0,i,gotversion=0,outofband=0;
860   STRLIST temp;
861   unsigned int maxlen,buflen;
862   char *command,*searchstr=NULL;
863   byte *line=NULL;
864   struct parse_options *kopts;
865   struct exec_info *spawn;
866   const char *scheme;
867
868   assert(keyserver);
869
870 #ifdef EXEC_TEMPFILE_ONLY
871   opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
872 #endif
873
874   /* Build the filename for the helper to execute */
875   scheme=keyserver_typemap(keyserver->scheme);
876
877 #ifdef DISABLE_KEYSERVER_PATH
878   /* Destroy any path we might have.  This is a little tricky,
879      portability-wise.  It's not correct to delete the PATH
880      environment variable, as that may fall back to a system built-in
881      PATH.  Similarly, it is not correct to set PATH to the null
882      string (PATH="") since this actually deletes the PATH environment
883      variable under MinGW.  The safest thing to do here is to force
884      PATH to be GNUPG_LIBEXECDIR.  All this is not that meaningful on
885      Unix-like systems (since we're going to give a full path to
886      gpgkeys_foo), but on W32 it prevents loading any DLLs from
887      directories in %PATH%. */
888   set_exec_path(GNUPG_LIBEXECDIR);
889 #else
890   if(opt.exec_path_set)
891     {
892       /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
893          undefined, then don't specify a full path to gpgkeys_foo, so
894          that the PATH can work. */
895       command=m_alloc(strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
896       command[0]='\0';
897     }
898   else
899 #endif
900     {
901       /* Specify a full path to gpgkeys_foo. */
902       command=m_alloc(strlen(GNUPG_LIBEXECDIR)+strlen(DIRSEP_S)+
903                       strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
904       strcpy(command,GNUPG_LIBEXECDIR);
905       strcat(command,DIRSEP_S);
906     }
907
908   strcat(command,GPGKEYS_PREFIX); 
909   strcat(command,scheme);
910
911   if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
912     {
913       if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
914         {
915           command=m_realloc(command,strlen(command)+
916                             strlen(KEYSERVER_ARGS_KEEP)+1);
917           strcat(command,KEYSERVER_ARGS_KEEP);
918         }
919       else
920         {
921           command=m_realloc(command,strlen(command)+
922                             strlen(KEYSERVER_ARGS_NOKEEP)+1);
923           strcat(command,KEYSERVER_ARGS_NOKEEP);  
924         }
925
926       ret=exec_write(&spawn,NULL,command,NULL,0,0);
927     }
928   else
929     ret=exec_write(&spawn,command,NULL,NULL,0,0);
930
931   m_free(command);
932
933   if(ret)
934     return ret;
935
936   fprintf(spawn->tochild,
937           "# This is a GnuPG %s keyserver communications file\n",VERSION);
938   fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
939   fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
940   fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
941
942   if(keyserver->opaque)
943     fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
944   else
945     {
946       if(keyserver->auth)
947         fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
948
949       if(keyserver->host)
950         fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
951
952       if(keyserver->port)
953         fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
954
955       if(keyserver->path)
956         fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
957     }
958
959   /* Write options */
960
961   for(i=0,kopts=keyserver_opts;kopts[i].name;i++)
962     if(opt.keyserver_options.options & kopts[i].bit & REMOTE_TELL)
963       fprintf(spawn->tochild,"OPTION %s\n",kopts[i].name);
964
965   for(temp=opt.keyserver_options.other;temp;temp=temp->next)
966     fprintf(spawn->tochild,"OPTION %s\n",temp->d);
967
968   switch(action)
969     {
970     case GET:
971       {
972         fprintf(spawn->tochild,"COMMAND GET\n\n");
973
974         /* Which keys do we want? */
975
976         for(i=0;i<count;i++)
977           {
978             if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
979               {
980                 int f;
981
982                 fprintf(spawn->tochild,"0x");
983
984                 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
985                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
986
987                 fprintf(spawn->tochild,"\n");
988               }
989             else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
990               {
991                 int f;
992
993                 fprintf(spawn->tochild,"0x");
994
995                 for(f=0;f<16;f++)
996                   fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
997
998                 fprintf(spawn->tochild,"\n");
999               }
1000             else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1001               fprintf(spawn->tochild,"0x%08lX%08lX\n",
1002                       (ulong)desc[i].u.kid[0],
1003                       (ulong)desc[i].u.kid[1]);
1004             else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1005               fprintf(spawn->tochild,"0x%08lX\n",
1006                       (ulong)desc[i].u.kid[1]);
1007             else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1008               continue;
