search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Print 'empty file' warning only with --verbose.
[gnupg.git] / g10 / keyserver.c
blob249a62f95ebcaefb9b81eb224f7ff6f771ceb700
1 /* keyserver.c - generic keyserver code
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <ctype.h>
23 #include <stdio.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <assert.h>
27 #include <errno.h>
28
29 #include "gpg.h"
30 #include "iobuf.h"
31 #include "filter.h"
32 #include "keydb.h"
33 #include "status.h"
34 #include "exec.h"
35 #include "main.h"
36 #include "i18n.h"
37 #include "ttyio.h"
38 #include "options.h"
39 #include "packet.h"
40 #include "trustdb.h"
41 #include "keyserver-internal.h"
42 #include "util.h"
43 #include "dns-cert.h"
44 #include "pka.h"
45
46 #ifdef HAVE_W32_SYSTEM
47 /* It seems Vista doesn't grok X_OK and so fails access() tests.
48 Previous versions interpreted X_OK as F_OK anyway, so we'll just
49 use F_OK directly. */
50 #undef X_OK
51 #define X_OK F_OK
52 #endif /* HAVE_W32_SYSTEM */
53
54 struct keyrec
55 {
56 KEYDB_SEARCH_DESC desc;
57 u32 createtime,expiretime;
58 int size,flags;
59 byte type;
60 IOBUF uidbuf;
61 unsigned int lines;
62 };
63
64 enum ks_action {KS_UNKNOWN=0,KS_GET,KS_GETNAME,KS_SEND,KS_SEARCH};
65
66 static struct parse_options keyserver_opts[]=
67 {
68 /* some of these options are not real - just for the help
69 message */
70 {"max-cert-size",0,NULL,NULL},
71 {"include-revoked",0,NULL,N_("include revoked keys in search results")},
72 {"include-subkeys",0,NULL,N_("include subkeys when searching by key ID")},
73 {"use-temp-files",0,NULL,
74 N_("use temporary files to pass data to keyserver helpers")},
75 {"keep-temp-files",KEYSERVER_KEEP_TEMP_FILES,NULL,
76 N_("do not delete temporary files after using them")},
77 {"refresh-add-fake-v3-keyids",KEYSERVER_ADD_FAKE_V3,NULL,
78 NULL},
79 {"auto-key-retrieve",KEYSERVER_AUTO_KEY_RETRIEVE,NULL,
80 N_("automatically retrieve keys when verifying signatures")},
81 {"honor-keyserver-url",KEYSERVER_HONOR_KEYSERVER_URL,NULL,
82 N_("honor the preferred keyserver URL set on the key")},
83 {"honor-pka-record",KEYSERVER_HONOR_PKA_RECORD,NULL,
84 N_("honor the PKA record set on a key when retrieving keys")},
85 {NULL,0,NULL,NULL}
86 };
87
88 static int keyserver_work(enum ks_action action,strlist_t list,
89 KEYDB_SEARCH_DESC *desc,int count,
90 unsigned char **fpr,size_t *fpr_len,
91 struct keyserver_spec *keyserver);
92
93 /* Reasonable guess */
94 #define DEFAULT_MAX_CERT_SIZE 16384
95
96 static size_t max_cert_size=DEFAULT_MAX_CERT_SIZE;
97
98 static void
99 add_canonical_option(char *option,strlist_t *list)
100 {
101 char *arg=argsplit(option);
102
103 if(arg)
104 {
105 char *joined;
106
107 joined=xmalloc(strlen(option)+1+strlen(arg)+1);
108 /* Make a canonical name=value form with no spaces */
109 strcpy(joined,option);
110 strcat(joined,"=");
111 strcat(joined,arg);
112 append_to_strlist(list,joined);
113 xfree(joined);
114 }
115 else
116 append_to_strlist(list,option);
117 }
118
119 int
120 parse_keyserver_options(char *options)
121 {
122 int ret=1;
123 char *tok;
124 char *max_cert=NULL;
125
126 keyserver_opts[0].value=&max_cert;
127
128 while((tok=optsep(&options)))
129 {
130 if(tok[0]=='\0')
131 continue;
132
133 /* For backwards compatibility. 1.2.x used honor-http-proxy and
134 there are a good number of documents published that recommend
135 it. */
136 if(ascii_strcasecmp(tok,"honor-http-proxy")==0)
137 tok="http-proxy";
138 else if(ascii_strcasecmp(tok,"no-honor-http-proxy")==0)
139 tok="no-http-proxy";
140
141 /* We accept quite a few possible options here - some options to
142 handle specially, the keyserver_options list, and import and
143 export options that pertain to keyserver operations. Note
144 that you must use strncasecmp here as there might be an
145 =argument attached which will foil the use of strcasecmp. */
146
147 #ifdef EXEC_TEMPFILE_ONLY
148 if(ascii_strncasecmp(tok,"use-temp-files",14)==0 ||
149 ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
150 log_info(_("WARNING: keyserver option `%s' is not used"
151 " on this platform\n"),tok);
152 #else
153 if(ascii_strncasecmp(tok,"use-temp-files",14)==0)
154 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
155 else if(ascii_strncasecmp(tok,"no-use-temp-files",17)==0)
156 opt.keyserver_options.options&=~KEYSERVER_USE_TEMP_FILES;
157 #endif
158 else if(!parse_options(tok,&opt.keyserver_options.options,
159 keyserver_opts,0)
160 && !parse_import_options(tok,
161 &opt.keyserver_options.import_options,0)
162 && !parse_export_options(tok,
163 &opt.keyserver_options.export_options,0))
164 {
165 /* All of the standard options have failed, so the option is
166 destined for a keyserver plugin. */
167 add_canonical_option(tok,&opt.keyserver_options.other);
168 }
169 }
170
171 if(max_cert)
172 {
173 max_cert_size=strtoul(max_cert,(char **)NULL,10);
174
175 if(max_cert_size==0)
176 max_cert_size=DEFAULT_MAX_CERT_SIZE;
177 }
178
179 return ret;
180 }
181
182 void
183 free_keyserver_spec(struct keyserver_spec *keyserver)
184 {
185 xfree(keyserver->uri);
186 xfree(keyserver->scheme);
187 xfree(keyserver->auth);
188 xfree(keyserver->host);
189 xfree(keyserver->port);
190 xfree(keyserver->path);
191 xfree(keyserver->opaque);
192 free_strlist(keyserver->options);
193 xfree(keyserver);
194 }
195
196 /* Return 0 for match */
197 static int
198 cmp_keyserver_spec(struct keyserver_spec *one,struct keyserver_spec *two)
199 {
200 if(ascii_strcasecmp(one->scheme,two->scheme)==0)
201 {
202 if(one->host && two->host && ascii_strcasecmp(one->host,two->host)==0)
203 {
204 if((one->port && two->port
205 && ascii_strcasecmp(one->port,two->port)==0)
206 || (!one->port && !two->port))
207 return 0;
208 }
209 else if(one->opaque && two->opaque
210 && ascii_strcasecmp(one->opaque,two->opaque)==0)
211 return 0;
212 }
213
214 return 1;
215 }
216
217 /* Try and match one of our keyservers. If we can, return that. If
218 we can't, return our input. */
219 struct keyserver_spec *
220 keyserver_match(struct keyserver_spec *spec)
221 {
222 struct keyserver_spec *ks;
223
224 for(ks=opt.keyserver;ks;ks=ks->next)
225 if(cmp_keyserver_spec(spec,ks)==0)
226 return ks;
227
228 return spec;
229 }
230
231 /* TODO: once we cut over to an all-curl world, we don't need this
232 parser any longer so it can be removed, or at least moved to
233 keyserver/ksutil.c for limited use in gpgkeys_ldap or the like. */
234
235 struct keyserver_spec *
236 parse_keyserver_uri(const char *string,int require_scheme,
237 const char *configname,unsigned int configlineno)
238 {
239 int assume_hkp=0;
240 struct keyserver_spec *keyserver;
241 const char *idx;
242 int count;
243 char *uri,*options;
244
245 assert(string!=NULL);
246
247 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
248
249 uri=xstrdup(string);
250
251 options=strchr(uri,' ');
252 if(options)
253 {
254 char *tok;
255
256 *options='\0';
257 options++;
258
259 while((tok=optsep(&options)))
260 add_canonical_option(tok,&keyserver->options);
261 }
262
263 /* Get the scheme */
264
265 for(idx=uri,count=0;*idx && *idx!=':';idx++)
266 {
267 count++;
268
269 /* Do we see the start of an RFC-2732 ipv6 address here? If so,
270 there clearly isn't a scheme so get out early. */
271 if(*idx=='[')
272 {
273 /* Was the '[' the first thing in the string? If not, we
274 have a mangled scheme with a [ in it so fail. */
275 if(count==1)
276 break;
277 else
278 goto fail;
279 }
280 }
281
282 if(count==0)
283 goto fail;
284
285 if(*idx=='\0' || *idx=='[')
286 {
287 if(require_scheme)
288 return NULL;
289
290 /* Assume HKP if there is no scheme */
291 assume_hkp=1;
292 keyserver->scheme=xstrdup("hkp");
293
294 keyserver->uri=xmalloc(strlen(keyserver->scheme)+3+strlen(uri)+1);
295 strcpy(keyserver->uri,keyserver->scheme);
296 strcat(keyserver->uri,"://");
297 strcat(keyserver->uri,uri);
298 }
299 else
300 {
301 int i;
302
303 keyserver->uri=xstrdup(uri);
304
305 keyserver->scheme=xmalloc(count+1);
306
307 /* Force to lowercase */
308 for(i=0;i<count;i++)
309 keyserver->scheme[i]=ascii_tolower(uri[i]);
310
311 keyserver->scheme[i]='\0';
312
313 /* Skip past the scheme and colon */
314 uri+=count+1;
315 }
316
317 if(ascii_strcasecmp(keyserver->scheme,"x-broken-hkp")==0)
318 {
319 deprecated_warning(configname,configlineno,"x-broken-hkp",
320 "--keyserver-options ","broken-http-proxy");
321 xfree(keyserver->scheme);
322 keyserver->scheme=xstrdup("hkp");
323 append_to_strlist(&opt.keyserver_options.other,"broken-http-proxy");
324 }
325 else if(ascii_strcasecmp(keyserver->scheme,"x-hkp")==0)
326 {
327 /* Canonicalize this to "hkp" so it works with both the internal
328 and external keyserver interface. */
329 xfree(keyserver->scheme);
330 keyserver->scheme=xstrdup("hkp");
331 }
332
333 if (uri[0]=='/' && uri[1]=='/' && uri[2] == '/')
334 {
335 /* Three slashes means network path with a default host name.
