Enhanced last patch.
[gnupg.git] / keyserver / gpgkeys_ldap.c
blobf44a5c369b41ccb44f846fda593e0adff2bf7d55
1 /* gpgkeys_ldap.c - talk to a LDAP keyserver
2 * Copyright (C) 2001, 2002, 2004, 2005, 2006
3 * 2007 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 * In addition, as a special exception, the Free Software Foundation
21 * gives permission to link the code of the keyserver helper tools:
22 * gpgkeys_ldap, gpgkeys_curl and gpgkeys_hkp with the OpenSSL
23 * project's "OpenSSL" library (or with modified versions of it that
24 * use the same license as the "OpenSSL" library), and distribute the
25 * linked executables. You must obey the GNU General Public License
26 * in all respects for all of the code used other than "OpenSSL". If
27 * you modify this file, you may extend this exception to your version
28 * of the file, but you are not obligated to do so. If you do not
29 * wish to do so, delete this exception statement from your version.
32 #include <config.h>
33 #include <stdio.h>
34 #include <string.h>
35 #include <time.h>
36 #include <unistd.h>
37 #ifdef HAVE_GETOPT_H
38 #include <getopt.h>
39 #endif
40 #include <stdlib.h>
41 #include <errno.h>
42 #include <assert.h>
44 #ifdef _WIN32
45 #include <winsock2.h>
46 #include <winldap.h>
47 #else
48 #ifdef NEED_LBER_H
49 #include <lber.h>
50 #endif
51 /* For OpenLDAP, to enable the API that we're using. */
52 #define LDAP_DEPRECATED 1
53 #include <ldap.h>
54 #endif
56 #include "util.h"
57 #include "keyserver.h"
58 #include "ksutil.h"
60 #ifdef __riscos__
61 #include "util.h"
62 #endif
64 extern char *optarg;
65 extern int optind;
67 static int real_ldap=0;
68 static char *basekeyspacedn=NULL;
69 static char *pgpkeystr="pgpKey";
70 static FILE *input=NULL,*output=NULL,*console=NULL;
71 static LDAP *ldap=NULL;
72 static struct ks_options *opt;
74 #ifndef HAVE_TIMEGM
75 time_t timegm(struct tm *tm);
76 #endif
78 static int
79 ldap_err_to_gpg_err(int err)
81 int ret;
83 switch(err)
85 case LDAP_ALREADY_EXISTS:
86 ret=KEYSERVER_KEY_EXISTS;
87 break;
89 case LDAP_SERVER_DOWN:
90 ret=KEYSERVER_UNREACHABLE;
91 break;
93 default:
94 ret=KEYSERVER_GENERAL_ERROR;
95 break;
98 return ret;
101 static int
102 ldap_to_gpg_err(LDAP *ld)
104 #if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
106 int err;
108 if(ldap_get_option(ld,LDAP_OPT_ERROR_NUMBER,&err)==0)
109 return ldap_err_to_gpg_err(err);
110 else
111 return KEYSERVER_GENERAL_ERROR;
113 #elif defined(HAVE_LDAP_LD_ERRNO)
115 return ldap_err_to_gpg_err(ld->ld_errno);
117 #else
119 /* We should never get here since the LDAP library should always
120 have either ldap_get_option or ld_errno, but just in case... */
121 return KEYSERVER_GENERAL_ERROR;
123 #endif
126 static int
127 key_in_keylist(const char *key,struct keylist *list)
129 struct keylist *keyptr=list;
131 while(keyptr!=NULL)
133 if(strcasecmp(key,keyptr->str)==0)
134 return 1;
136 keyptr=keyptr->next;
139 return 0;
142 static int
143 add_key_to_keylist(const char *key,struct keylist **list)
145 struct keylist *keyptr=malloc(sizeof(struct keylist));
147 if(keyptr==NULL)
149 fprintf(console,"gpgkeys: out of memory when deduping "
150 "key list\n");
151 return KEYSERVER_NO_MEMORY;
154 strncpy(keyptr->str,key,MAX_LINE);
155 keyptr->str[MAX_LINE-1]='\0';
156 keyptr->next=*list;
157 *list=keyptr;
159 return 0;
162 static void
163 free_keylist(struct keylist *list)
165 while(list!=NULL)
167 struct keylist *keyptr=list;
169 list=keyptr->next;
170 free(keyptr);
174 static time_t
175 ldap2epochtime(const char *timestr)
177 struct tm pgptime;
178 time_t answer;
180 memset(&pgptime,0,sizeof(pgptime));
182 /* YYYYMMDDHHmmssZ */
184 sscanf(timestr,"%4d%2d%2d%2d%2d%2d",
185 &pgptime.tm_year,
186 &pgptime.tm_mon,
187 &pgptime.tm_mday,
188 &pgptime.tm_hour,
189 &pgptime.tm_min,
190 &pgptime.tm_sec);
192 pgptime.tm_year-=1900;
193 pgptime.tm_isdst=-1;
194 pgptime.tm_mon--;
196 /* mktime() takes the timezone into account, so we use timegm() */
198 answer=timegm(&pgptime);
200 return answer;
203 /* Caller must free */
204 static char *
205 epoch2ldaptime(time_t stamp)
207 struct tm *ldaptime;
208 char buf[16];
210 ldaptime=gmtime(&stamp);
212 ldaptime->tm_year+=1900;
213 ldaptime->tm_mon++;
215 /* YYYYMMDDHHmmssZ */
217 sprintf(buf,"%04d%02d%02d%02d%02d%02dZ",
218 ldaptime->tm_year,
219 ldaptime->tm_mon,
220 ldaptime->tm_mday,
221 ldaptime->tm_hour,
222 ldaptime->tm_min,
223 ldaptime->tm_sec);
225 return strdup(buf);
228 /* Append two onto the end of one. Two is not freed, but its pointers
229 are now part of one. Make sure you don't free them both! */
230 static int
231 join_two_modlists(LDAPMod ***one,LDAPMod **two)
233 int i,one_count=0,two_count=0;
234 LDAPMod **grow;
236 for(grow=*one;*grow;grow++)
237 one_count++;
239 for(grow=two;*grow;grow++)
240 two_count++;
242 grow=realloc(*one,sizeof(LDAPMod *)*(one_count+two_count+1));
243 if(!grow)
244 return 0;
246 for(i=0;i<two_count;i++)
247 grow[one_count+i]=two[i];
249 grow[one_count+i]=NULL;
251 *one=grow;
253 return 1;
256 /* Passing a NULL for value effectively deletes that attribute. This
257 doesn't mean "delete" in the sense of removing something from the
258 modlist, but "delete" in the LDAP sense of adding a modlist item
259 that specifies LDAP_MOD_REPLACE and a null attribute for the given
260 attribute. LDAP_MOD_DELETE doesn't work here as we don't know if
261 the attribute in question exists or not. */
263 static int
264 make_one_attr(LDAPMod ***modlist,char *attr,const char *value)
266 LDAPMod **m;
267 int nummods=0;
269 /* Search modlist for the attribute we're playing with. */
270 for(m=*modlist;*m;m++)
272 if(strcasecmp((*m)->mod_type,attr)==0)
274 char **ptr=(*m)->mod_values;
275 int numvalues=0;
277 /* We have this attribute already, so when the REPLACE
278 happens, the server attributes will be replaced
279 anyway. */
280 if(!value)
281 return 1;
283 if(ptr)
284 for(ptr=(*m)->mod_values;*ptr;ptr++)
286 /* Duplicate value */
287 if(strcmp(*ptr,value)==0)
288 return 1;
289 numvalues++;
292 ptr=realloc((*m)->mod_values,sizeof(char *)*(numvalues+2));
293 if(!ptr)
294 return 0;
296 (*m)->mod_values=ptr;
297 ptr[numvalues]=strdup(value);
298 if(!ptr[numvalues])