1009             else
1010               BUG();
1011
1012             if(keyserver->host)
1013               log_info(_("requesting key %s from %s server %s\n"),
1014                        keystr_from_desc(&desc[i]),
1015                        keyserver->scheme,keyserver->host);
1016             else
1017               log_info(_("requesting key %s from %s\n"),
1018                        keystr_from_desc(&desc[i]),keyserver->uri);
1019           }
1020
1021         fprintf(spawn->tochild,"\n");
1022
1023         break;
1024       }
1025
1026     case SEND:
1027       {
1028         STRLIST key;
1029
1030         /* Note the extra \n here to send an empty keylist block */
1031         fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1032
1033         for(key=list;key!=NULL;key=key->next)
1034           {
1035             armor_filter_context_t afx;
1036             IOBUF buffer=iobuf_temp();
1037             KBNODE block;
1038
1039             temp=NULL;
1040             add_to_strlist(&temp,key->d);
1041
1042             memset(&afx,0,sizeof(afx));
1043             afx.what=1;
1044             /* Tell the armor filter to use Unix-style \n line
1045                endings, since we're going to fprintf this to a file
1046                that (on Win32) is open in text mode.  The win32 stdio
1047                will transform the \n to \r\n and we'll end up with the
1048                proper line endings on win32.  This is a no-op on
1049                Unix. */
1050             afx.eol[0]='\n';
1051             iobuf_push_filter(buffer,armor_filter,&afx);
1052
1053             /* TODO: Remove Comment: lines from keys exported this
1054                way? */
1055
1056             if(export_pubkeys_stream(buffer,temp,&block,
1057                                      opt.keyserver_options.export_options)==-1)
1058               iobuf_close(buffer);
1059             else
1060               {
1061                 KBNODE node;
1062
1063                 iobuf_flush_temp(buffer);
1064
1065                 merge_keys_and_selfsig(block);
1066
1067                 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1068                         (ulong)block->pkt->pkt.public_key->keyid[0],
1069                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1070
1071                 for(node=block;node;node=node->next)
1072                   {
1073                     switch(node->pkt->pkttype)
1074                       {
1075                       default:
1076                         continue;
1077
1078                       case PKT_PUBLIC_KEY:
1079                       case PKT_PUBLIC_SUBKEY:
1080                         {
1081                           PKT_public_key *pk=node->pkt->pkt.public_key;
1082
1083                           keyid_from_pk(pk,NULL);
1084
1085                           fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1086                                   node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1087                                   (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1088                                   pk->pubkey_algo,
1089                                   nbits_from_pk(pk),
1090                                   pk->timestamp,
1091                                   pk->expiredate);
1092
1093                           if(pk->is_revoked)
1094                             fprintf(spawn->tochild,"r");
1095                           if(pk->has_expired)
1096                             fprintf(spawn->tochild,"e");
1097
1098                           fprintf(spawn->tochild,"\n");
1099                         }
1100                         break;
1101
1102                       case PKT_USER_ID:
1103                         {
1104                           PKT_user_id *uid=node->pkt->pkt.user_id;
1105                           int r;
1106
1107                           if(uid->attrib_data)
1108                             continue;
1109
1110                           fprintf(spawn->tochild,"uid:");
1111
1112                           /* Quote ':', '%', and any 8-bit
1113                              characters */
1114                           for(r=0;r<uid->len;r++)
1115                             {
1116                               if(uid->name[r]==':' || uid->name[r]=='%'
1117                                  || uid->name[r]&0x80)
1118                                 fprintf(spawn->tochild,"%%%02X",
1119                                         (byte)uid->name[r]);
1120                               else
1121                                 fprintf(spawn->tochild,"%c",uid->name[r]);
1122                             }
1123
1124                           fprintf(spawn->tochild,":%u:%u:",
1125                                   uid->created,uid->expiredate);
1126
1127                           if(uid->is_revoked)
1128                             fprintf(spawn->tochild,"r");
1129                           if(uid->is_expired)
1130                             fprintf(spawn->tochild,"e");
1131
1132                           fprintf(spawn->tochild,"\n");
1133                         }
1134                         break;
1135
1136                         /* This bit is really for the benefit of
1137                            people who store their keys in LDAP
1138                            servers.  It makes it easy to do queries