336 This is a hack because it does not crok all possible
337 combiantions. We should better repalce all code bythe parser
338 from http.c. */
339 keyserver->path = xstrdup (uri+2);
340 }
341 else if(assume_hkp || (uri[0]=='/' && uri[1]=='/'))
342 {
343 /* Two slashes means network path. */
344
345 /* Skip over the "//", if any */
346 if(!assume_hkp)
347 uri+=2;
348
349 /* Do we have userinfo auth data present? */
350 for(idx=uri,count=0;*idx && *idx!='@' && *idx!='/';idx++)
351 count++;
352
353 /* We found a @ before the slash, so that means everything
354 before the @ is auth data. */
355 if(*idx=='@')
356 {
357 if(count==0)
358 goto fail;
359
360 keyserver->auth=xmalloc(count+1);
361 strncpy(keyserver->auth,uri,count);
362 keyserver->auth[count]='\0';
363 uri+=count+1;
364 }
365
366 /* Is it an RFC-2732 ipv6 [literal address] ? */
367 if(*uri=='[')
368 {
369 for(idx=uri+1,count=1;*idx
370 && ((isascii (*idx) && isxdigit(*idx))
371 || *idx==':' || *idx=='.');idx++)
372 count++;
373
374 /* Is the ipv6 literal address terminated? */
375 if(*idx==']')
376 count++;
377 else
378 goto fail;
379 }
380 else
381 for(idx=uri,count=0;*idx && *idx!=':' && *idx!='/';idx++)
382 count++;
383
384 if(count==0)
385 goto fail;
386
387 keyserver->host=xmalloc(count+1);
388 strncpy(keyserver->host,uri,count);
389 keyserver->host[count]='\0';
390
391 /* Skip past the host */
392 uri+=count;
393
394 if(*uri==':')
395 {
396 /* It would seem to be reasonable to limit the range of the
397 ports to values between 1-65535, but RFC 1738 and 1808
398 imply there is no limit. Of course, the real world has
399 limits. */
400
401 for(idx=uri+1,count=0;*idx && *idx!='/';idx++)
402 {
403 count++;
404
405 /* Ports are digits only */
406 if(!digitp(idx))
407 goto fail;
408 }
409
410 keyserver->port=xmalloc(count+1);
411 strncpy(keyserver->port,uri+1,count);
412 keyserver->port[count]='\0';
413
414 /* Skip past the colon and port number */
415 uri+=1+count;
416 }
417
418 /* Everything else is the path */
419 if(*uri)
420 keyserver->path=xstrdup(uri);
421 else
422 keyserver->path=xstrdup("/");
423
424 if(keyserver->path[1])
425 keyserver->flags.direct_uri=1;
426 }
427 else if(uri[0]!='/')
428 {
429 /* No slash means opaque. Just record the opaque blob and get
430 out. */
431 keyserver->opaque=xstrdup(uri);
432 }
433 else
434 {
435 /* One slash means absolute path. We don't need to support that
436 yet. */
437 goto fail;
438 }
439
440 return keyserver;
441
442 fail:
443 free_keyserver_spec(keyserver);
444
445 return NULL;
446 }
447
448 struct keyserver_spec *
449 parse_preferred_keyserver(PKT_signature *sig)
450 {
451 struct keyserver_spec *spec=NULL;
452 const byte *p;
453 size_t plen;
454
455 p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_PREF_KS,&plen);
456 if(p && plen)
457 {
458 byte *dupe=xmalloc(plen+1);
459
460 memcpy(dupe,p,plen);
461 dupe[plen]='\0';
462 spec=parse_keyserver_uri(dupe,1,NULL,0);
463 xfree(dupe);
464 }
465
466 return spec;
467 }
468
469 static void
470 print_keyrec(int number,struct keyrec *keyrec)
471 {
472 int i;
473
474 iobuf_writebyte(keyrec->uidbuf,0);
475 iobuf_flush_temp(keyrec->uidbuf);
476 printf("(%d)\t%s ",number,iobuf_get_temp_buffer(keyrec->uidbuf));
477
478 if(keyrec->size>0)
479 printf("%d bit ",keyrec->size);
480
481 if(keyrec->type)
482 {
483 const char *str = gcry_pk_algo_name (keyrec->type);
484
485 if(str)
486 printf("%s ",str);
487 else
488 printf("unknown ");
489 }
490
491 switch(keyrec->desc.mode)
492 {
493 /* If the keyserver helper gave us a short keyid, we have no
494 choice but to use it. Do check --keyid-format to add a 0x if
495 needed. */
496 case KEYDB_SEARCH_MODE_SHORT_KID:
497 printf("key %s%08lX",
498 (opt.keyid_format==KF_0xSHORT
499 || opt.keyid_format==KF_0xLONG)?"0x":"",
500 (ulong)keyrec->desc.u.kid[1]);
501 break;
502
503 /* However, if it gave us a long keyid, we can honor
504 --keyid-format */
505 case KEYDB_SEARCH_MODE_LONG_KID:
506 printf("key %s",keystr(keyrec->desc.u.kid));
507 break;
508
509 case KEYDB_SEARCH_MODE_FPR16:
510 printf("key ");
511 for(i=0;i<16;i++)
512 printf("%02X",keyrec->desc.u.fpr[i]);
513 break;
514
515 case KEYDB_SEARCH_MODE_FPR20:
516 printf("key ");
517 for(i=0;i<20;i++)
518 printf("%02X",keyrec->desc.u.fpr[i]);
519 break;
520
521 default:
522 BUG();
523 break;
524 }
525
526 if(keyrec->createtime>0)
527 {
528 printf(", ");
529 printf(_("created: %s"),strtimestamp(keyrec->createtime));
530 }
531
532 if(keyrec->expiretime>0)
533 {
534 printf(", ");
535 printf(_("expires: %s"),strtimestamp(keyrec->expiretime));
536 }
537
538 if(keyrec->flags&1)
539 printf(" (%s)",_("revoked"));
540 if(keyrec->flags&2)
541 printf(" (%s)",_("disabled"));
542 if(keyrec->flags&4)
543 printf(" (%s)",_("expired"));
544
545 printf("\n");
546 }
547
548 /* Returns a keyrec (which must be freed) once a key is complete, and
549 NULL otherwise. Call with a NULL keystring once key parsing is
550 complete to return any unfinished keys. */
551 static struct keyrec *
552 parse_keyrec(char *keystring)
553 {
554 static struct keyrec *work=NULL;
555 struct keyrec *ret=NULL;
556 char *record;
557 int i;
558
559 if(keystring==NULL)
560 {
561 if(work==NULL)
562 return NULL;
563 else if(work->desc.mode==KEYDB_SEARCH_MODE_NONE)
564 {
565 xfree(work);
566 return NULL;
567 }
568 else
569 {
570 ret=work;
571 work=NULL;
572 return ret;
573 }
574 }
575
576 if(work==NULL)
577 {
578 work=xmalloc_clear(sizeof(struct keyrec));
579 work->uidbuf=iobuf_temp();
580 }
581
582 /* Remove trailing whitespace */
583 for(i=strlen(keystring);i>0;i--)
584 if(ascii_isspace(keystring[i-1]))
585 keystring[i-1]='\0';
586 else
587 break;
588
589 if((record=strsep(&keystring,":"))==NULL)
590 return ret;
591
592 if(ascii_strcasecmp("pub",record)==0)
593 {
594 char *tok;
595
596 if(work->desc.mode)
597 {
598 ret=work;
599 work=xmalloc_clear(sizeof(struct keyrec));
600 work->uidbuf=iobuf_temp();
601 }
602
603 if((tok=strsep(&keystring,":"))==NULL)
604 return ret;
605
606 classify_user_id(tok,&work->desc);
607 if(work->desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID
608 && work->desc.mode!=KEYDB_SEARCH_MODE_LONG_KID
609 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR16
610 && work->desc.mode!=KEYDB_SEARCH_MODE_FPR20)
611 {
612 work->desc.mode=KEYDB_SEARCH_MODE_NONE;
613 return ret;
614 }
615
616 /* Note all items after this are optional. This allows us to
617 have a pub line as simple as pub:keyid and nothing else. */
618
619 work->lines++;
620
621 if((tok=strsep(&keystring,":"))==NULL)