299 return 0;
301 ptr[numvalues+1]=NULL;
302 break;
305 nummods++;
308 /* We didn't find the attr, so make one and add it to the end */
309 if(!*m)
311 LDAPMod **grow;
313 grow=realloc(*modlist,sizeof(LDAPMod *)*(nummods+2));
314 if(!grow)
315 return 0;
317 *modlist=grow;
318 grow[nummods]=malloc(sizeof(LDAPMod));
319 if(!grow[nummods])
320 return 0;
321 grow[nummods]->mod_op=LDAP_MOD_REPLACE;
322 grow[nummods]->mod_type=attr;
323 if(value)
325 grow[nummods]->mod_values=malloc(sizeof(char *)*2);
326 if(!grow[nummods]->mod_values)
328 grow[nummods]=NULL;
329 return 0;
332 /* Is this the right thing? Can a UTF8-encoded user ID have
333 embedded nulls? */
334 grow[nummods]->mod_values[0]=strdup(value);
335 if(!grow[nummods]->mod_values[0])
337 free(grow[nummods]->mod_values);
338 grow[nummods]=NULL;
339 return 0;
342 grow[nummods]->mod_values[1]=NULL;
344 else
345 grow[nummods]->mod_values=NULL;
347 grow[nummods+1]=NULL;
350 return 1;
353 static void
354 build_attrs(LDAPMod ***modlist,char *line)
356 char *record;
357 int i;
359 /* Remove trailing whitespace */
360 for(i=strlen(line);i>0;i--)
361 if(ascii_isspace(line[i-1]))
362 line[i-1]='\0';
363 else
364 break;
366 if((record=strsep(&line,":"))==NULL)
367 return;
369 if(ks_strcasecmp("pub",record)==0)
371 char *tok;
372 int disabled=0,revoked=0;
374 /* The long keyid */
375 if((tok=strsep(&line,":"))==NULL)
376 return;
378 if(strlen(tok)==16)
380 make_one_attr(modlist,"pgpCertID",tok);
381 make_one_attr(modlist,"pgpKeyID",&tok[8]);
383 else
384 return;
386 /* The primary pubkey algo */
387 if((tok=strsep(&line,":"))==NULL)
388 return;
390 switch(atoi(tok))
392 case 1:
393 make_one_attr(modlist,"pgpKeyType","RSA");
394 break;
396 case 17:
397 make_one_attr(modlist,"pgpKeyType","DSS/DH");
398 break;
401 /* Size of primary key */
402 if((tok=strsep(&line,":"))==NULL)
403 return;
405 if(atoi(tok)>0)
407 char padded[6];
408 int val=atoi(tok);
410 /* We zero pad this on the left to make PGP happy. */
412 if(val<99999 && val>0)
414 sprintf(padded,"%05u",atoi(tok));
415 make_one_attr(modlist,"pgpKeySize",padded);
419 /* pk timestamp */
420 if((tok=strsep(&line,":"))==NULL)
421 return;
423 if(atoi(tok)>0)
425 char *stamp=epoch2ldaptime(atoi(tok));
426 if(stamp)
428 make_one_attr(modlist,"pgpKeyCreateTime",stamp);
429 free(stamp);
433 /* pk expire */
434 if((tok=strsep(&line,":"))==NULL)
435 return;
437 if(atoi(tok)>0)
439 char *stamp=epoch2ldaptime(atoi(tok));
440 if(stamp)
442 make_one_attr(modlist,"pgpKeyExpireTime",stamp);
443 free(stamp);
447 /* flags */
448 if((tok=strsep(&line,":"))==NULL)
449 return;
451 while(*tok)
452 switch(*tok++)
454 case 'r':
455 case 'R':
456 revoked=1;
457 break;
459 case 'd':
460 case 'D':
461 disabled=1;
462 break;
466 Note that we always create the pgpDisabled and pgpRevoked
467 attributes, regardless of whether the key is disabled/revoked
468 or not. This is because a very common search is like
469 "(&(pgpUserID=*isabella*)(pgpDisabled=0))"
472 make_one_attr(modlist,"pgpDisabled",disabled?"1":"0");
473 make_one_attr(modlist,"pgpRevoked",revoked?"1":"0");
475 else if(ks_strcasecmp("sub",record)==0)
477 char *tok;
479 /* The long keyid */
480 if((tok=strsep(&line,":"))==NULL)
481 return;
483 if(strlen(tok)==16)
484 make_one_attr(modlist,"pgpSubKeyID",tok);
485 else
486 return;
488 /* The subkey algo */
489 if((tok=strsep(&line,":"))==NULL)
490 return;
492 /* Size of subkey */
493 if((tok=strsep(&line,":"))==NULL)
494 return;
496 if(atoi(tok)>0)
498 char padded[6];
499 int val=atoi(tok);
501 /* We zero pad this on the left to make PGP happy. */
503 if(val<99999 && val>0)
505 sprintf(padded,"%05u",atoi(tok));
506 make_one_attr(modlist,"pgpKeySize",padded);
510 /* Ignore the rest of the items for subkeys since the LDAP
511 schema doesn't store them. */
513 else if(ks_strcasecmp("uid",record)==0)
515 char *userid,*tok;
517 /* The user ID string */
518 if((tok=strsep(&line,":"))==NULL)
519 return;
521 if(strlen(tok)==0)
522 return;
524 userid=tok;
526 /* By definition, de-%-encoding is always smaller than the
527 original string so we can decode in place. */
529 i=0;
531 while(*tok)
532 if(tok[0]=='%' && tok[1] && tok[2])
534 int c;
536 userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c;
537 i++;
538 tok+=3;
540 else
541 userid[i++]=*tok++;
543 userid[i]='\0';
545 /* We don't care about the other info provided in the uid: line
546 since the LDAP schema doesn't need it. */
548 make_one_attr(modlist,"pgpUserID",userid);
550 else if(ks_strcasecmp("sig",record)==0)
552 char *tok;
554 if((tok=strsep(&line,":"))==NULL)
555 return;
557 if(strlen(tok)==16)
558 make_one_attr(modlist,"pgpSignerID",tok);
562 static void
563 free_mod_values(LDAPMod *mod)
565 char **ptr;
567 if(!mod->mod_values)
568 return;
570 for(ptr=mod->mod_values;*ptr;ptr++)
571 free(*ptr);
573 free(mod->mod_values);
576 static int
577 send_key(int *r_eof)
579 int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
580 char *dn=NULL,line[MAX_LINE],*key=NULL;
581 char keyid[17],state[6];
582 LDAPMod **modlist,**addlist,**ml;
584 modlist=malloc(sizeof(LDAPMod *));
585 if(!modlist)
587 fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
588 ret=KEYSERVER_NO_MEMORY;
589 goto fail;
592 *modlist=NULL;
594 addlist=malloc(sizeof(LDAPMod *));
595 if(!addlist)
597 fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
598 ret=KEYSERVER_NO_MEMORY;
599 goto fail;
602 *addlist=NULL;
604 /* Start by nulling out all attributes. We try and do a modify
605 operation first, so this ensures that we don't leave old
606 attributes lying around. */
607 make_one_attr(&modlist,"pgpDisabled",NULL);
608 make_one_attr(&modlist,"pgpKeyID",NULL);
609 make_one_attr(&modlist,"pgpKeyType",NULL);
610 make_one_attr(&modlist,"pgpUserID",NULL);
611 make_one_attr(&modlist,"pgpKeyCreateTime",NULL);
612 make_one_attr(&modlist,"pgpSignerID",NULL);
613 make_one_attr(&modlist,"pgpRevoked",NULL);
614 make_one_attr(&modlist,"pgpSubKeyID",NULL);
615 make_one_attr(&modlist,"pgpKeySize",NULL);
616 make_one_attr(&modlist,"pgpKeyExpireTime",NULL);
617 make_one_attr(&modlist,"pgpCertID",NULL);
619 /* Assemble the INFO stuff into LDAP attributes */
621 while(fgets(line,MAX_LINE,input)!=NULL)