1139                            for things like "all keys signed by
1140                            Isabella". */
1141                       case PKT_SIGNATURE:
1142                         {
1143                           PKT_signature *sig=node->pkt->pkt.signature;
1144
1145                           if(!IS_UID_SIG(sig))
1146                             continue;
1147
1148                           fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1149                                   (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1150                                   sig->sig_class,sig->timestamp,
1151                                   sig->expiredate);
1152                         }
1153                         break;
1154                       }
1155                   }
1156
1157                 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1158                         (ulong)block->pkt->pkt.public_key->keyid[0],
1159                         (ulong)block->pkt->pkt.public_key->keyid[1]);
1160
1161                 fprintf(spawn->tochild,"KEY %s BEGIN\n",key->d);
1162                 fwrite(iobuf_get_temp_buffer(buffer),
1163                        iobuf_get_temp_length(buffer),1,spawn->tochild);
1164                 fprintf(spawn->tochild,"KEY %s END\n",key->d);
1165
1166                 iobuf_close(buffer);
1167
1168                 if(keyserver->host)
1169                   log_info(_("sending key %s to %s server %s\n"),
1170                            keystr(block->pkt->pkt.public_key->keyid),
1171                            keyserver->scheme,keyserver->host);
1172                 else
1173                   log_info(_("sending key %s to %s\n"),
1174                            keystr(block->pkt->pkt.public_key->keyid),
1175                            keyserver->uri);
1176
1177                 release_kbnode(block);
1178               }
1179
1180             free_strlist(temp);
1181           }
1182
1183         break;
1184       }
1185
1186     case SEARCH:
1187       {
1188         STRLIST key;
1189
1190         fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1191
1192         /* Which keys do we want?  Remember that the gpgkeys_ program
1193            is going to lump these together into a search string. */
1194
1195         for(key=list;key!=NULL;key=key->next)
1196           {
1197             fprintf(spawn->tochild,"%s\n",key->d);
1198             if(key!=list)
1199               {
1200                 searchstr=m_realloc(searchstr,
1201                                     strlen(searchstr)+strlen(key->d)+2);
1202                 strcat(searchstr," ");
1203               }
1204             else
1205               {
1206                 searchstr=m_alloc(strlen(key->d)+1);
1207                 searchstr[0]='\0';
1208               }
1209
1210             strcat(searchstr,key->d);
1211           }
1212
1213         fprintf(spawn->tochild,"\n");
1214
1215         if(keyserver->host)
1216           log_info(_("searching for \"%s\" from %s server %s\n"),
1217                    searchstr,keyserver->scheme,keyserver->host);
1218         else
1219           log_info(_("searching for \"%s\" from %s\n"),
1220                    searchstr,keyserver->uri);
1221
1222         break;
1223       }
1224
1225     default:
1226       log_fatal(_("no keyserver action!\n"));
1227       break;
1228     }
1229
1230   /* Done sending, so start reading. */
1231   ret=exec_read(spawn);
1232   if(ret)
1233     goto fail;
1234
1235   /* Now handle the response */
1236
1237   for(;;)
1238     {
1239       int plen;
1240       char *ptr;
1241
1242       maxlen=1024;
1243       if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1244         {
1245           ret=G10ERR_READ_FILE;
1246           goto fail; /* i.e. EOF */
1247         }
1248
1249       ptr=line;
1250
1251       /* remove trailing whitespace */
1252       plen=strlen(ptr);
1253       while(plen>0 && ascii_isspace(ptr[plen-1]))
1254         plen--;
1255       plen[ptr]='\0';
1256
1257       if(*ptr=='\0')
1258         break;
1259
1260       if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1261         {
1262           gotversion=1;
1263
1264           if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1265             {
1266               log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1267                         KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1268               goto fail;
1269             }
1270         }
1271       else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1272         {
1273           if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1274             log_info(_("WARNING: keyserver handler from a different"
1275                        " version of GnuPG (%s)\n"),&ptr[8]);
1276         }
1277       else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1278         outofband=1; /* Currently the only OPTION */
1279     }
1280
1281   if(!gotversion)
1282     {
1283       log_error(_("keyserver did not send VERSION\n"));
1284       goto fail;
1285     }
1286
1287   if(!outofband)
1288     switch(action)
1289       {
1290       case GET:
1291         {
1292           void *stats_handle;
1293
1294           stats_handle=import_new_stats_handle();
1295
1296           /* Slurp up all the key data.  In the future, it might be
1297              nice to look for KEY foo OUTOFBAND and FAILED indicators.