622 return ret;
623
624 work->type=atoi(tok);
625
626 if((tok=strsep(&keystring,":"))==NULL)
627 return ret;
628
629 work->size=atoi(tok);
630
631 if((tok=strsep(&keystring,":"))==NULL)
632 return ret;
633
634 if(atoi(tok)<=0)
635 work->createtime=0;
636 else
637 work->createtime=atoi(tok);
638
639 if((tok=strsep(&keystring,":"))==NULL)
640 return ret;
641
642 if(atoi(tok)<=0)
643 work->expiretime=0;
644 else
645 {
646 work->expiretime=atoi(tok);
647 /* Force the 'e' flag on if this key is expired. */
648 if(work->expiretime<=make_timestamp())
649 work->flags|=4;
650 }
651
652 if((tok=strsep(&keystring,":"))==NULL)
653 return ret;
654
655 while(*tok)
656 switch(*tok++)
657 {
658 case 'r':
659 case 'R':
660 work->flags|=1;
661 break;
662
663 case 'd':
664 case 'D':
665 work->flags|=2;
666 break;
667
668 case 'e':
669 case 'E':
670 work->flags|=4;
671 break;
672 }
673 }
674 else if(ascii_strcasecmp("uid",record)==0 && work->desc.mode)
675 {
676 char *userid,*tok,*decoded;
677
678 if((tok=strsep(&keystring,":"))==NULL)
679 return ret;
680
681 if(strlen(tok)==0)
682 return ret;
683
684 userid=tok;
685
686 /* By definition, de-%-encoding is always smaller than the
687 original string so we can decode in place. */
688
689 i=0;
690
691 while(*tok)
692 if(tok[0]=='%' && tok[1] && tok[2])
693 {
694 int c;
695
696 userid[i] = (c=hextobyte(&tok[1])) == -1 ? '?' : c;
697 i++;
698 tok+=3;
699 }
700 else
701 userid[i++]=*tok++;
702
703 /* We don't care about the other info provided in the uid: line
704 since no keyserver supports marking userids with timestamps
705 or revoked/expired/disabled yet. */
706
707 /* No need to check for control characters, as utf8_to_native
708 does this for us. */
709
710 decoded=utf8_to_native(userid,i,0);
711 if(strlen(decoded)>opt.screen_columns-10)
712 decoded[opt.screen_columns-10]='\0';
713 iobuf_writestr(work->uidbuf,decoded);
714 xfree(decoded);
715 iobuf_writestr(work->uidbuf,"\n\t");
716 work->lines++;
717 }
718
719 /* Ignore any records other than "pri" and "uid" for easy future
720 growth. */
721
722 return ret;
723 }
724
725 /* TODO: do this as a list sent to keyserver_work rather than calling
726 it once for each key to get the correct counts after the import
727 (cosmetics, really) and to better take advantage of the keyservers
728 that can do multiple fetches in one go (LDAP). */
729 static int
730 show_prompt(KEYDB_SEARCH_DESC *desc,int numdesc,int count,const char *search)
731 {
732 char *answer;
733
734 fflush (stdout);
735
736 if(count && opt.command_fd==-1)
737 {
738 static int from=1;
739 tty_printf("Keys %d-%d of %d for \"%s\". ",from,numdesc,count,search);
740 from=numdesc+1;
741 }
742
743 answer=cpr_get_no_help("keysearch.prompt",
744 _("Enter number(s), N)ext, or Q)uit > "));
745 /* control-d */
746 if(answer[0]=='\x04')
747 {
748 printf("Q\n");
749 answer[0]='q';
750 }
751
752 if(answer[0]=='q' || answer[0]=='Q')
753 {
754 xfree(answer);
755 return 1;
756 }
757 else if(atoi(answer)>=1 && atoi(answer)<=numdesc)
758 {
759 char *split=answer,*num;
760
761 while((num=strsep(&split," ,"))!=NULL)
762 if(atoi(num)>=1 && atoi(num)<=numdesc)
763 keyserver_work(KS_GET,NULL,&desc[atoi(num)-1],1,
764 NULL,NULL,opt.keyserver);
765
766 xfree(answer);
767 return 1;
768 }
769
770 return 0;
771 }
772
773 /* Count and searchstr are just for cosmetics. If the count is too
774 small, it will grow safely. If negative it disables the "Key x-y
775 of z" messages. searchstr should be UTF-8 (rather than native). */
776 static void
777 keyserver_search_prompt(IOBUF buffer,const char *searchstr)
778 {
779 int i=0,validcount=0,started=0,header=0,count=1;
780 unsigned int maxlen,buflen,numlines=0;
781 KEYDB_SEARCH_DESC *desc;
782 byte *line=NULL;
783 char *localstr=NULL;
784
785 if(searchstr)
786 localstr=utf8_to_native(searchstr,strlen(searchstr),0);
787
788 desc=xmalloc(count*sizeof(KEYDB_SEARCH_DESC));
789
790 for(;;)
791 {
792 struct keyrec *keyrec;
793 int rl;
794
795 maxlen=1024;
796 rl=iobuf_read_line(buffer,&line,&buflen,&maxlen);
797
798 if(opt.with_colons)
799 {
800 if(!header && ascii_strncasecmp("SEARCH ",line,7)==0
801 && ascii_strncasecmp(" BEGIN",&line[strlen(line)-7],6)==0)
802 {
803 header=1;
804 continue;
805 }
806 else if(ascii_strncasecmp("SEARCH ",line,7)==0
807 && ascii_strncasecmp(" END",&line[strlen(line)-5],4)==0)
808 continue;
809
810 printf("%s",line);
811 }
812
813 /* Look for an info: line. The only current info: values
814 defined are the version and key count. */
815 if(!started && rl>0 && ascii_strncasecmp("info:",line,5)==0)
816 {
817 char *tok,*str=&line[5];
818
819 if((tok=strsep(&str,":"))!=NULL)
820 {
821 int version;
822
823 if(sscanf(tok,"%d",&version)!=1)
824 version=1;
825
826 if(version!=1)
827 {
828 log_error(_("invalid keyserver protocol "
829 "(us %d!=handler %d)\n"),1,version);
830 break;
831 }
832 }
833
834 if((tok=strsep(&str,":"))!=NULL && sscanf(tok,"%d",&count)==1)
835 {
836 if(count==0)
837 goto notfound;
838 else if(count<0)
839 count=10;
840 else
841 validcount=1;
842
843 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
844 }
845
846 started=1;
847 continue;
848 }
849
850 if(rl==0)
851 {
852 keyrec=parse_keyrec(NULL);
853
854 if(keyrec==NULL)
855 {
856 if(i==0)
857 {
858 count=0;
859 break;
860 }
861
862 if(i!=count)
863 validcount=0;
864
865 for(;;)
866 {
867 if(show_prompt(desc,i,validcount?count:0,localstr))
868 break;
869 validcount=0;
870 }
871
872 break;
873 }
874 }
875 else
876 keyrec=parse_keyrec(line);
877
878 if(i==count)
879 {
880 /* keyserver helper sent more keys than they claimed in the
881 info: line. */
882 count+=10;
883 desc=xrealloc(desc,count*sizeof(KEYDB_SEARCH_DESC));
884 validcount=0;
885 }
886
887 if(keyrec)
888 {
889 desc[i]=keyrec->desc;
890
891 if(!opt.with_colons)
892 {
893 /* screen_lines - 1 for the prompt. */
894 if(numlines+keyrec->lines>opt.screen_lines-1)
895 {
896 if(show_prompt(desc,i,validcount?count:0,localstr))
897 break;
898 else
899 numlines=0;
900 }
901
902 print_keyrec(i+1,keyrec);
903 }
904
905 numlines+=keyrec->lines;
906 iobuf_close(keyrec->uidbuf);
907 xfree(keyrec);
908
909 started=1;
910 i++;
911 }
912 }
913
914 notfound:
915 /* Leave this commented out or now, and perhaps for a very long
916 time. All HKPish servers return HTML error messages for
917 no-key-found. */
918 /*
919 if(!started)
920 log_info(_("keyserver does not support searching\n"));
921 else
922 */
923 if(count==0)
924 {
925 if(localstr)
926 log_info(_("key \"%s\" not found on keyserver\n"),localstr);