622 if(sscanf(line,"INFO%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
623 && strcmp(state,"BEGIN")==0)
625 begin=1;
626 break;
629 if(!begin)
631 /* i.e. eof before the INFO BEGIN was found. This isn't an
632 error. */
633 *r_eof=1;
634 ret=KEYSERVER_OK;
635 goto fail;
638 if(strlen(keyid)!=16)
640 *r_eof=1;
641 ret=KEYSERVER_KEY_INCOMPLETE;
642 goto fail;
645 dn=malloc(strlen("pgpCertID=")+16+1+strlen(basekeyspacedn)+1);
646 if(dn==NULL)
648 fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
649 ret=KEYSERVER_NO_MEMORY;
650 goto fail;
653 sprintf(dn,"pgpCertID=%s,%s",keyid,basekeyspacedn);
655 key=malloc(1);
656 if(!key)
658 fprintf(console,"gpgkeys: unable to allocate memory for key\n");
659 ret=KEYSERVER_NO_MEMORY;
660 goto fail;
663 key[0]='\0';
665 /* Now parse each line until we see the END */
667 while(fgets(line,MAX_LINE,input)!=NULL)
668 if(sscanf(line,"INFO%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
669 && strcmp(state,"END")==0)
671 end=1;
672 break;
674 else
675 build_attrs(&addlist,line);
677 if(!end)
679 fprintf(console,"gpgkeys: no INFO %s END found\n",keyid);
680 *r_eof=1;
681 ret=KEYSERVER_KEY_INCOMPLETE;
682 goto fail;
685 begin=end=0;
687 /* Read and throw away stdin until we see the BEGIN */
689 while(fgets(line,MAX_LINE,input)!=NULL)
690 if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
691 && strcmp(state,"BEGIN")==0)
693 begin=1;
694 break;
697 if(!begin)
699 /* i.e. eof before the KEY BEGIN was found. This isn't an
700 error. */
701 *r_eof=1;
702 ret=KEYSERVER_OK;
703 goto fail;
706 /* Now slurp up everything until we see the END */
708 while(fgets(line,MAX_LINE,input)!=NULL)
709 if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
710 && strcmp(state,"END")==0)
712 end=1;
713 break;
715 else
717 char *tempkey;
718 keysize+=strlen(line);
719 tempkey=realloc(key,keysize);
720 if(tempkey==NULL)
722 fprintf(console,"gpgkeys: unable to reallocate for key\n");
723 ret=KEYSERVER_NO_MEMORY;
724 goto fail;
726 else
727 key=tempkey;
729 strcat(key,line);
732 if(!end)
734 fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
735 *r_eof=1;
736 ret=KEYSERVER_KEY_INCOMPLETE;
737 goto fail;
740 make_one_attr(&addlist,"objectClass","pgpKeyInfo");
741 make_one_attr(&addlist,"pgpKey",key);
743 /* Now append addlist onto modlist */
744 if(!join_two_modlists(&modlist,addlist))
746 fprintf(console,"gpgkeys: unable to merge LDAP modification lists\n");
747 ret=KEYSERVER_NO_MEMORY;
748 goto fail;
751 /* Going on the assumption that modify operations are more frequent
752 than adds, we try a modify first. If it's not there, we just
753 turn around and send an add command for the same key. Otherwise,
754 the modify brings the server copy into compliance with our copy.
755 Note that unlike the LDAP keyserver (and really, any other
756 keyserver) this does NOT merge signatures, but replaces the whole
757 key. This should make some people very happy. */
759 err=ldap_modify_s(ldap,dn,modlist);
760 if(err==LDAP_NO_SUCH_OBJECT)
761 err=ldap_add_s(ldap,dn,addlist);
763 if(err!=LDAP_SUCCESS)
765 fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
766 keyid,ldap_err2string(err));
767 ret=ldap_err_to_gpg_err(err);
768 goto fail;
771 ret=KEYSERVER_OK;
773 fail:
774 /* Unwind and free the whole modlist structure */
775 for(ml=modlist;*ml;ml++)
777 free_mod_values(*ml);
778 free(*ml);
781 free(modlist);
782 free(addlist);
783 free(dn);
784 free(key);
786 if(ret!=0 && begin)
787 fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
789 return ret;
792 static int
793 send_key_keyserver(int *r_eof)
795 int err,begin=0,end=0,keysize=1,ret=KEYSERVER_INTERNAL_ERROR;
796 char *dn=NULL,line[MAX_LINE],*key[2]={NULL,NULL};
797 char keyid[17],state[6];
798 LDAPMod mod, *attrs[2];
800 memset(&mod,0,sizeof(mod));
801 mod.mod_op=LDAP_MOD_ADD;
802 mod.mod_type=pgpkeystr;
803 mod.mod_values=key;
804 attrs[0]=&mod;
805 attrs[1]=NULL;
807 dn=malloc(strlen("pgpCertid=virtual,")+strlen(basekeyspacedn)+1);
808 if(dn==NULL)
810 fprintf(console,"gpgkeys: can't allocate memory for keyserver record\n");
811 ret=KEYSERVER_NO_MEMORY;
812 goto fail;
815 strcpy(dn,"pgpCertid=virtual,");
816 strcat(dn,basekeyspacedn);
818 key[0]=malloc(1);
819 if(key[0]==NULL)
821 fprintf(console,"gpgkeys: unable to allocate memory for key\n");
822 ret=KEYSERVER_NO_MEMORY;
823 goto fail;
826 key[0][0]='\0';
828 /* Read and throw away stdin until we see the BEGIN */
830 while(fgets(line,MAX_LINE,input)!=NULL)
831 if(sscanf(line,"KEY%*[ ]%16s%*[ ]%5s\n",keyid,state)==2
832 && strcmp(state,"BEGIN")==0)
834 begin=1;
835 break;
838 if(!begin)
840 /* i.e. eof before the KEY BEGIN was found. This isn't an
841 error. */
842 *r_eof=1;
843 ret=KEYSERVER_OK;
844 goto fail;
847 /* Now slurp up everything until we see the END */
849 while(fgets(line,MAX_LINE,input)!=NULL)
850 if(sscanf(line,"KEY%*[ ]%16s%*[ ]%3s\n",keyid,state)==2
851 && strcmp(state,"END")==0)
853 end=1;
854 break;
856 else
858 keysize+=strlen(line);
859 key[0]=realloc(key[0],keysize);
860 if(key[0]==NULL)
862 fprintf(console,"gpgkeys: unable to reallocate for key\n");
863 ret=KEYSERVER_NO_MEMORY;
864 goto fail;
867 strcat(key[0],line);
870 if(!end)
872 fprintf(console,"gpgkeys: no KEY %s END found\n",keyid);
873 *r_eof=1;
874 ret=KEYSERVER_KEY_INCOMPLETE;
875 goto fail;
878 err=ldap_add_s(ldap,dn,attrs);
879 if(err!=LDAP_SUCCESS)
881 fprintf(console,"gpgkeys: error adding key %s to keyserver: %s\n",
882 keyid,ldap_err2string(err));
883 ret=ldap_err_to_gpg_err(err);
884 goto fail;
887 ret=KEYSERVER_OK;
889 fail:
891 free(key[0]);
892 free(dn);
894 if(ret!=0 && begin)
895 fprintf(output,"KEY %s FAILED %d\n",keyid,ret);
897 /* Not a fatal error */
898 if(ret==KEYSERVER_KEY_EXISTS)
899 ret=KEYSERVER_OK;
901 return ret;
904 static void
905 build_info(const char *certid,LDAPMessage *each)
907 char **vals;
909 fprintf(output,"INFO %s BEGIN\n",certid);
911 fprintf(output,"pub:%s:",certid);
913 vals=ldap_get_values(ldap,each,"pgpkeytype");
914 if(vals!=NULL)
916 if(strcmp(vals[0],"RSA")==0)
917 fprintf(output,"1");
918 else if(strcmp(vals[0],"DSS/DH")==0)
919 fprintf(output,"17");
920 ldap_value_free(vals);
923 fprintf(output,":");