1298              It's harmless to ignore them, but ignoring them does make
1299              gpg complain about "no valid OpenPGP data found".  One
1300              way to do this could be to continue parsing this
1301              line-by-line and make a temp iobuf for each key. */
1302
1303           import_keys_stream(spawn->fromchild,stats_handle,
1304                              opt.keyserver_options.import_options);
1305
1306           import_print_stats(stats_handle);
1307           import_release_stats_handle(stats_handle);
1308
1309           break;
1310         }
1311
1312         /* Nothing to do here */
1313       case SEND:
1314         break;
1315
1316       case SEARCH:
1317         keyserver_search_prompt(spawn->fromchild,searchstr);
1318         break;
1319
1320       default:
1321         log_fatal(_("no keyserver action!\n"));
1322         break;
1323       }
1324
1325  fail:
1326   m_free(line);
1327   m_free(searchstr);
1328
1329   *prog=exec_finish(spawn);
1330
1331   return ret;
1332 }
1333
1334 static int 
1335 keyserver_work(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
1336                int count,struct keyserver_spec *keyserver)
1337 {
1338   int rc=0,ret=0;
1339
1340   if(!keyserver)
1341     {
1342       log_error(_("no keyserver known (use option --keyserver)\n"));
1343       return G10ERR_BAD_URI;
1344     }
1345
1346 #ifdef DISABLE_KEYSERVER_HELPERS
1347
1348   log_error(_("external keyserver calls are not supported in this build\n"));
1349   return G10ERR_KEYSERVER;
1350
1351 #else
1352   /* Spawn a handler */
1353
1354   rc=keyserver_spawn(action,list,desc,count,&ret,keyserver);
1355   if(ret)
1356     {
1357       switch(ret)
1358         {
1359         case KEYSERVER_SCHEME_NOT_FOUND:
1360           log_error(_("no handler for keyserver scheme `%s'\n"),
1361                     keyserver->scheme);
1362           break;
1363
1364         case KEYSERVER_NOT_SUPPORTED:
1365           log_error(_("action `%s' not supported with keyserver "
1366                       "scheme `%s'\n"),
1367                     action==GET?"get":action==SEND?"send":
1368                     action==SEARCH?"search":"unknown",
1369                     keyserver->scheme);
1370           break;
1371
1372         case KEYSERVER_VERSION_ERROR:
1373           log_error(_(GPGKEYS_PREFIX "%s does not support"
1374                       " handler version %d\n"),
1375                     keyserver_typemap(keyserver->scheme),
1376                     KEYSERVER_PROTO_VERSION);
1377           break;
1378
1379         case KEYSERVER_TIMEOUT:
1380           log_error(_("keyserver timed out\n"));
1381           break;
1382
1383         case KEYSERVER_INTERNAL_ERROR:
1384         default:
1385           log_error(_("keyserver internal error\n"));
1386           break;
1387         }
1388
1389       return G10ERR_KEYSERVER;
1390     }
1391
1392   if(rc)
1393     {
1394       log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1395
1396       return rc;
1397     }
1398
1399   return 0;
1400 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1401 }
1402
1403 int 
1404 keyserver_export(STRLIST users)
1405 {
1406   STRLIST sl=NULL;
1407   KEYDB_SEARCH_DESC desc;
1408   int rc=0;
1409
1410   /* Weed out descriptors that we don't support sending */
1411   for(;users;users=users->next)
1412     {
1413       classify_user_id (users->d, &desc);
1414       if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1415          desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1416          desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1417          desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1418         {
1419           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1420           continue;
1421         }
1422       else
1423         append_to_strlist(&sl,users->d);
1424     }
1425
1426   if(sl)
1427     {
1428       rc=keyserver_work(SEND,sl,NULL,0,opt.keyserver);
1429       free_strlist(sl);
1430     }
1431
1432   return rc;
1433 }
1434
1435 int 
1436 keyserver_import(STRLIST users)
1437 {
1438   KEYDB_SEARCH_DESC *desc;
1439   int num=100,count=0;
1440   int rc=0;
1441
1442   /* Build a list of key ids */
1443   desc=m_alloc(sizeof(KEYDB_SEARCH_DESC)*num);
1444
1445   for(;users;users=users->next)
1446     {
1447       classify_user_id (users->d, &desc[count]);