927 else
928 log_info(_("key not found on keyserver\n"));
929 }
930
931 xfree(localstr);
932 xfree(desc);
933 xfree(line);
934 }
935
936 /* We sometimes want to use a different gpgkeys_xxx for a given
937 protocol (for example, ldaps is handled by gpgkeys_ldap). Map
938 these here. */
939 static const char *
940 keyserver_typemap(const char *type)
941 {
942 if(strcmp(type,"ldaps")==0)
943 return "ldap";
944 else if(strcmp(type,"hkps")==0)
945 return "hkp";
946 else
947 return type;
948 }
949
950 /* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are
951 sufficiently different that we can't use curl to do LDAP. */
952 static int
953 direct_uri_map(const char *scheme,unsigned int is_direct)
954 {
955 if(is_direct && strcmp(scheme,"ldap")==0)
956 return 1;
957
958 return 0;
959 }
960
961 #if GNUPG_MAJOR_VERSION == 2
962 #define GPGKEYS_PREFIX "gpg2keys_"
963 #else
964 #define GPGKEYS_PREFIX "gpgkeys_"
965 #endif
966 #define GPGKEYS_CURL GPGKEYS_PREFIX "curl" EXEEXT
967 #define GPGKEYS_PREFIX_LEN (strlen(GPGKEYS_CURL))
968 #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\""
969 #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\""
970
971 static int
972 keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
973 int count,int *prog,unsigned char **fpr,size_t *fpr_len,
974 struct keyserver_spec *keyserver)
975 {
976 int ret=0,i,gotversion=0,outofband=0;
977 strlist_t temp;
978 unsigned int maxlen,buflen;
979 char *command,*end,*searchstr=NULL;
980 byte *line=NULL;
981 struct exec_info *spawn;
982 const char *scheme;
983 const char *libexecdir = gnupg_libexecdir ();
984
985 assert(keyserver);
986
987 #ifdef EXEC_TEMPFILE_ONLY
988 opt.keyserver_options.options|=KEYSERVER_USE_TEMP_FILES;
989 #endif
990
991 /* Build the filename for the helper to execute */
992 scheme=keyserver_typemap(keyserver->scheme);
993
994 #ifdef DISABLE_KEYSERVER_PATH
995 /* Destroy any path we might have. This is a little tricky,
996 portability-wise. It's not correct to delete the PATH
997 environment variable, as that may fall back to a system built-in
998 PATH. Similarly, it is not correct to set PATH to the null
999 string (PATH="") since this actually deletes the PATH environment
1000 variable under MinGW. The safest thing to do here is to force
1001 PATH to be GNUPG_LIBEXECDIR. All this is not that meaningful on
1002 Unix-like systems (since we're going to give a full path to
1003 gpgkeys_foo), but on W32 it prevents loading any DLLs from
1004 directories in %PATH%.
1005
1006 After some more thinking about this we came to the conclusion
1007 that it is better to load the helpers from the directory where
1008 the program of this process lives. Fortunately Windows provides
1009 a way to retrieve this and our gnupg_libexecdir function has been
1010 modified to return just this. Setting the exec-path is not
1011 anymore required.
1012 set_exec_path(libexecdir);
1013 */
1014 #else
1015 if(opt.exec_path_set)
1016 {
1017 /* If exec-path was set, and DISABLE_KEYSERVER_PATH is
1018 undefined, then don't specify a full path to gpgkeys_foo, so
1019 that the PATH can work. */
1020 command=xmalloc(GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1021 command[0]='\0';
1022 }
1023 else
1024 #endif
1025 {
1026 /* Specify a full path to gpgkeys_foo. */
1027 command=xmalloc(strlen(libexecdir)+strlen(DIRSEP_S)+
1028 GPGKEYS_PREFIX_LEN+strlen(scheme)+3+strlen(EXEEXT)+1);
1029 strcpy(command,libexecdir);
1030 strcat(command,DIRSEP_S);
1031 }
1032
1033 end=command+strlen(command);
1034
1035 /* Build a path for the keyserver helper. If it is direct_uri
1036 (i.e. an object fetch and not a keyserver), then add "_uri" to
1037 the end to distinguish the keyserver helper from an object
1038 fetcher that can speak that protocol (this is a problem for
1039 LDAP). */
1040
1041 strcat(command,GPGKEYS_PREFIX);
1042 strcat(command,scheme);
1043
1044 /* This "_uri" thing is in case we need to call a direct handler
1045 instead of the keyserver handler. This lets us use gpgkeys_curl
1046 or gpgkeys_ldap_uri (we don't provide it, but a user might)
1047 instead of gpgkeys_ldap to fetch things like
1048 ldap://keyserver.pgp.com/o=PGP%20keys?pgpkey?sub?pgpkeyid=99242560 */
1049
1050 if(direct_uri_map(scheme,keyserver->flags.direct_uri))
1051 strcat(command,"_uri");
1052
1053 strcat(command,EXEEXT);
1054
1055 /* Can we execute it? If not, try curl as our catchall. */
1056 if(path_access(command,X_OK)!=0)
1057 strcpy(end,GPGKEYS_CURL);
1058
1059 if(opt.keyserver_options.options&KEYSERVER_USE_TEMP_FILES)
1060 {
1061 if(opt.keyserver_options.options&KEYSERVER_KEEP_TEMP_FILES)
1062 {
1063 command=xrealloc(command,strlen(command)+
1064 strlen(KEYSERVER_ARGS_KEEP)+1);
1065 strcat(command,KEYSERVER_ARGS_KEEP);
1066 }
1067 else
1068 {
1069 command=xrealloc(command,strlen(command)+
1070 strlen(KEYSERVER_ARGS_NOKEEP)+1);
1071 strcat(command,KEYSERVER_ARGS_NOKEEP);
1072 }
1073
1074 ret=exec_write(&spawn,NULL,command,NULL,0,0);
1075 }
1076 else
1077 ret=exec_write(&spawn,command,NULL,NULL,0,0);
1078
1079 xfree(command);
1080
1081 if(ret)
1082 return ret;
1083
1084 fprintf(spawn->tochild,
1085 "# This is a GnuPG %s keyserver communications file\n",VERSION);
1086 fprintf(spawn->tochild,"VERSION %d\n",KEYSERVER_PROTO_VERSION);
1087 fprintf(spawn->tochild,"PROGRAM %s\n",VERSION);
1088 fprintf(spawn->tochild,"SCHEME %s\n",keyserver->scheme);
1089
1090 if(keyserver->opaque)
1091 fprintf(spawn->tochild,"OPAQUE %s\n",keyserver->opaque);
1092 else
1093 {
1094 if(keyserver->auth)
1095 fprintf(spawn->tochild,"AUTH %s\n",keyserver->auth);
1096
1097 if(keyserver->host)
1098 fprintf(spawn->tochild,"HOST %s\n",keyserver->host);
1099
1100 if(keyserver->port)
1101 fprintf(spawn->tochild,"PORT %s\n",keyserver->port);
1102
1103 if(keyserver->path)
1104 fprintf(spawn->tochild,"PATH %s\n",keyserver->path);
1105 }
1106
1107 /* Write global options */
1108
1109 for(temp=opt.keyserver_options.other;temp;temp=temp->next)
1110 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1111
1112 /* Write per-keyserver options */
1113
1114 for(temp=keyserver->options;temp;temp=temp->next)
1115 fprintf(spawn->tochild,"OPTION %s\n",temp->d);
1116
1117 switch(action)
1118 {
1119 case KS_GET:
1120 {
1121 fprintf(spawn->tochild,"COMMAND GET\n\n");
1122
1123 /* Which keys do we want? */
1124
1125 for(i=0;i<count;i++)
1126 {
1127 int quiet=0;
1128
1129 if(desc[i].mode==KEYDB_SEARCH_MODE_FPR20)
1130 {
1131 int f;
1132
1133 fprintf(spawn->tochild,"0x");
1134
1135 for(f=0;f<MAX_FINGERPRINT_LEN;f++)