925 vals=ldap_get_values(ldap,each,"pgpkeysize");
926 if(vals!=NULL)
928 if(atoi(vals[0])>0)
929 fprintf(output,"%d",atoi(vals[0]));
930 ldap_value_free(vals);
933 fprintf(output,":");
935 vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
936 if(vals!=NULL)
938 if(strlen(vals[0])==15)
939 fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
940 ldap_value_free(vals);
943 fprintf(output,":");
945 vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
946 if(vals!=NULL)
948 if(strlen(vals[0])==15)
949 fprintf(output,"%u",(unsigned int)ldap2epochtime(vals[0]));
950 ldap_value_free(vals);
953 fprintf(output,":");
955 vals=ldap_get_values(ldap,each,"pgprevoked");
956 if(vals!=NULL)
958 if(atoi(vals[0])==1)
959 fprintf(output,"r");
960 ldap_value_free(vals);
963 fprintf(output,"\n");
965 vals=ldap_get_values(ldap,each,"pgpuserid");
966 if(vals!=NULL)
968 int i;
970 for(i=0;vals[i];i++)
971 fprintf(output,"uid:%s\n",vals[i]);
972 ldap_value_free(vals);
975 fprintf(output,"INFO %s END\n",certid);
978 /* Note that key-not-found is not a fatal error */
979 static int
980 get_key(char *getkey)
982 LDAPMessage *res,*each;
983 int ret=KEYSERVER_INTERNAL_ERROR,err,count;
984 struct keylist *dupelist=NULL;
985 char search[62];
986 /* This ordering is significant - specifically, "pgpcertid" needs to
987 be the second item in the list, since everything after it may be
988 discarded if the user isn't in verbose mode. */
989 char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
990 "pgpdisabled","pgpkeycreatetime","modifytimestamp",
991 "pgpkeysize","pgpkeytype",NULL};
992 attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
993 array initializers. */
995 /* Build the search string */
997 /* GPG can send us a v4 fingerprint, a v3 or v4 long key id, or a v3
998 or v4 short key id */
1000 if(strncmp(getkey,"0x",2)==0)
1001 getkey+=2;
1003 if(strlen(getkey)==32)
1005 fprintf(console,
1006 "gpgkeys: LDAP keyservers do not support v3 fingerprints\n");
1007 fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1008 fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED);
1009 return KEYSERVER_NOT_SUPPORTED;
1012 if(strlen(getkey)>16)
1014 char *offset=&getkey[strlen(getkey)-16];
1016 /* fingerprint. Take the last 16 characters and treat it like a
1017 long key id */
1019 if(opt->flags.include_subkeys)
1020 sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1021 offset,offset);
1022 else
1023 sprintf(search,"(pgpcertid=%.16s)",offset);
1025 else if(strlen(getkey)>8)
1027 /* long key id */
1029 if(opt->flags.include_subkeys)
1030 sprintf(search,"(|(pgpcertid=%.16s)(pgpsubkeyid=%.16s))",
1031 getkey,getkey);
1032 else
1033 sprintf(search,"(pgpcertid=%.16s)",getkey);
1035 else
1037 /* short key id */
1039 sprintf(search,"(pgpkeyid=%.8s)",getkey);
1042 if(opt->verbose>2)
1043 fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1045 if(!opt->verbose)
1046 attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1048 err=ldap_search_s(ldap,basekeyspacedn,
1049 LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1050 if(err!=0)
1052 int errtag=ldap_err_to_gpg_err(err);
1054 fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1055 fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1056 fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1057 return errtag;
1060 count=ldap_count_entries(ldap,res);
1061 if(count<1)
1063 fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1064 fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1065 fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1067 else
1069 /* There may be more than one unique result for a given keyID,
1070 so we should fetch them all (test this by fetching short key
1071 id 0xDEADBEEF). */
1073 each=ldap_first_entry(ldap,res);
1074 while(each!=NULL)
1076 char **vals,**certid;
1078 /* Use the long keyid to remove duplicates. The LDAP server
1079 returns the same keyid more than once if there are
1080 multiple user IDs on the key. Note that this does NOT
1081 mean that a keyid that exists multiple times on the
1082 keyserver will not be fetched. It means that each KEY,
1083 no matter how many user IDs share its keyid, will be
1084 fetched only once. If a keyid that belongs to more than
1085 one key is fetched, the server quite properly responds
1086 with all matching keys. -ds */
1088 certid=ldap_get_values(ldap,each,"pgpcertid");
1089 if(certid!=NULL)
1091 if(!key_in_keylist(certid[0],dupelist))
1093 /* it's not a duplicate, so add it */
1095 int rc=add_key_to_keylist(certid[0],&dupelist);
1096 if(rc)
1098 ret=rc;
1099 goto fail;
1102 build_info(certid[0],each);
1104 fprintf(output,"KEY 0x%s BEGIN\n",getkey);
1106 vals=ldap_get_values(ldap,each,pgpkeystr);
1107 if(vals==NULL)
1109 int errtag=ldap_to_gpg_err(ldap);
1111 fprintf(console,"gpgkeys: unable to retrieve key %s "
1112 "from keyserver\n",getkey);
1113 fprintf(output,"KEY 0x%s FAILED %d\n",getkey,errtag);
1115 else
1117 print_nocr(output,vals[0]);
1118 fprintf(output,"\nKEY 0x%s END\n",getkey);
1120 ldap_value_free(vals);
1124 ldap_value_free(certid);
1127 each=ldap_next_entry(ldap,each);
1131 ret=KEYSERVER_OK;
1133 fail:
1134 ldap_msgfree(res);
1135 free_keylist(dupelist);
1137 return ret;
1140 #define LDAP_ESCAPE_CHARS "*()\\"
1142 /* Append string to buffer in a LDAP-quoted way */
1143 static void
1144 ldap_quote(char *buffer,const char *string)
1146 /* Find the end of buffer */
1147 buffer+=strlen(buffer);
1149 for(;*string;string++)
1151 if(strchr(LDAP_ESCAPE_CHARS,*string))
1153 sprintf(buffer,"\\%02X",*string);
1154 buffer+=3;
1156 else
1157 *buffer++=*string;
1160 *buffer='\0';
1163 /* Note that key-not-found is not a fatal error */
1164 static int
1165 get_name(char *getkey)
1167 LDAPMessage *res,*each;
1168 int ret=KEYSERVER_INTERNAL_ERROR,err,count;
1169 /* The maximum size of the search, including the optional stuff and
1170 the trailing \0 */
1171 char search[2+12+(MAX_LINE*3)+2+15+14+1+1+20];
1172 /* This ordering is significant - specifically, "pgpcertid" needs to
1173 be the second item in the list, since everything after it may be
1174 discarded if the user isn't in verbose mode. */
1175 char *attrs[]={"replaceme","pgpcertid","pgpuserid","pgpkeyid","pgprevoked",