1448       if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1449          desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1450          desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1451          desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1452         {
1453           log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1454           continue;
1455         }
1456
1457       count++;
1458       if(count==num)
1459         {
1460           num+=100;
1461           desc=m_realloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1462         }
1463     }
1464
1465   if(count>0)
1466     rc=keyserver_work(GET,NULL,desc,count,opt.keyserver);
1467
1468   m_free(desc);
1469
1470   return rc;
1471 }
1472
1473 int
1474 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1475                         struct keyserver_spec *keyserver)
1476 {
1477   KEYDB_SEARCH_DESC desc;
1478
1479   memset(&desc,0,sizeof(desc));
1480
1481   if(fprint_len==16)
1482     desc.mode=KEYDB_SEARCH_MODE_FPR16;
1483   else if(fprint_len==20)
1484     desc.mode=KEYDB_SEARCH_MODE_FPR20;
1485   else
1486     return -1;
1487
1488   memcpy(desc.u.fpr,fprint,fprint_len);
1489
1490   return keyserver_work(GET,NULL,&desc,1,keyserver);
1491 }
1492
1493 int 
1494 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1495 {
1496   KEYDB_SEARCH_DESC desc;
1497
1498   memset(&desc,0,sizeof(desc));
1499
1500   desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1501   desc.u.kid[0]=keyid[0];
1502   desc.u.kid[1]=keyid[1];
1503
1504   return keyserver_work(GET,NULL,&desc,1,keyserver);
1505 }
1506
1507 /* code mostly stolen from do_export_stream */
1508 static int 
1509 keyidlist(STRLIST users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1510 {
1511   int rc=0,ndesc,num=100;
1512   KBNODE keyblock=NULL,node;
1513   KEYDB_HANDLE kdbhd;
1514   KEYDB_SEARCH_DESC *desc;
1515   STRLIST sl;
1516
1517   *count=0;
1518
1519   *klist=m_alloc(sizeof(KEYDB_SEARCH_DESC)*num);
1520
1521   kdbhd=keydb_new(0);
1522
1523   if(!users)
1524     {
1525       ndesc = 1;
1526       desc = m_alloc_clear ( ndesc * sizeof *desc);
1527       desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1528     }
1529   else
1530     {
1531       for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++) 
1532         ;
1533       desc = m_alloc ( ndesc * sizeof *desc);
1534         
1535       for (ndesc=0, sl=users; sl; sl = sl->next)
1536         {
1537           if(classify_user_id (sl->d, desc+ndesc))
1538             ndesc++;
1539           else
1540             log_error (_("key \"%s\" not found: %s\n"),
1541                        sl->d, g10_errstr (G10ERR_INV_USER_ID));
1542         }
1543     }
1544
1545   while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1546     {
1547       if (!users) 
1548         desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1549
1550       /* read the keyblock */
1551       rc = keydb_get_keyblock (kdbhd, &keyblock );
1552       if( rc )
1553         {
1554           log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1555           goto leave;
1556         }
1557
1558       if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1559         {
1560           /* This is to work around a bug in some keyservers (pksd and
1561              OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1562              The answer is to refresh both the correct v4 keyid
1563              (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1564              This only happens for key refresh using the HKP scheme
1565              and if the refresh-add-fake-v3-keyids keyserver option is
1566              set. */
1567           if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1568              node->pkt->pkt.public_key->version>=4)
1569             {
1570               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1571               mpi_get_keyid(node->pkt->pkt.public_key->pkey[0],
1572                             (*klist)[*count].u.kid);
1573               (*count)++;
1574
1575               if(*count==num)
1576                 {
1577                   num+=100;
1578                   *klist=m_realloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1579                 }
1580             }
1581
1582           /* v4 keys get full fingerprints.  v3 keys get long keyids.