1136 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1137
1138 fprintf(spawn->tochild,"\n");
1139 }
1140 else if(desc[i].mode==KEYDB_SEARCH_MODE_FPR16)
1141 {
1142 int f;
1143
1144 fprintf(spawn->tochild,"0x");
1145
1146 for(f=0;f<16;f++)
1147 fprintf(spawn->tochild,"%02X",desc[i].u.fpr[f]);
1148
1149 fprintf(spawn->tochild,"\n");
1150 }
1151 else if(desc[i].mode==KEYDB_SEARCH_MODE_LONG_KID)
1152 fprintf(spawn->tochild,"0x%08lX%08lX\n",
1153 (ulong)desc[i].u.kid[0],
1154 (ulong)desc[i].u.kid[1]);
1155 else if(desc[i].mode==KEYDB_SEARCH_MODE_SHORT_KID)
1156 fprintf(spawn->tochild,"0x%08lX\n",
1157 (ulong)desc[i].u.kid[1]);
1158 else if(desc[i].mode==KEYDB_SEARCH_MODE_EXACT)
1159 {
1160 fprintf(spawn->tochild,"0x0000000000000000\n");
1161 quiet=1;
1162 }
1163 else if(desc[i].mode==KEYDB_SEARCH_MODE_NONE)
1164 continue;
1165 else
1166 BUG();
1167
1168 if(!quiet)
1169 {
1170 if(keyserver->host)
1171 log_info(_("requesting key %s from %s server %s\n"),
1172 keystr_from_desc(&desc[i]),
1173 keyserver->scheme,keyserver->host);
1174 else
1175 log_info(_("requesting key %s from %s\n"),
1176 keystr_from_desc(&desc[i]),keyserver->uri);
1177 }
1178 }
1179
1180 fprintf(spawn->tochild,"\n");
1181
1182 break;
1183 }
1184
1185 case KS_GETNAME:
1186 {
1187 strlist_t key;
1188
1189 fprintf(spawn->tochild,"COMMAND GETNAME\n\n");
1190
1191 /* Which names do we want? */
1192
1193 for(key=list;key!=NULL;key=key->next)
1194 fprintf(spawn->tochild,"%s\n",key->d);
1195
1196 fprintf(spawn->tochild,"\n");
1197
1198 if(keyserver->host)
1199 log_info(_("searching for names from %s server %s\n"),
1200 keyserver->scheme,keyserver->host);
1201 else
1202 log_info(_("searching for names from %s\n"),keyserver->uri);
1203
1204 break;
1205 }
1206
1207 case KS_SEND:
1208 {
1209 strlist_t key;
1210
1211 /* Note the extra \n here to send an empty keylist block */
1212 fprintf(spawn->tochild,"COMMAND SEND\n\n\n");
1213
1214 for(key=list;key!=NULL;key=key->next)
1215 {
1216 armor_filter_context_t *afx;
1217 IOBUF buffer = iobuf_temp ();
1218 KBNODE block;
1219
1220 temp=NULL;
1221 add_to_strlist(&temp,key->d);
1222
1223 afx = new_armor_context ();
1224 afx->what = 1;
1225 /* Tell the armor filter to use Unix-style \n line
1226 endings, since we're going to fprintf this to a file
1227 that (on Win32) is open in text mode. The win32 stdio
1228 will transform the \n to \r\n and we'll end up with the
1229 proper line endings on win32. This is a no-op on
1230 Unix. */
1231 afx->eol[0] = '\n';
1232 push_armor_filter (afx, buffer);
1233 release_armor_context (afx);
1234
1235 /* TODO: Remove Comment: lines from keys exported this
1236 way? */
1237
1238 if(export_pubkeys_stream(buffer,temp,&block,
1239 opt.keyserver_options.export_options)==-1)
1240 iobuf_close(buffer);
1241 else
1242 {
1243 KBNODE node;
1244
1245 iobuf_flush_temp(buffer);
1246
1247 merge_keys_and_selfsig(block);
1248
1249 fprintf(spawn->tochild,"INFO %08lX%08lX BEGIN\n",
1250 (ulong)block->pkt->pkt.public_key->keyid[0],
1251 (ulong)block->pkt->pkt.public_key->keyid[1]);
1252
1253 for(node=block;node;node=node->next)
1254 {
1255 switch(node->pkt->pkttype)
1256 {
1257 default:
1258 continue;
1259
1260 case PKT_PUBLIC_KEY:
1261 case PKT_PUBLIC_SUBKEY:
1262 {
1263 PKT_public_key *pk=node->pkt->pkt.public_key;
1264
1265 keyid_from_pk(pk,NULL);
1266
1267 fprintf(spawn->tochild,"%sb:%08lX%08lX:%u:%u:%u:%u:",
1268 node->pkt->pkttype==PKT_PUBLIC_KEY?"pu":"su",
1269 (ulong)pk->keyid[0],(ulong)pk->keyid[1],
1270 pk->pubkey_algo,
1271 nbits_from_pk(pk),
1272 pk->timestamp,
1273 pk->expiredate);
1274
1275 if(pk->is_revoked)
1276 fprintf(spawn->tochild,"r");
1277 if(pk->has_expired)
1278 fprintf(spawn->tochild,"e");
1279
1280 fprintf(spawn->tochild,"\n");
1281 }
1282 break;
1283
1284 case PKT_USER_ID:
1285 {
1286 PKT_user_id *uid=node->pkt->pkt.user_id;
1287 int r;
1288
1289 if(uid->attrib_data)
1290 continue;
1291
1292 fprintf(spawn->tochild,"uid:");
1293
1294 /* Quote ':', '%', and any 8-bit
1295 characters */
1296 for(r=0;r<uid->len;r++)
1297 {
1298 if(uid->name[r]==':' || uid->name[r]=='%'
1299 || uid->name[r]&0x80)
1300 fprintf(spawn->tochild,"%%%02X",
1301 (byte)uid->name[r]);
1302 else
1303 fprintf(spawn->tochild,"%c",uid->name[r]);
1304 }
1305
1306 fprintf(spawn->tochild,":%u:%u:",
1307 uid->created,uid->expiredate);
1308
1309 if(uid->is_revoked)
1310 fprintf(spawn->tochild,"r");
1311 if(uid->is_expired)
1312 fprintf(spawn->tochild,"e");
1313
1314 fprintf(spawn->tochild,"\n");
1315 }
1316 break;
1317
1318 /* This bit is really for the benefit of
1319 people who store their keys in LDAP
1320 servers. It makes it easy to do queries
1321 for things like "all keys signed by
1322 Isabella". */
1323 case PKT_SIGNATURE:
1324 {
1325 PKT_signature *sig=node->pkt->pkt.signature;
1326
1327 if(!IS_UID_SIG(sig))
1328 continue;
1329
1330 fprintf(spawn->tochild,"sig:%08lX%08lX:%X:%u:%u\n",
1331 (ulong)sig->keyid[0],(ulong)sig->keyid[1],
1332 sig->sig_class,sig->timestamp,
1333 sig->expiredate);
1334 }
1335 break;
1336 }
1337 }
1338
1339 fprintf(spawn->tochild,"INFO %08lX%08lX END\n",
1340 (ulong)block->pkt->pkt.public_key->keyid[0],
1341 (ulong)block->pkt->pkt.public_key->keyid[1]);
1342
1343 fprintf(spawn->tochild,"KEY %08lX%08lX BEGIN\n",
1344 (ulong)block->pkt->pkt.public_key->keyid[0],
1345 (ulong)block->pkt->pkt.public_key->keyid[1]);
1346 fwrite(iobuf_get_temp_buffer(buffer),
1347 iobuf_get_temp_length(buffer),1,spawn->tochild);
1348 fprintf(spawn->tochild,"KEY %08lX%08lX END\n",
1349 (ulong)block->pkt->pkt.public_key->keyid[0],
1350 (ulong)block->pkt->pkt.public_key->keyid[1]);
1351
1352 iobuf_close(buffer);
1353
1354 if(keyserver->host)
1355 log_info(_("sending key %s to %s server %s\n"),
1356 keystr(block->pkt->pkt.public_key->keyid),
1357 keyserver->scheme,keyserver->host);
1358 else
1359 log_info(_("sending key %s to %s\n"),
1360 keystr(block->pkt->pkt.public_key->keyid),
1361 keyserver->uri);
1362
1363 release_kbnode(block);
1364 }
1365
1366 free_strlist(temp);
1367 }
1368
1369 break;
1370 }
1371
1372 case KS_SEARCH:
1373 {
1374 strlist_t key;
1375
1376 fprintf(spawn->tochild,"COMMAND SEARCH\n\n");
1377
1378 /* Which keys do we want? Remember that the gpgkeys_ program
1379 is going to lump these together into a search string. */
1380
1381 for(key=list;key!=NULL;key=key->next)
1382 {
1383 fprintf(spawn->tochild,"%s\n",key->d);
1384 if(key!=list)
1385 {
1386 searchstr=xrealloc(searchstr,
1387 strlen(searchstr)+strlen(key->d)+2);
1388 strcat(searchstr," ");
1389 }