1176 "pgpdisabled","pgpkeycreatetime","modifytimestamp",
1177 "pgpkeysize","pgpkeytype",NULL};
1178 attrs[0]=pgpkeystr; /* Some compilers don't like using variables as
1179 array initializers. */
1181 /* Build the search string */
1183 search[0]='\0';
1185 if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1186 strcat(search,"(&");
1188 strcat(search,"(pgpUserID=*");
1189 ldap_quote(search,getkey);
1190 strcat(search,"*)");
1192 if(!opt->flags.include_disabled)
1193 strcat(search,"(pgpDisabled=0)");
1195 if(!opt->flags.include_revoked)
1196 strcat(search,"(pgpRevoked=0)");
1198 if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1199 strcat(search,")");
1201 if(opt->verbose>2)
1202 fprintf(console,"gpgkeys: LDAP fetch for: %s\n",search);
1204 if(!opt->verbose)
1205 attrs[2]=NULL; /* keep only pgpkey(v2) and pgpcertid */
1207 err=ldap_search_s(ldap,basekeyspacedn,
1208 LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1209 if(err!=0)
1211 int errtag=ldap_err_to_gpg_err(err);
1213 fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1214 fprintf(output,"NAME %s BEGIN\n",getkey);
1215 fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1216 return errtag;
1219 count=ldap_count_entries(ldap,res);
1220 if(count<1)
1222 fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey);
1223 fprintf(output,"NAME %s BEGIN\n",getkey);
1224 fprintf(output,"NAME %s FAILED %d\n",getkey,KEYSERVER_KEY_NOT_FOUND);
1226 else
1228 /* There may be more than one result, but we return them all. */
1230 each=ldap_first_entry(ldap,res);
1231 while(each!=NULL)
1233 char **vals,**certid;
1235 certid=ldap_get_values(ldap,each,"pgpcertid");
1236 if(certid!=NULL)
1238 build_info(certid[0],each);
1240 fprintf(output,"NAME %s BEGIN\n",getkey);
1242 vals=ldap_get_values(ldap,each,pgpkeystr);
1243 if(vals==NULL)
1245 int errtag=ldap_to_gpg_err(ldap);
1247 fprintf(console,"gpgkeys: unable to retrieve key %s "
1248 "from keyserver\n",getkey);
1249 fprintf(output,"NAME %s FAILED %d\n",getkey,errtag);
1251 else
1253 print_nocr(output,vals[0]);
1254 fprintf(output,"\nNAME %s END\n",getkey);
1256 ldap_value_free(vals);
1259 ldap_value_free(certid);
1262 each=ldap_next_entry(ldap,each);
1266 ret=KEYSERVER_OK;
1268 ldap_msgfree(res);
1270 return ret;
1273 static void
1274 printquoted(FILE *stream,char *string,char delim)
1276 while(*string)
1278 if(*string==delim || *string=='%')
1279 fprintf(stream,"%%%02x",*string);
1280 else
1281 fputc(*string,stream);
1283 string++;
1287 /* Returns 0 on success and -1 on error. Note that key-not-found is
1288 not an error! */
1289 static int
1290 search_key(const char *searchkey)
1292 char **vals,*search;
1293 LDAPMessage *res,*each;
1294 int err,count=0;
1295 struct keylist *dupelist=NULL;
1296 /* The maximum size of the search, including the optional stuff and
1297 the trailing \0 */
1298 char *attrs[]={"pgpcertid","pgpuserid","pgprevoked","pgpdisabled",
1299 "pgpkeycreatetime","pgpkeyexpiretime","modifytimestamp",
1300 "pgpkeysize","pgpkeytype",NULL};
1301 enum ks_search_type search_type;
1303 search=malloc(2+1+9+1+3+strlen(searchkey)+3+1+15+14+1+1+20);
1304 if(!search)
1306 fprintf(console,"gpgkeys: out of memory when building search list\n");
1307 fprintf(output,"SEARCH %s FAILED %d\n",searchkey,KEYSERVER_NO_MEMORY);
1308 return KEYSERVER_NO_MEMORY;
1311 fprintf(output,"SEARCH %s BEGIN\n",searchkey);
1313 search_type=classify_ks_search(&searchkey);
1315 if(opt->debug)
1316 fprintf(console,"search type is %d, and key is \"%s\"\n",
1317 search_type,searchkey);
1319 /* Build the search string */
1321 search[0]='\0';
1323 if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1324 strcat(search,"(&");
1326 strcat(search,"(");
1328 switch(search_type)
1330 case KS_SEARCH_KEYID_SHORT:
1331 strcat(search,"pgpKeyID");
1332 break;
1334 case KS_SEARCH_KEYID_LONG:
1335 strcat(search,"pgpCertID");
1336 break;
1338 default:
1339 strcat(search,"pgpUserID");
1340 break;
1343 strcat(search,"=");
1345 switch(search_type)
1347 case KS_SEARCH_SUBSTR:
1348 strcat(search,"*");
1349 break;
1351 case KS_SEARCH_MAIL:
1352 strcat(search,"*<");
1353 break;
1355 case KS_SEARCH_MAILSUB:
1356 strcat(search,"*<*");
1357 break;
1359 case KS_SEARCH_EXACT:
1360 case KS_SEARCH_KEYID_LONG:
1361 case KS_SEARCH_KEYID_SHORT:
1362 break;
1365 strcat(search,searchkey);
1367 switch(search_type)
1369 case KS_SEARCH_SUBSTR:
1370 strcat(search,"*");
1371 break;
1373 case KS_SEARCH_MAIL:
1374 strcat(search,">*");
1375 break;
1377 case KS_SEARCH_MAILSUB:
1378 strcat(search,"*>*");
1379 break;
1381 case KS_SEARCH_EXACT:
1382 case KS_SEARCH_KEYID_LONG:
1383 case KS_SEARCH_KEYID_SHORT:
1384 break;
1387 strcat(search,")");
1389 if(!opt->flags.include_disabled)
1390 strcat(search,"(pgpDisabled=0)");
1392 if(!opt->flags.include_revoked)
1393 strcat(search,"(pgpRevoked=0)");
1395 if(!opt->flags.include_disabled || !opt->flags.include_revoked)
1396 strcat(search,")");
1398 if(opt->verbose>2)
1399 fprintf(console,"gpgkeys: LDAP search for: %s\n",search);
1401 err=ldap_search_s(ldap,basekeyspacedn,
1402 LDAP_SCOPE_SUBTREE,search,attrs,0,&res);
1403 free(search);
1404 if(err!=LDAP_SUCCESS && err!=LDAP_SIZELIMIT_EXCEEDED)
1406 int errtag=ldap_err_to_gpg_err(err);
1408 fprintf(output,"SEARCH %s FAILED %d\n",searchkey,errtag);
1409 fprintf(console,"gpgkeys: LDAP search error: %s\n",ldap_err2string(err));
1410 return errtag;
1413 /* The LDAP server doesn't return a real count of unique keys, so we
1414 can't use ldap_count_entries here. */
1415 each=ldap_first_entry(ldap,res);
1416 while(each!=NULL)
1418 char **certid=ldap_get_values(ldap,each,"pgpcertid");
1420 if(certid!=NULL)
1422 if(!key_in_keylist(certid[0],dupelist))
1424 int rc=add_key_to_keylist(certid[0],&dupelist);
1425 if(rc!=0)
1427 fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1428 free_keylist(dupelist);
1429 return rc;
1432 count++;
1436 each=ldap_next_entry(ldap,each);
1439 if(err==LDAP_SIZELIMIT_EXCEEDED)
1441 if(count==1)
1442 fprintf(console,"gpgkeys: search results exceeded server limit."
1443 " First %d result shown.\n",count);
1444 else
1445 fprintf(console,"gpgkeys: search results exceeded server limit."