1583              This is because it's easy to calculate any sort of keyid
1584              from a v4 fingerprint, but not a v3 fingerprint. */
1585
1586           if(node->pkt->pkt.public_key->version<4)
1587             {
1588               (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1589               keyid_from_pk(node->pkt->pkt.public_key,
1590                             (*klist)[*count].u.kid);
1591             }
1592           else
1593             {
1594               size_t dummy;
1595
1596               (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1597               fingerprint_from_pk(node->pkt->pkt.public_key,
1598                                   (*klist)[*count].u.fpr,&dummy);
1599             }
1600
1601           /* This is a little hackish, using the skipfncvalue as a
1602              void* pointer to the keyserver spec, but we don't need
1603              the skipfnc here, and it saves having an additional field
1604              for this (which would be wasted space most of the
1605              time). */
1606
1607           (*klist)[*count].skipfncvalue=NULL;
1608
1609           /* Are we honoring preferred keyservers? */
1610           if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1611             {
1612               PKT_user_id *uid=NULL;
1613               PKT_signature *sig=NULL;
1614
1615               merge_keys_and_selfsig(keyblock);
1616
1617               for(node=node->next;node;node=node->next)
1618                 {
1619                   if(node->pkt->pkttype==PKT_USER_ID
1620                      && node->pkt->pkt.user_id->is_primary)
1621                     uid=node->pkt->pkt.user_id;
1622                   else if(node->pkt->pkttype==PKT_SIGNATURE
1623                           && node->pkt->pkt.signature->
1624                           flags.chosen_selfsig && uid)
1625                     {
1626                       sig=node->pkt->pkt.signature;
1627                       break;
1628                     }
1629                 }
1630
1631               /* Try and parse the keyserver URL.  If it doesn't work,
1632                  then we end up writing NULL which indicates we are
1633                  the same as any other key. */
1634               if(uid && sig)
1635                 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1636             }
1637
1638           (*count)++;
1639
1640           if(*count==num)
1641             {
1642               num+=100;
1643               *klist=m_realloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1644             }
1645         }
1646     }
1647
1648   if(rc==-1)
1649     rc=0;
1650   
1651  leave:
1652   if(rc)
1653     m_free(*klist);
1654   m_free(desc);
1655   keydb_release(kdbhd);
1656   release_kbnode(keyblock);
1657
1658   return rc;
1659 }
1660
1661 /* Note this is different than the original HKP refresh.  It allows
1662    usernames to refresh only part of the keyring. */
1663
1664 int 
1665 keyserver_refresh(STRLIST users)
1666 {
1667   int rc,count,numdesc,fakev3=0;
1668   KEYDB_SEARCH_DESC *desc;
1669   unsigned int options=opt.keyserver_options.import_options;
1670
1671   /* We switch merge-only on during a refresh, as 'refresh' should
1672      never import new keys, even if their keyids match. */
1673   opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1674
1675   /* Similarly, we switch on fast-import, since refresh may make
1676      multiple import sets (due to preferred keyserver URLs).  We don't
1677      want each set to rebuild the trustdb.  Instead we do it once at
1678      the end here. */
1679   opt.keyserver_options.import_options|=IMPORT_FAST;
1680
1681   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1682      scheme, then enable fake v3 keyid generation. */
1683   if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1684      && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1685          ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1686     fakev3=1;
1687
1688   rc=keyidlist(users,&desc,&numdesc,fakev3);
1689   if(rc)
1690     return rc;
1691
1692   count=numdesc;
1693   if(count>0)
1694     {
1695       int i;
1696
1697       /* Try to handle preferred keyserver keys first */
1698       for(i=0;i<count;i++)
1699         {
1700           if(desc[i].skipfncvalue)
1701             {
1702               struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1703
1704               /* We use the keyserver structure we parsed out before.
1705                  Note that a preferred keyserver without a scheme://
1706                  will be interpreted as hkp:// */
1707
1708               rc=keyserver_work(GET,NULL,&desc[i],1,keyserver);
1709               if(rc)
1710                 log_info(_("WARNING: unable to refresh key %s"
1711                            " via %s: %s\n"),keystr_from_desc(&desc[i]),
1712                          keyserver->uri,g10_errstr(rc));
1713               else
1714                 {
1715                   /* We got it, so mark it as NONE so we don't try and
1716                      get it again from the regular keyserver. */
1717
1718                   desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1719                   count--;
1720                 }
1721
1722               free_keyserver_spec(keyserver);
1723             }
1724         }
1725     }
1726
1727   if(count>0)
1728     {
1729       if(opt.keyserver)
1730         {
1731           if(count==1)
1732             log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1733           else
1734             log_info(_("refreshing %d keys from %s\n"),
1735                      count,opt.keyserver->uri);
1736         }
1737
1738       rc=keyserver_work(GET,NULL,desc,numdesc,opt.keyserver);
1739     }
1740
1741   m_free(desc);
1742
1743   opt.keyserver_options.import_options=options;
1744
1745   /* If the original options didn't have fast import, and the trustdb
1746      is dirty, rebuild. */
1747   if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1748     trustdb_check_or_update();
1749
1750   return rc;
1751 }
1752
1753 int
1754 keyserver_search(STRLIST tokens)
1755 {
1756   if(tokens)
1757     return keyserver_work(SEARCH,tokens,NULL,0,opt.keyserver);
1758   else
1759     return 0;
1760 }