1390 else
1391 {
1392 searchstr=xmalloc(strlen(key->d)+1);
1393 searchstr[0]='\0';
1394 }
1395
1396 strcat(searchstr,key->d);
1397 }
1398
1399 fprintf(spawn->tochild,"\n");
1400
1401 if(keyserver->host)
1402 log_info(_("searching for \"%s\" from %s server %s\n"),
1403 searchstr,keyserver->scheme,keyserver->host);
1404 else
1405 log_info(_("searching for \"%s\" from %s\n"),
1406 searchstr,keyserver->uri);
1407
1408 break;
1409 }
1410
1411 default:
1412 log_fatal(_("no keyserver action!\n"));
1413 break;
1414 }
1415
1416 /* Done sending, so start reading. */
1417 ret=exec_read(spawn);
1418 if(ret)
1419 goto fail;
1420
1421 /* Now handle the response */
1422
1423 for(;;)
1424 {
1425 int plen;
1426 char *ptr;
1427
1428 maxlen=1024;
1429 if(iobuf_read_line(spawn->fromchild,&line,&buflen,&maxlen)==0)
1430 {
1431 ret = gpg_error_from_syserror ();
1432 goto fail; /* i.e. EOF */
1433 }
1434
1435 ptr=line;
1436
1437 /* remove trailing whitespace */
1438 plen=strlen(ptr);
1439 while(plen>0 && ascii_isspace(ptr[plen-1]))
1440 plen--;
1441 plen[ptr]='\0';
1442
1443 if(*ptr=='\0')
1444 break;
1445
1446 if(ascii_strncasecmp(ptr,"VERSION ",8)==0)
1447 {
1448 gotversion=1;
1449
1450 if(atoi(&ptr[8])!=KEYSERVER_PROTO_VERSION)
1451 {
1452 log_error(_("invalid keyserver protocol (us %d!=handler %d)\n"),
1453 KEYSERVER_PROTO_VERSION,atoi(&ptr[8]));
1454 goto fail;
1455 }
1456 }
1457 else if(ascii_strncasecmp(ptr,"PROGRAM ",8)==0)
1458 {
1459 if(ascii_strncasecmp(&ptr[8],VERSION,strlen(VERSION))!=0)
1460 log_info(_("WARNING: keyserver handler from a different"
1461 " version of GnuPG (%s)\n"),&ptr[8]);
1462 }
1463 else if(ascii_strncasecmp(ptr,"OPTION OUTOFBAND",16)==0)
1464 outofband=1; /* Currently the only OPTION */
1465 }
1466
1467 if(!gotversion)
1468 {
1469 log_error(_("keyserver did not send VERSION\n"));
1470 goto fail;
1471 }
1472
1473 if(!outofband)
1474 switch(action)
1475 {
1476 case KS_GET:
1477 case KS_GETNAME:
1478 {
1479 void *stats_handle;
1480
1481 stats_handle=import_new_stats_handle();
1482
1483 /* Slurp up all the key data. In the future, it might be
1484 nice to look for KEY foo OUTOFBAND and FAILED indicators.
1485 It's harmless to ignore them, but ignoring them does make
1486 gpg complain about "no valid OpenPGP data found". One
1487 way to do this could be to continue parsing this
1488 line-by-line and make a temp iobuf for each key. */
1489
1490 import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
1491 opt.keyserver_options.import_options);
1492
1493 import_print_stats(stats_handle);
1494 import_release_stats_handle(stats_handle);
1495
1496 break;
1497 }
1498
1499 /* Nothing to do here */
1500 case KS_SEND:
1501 break;
1502
1503 case KS_SEARCH:
1504 keyserver_search_prompt(spawn->fromchild,searchstr);
1505 break;
1506
1507 default:
1508 log_fatal(_("no keyserver action!\n"));
1509 break;
1510 }
1511
1512 fail:
1513 xfree(line);
1514 xfree(searchstr);
1515
1516
1517 *prog=exec_finish(spawn);
1518
1519 return ret;
1520 }
1521
1522 static int
1523 keyserver_work(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc,
1524 int count,unsigned char **fpr,size_t *fpr_len,
1525 struct keyserver_spec *keyserver)
1526 {
1527 int rc=0,ret=0;
1528
1529 if(!keyserver)
1530 {
1531 log_error(_("no keyserver known (use option --keyserver)\n"));
1532 return G10ERR_BAD_URI;
1533 }
1534
1535 #ifdef DISABLE_KEYSERVER_HELPERS
1536
1537 log_error(_("external keyserver calls are not supported in this build\n"));
1538 return G10ERR_KEYSERVER;
1539
1540 #else
1541 /* Spawn a handler */
1542
1543 rc=keyserver_spawn(action,list,desc,count,&ret,fpr,fpr_len,keyserver);
1544 if(ret)
1545 {
1546 switch(ret)
1547 {
1548 case KEYSERVER_SCHEME_NOT_FOUND:
1549 log_error(_("no handler for keyserver scheme `%s'\n"),
1550 keyserver->scheme);
1551 break;
1552
1553 case KEYSERVER_NOT_SUPPORTED:
1554 log_error(_("action `%s' not supported with keyserver "
1555 "scheme `%s'\n"),
1556 action==KS_GET?"get":action==KS_SEND?"send":
1557 action==KS_SEARCH?"search":"unknown",
1558 keyserver->scheme);
1559 break;
1560
1561 case KEYSERVER_VERSION_ERROR:
1562 log_error(_(GPGKEYS_PREFIX "%s does not support"
1563 " handler version %d\n"),
1564 keyserver_typemap(keyserver->scheme),
1565 KEYSERVER_PROTO_VERSION);
1566 break;
1567
1568 case KEYSERVER_TIMEOUT:
1569 log_error(_("keyserver timed out\n"));
1570 break;
1571
1572 case KEYSERVER_INTERNAL_ERROR:
1573 default:
1574 log_error(_("keyserver internal error\n"));
1575 break;
1576 }
1577
1578 return G10ERR_KEYSERVER;
1579 }
1580
1581 if(rc)
1582 {
1583 log_error(_("keyserver communications error: %s\n"),g10_errstr(rc));
1584
1585 return rc;
1586 }
1587
1588 return 0;
1589 #endif /* ! DISABLE_KEYSERVER_HELPERS*/
1590 }
1591
1592 int
1593 keyserver_export(strlist_t users)
1594 {
1595 strlist_t sl=NULL;
1596 KEYDB_SEARCH_DESC desc;
1597 int rc=0;
1598
1599 /* Weed out descriptors that we don't support sending */
1600 for(;users;users=users->next)
1601 {
1602 classify_user_id (users->d, &desc);
1603 if(desc.mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1604 desc.mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1605 desc.mode!=KEYDB_SEARCH_MODE_FPR16 &&
1606 desc.mode!=KEYDB_SEARCH_MODE_FPR20)
1607 {
1608 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1609 continue;
1610 }
1611 else
1612 append_to_strlist(&sl,users->d);
1613 }
1614
1615 if(sl)
1616 {
1617 rc=keyserver_work(KS_SEND,sl,NULL,0,NULL,NULL,opt.keyserver);
1618 free_strlist(sl);
1619 }
1620
1621 return rc;
1622 }
1623
1624 int
1625 keyserver_import(strlist_t users)
1626 {
1627 KEYDB_SEARCH_DESC *desc;
1628 int num=100,count=0;
1629 int rc=0;
1630
1631 /* Build a list of key ids */
1632 desc=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1633
1634 for(;users;users=users->next)
1635 {
1636 classify_user_id (users->d, &desc[count]);
1637 if(desc[count].mode!=KEYDB_SEARCH_MODE_SHORT_KID &&
1638 desc[count].mode!=KEYDB_SEARCH_MODE_LONG_KID &&
1639 desc[count].mode!=KEYDB_SEARCH_MODE_FPR16 &&
1640 desc[count].mode!=KEYDB_SEARCH_MODE_FPR20)
1641 {
1642 log_error(_("\"%s\" not a key ID: skipping\n"),users->d);
1643 continue;
1644 }
1645
1646 count++;
1647 if(count==num)
1648 {
1649 num+=100;
1650 desc=xrealloc(desc,sizeof(KEYDB_SEARCH_DESC)*num);
1651 }
1652 }
1653
1654 if(count>0)
1655 rc=keyserver_work(KS_GET,NULL,desc,count,NULL,NULL,opt.keyserver);
1656
1657 xfree(desc);
1658
1659 return rc;
1660 }
1661
1662 int
1663 keyserver_import_fprint(const byte *fprint,size_t fprint_len,
1664 struct keyserver_spec *keyserver)