1446 " First %d results shown.\n",count);
1449 free_keylist(dupelist);
1450 dupelist=NULL;
1452 if(count<1)
1453 fprintf(output,"info:1:0\n");
1454 else
1456 fprintf(output,"info:1:%d\n",count);
1458 each=ldap_first_entry(ldap,res);
1459 while(each!=NULL)
1461 char **certid;
1463 certid=ldap_get_values(ldap,each,"pgpcertid");
1464 if(certid!=NULL)
1466 LDAPMessage *uids;
1468 /* Have we seen this certid before? */
1469 if(!key_in_keylist(certid[0],dupelist))
1471 int rc=add_key_to_keylist(certid[0],&dupelist);
1472 if(rc)
1474 fprintf(output,"SEARCH %s FAILED %d\n",searchkey,rc);
1475 free_keylist(dupelist);
1476 ldap_value_free(certid);
1477 ldap_msgfree(res);
1478 return rc;
1481 fprintf(output,"pub:%s:",certid[0]);
1483 vals=ldap_get_values(ldap,each,"pgpkeytype");
1484 if(vals!=NULL)
1486 /* The LDAP server doesn't exactly handle this
1487 well. */
1488 if(strcasecmp(vals[0],"RSA")==0)
1489 fprintf(output,"1");
1490 else if(strcasecmp(vals[0],"DSS/DH")==0)
1491 fprintf(output,"17");
1492 ldap_value_free(vals);
1495 fputc(':',output);
1497 vals=ldap_get_values(ldap,each,"pgpkeysize");
1498 if(vals!=NULL)
1500 /* Not sure why, but some keys are listed with a
1501 key size of 0. Treat that like an
1502 unknown. */
1503 if(atoi(vals[0])>0)
1504 fprintf(output,"%d",atoi(vals[0]));
1505 ldap_value_free(vals);
1508 fputc(':',output);
1510 /* YYYYMMDDHHmmssZ */
1512 vals=ldap_get_values(ldap,each,"pgpkeycreatetime");
1513 if(vals!=NULL && strlen(vals[0])==15)
1515 fprintf(output,"%u",
1516 (unsigned int)ldap2epochtime(vals[0]));
1517 ldap_value_free(vals);
1520 fputc(':',output);
1522 vals=ldap_get_values(ldap,each,"pgpkeyexpiretime");
1523 if(vals!=NULL && strlen(vals[0])==15)
1525 fprintf(output,"%u",
1526 (unsigned int)ldap2epochtime(vals[0]));
1527 ldap_value_free(vals);
1530 fputc(':',output);
1532 vals=ldap_get_values(ldap,each,"pgprevoked");
1533 if(vals!=NULL)
1535 if(atoi(vals[0])==1)
1536 fprintf(output,"r");
1537 ldap_value_free(vals);
1540 vals=ldap_get_values(ldap,each,"pgpdisabled");
1541 if(vals!=NULL)
1543 if(atoi(vals[0])==1)
1544 fprintf(output,"d");
1545 ldap_value_free(vals);
1548 #if 0
1549 /* This is not yet specified in the keyserver
1550 protocol, but may be someday. */
1551 fputc(':',output);
1553 vals=ldap_get_values(ldap,each,"modifytimestamp");
1554 if(vals!=NULL && strlen(vals[0])==15)
1556 fprintf(output,"%u",
1557 (unsigned int)ldap2epochtime(vals[0]));
1558 ldap_value_free(vals);
1560 #endif
1562 fprintf(output,"\n");
1564 /* Now print all the uids that have this certid */
1565 uids=ldap_first_entry(ldap,res);
1566 while(uids!=NULL)
1568 vals=ldap_get_values(ldap,uids,"pgpcertid");
1569 if(vals!=NULL)
1571 if(strcasecmp(certid[0],vals[0])==0)
1573 char **uidvals;
1575 fprintf(output,"uid:");
1577 uidvals=ldap_get_values(ldap,uids,"pgpuserid");
1578 if(uidvals!=NULL)
1580 /* Need to escape any colons */
1581 printquoted(output,uidvals[0],':');
1582 ldap_value_free(uidvals);
1585 fprintf(output,"\n");
1588 ldap_value_free(vals);
1591 uids=ldap_next_entry(ldap,uids);
1595 ldap_value_free(certid);
1598 each=ldap_next_entry(ldap,each);
1602 ldap_msgfree(res);
1603 free_keylist(dupelist);
1605 fprintf(output,"SEARCH %s END\n",searchkey);
1607 return KEYSERVER_OK;
1610 static void
1611 fail_all(struct keylist *keylist,int err)
1613 if(!keylist)
1614 return;
1616 if(opt->action==KS_SEARCH)
1618 fprintf(output,"SEARCH ");
1619 while(keylist)
1621 fprintf(output,"%s ",keylist->str);
1622 keylist=keylist->next;
1624 fprintf(output,"FAILED %d\n",err);
1626 else
1627 while(keylist)
1629 fprintf(output,"KEY %s FAILED %d\n",keylist->str,err);
1630 keylist=keylist->next;
1634 static int
1635 find_basekeyspacedn(void)
1637 int err,i;
1638 char *attr[]={"namingContexts",NULL,NULL,NULL};
1639 LDAPMessage *res;
1640 char **context;
1642 /* Look for namingContexts */
1643 err=ldap_search_s(ldap,"",LDAP_SCOPE_BASE,"(objectClass=*)",attr,0,&res);
1644 if(err==LDAP_SUCCESS)
1646 context=ldap_get_values(ldap,res,"namingContexts");
1647 if(context)
1649 attr[0]="pgpBaseKeySpaceDN";
1650 attr[1]="pgpVersion";
1651 attr[2]="pgpSoftware";
1653 real_ldap=1;
1655 /* We found some, so try each namingContext as the search base
1656 and look for pgpBaseKeySpaceDN. Because we found this, we
1657 know we're talking to a regular-ish LDAP server and not a
1658 LDAP keyserver. */
1660 for(i=0;context[i] && !basekeyspacedn;i++)
1662 char **vals;
1663 LDAPMessage *si_res;
1664 char *object;
1666 object=malloc(17+strlen(context[i])+1);
1667 if(!object)
1668 return -1;
1670 strcpy(object,"cn=pgpServerInfo,");
1671 strcat(object,context[i]);
1673 err=ldap_search_s(ldap,object,LDAP_SCOPE_BASE,
1674 "(objectClass=*)",attr,0,&si_res);
1675 free(object);
1677 if(err==LDAP_NO_SUCH_OBJECT)
1678 continue;
1679 else if(err!=LDAP_SUCCESS)
1680 return err;
1682 vals=ldap_get_values(ldap,si_res,"pgpBaseKeySpaceDN");
1683 if(vals)
1685 basekeyspacedn=strdup(vals[0]);
1686 ldap_value_free(vals);
1689 if(opt->verbose>1)
1691 vals=ldap_get_values(ldap,si_res,"pgpSoftware");
1692 if(vals)
1694 fprintf(console,"Server: \t%s\n",vals[0]);
1695 ldap_value_free(vals);
1698 vals=ldap_get_values(ldap,si_res,"pgpVersion");
1699 if(vals)
1701 fprintf(console,"Version:\t%s\n",vals[0]);
1702 ldap_value_free(vals);
1706 ldap_msgfree(si_res);
1709 ldap_value_free(context);
1712 ldap_msgfree(res);
1714 else
1716 /* We don't have an answer yet, which means the server might be
1717 a LDAP keyserver. */
1718 char **vals;
1719 LDAPMessage *si_res;
1721 attr[0]="pgpBaseKeySpaceDN";
1722 attr[1]="version";
1723 attr[2]="software";
1725 err=ldap_search_s(ldap,"cn=pgpServerInfo",LDAP_SCOPE_BASE,
1726 "(objectClass=*)",attr,0,&si_res);
1727 if(err!=LDAP_SUCCESS)
1728 return err;
1730 /* For the LDAP keyserver, this is always "OU=ACTIVE,O=PGP
1731 KEYSPACE,C=US", but it might not be in the future. */
1733 vals=ldap_get_values(ldap,si_res,"baseKeySpaceDN");
1734 if(vals)
1736 basekeyspacedn=strdup(vals[0]);
1737 ldap_value_free(vals);
1740 if(opt->verbose>1)
1742 vals=ldap_get_values(ldap,si_res,"software");
1743 if(vals)
1745 fprintf(console,"Server: \t%s\n",vals[0]);
1746 ldap_value_free(vals);
1750 vals=ldap_get_values(ldap,si_res,"version");
1751 if(vals)
1753 if(opt->verbose>1)
1754 fprintf(console,"Version:\t%s\n",vals[0]);
1756 /* If the version is high enough, use the new pgpKeyV2
1757 attribute. This design if iffy at best, but it matches how
1758 PGP does it. I figure the NAI folks assumed that there would
1759 never be a LDAP keyserver vendor with a different numbering
1760 scheme. */
1761 if(atoi(vals[0])>1)
1762 pgpkeystr="pgpKeyV2";
1764 ldap_value_free(vals);
1767 ldap_msgfree(si_res);
1770 return LDAP_SUCCESS;
1773 static void
1774 show_help (FILE *fp)
1776 fprintf (fp,"-h\thelp\n");
1777 fprintf (fp,"-V\tversion\n");
1778 fprintf (fp,"-o\toutput to this file\n");
1782 main(int argc,char *argv[])
1784 int port=0,arg,err,ret=KEYSERVER_INTERNAL_ERROR;
1785 char line[MAX_LINE],*binddn=NULL,*bindpw=NULL;
1786 int failed=0,use_ssl=0,use_tls=0,bound=0;
1787 struct keylist *keylist=NULL,*keyptr=NULL;
1789 console=stderr;
1791 /* Kludge to implement standard GNU options. */
1792 if (argc > 1 && !strcmp (argv[1], "--version"))
1794 fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout);
1795 return 0;
1797 else if (argc > 1 && !strcmp (argv[1], "--help"))
1799 show_help (stdout);
1800 return 0;
1803 while((arg=getopt(argc,argv,"hVo:"))!=-1)
1804 switch(arg)
1806 default:
1807 case 'h':
1808 show_help (console);
1809 return KEYSERVER_OK;
1811 case 'V':
1812 fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION);
1813 return KEYSERVER_OK;
1815 case 'o':
1816 output=fopen(optarg,"w");
1817 if(output==NULL)
1819 fprintf(console,"gpgkeys: Cannot open output file `%s': %s\n",
1820 optarg,strerror(errno));
1821 return KEYSERVER_INTERNAL_ERROR;
1824 break;
1827 if(argc>optind)
1829 input=fopen(argv[optind],"r");
1830 if(input==NULL)
1832 fprintf(console,"gpgkeys: Cannot open input file `%s': %s\n",
1833 argv[optind],strerror(errno));
1834 return KEYSERVER_INTERNAL_ERROR;
1838 if(input==NULL)
1839 input=stdin;
1841 if(output==NULL)
1842 output=stdout;
1844 opt=init_ks_options();
1845 if(!opt)
1846 return KEYSERVER_NO_MEMORY;
1848 /* Get the command and info block */
1850 while(fgets(line,MAX_LINE,input)!=NULL)
1852 char optionstr[MAX_OPTION+1];
1854 if(line[0]=='\n')
1855 break;
1857 err=parse_ks_options(line,opt);
1858 if(err>0)
1860 ret=err;
1861 goto fail;
1863 else if(err==0)
1864 continue;
1866 if(sscanf(line,"OPTION %" MKSTRING(MAX_OPTION) "[^\n]\n",optionstr)==1)
1868 int no=0;
1869 char *start=&optionstr[0];
1871 optionstr[MAX_OPTION]='\0';
1873 if(strncasecmp(optionstr,"no-",3)==0)
1875 no=1;
1876 start=&optionstr[3];
1879 if(strncasecmp(start,"tls",3)==0)
1881 if(no)
1882 use_tls=0;
1883 else if(start[3]=='=')
1885 if(strcasecmp(&start[4],"no")==0)
1886 use_tls=0;
1887 else if(strcasecmp(&start[4],"try")==0)
1888 use_tls=1;
1889 else if(strcasecmp(&start[4],"warn")==0)
1890 use_tls=2;
1891 else if(strcasecmp(&start[4],"require")==0)
1892 use_tls=3;
1893 else
1894 use_tls=1;
1896 else if(start[3]=='\0')
1897 use_tls=1;
1899 else if(strncasecmp(start,"basedn",6)==0)
1901 if(no)
1903 free(basekeyspacedn);
1904 basekeyspacedn=NULL;
1906 else if(start[6]=='=')
1908 free(basekeyspacedn);
1909 basekeyspacedn=strdup(&start[7]);
1910 if(!basekeyspacedn)
1912 fprintf(console,"gpgkeys: out of memory while creating "
1913 "base DN\n");
1914 ret=KEYSERVER_NO_MEMORY;
1915 goto fail;
1918 real_ldap=1;
1921 else if(strncasecmp(start,"binddn",6)==0)
1923 if(no)
1925 free(binddn);
1926 binddn=NULL;
1928 else if(start[6]=='=')
1930 free(binddn);
1931 binddn=strdup(&start[7]);
1932 if(!binddn)
1934 fprintf(console,"gpgkeys: out of memory while creating "
1935 "bind DN\n");
1936 ret=KEYSERVER_NO_MEMORY;
1937 goto fail;
1940 real_ldap=1;
1943 else if(strncasecmp(start,"bindpw",6)==0)
1945 if(no)
1947 free(bindpw);
1948 bindpw=NULL;
1950 else if(start[6]=='=')
1952 free(bindpw);
1953 bindpw=strdup(&start[7]);
1954 if(!bindpw)
1956 fprintf(console,"gpgkeys: out of memory while creating "
1957 "bind password\n");
1958 ret=KEYSERVER_NO_MEMORY;
1959 goto fail;
1962 real_ldap=1;
1966 continue;
1970 if(!opt->scheme)
1972 fprintf(console,"gpgkeys: no scheme supplied!\n");
1973 ret=KEYSERVER_SCHEME_NOT_FOUND;
1974 goto fail;
1977 if(strcasecmp(opt->scheme,"ldaps")==0)
1979 port=636;
1980 use_ssl=1;
1983 if(opt->port)
1984 port=atoi(opt->port);
1986 if(!opt->host)
1988 fprintf(console,"gpgkeys: no keyserver host provided\n");
1989 goto fail;
1992 if(opt->timeout && register_timeout()==-1)
1994 fprintf(console,"gpgkeys: unable to register timeout handler\n");
1995 return KEYSERVER_INTERNAL_ERROR;
1998 #if defined(LDAP_OPT_X_TLS_CACERTFILE) && defined(HAVE_LDAP_SET_OPTION)
2000 if(opt->ca_cert_file)
2002 err=ldap_set_option(NULL,LDAP_OPT_X_TLS_CACERTFILE,opt->ca_cert_file);
2003 if(err!=LDAP_SUCCESS)
2005 fprintf(console,"gpgkeys: unable to set ca-cert-file: %s\n",
2006 ldap_err2string(err));
2007 ret=KEYSERVER_INTERNAL_ERROR;
2008 goto fail;
2011 #endif /* LDAP_OPT_X_TLS_CACERTFILE && HAVE_LDAP_SET_OPTION */
2013 /* SSL trumps TLS */
2014 if(use_ssl)
2015 use_tls=0;
2017 /* If it's a GET or a SEARCH, the next thing to come in is the
2018 keyids. If it's a SEND, then there are no keyids. */
2020 if(opt->action==KS_SEND)
2021 while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n');
2022 else if(opt->action==KS_GET
2023 || opt->action==KS_GETNAME || opt->action==KS_SEARCH)
2025 for(;;)
2027 struct keylist *work;
2029 if(fgets(line,MAX_LINE,input)==NULL)
2030 break;
2031 else
2033 if(line[0]=='\n' || line[0]=='\0')
2034 break;
2036 work=malloc(sizeof(struct keylist));
2037 if(work==NULL)
2039 fprintf(console,"gpgkeys: out of memory while "
2040 "building key list\n");
2041 ret=KEYSERVER_NO_MEMORY;
2042 goto fail;
2045 strcpy(work->str,line);
2047 /* Trim the trailing \n */
2048 work->str[strlen(line)-1]='\0';
2050 work->next=NULL;
2052 /* Always attach at the end to keep the list in proper
2053 order for searching */
2054 if(keylist==NULL)
2055 keylist=work;
2056 else
2057 keyptr->next=work;
2059 keyptr=work;
2063 else
2065 fprintf(console,"gpgkeys: no keyserver command specified\n");
2066 goto fail;
2069 /* Send the response */
2071 fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
2072 fprintf(output,"PROGRAM %s\n\n",VERSION);
2074 if(opt->verbose>1)
2076 fprintf(console,"Host:\t\t%s\n",opt->host);
2077 if(port)
2078 fprintf(console,"Port:\t\t%d\n",port);
2079 fprintf(console,"Command:\t%s\n",ks_action_to_string(opt->action));
2082 if(opt->debug)