1665 {
1666 KEYDB_SEARCH_DESC desc;
1667
1668 memset(&desc,0,sizeof(desc));
1669
1670 if(fprint_len==16)
1671 desc.mode=KEYDB_SEARCH_MODE_FPR16;
1672 else if(fprint_len==20)
1673 desc.mode=KEYDB_SEARCH_MODE_FPR20;
1674 else
1675 return -1;
1676
1677 memcpy(desc.u.fpr,fprint,fprint_len);
1678
1679 /* TODO: Warn here if the fingerprint we got doesn't match the one
1680 we asked for? */
1681 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1682 }
1683
1684 int
1685 keyserver_import_keyid(u32 *keyid,struct keyserver_spec *keyserver)
1686 {
1687 KEYDB_SEARCH_DESC desc;
1688
1689 memset(&desc,0,sizeof(desc));
1690
1691 desc.mode=KEYDB_SEARCH_MODE_LONG_KID;
1692 desc.u.kid[0]=keyid[0];
1693 desc.u.kid[1]=keyid[1];
1694
1695 return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver);
1696 }
1697
1698 /* code mostly stolen from do_export_stream */
1699 static int
1700 keyidlist(strlist_t users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3)
1701 {
1702 int rc=0,ndesc,num=100;
1703 KBNODE keyblock=NULL,node;
1704 KEYDB_HANDLE kdbhd;
1705 KEYDB_SEARCH_DESC *desc;
1706 strlist_t sl;
1707
1708 *count=0;
1709
1710 *klist=xmalloc(sizeof(KEYDB_SEARCH_DESC)*num);
1711
1712 kdbhd=keydb_new(0);
1713
1714 if(!users)
1715 {
1716 ndesc = 1;
1717 desc = xmalloc_clear ( ndesc * sizeof *desc);
1718 desc[0].mode = KEYDB_SEARCH_MODE_FIRST;
1719 }
1720 else
1721 {
1722 for (ndesc=0, sl=users; sl; sl = sl->next, ndesc++)
1723 ;
1724 desc = xmalloc ( ndesc * sizeof *desc);
1725
1726 for (ndesc=0, sl=users; sl; sl = sl->next)
1727 {
1728 if(classify_user_id (sl->d, desc+ndesc))
1729 ndesc++;
1730 else
1731 log_error (_("key \"%s\" not found: %s\n"),
1732 sl->d, g10_errstr (G10ERR_INV_USER_ID));
1733 }
1734 }
1735
1736 while (!(rc = keydb_search (kdbhd, desc, ndesc)))
1737 {
1738 if (!users)
1739 desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
1740
1741 /* read the keyblock */
1742 rc = keydb_get_keyblock (kdbhd, &keyblock );
1743 if( rc )
1744 {
1745 log_error (_("error reading keyblock: %s\n"), g10_errstr(rc) );
1746 goto leave;
1747 }
1748
1749 if((node=find_kbnode(keyblock,PKT_PUBLIC_KEY)))
1750 {
1751 /* This is to work around a bug in some keyservers (pksd and
1752 OKS) that calculate v4 RSA keyids as if they were v3 RSA.
1753 The answer is to refresh both the correct v4 keyid
1754 (e.g. 99242560) and the fake v3 keyid (e.g. 68FDDBC7).
1755 This only happens for key refresh using the HKP scheme
1756 and if the refresh-add-fake-v3-keyids keyserver option is
1757 set. */
1758 if(fakev3 && is_RSA(node->pkt->pkt.public_key->pubkey_algo) &&
1759 node->pkt->pkt.public_key->version>=4)
1760 {
1761 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1762 v3_keyid (node->pkt->pkt.public_key->pkey[0],
1763 (*klist)[*count].u.kid);
1764 (*count)++;
1765
1766 if(*count==num)
1767 {
1768 num+=100;
1769 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1770 }
1771 }
1772
1773 /* v4 keys get full fingerprints. v3 keys get long keyids.
1774 This is because it's easy to calculate any sort of keyid
1775 from a v4 fingerprint, but not a v3 fingerprint. */
1776
1777 if(node->pkt->pkt.public_key->version<4)
1778 {
1779 (*klist)[*count].mode=KEYDB_SEARCH_MODE_LONG_KID;
1780 keyid_from_pk(node->pkt->pkt.public_key,
1781 (*klist)[*count].u.kid);
1782 }
1783 else
1784 {
1785 size_t dummy;
1786
1787 (*klist)[*count].mode=KEYDB_SEARCH_MODE_FPR20;
1788 fingerprint_from_pk(node->pkt->pkt.public_key,
1789 (*klist)[*count].u.fpr,&dummy);
1790 }
1791
1792 /* This is a little hackish, using the skipfncvalue as a
1793 void* pointer to the keyserver spec, but we don't need
1794 the skipfnc here, and it saves having an additional field
1795 for this (which would be wasted space most of the
1796 time). */
1797
1798 (*klist)[*count].skipfncvalue=NULL;
1799
1800 /* Are we honoring preferred keyservers? */
1801 if(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
1802 {
1803 PKT_user_id *uid=NULL;
1804 PKT_signature *sig=NULL;
1805
1806 merge_keys_and_selfsig(keyblock);
1807
1808 for(node=node->next;node;node=node->next)
1809 {
1810 if(node->pkt->pkttype==PKT_USER_ID
1811 && node->pkt->pkt.user_id->is_primary)
1812 uid=node->pkt->pkt.user_id;
1813 else if(node->pkt->pkttype==PKT_SIGNATURE
1814 && node->pkt->pkt.signature->
1815 flags.chosen_selfsig && uid)
1816 {
1817 sig=node->pkt->pkt.signature;
1818 break;
1819 }
1820 }
1821
1822 /* Try and parse the keyserver URL. If it doesn't work,
1823 then we end up writing NULL which indicates we are
1824 the same as any other key. */
1825 if(sig)
1826 (*klist)[*count].skipfncvalue=parse_preferred_keyserver(sig);
1827 }
1828
1829 (*count)++;
1830
1831 if(*count==num)
1832 {
1833 num+=100;
1834 *klist=xrealloc(*klist,sizeof(KEYDB_SEARCH_DESC)*num);
1835 }
1836 }
1837 }
1838
1839 if(rc==-1)
1840 rc=0;
1841
1842 leave:
1843 if(rc)
1844 xfree(*klist);
1845 xfree(desc);
1846 keydb_release(kdbhd);
1847 release_kbnode(keyblock);
1848
1849 return rc;
1850 }
1851
1852 /* Note this is different than the original HKP refresh. It allows
1853 usernames to refresh only part of the keyring. */
1854
1855 int
1856 keyserver_refresh(strlist_t users)
1857 {
1858 int rc,count,numdesc,fakev3=0;
1859 KEYDB_SEARCH_DESC *desc;
1860 unsigned int options=opt.keyserver_options.import_options;
1861
1862 /* We switch merge-only on during a refresh, as 'refresh' should
1863 never import new keys, even if their keyids match. */
1864 opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
1865
1866 /* Similarly, we switch on fast-import, since refresh may make
1867 multiple import sets (due to preferred keyserver URLs). We don't
1868 want each set to rebuild the trustdb. Instead we do it once at
1869 the end here. */
1870 opt.keyserver_options.import_options|=IMPORT_FAST;
1871
1872 /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
1873 scheme, then enable fake v3 keyid generation. */
1874 if((opt.keyserver_options.options&KEYSERVER_ADD_FAKE_V3) && opt.keyserver
1875 && (ascii_strcasecmp(opt.keyserver->scheme,"hkp")==0 ||
1876 ascii_strcasecmp(opt.keyserver->scheme,"mailto")==0))
1877 fakev3=1;
1878
1879 rc=keyidlist(users,&desc,&numdesc,fakev3);
1880 if(rc)
1881 return rc;
1882
1883 count=numdesc;
1884 if(count>0)
1885 {
1886 int i;
1887
1888 /* Try to handle preferred keyserver keys first */
1889 for(i=0;i<numdesc;i++)
1890 {
1891 if(desc[i].skipfncvalue)
1892 {
1893 struct keyserver_spec *keyserver=desc[i].skipfncvalue;
1894
1895 /* We use the keyserver structure we parsed out before.