2084 #if defined(LDAP_OPT_DEBUG_LEVEL) && defined(HAVE_LDAP_SET_OPTION)
2085 err=ldap_set_option(NULL,LDAP_OPT_DEBUG_LEVEL,&opt->debug);
2086 if(err!=LDAP_SUCCESS)
2087 fprintf(console,"gpgkeys: unable to set debug mode: %s\n",
2088 ldap_err2string(err));
2089 else
2090 fprintf(console,"gpgkeys: debug level %d\n",opt->debug);
2091 #else
2092 fprintf(console,"gpgkeys: not built with debugging support\n");
2093 #endif
2096 /* We have a timeout set for the setup stuff since it could time out
2097 as well. */
2098 set_timeout(opt->timeout);
2100 /* Note that this tries all A records on a given host (or at least,
2101 OpenLDAP does). */
2102 ldap=ldap_init(opt->host,port);
2103 if(ldap==NULL)
2105 fprintf(console,"gpgkeys: internal LDAP init error: %s\n",
2106 strerror(errno));
2107 fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2108 goto fail;
2111 if(use_ssl)
2113 #if defined(LDAP_OPT_X_TLS) && defined(HAVE_LDAP_SET_OPTION)
2114 int ssl=LDAP_OPT_X_TLS_HARD;
2116 err=ldap_set_option(ldap,LDAP_OPT_X_TLS,&ssl);
2117 if(err!=LDAP_SUCCESS)
2119 fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2120 ldap_err2string(err));
2121 fail_all(keylist,ldap_err_to_gpg_err(err));
2122 goto fail;
2125 if(!opt->flags.check_cert)
2126 ssl=LDAP_OPT_X_TLS_NEVER;
2128 err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ssl);
2129 if(err!=LDAP_SUCCESS)
2131 fprintf(console,
2132 "gpgkeys: unable to set certificate validation: %s\n",
2133 ldap_err2string(err));
2134 fail_all(keylist,ldap_err_to_gpg_err(err));
2135 goto fail;
2137 #else
2138 fprintf(console,"gpgkeys: unable to make SSL connection: %s\n",
2139 "not built with LDAPS support");
2140 fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2141 goto fail;
2142 #endif
2145 if(!basekeyspacedn)
2146 if((err=find_basekeyspacedn()) || !basekeyspacedn)
2148 fprintf(console,"gpgkeys: unable to retrieve LDAP base: %s\n",
2149 err?ldap_err2string(err):"not found");
2150 fail_all(keylist,ldap_err_to_gpg_err(err));
2151 goto fail;
2154 /* use_tls: 0=don't use, 1=try silently to use, 2=try loudly to use,
2155 3=force use. */
2156 if(use_tls)
2158 if(!real_ldap)
2160 if(use_tls>=2)
2161 fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2162 "not supported by the NAI LDAP keyserver");
2163 if(use_tls==3)
2165 fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2166 goto fail;
2169 else
2171 #if defined(HAVE_LDAP_START_TLS_S) && defined(HAVE_LDAP_SET_OPTION)
2172 int ver=LDAP_VERSION3;
2174 err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2176 #ifdef LDAP_OPT_X_TLS
2177 if(err==LDAP_SUCCESS)
2179 if(opt->flags.check_cert)
2180 ver=LDAP_OPT_X_TLS_HARD;
2181 else
2182 ver=LDAP_OPT_X_TLS_NEVER;
2184 err=ldap_set_option(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&ver);
2186 #endif
2188 if(err==LDAP_SUCCESS)
2189 err=ldap_start_tls_s(ldap,NULL,NULL);
2191 if(err!=LDAP_SUCCESS)
2193 if(use_tls>=2 || opt->verbose>2)
2194 fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2195 ldap_err2string(err));
2196 /* Are we forcing it? */
2197 if(use_tls==3)
2199 fail_all(keylist,ldap_err_to_gpg_err(err));
2200 goto fail;
2203 else if(opt->verbose>1)
2204 fprintf(console,"gpgkeys: TLS started successfully.\n");
2205 #else
2206 if(use_tls>=2)
2207 fprintf(console,"gpgkeys: unable to start TLS: %s\n",
2208 "not built with TLS support");
2209 if(use_tls==3)
2211 fail_all(keylist,KEYSERVER_INTERNAL_ERROR);
2212 goto fail;
2214 #endif
2218 /* By default we don't bind as there is usually no need to. For
2219 cases where the server needs some authentication, the user can
2220 use binddn and bindpw for auth. */
2222 if(binddn)
2224 #ifdef HAVE_LDAP_SET_OPTION
2225 int ver=LDAP_VERSION3;
2227 err=ldap_set_option(ldap,LDAP_OPT_PROTOCOL_VERSION,&ver);
2228 if(err!=LDAP_SUCCESS)
2230 fprintf(console,"gpgkeys: unable to go to LDAP 3: %s\n",
2231 ldap_err2string(err));
2232 fail_all(keylist,ldap_err_to_gpg_err(err));
2233 goto fail;
2235 #endif
2237 if(opt->verbose>2)
2238 fprintf(console,"gpgkeys: LDAP bind to %s, pw %s\n",binddn,
2239 bindpw?">not shown<":">none<");
2240 err=ldap_simple_bind_s(ldap,binddn,bindpw);
2241 if(err!=LDAP_SUCCESS)
2243 fprintf(console,"gpgkeys: internal LDAP bind error: %s\n",
2244 ldap_err2string(err));
2245 fail_all(keylist,ldap_err_to_gpg_err(err));
2246 goto fail;
2248 else
2249 bound=1;
2252 if(opt->action==KS_GET)
2254 keyptr=keylist;
2256 while(keyptr!=NULL)
2258 set_timeout(opt->timeout);
2260 if(get_key(keyptr->str)!=KEYSERVER_OK)
2261 failed++;
2263 keyptr=keyptr->next;
2266 else if(opt->action==KS_GETNAME)
2268 keyptr=keylist;
2270 while(keyptr!=NULL)
2272 set_timeout(opt->timeout);
2274 if(get_name(keyptr->str)!=KEYSERVER_OK)
2275 failed++;
2277 keyptr=keyptr->next;
2280 else if(opt->action==KS_SEND)
2282 int eof_seen = 0;
2286 set_timeout(opt->timeout);
2288 if(real_ldap)
2290 if (send_key(&eof_seen) != KEYSERVER_OK)
2291 failed++;
2293 else
2295 if (send_key_keyserver(&eof_seen) != KEYSERVER_OK)
2296 failed++;
2299 while (!eof_seen);
2301 else if(opt->action==KS_SEARCH)
2303 char *searchkey=NULL;
2304 int len=0;
2306 set_timeout(opt->timeout);
2308 /* To search, we stick a * in between each key to search for.
2309 This means that if the user enters words, they'll get
2310 "enters*words". If the user "enters words", they'll get
2311 "enters words" */
2313 keyptr=keylist;
2314 while(keyptr!=NULL)
2316 len+=strlen(keyptr->str)+1;
2317 keyptr=keyptr->next;
2320 searchkey=malloc((len*3)+1);
2321 if(searchkey==NULL)
2323 ret=KEYSERVER_NO_MEMORY;
2324 fail_all(keylist,KEYSERVER_NO_MEMORY);
2325 goto fail;
2328 searchkey[0]='\0';
2330 keyptr=keylist;
2331 while(keyptr!=NULL)
2333 ldap_quote(searchkey,keyptr->str);
2334 strcat(searchkey,"*");
2335 keyptr=keyptr->next;
2338 /* Nail that last "*" */
2339 if(*searchkey)
2340 searchkey[strlen(searchkey)-1]='\0';
2342 if(search_key(searchkey)!=KEYSERVER_OK)
2343 failed++;
2345 free(searchkey);
2347 else
2348 assert (!"bad action");
2350 if(!failed)
2351 ret=KEYSERVER_OK;
2353 fail:
2355 while(keylist!=NULL)
2357 struct keylist *current=keylist;
2358 keylist=keylist->next;
2359 free(current);
2362 if(input!=stdin)
2363 fclose(input);
2365 if(output!=stdout)
2366 fclose(output);
2368 free_ks_options(opt);
2370 if(ldap!=NULL && bound)
2371 ldap_unbind_s(ldap);
2373 free(basekeyspacedn);
2375 return ret;