1896 Note that a preferred keyserver without a scheme://
1897 will be interpreted as hkp:// */
1898
1899 rc=keyserver_work(KS_GET,NULL,&desc[i],1,NULL,NULL,keyserver);
1900 if(rc)
1901 log_info(_("WARNING: unable to refresh key %s"
1902 " via %s: %s\n"),keystr_from_desc(&desc[i]),
1903 keyserver->uri,g10_errstr(rc));
1904 else
1905 {
1906 /* We got it, so mark it as NONE so we don't try and
1907 get it again from the regular keyserver. */
1908
1909 desc[i].mode=KEYDB_SEARCH_MODE_NONE;
1910 count--;
1911 }
1912
1913 free_keyserver_spec(keyserver);
1914 }
1915 }
1916 }
1917
1918 if(count>0)
1919 {
1920 if(opt.keyserver)
1921 {
1922 if(count==1)
1923 log_info(_("refreshing 1 key from %s\n"),opt.keyserver->uri);
1924 else
1925 log_info(_("refreshing %d keys from %s\n"),
1926 count,opt.keyserver->uri);
1927 }
1928
1929 rc=keyserver_work(KS_GET,NULL,desc,numdesc,NULL,NULL,opt.keyserver);
1930 }
1931
1932 xfree(desc);
1933
1934 opt.keyserver_options.import_options=options;
1935
1936 /* If the original options didn't have fast import, and the trustdb
1937 is dirty, rebuild. */
1938 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1939 trustdb_check_or_update();
1940
1941 return rc;
1942 }
1943
1944 int
1945 keyserver_search(strlist_t tokens)
1946 {
1947 if(tokens)
1948 return keyserver_work(KS_SEARCH,tokens,NULL,0,NULL,NULL,opt.keyserver);
1949 else
1950 return 0;
1951 }
1952
1953 int
1954 keyserver_fetch(strlist_t urilist)
1955 {
1956 KEYDB_SEARCH_DESC desc;
1957 strlist_t sl;
1958 unsigned int options=opt.keyserver_options.import_options;
1959
1960 /* Switch on fast-import, since fetch can handle more than one
1961 import and we don't want each set to rebuild the trustdb.
1962 Instead we do it once at the end. */
1963 opt.keyserver_options.import_options|=IMPORT_FAST;
1964
1965 /* A dummy desc since we're not actually fetching a particular key
1966 ID */
1967 memset(&desc,0,sizeof(desc));
1968 desc.mode=KEYDB_SEARCH_MODE_EXACT;
1969
1970 for(sl=urilist;sl;sl=sl->next)
1971 {
1972 struct keyserver_spec *spec;
1973
1974 spec=parse_keyserver_uri(sl->d,1,NULL,0);
1975 if(spec)
1976 {
1977 int rc;
1978
1979 rc=keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,spec);
1980 if(rc)
1981 log_info (_("WARNING: unable to fetch URI %s: %s\n"),
1982 sl->d,g10_errstr(rc));
1983
1984 free_keyserver_spec(spec);
1985 }
1986 else
1987 log_info (_("WARNING: unable to parse URI %s\n"),sl->d);
1988 }
1989
1990 opt.keyserver_options.import_options=options;
1991
1992 /* If the original options didn't have fast import, and the trustdb
1993 is dirty, rebuild. */
1994 if(!(opt.keyserver_options.import_options&IMPORT_FAST))
1995 trustdb_check_or_update();
1996
1997 return 0;
1998 }
1999
2000 /* Import key in a CERT or pointed to by a CERT */
2001 int
2002 keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
2003 {
2004 char *domain,*look,*url;
2005 IOBUF key;
2006 int type,rc=G10ERR_GENERAL;
2007
2008 look=xstrdup(name);
2009
2010 domain=strrchr(look,'@');
2011 if(domain)
2012 *domain='.';
2013
2014 type=get_dns_cert(look,max_cert_size,&key,fpr,fpr_len,&url);
2015 if (!type || type == -1)
2016 {
2017 /* There might be an error in res_query which leads to an error
2018 return (-1) in the case that nothing was found. Thus we take
2019 all errors as key not found. */
2020 rc = G10ERR_NO_PUBKEY;
2021 }
2022 else if (type==1)
2023 {
2024 int armor_status=opt.no_armor;
2025
2026 /* CERTs are always in binary format */
2027 opt.no_armor=1;
2028
2029 rc=import_keys_stream(key,NULL,fpr,fpr_len,
2030 opt.keyserver_options.import_options);
2031
2032 opt.no_armor=armor_status;
2033
2034 iobuf_close(key);
2035 }
2036 else if(type==2 && *fpr)
2037 {
2038 /* We only consider the IPGP type if a fingerprint was provided.
2039 This lets us select the right key regardless of what a URL
2040 points to, or get the key from a keyserver. */
2041 if(url)
2042 {
2043 struct keyserver_spec *spec;
2044
2045 spec=parse_keyserver_uri(url,1,NULL,0);
2046 if(spec)
2047 {
2048 rc=keyserver_import_fprint(*fpr,*fpr_len,spec);
2049 free_keyserver_spec(spec);
2050 }
2051 }
2052 else if(opt.keyserver)
2053 {
2054 /* If only a fingerprint is provided, try and fetch it from
2055 our --keyserver */
2056
2057 rc=keyserver_import_fprint(*fpr,*fpr_len,opt.keyserver);
2058 }
2059 else
2060 log_info(_("no keyserver known (use option --keyserver)\n"));
2061
2062 /* Give a better string here? "CERT fingerprint for \"%s\"
2063 found, but no keyserver" " known (use option
2064 --keyserver)\n" ? */
2065
2066 xfree(url);
2067 }
2068
2069 xfree(look);
2070
2071 return rc;
2072 }
2073
2074 /* Import key pointed to by a PKA record. Return the requested
2075 fingerprint in fpr. */
2076 int
2077 keyserver_import_pka(const char *name,unsigned char **fpr,size_t *fpr_len)
2078 {
2079 char *uri;
2080 int rc = G10ERR_NO_PUBKEY;
2081
2082 *fpr = xmalloc (20);
2083 *fpr_len = 20;
2084
2085 uri = get_pka_info (name, *fpr);
2086 if (uri && *uri)
2087 {
2088 /* An URI is available. Lookup the key. */
2089 struct keyserver_spec *spec;
2090 spec = parse_keyserver_uri (uri, 1, NULL, 0);
2091 if (spec)
2092 {
2093 rc = keyserver_import_fprint (*fpr, 20, spec);
2094 free_keyserver_spec (spec);
2095 }
2096 xfree (uri);
2097 }
2098
2099 if (rc)
2100 {
2101 xfree(*fpr);
2102 *fpr = NULL;
2103 }
2104
2105 return rc;
2106 }
2107
2108 /* Import all keys that match name */
2109 int
2110 keyserver_import_name(const char *name,unsigned char **fpr,size_t *fpr_len,
2111 struct keyserver_spec *keyserver)
2112 {
2113 strlist_t list=NULL;
2114 int rc;
2115
2116 append_to_strlist(&list,name);
2117
2118 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2119
2120 free_strlist(list);
2121
2122 return rc;
2123 }
2124
2125 /* Use the PGP Universal trick of asking ldap://keys.(maildomain) for
2126 the key. */
2127 int
2128 keyserver_import_ldap(const char *name,unsigned char **fpr,size_t *fpr_len)
2129 {
2130 char *domain;
2131 struct keyserver_spec *keyserver;
2132 strlist_t list=NULL;
2133 int rc;
2134
2135 append_to_strlist(&list,name);
2136
2137 /* Parse out the domain */
2138 domain=strrchr(name,'@');
2139 if(!domain)
2140 return G10ERR_GENERAL;
2141
2142 domain++;
2143
2144 keyserver=xmalloc_clear(sizeof(struct keyserver_spec));
2145
2146 keyserver->scheme=xstrdup("ldap");
2147 keyserver->host=xmalloc(5+strlen(domain)+1);
2148 strcpy(keyserver->host,"keys.");
2149 strcat(keyserver->host,domain);
2150 keyserver->uri=xmalloc(strlen(keyserver->scheme)+
2151 3+strlen(keyserver->host)+1);
2152 strcpy(keyserver->uri,keyserver->scheme);
2153 strcat(keyserver->uri,"://");
2154 strcat(keyserver->uri,keyserver->host);
2155
2156 rc=keyserver_work(KS_GETNAME,list,NULL,0,fpr,fpr_len,keyserver);
2157
2158 free_strlist(list);
2159
2160 free_keyserver_spec(keyserver);
2161
2162 return rc;
2163 }
gnupg svn clone